Understanding Huntress’s EDR and 24/7 SOC Services for MSPs
In this episode, hosts Adam Morris and Daniel Welling welcome guest Phil McGowan to discuss the innovative security solutions offered by Huntress, particularly focusing on their endpoint detection and response (EDR) and 24/7 security operations centre (SOC) services. They dive into how these tools help Managed Service Providers (MSPs) enhance their security offerings for small and medium-sized businesses. The conversation covers the key benefits of Huntress’s products, including ease of integration, affordability compared to enterprise solutions, and trial opportunities. The hosts also explore the practical ways MSPs can explain and sell these security solutions to their clients, ensuring clarity and value. The episode highlights the importance of making enterprise-grade security accessible and manageable for businesses of all sizes.
00:00 Introduction and Welcome
01:03 Understanding MSP Security Challenges
02:32 Explaining EDR to Clients
04:32 Huntress’ Unique Approach to Cybersecurity
08:05 The Value of 24/7 SOC
12:19 Commercial Considerations for MSPs
19:05 Affordability and Democratization of Security Tools
27:01 Conclusion and Contact Information
Listen on Spotify or Apple Podcasts
Connect with Phil McGowan on LinkedIn by clicking here –https://www.linkedin.com/in/mcgowanphil/
Connect with Daniel Welling on LinkedIn by clicking here –https://www.linkedin.com/in/daniel-welling-54659715/
Connect with Adam Morris on LinkedIn by clicking here – https://www.linkedin.com/in/adamcmorris/
Visit The MSP Finance Team website, simply click here –https://www.mspfinanceteam.com/
MSP Glossary: MSP Finance Glossary Explained | MSP Finance Team
We look forward to catching up with you on the next one. Stay tuned!
Transcript
Daniel: [00:00:00] Phil. Hello. Welcome to the show.
Phil: Hello, Dan. Thank you for having me.
Daniel: You are,
you’re very welcome. And as we were discussing in the Green Room, a short moment ago, this, this actually follows on from, Nick, O’Donovan being on the show.
Phil: probably about six months or so ago now. And, we definitely felt that there were lots of really interesting things that huntress were doing, and we definitely needed a follow up, to really get into the weeds, both
Daniel: technically
and commercially to help. Our MSP listeners sort of unbundle this whole security topic
And,
as we talked about before, we, we are enjoying the benefit of the, the NFR Neighbourhood Watch program. So Adam and I are
at the same time learning about. how Hunters works and, and how Hunts is supporting MSP finance team. So, we’ve got a, we’ve got a little bit of understanding, but, Adam and I definitely need your help today, Phil, to, to help [00:01:00] un unpack, this, this topic. So,
ma maybe where to begin, if you were talking about this to, to a new MSP, how would you start the conversation?
Phil: interesting question. we’d probably start the conversation by, understanding what the managed service provider currently does in terms of the security offering they will already have in place for their customers and any kind of challenges they’re facing around that.
and the. The challenges will vary from MSP to MSP. It might be, the unfortunate situation where they’ve, experienced a breach, a cybersecurity incident for one of their customers. Unfortunately, that does happen, you know, not only to the, you know, the very large skies like, like, marks and Spencer and Herod’s, but it, but also happens to, to the smaller customers that an MSP might support. so I understand have there been any kinda recent breaches that certainly is a challenge that we maybe need to look at through the lens of is there something we can do differently with that MSP to prevent a, a recurrence? so that comes down to, to, to [00:02:00] mitigating risk. but we’ll also, explore.
How easy the kind of existing, cybersecurity offerings that, that MSP sells onto their end customer are for them to consume. So is it affordable within the customer’s budget and also from an operational perspective, you know, how much time and resource does it take from the MSP to ultimately deliver the service to the end customer? So these are all interesting things we can explore as we, we kind of open-mindedly. Ask the question first to the MSP. Why are we actually having this conversation?
Daniel: Right. Okay. And Jo, jokingly, I often talk about this whole sort of security topic as super antivirus or even super antivirus as it has become, but I’m wrong on all counts when I talk about hunters because you don’t actually do antivirus, correct.
Phil: That’s absolutely correct. Yeah, so I think our founders looked at the cybersecurity landscape and saw there’s something like 80 or so antivirus products out there, [00:03:00] and the world probably didn’t need an ath. First antivirus. So we decided to do something a little bit different. the product category I guess we would fall into on the endpoint.
