It’s no secret why small and medium-size businesses (SMBs) have become attractive targets for cybercriminals. SMBs rarely have the resources or expertise to build expert in-house security organizations, but the data in their infrastructures can be just as valuable as that of larger enterprises. The result is an uneven battleground, where modern threat actors are not only more technically sophisticated than their SMB targets, but often better resourced.
In response, SMBs have increasingly turned to a new partner to defend against evolving threats: managed security service providers (MSSPs). It’s an open secret, however, that most MSSPs serving smaller clients are SMBs themselves. They don’t have the resources of huge global security vendors, but their clients still expect them to operate at that level in protecting them from threats. For the most part, they do. Indeed, the evolution of MSSPs into highly effective, proactive partners in modern threat defense has been one of the most impressive cybersecurity success stories of the last several years.
Recently, we spoke with several MSSP leaders about how they’re navigating the security landscape, the changes they’re seeing among clients, and how they’re preparing for the next attack.
Staffing, Cloud Visibility Named Biggest Historic Barriers
When we asked MSSP leaders about the biggest challenges they’ve overcome, they pointed to the mismatch between the vast amounts of information that must be continually analyzed and their relatively small security operations center (SOC) teams.
“Our biggest struggle historically is just executing a true 24/7/365 security program and maintaining the expertise to power comprehensive incident response,” says Colby Rogness, CTO of Complete Network Integration in Richmond, Virginia. “That talent is really hard to find and build, and also expensive.”
MSSP leaders also pointed to explosive growth in clients’ adoption of cloud infrastructure and applications like Microsoft Azure and Google Workspace, which, until recently, were challenging to protect with their toolsets.
“We saw a fivefold increase in attacks in the cloud and, for a long time, we could only handle them after the fact, which just wasn’t good enough,” says Stephen Hicks, Security Practice Manager for Endsight. “We had clients who took every one of our security recommendations, drank the Kool-Aid, did everything we said they should be doing, and they were still successfully attacked.”
As clients moved more of their day-to-day operations to the cloud, the lack of visibility became a widening gap—and a significant source of stress within MSSPs.
“It was like living with your hair on fire,” recalls Michael Pfaff, director of operations for Network Data Security Experts. “You’re always looking over your shoulder. I would go home at the end of the day and sit down to watch TV with my wife or spend time with my kids, and I’d ask myself, ‘Am I OK to look away? Even just for the evening?’”
Embracing Proactive Protection
Fortunately, the industry has made huge strides in all of these areas. The evolution of managed security tools, in particular, has helped MSSPs build more effective anomaly detection and rapid response capabilities. No change has been more important, however, than the broad industry shift towards proactive defenses.
“The ability to recognize a potential threat in progress has been one of the most important achievements we’ve accomplished for our clients,” says Pfaff. “The growth of technologies to look for these threats, and the skillsets of the people getting in front of them, have come a really long way.”
That change is embodied in modern toolsets like managed detection and response (MDR) solutions. By augmenting traditional endpoint defenses with deeper real-time visibility and analysis, MSSPs can now detect threats even in cloud environments that their clients don’t control. They can also take preemptive action, instead of constantly waiting to react to issues.
“Knowing what’s coming before it hits will stop most of the damage,” says Hicks. “You can reduce an incident from hours of investigation and remediation, talking with insurance companies and lawyers and clients and federal regulators, down to a 15-minute intervention.”
Among their most valuable proactive capabilities, many MSSPs now specialize in validating client environments against security and compliance frameworks, like the CIS Critical Security Controls and the NIST Cybersecurity Framework (CSF).
“Being able to paint a picture of where a client’s security posture is today, versus where it needs to be, has really changed our ability to compete in this landscape and make meaningful improvements for our clients,” says Rogness. “That visibility can drive budget, policy, user training. Clients know where they stand with their security posture, and they’ve either accepted the risks, or they have a plan in place to address them, with a timeline and budget attached.”
Scoping Current Threats
From their perspective on the front lines, MSSPs often have important insights about how threats are evolving in the wild. Every MSSP leader we spoke with put one trend at the top of the list: increasingly advanced phishing attempts.
“You can tell that threat actors are using AI to make their emails sound more convincing,” says Pfaff. “They keep getting better and better at convincing folks to click that link.”
Phishing threats also increasingly represent one part of a multi-pronged attack, where adversaries steal cloud credentials, like Microsoft 365, and then pivot back to the on-premises IT infrastructure.
“The fluidity of adversaries’ ability to move up and down from a cloud environment to a network and back with ease is a new trust boundary consideration that many organizations really haven’t considered,” says Rogness.
“We’re seeing more attacks using third-party tools as an entry point,” adds Pfaff. “They might not get into the infrastructure, but they can capture access credentials. They can piggyback off of a user logging into a third-party site and do data gathering from there. So, we have to be vigilant about monitoring and filtering DNS, and making sure our clients are practicing good browser security, not storing passwords or OAuth tokens in browsers.”
MSSP leaders also noted growing threats associated with multi-factor authentication (MFA).
“We’re seeing a lot of MFA bypass attacks now, where a user logs into an invisible forwarded website, enters credentials, and then the attacker can do whatever they want,” says Hicks. “We don’t currently have a way to protect against that. All we can do is detect anomalies and shut down the account, which is one of the main ways we’re using MDR.”
“Many of our clients and partners have finally gotten aboard the identity train but, in 2024, MFA is often insufficient,” adds Rogness. “There’s this false sense of security that MFA creates, where people don’t realize that there are a number of widely available and commonly used techniques to bypass it. So, adopting a Defense in Depth methodology is really important.”
The good news is that, even among smaller clients, MSSPs have seen a major shift in security mindset. Combining state-of-the-art tools with better client education, MSSPs are making major strides in leveling the playing field for SMB cyber defense.
“You rarely run into people anymore who believe that nobody is coming after them,” says Pfaff. “That mindset is changing. We’re beginning to see recognition from business owners, even at the SMB level, who now realize, ‘Wow, I could actually lose everything very quickly, so I need to invest in protecting my business.’”
About the Author: Wil Santiago is SVP of the Blackpoint Response Operations Center at Blackpoint Cyber. He has been tracking nation-state advanced persistent threats (APTs) and cybercriminals for 12 years in both the government and private sectors. A US Navy veteran, he has worked for the NSA and the Department of Defense. Wil is experienced in threat hunting, penetration testing, incident response and open-source intelligence (OSINT). In his role at Blackpoint, Wil heads up the 24/7 Security Operations Center (SOC) and the Adversary Pursuit Group (APG).
Edited by Erik Linask