Dear Managed Services provider (MSP) friends,
I’ve made some observations recently regarding cyber security services and products (namely managed detection and response services) serving the MSP community, and I’m curious about your thoughts on them. There is an article circulating about MSPs being targeted by the GandCrab ransomware through a vulnerability in a Kaseya and ConnectWise integration plugin. For some of the affected MSPs, the result was wholesale encryption of all their clients’ computers followed by a ransom demand, which is literally the worst-case scenario for an MSP and possibly a company-ending event.
As you may be aware, Managed Detection and Response (MDR) is quickly becoming a common buzzword and a hot market as folks come to the realization that – most of the time – implementing base A/V, firewall, and a managed SIEM will not protect a customer from getting hacked. There are usually two primary reasons for a company to outsource security:
- To check cyber compliance framework boxes that are required for the organization’s industry
- To obtain or enhance an effective cyber security platform for the organization
From my perspective, as well as my company’s as a whole, a company can only claim to offer true Managed Detection and Response if it provides 24/7 threat hunting, alert triage, and response. Merely delivering an alert to the customer to let them know they are hacked and providing a list of remediation steps is useful, but it is not MDR. Anyone who has been hacked knows that time is of the essence when responding to a breach – therefore, the initial response must be performed as quickly as possible by the MDR service provider. The goal of MDR is to prevent an initial infection from taking root at all and/or stop an initial infection from turning into a major cyber event.
Our Managed Detection and Response service includes anti-malware technologies, agent-based behavior and hacker tradecraft detection, agent-based privileged insider behavior monitoring, live network asset mapping, as well as traffic-based detection via a physical appliance. Our offering was built to cover the distinct phases of a breach to give our MDR SOC analysts the most comprehensive view of normal and abnormal behavior so that they can make the quickest and most accurate decision when an active response is required.
I’m noticing companies actively targeting the MSP space that simply offer a passive traffic appliance, or an agent that sends mostly known-malware detection alerts and indicators/metadata to the cloud, with zero anti-malware capability to actually block known malware and zero response capability to address deliberate breaches involving file-less malware and hard-to-detect sysadmin tradecraft. In my opinion, these companies are falsely marketing themselves as MDR service providers, giving MSPs and their clients a completely false sense of security. If your objective is to stop a breach in the shortest time possible, then an email or phone call telling you that you’ve been breached, along with some steps to resolve it, is not enough in most scenarios.
So, I wrote this note for two reasons. First, I am curious how the MSPs out there define Managed Detection and Response: is an email with manual remediation steps enough, or is active breach response and remediation required to be true MDR? Second, I believe that some of our competitors are selling a service that leads to a false sense of security, and I think it is important to call it out.
In closing, my PSA to the MSP community is this: if you are being pitched big promises and the price seems too good to pass up ($1-$2 per endpoint), you are probably being sold something that will do very little to actually protect your customers, and the result could be a worst-case event similar to the Kaseya/ConnectWise plugin GandCrab incident.