Joseph F. Kovar
‘Clients want to be able to figure out how to standardize their stack. The problem that we have is, there are 1,000 security vendors that are out there with a high level of overlap across a lot of those things. And how do we make sense of what we do and what we choose and what we don’t choose, and does it make any sense?’ says Justin Weller, director of product marketing at Blackpoint Cyber.
MSPs looking to provide cybersecurity services to business users need the right tools to stop threat actors before the “boom,” the point at which an attack is actually launched, as well as the tools to help those businesses recover after an attack.
That’s the word from Justin Weller, director of product marketing at Blackpoint Cyber, an Ellicott City, Md.-based provider of a cybersecurity ecosystem powered by 24/7 managed detection and response technology for Windows and Mac devices serving businesses worldwide via MSPs.
Weller told an audience of MSPs and MSSPs at this week’s XChange NexGen 2023 conference in Houston, hosted by CRN parent The Channel Company, that the “boom” is the point on a timeline, stretching between starting to plan an attack and remediating the attack, at which a threat actor has executed that attack.
“We want to deliver an ecosystem of security products that are based on industry best practices, allows you to standardize, simplify, and most importantly, create a high watermark for cyber resiliency,” Weller said. “This is going to allow your businesses to shift their competency as far left of ‘boom’ as humanly possible.”
Tackling security before the “boom” is complex given that there are 1,000 security vendors with a high level of overlap, Weller said.
One way to improve the chances of stopping an attack before the “boom” is defense in depth, Weller said. However, he said, defense in depth is a concept that is continually evolving as new ways are found to attack a network and a single technology like EDR (endpoint detection and response) or firewalls is not enough. And, he said, everyone has their own definition of the term.
The security industry has gotten around those issues by building frameworks, but choosing between frameworks like NIST (National Institute of Standards and Technology), CIS (Center for Internet Security), or CMMC (Cybersecurity Maturity Model Certification), as well as deciding which version of the framework to use, has its own complexity, Weller said.
Regardless of which framework is used, there are five main pillars that MSPs need to make sure they cover, Weller said. Those pillars are largely framework-agnostic, and cover about 80 percent of what MSPs need regardless of their target vertical or industry, he said.
The first pillar is asset visibility, which Weller said rests on a simple premise: if a business doesn’t know what assets it needs to protect, it can’t protect them.
“This is where we’re going to take a look at things like network maps,” he said. “We’re gonna want to make sure we have great documentation. We want RMMs that are going to give us operating systems and software and versioning and those kinds of things.”
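As an added illustration of this pillar (example code written for this page, not Blackpoint Cyber’s tooling or anything from the article): a Python script that reconciles a hypothetical RMM inventory export against a network sweep, so that hosts answering on the wire with no agent, agents that have gone quiet, and out-of-support operating systems all surface as findings. The inventory rows, sweep results, column names, OUI hint and thresholds are constructed assumptions for this example.

```python
"""Asset-visibility check: reconcile what the RMM says is managed against
what a network sweep actually finds.

Everything below is constructed for this example (hypothetical RMM export,
hypothetical sweep, assumed thresholds); it is not any vendor's data format.
"""
from datetime import date

# Hypothetical RMM export: the hosts the MSP believes it manages.
RMM_INVENTORY = [
    {"host": "FS01",    "ip": "10.0.1.10", "os": "Windows Server 2019", "agent_last_seen": "2023-09-18"},
    {"host": "WS-042",  "ip": "10.0.1.42", "os": "Windows 10 22H2",     "agent_last_seen": "2023-09-19"},
    {"host": "WS-017",  "ip": "10.0.1.17", "os": "Windows 7",           "agent_last_seen": "2023-07-01"},
    {"host": "MAC-CEO", "ip": "10.0.1.55", "os": "macOS 13.5",          "agent_last_seen": "2023-09-19"},
]

# Constructed ARP/ping sweep of the same subnet: what is really answering.
NETWORK_SCAN = [
    {"ip": "10.0.1.10",  "mac": "00:11:22:33:44:10"},
    {"ip": "10.0.1.42",  "mac": "00:11:22:33:44:42"},
    {"ip": "10.0.1.55",  "mac": "00:11:22:33:44:55"},
    {"ip": "10.0.1.99",  "mac": "00:11:22:33:44:99"},  # nothing in the RMM knows this box
    {"ip": "10.0.1.200", "mac": "b8:27:eb:12:34:56"},  # Raspberry Pi OUI; someone's side project?
]

# OS strings treated as out of vendor support (assumption: the MSP maintains this list).
UNSUPPORTED_OS_PREFIXES = ("Windows 7", "Windows 8.1", "Windows Server 2008", "Windows Server 2012")
# An agent silent this long is a coverage gap, not a healthy endpoint (assumed threshold).
STALE_AGENT_DAYS = 14
# Tiny OUI table to help triage unknown hardware (b8:27:eb is the Raspberry Pi Foundation OUI).
OUI_HINTS = {"b8:27:eb": "Raspberry Pi"}


def vendor_hint(mac):
    """Return a vendor guess from the first three octets of a MAC address."""
    return OUI_HINTS.get(mac.lower()[:8], "unknown vendor")


def reconcile(inventory, scan, today):
    """Compare the RMM inventory with a network sweep and return the gaps.

    Matching is done on IP address, which is good enough for a static-lease
    server VLAN; on DHCP client ranges match on MAC instead if the RMM exports it.
    """
    today = date.fromisoformat(today) if isinstance(today, str) else today
    managed_ips = {a["ip"] for a in inventory}
    seen_ips = {s["ip"] for s in scan}
    findings = {"unmanaged": [], "not_seen": [], "unsupported_os": [], "stale_agent": []}

    # On the wire but unknown to the RMM: no agent, no patching, no EDR.
    for s in scan:
        if s["ip"] not in managed_ips:
            findings["unmanaged"].append({"ip": s["ip"], "mac": s["mac"], "hint": vendor_hint(s["mac"])})

    for a in inventory:
        # In the RMM but not answering: retired, powered off, or moved without anyone updating docs.
        if a["ip"] not in seen_ips:
            findings["not_seen"].append(a["host"])
        if a["os"].startswith(UNSUPPORTED_OS_PREFIXES):
            findings["unsupported_os"].append(a["host"])
        silent_days = (today - date.fromisoformat(a["agent_last_seen"])).days
        if silent_days > STALE_AGENT_DAYS:
            findings["stale_agent"].append(a["host"])
    return findings


if __name__ == "__main__":
    for category, items in reconcile(RMM_INVENTORY, NETWORK_SCAN, "2023-09-19").items():
        print(f"{category}: {items}")
```

Run against the constructed data, the script reports two unmanaged devices (one of them a Raspberry Pi), and flags WS-017 three times over: it is in the RMM but not on the network, it runs Windows 7, and its agent has been silent for months. Each of those is a different kind of documentation drift, and none of them is visible from the RMM console alone.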
The second pillar, once a business knows what it needs to protect, is to harden its networks and systems, Weller said. This, he said, is basic IT hygiene: controls such as multi-factor authentication and the principle of least privilege.
The third pillar is threat detection, Weller said.
“[Threat actors] are very, very, very good at what they do,” he said. “And they also understand that the number one pull in your guys’ network is most likely not your systems. It’s the people. The people that you manage, getting legitimate IT credentials, mimicking you as the MSP, so when they do get inside, we’ve got to detect them as quickly as possible.”
Once a threat is detected, the fourth pillar, real-time response, comes into play, Weller said. This is because threat actors don’t give businesses much time to react, he said.
“When we’re talking to small to medium sized businesses, it’s usually going to be hours to days,” he said. “They want to get in, get their stuff taken care of, hit, and they want to get that Bitcoin. When we’re talking about nation-state espionage, and we’re talking about enterprise-level spying, those things are going to take a while, because they don’t want to get caught. But for your guys’ organizations, and the ones that you’re most likely managing, they want to get in and get out as quickly as possible and speed matters. So then we have the ‘boom’ here.”
To the right of that “boom” comes the fifth pillar, which Weller called incident recovery.
“Think about things like digital forensics, incident response, backups, even better, BCDR (business continuity and disaster recovery) solutions that are out there,” he said. “Cyber insurance is a big one today. So we want to make sure that we can have this plan built out. And this pillar allows you to limit the blast radius a little bit to help your businesses live to fight another day.”
Threat actors are still using common tools like viruses and malware to launch attacks, so traditional tools like anti-virus and EDR are still important, Weller said. However, those threat actors are also likely to use tradecraft, the kinds of tools security professionals themselves use, to mimic MSPs during their attacks, he said.
“They’re utilizing built in system admin tools,” he said. “They’re utilizing netstat (network and protocol statistics). They’re utilizing legitimate IT tools like advanced IP scanners or open port scanners to identify and map these networks and move and automate their attacks.”
Threat actors know to prepare for their cyberattacks when MSPs are not working, Weller said.
“This is where some sort of a 24/7 security operations center is going to help you out,” he said. “These are not going to be like the SIEM (security information and event management)-based solutions where you’re threat hunting based off of logs. You need something that is detecting this tradecraft real time [so you can say], ‘Hey, I can go ahead and identify an attack as its unfolding, as opposed to after it has already happened.’”
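Added example (written for this page; not Blackpoint Cyber’s detection content or code from the article): a small Python detector that runs over constructed process-creation events and flags a host on which several different built-in discovery tools run within a short window, the living-off-the-land tradecraft Weller describes above, with an after-hours flag for the timing point he makes. The event format, tool list, window size, threshold and business hours are all assumptions for this example.

```python
"""Detect living-off-the-land network discovery from process-creation events.

The events, the tool list, the window and the business hours below are all
constructed assumptions for this example, not a vendor's detection content.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Built-in or freely downloadable tools attackers use to map a network and its
# accounts (the same tools an admin uses, which is exactly the problem).
DISCOVERY_TOOLS = {
    "whoami.exe": "identity and privileges",
    "net.exe": "user, group and share enumeration",
    "nltest.exe": "domain controller and trust discovery",
    "netstat.exe": "live connections and listening ports",
    "arp.exe": "neighbour discovery",
    "ipconfig.exe": "host network configuration",
    "nbtstat.exe": "NetBIOS name discovery",
    "quser.exe": "logged-on user discovery",
    "nmap.exe": "port scanning",
    "advanced_ip_scanner.exe": "subnet scanning",
    "advanced_port_scanner.exe": "port scanning",
}

# Constructed process-creation events, one per line:
# timestamp|host|user|image path|command line
EVENTS = [
    "2023-09-19T10:05:11|FS01|CORP\\helpdesk|C:\\Windows\\System32\\ipconfig.exe|ipconfig /all",
    "2023-09-19T10:05:40|FS01|CORP\\helpdesk|C:\\Windows\\System32\\netstat.exe|netstat -ano",
    "2023-09-19T14:00:02|WS-017|CORP\\bjones|C:\\Windows\\System32\\ipconfig.exe|ipconfig /renew",
    "2023-09-19T14:00:30|WS-017|CORP\\bjones|C:\\Program Files\\LOB\\lobclient.exe|lobclient.exe --sync",
    "2023-09-20T02:14:03|WS-042|CORP\\jsmith|C:\\Windows\\System32\\whoami.exe|whoami /all",
    "2023-09-20T02:14:40|WS-042|CORP\\jsmith|C:\\Windows\\System32\\net.exe|net group \"Domain Admins\" /domain",
    "2023-09-20T02:15:12|WS-042|CORP\\jsmith|C:\\Windows\\System32\\nltest.exe|nltest /dclist:corp",
    "2023-09-20T02:16:55|WS-042|CORP\\jsmith|C:\\Windows\\System32\\netstat.exe|netstat -ano",
    "2023-09-20T02:19:30|WS-042|CORP\\jsmith|C:\\Users\\jsmith\\Downloads\\Advanced_IP_Scanner.exe|Advanced_IP_Scanner.exe /portable",
    "2023-09-20T02:31:02|WS-042|CORP\\jsmith|C:\\Windows\\System32\\arp.exe|arp -a",
]


def parse_event(line):
    """Split one pipe-delimited event; returns None for malformed lines."""
    parts = line.split("|", 4)
    if len(parts) != 5:
        return None
    ts, host, user, image, cmdline = parts
    return {
        "ts": datetime.fromisoformat(ts),
        "host": host,
        "user": user,
        # basename of the image, lower-cased so path and case tricks do not evade the match
        "image": image.replace("\\", "/").rsplit("/", 1)[-1].lower(),
        "cmdline": cmdline,
    }


def find_discovery_bursts(lines, window=timedelta(minutes=10), min_tools=3, business_hours=(8, 18)):
    """Alert when one host runs at least min_tools distinct discovery tools inside window.

    A single ipconfig is daily life; five different recon tools in ten minutes,
    at 2 a.m., is tradecraft. Counting distinct tools rather than raw events keeps
    a looping admin script from tripping the rule.
    """
    by_host = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev and ev["image"] in DISCOVERY_TOOLS:
            by_host[ev["host"]].append(ev)

    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        i = 0
        while i < len(evs):
            window_end = evs[i]["ts"] + window
            burst = [e for e in evs[i:] if e["ts"] <= window_end]
            tools = sorted({e["image"] for e in burst})
            if len(tools) >= min_tools:
                start = evs[i]["ts"]
                alerts.append({
                    "host": host,
                    "user": burst[0]["user"],
                    "start": start.isoformat(),
                    "tools": tools,
                    "techniques": sorted({DISCOVERY_TOOLS[t] for t in tools}),
                    "after_hours": not (business_hours[0] <= start.hour < business_hours[1]),
                })
                i += len(burst)  # do not re-alert on the same burst
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    for alert in find_discovery_bursts(EVENTS):
        print(alert)
```

On the constructed events only WS-042 trips the rule: five distinct discovery tools between 02:14 and 02:20, including a downloaded scanner run from a user’s Downloads folder, all outside business hours. The help desk running `ipconfig` and `netstat` on FS01 at 10:05 stays below the threshold, which is the point of counting distinct tools in a window rather than alerting on any one of them. Lowering `min_tools` to 2 shows the trade-off: FS01 then alerts too, but with `after_hours` false, so an analyst has the context to triage it quickly.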
The goal is to never have to get to the point where incident response is needed, Weller said. Incident response is very expensive in terms of time and money, and leads to a lot of stress, he said.
“There’s not a person in this world, in this room, that got into the MSP community because they were like, ‘You know what I want to do? I want to do some IT crime scene cleanup. That’s what I want to do. I want to make sure that people get breached, and there’s all kinds of stress, and I’ve got to deal with all these people,’” he said.
Instead, MSPs got into IT to keep systems running and businesses moving, which is difficult after a breach, Weller said.
After an incident, MSPs are stuck in the middle of two competing ideologies, Weller said. The customer on one side wants to get back up and running ASAP, but the digital forensics and incident response team wants to keep the system down to find where the attack happened, he said.
“And now you’re in the middle here because you want both,” he said. “You want to get your person that pays your bills back up and running as quick as humanly possible. But you also want to make sure that the digital forensics team has the ability to identify what has happened. The worst thing that can happen is you get them back up and running again and that pinhole was still open that they never discovered.”
MSPs have adopted a wide range of tools including MDR (managed detection and response), SIEM, cloud identity, EDR, application control, and even SOC, Weller said. And, he said, those are good up to a point.
“If you’re threat hunting off of logs, here’s what you’re doing: you’re threat-hunting off of events that have already happened,” he said. “Oftentimes, the attack has already happened at that point in time. If you’ve got M365 logs that are coming through application control, EDR alerts, and a SOC analyst, well, these are all disparate systems that now have to figure out, ‘Is this white noise? Is it not? Is this actionable? Is it not actionable?’”
While Weller said he was not trying to specifically pitch Blackpoint Cyber, he did say the company’s security platform provides tradecraft detection, MDR, 24/7 SOC for Windows and Mac devices, user identity protection, application control, vulnerability management, and ransomware response.
It is important for MSPs to standardize their security stacks and align them to industry standard best practices, whether that is the Blackpoint Cyber stack or another, Weller said.
“Listen,” he said. “I love our stack. It’s orchestrated. We see things. Everything comes into our platform. We see the attacks unfolding as they come along. But if you build [a security stack] yourself, align it to something. That way it’s easy to digest for your customers.”
That lets the MSP show that it is forward-thinking, Weller said.
“[You can say] what we do is we align ourselves to industry standard best practices,” he said. “It allows you to put the cart before the horse. The value is in that, and not in whether or not they caught something.”
Showing clients an integrated capability to protect themselves against possible attacks and recover from a successful attack is the best way to sell such a solution, Weller said.
“In the worst case scenario, the best laid plans of mice and men, right, if [an attack] were to happen, we’ve still got you by taking care of the recovery side of the house as well,” he said. “This is how you sell cybersecurity. Fear, uncertainty, and doubt is a terrible way of selling it. If you spend your entire time talking to your customers about the boogeyman that’s going to come get them, do you want to know what doesn’t happen that often? Boogeymen don’t come and get them that often. Just like buildings don’t burn down that often. Server boards don’t [fail] that often. But I’ve still got to have business continuity and disaster recovery.”
Blackpoint Cyber channel partner Strategic Information Resources has used that company’s approach, including not using scare tactics to sell cybersecurity protection, said Dave Alton, chief technology officer for the Canoga Park, Calif.-based MSP.
“We’ve used that quite extensively trying to educate clients and not scaring the crap out of them,” Alton said. “Sometimes it works, sometimes it doesn’t. But Blackpoint Cyber has done so much to elevate our ability to have a very non-threatening conversation with a client about, ‘Hey, this is what security looks like. This is what security in depth looks like.’”
Framing the conversation that way is critical, Alton said.
“Oftentimes, everything they hear in the news, what they get on CNN or MSNBC or Fox or whatever, is so scary,” he said. “And I don’t want them to be afraid to talk to me. I want them to have conversations about their business. A lot of times, they don’t even recognize that they are at risk. I can’t tell you how many times I’ve heard, ‘Well, my data is not sexy. Nobody cares about my data.’ No, but they care about your money, right? They want your money.”
Shifting the conversation from trying to scare clients seems to resonate with them, Alton said.
“And I have a lot more success with clients saying, ‘Yeah, that probably is something we should do’ versus, ‘Oh, you’re just trying to sell me something.’”