Microsoft 365 Security Exec Rob Lefferts On MSSPs: ‘I Want Them To Make More Money’

‘If they have more powerful tool sets, then you can turn those analysts and force multipliers to cover your ground and you’ll be able to have more customers and you’ll be able to make more money,’ Lefferts tells CRN in an interview.

Rob Lefferts, corporate vice president of Microsoft 365 Security, wants to help the tech giant’s managed security services providers make more money by simplifying customer acquisition, improving analyst training and providing new capabilities for Microsoft security products, including software interfaces that allow more intelligence integrations.

“If they have more powerful tool sets, then you can turn those analysts and force multipliers to cover your ground and you’ll be able to have more customers and you’ll be able to make more money,” Lefferts told CRN in an interview.

He continued: “Wherever there is a new idea about a new capability that we can offer that lets the MSSP show off more value to the customer, then they get to make more money.”

Lefferts – who’s been at Microsoft for more than 25 years – caught up with CRN during RSA Conference 2022, held in person in San Francisco with parts streamed online.

He weighed in on the importance of MSSPs not only to Microsoft’s security go-to-market strategy, but also to the Redmond, Wash.-based tech firm’s desire to provide more security to small and midsize businesses (SMBs).

Lefferts told CRN about co-selling, co-marketing and training resources available for MSSPs and sought to assuage any concerns around Microsoft’s repeated appearance in headlines over product vulnerabilities.

“Microsoft has a broad portfolio,” he said. “We build platforms, we build some of the most used platforms in the world, Windows, Office and Azure. And so those are complicated and they have bugs. And whenever we see them, we fix them.”

He wants users to know that Microsoft views its security tools as beneficial to environments with a variety of vendors – not just within Microsoft environments.

“As you look at adding new little niche projects to solve problems, but also, as you look at our suite of stuff – it’s our strategy that you can pick up any one of those components and have it bring value and solve a problem and integrate with the rest of your stack,” he said. “It is not like you have to rip everything out and go Microsoft. I sometimes hear people say this, ‘Well, if you’re a Microsoft shop then it’s great.’ That’s not a thing. There is no such thing, and that’s not my strategy. My strategy is that you could deploy endpoints or identity or SIEM (security information and event management) and have that component bring value into the environment you’re already running.”

Here’s what else Lefferts had to say.

How important are managed security services providers to Microsoft’s go-to-market?

The name of the game with security is it’s overly, incredibly complicated. The stakes are incredibly high, and so customers are just under a lot of stress. I like to joke around – I say, ‘Nobody likes security. Like even the people who are in it.’ But it’s economics, it will just keep going.

And so in the face of all that, customers are really looking for trusted advisors. I’m super excited about Defender experts because I think we’ll be able to engage more directly with customers and get that relationship.

But the fact of the matter is, we’re not going to be the trusted adviser for everybody on the planet. Not even most – let’s just be honest and clear.

Forget the business and go to market, that’s all important, but I want to connect with customers and protect them. Most of those are going to be through partners. My first advice would be – find someone you trust and find someone whom you can rely on to give you good advice.

We will have skin in the game with Defender experts, we will absolutely be driving that flywheel, but a lot of it is honestly about making that platform more capable so it’ll be easier for our partners, and they can be more confident that they actually are protecting their customers so that their businesses flourish.

Any advice to partners on keeping up with new cybersecurity training from Microsoft?

The last stat that I heard was something like 50-plus products and technologies in the security space, so it is insane.

Since we’re specifically on the MSSP angle, starting with our advanced SOC tools – SIEM plus XDR (extended detection and response), Sentinel and Defender – and learning about those is a concrete way to make sure you’re up to speed on the tech.

Everything that we’re doing is driven through those products. And so even as we think about Defender experts, we think about the human intelligence being channeled through the product, so it shows up like alerts, and incidents show up in the console.

And that’s keeping track of the ways in which Defender experts are helping you in the remediation, it all shows up in the console and through the APIs … that’s the way to get going.

I would love to see a future where – as we think about Defender experts – that becomes something our partners can rely on, they can just tell customers, ‘Yep, we’re powered by Defender experts,’ and they’ve got all of the insight and intelligence that we’re offering, they have that that they can communicate directly to the customer and own that customer relationship and drive that customer experience and then be that trusted advisor.

What do partners need to know about the Microsoft Intelligent Security Association?

So MISA … that’s hundreds of partners (about 300 partners in MISA as a whole, with 100 MSSPs eligible for multimillion dollar investments in co-sell and co-marketing opportunities) and it is more than just APIs. It’s also very much about partnering with partners on their business, how they go-to-market and how we can help spread the word.

