A journey, not a destination: how MSPs can build a robust cybersecurity service, with Harri Hadjikyriacou

A security operations center, or SOC, is essentially a team of cybersecurity analysts. We often say you can never compare apples to apples with SOCs—they come in all different shapes and sizes. But ultimately, it’s a resource that an MSP or a customer can use to offset that cybersecurity strain on their own teams by leaning on a team of experts.

Typically, it’s a 24/7 team who are keeping an eye on everything all year round, all night and all day.

For us, XDR—Extended Detection and Response—encompasses that extended visibility. It’s looking at everything within the infrastructure, wherever it might be, whichever vendor may be providing it. There are going to be gaps and holes in your infrastructure, regardless of what tech is in use. EDR (Endpoint Detection and Response) is really good at focusing on that one specific area and looking at the risks and the misses and the gaps within endpoints. Whereas an XDR goes one step further—what’s going on in your Cloud environment, your switches, and your network.

It goes further and looks across the entire infrastructure to cover off any gaps. 24/7, or proactive monitoring, is at the heart of it.

The SOC works as an extension to an MSP’s team. Ultimately, the SOC needs help as well—they need tools to help them do their job. So our XDR includes a SOC.

The important bit is, not only is it outsourcing for MSPs, but it’s also the reassurance that all the tools are there: SIEM tools and SOAR, as well as things like threat intelligence platforms (TIP) and AI-based technology—stuff that becomes a critical part of compliance, certifications, insurance. We’re getting more demand for this. So knowing that your XDR service is ticking a lot of those boxes can really help an MSP.

[Note: For those who are new to the game, SIEM is Security Information and Event Management, and SOAR is Security Orchestration, Automation, and Response.]

Everyone! I know that’s generic and very vague, but anybody with security concerns and security risks. The reality is everyone has security risks. I think what we see and what our MSPs tell us is that there’s a huge difference in customers’ understanding of that and their appetite for change, so that is something we certainly help our MSPs with.

Then there’s MSPs who’ve got limited internal security teams, and MSPs who are looking to consolidate if they’ve got a lot of different products. And what we’re seeing more of is XDR becoming a requirement. We’re seeing more customers saying, “My cyber insurance is asking me about XDR and NDR [Network Detection and Response] and what I am doing around there”. So we are seeing it become more mandated.

I think the beauty of an MSP is that they can really help drive their customers on this. An MSP is a trusted advisor, helping drive and support their customers through those questions and ultimately adding the security.

No two MSPs are the same. And ultimately, no two customers are the same. It can be a bit cheesy, but it’s a journey, not a destination, because it’s evolving. The IT landscape has changed hugely in the last 10 years. Our threat landscape has changed. We’re not up against kids just trying their luck anymore. Sometimes, that is the case, but there’s a lot of geopolitical attacks happening, with crime organizations launching cyberattacks. So the reason cybersecurity is a journey is because it’s always changing.

What we do at Barracuda is try to make sure we’re one step ahead of the attackers. But we’re driven by the attackers—if they suddenly change their approach and their methods, we’ve got to keep up with that.

We aren’t going to finish cybersecurity one day. We don’t go, “Right, you’ve finished it, you’ll never be breached”. It’s always changing, always evolving, and we’re always working hard to make sure our MSPs as well as end users have the education they need to stay secure.

I think it depends, customer to customer. Every customer is going to have different goals. Customers need to identify what’s going on in their infrastructure, understand what their key assets are, where their critical data lives. Being aware of that is Step One.

StepTwo is to protect. What are you putting on top of it? What compliance requirements are you putting in, what policies are you arranging and what solutions will add that protection?

Next, it’s detection. The 24/7 piece, that monitoring. Then the response—what does the MSP do next? And then, it’s recover. This is something we very much follow. Each of those pillars is equally important. We would never say to a customer, “Well, you’ve got a backup now, so get rid of your firewall”. That’s just not how it works.

The reason I love this kind of framework is because ultimately, we’re all doing our best. No one product is 100% effective. No vendor will claim their product is 100%. Risk is always there and having that backup piece really shows customers why it really matters. So that’s what I’d say good looks like. We get customers who do a variety of those different options, but we’re always driving them to tick every single bit.