So if we were protecting a workstation or a server would be EDR, endpoint detection and response. But we actually offer managed, endpoint detection and response. So, what we are really. Keen to introduce for our MSP partners and ultimately for their end customers is the Hunts humans, we call them.
That’s our twenty four seven soc that’s included with that, that hunts, EDR and that’s true as well for our other products. Right? So that’s really what we’re trying to do. We’re trying to get the best security talent available to businesses of all sizes. Partnerships of MSPs are really crucial to that because your MSPs will work with businesses of all sizes.
Adam: just on, EDR. I was explaining earlier, Phil wasn’t either, I used to know this stuff and now I don’t. I’m not sure if that’s a good thing or a bad thing, but, but it [00:04:00] does raise a question here. An interesting question. you know, your clients MSPs have to sell this to business owners.
small business owners, they don’t have a clue about this stuff. They dunno what EDR is, right? They kind of knew what AV is. So they kind of get their head around that. Now. now these guys are out there trying to sell EDR. So give me your best pitch. What would you say to Ms. P Ns out there right now?
How should they explain what EDR is? Simplify it into business language so that, a double glazing company out there can, will buy it from them.
Phil: Yeah, sure. So I wouldn’t say it, it’s a pitch so much as, education, as you rightly say, Adam, the business owner, for a small or medium sized business may not, you know, understand the terms we would use when we talk about EDR. so, so, so the way we would break it down is a very simple framework called the NIST Cybersecurity Framework, which has these different kind of categories that any sort of product could ultimately.
Fall into, so you start off with, identify, and then you move [00:05:00] to protect, detect, respond, and recover. and a way to explain those different stages to, a business owner would be if you think about a house, right? and you
Adam: I did exactly this, but keep going. I did exactly this, but keep going because it’s a really good example. And then I’m really interested in the EDR, where that bit slots into each of those five.
Phil: Yep, absolutely. and the key point, Adam, is it actually doesn’t slot into all of those five, right? so if you think about protecting a house, right? Identify, first of all is where are the entry points for, in this case a burglar, right?
So it’s gonna be the windows, it’s gonna be the doors, and then you move on to protect, which is how do I actually secure those, right? So that those would be yours. On the windows and the doors. Very simply as we move on to detect this is has something gone wrong, right? Has the burglar got inside the house?
So maybe you need motion sensors or you need cameras that are pointed inside your home to detect that. You then move on to [00:06:00] respond, which is, you know, calling the police. It’s some. Burglar alarm, and recover is then, well, we work with insurance. We’re trying to recover stolen goods. It actually works in very much the same way for a digital asset.
So let’s say you have a computer or an MSP managing many computers, many different cloud accounts, right? They have to identify that digital attack surface. They have to. Protect it. and this is where antivirus, I think as mentioned earlier on, fits in because that’s kind of like the lock on the door or the bouncer on the door, whatever analogy you want to use. and that av, that antivirus is looking for the already known bad threats that it can very simply just block from entering the building. Apologies for mix. My analysis here. then when it comes to detect, that’s where EDR really shines. ’cause endpoint detection and response will be looking at, well, what’s actually running on the computer or what’s happening inside that Microsoft 3 6 5 account. And does what’s happening differ [00:07:00] from the kind of normal user activity? Is there something there which suggests an attacker has a level of access to that device or to that cloud account. And then we can move on to respond something that, you know, EDR does for partners as well, where we can clean that up, right?
So maybe we have to delete things that are malware, kill certain processes, and then recover. That’s also an area that would be technically outside of, the huntress product set. because at that point you’re looking at your backup technology, right? you’re recovering data. So, fortunately I probably fell into the trap of mention answering a few products a along the way there, but to, it helps people conceptualize
Adam: Yeah, that’s really good. and, we, as I said, we use that model ourselves, in my own MSP work really well, was a really useful way to stir. explain what is a complex subject area and, but just elaborate. or if I, if I was a, this double glazing business, I might come back to you and say, hang on a minute, I’m buying extra for, detection and response.
What? I already get response from you, so why am I buying extra for response? [00:08:00] what’s better about this response? What would your, what’s your, what would your answer be to that?
