ConnectWise Exec to MSPs: Look Past Threat Detection

‘At some point prevention fails. At some point what we’re doing to stop something does not work anymore,’ says Wes Spencer, VP and external CISO for ConnectWise.

Many recent discussions among MSPs and vendors revolve around security, but what happens when prevention isn’t enough and MSPs must implement a response and recovery plan?

“At some point prevention fails,” said Wes Spencer, VP and external CISO for Tampa, Florida-based ConnectWise, at The Channel Company’s XChange+ August event in San Antonio this past week. “At some point what we’re doing to stop something does not work anymore. We have this challenge. We’re trying to come to understand that what you were doing before is not sufficient for today.”

A key point during the talk was around cyber resiliency, which Spencer explained as a measure of a business’ ability to continuously operate and deliver on its intended outcomes despite adverse conditions, stresses, attacks or compromises.

Only 47 percent of SMBs can detect a breach within days or less, he said from a Verizon Data Breach Report.

Spencer said he’s worked with many MSPs that have been breached, and there’s a comment they all frequently say: “I had no idea this was happening.”

“We have a visibility challenge in this industry,” he said.

[Related: Ask A Solution Provider: What’s The No. 1 Threat To Your Business?]

He said the hardest part is communicating that, even though the client doesn’t see them, there are vulnerabilities in the system that must be addressed.

“It’s less about you and more about your plethora of clients,” he told a room full of MSP executives.

The typical ransomware outage is about 16 days, or more, according to Spencer.

“We’re smaller,” he said of MSPs. “We‘re not as well-resourced as threat actors are today. They certainly have a lot of advantages.”

They key, he said during his speech, is knowing the process.

But vendors can’t solve the problem, he said. They can augment the issue. It’s important for MSPs, though, to ask themselves where the gaps and challenges are they see when it comes to cybersecurity.

“Cyber resiliency is all about when something happens, what is going to be done about it and to continuously operate through these adverse situations,” he said.

And it’s not all doom and gloom, he told MSPs. It’s about how the situation is handled and the success an MSP has coming out on the other side.

Another challenge in security is people.

“It’s what I call meatware,” he said. “We have hardware, software and then we have meatware.”

“When we start getting past identification, and we get past prevention as control sets and we start delving into maturity into detection and response recovery, we realize it’s a little bit more people-intensive than we thought,” he said.

That’s where it gets difficult, he said, because many more resources–people­­–are needed.

When prevention fails, detection picks it up. But what are MSPs doing about detection, Spencer asked.

A threat actor goes through many steps to get into a server, so he said there is time to detect something and then implement a response and recovery measure. While prevention is important, detection is critical.

“When we put an alarm system in our home, the alarm system tells us when someone is probing the home to say that we‘re seeing signs of something odd. That’s the purpose of it,” he said. “And your job is to say [to clients], ‘That’s what we’re doing for your network.”

What happens next is all about response and recovery, he said.

“It‘s about you going down this journey. What does this response look like? Do I have a response plan? Do I test it? Do I know how to isolate a host?” he said.

Sandra Batakis, founder of Sandra Network, a Peabody, Massachusetts-based MSP, attended the session and said it’s always good to learn how about cyber resiliency.

“I’m just always looking for different inputs on how to approach security,” she said. “I’ve got the antivirus, I’ve got firewalls, I’ve got ransomware protection…but what am I missing?”

As she’s not a ConnectWise partner, she said it was good to sit in and listen how a different company is approaching cyber security.

“As a business owner, I’m also looking at how they’re displaying information that we can go to their site and see all the things that they’re doing,” she said.