The Do's and Don'ts of Transitioning to a Managed Security Services Model
The global managed security services market is expected to reach $65.5 billion by 2026.
When transitioning to a managed security services model, it’s important to know your install base because that’s where you’re going to be able to start, said WatchGuard’s Mark Romano.
“There are clients out there that you’re either doing that kind of business with or are interested in moving into that style of business,” he said. “Will you be able to offload some of their overhead and provide them with a better service than they could have done on their own? That is one of those key areas.”
Make sure that you’re not going too wide and too fast when transitioning to a managed security services model, Romano said.
“If you go too wide too fast, you have to not only restructure your entire cash flow of your business, but you’re going to have to figure out how do I pay my sales reps differently as well, because they are a true key to your environment,” he said.
To succeed with managed security services, you have to know the value of what you’re selling, Romano said. If you don’t know your value, you’re never going to be able to sell into new business opportunities.
“I always tell MSPs, don’t sell on price, sell on value,” he said. “The price comes along with that. Secondarily, never break up your pieces price by price; [for example], I’m paying this for endpoint security and paying this for network security, and paying this. That then gets you into a debate over price, not a debate over value. Value is the real key because that’s what you’re providing.”
If possible, bundle your security with other IT services, Romano said.
“Most VARs are already doing different things for their customers, and they can now bundle that all together,” he said. “In doing so, you need to figure out how am I going to buy these products so that I have money in my pocket so that I can go ahead and sell those on a monthly basis. For example, WatchGuard has what we call FlexPay. We will allow resellers to buy from us on a monthly basis, so they buy from us monthly, they sell monthly, and it allows them to keep a lot more of the money in their pocket than having to buy a product outright and then sell it monthly. And we have a variety of resellers that have moved into MSP or managed security services that will be in a continuum along that line.”
The managed security services model may be a little bit more expensive up front, but over time, expense to revenue goes down, Romano said.
Setting up a tiered value system for your customers is also important, Romano said. For example, offer bronze, silver and gold service packages.
“It allows you to bring people into your program at a certain price,” he said. “But as their needs change, you already have another package to provide to them. And an important part of those packages is you have to remember to report back what you’ve done. So whether you have blocked a certain attack, you have updated certain patches, you’ve done whatever it is that you’ve done, you need to have either monthly or quarterly business reviews with that customer so that they will remain intact with you. I talk a lot about stickiness in this business as well, and managed services are incredibly steady and predictable, and over time create increased revenue.”
LockBit 2.0 hackers stole client-related documents and work materials in this week’s ransomware attack on Accenture.
According to CyberScoop, LockBit 2.0 threatened to leak more Accenture data after providing purported proof of the breach. Accenture acknowledged the attack on Wednesday, but has downplayed its severity.
However, some reports say that 2,500 computers of employees and partners were compromised.
Justin Wray is director of operations and security at Core BTS, an IT consultancy and managed service provider.
“We know very little thus far because Accenture has declined to comment further on the situation,” he said. “However, this is par for the course, as it is not common for organizations to share extensive detail after a ransomware or cyberattack. We may learn more given strict reporting requirements about attacks involving certain types of data, but we are still early in the sequence of events.”
LockBit is a ransomware-as-a-service provider, Wray said. Instead of executing the attack themselves, they enable affiliates to execute the ransomware attack after providing payment via the infrastructure they’ve created.
While LockBit is highly prevalent in terms of the number of attacks, the actual dollar figures that they demand from affiliates are not as high as those of other established ransomware groups, he said.
“While an important factor of ransomware recovery is to get and restore your stolen data from backups, that’s only the beginning,” Wray said. “Restoring your data doesn’t help if the adversaries have taken your data and decide to leak it. It also does not solve the root problem. It’s essential to ensure your restore point is clean from any type of compromise or external access. Backups do not prevent data theft, so it is important to ensure adversary access is removed and that you do not put a compromised system back into your environment. Additionally, you must address the security gap through which adversaries entered.”
Saumitra Das is CTO and co-founder of Blue Hexagon, a cloud security provider.
“LockBit group has been known to recruit insiders for payout to impact malware or provide open RDP, VPN access as well as credentials,” he said. “While there are reports that an insider was involved in this case, it is not known whether it was via compromise or other means. While the data stolen is claimed to be not high impact, it still is internal data and shows that organizations need to assume infection and focus on external to internal as well as internal lateral threat movement detection and keep an eye out for malware that may already be inside their networks. The perimeter alone will not be able to stop this type of initial access.”
Microsoft has issued an advisory for another zero-day Windows print spooler vulnerability that allows local attackers to gain system privileges on a computer.
This vulnerability is part of a class of bugs known as PrintNightmare, which abuses configuration settings for the Windows print spooler, print drivers, and the Windows Point and Print feature.
In its advisory, Microsoft said a “remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations.”
“An attacker who successfully exploited this vulnerability could run arbitrary code with system privileges,” it said. “An attacker could then install programs; view, change or delete data; or create new accounts with full user rights. The workaround for this vulnerability is stopping and disabling the Print Spooler service.”
Jake Williams is co-founder and CTO of BreachQuest, an incident response provider. He said there is little question that this is a significant vulnerability.
“When a user is compromised via a phishing email, what actors typically don’t have is local admin permissions,” he said. “On unpatched systems, successful exploitation provides that. Once the threat actor has local admin, it’s usually only a matter of time before they gain domain admin permissions.”
The reason there were so many variations of PrintNightmare is Microsoft “desperately wanted to retain the ability for non-administrative users to install printers,” Williams said.
“The reality is that this behavior relies on too many legacy functions in the principal or service, written long before administrative access was a security concern to be performed safely,” he said.
Yaniv Bar-Dayan is CEO and co-founder of Vulcan Cyber, a provider of SaaS for enterprise cyber risk remediation.
“Windows Print Spooler handles all print-related functions, including queuing, managing and canceling print jobs, and runs by default every time Windows boots,” he said. “It remains running in the background until Windows is shut down. This makes it a perfect target since it is certain to be running on nearly every Windows instance. This is a very attractive vulnerability to hackers. Since the print spooler is found on all Windows systems, it is easy to exploit and comes with a massive potential payoff in terms of damage to the targeted systems.”
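The workaround quoted from Microsoft's advisory above (stopping and disabling the Print Spooler service), as an added PowerShell example that is not part of the original article or of the advisory. The function name `Set-SpoolerWorkaround` is hypothetical, and the read-only check of the Point and Print policy values is an addition here for context on the configuration settings the article mentions.

```powershell
# Added example: report Print Spooler exposure and optionally apply the
# "stop and disable" workaround. Run from an elevated PowerShell session.
# Set-SpoolerWorkaround is a hypothetical helper name, not a built-in cmdlet.
function Set-SpoolerWorkaround {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [switch]$Apply   # without -Apply the function only reports current state
    )

    $svc = Get-Service -Name Spooler -ErrorAction Stop

    # Point and Print policy values (assumption: read here only as related
    # hardening context; the key is absent unless a policy was configured).
    $papKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $pap    = Get-ItemProperty -Path $papKey -ErrorAction SilentlyContinue

    if ($Apply -and $PSCmdlet.ShouldProcess($env:COMPUTERNAME,
            'Stop and disable the Print Spooler service')) {
        # -Force also stops services that depend on the spooler.
        Stop-Service -Name Spooler -Force -ErrorAction Stop
        Set-Service  -Name Spooler -StartupType Disabled -ErrorAction Stop
        $svc = Get-Service -Name Spooler   # re-read to confirm the change
    }

    [pscustomobject]@{
        Computer                      = $env:COMPUTERNAME
        SpoolerStatus                 = $svc.Status
        SpoolerStartType              = $svc.StartType
        WorkaroundInPlace             = ($svc.Status -eq 'Stopped' -and
                                         $svc.StartType -eq 'Disabled')
        # $null below means the policy value is not set on this host.
        NoWarningNoElevationOnInstall = $pap.NoWarningNoElevationOnInstall
        UpdatePromptSettings          = $pap.UpdatePromptSettings
        RestrictDriverInstallToAdmins = $pap.RestrictDriverInstallationToAdministrators
    }
}

# Report only:
Set-SpoolerWorkaround
# Preview the change without making it, then apply it:
# Set-SpoolerWorkaround -Apply -WhatIf
# Set-SpoolerWorkaround -Apply
```

With the spooler stopped and disabled, the host can no longer print locally or act as a print server, so the report-only mode is useful for deciding where the workaround is acceptable.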
VARs and resellers are increasingly interested in offering managed security services to generate recurring revenue and business growth.
But offering these types of services creates a variety of challenges for the provider. Those involve procurement flexibility, partnership program requirements, portfolio range and more.
The global managed security services market was worth nearly $22.7 billion in 2018 and will exceed $65.5 billion by 2026, according to Verified Market Research.
Mark Romano is WatchGuard Technologies’ director of worldwide channel and field marketing. He said managed security services are in high demand among VARs and resellers. A real push has been the lack of talent available to provide security services at every company.
Security has become even more aggressively necessary, he said. That’s because cybercriminals are coming after data and/or company assets more than ever before.
“Cellphones, Microsoft products, cable TV, you name it — everything went to a monthly service,” Romano said. “It now makes a lot of sense that if I can bring on a security provider to take care of all of my security needs and do that on a monthly basis, I’ve just reduced my capital expense significantly and I could spend that money somewhere else. Now, I’ve made it an operational expense. That’s also the challenge for MSPs to get it right. Because if they’re not priced right or they’re not providing the right service, they’ll lose clients or lose money. So that’s really that driving factor of why these things are changing.”
Redesign Plan Crucial
When VARs and resellers transition to a managed security services model, “you’re taking what is a traditional break-fix business where you’re acquiring a certain amount of income every single month and breaking it up into little pieces,” Romano said.
“It’s a matter of how I redesign my business so that I can move into that space,” he said. “Whether you’re going to become a hybrid reseller … or am I going to move completely into managed services or managed security services for the clientele that I’m servicing? The next big thing is, you need to become that trusted adviser if you’re going to get into that business. Do you know enough about the space? It’s not enough to say there’s money to be made here. Do you know enough about the space to say, ‘I can become your trusted adviser in the security space and have you trust that I’m going to be able to provide these services effectively over time and prove to you that I’m doing them and still make them cost effective for you?’”
It’s probably not the right time to go 100% managed security services, Romano said. A business model that includes 50%-60% managed security services is an “incredibly safe spot to be in now.”
“You’ll be able to balance your business and your books much more effectively along with your cash flow,” he said.
Scroll through our slideshow above for Romano’s five tips for transitioning to a managed security services model, and more cybersecurity news, including the latest on the Accenture ransomware attack.
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.