Intensifying Cyber Threats Show Why The ‘Tools Are Not Enough’: Sophos Expert

Sophisticated and persistent attacks linked to nation-states such as China are just one reason demonstrating why MSPs need threat hunting, according to Sophos’ Brittany Deaton.

Sophisticated and persistent cyberattacks linked to nation-states such as China are just one reason demonstrating why MSPs have a growing need for threat hunting services, according to Sophos’ Brittany Deaton.

During a keynote session Tuesday at XChange March 2025, Deaton emphasized that cybersecurity tools alone will often fail to uncover adversary activity—particularly when it comes to nation-state threat actors who are often “two steps ahead of our security tooling.”


Deaton, senior sales engineer for MDR at cybersecurity giant Sophos, walked the audience of MSP executives through a real-world case where a nation-state actor linked to China was found to have infiltrated a Southeast Asian government. XChange March 2025 was hosted by CRN parent The Channel Company and held this week in Orlando, Florida.

There’s no question that while detection tools are essential, the intensification and sophistication of attacks today require a broader approach to security, said Yoel Alvarez, vCISO and senior security consultant at Appalachia Technologies, a Mechanicsburg, Pa.-based MSP.

“You have to come with a layered approach,” Alvarez said. In particular, “that’s where threat hunting comes into play.”

With threat hunting, “the level of visibility that you gain into the environment — and the things that you find you were missing — are where I see the most value of that being implemented,” he said.

Persistent Attacks

Sophos had earlier onboarded the Southeast Asian government onto its managed detection and response (MDR) service, but “what we didn't know at the time is that they were already dealing with [an intrusion by] the Chinese nation-state,” Deaton said.

Even after being discovered, however, the adversaries continued to adapt in order to maintain persistence in the government’s environment, she said.

The “coordinated attack” took place over the course of several years, and “we constantly were rolling out new tooling to block” the attackers, Deaton said.

The case clearly underscores the limitations of relying solely on automated security tools, she said.

“You need hunting. The tools are not enough. The tools are going to miss stuff,” Deaton said. “The tools only work when you say, ‘I have a pattern — block this pattern.’”

Ultimately, “there are people on the front lines of these attacks, and we need to think like people,” she said. “And you need to make sure that you are prepared to respond to attacks when you don't have a pattern of activity that is already recognized.”