Some of that’s as simple as marketplaces, but a lot of that is about, ‘Hey, let’s make sure that the rest of the ecosystem understands what you’re doing.’

And it’s one of those things where, as I look across the breadth of the people who are engaged in MISA, it’s actually gratifying. … Because the goal is quite simply – protect the customers.

And so anybody who wants to work with us, we’re open. We are definitely interested in any idea about somebody who wants to work in a new unique and different way to protect some customers.

Do you want to see more partners in MISA?

Yes. More partners means more customers protected.

I will tell you the metric that I would love to see – that I will never be able to actually figure out because it’ll just be too complicated – is, I would love to make sure that our partners are making more money.

If I could find some way to just add up the amount of money that our partners are making on top of the platform, that is the metric of success. That’s winning for me. … The message of this is in service of actually protecting customers. … I want them to make money. I want them to make more money. I want to make it easier for them to make more money. But at the end of the day, let’s keep our eyes on the ball on how we actually keep these customers safe, and that’s how we end they will have returned customers.

There’s this funny tendency in the security industry for companies to vanish. Things turn, and if you aren’t actually delivering value, protecting your customers, things will turn against you.

So let’s make sure that we are playing the long strategic version of this and that we’re thinking about how we’re going to be helping customers a decade from now.

How are you working to help MSSPs make more money?

One is, I want to make it easier for them to find new customers. And so certainly like, ‘Oh, I’m going to connect with customers who are using Defender products and I’m going to offer them services.’ That’s a target-rich environment to go look at – to ease and accelerate the sales cycle.

The second is I would like to make their analysts more efficient. … (With one in three security positions globally unfilled), if you’re running an MSSP shop, the bottleneck you are actually facing is can I hire talented individuals to actually help me do the monitoring of these customers?

So if they have more powerful tool sets, then you can turn those analysts and force multipliers to cover your ground and you’ll be able to have more customers and you’ll be able to make more money.

And then the last thing is new capabilities. I want to offer them the ability to do more. And we build some of that in the product, like you have access to remediations inside the product.

We’re building APIs so that they can actually integrate their intelligence into the product and deliver that experience to the customer.

Wherever there is a new idea about a new capability that we can offer that lets the MSSP show off more value to the customer, then they get to make more money.

What’s helping the hiring bottleneck, if anything?

There are formal academia programs for this – I’m gratified at the rate at which they’re spinning up. I think academia has caught on that there’s a problem and so they’re building more programs.

There’s also more informal skilling – some of that is like our certification programs.

And then the last thing is finding the breadth of talent. There’s a stereotype of a security analyst type, and we could go broader. We could pull more people into the funnel.

What would you say to MSSPs that are interested in investing in Microsoft security as a practice but are concerned by all the headlines around vulnerabilities?

First is – you see incidents in the news. Microsoft has a broad portfolio. We build platforms, we build some of the most used platforms in the world, Windows, Office and Azure. And so those are complicated and they have bugs. And whenever we see them, we fix them.

The conversation about MSSPs and advanced security tools is not about bugs in the Windows platform. Sometimes people think of it that way. But that’s really not the right framing. … The next thing I would actually say is be confident that every single piece of technology you add into your security toolkit actually solves the problem and brings value.

As you look at adding new little niche projects to solve problems, but also, as you look at our suite of stuff – it’s our strategy that you can pick up any one of those components and have it bring value and solve a problem and integrate with the rest of your stack.

It is not like you have to rip everything out and go Microsoft. I sometimes hear people say this, ‘Well, if you’re a Microsoft shop then it’s great.’ That’s not a thing. There is no such thing, and that’s not my strategy. My strategy is that you could deploy endpoints or identity or SIEM and have that component bring value into the environment you’re already running.

That said, there’s also kind of unique and magical things that we can do when multiple ones of these start to come together. And this is where you start to think about – How do attacks actually work? How do bad people think about infiltrating an organization? And the answer is, they aren’t thinking about it one security domain at a time.

They’re not like, ‘Oh, I’ll do this on the endpoint and this in the identity system and that on the email system.’

They’re drawing a graph that cuts all the way through it, and they’re going to look for the least friction path that cuts that path. So the answer is, if you can actually start to pull together visibility that runs across all of that and think about it as a whole system rather than individual pieces, then you can start to do unique and really interesting things.

It’s not just about the email that the person in the finance department got that they got tricked into running the macros in the Excel spreadsheets – because, of course.

It’s not just about the malware that got downloaded, and then it’s not just about the ‘golden ticket’ attacks that got launched from the domain controller. It’s about how those got threaded together. … They call them ‘attack graphs.’ And the whole idea behind this magical thing we can do by combining stuff together is if you can pick up one piece of that attack graph, then you can actually use that and the power of a bunch of machine learning that we built to run an investigation and find all of the other pieces and then you have this generous picture.

