Pre-empting the Adversary’s Next Move: Why Managed Service Providers Need to Level Up

The digital economy is rocketing upwards, thanks to tremendous momentum from pandemic-related pressure to operate remotely in all aspects of daily life. Attracted by the promise of fast, agile operations and the efficiency of as-a-service models, businesses are aggressively pursuing ‘cloud-first’ and ‘cloud now’ strategies as they digitize rapidly. This transformation has only been accelerated by the impact of COVID-19, as organizations have urgently switched to digital tools.

Nowhere is this more evident than among mid-sized enterprises. They are under huge pressure to get mission-critical workloads into the cloud so they can compete with agile born-in-the-cloud start-ups. Gartner predicts that, by 2021, 75% of mid- and large-sized organizations will have adopted a multi-cloud or hybrid IT strategy.

The race to the cloud has huge implications for security, particularly in the mid-market, where many businesses don’t have the in-house resources of their larger peers. This has created demand for a different type of Managed Security Services Provider (MSSP): one capable of proactively protecting the assets of its customers’ extended enterprises and pre-empting attacks in this fast-paced, high-stakes environment.

To understand how cybersecurity demands have changed as a result, and where the MSSP industry needs to focus – both now and in the future – it’s worth taking a look at where the industry has come from.

Reactive, static, behind the curve

In the early days of cyberattacks, businesses were entirely reactive. When an attack took place and malware got onto the network, a post-mortem was conducted to establish how the adversary had gained access and what they had taken. Preventive cybersecurity didn’t exist, and anti-virus wasn’t keeping up.

Incident responders analyzed what was happening on the perimeter, aiming to get better at spotting the tell-tale signs of an attack. What they found was that adversaries were becoming increasingly sophisticated at evading perimeter detection.

At this point, MSSPs were typically selling anti-virus, firewalls and alert monitoring. When malicious activity was spotted, the customer was informed and then had to devise and carry out their own response. As cyber-attacks escalated in volume and sophistication, it was clear that this was not enough. Customers lacked the in-house resources to deal with incidents. They could see their security investment was not paying off: adversaries were circumventing all the appliances they had purchased, and they were only finding out about it after the fact.

Next-gen AV changes the playing field

The emergence of next-generation anti-virus was a huge and very necessary step up as the network perimeter expanded exponentially due to growing digitization. The ability to detect not only known threats but also new threats targeting endpoints gave vastly more visibility into attacker behavior. Telemetry data from endpoints enabled security teams to track the specific types of behavior associated with malicious activity on the endpoint and prevent attacks, becoming proactive instead of reactive.

The availability of this technology saw MSSPs move to offer basic Managed Detection and Response (MDR). Rather than just telling customers that there had been an incident, the MSSP was now proactively detecting threats and advising what needed to be done to fix the problem. For mid-market companies, however, this wasn’t enough, as they still didn’t have the resources to fix the problem in-house. That is what drove MDR to where we are today, where a fully managed response is conducted on behalf of the customer: malicious behavior is isolated, and attacks are stopped or prevented before they can have an impact on the customer. Ultimately, we have visibility of endpoints, we’re analyzing telemetry data and we’re spotting the attempts before they succeed.

The next level up: security that goes beyond MDR

So, what’s next? Enterprises are maturing in their digital transformation. With infrastructure, workloads and IP in multiple locations, cloud and on-premises, they are demanding more than just MDR. They are looking for partners with the capability to hunt malicious threats before they even reach endpoints. This means detecting credential abuse, blocking bad users and eliminating suspicious emails from inboxes before users view, download, and click on them.

This kind of cross-domain detection and response (XDR) capability is what customers are seeking now because it is proactive. Rather than waiting for a malicious email attachment to hit an endpoint and neutralizing it there, when it may already have caused damage, what if we detected that attachment when it reached someone’s email and deleted it instantly from everyone’s email? That way we’re proactively eliminating the problem, removing bad emails before the user becomes a victim.

As an industry, we need to move towards this extension of response capability because we are now in the arena of needing to drive value around customers’ cloud investment. We need to be picking out suspicious behavior, such as signs of credential abuse, and blocking that user before they go on to masquerade as a legitimate user inside the network and install malicious software. We need to be hunting threat actors and neutralizing the underlying tactics they deploy to evade detection and persist in the network. And we need to ensure we are not doing this in a vacuum, but in the context of other data and intelligence that better informs what kind of actions we take and what policies we develop.
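The cross-domain idea in the two paragraphs above (one verdict on a mail attachment drives removal from every mailbox, and endpoint telemetry decides who still needs containment) as an added, illustrative example; this is not BlueVoyant’s code or a vendor API, and the event shapes, hashes and mailboxes are all constructed here.

```python
"""Toy XDR-style correlation of mail-gateway and endpoint telemetry.

Given a set of known-bad attachment hashes, produce a response plan that
purges the attachment from every recipient (opened or not), isolates users
whose endpoint already executed it, and escalates hosts where it was only
written to disk. All data below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class MailEvent:
    message_id: str
    recipient: str
    attachment_sha256: str
    opened: bool          # has the recipient already viewed the message?


@dataclass(frozen=True)
class EndpointEvent:
    owner: str            # user whose host reported the event
    file_sha256: str
    action: str           # "written" or "executed"


BAD = "c0ffee" * 8        # constructed placeholder hash, not a real indicator
MAIL_EVENTS = [           # constructed sample telemetry
    MailEvent("m-1", "alice@example.test", BAD, opened=True),
    MailEvent("m-1", "bob@example.test", BAD, opened=False),
    MailEvent("m-2", "carol@example.test", BAD, opened=False),
    MailEvent("m-3", "dave@example.test", "deadbeef" * 8, opened=True),
]
ENDPOINT_EVENTS = [
    EndpointEvent("alice@example.test", BAD, "executed"),
    EndpointEvent("carol@example.test", BAD, "written"),
]


def xdr_response(mail_events, endpoint_events, bad_hashes):
    """Return a plan with purge / isolate / escalate / prevented buckets."""
    purge = {(e.message_id, e.recipient) for e in mail_events
             if e.attachment_sha256 in bad_hashes}
    executed = {e.owner for e in endpoint_events
                if e.file_sha256 in bad_hashes and e.action == "executed"}
    written = {e.owner for e in endpoint_events
               if e.file_sha256 in bad_hashes and e.action == "written"}
    touched = executed | written
    # Recipients who never opened the mail and whose host never saw the file:
    # the purge reaches them before they can become victims.
    prevented = {e.recipient for e in mail_events
                 if e.attachment_sha256 in bad_hashes
                 and not e.opened and e.recipient not in touched}
    return {"purge": sorted(purge), "isolate": sorted(executed),
            "escalate": sorted(written - executed), "prevented": sorted(prevented)}
```

Running `xdr_response(MAIL_EVENTS, ENDPOINT_EVENTS, {BAD})` shows that bob’s copy is removed before he ever opens it, while alice’s host is flagged for isolation because the file already ran there.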

Time to stop threats before they reach the endpoint

The industry has gone from merely responding to threats on endpoints after they happened, to actively preventing threats on endpoints. Now we need to make the next step up and stop threats before they reach the endpoint. Managing security in this way across the customer’s entire cross-domain ecosystem of assets and networks, wherever they are, is what adds real value.

As businesses continue the journey of rapid digitization and their ecosystems become even more dynamic and complex, MSSPs must evolve alongside them. An approach that values proactive detection and response is essential to deliver a pre-emptive managed security service that is not only fit for the digital economy but enables customers to stay one step ahead of adversaries.

BlueVoyant

BlueVoyant is an expert-driven cybersecurity services company whose mission is to proactively defend organizations of all sizes against today’s constant, sophisticated attackers and advanced threats.

Led by CEO, Jim Rosenthal, BlueVoyant’s highly skilled team includes former government cyber officials with extensive frontline experience in responding to advanced cyber threats on behalf of the National Security Agency, Federal Bureau of Investigation, Unit 8200 and GCHQ, together with private sector experts. BlueVoyant services utilize large real-time datasets with industry-leading analytics and technologies.

Founded in 2017 by Fortune 500 executives, including Executive Chairman, Tom Glocer, and former Government cyber officials, BlueVoyant is headquartered in New York City and has offices in Maryland, Tel Aviv, San Francisco, Manila, Toronto, London, and Latin America.
