Cybersecurity Whiz: MSPs Should Develop Threat Detection and Response Practices

MSPs would be wise to double down on security and take advantage of the greenfield opportunities around managed detection and response (MDR) in the SMB space, according to an industry expert.

Just 15 percent of enterprise and midsize organizations will have their own MDR services by 2020, creating an opening for MSPs to deploy programs like CrowdStrike or FireEye on behalf of the end user, according to Mike Buratowski, senior vice president of cybersecurity services for Bethesda, Md.-based Fidelis Cybersecurity.

"You have that opportunity to pivot, because by 2020, the midmarket isn't even saturated," Buratowski told more than 700 attendees of Continuum's Navigate 2016 user conference Thursday. "If you can monetize something like that, it's huge."

[RELATED: Continuum CEO: 6 Steps MSPs Must Take To Increase Their Valuation]

Sponsored post

MDR services are still mostly focused on the enterprise and upper mid-market, Buratowski said, meaning that MSPs can beat the competition to the punch by extending MDR services to SMB customers.

"The opportunity is pretty big for you guys," Buratowski said. "It is an easy pivot to be an MSSP."

A strong incident response team involves far more people than the typical MSP initially realizes, Buratowski said. In addition to a client's CEO, chief financial officer, general counsel and human resources director, Buratowski said it's absolutely critical for clients to bring in a public relations specialist with expertise in crisis communications.

Firms that suffer an incident would be wise to explain what happened, how the company responded, and provide enough information to ease customer concerns, Buratowski said.

"You need to message this," Buratowski said. "If I don't know what's happening, the absolute worst gets plugged in."

Attorneys can also help with messaging, Buratowski said, both from a public relations and a legal protection standpoint. Additionally, Buratowski said any phone or email conversations that include an attorney typically don't have to be turned over during discovery and aren't admissible in court due to attorney-client privilege.

"If you have an attorney in the conversation, then it's covered," Buratowski said.

From a legal standpoint, Buratowski said an MSP should go beyond achieving mere compliance and instead strive to have what could be considered a responsible amount of defense for a company of its size and revenue. Being able to assert you had reasonable protections in place will provide a much stronger defense in court or against a class-action lawsuit, he said.

One of the most valuable things an MSP can do is build strong relationships with law enforcement prior to an incident. Specifically, Buratowski said MSPs should get to know their local representative from Infragard – a collaboration between the FBI and private sector focused on sharing security information – as well as a police department representative in the computer crimes unit.

MSPs can also benefit from establishing relationships with cyber-insurance providers as that market comes into its own, Buratowski said. Traditional insurance agencies don't have enough actuarial data to properly calculate the risk around cybercrime, so Buratowski encouraged MSPs to partner with the insurance agencies and provide data in exchange for discounted rates for themselves and their clients.

The partnerships won't necessarily increase revenue for MSPs, Buratowski said, but they can provide an equivalent boost to profitability by decreasing costs.

Finally, Buratowski said MSPs must have a good baseline of what normal activity looks like on their clients' systems so that they can immediately recognize if strange events are taking place.

"If you don't have a baseline of what 'system normal' is, how are you going to know when there's an anomaly?" he asked.

GTI, a Continuum partner based in Foothill Ranch, Calif., is focused primarily on protecting client data, but would be interested in getting into detecting and resolving threats, according to its president, Ali Karimi. He said he is looking for larger partners to work with in developing a full-fledged security practice since GTI doesn't have the staffing to provide end-to-end security services on its own.

Similarly, Interphase, of Blue Bell, Pa., had been focused on providing security protection, and is just now starting to get involved in incident response, according to Jon Prange, managed services director for the Continuum partner.

Interphase still needs to fully formulate and work through the details of its incident response plan, Prange said, particularly as it relates to enlisting the help of legal and public relations experts.