Any information for MSSPs on upcoming security services from Microsoft?

We actually laid out a pretty broad roadmap about what the next six-to-12 months is going to look like and things coming into preview. So I’m excited to deliver on that (with more information coming at the annual Microsoft Inspire conference, held July 19 and 20).

Is there room for improvement with the security capabilities available from Microsoft partners, generally speaking?

The answer to that is always, ‘Yes.’ Like, ‘Are you paid enough money?’ … The thing I will say is, Microsoft has been serious about security, but about eight-to-10 years ago, there was a dramatic sea change in what we were doing.

It was this stance of, we need to … keep protecting Microsoft products, but then we also need to think about how we protect the whole estate.

And that really shifted investments eight-to-10 years ago, and then you saw that – it took a long time, but it finally broke through as the picture started to come together.

I want to say three or four years ago, there was a sort of like, ‘Wait a second, Microsoft’s a security vendor.’

What do your partners need to know about adding security as they bring new devices to customers to use cloud and internet of things technology?

Technology is all about making life easier and drawing connections together and making more things possible. And it turns out it also makes more things possible for attackers. So every single one of those good things has the abuse and misuse potential – and a community of people dedicated to finding it.

What’s the takeaway for partners on Microsoft’s big presence at RSA Conference 2022?

It is a conversation about trust. If it’s a trusted advisor … that really does depend on a whole breadth and depth of, ‘Are we doing the right thing with data-handling practices?’

And that’s something that not just Microsoft has to think about … it really requires that if short cuts have been taken in the past, I would take a step back and think about how to address that.

And frequently these things are not cheap. They are difficult and important.

The other things that I would want partners to think about – I appreciate and empathize with the sheer volume of security technology that Microsoft generates. And we’re not going to stop. We’re not going to slow down. We definitely would love to find ways to help make that easier to consume. But it is important to stay abreast of that because, I assure you, the innovation rate among the tech communities is going even faster.

What would you say about the financing of cybersecurity tools, especially for smaller businesses concerned about the price?

There are two motions that I’m really interested in – one is really concrete and one’s a bit more fanciful.

The really concrete thing is in making that advanced security technology become simpler and easier to consume over time so that it’s useful for SMBs (small and midsize businesses).

And actually, we recently shipped – not related to our Defender experts at all – we released Defender for Business, which is essentially a repackaging of that technology in a way that is for SMBs, easier for partners to dock into.

We have this phrase for apex attackers, these are like the most sophisticated nation-states and those are the hardest ones to lock and prevent. We push technology fast at the cutting edge in order to help the customers that are likely targets in those apex attacks.

But over time, it has to become more broadly available. And that’s absolutely a motion that we want to make sure that we push on.

The second thing is, I’ll call it the endless, thankless to-do list of security – I can talk about XDR and SIEM and all this fun, cool, fun for some people … and it’s the news stories, and this hacker did that, and we caught them and we chased them down.

But the endless to-do list is just help customers get on top of patching and turning off open RDP (remote desktop protocol) ports on the internet and making sure that they have gone through the nitty-gritty details so that those attacks don’t work to begin with.

How important are MSSPs to the reporting of new vulnerabilities?

Most of the external reporting comes in from researchers. And so researchers, some of them live in the higher-end MSSPs.

But the issue for MSSPs is that, frequently, they’re contracted to do the monitoring. And so they’re sort of at that point stuck in a box, and I would just encourage them to up the game.

Think about, ‘How are you actually protecting the customer?’ And how do you get out of the box and think about, ‘Oh, I need to help them think about their broader estate.’

Avoid getting comfortable?

Some of that’s not their fault. They frequently get called, like, ‘Please watch the alert streaming off on this piece of UI.’ OK, great.

Any message to MSSPs on improvements to how Microsoft communicates new vulnerabilities and threats?

We have a bunch of in-product technology that we want them to look at.

There’s a feature called ‘threat analytics’ that actually gives them briefings about the things we see on the landscape and cool queries to see.

Again, there’s a ton of informal things that we do, blog whenever one of these comes out.

One of the things that we do pretty intensively now is help customers find where they are vulnerable to new attacks as they come up, and that shows up inside of threat analytics, and it’s built on top of this module called ‘threat and vulnerability management.’

And that’s a place where I would actually encourage MSSPs to be looking. I made that comment earlier about ‘don’t get stuck in the box’ of like, ‘I just cleaned the alerts.’

People literally say this, like, ‘I cleaned the glass – my job is to just get these alerts off the page.’

Go look at that threat and vulnerability management tab and have a conversation with your customer about all the other things they could be doing.