Phil: that? Yeah, so, so, often the answer revolves around, the 24 7 nature of the service, right? Is the managed service provider themselves in a position to offer a 24 7 service to their end customer? because. Security is absolutely a 24 7 sport, right? You could be attacked at 2:00 AM just the same way you could be attacked at, you know, during the business hours. so Huntress provides a 24 7 sock with every single Huntress product. There’s no way for you to buy a Huntress product without the Huntress 24 7 sock being part of the solution that, that you’re buying. so that allows our partners to offer that service to their. Their end customer. And that may be the answer to the question that comes then from the customer’s business
Adam: yeah, indeed. I like that a lot. And of course you would also say, well, hang on a minute. There’s hundreds of,
Phil: hundreds of, highly technical wizards, following the sun. Now, being alerted to anything [00:09:00] that’s on any of your endpoints and they will jump on this, you know, anytime of the day. I think it’s just, I think it’s just really important, to be clear on what, you know, effective, effectively, the benefits are of all these things.
Adam: And ’cause actually a lot of the owners out there, clients out and clients out there just going, well, I’m already paying for this. I’m like, what? You know, they’re already looking at their invoices. So that kind of real clarity on what the differences are, I think is vital.
Phil: That’s fair. And I think that the other approach, we can take here is offering, a trial, right? we can offer a Hunts trial, of course being huntress, but you know, MSPs may find other products they’re interested in.
We will also, allow for trials. that way the technology can be put into the environment for a period to see what value does it actually provide during that trial period. Because a lot of people are quite rightly minded to see well, the kind of proof’s in the pudding. A lot of MSPs think like that as well as the business owner themselves that may be, you know, challenging the monthly bill they’re getting from the msp.
So they’ll rightly turn around and say, [00:10:00] I already have security tools in place. I already pay for service X, Y, and Z. why would I pay for this extra service if we can run a trial? Or we can uncover some threats that maybe were not stopped with the tools that were already in place, then that’s one of the best kind of pieces of evidence you would get for actually then, you know, taking that service on as a
Adam: I like it. I like it. Can it backfire though, where it returns nothing and so you go, yeah. There’s no, no value in having this,
Phil: We wouldn’t necessarily consider that back backfiring, but I suppose that there’s different ways to look at that scenario.
Um, we would say that’s, that, that’s good news, in the sense that if you have. the right, you know, security posture right in your environment. it’s very feasible that we might have a trial that’s exceedingly quiet or there may be no findings, at all during that trial period. we’re not afraid for that to happen because in many respects that is good news.
if we go back to that, you know, house analogy, we are the [00:11:00] alarm system when somebody’s got inside the house. So you don’t want those alarms to be going off. All of the time. if they are going off all the time, then frankly you’re probably doing something wrong in terms of the way you are kind of configuring your devices or configuring your accounts, or even with maybe some of the preventative, security controls like email filtering or other controls that you have in place probably aren’t doing their job correctly. So I guess the way we as, Huntress would kind of counter it would be, well, let’s cast the net. For an MSP as wide as we can, right? We make it very simple to install hunter’s technology. And we’re really keen to do these trials, and they’re full featured. So why not install to every single customer you have to all of your managed endpoints, your managed identities, and that way it just increases the chance that will get some data back. that again, hopefully is not the most high or critical severity threat, but it might be a more low severity threat. It might be, the remnant of. Previous attack that we can [00:12:00] find. so it’s still a valuable security audit even if you, even if you don’t have any kind of Yeah. Blaring red sirens, we would still consider it a valuable exercise.
Daniel: And that then leads me on to perhaps
the commercial approach to this In so far as would we. Typically advocate that this is a, this is an up or an additional cell in addition to an MSP’s baseline service. So the therefore the implementation of it to prove that.
There are things to resolve. then leads CMSP to charge in the client for the service or, would this normally be a, for the MSP to confirm that they see the value in it? and then MSP then somehow integrates, bundles this into their overall stack and proposition. what’s, what’s your experience there?
Phil: I think it’s more common for it to be the latter. Where the MSP will first perhaps you do a trial with a [00:13:00] technology like, like Huntress and get to understand the value they believe in that, that technology provides as an MSP, and then they’re in a position to say, well, let’s build this into our kind of standard bundles, into our standard stack and have it be that baseline of security for our customers rather than leaving it out there as an optional add-on because it’s fairly common for customers to say.
