Managed service providers (MSPs) have proved invaluable for companies that want to focus on their core business by outsourcing IT and security needs to experts who can keep them protected from everyday threats. Your MSP clients prize the ability to avoid major capital expenses to scale their technology environment as they grow and change, and to add emerging tech capabilities when the need arises. You have most likely heard from clients, especially smaller businesses (SMBs), that they need technical help from you beyond infrastructure and applications. Among the most critical challenges they face is finding reliable assistance with cybersecurity.
In this year’s Verizon Data Breach Investigations Report, 58 percent of the victims were classified as small businesses. A survey of small businesses (under 300 employees) by Nationwide found that 57 percent of owners do not have a dedicated employee or vendor monitoring for cyber-attacks. In the same survey, 20 percent of attack victims spent $50,000 or more to recover and required more than six months to get back to normal.
The costs of recovery and loss of data are often insurmountable, especially for smaller companies. SMBs usually don’t have the security or public relations expertise to respond effectively to incidents, and often do not have sufficient backup and disaster recovery systems in place, making them especially vulnerable to ransomware.
MSPs that haven’t yet built an information security practice may be subject to similar risks, and often share the responsibility and costs related to SMB clients’ vulnerabilities. A failure to protect your clients may seriously damage your MSP’s reputation and affect your business financials.
Most MSPs settle on providing only the most essential security components to defend against everyday threats; these typically include antivirus, email scanning, network firewalls, and similar protections. You may decide to take this approach in your MSP business in order to offer a new chargeable service, to reduce the cost of remediation via a Remote Monitoring and Management (RMM) feature, or to augment service commitments.
However, you might want to go beyond the bare essentials (i.e., AV, firewalls) to provide your customers with a more powerful combination of endpoint protection, monitoring and threat detection, compromise assessment, forensics, and incident response. If your MSP is currently focused on core IT tasks related to managing customer environments, deciding to ramp up to this next level of security offerings is no minor undertaking.
Your MSP’s new security offerings will be most successful when your carefully considered plans account for all types of associated costs. Inevitably, there will be hidden expenses, especially when it comes time to respond to an infection that wasn’t prevented by AV. Not-so-obvious costs include, but are not limited to:
- Time spent diagnosing the issue and performing root cause analysis
- Time spent cleaning, reimaging, and replacing infected endpoints
- An unhappy and unproductive customer
- Lowered customer trust and credibility
- Public relations, legal, regulatory, and notification costs
Beware of assuming that you can “set it and forget it”. Deploying one or more mainstream security solutions is not sufficient to cover you or your customers. At the end of the day, signature-based solutions rely on detecting the presence of malware based on its similarity to previously seen malicious programs. What happens when malware is smart enough to avoid detection?
The majority of malware today employs one or more techniques to avoid detection. There are hundreds of thousands of such evasive techniques; many are readily available to download from the Darknet. As these insidious methods become simultaneously more sophisticated and more widespread, the effectiveness of detection-based solutions is further undermined.
Types of evasive techniques include:
- Staying under the radar of security vendors by testing the target environment to see if it has certain defenses in place. If the malware sees something it doesn’t like, it just won’t run, extending its lifespan in the wild before security vendors fingerprint it.
- Embedding itself within document files that appear to be work-related, then leveraging Microsoft Office macros and other scripted languages to execute malicious code. This allows malware to blend into its environment in a way that most AV products won’t detect.
- Injecting itself into the memory of legitimate applications to avoid the use of files (which could be scanned) and to reside inside processes that AV considers good (thereby making the malware look like something as benign as Notepad).
Antivirus solutions will stop nearly every routine, non-evasive malware attack. It’s the evasive malware that’s going to eat up your time, energy, and profits.
The simplest, most effective way to avoid recovery costs is two-fold: first, ensure you have the best possible chance of malware never getting a foothold on your customers’ endpoints. Second, minimize remediation work by ensuring early detection and containment of infections, breaches, and ransomware.
There are a few high-level ways to accomplish this:
- Think Layered Security — A single solution or methodology is far too easy to bypass. Think along the lines of multiple solutions, such as endpoint-based AV, an email gateway, web scanning/filtering, etc. At a minimum (i.e., for an RMM offering), consider AV solutions that employ multiple approaches (signatures, heuristics, behavioral, computer-based learning, etc.) to identifying threats.
- Address Evasive Malware – Implement a solution specifically designed to fight evasive malware. To be clear, this is not a replacement for customer endpoint protection (or any other component), but a means to strengthen AV and cover gaps created by evasion techniques in order to prevent as many malware attacks upfront rather than chase detection-based alerts.
- Have a Response Plan Ready – MSPs intent on putting a security service offering in place need a plan of what’s going to be done when (not if) a breach or attack hits. You should have this plan ready before you define your service commitments, so that you know what you will be doing and what your customer can expect. This plan is critical to keeping the recovery workload to a minimum.
- Include Backup and Recovery – Security solutions can fail. It’s imperative to have backups of and a recovery plan for critical endpoints, servers, applications, and data sets in the event of an attack that involves infection, encryption, or data manipulation.
By leveraging a combination of security solutions that address both non-evasive and evasive malware, you keep malware out — resulting in a more predictable workload, an increase in your techs’ productivity, a more profitable MSP business, and happier customers.
