We are using a little bit of where we are in the holidays to theme out our talk today: Thanksgiving, Friendsgiving. We have been having a lot of conversations in the course of our history, but even more recently, with Managed Services and Managed Services Providers. We have had previous TECH talks about the difference between a Managed Service Provider and a Managed Security Service Provider, but what we really want to talk about is the struggle that we are finding Managed Security Partners go through. Interestingly enough, we spend a lot of time talking about our customers, the end customer organizations, and how they’re struggling with security. MSPs are struggling as well, and for a lot of the same reasons that affect our end customers. MSPs are an extension of our service; we help them get broader security services out to their customer base.
When there was no MSP environment back in the 90s, Kirsten and I had the privilege of starting at the edge of creating that space for MSPs and creating subscription computing and technologies. The concept was simple: creating a centralized IT environment for many companies and leveraging the scale of that centralized IT organization. Fast forward to today and MSPs are second nature. People don’t even consider doing IT themselves–they have MSPs doing it for them because of the scale of resources. Having to hire one or two IT people for a company with a hundred employees will get to a point where the IT team becomes an organization of its own. It takes a lot of time and energy to constantly refill staff, because that first-level help desk and user support function is the biggest turnstile in our industry for turnover.
The concept of the MSP is that it is the centralized IT organization, one that can be leveraged across multiple companies. It has the same problems that any IT organization has: it still has to deal with all the tools, technologies, processes, procedures, and staffing. MSPs shield their customers from a lot of that pain by selecting the right tools, handling hiring and that whole turnover process, putting a solid process in place, and training together so that new hires can come in and hit the ground running.
20 years ago, security was a part of everything we did and a part of the IT organization. Fast forward to today, we have entire nation-states attacking other nations and companies, trying to get access to anything they can in order to: A) take money from people, B) conduct espionage, and C) try to impact the economy. There are a lot of factors coming in that have made cyber the new world battlefield. As a result, we have had to create our own cyber armies, which are the MSSPs and security organizations out there. That is why the charge of the CISO has increased, and why they have board visibility and report to the CEOs now instead of to CIOs. There are a lot of changes in the industry that stem from the security landscape in general. There are 3,000 security vendors out there that are constantly knocking on your door and saying, “Hey! Our tool is better than their tool. Look at our tool,” and it takes a full-time job to do the due diligence, POCs, and evaluations. The analysts do their best to give us some information, while security shootout firms give us their best in regard to shootouts and gaining visibility into what tools are most effective. At the end of the day, you must take the time to evaluate a tool yourself to see if it really works in practice rather than just in a lab. That’s where we come in; we’ve taken that concept of MSP and reimagined it as security and only security. What we’ve created is a set of tools to help not just our end customers, but our MSP partners, so that they can put energy into maintaining the health of the organization from a support perspective and maintaining the infrastructure of the organization from an IT perspective, with the comfort of knowing that there’s a 24×7 seasoned team of security analysts with best-in-class tools monitoring the environment for threats that are trying to take advantage of it.
We have been saying for 20 years that anybody can do what we do. We have just taken the time to build the processes, resources, training, and support models to make sure we are ensuring solid security for our customer base. When you think about the charter of an MSP or how they got started, a lot of these organizations started as resellers and were vertically-focused, industry-based, or wanted to eliminate help desks. As you look at how the market moves, they have a solid relationship with their customers, are a trusted resource, and fill in that gap.
These MSPs are trying to scale as they grow and as they add differentiation or new customer value. When a customer starts asking about how quickly and effectively security implementation can be done internally, it is an extremely heavy lift for MSPs to build and staff themselves, one that drains resources and pulls them away from customer focus. We accelerate MSPs in their entry into the security space as well as ensure that what they are bringing on is going to strengthen their posture in a way that will be difficult for them to do on their own in the same time span.
If you look at the MSP space, a large majority of MSPs come from the reseller path and their DNA is to sell the customer the technology and then manage it. That doesn’t work in security because security tools are constantly changing. If you have a good Network Monitoring tool, Remote Management tool, or Patch Management tool, they change from time to time, but endpoint security specifically has changed drastically. In the last two decades, we have used almost every single Endpoint Security Technology, starting from the early days of McAfee and Symantec to today, where traditional antivirus does not work. If you stick with what you picked, there’s a challenge in managing that, but even more so if you recommend a tool to a customer, they buy it along with a three-year license, and then you realize a year later that the tool is ineffective and a new tool needs to be implemented. Suddenly you must go back to that customer and tell them they have two more years of license left but there is a much better tool available. You’re then going to have customers that have the new and old tool, and if it ends up being three generations then you have three tools to manage. Not only is the customer stuck with these tools, they are in harm’s way if they decide not to update or switch out these tools, which blows back on the MSP because they were managing it.
DataEndure’s security platform is designed to be an OEM approach to the vendor relationships. It’s designed to include the licenses and technologies that the end user and their customers–the MSPs–take advantage of without having to do the due diligence around selecting the tool, changing the tool, and getting everything up to speed. It’s a huge lift in terms of the effort our teams have to put into architecture and design.
Having looked at several reports, what MSPs are dealing with nowadays is automation and accelerating services so they can then redeploy their people in the right direction and on the right tasks. Automation is key for MSPs, but which Monitoring Services can be automated? Automation has come to mean a lot of things over the years. In the early days, automation was about onboarding or off-boarding. Moving forward, it has shifted to what is now called DevOps: automating the creation of infrastructure and its repeatability, or treating infrastructure as code, so that configurations can be managed more easily. Over the last five years, DevOps has not been so much about the provisioning of security as about the automation around the response to security incidents. It’s not just about deploying security, but about managing what happens when there is an incident and automating the response to that incident, or automating the triggering of investigations so that 80 people are not involved in identifying and threat hunting within their environment.
Building the SOC is expensive and it takes a lot of human resources and training. Analysts cannot operate for two months from the time they are hired, assuming they have three years of experience before they even start. They are hired and cannot add any value to the team for two months, and then once they hit the ground, they are the junior resources and have to grow their skills in how to threat hunt. You can’t possibly scale without what we like to call augmented intelligence instead of artificial intelligence. It’s deep machine learning correlation rules, and when it comes to creating those correlation rules, you can’t rely on the vendor. There are rules, configurations, and additional machine learning in our platforms that none of the vendors implement on their own, and we often have dialogues with our vendors saying, “You’re not catching this. We’ve created rules to do it, why don’t you make it standard?” to which their response is that it is not something that makes sense. In reality, it has protected our customers. We see an attack, implement all the IOCs for that attack in a monitoring mode in our endpoint tools and in our SIEM, along with all the correlation rules that determine threats. If we see it in any customer, an alert is created, and we dig deeper and create automated responses. Isolation of systems and networks has to come together across the portfolio of tools.
We’ve got the same problem any organization does: we have 30 products in our technology stack. Managing 30 consoles is hard, so how do you get that level of integration by all of these correlation rules? The data must be integrated so that it is coming into a central source. You have to be able to identify threats that are coming in from multiple sources and correlate them so they all line up to say that there is an attack on a particular system. Ultimately, our goal is to take six months of dwell time down to six minutes, and that’s a huge step forward for any security organization.
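The correlation described in the last two paragraphs, as an added example that is not DataEndure's code: IOC hits are collected in monitor mode from several consoles, and an alert is raised only when hits from different sources line up on one customer's host inside a time window. The event layout, the six-minute window, the two-source threshold and all sample values are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed watchlist: documentation-range IP, placeholder domain and hash.
IOCS = {"ip": {"203.0.113.50"}, "domain": {"bad.example"}, "sha256": {"a" * 64}}
WINDOW = timedelta(minutes=6)  # assumed correlation window
MIN_SOURCES = 2                # distinct consoles that must agree before alerting

# Constructed, already-normalized events:
# (timestamp, source console, customer, host, indicator type, value)
EVENTS = [
    ("2024-01-10T09:00:05", "edr", "acme", "ws-14", "sha256", "a" * 64),
    ("2024-01-10T09:02:40", "dns", "acme", "ws-14", "domain", "bad.example"),
    ("2024-01-10T09:03:00", "dns", "acme", "ws-14", "domain", "intranet.example"),
    ("2024-01-10T09:04:10", "firewall", "acme", "ws-14", "ip", "203.0.113.50"),
    ("2024-01-10T09:01:00", "firewall", "acme", "ws-22", "ip", "203.0.113.50"),
    ("2024-01-10T09:00:00", "edr", "globex", "db-01", "sha256", "a" * 64),
    ("2024-01-10T11:30:00", "dns", "globex", "db-01", "domain", "bad.example"),
]

def ioc_hits(events):
    """Monitor mode: keep events whose indicator is on the watchlist; block nothing."""
    return [e for e in events if e[5] in IOCS.get(e[4], set())]

def correlate(events):
    """Alert when MIN_SOURCES distinct consoles report IOC hits on one host within WINDOW."""
    by_host = defaultdict(list)
    for ts, source, customer, host, _type, _value in ioc_hits(events):
        by_host[(customer, host)].append((datetime.fromisoformat(ts), source))
    alerts = []
    for (customer, host), hits in sorted(by_host.items()):
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > WINDOW:  # slide window forward
                start += 1
            if len({s for _, s in hits[start:end + 1]}) >= MIN_SOURCES:
                in_window = [h for h in hits[start:] if h[0] - hits[start][0] <= WINDOW]
                alerts.append({"customer": customer, "host": host,
                               "first_seen": hits[start][0].isoformat(),
                               "sources": sorted({s for _, s in in_window})})
                break  # one alert per host is enough to open an investigation
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

The single-source hit on `ws-22` and the two hits on `db-01` that are hours apart stay in the hit list for hunting but do not raise an alert.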
The common theme discussed in MSP industry conferences is to separate the technology stack from the security staff. There’s a lot of guidance from the mentors in the Managed Services space to the MSP owners around separation, and not just including it. If you just include it in the services you bring to market, it becomes difficult to identify what is being done and allows the customer to think they need to do something for it, whereas if you separate it into an advanced technology stack focused on security and the standard technology stack focused on support and infrastructure, then you have the ability to cover your customers with the advanced stack. If you’re just doing it, the CISO that comes into that organization can say it’s not enough, and that more needs to be done. It gets obfuscated too many layers down, so our real ability to help in terms of that differentiation is our distinct set of services and tools that align with all of the industry acronyms. Our MSP partners have the ability to just grab those, run with them, and white label them as their own services, so that we become the OEM to them and become an extension of their security team.