No to those add-ons. And when it comes to something like security, you don’t really want to be leaving things to, to chant. So coming back to that, that 24 7, security operation center, that, that comes with a techno technology like, huntress, if the MSP cannot provide that themselves, then they have to partner with a vendor, right, in order to provide that, that to their customers.
And most MSPs, we. Speak to would agree that is essential, you know, to make sure that the customer is secure. So you don’t just have software that’s generating alerts, but you actually have [00:14:00] human beings on the other side that can look at, interpret an alert and do an investigation and respond. All of that can happen 24 7. Um, so, so yeah, we would. Encourage it to be a ba a baseline. Frankly, we try to have that opinion when we speak to our, you know, partners or potential partners. We believe it should be a baseline. and if there are challenges to that, that then we can kind of work through the challenges.
So, so the challenge could be maybe something like, you know, affordability. How do I secure the budget from my customer? And that’s something that then we can help our partners with. Can
Adam: can I just then, because this, I think this is kind of where we were going. At the start really, and pulling this together. what would be your advice out there then for MSPs? Looking at their stack of products, looking to simplify, what they sell and how they sell it,
Phil: it.
Adam: you know, so let’s say we’ve got a bronze, silver, gold type of approach.
What would be in the bronze, right? What would be in a, an additional piece in the [00:15:00] silver and an additional, again, in the gold in your view.
Phil: view, um, that varies from MSP to MSP?
it’s not unheard of for the bronze, if you like, the entry level package to not include EDR. but that would typically be for perhaps a smaller or perhaps less mature. MSP in terms of their security offering. So what we are seeing is the EDR technology is moving to be a true baseline.
Then across all three of those kind of offerings, the MSP might put in front of the customer. but you might find that things like, I don’t know whether it’s you DNS filtering or web filtering, those are something that’s introduced as you step up from the bronze to the silver. or the gold. and you might find as well that depending on the partnerships, the MSP has to deliver the 24 7 service, that they actually keep the 24 7 offering behind a silver or a gold package rather than that be entry level. ’cause although I’ve [00:16:00] kind of come on here today and said, you know, very confidently Huntress has a 24 7 stock. We still partner with MSPs of course. Right? So we will send an instant report to an MSP rather than directly communicating with an end customer. So there’s a little bit of almost devil in the detail of that, where the Ms P still needs to, you know, be working with us to provide the service to the end customer.
So, they need to be confident they can deliver that service.
Daniel: if I did have a co-managed, MSP client though, for example, would I be able to, request or allow you to communicate with the end user directly?
Phil: There are ways that can be set up. Yes. So, you’re able to define under your account in your Huntress portal, separate organizations.
so we can look at communication options specific to, an organization. but ultimately we provide, very favourable MSP pricing, because we expect it to be that partnership between Huntress and the MSP. So, I’ll give you an [00:17:00] example. We might, uncover an incident of, you know, Microsoft 3 6 5 account takeover, right? Which is. Pretty serious thing. Right? maybe we found, an inbox rule was put in place, that was, you know, maybe forwarding emails that were payment related to an external domain. Hunters can go ahead and, disable. We can even delete that inbox rule. but those would be, assisted or active remediations that hunters.
You know, does for the partner, but there may be in the remediation plan, we produce a series of manual remediations. So huntress cannot reset the credentials. You know, rotating the credentials is clearly key. If an account has been taken over, you know, hunts would not be, at least of our existing technology, and enforcing multifactor authentication.
So we will still provide to our. our partner, a remediation plan that includes not only the bits that we’ve done either with their approval or just we’ve gone away and done as active remediation, but any outstanding tasks for the [00:18:00] cleanup. So that’s why we say it’s a partnership to, to provide the service.
So yes, if appropriate that, that could be, you know, delegated if you’d like to a co-managed client, but it wouldn’t be appropriate for all of the MSP’s clients.
Daniel: Got it. Okay.
And I guess while we’re on the commercial topic, you know, don’t wanna hold you to anything that, you, you don’t wanna, that’s not appropriate.
It to divulge. But, I recall when, the sort of soc. the availability of a soc to the MSP,
stage of business.
