Perch Security’s MDR and SOC Strategy for MSP Partners

Perch Security, which offers co-managed threat detection and response (MDR) services, has a growing base of MSP (managed IT service provider) partners, plus investment backing from ConnectWise and Fishtech Group.

Perch is a software platform coupled with SOC (security operations center) services on top. A customer can utilize as much or as little of the SOC services as they need. Perch's team performs the overall watch -- and will pass notable and actionable events back to the MSP to handle.

So how does Perch differ from master MSSPs and SOC providers, and cybersecurity software companies that are seeking to align with MSPs?

MSSP Alert caught up with Perch Chief Information Security Officer (CISO) Wes Spencer for perspectives. Here's the interview.

ChannelE2E: Let’s rewind a bit for readers who may not be familiar with Perch. What inspired the company’s launch in 2016?

LinkedIn: Wes Spencer, CISO, Perch Security

Spencer: Perch is pretty unique in that before we started the company, we were a bunch of bankers. The financial industry is pretty interesting to say the least. Most banks have access to a wealth of threat intelligence information, warning them about cyber threats of every kind and nature. But what’s really interesting is that most banks don’t really do much with that intelligence. Believe it or not, it just sits in their email inboxes, making them feel guilty for not doing more. Our light bulb moment came on when we saw most of the other industries were in the same boat. We saw the opportunity of creating a platform that could detect and respond to these threats as something that was simply too important to not pass up.

We always knew that the Perch platform was well suited towards managed service providers. In fact, most smaller clients won’t get true value from Perch unless an MSP is delivering the service as part of their encompassing managed service delivery. To that end, we built the platform from the very beginning to be multi-tenant. Once we got the attention of a few high profile MSPs, the entire company took off like a rocket ship.

ChannelE2E: Many MSPs are in the market seeking SOC (security operations center) services and capabilities. Some of the SOC solutions are purely software. Others involve a blend of software and outsourced SOC teams. Where exactly does Perch fit into the conversation?

Spencer: Great question. We truly believe only a blend will work effectively. Here’s what we’re seeing. For the vast majority of MSPs, building a 24x7x365 SOC is an impossibility. Most statistics say you need a minimum of 12 analysts for that kind of coverage. The costs easily get into multi-millions. That’s a deal breaker right there. Let alone all of the other challenges of staff training and retention.

Some MSPs have looked at partnering with a pure-play MSSP – you know, those big and bulky (not to mention expensive!) security service providers. While many of them can do a good job, the MSP is left with an impossible sales pitch of a high cost security service option that leaves 90% or more of their entire customer base off the table. That’s not good. Now they have a large group of clients who aren’t getting the security services they need, raising the risk for the MSP by leaving most of their customers in the proverbial cyber-dark.

We knew this was a challenge going in. So Perch is both a software platform that is combined with SOC services on top. A customer can utilize as much or as little of our SOC services as they need. Our team performs the overwatch. We’ll pass notable and actionable events back to the MSP to handle. Unlike a traditional MSSP-partnered approach, the MSP is actually involved in the entire process. They are working with the customer hand-in-hand in resolving security issues. And guess what comes of that? They’re able to take their trust relationships with the clients to an entirely new level. When the client knows their MSP is watching their network for threats, that assurance becomes extremely sticky.

ChannelE2E: We’ve seen some MSPs struggle with the transition to managed security services. Are there common missteps that MSPs can avoid?

Spencer: Without a doubt, the transition can be really difficult. I think the natural inclination for many MSPs is to try and become a full service MSSP with a 24x7 SOC. But as I mentioned earlier, it’s not a realistic goal for the vast majority. As a long-time security practitioner, I can personally testify to just how difficult and expensive that endeavor can be. So what’s the right solution? Well, certainly MSPs need to be involved in the security practice. They need to be able to align their security products and services with their own internal sales strategy. They need to be involved in the process, things such as incident response handling and customer communication through reporting and quarterly meetings to demonstrate value. When an MSP entirely turns over their cybersecurity strategy to an MSSP, the lack of control is often disconcerting and leaves them feeling as a third wheel when in reality the MSP is the critical partner.

