Interviews - News - Analysis: For successful growth with Managed Security Services

We do not take responsibility away from the customer. We give them peace of mind.

Many thanks to Ralf Schwarzmaier, Managing Director of mars solutions GmbH, who talks to us about all topics relating to the use of a manufacturer's MDR solution and shows us what expertise is necessary and important in-house.

The importance of MDR and preparation

Managed Detection and Response (MDR) is a central component of modern managed security services (MSS). MDR provides continuous monitoring of endpoints and networks, detection of suspicious activity and a response when an attack is confirmed. As Ralf Schwarzmaier emphasizes in the interview below, MDR services should not simply be "switched on" without prior analysis and preparation. A structured approach is necessary, especially in critical areas such as production and logistics, where a security incident, or a hasty shutdown in response to one, can cause physical damage and significant financial loss.

Prevention and emergency plans

Thorough preparation and preventative measures are essential in order to be able to react effectively in an emergency. This includes identifying business-critical processes and drawing up an emergency plan that states, in advance, which areas can be shut down or isolated during an attack without endangering the business, and which must keep running. As Ralf points out, holistic monitoring and control of the firewall are crucial: network communication should be segmented so that only the point-to-point connections that are actually needed are permitted, and known vulnerabilities should be found and closed through regular vulnerability scans.

Efficiency through data aggregation

Another key to the effectiveness of MSS lies in data aggregation. The more telemetry is available, and the more uniformly it is collected across firewalls, endpoints and servers, the better a security incident can be analyzed and the earlier preventive measures can be taken. Standardized data collection significantly increases the efficiency of the security solution, because events from different sources can be correlated rather than examined one system at a time. This makes it possible to react more quickly to threats and to continuously improve the security posture.
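To make the aggregation point concrete, here is an added example (not code from the interview or from mars solutions) that normalizes account-creation events from two constructed log sources, a Windows security event export and a Linux auth log, into one schema and then asks the question raised later in the interview: was a new user created and then put into an administrative group? The log formats, host names and field names are assumptions for illustration only; the Windows event IDs 4720 (user account created) and 4728/4732 (member added to a global/local security group) are the standard Microsoft IDs.

```python
"""Normalize account-creation events from two constructed log sources into a
single schema and flag new accounts that were immediately made administrative.

Added example, not code from the original page. The sample lines below are
constructed; the CSV-like Windows layout and the field names are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample data (assumed formats, not a vendor export).
WINDOWS_EVENTS = [
    "2024-05-02T09:12:01Z,4720,DC01,svc_backup,TargetUserName=maint2",
    "2024-05-02T09:12:05Z,4732,DC01,svc_backup,TargetUserName=maint2,GroupName=Administrators",
    "2024-05-02T10:30:11Z,4720,DC01,hr_admin,TargetUserName=j.mueller",
]
LINUX_AUTH = [
    "May  2 09:40:12 erp01 useradd[4412]: new user: name=deploy2, UID=1003, GID=1003, home=/home/deploy2, shell=/bin/bash",
    "May  2 09:40:15 erp01 usermod[4419]: add 'deploy2' to group 'sudo'",
    "May  2 11:02:40 erp01 useradd[5120]: new user: name=reporting, UID=1004, GID=1004, home=/home/reporting, shell=/usr/sbin/nologin",
]

# Groups whose membership grants administrative rights (compared case-insensitively).
ADMIN_GROUPS = {"administrators", "domain admins", "sudo", "wheel", "root"}


@dataclass(frozen=True)
class AccountEvent:
    """Common schema for both sources."""
    source: str        # "windows" or "linux"
    host: str
    action: str        # "user_created" or "group_added"
    account: str
    group: str = ""    # only set for group_added


def parse_windows(line: str) -> Optional[AccountEvent]:
    """Parse one constructed Windows line: ts,event_id,host,actor,Key=Value,..."""
    _ts, event_id, host, _actor, *fields = line.split(",")
    kv = dict(f.split("=", 1) for f in fields)
    if event_id == "4720":
        return AccountEvent("windows", host, "user_created", kv["TargetUserName"])
    if event_id in ("4728", "4732"):
        return AccountEvent("windows", host, "group_added", kv["TargetUserName"], kv["GroupName"])
    return None  # other event IDs are not relevant to this check


_LINUX_NEW = re.compile(r"^\S+\s+\d+ \S+ (?P<host>\S+) useradd\[\d+\]: new user: name=(?P<name>[^,]+)")
_LINUX_GRP = re.compile(r"^\S+\s+\d+ \S+ (?P<host>\S+) usermod\[\d+\]: add '(?P<name>[^']+)' to group '(?P<group>[^']+)'")


def parse_linux(line: str) -> Optional[AccountEvent]:
    """Parse useradd/usermod syslog lines as written by shadow-utils."""
    m = _LINUX_NEW.match(line)
    if m:
        return AccountEvent("linux", m["host"], "user_created", m["name"])
    m = _LINUX_GRP.match(line)
    if m:
        return AccountEvent("linux", m["host"], "group_added", m["name"], m["group"])
    return None


def normalize(windows_lines: List[str], linux_lines: List[str]) -> List[AccountEvent]:
    """Collect events from both sources into the common schema, in input order."""
    events = [parse_windows(l) for l in windows_lines] + [parse_linux(l) for l in linux_lines]
    return [e for e in events if e is not None]


def flag_admin_creations(events: List[AccountEvent]) -> Set[Tuple[str, str]]:
    """Return (host, account) pairs that were created and then added to an admin group.

    The correlation works across sources only because both were normalized first;
    a 'group_added' without a preceding 'user_created' on the same host is ignored
    here, since existing admins being re-added is a different (lower-priority) signal.
    """
    created: Set[Tuple[str, str]] = set()
    flagged: Set[Tuple[str, str]] = set()
    for e in events:
        key = (e.host, e.account)
        if e.action == "user_created":
            created.add(key)
        elif e.action == "group_added" and e.group.lower() in ADMIN_GROUPS and key in created:
            flagged.add(key)
    return flagged


if __name__ == "__main__":
    for host, account in sorted(flag_admin_creations(normalize(WINDOWS_EVENTS, LINUX_AUTH))):
        print(f"review: new account {account!r} on {host} was granted admin rights")
```

On the constructed input this flags maint2 on DC01 and deploy2 on erp01 and leaves the two ordinary accounts alone; the same correlation would be invisible if the Windows and Linux lines were only ever looked at in their own consoles.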

Challenges and communication in a crisis

One of the biggest challenges in providing MSS is communication during a security incident. Transparent and reassuring communication is crucial to avoid panic and maintain customer confidence. Ralf emphasizes that in such situations, management takes over communication to ensure a clear and calm approach.

Zero Trust and future prospects

Another important trend in IT security is Zero Trust Network Access (ZTNA). This philosophy assumes that no user and no system is trustworthy from the outset, regardless of whether it sits inside or outside the company network, and that every access to a resource must therefore be explicitly authorized and controlled. ZTNA is not a one-off product purchase but an ongoing process for handling access and authorizations that helps companies to continuously improve their security posture.

'As managing directors, we take care of communication with the customer ourselves because we can best put ourselves in the entrepreneur's shoes.'

Olaf Kaiser:

MDR is probably not a simple commercial product that you activate. When you talk to a contact about the topic of managed security services, including in the direction of an MDR service, what do you look at with the customer beforehand? What do you check or what do you work out together before starting an ideally standardized operation for the customer?

Ralf Schwarzmaier:

There are actually scenarios where you can simply put MDR into operation without any major preparation. Of course, the performance moments are a bit adventurous at one point or another, especially when something happens, so we definitely don't recommend it. On a larger scale, especially if we're talking about production, logistics, etc., where machines could collide somewhere and similar things could happen, there should be much more discussion beforehand. And at that moment, of course, the question is what happens in the event of an emergency, i.e. a successful attack?

Which areas can we take off the network without any problems, which areas can simply be shut down, at which points can we disconnect the network segments, etc.? It's a relatively long story and it's generally almost impossible to determine clearly without an emergency plan. What are the business-critical processes, what do we actually earn money with? Which areas of the company must continue to run, and should continue to run if at all possible, so that we are not threatened with insolvency due to unavailability, etc.? We have services at the moment where we say very clearly: if you recognize an attack, if you recognize changes that somehow look like an attack, then please contact us in any case and don't do anything on your own, so that we can decide at that moment what the next steps are. We'll lose a bit of time, that's for sure, but in the end they'll probably do a bit less damage.

Olaf Kaiser:

The more data you have, the better you can analyze what actually happened where. Is there also an increase in the security tools around the MDR service, as a prerequisite for its introduction, so that data from as many locations as possible can actually be aggregated?

Ralf Schwarzmaier:

The more data we have available and the more uniformly we can collect data, the more efficient the solution will be. And for this reason, we believe it is very important to monitor the whole thing holistically. So that we can react much earlier.

And the topic of firewalls is important: I need to have my firewall under control and control what data goes through it and what data generally goes through my network. I restrict my network communication as much as possible, i.e. I segment it properly and only allow the point-to-point connections that are necessary, not some wild new rules in my network, which unfortunately you find again and again.

Then I have the issue of security gaps in the network in general, i.e. vulnerabilities, scans and the like are topics that we usually address at the same time. The customers who have not received very good advice in this area in the past, or were focused differently for a variety of reasons, perhaps simply didn't have this on their radar, didn't see the danger, or actually had it and then had their eyes opened to the fact that they can or should do much more. At that moment, my risk naturally diminishes significantly and so does the follow-up work.

Olaf Kaiser:

Many system houses are active for SMEs with 10 to 30 employees. What experience do you have here in relation to a high-quality 24/7 MDR solution?

Ralf Schwarzmaier:

Zero Trust is a very exciting topic and I believe that it is one that will be very much with us over the next few years. ZTNA is not a product, but a philosophy. It's a process of how I deal with access, authorizations, etc.

And when it comes to the question: who needs ZTNA? If you want to answer that honestly, you have to say that everyone who wants access to resources needs it. And then it doesn't matter whether these are internal resources on one side or external resources on another side, in a data center at a hyperscaler or at a service provider.

And that's why every customer has to deal with this issue. The question is whether the customer stands still and only has their classic VPN activated. Or whether they want to go on the ZTNA journey. And I believe that this will probably move us in a similar way to how the cloud brought us into an uncertain future 15 years ago. And today, it's impossible to imagine life without it.

Olaf Kaiser:

What did you discover when you asked how security issues can be integrated into your overall managed service portfolio?

Ralf Schwarzmaier:

Our customer spectrum starts with ten PC workstations and goes relatively far upwards, and it has to be said that the smaller customers now have a great affinity for MDR. This simply has to do with the fact that the costs are lower. I have to allocate the costs to each employee, and if I set them against my salary costs at the end, then there are only minimal amounts left over. And that's what we no longer do at all, this selling by price. And it's easier in a small environment because there's usually just one IT contact there, i.e. an external one; there's usually no one internally, and they trust that contact.

Olaf Kaiser:

Then let's take a look at IT operations. What do you do now, not in the worst-case scenario - we'll come to that in a moment - but in the positive case that nothing really bad happens? What is your service level after the sale?

Ralf Schwarzmaier:

In general, we see it as our responsibility. So this is perhaps an important point: we do not take responsibility away from the customer. We want the customer to be actively involved. They should be able to concentrate on their work and, if in doubt, we will approach them. In principle, for customers who are fully equipped, we also make sure that we manage the entire network in all areas relating to prevention. We check that all the security vulnerabilities that we notice somewhere, which we monitor, are patched. And if they cannot be patched due to some strange software versions and dependencies, we then lock down the systems so that nothing can happen in this area. In other words, we actually make sure that we keep the security level as high as possible at all times without incurring any costs for the customer. On the one hand, there are no additional costs; on the other, we see this as our service at the moment.

Olaf Kaiser:

You said that it is important to you that the customer is not left out, that responsibility remains with the customer. Let's move on to the case where something has actually happened. Or perhaps nothing harmful has happened yet, but you have these wonderful lateral movements. What do you do then?

Ralf Schwarzmaier:

At that moment, two technicians from the security team who deal with precisely this issue are pulled in. They first analyze the reports that are there and the situation that exists at the customer at that moment: is there more strange behavior? Has an administrative user been created? On the other hand, we establish direct communication with the customer. At that moment, however, we are not yet in panic mode. In such cases, communication with the customer is always initiated by our management team, who are also involved at management level right from the start.

Plus the request that if anything interesting occurs anywhere in the network, any strange phenomena that shouldn't be there, customers should please contact us immediately and not try to analyze anything themselves beforehand, etc. The moment we are actually unsure what is going on there at the moment, that we actually have an incident, we shut down or disconnect small customers relatively bluntly.

For example, if I have all the data outside the infrastructure and therefore have all the information available for the time being, I can shut down the systems without any problems. And in doing so, I simply prevent a lot of damage in the first place. And we also do this when we're not sure what to do. We don't have the customer's approval to do it, but we can't reach the customer. If we ourselves believe that we can avert a lot of damage at the moment, that's when we bluntly shut down.

Olaf Kaiser:

Another challenge in addition to this deep technological expertise is communication in the event of a crisis. This is communication with a party that may now have scenarios in mind about what will happen to their business or their life's work. I imagine that's very challenging.

Ralf Schwarzmaier:

As managing directors, we are responsible for communicating with the customer because we are best placed to put ourselves in their situation. It's different if I'm employed by a company and therefore perhaps have less insight into what's going on behind the scenes.

A lot of the communication actually happens in advance, because the customer knows that we will get in touch even if it's not yet critical. This means that they are not necessarily frightened at that moment, but the message is very clear: nothing has happened yet, but we have to keep our eyes open to make sure nothing happens. And it makes no sense to panic in that case. The important thing is to maintain communication. Because the moment the customer feels uninformed or doesn't feel taken seriously, that's the moment you have a problem, and then things turn very, very quickly. But the moment you maintain communication, stay in conversation with the customer and are calm yourself, it transfers relatively well. So you simply can't let panic get the better of you. That's the most important thing, and that's also what we always communicate to our technicians: concentrate on what you are doing.


Profile

We see ourselves as a service company and offer a diverse portfolio that covers the following IT services: consulting, patch management, pentests and security solutions, hosting/housing and cloud services from our own data centers, outsourcing, electronic signatures and 24/7 service for all customers, rollouts and predictable IT costs.
Ralf Schwarzmaier
Managing Director
mars solutions GmbH
Robert-Bosch-Strasse 8
73037 Göppingen

Related articles

MDR is not a technology, but a service

From the customer's point of view, it is about how Managed Detection and Response (MDR) is used to test and introduce stronger security performance and, from the MSP's point of view, how a central MDR service is linked to important systems via APIs through to the establishment of alarm chains.

Managed firewall in focus – from service definition to reporting

What services - both planned and unplanned - are included in your managed firewall packages? How can the customer purchase the whole bundle of hardware, software and services? All as one fixed monthly price? Are there really helpful reports for customers from the firewall? Which services are not included and are provided on demand or on request at the firewall? How do you deal with customers who already have another firewall in use?

Ongoing development as a model for success with managed security services

Everything you need to know about setting up Managed Security Services: How is the security model structured? How do customers decide between the three modules for endpoint protection and what tips the scales in favor of the higher variants? What is the customer response to your managed approach? Does the monthly notice period play an important role for you? Which automations are most important to you?