In today’s rapidly evolving threat landscape, proactive and continuous network risk and threat visibility are crucial for Managed Security Service Providers (MSSPs) and Managed Detection and Response (MDR) service providers. Despite advancements in cybersecurity measures, attackers still find ways to breach networks, bypass endpoints, exploit IoT devices, or leverage social engineering to compromise credentials.


The Problem of Attacks Getting Through:

Attacks that successfully infiltrate networks pose a significant risk to all organizations. Unfortunately, many service provider offerings still lack proactive and continuous network monitoring capabilities, instead staying with the legacy approach of collecting network traffic into a SIEM and manually searching or threat hunting for indicators of compromise. This deficiency grants attackers ample time to expand their reach, identify valuable systems and data, and execute devastating attacks. The key metric that illustrates this issue is dwell time—the duration between an attack’s entry and its discovery.


Understanding Dwell Time:

Sophos’ 2022 threat report provides valuable insights into dwell time across organizations of different sizes. For organizations with less than 5000 employees, the average dwell time ranges from 20 to 52 days, while the average ransomware attack completes its attack cycle in under ten days. While the threat-hunting team at the managed service provider is searching for an IOC (indicators of compromise) needle in a haystack, the attackers have ample time to penetrate endpoint defenses, compromise the network, and laterally move to locate sensitive data. Then both steal and encrypt the data.


The Need for Rapid Detection and Response:

As an MSSP or MDR service provider, your detection and response offering must be capable of swiftly and accurately identifying attackers within your clients’ networks. Anything longer than a few days increases the risk and consequences of an attack. Timely detection and response can minimize damage, prevent data exfiltration, and prevent the attacker from encrypting the data. Simply put, if you are properly monitoring the network, you can detect and stop an attack.


AI is the only effective means of continuously monitoring the network:

Network traffic (North-South, East-West, On-premise to cloud) is voluminous. It is more data than a human can analyze, but it is perfect for an AI engine to analyze. Hackers’ activities during the attack exhibit highly anomalous behaviors that AI-powered monitoring systems can quickly and accurately detect. Even if attackers exploit valid employee credentials, AI-based monitoring can uncover their activities and surface their malicious intentions.


AI-Driven Network Threat Detection Solution:

Network Threat Detection and Response (NDR) is a software or hardware solution designed to monitor network traffic, detect suspicious activities or anomalies, and respond to potential threats in near real-time. They utilize multiple types of machine learning to continuously monitor network traffic, analyzing packets and protocols to identify any abnormal behavior or suspicious patterns. The tool generates alerts or notifications when a potential threat is detected and can automatically respond to a threat with built-in remediation actions. They can isolate compromised systems, block suspicious traffic, freeze a user account, or initiate other response measures.


What a managed service provider should look for in NDR:

Network Detection and Response (NDR) technology traditionally requires the significant deployment of hardware at each location, which is not a feasible approach for a managed service provider due to ongoing high support costs. Newer, cloud-native NDR utilizes data feeds from existing on-premise and cloud platforms. The AI engine enrichment, analysis, and correlation are all done in the cloud, significantly reducing cost, increasing scalability, and unifying threat intelligence. For a managed service provider, this means lower operating costs, faster deployment times, reduced service billing time, and greater detection and response efficacy.



To combat the rising tide of cyber threats effectively, MSSPs and MDR providers must prioritize proactive and continuous network risk and threat visibility. The ability to detect attackers swiftly and accurately within clients’ networks is paramount. Leveraging AI-based network threat detection and response technology like CyGlass enables service providers to offer comprehensive protection and timely responses. By embracing innovative solutions, service providers can ensure that attacks are swiftly identified and mitigated, reducing dwell time and safeguarding their clients’ critical assets.


Go here to learn how CyGlass’ AI-driven, 100% cloud-native NDR platform can increase your managed services’ top and bottom lines.

CyGlass MDR & MSSP Solution Page


Bill Munroe

VP of Marketing, CyGlass