ChannelE2E: We’ve also seen some MSPs struggle to lock down their own businesses, especially as hackers turn their attention to MSPs. Are you assisting MSPs with risk mitigation in their own businesses? If so, how?

Spencer: There’s no doubt about it. I would classify 2018 as the year that MSPs became a target. And if 2018 was a wake-up call, then 2019 has become The MSP Great Awakening for threat actors. For probably the first time ever, cyber criminals are finally realizing the power and control each MSP has. After all, why attack each single company when a breach of the MSP’s RMM tool will allow full, unfettered access to the entire customer base? And that’s exactly what we’re seeing. MSPs have become a bigger target than ever before. While each attack is different, the crown jewels are usually the same: the RMM. In many of these cases, the attack leverages remote desktop protocol (RDP) from the internet. We can’t stress enough how important it is to get rid of publicly facing RDP services.

When we onboard Perch with a new MSP, we require that they use our platform internally first. It’s oftentimes an eye opening experience for the MSP. We hear comments like “Wow, I had no idea this activity was happening inside my network!”. Whether it’s software misuse (such as crypto mining) or active malware, it’s oftentimes a day one win. Furthermore, once MSPs see their RDP services being hit from foreign countries on an hourly basis, they truly begin to understand the threat for the very first time. So we’re very involved in showing our customers exactly what their threat landscape looks like, and giving them the knowledge to reduce their attack footprint. This risk mitigation is so important for MSPs and has never been possible before Perch.

ChannelE2E: It’s been about nine months since ConnectWise and Fishtech Group invested in Perch. How have you invested those funds?

Spencer: It’s been a frenzy here at Perch, and quite a good one! We’ve poured every dollar into integrations and feature upgrades. The list is enormous. We’re integrated with the entire ConnectWise ecosystem from ticket creation, billing all the way up to leveraging Automate for instant remediation. Imagine an active threat being observed by our 24x7 SOC and it being immediately removed from the network via the power of Automate. This is exactly what Perch is now capable of, and that investment made this possible. We’ve also expanded our visibility footprint as well. Perch can be deployed essentially anywhere. Whether a customer needs threat visibility on-premise, in the cloud with Azure or AWS or even looking at the behavior and activity inside of Office 365, Perch is the perfect answer. We’ve also made some major enhancements to data reporting. Customers can create any report for any purpose using the data within Perch, including data from your other tools like the AV or firewall.

The speed of our feature development has been a sight to see. I was just talking with a customer this week about all the new things we’ve added into the platform. He couldn’t believe what we’ve accomplished in such a short time. And to be sure, more is coming! We have a very exciting roadmap over the next year that will continue to deliver some new features and changes that our MSP partners are going to really like.

ChannelE2E: Your platform has three components – Perch Web App, Perch SOC and Perch Sensors. Do MSPs have to leverage all three components – or do they pick and choose components based on a set of particular needs?

Spencer: They need all three. Call it the Holy Trinity of Cybersecurity if you will. Or at least I’ll call it that. ☺ Anyway, each component is a critical requirement to making Perch effective. The web app is where you’re able to explore the platform. In fact, it’s the exact same platform our SOC uses. It’s helpful to see the threat landscape and to generate customer facing reports to demonstrate value. The Perch sensors are the engine that drives Perch. Our sensors do all the heavy lifting – sifting through enormous amounts of network threat activity to generate alerts. They faithfully gather up all the log data to nest in the Perch SIEM in our cloud. But equally as important, if not more so, is our SOC. Imagine running a platform as powerful as Perch without a SOC behind the scenes. We were ex-bankers before we created Perch. Our tool brings an enterprise grade cybersecurity solution to managed providers, and without a qualified SOC watching over the alert activity, a platform like Perch would be nearly impossible to effectively use. We understand the majority of MSPs simply cannot build and maintain a SOC, so our team is here to help!

Joe Panettieri

Joe Panettieri is co-founder & editorial director of MSSP Alert and ChannelE2E, the two leading news & analysis sites for managed service providers in the cybersecurity market.