Interviews - News - Analysis: For successful growth with Managed Security Services

Life’s work could be in danger

Everything about Managed Detection and Response: from customer communication, the start of the conversation and customer views to possible objection handling.

The evolution of security strategies: from a proliferation of tools to an integrated solution

In the past, companies relied on a variety of security tools to protect themselves against different attack vectors. However, each new tool brought with it additional complexity and often redundancy.
Gartner recognized this problem and established a new approach: It is no longer enough to simply detect – companies must also be able to respond quickly and efficiently. This is where MDR comes in, by integrating threat detection and response to enable a holistic security strategy.

From detection to reaction: the added value of MDR

MDR goes beyond traditional security solutions by not only identifying threats, but also taking proactive measures to combat them. IT service providers benefit from the fact that they no longer have to work in silos. A typical example: an attack is detected at the endpoint, but without MDR it often remains unclear whether it has penetrated via an email, the firewall or a mobile device. MDR offers extended detection and response (XDR), which closes these information gaps and enables comprehensive threat analysis.

Finding the needle in the haystack: Efficiency through automation

A central element of MDR is efficient alert management. Instead of overwhelming IT service providers with a flood of alerts, MDR filters out the relevant threats and prioritizes them. This allows IT teams to focus on the really critical incidents and respond more quickly. The image of a “needle in a haystack” is often used here: MDR not only looks for this needle, but also presents it to the customer in a clearly visible and understandable way so that immediate action can be taken.

Open questions as a door opener: dialog with potential customers

A successful start to a conversation about MDR begins with open questions. For example, IT service providers should ask about the size of the IT team, the number of employees with access to sensitive data or the previous security strategy. This creates trust and shows an interest in the customer’s specific needs. This approach often leads to an in-depth dialog that reveals the customer’s pain points and wishes.

Threat information as added value: cooperation with authorities

IT service providers that offer MDR often work closely with investigative authorities such as the BKA, LKA and Europol. This cooperation makes it possible to identify current threat trends and raise customers' awareness accordingly. A striking example: attackers nowadays often move undetected in company networks for 30 to 60 days before they strike. MDR helps to detect and neutralize such attacks at an early stage.

Creating trust: Dealing with objections and queries

Another important aspect of the MDR sales pitch is dealing with typical objections and queries. Customers often ask about the security of their data, GDPR compliance or the costs. Here, it is important to create transparency and clearly communicate the benefits of MDR. A successful meeting can also result in very fast sales cycles – it often only takes 45 days, sometimes even less, from the initial inquiry to closing the deal.

'The victim is usually much more afraid that their life's work will be destroyed than that they will lose €100,000 or €500,000.'

Sophos Technology GmbH
Olaf Kaiser:

Please describe the key points that make up a Managed Detection & Response Service?

Markus Muth: Let's bring the MDR Journey into this. It used to be the case that you actually bought a new tool for every new attack vector. And if you were working according to BSI specifications, then it was even the case that you might sometimes have set up two or three manufacturers or technologies for one attack vector. This was often the case in the firewall sector.

At some point, Gartner said we can't continue working like this and introduced a new definition of the approach to the market. You have to recognize things, but you also have to react to them. But here, too, it was recognized that you actually do more security in silos. And what good is it if I know that I recognize something at the endpoint, but I don't know where it actually came from? Did it come by email? Was it an attack that perhaps came in via the firewall? Did it come via the gateway? Did it come via mobile, wherever? So we said we had to think ahead and made the X out of the EDR, Extended Detection Response. And then came the question: Who actually takes care of these alarms?

Who is doing the detection and response now? We look for the needle in the haystack and put the hot needles on the table for the customer or partner and even put little notes on them telling them which needles they should take care of first.

Olaf Kaiser:

How do I prepare for a specific meeting with a prospective customer? Or do you go live into the lab and show something? What is the toolset that you take with you into a meeting?

Markus Muth: Let's assume that we are in a new customer situation. And I'm talking about security and managed security for the first time. Then you should work with open questions. How many employees do you actually have in IT? How many of your employees access resources that require protection? How many of your IT or your employees can actually do IT security? How many of them can also do in-depth threat hunting? And if an attacker really does get through, how do you react? Who do you call in? What is your emergency plan? There is a lot of dialog. When I'm involved in the conversation, I always provide a bit of threat information from the manufacturer's perspective. What is the current situation out there? We are working very closely with the investigating authorities - the BKA, LKA and sometimes Europol. We see trends in which direction waves of attacks are heading and then we have to raise awareness. We no longer have the situation where the attackers come in and immediately throw in ransomware, but we often have the situation where they move around the company for 30 to 60 days. Then we also have a demo where we look at attack images and also show how our team provides support.

Olaf Kaiser:

Do you see differences in who is sensitive to the topic of security? If I were to ask you now how I recognize the 30 most exciting of my 500 CRM contacts, what would your answer be?

Markus Muth: It depends on the individuality. We have often had cases where the two managing directors play golf together, and one managing director reports that he has been hit by the attack. And then the other managing director is suddenly very responsive. It is very often the case that this fear of losing my life's work, which is perhaps in its second or third generation, drives you. You're much more afraid that your life's work will be destroyed by an attack than that you might lose €100,000 or less than €500,000, where the sum is not so important, but where a lot of image is involved. But it could just as easily be a hidden champion who perhaps has 100 employees in the Swabian Alb and manufactures a very special product that he markets worldwide.

Olaf Kaiser:

What objections or typical queries do customers have during the conversation?

Markus Muth: Of course, there are objections. Of course, there are questions, which is fine. Is my data secure? What about the GDPR? What happens if the attacker gets through? Will you then paralyze my entire production? How expensive is that? How can I communicate the whole thing to my management so that they might agree to double the budget of what I paid before?

So these are the issues. Through the basic work with the open questions, the interested party already reports a lot about what's on their mind, where their pain is, where their wishes are. And if you take that on board, then the customer actually sells you what they want. And we have incredibly short sales cycles. We usually have an average of 45-day cycles from an opportunity to closing. And we've also had customers who are ready to make a decision after just 24 hours and say: Yes, I've got the budget, I'll do it now.

And that doesn't always have anything to do with the fact that the customer is currently under attack and urgently needs us, but rather that the customers understand very quickly that they are putting themselves in the hands of the market leader in this MDR, and that I am falling into a safe net and I would like to be part of it.

Profile

Powered by threat intelligence, AI and machine learning from SophosLabs and SophosAI, Sophos offers a broad portfolio of advanced products and services to protect users, networks and endpoints from ransomware, malware, exploits, phishing and a wide range of other cyberattacks. Sophos offers a single integrated cloud-based management console, Sophos Central - the heart of a customizable cybersecurity ecosystem that has a centralized data store that leverages a variety of open APIs available to customers, partners, developers and other cybersecurity vendors. Sophos distributes its products and services through reseller partners and managed service providers (MSPs) worldwide.
Sophos Technology GmbH
Gustav-Stresemann-Ring 1
65189 Wiesbaden
