MDR Is Critical For Countering Growth Of Insider Threats: Sophos Execs
Managed detection and response (MDR) that includes threat hunting is a must-have in the current threat environment, according to Sophos executives.
This includes threat hunting for insider threats — an issue that executives say has been on the rise.
During a session at XChange August 2024 in San Antonio Tuesday, MSP executive Reagan Roney said his team has been observing a “significant uptick” in insider threats at its customers.
This has particularly been an issue at government clients, where attempts at data theft by malicious insiders have been on the rise, said Roney, principal and chief experience officer at Solvere One IT, a Sophos partner with offices in Dulles, Va., and Washington.
In one recent case, where a malicious insider attempted to steal data from a major government organization, Sophos spotted the threat and proactively called the team at Solvere One IT, Roney said.
“Immediately Sophos called us and said, ‘You need to know about this,’” he said during the session at XChange August 2024, which is hosted by CRN parent The Channel Company.
Rather than simply being informed about damage caused by an attacker after the fact, Sophos instead was able to say, “‘This is what we saw, this is what we did and this is what we prevented,’” Roney said.
“That is the best conversation for me to have with my client,” he said. “If I say, ‘These are the results, this is what was prevented’ — I win every single time, and that's thanks to MDR.”
Austin Cloward, senior solutions engineer at Sophos, said during the session that while isolating an impacted system is helpful, “we don't think that that should be the only thing we're doing when responding to a security incident.”
And notably, with the MDR service, “we’ve opened up the platform to be very flexible with your security stack,” Cloward said. “It's opened up the door for you to really leverage the tools you want and the tools you're currently using.”
Without a doubt, insider threats are a growing concern, said Harold Mann, president of Mann Consulting in San Francisco.
The increase also has implications for how organizations of all sizes hire and build out their teams, Mann said.
“Unfortunately, it then creates a trust problem, if you're trying to build a team,” he said. “Because you basically have to distrust the intentions of the people that you are collaborating with.”
Ultimately, “we’d be foolish to pretend like it's going to just somehow go away,” Mann said.
Scott Barlow, vice president of global MSP and cloud alliances at Sophos, told CRN in an interview that the vendor’s broad range of capabilities can be crucial in shutting down insider attacks.
“If there's a threat within your organization, there's a lot of things that Sophos does to prevent that lateral propagation,” Barlow said. “If there's a threat on an unprotected device, our firewall can actually talk to our endpoint, and isolate an endpoint internally to prevent that lateral propagation.”
Additionally, network detection and response (NDR)—which integrates with MDR—“will actually detect IoT devices and whatever traffic is within the network where you can't put a sensor,” he said.
“I think that's going to be the future for MSPs,” Barlow said. “It's going to be one of the top components to protect a customer's environment — especially in the SMB and midmarket, where they don't have huge dollars to spend to combat a lot of these threats.”