Summary
Louis Stoio, cybersecurity analyst and team lead at M.A. Polce Consulting, recounts how Blackpoint Cyber has stopped ransomware attacks before they impacted his MSP’s clients. In one case, Blackpoint’s Managed Detection and Response (MDR) service flagged an account that had connected over VPN, opened a remote session to a domain controller and run scripts consistent with the activity of a ransomware group; the Security Operations Center (SOC) analysts isolated the affected device first and only then notified Stoio’s team, who traced the activity to a compromised account that should have been disabled a year earlier. Isolating before asking whether the activity is expected keeps an intrusion from spreading and lets Stoio have constructive conversations with clients about the root cause and corrective actions. Stoio praises Blackpoint’s security-first approach and responsiveness as crucial safeguards for his small- and medium-sized business (SMB) clients.
Transcript
My name is Louis Stoio. I work for M.A. Polce Consulting, and my current title is cybersecurity analyst and team lead. We’re people first, you know, everybody knows everybody. We’re there for each other.
We need to make sure our MSP clients are taken care of. And there are quite a few different MDR tools out there, and we needed to have one that met the right standards for our clients. And a lot of our clients are smaller and medium-sized businesses. We needed something that can do everything that we needed them to do at the end of the day, and Blackpoint didn’t cost an arm and a leg.
When it came to selecting a vendor, there were quite a few things that we were looking for. We wanted to ensure that there was an agent going on the workstation so that the workstations were being reviewed, but have an API so that the AV was being pulled. But also having that SOC, the experience that you guys have from that standpoint, was a good comfort for us.
So we’ve been a partner with Blackpoint Cyber for over a year, maybe a year and a half at this point. So we use the Blackpoint Response package for all our clients at this point. That includes setting up the APIs for their AV, and then 365 or Google Workspace.
But what we’ve found too is that dark web scanning that you guys now put in place has been extremely helpful to having conversations with clients. Not in a way to scare them, but to educate them and make policy changes where needed.
Obviously the price point, I mean, that’s always going to be a big one from a leadership standpoint. We need to make sure that it also met a certain price standard for our clients so that they can afford it. Blackpoint Cyber, you guys continued to push for more stuff and you listened to us.
There’s a couple of different actual incidents that we’ve had along the way. Blackpoint Cyber has actually caught a few of them before anything’s ever happened, which is really nice. I’ve gotten a couple of calls at like two, three in the morning: “Hey, this is happening. We need something to be looked at.”
Blackpoint Cyber does it exactly right. They isolate the device before anything happens, before they even call. We’re then able to have the conversation with the client, let them know what we’re seeing.
And in a few incidents, Blackpoint Cyber was actually able to stop ransomware from happening before anything happened. We were able to then take care of the issue, then have conversations with clients, actually explain to them what happened, why it happened, and how to correct it moving forward.
I was actually in Dallas last year for a conference and I got a phone call from my team saying, “Hey, we got a device that was isolated. We’re not 100% sure what’s going on. We’re about to have a phone call with Blackpoint Cyber. Can you jump in on the call?”
I asked for detail, and Blackpoint Cyber, very straightforward, said, “Listen, we’re seeing scripting that’s being run and it’s unusual activity.”
And I asked them, “What about it is unusual?”
And they’re saying, “Well, we see a device that VPN’d into the network and it remoted onto a domain controller, and it’s running scripts that fall in line with a ransomware group. We’ve isolated the device at this point, but from our eyes, it’s not expected.”
Perfect. Follow back up with the client. Have the conversation with them. No, this isn’t expected. In fact, the account that’s being used was supposed to be disabled prior to a year ago, and they forgot to do it. Obviously, the account was compromised.
But here’s Blackpoint Cyber taking the initiative, seeing something that ransomware groups have done in the past, something an EDR tool wouldn’t have picked up, isolated the device, and then had a conversation with us to explain what’s going on.
The big point for me from a security standpoint is isolate. I’d rather see isolation ahead of time instead of you calling me and saying, “Hey, is this expected? I’d like to isolate.”
And for them to take that initiative and say, “We’re isolating, validate and we’ll de-isolate,” I’d rather have a ten-minute headache than a five-day headache trying to go back and forth with a client. So to me, the security focus on let’s be safe, better safe than sorry, is huge to me.
Blackpoint Cyber is doing it right. They’re asking the questions to their partners. They’re actually listening and taking the steps to ever improve.
EDR is a fantastic tool, but it’s only going to do so much. We needed to have more eyes on the environment. Obviously we needed something that was going to be cost effective for them, as a lot of our clients are smaller size companies.
Blackpoint Cyber helps me to have a more educated conversation with my clients.
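The chain Stoio describes in the incident above (an account connects over VPN, opens a remote session to a domain controller, and runs scripts there) is a correlation a SOC can encode as a rule, and the root cause he gives (an account that should have been disabled a year earlier) is a check that can run alongside it. The following Python is an added illustration of both, written for this page; it is not Blackpoint Cyber's or M.A. Polce's code, and the event schema, host names, the 30-minute window, the 365-day staleness threshold and the sample events are all constructed assumptions.

```python
"""Correlate VPN login -> remote logon on a domain controller -> script
execution by one account, and flag the account if it looks stale.

Added example: hypothetical event schema and constructed sample data."""
from datetime import datetime, timedelta

# Assumption: which hosts are domain controllers (constructed).
DOMAIN_CONTROLLERS = {"DC01"}

# Constructed sample telemetry, not real logs. jsmith reproduces the chain
# from the incident; admin.kate is routine VPN + RDP to a file server.
SAMPLE_EVENTS = [
    {"ts": "2024-03-12T02:05:10", "type": "vpn_login", "user": "jsmith",
     "src_ip": "203.0.113.44", "host": "VPN-GW"},
    {"ts": "2024-03-12T02:07:42", "type": "remote_logon", "user": "jsmith",
     "host": "DC01", "logon_type": 10},
    {"ts": "2024-03-12T02:09:03", "type": "process_create", "user": "jsmith",
     "host": "DC01", "image": "powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\Temp\\stage.ps1"},
    {"ts": "2024-03-12T09:00:00", "type": "vpn_login", "user": "admin.kate",
     "src_ip": "198.51.100.7", "host": "VPN-GW"},
    {"ts": "2024-03-12T09:02:00", "type": "remote_logon", "user": "admin.kate",
     "host": "FS01", "logon_type": 10},
]

# Constructed directory data: last interactive logon known before the incident.
LAST_LOGON = {
    "jsmith": "2023-01-20T08:15:00",      # over a year idle, never disabled
    "admin.kate": "2024-03-11T17:30:00",
}

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
WINDOW = timedelta(minutes=30)      # assumption: max gap between chain steps
STALE_AFTER = timedelta(days=365)   # assumption: idle period that counts as stale


def _ts(s):
    return datetime.fromisoformat(s)


def correlate(events, dcs=DOMAIN_CONTROLLERS, window=WINDOW):
    """Return one alert per account that completes the full chain:
    vpn_login, then remote_logon onto a DC, then a script host spawned on
    that DC, each step within `window` of the previous one."""
    by_user = {}
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as text
        by_user.setdefault(ev["user"], []).append(ev)

    alerts = []
    for user, evs in by_user.items():
        vpn, dc_logon = None, None
        for ev in evs:
            t = _ts(ev["ts"])
            if ev["type"] == "vpn_login":
                vpn, dc_logon = ev, None          # a new VPN session restarts the chain
            elif (ev["type"] == "remote_logon" and vpn
                  and ev["host"] in dcs and t - _ts(vpn["ts"]) <= window):
                dc_logon = ev
            elif (ev["type"] == "process_create" and dc_logon
                  and ev["host"] == dc_logon["host"]
                  and ev["image"].lower() in SCRIPT_HOSTS
                  and t - _ts(dc_logon["ts"]) <= window):
                alerts.append({"user": user, "src_ip": vpn["src_ip"],
                               "host": ev["host"], "cmdline": ev["cmdline"],
                               "action": "isolate"})  # isolate first, validate after
                break
    return alerts


def stale_account(user, at, last_logon=LAST_LOGON, threshold=STALE_AFTER):
    """True when the account had no known logon within `threshold` before `at`
    (an unknown account is treated as stale rather than trusted)."""
    last = last_logon.get(user)
    return last is None or (_ts(at) - _ts(last)) > threshold


def triage(events=SAMPLE_EVENTS):
    """Run the correlation and annotate each alert with the staleness check,
    measured at the account's first event in the batch."""
    results = []
    for alert in correlate(events):
        first = min(e["ts"] for e in events if e["user"] == alert["user"])
        alert["stale_account"] = stale_account(alert["user"], first)
        results.append(alert)
    return results


if __name__ == "__main__":
    for alert in triage():
        print(alert)
```

Running it prints one alert, for jsmith on DC01 with `action: isolate` and `stale_account: True`; admin.kate's VPN-then-RDP to a file server never reaches a domain controller and produces nothing. The rule deliberately resets on each new VPN login so an old session cannot be joined to a later logon, and it reports on the first completed chain per account rather than once per script, which is the granularity at which a device would be isolated.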