Guest Column | January 21, 2021

How After-Breach Cybersecurity Augments Prevention

By Matt Tomlinson, Huntress

Years ago, “good” IT security meant focusing on prevention: putting a firewall on the edge of your network, tossing in some antivirus for good measure, and moving on with your life. Today, things look a bit different.

Some predict that we’ll see a ransomware attack occur every 11 seconds in 2021 (compared to every 40 seconds in 2016)—and that the cybercrime market will generate upwards of six trillion dollars globally.

Interestingly, one of the bigger contributing factors to this growth is not a lack of tools or tech; in fact, it seems that no matter how many breaches or ransomware attacks we hear about, most organizations still rely almost entirely on preventive measures to protect their environment. In reality, however, prevention-based defense doesn’t always prevent attackers from gaining access.

The Problem With Preventive Security

What happens to an organization when preventive security measures fail? The answer from most businesses is that they’ll simply restore from a recent backup. But when you’re spending an average of 150 to 290 days to detect a breach or incident, is that backup protecting you and helping you resume business as usual?

Cybercriminals today are establishing persistence, quietly dwelling in IT environments, and living off the land (using your embedded OS tools and installed applications against you) before carrying out their next big move. And during that time you’re likely overwriting backups or pushing archived data to the cloud, running the risk of having your “current” backups or snapshots infected.

If you’re forced to restore to a healthy backup that’s 180 days old (which doesn’t include an attacker’s persistence), what does that do to your business? You’ve just lost six months of productivity—a loss that many small businesses would struggle to recover from.

There has to be a better way of handling breaches! There’s a missing piece of the security stack that’s not talked about nearly enough. We spend all of our cycles covering two ends of the spectrum—prevention and backups—but what happens in between?

Equally important is the lack of proper security education that exists today.

The Power Of MDR & The Importance Of After-Breach Security

This is where something like a Managed Detection and Response (MDR) solution comes into play. The concept is to identify malicious actors very early on in their process and kick them out. From what I’ve seen, most either don’t know this is a gap or don’t see the real value of an MDR solution until after a breach happens. With hundreds of products “left of boom,” why aren’t we educating more and focusing more on “right of boom” or after-breach?

Utilizing MDR and “right of boom” solutions, we can start to solve some of the larger issues that have plagued us for years. How did that pesky attacker get past my prevention tools? Once I know that, what should I do as a partner or end user to harden my environment? Is that where I should stop? In my opinion, no.

You can now build out a longer-term security strategy that enables you to not only prevent—but to truly protect your environment in a multitude of ways. This is also an opportunity to introduce some standard hardening of the environment, with added peace-of-mind that if something does slip past all of that prevention, you’ll still have something that can protect you.

We are years past the days when backups could be relied on as your ransomware savior. The cybersecurity industry has to get better about enabling users of security products with education. Attackers are constantly looking for new attack vectors, attack types, and exploits in existing prevention tools. But they are also preying on the organizations that aren’t following cybersecurity best practices, by continuing to leverage exploits that are years old.

Ask yourself the following questions:

  • How do I protect myself against all of these threats or attack types?
  • Where do I start?
  • How much does it cost to be truly secure?
  • How do I manage all of these solutions once I’ve invested in them?

This is where partnering with true subject matter experts in the cybersecurity space comes into play. Find people you trust who lead by giving education back to the channel, and leverage their understanding of the landscape to help steer your organization or your clients’ organizations toward the right security stack. If you don’t have the resources to support the solutions, perhaps your partners can help.

No longer can we try to fight back against a multi-trillion-dollar industry alone. We have to work as a community to protect ourselves and our clients against an industry that—if it were a nation-state—would represent the third-largest economy in the world.

About The Author

Matt Tomlinson is the director of channel partnerships at Huntress, responsible for cultivating relationships with all partners, broader channel strategy, and sales. Previously, Tomlinson spent over 10 years in the MSP space with Carolinas IT and Logically, where he streamlined the sales process, improved relationships with channel partners, secured better financing options for clients, and led the companies to record profits. When he’s not working, he enjoys watching the Seattle Seahawks, playing pool, and spending time with his wife and their two children. Matt lives in Cary, N.C.