It’s Time for MSPs to Offer Threat Hunting as a Service

Protection from today’s advanced threats needs to be round-the-clock, to keep up with the always-on nature of cybercrime. As enterprises today face attacks from every direction, from vulnerable cloud misconfigurations to devastating RDP exploits, they need to be able to detect and respond to threats quickly, at all times.

With that in mind, and to stay a step ahead of competition, many MSPs are moving beyond a prevention-centric approach to security, expanding their offerings to customers to include threat hunting as a service, in the form of threat detection and response capabilities.

In some cases, MSPs may be best served by building their own security operations center (SOC), but others will find more success outsourcing these activities to a trusted security partner. Regardless of which path an MSP chooses, building a detection and response practice is as much about developing teams and processes as it is about buying products and services.

How can MSPs kick off or evolve their detection and response capabilities–whether in-house, outsourced or mixed–to deliver an effective and well-defined service that performs for both their customers and their bottom line?

Let’s take a closer look at some key areas for MSPs to consider when deciding to offer detection and response services.

Tools, People and Processes

MSPs need to offer measurable and demonstrable protection, detection and response capabilities. This requires tools, people, and process.

In terms of tools, prioritize prevention over detection. Then, make sure detections cover the gaps where machines cannot make an adequate determination. MSPs need to be able to see deep inside the network, gathering information from disparate sources to figure out when and where threats are occurring.

Once that information is acquired, MSPs need adequate manpower to sift through and investigate the alerts that matter. One of the main issues that MSPs struggle with is human capital–threat hunting is complex work, and it’s difficult to recruit, train, and retain the talent needed to perform effective threat detection and response. MSPs simply aren’t going to have a thousand security analysts at their disposal in their SOC who can evaluate the data and prioritize what matters. Outsourcing helps here, but so does establishing effective processes.

How do you make sense of the data, and how do you figure out what to look at, what to prioritize, and what needs action? How do you filter, and, more importantly, how do you avoid filtering out alerts you should have looked at? How do you identify assets and containers and secure them? How do you know when you’ve looked enough, and how do you decide when to act? Answering these questions is difficult, but creating parameters and setting up processes enable MSPs to identify the detection that matters most and determine how to respond.

Responding to threats is another area where the additional resources outsourcing brings can be beneficial, whether the threat needs to be neutralized, isolated, contained or removed altogether. Having more manpower can only support your efforts.

Proactive Security Approach

How can MSPs measure the success of their threat detection and response service? Of course, their customers should experience improved overall security as a result. But at a higher level, it’s all about achieving the ability to be more proactive instead of reactive.

By evaluating the telemetry on an ongoing basis, either internally or through a trusted security partner, MSPs can give customers proactive information about their network and devices. For example, higher memory usage could be a sign that an attack is happening. Or, MSPs may be able to notify customers about events on their network if they’re seeing high volume of alerts generated from a single device, which could be another sign of an attack.

Rather than simply offering services akin to cyber liability insurance, MSPs need to provide effective security capabilities that prevent, rapidly detect and neutralize threats.

This guest blog is part of a Channel Futures sponsorship.