F first came about it, it was, I wateringly expensive and, you know, we’re talking 40, 50 pounds, a month for, a device. and of course at the time there were plenty of MSPs. Well. Today that they don’t even charge that for their base service. let alone just for a SOC service.
so, I’m guessing over the last, five years or so that price point has come down, and that, that improvement in affordability, I dunno, what can you talk us [00:19:00] around that to, to sort of help us, build this picture of how to pitch it to the end client.
Phil: so affordability, I think, traditionally has been a real challenge for small and medium sized businesses to take advantage of the security controls that are available to the enterprise. Right? So a 24 7 Security Operations Center would. Definitely fall under that. even this kind of software aspect, aspects of EDR technology, in some cases would fall under that.
and technologies like, like SIEM, which is something else that Huntress provides, that again traditionally has been an enterprise tool, due to the cost, right? The cost not only of procuring the service, but also the cost to, really. Take advantage of the service for any kind of manpower that’s required on the side of the customer. so what we’ve tried to do with Hunts is provide those enterprise grade tools for a much wider audience. So make the technology available to the 99% of businesses that, by definition are [00:20:00] not in that 1% of the Fortune 100. Um, and make sure they can afford the tool. So, so we’ve had to come up with a price point that is palatable for those businesses.
Right. and particularly as well, working as closely as we do with MSPs, provide it to, at a cost to the MSP that allows the Ms P to make a good bit of margin. So we’ll often find we are a third or a quarter of the price of some of our competitors, where our competitors have actually started out.
Maybe more so targeting those enterprise customers. That’s really not where Huntress started as an organization. we wanted to democratize these technologies.
Daniel: Democratize was exactly the word Ive. Thinking of as you were describing it. So, and,
and so, my, my end user, my double glazing, end user client as Adam, Adam Postured earlier. They’re probably gonna ask the question. Well, Daniel, you were telling me that, that if I was an enterprise, I could be paying, you know,
Hundreds of [00:21:00] pounds. A an endpoint a month for a sock. And how are you able to do it for tens of pounds? Pounds of pounds? like what’s different? It’s great that it’s not as expensive, but why is it, why does a larger company pay so much more for this than perhaps a smaller business?
Phil: Um, sometimes it’s the price that, vendors can get away with selling to, to enterprise customers, frankly. Ha You know, having worked with different technologies in my career that were sold to, to, to enterprises.
your likes of kind of banks, for example, and government organizations. so sometimes the list price you will get from those vendors is something that the vendor could actually take probably 96, 90 7% off as a discount as part of the sales process. So the starting point, for vendors that sell to enterprise is often very different to the starting point that Huntress would take because we actually, we’re actually advertising that we have a technology. Aiming at businesses of all sizes. So we want your even very small MSPs, your [00:22:00] kind of one man bands to be able to consume as well as the larger players in the market. so yeah, so that, that’s definitely part of it. and then we’ve also had to, you know, carefully kind of think through how we design solution, right?
So. We do a lot of, our technology stack is really key to being able to control this, right? So we have to look at our, you know, detection, engineering, right? And what are we actually bubbling up to our soc to, do an investigation on? ’cause we want that to be really finely tuned so that we’re getting the most high fidelity signals that are from real threats in front of our SOC analysts. So they can quite quickly investigate that, confirm it as a threat. And then go onto the response element where of course we’re communicating with our partner with an instant report and going through, through the remediation. So we have a, an eight minute mean time to, to response. and that comes from really honing what we do with the detection.
So where we own the technology stack, end to end, we have our [00:23:00] own agent software we install, we run our own detection logic against Microsoft 3, 6, 5, and firewalls, et cetera. This allows us, and also owning, well,
ownings the wrong word, but having a soc in place, that, that is a hunter sock. Um, this allows us to, to be in control of essentially the cost of the solution to us so that we can then offer it at a affordable price point for our partners
Daniel: And those early tools. Of course, the other issue was there was just so much noise and so many. False positives or, investigating, topics to, to investigate that you’d never find the needle in the haystack. That was the genuine thing that needed action and activity. So it sounds like there’s, there’s an improved efficiency that’s been.
that’s Been achieved and actually, well, I’m sure very few enterprises will be listening to this podcast episode. So, so I’m sure all the enterprise vendors are, are safe with their business model for now. But, but really interesting to hear how, you know, what the genuine differences, like I, I would [00:24:00] imagine there’d be some sort of simplification of dumbing down, would be required to, to achieve the difference in price.
Phil: Yeah,I think there are cases where there, there are bells and whistles that are maybe not there within our technology that will be there for, you know, the technologies you might see in the top right of the Gartner Magic
Quadrant for, for what we are really focused on is outcomes.
W we want to, we call it wrecking hackers, right? We wanna stop hackers from doing that criminal activity. Coast causing so much damage to businesses. That’s ultimately our mission. So when we build our tool, we are building the features that make a difference to that, to actually stopping the attackers rather than building this kind of long list of tick box features that might show up in your RFPs, right?
Your long kind of questionnaires that come from. The procurement that happens for a larger organization. we may be missing some of those, you know, bells and whistles as it were. But we’ll happily kind of stand toe to toe when it comes to actually [00:25:00] stopping the attackers. ’cause ultimately what our tool does is it sends the signals to our security operation center to, to analyse and investigate. And to your point around false positives, I think that is in some cases a real challenge for organizations that consume, you know, security tooling. Um, so, so we track that very closely to make sure we are not kind of spamming, you know, alerts to our customers, right? So we have a not 0.7% false positive rate. and the way we track that is how often our partners would be approving a remediation plan versus clicking, reject and telling us this was a false positive or some kind of false alarm.
Adam: If I am, considering, your solution stack here with the, the socks that you have in place, do I need to augment my team with some additional skill sets or manpower? In order to deploy this and ma manage, and interact with my clients appropriately. Now that I’ve got all this increased level of awareness and monitoring going on, is the more work I’ve gotta do.[00:26:00]
Phil: gotta do. No, there’s the, there’ll be no need to hire, you know, additional staff or staff with particular skill sets in order to, you know, put in place huntress technology. a lot of our kind of approach is taking that, that heavy lifting of a security investigation. Off of the plate of, an off of a managed service provider, right? So what we then provide is the output here is an instant report that’s not full of jargon. It’s easy to understand, to say, this is what we’ve detected, this is what we’ve done to remediate, and this is anything and outstanding to complete that remediation.
So. the theory, and this is what we see in, in practice, is e even a level one junior technician would be able to take that instant report without having any kind of security specialism and understand, the lay of the land or understand the status of this incident and can they bring it through to resolution, which in many cases from our partners perspective is just clicking resolve against the incident if they’re happy with everything that we’ve already done.
Daniel: [00:27:00] Okay, so. I almost feel like we’re gonna need an another episode after this. I feel like,
again, we’ve only touched the surface, on this topic, and so much more for, for Adam and I to, and I’m sure some of our audience to, to consume and understand.
but, but yeah, been, it’s been very interesting, listening to you and I, I’m sure many people up and down the country will be describing, h House security in a conversation with their end user client over the coming weeks and months. And, well, again, not normally at this time of an episode, we, we offer a shameless plug.
but, maybe suffice to say, if anyone is listening has questions, how best to get a hold of you with, to talk further.
Phil: that. I guess one of the things we’d really point at as a way to, to get involved with Huntress in a way that we actually give back to the MSP community is what we call our Neighbourhood Watch program.
So, any managed service provider, even if they’re not, you know, currently selling hunts onto their customers, that they’re more than welcome to use Huntress tools to [00:28:00] protect their own house. That is to protect their internal environment. So, if you’re interested in, in, you know, taking advantage of that neighbourhood, watch. Program and protecting yourself with Huntress. then please just visit our website, huntress.com. and you’ll be able to see the details there to take advantage of, neighbourhood Watch.
Daniel: Very good. It’s
been a pleasure talking to you today and, I certainly feel like I’ve learned a lot. Adam, any final thoughts from you?
Adam: No, I mean,
Phil: I mean,
Adam: just so much to this, isn’t there? We could talk about it for hours and, yeah. You know, let’s have your back, and dig a bit deeper into all the, into all this stuff, because you know what, we haven’t even touched the sides of where it’s going and where AI’s, you know, where does our AI feature in all of this, right?
So, you know, what are the conversations that, that Ms. P owners need to start thinking about? For, for what they should be, you know, talking about with their clients moving forward. So,
Phil: no, been really good and, definitely have you back. Perfect. Thanks guys for having me. Thank you.
Daniel: Thank you.