Beyond Checkbox Monitoring: Managed Detection and Response, Not Managed Detection and Report
- Blackpoint Cyber has documented ClickFix campaigns that persuade users to copy, paste, and run commands through fake verification flows.
- Santiago contrasts checkbox monitoring with effective SOC operations, arguing that response and containment matter more than alerts and tickets alone.
- Successful attacks abuse trusted workflows, including verification prompts, sign-in experiences, and support interactions.
- As workloads moved from on-prem environments to the cloud, the controls protecting them shifted from network layers to identity: a password and, at best, MFA.
- Attackers target MSP-managed Microsoft 365 environments as critical workloads move to the cloud.
Wilfredo Santiago, Chief Security and Trust Officer at Blackpoint Cyber, discusses why identity has become a critical security control for MSPs and how they can reduce the impact of a compromise.
Santiago’s background includes threat hunting, cyber threat intelligence, incident response, and threat operations roles across the U.S. Navy, Department of Defense, and the private sector.
Effective SOC operations, he argues, are defined by response; checkbox monitoring stops at alerts and tickets.
Santiago also stresses that analyst intuition remains essential, because activity that is technically allowed may still fall outside what is normal for a particular business.
Read on to learn how intuition combines with business context, the question to ask when reviewing a successful login, and why not every incident announces itself in the logs.
Vishwa: What kinds of “normal” user behavior are attackers exploiting most effectively right now? If you could change one industry habit, what would it be?
Wilfredo: What attackers are exploiting most effectively right now is behavior that feels routine, helpful, and low risk. We are seeing them abuse things users have been trained to trust, like
- CAPTCHA checks,
- browser prompts,
- software updates,
- meeting invites,
- support interactions, and
- legitimate sign-in experiences.
Blackpoint Cyber has documented ClickFix campaigns that literally get users to copy, paste, and run commands after a fake verification flow, and they have also documented device code phishing and OAuth abuse where the attacker wins by making the workflow look familiar rather than obviously malicious.
On top of that, search poisoning and compromised WordPress sites are making malware delivery look like ordinary web browsing instead of classic phishing.
If I could change one industry habit, it would be this: we need to stop treating user awareness as the primary control and start removing risky trust paths by default.
- If a user should never be running commands from a website, then make that hard.
- If device code flow is not required, block it.
- If legacy authentication is still hanging around, turn it off.
- If external support interactions and remote-assistance paths are too open, tighten them.
The habit I would change is our tendency to keep dangerous convenience features available and then hope training will make up the difference.
Vishwa: Are attackers targeting MSP ecosystems differently compared to the ransomware-heavy years? Can you describe how MSPs should change to reduce the blast radius?
Wilfredo: Ransomware is still a major factor, but the targeting has changed. Attackers are going after MSP cloud environments heavily, especially Microsoft 365. In many environments, BEC and cloud identity compromises are outpacing traditional on-prem compromise by a wide margin.
The reason is simple. When the industry shifted from on-prem to cloud, we moved critical workloads into platforms like M365. But a lot of the security thinking did not shift with it.
Workloads that used to sit behind network segmentation, firewalls, VPNs, and other layers are now protected by identity, a password, and hopefully MFA. MSPs need to move toward resilient engineering.
That means:
- strong conditional access,
- trusted devices,
- trusted locations,
- phishing-resistant MFA,
- role-based access,
- least privilege, and
- better separation between customer environments.
The goal should be to reduce blast radius. If one identity is compromised, it should not become a pathway into every customer, every mailbox, or every admin function.
Vishwa: How has AI impacted SOC? What are the hardest parts of running a 24/7 SOC?
Wilfredo: AI has impacted the SOC on both sides. On the adversary side, threat actors are already using generative AI to draft phishing lures, translate content, summarize stolen data, generate or debug malware, and scaffold scripts or infrastructure.
On the defender side, AI is already useful for
- autonomous action for incident summaries,
- script and file analysis,
- guided response,
- hunting support, and
- faster investigation workflows.
So, AI is not hypothetical anymore. It is already affecting both attacker tradecraft and defender speed.
The hardest part of running a 24/7 SOC is keeping the team current. Threats move fast. Techniques change. The cloud changes. Attackers adapt.
A SOC cannot just sit and watch alerts. It must constantly learn, test, build, and improve. For us, a lot of that work happens in the lab.
We spend time doing research and development, building new detection content, testing attacker techniques, and turning that into operational capability. A real 24/7 SOC should be an extension of the MSP’s business.
It should help the MSP scale, respond, and mature. You cannot scale security with people alone. You need process, automation, intelligence, and a partner that can keep pace.
Vishwa: What separates effective SOC operations from what you’d consider “checkbox monitoring”?
Wilfredo: To me, it comes down to response. MDR stands for Managed Detection and Response, not Managed Detection and Report.
Checkbox monitoring is when:
- an alert fires,
- someone reviews it, and
- a ticket gets sent with limited context or urgency.
That might satisfy a requirement, but it does not stop an attacker.
Effective SOC operations are different. They bring context, urgency, investigation, and action. They understand:
- what happened,
- what the attacker was trying to do,
- what systems or identities are at risk, and
- what needs to happen next.
The value is not just in seeing the alert. The value is in making the right decision quickly and helping contain the threat before it becomes a business-impacting event.
Vishwa: Can you share examples where analyst intuition comes into play in detection and incident response?
Wilfredo: Analyst intuition comes into play when you must apply real-world context to the logs.
A tool may show a successful login. An analyst looks at it differently and asks, “Why is this Canada-based company, with most of its operations on the West Coast, seeing a login from an OVH cloud cluster in the Netherlands at 3 a.m. on a Saturday?” That is where experience matters.
The log may not scream “incident” by itself. But the pattern, timing, source, user behavior, and business context can all point to something being wrong.
Good analysts know when something feels off. They understand what normal looks like, but more importantly, they understand when “technically allowed” does not mean “business normal.” That intuition is critical in detection and response.
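The login Santiago describes above, turned into detection logic as an added example (this is not part of the interview and not Blackpoint's tooling). The sign-in records, the customer's "business normal" profile, the fixed UTC-8 offset and the list of hosting-provider ASN markers are all constructed for illustration. The point it shows: every record below is a successful, technically allowed sign-in, and only the combination of timing, geography and source network against the customer's own profile separates the suspicious one from the ordinary off-hours login.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class BusinessProfile:
    """What 'normal' looks like for one customer. Values are constructed for the example."""
    utc_offset_hours: int = -8                       # Pacific, fixed offset (no DST handling here)
    expected_countries: frozenset = frozenset({"CA", "US"})
    work_hours: tuple = (7, 19)                      # local hours treated as working time
    work_days: frozenset = frozenset(range(5))       # Monday=0 .. Friday=4
    hosting_markers: tuple = ("OVH", "HETZNER", "DIGITALOCEAN", "LINODE", "VULTR", "M247")


# Constructed sign-in records. Every one is a *successful* login a tool would show as allowed.
SIGN_INS = [
    {"user": "alice@example.com", "time_utc": "2025-03-04T18:05:00Z",   # Tue 10:05 local, home ISP
     "country": "CA", "asn_org": "TELUS Communications", "result": "success"},
    {"user": "alice@example.com", "time_utc": "2025-03-08T05:30:00Z",   # Fri 21:30 local, home ISP
     "country": "CA", "asn_org": "TELUS Communications", "result": "success"},
    {"user": "alice@example.com", "time_utc": "2025-03-08T11:02:00Z",   # Sat 03:02 local, OVH, NL
     "country": "NL", "asn_org": "OVH SAS", "result": "success"},
]


def to_local(time_utc: str, profile: BusinessProfile) -> datetime:
    """Convert an ISO-8601 UTC timestamp to the customer's local time."""
    utc = datetime.fromisoformat(time_utc.replace("Z", "+00:00"))
    return utc.astimezone(timezone(timedelta(hours=profile.utc_offset_hours)))


def assess_sign_in(event: dict, profile: BusinessProfile) -> list:
    """Return the business-context reasons this sign-in looks wrong (empty = business-normal)."""
    reasons = []
    local = to_local(event["time_utc"], profile)
    start, end = profile.work_hours
    if local.weekday() not in profile.work_days or not (start <= local.hour < end):
        reasons.append(f"off-hours: {local.strftime('%A %H:%M')} local")
    if event["country"] not in profile.expected_countries:
        reasons.append(f"unexpected country: {event['country']}")
    if any(marker in event["asn_org"].upper() for marker in profile.hosting_markers):
        reasons.append(f"hosting-provider source: {event['asn_org']}")
    return reasons


def triage(events: list, profile: BusinessProfile, min_signals: int = 2) -> list:
    """Escalate successful sign-ins where at least `min_signals` context signals stack up.

    One off-hours login from the usual ISP is ordinary; off-hours plus a foreign country
    plus a hosting-provider network is the pattern an analyst would pull on.
    """
    flagged = []
    for ev in events:
        reasons = assess_sign_in(ev, profile)
        if ev["result"] == "success" and len(reasons) >= min_signals:
            flagged.append({"user": ev["user"], "time_utc": ev["time_utc"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in triage(SIGN_INS, BusinessProfile()):
        print(hit["user"], hit["time_utc"], "; ".join(hit["reasons"]))
```

The threshold in `triage` is the design choice worth arguing about: a single signal from a home ISP is routine, so escalation waits for independent signals to stack, and the profile is per customer because "business normal" for a Vancouver firm is not the same as for a distributed team.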
Vishwa: Have geopolitical tensions changed the threat patterns in commercial environments? If so, how?
Wilfredo: We have not seen a massive increase in cyber activity tied directly to geopolitical events compared to previous years, but geopolitical tension absolutely shapes the threat landscape.
Cyber is a tool used by state-sponsored actors to support broader objectives. That can include espionage, disruption, access development, intelligence collection, or targeting specific industries that align with national interests.
The important point for commercial organizations is that they are not separate from that reality. State-sponsored actors do not only target governments. They target vendors, suppliers, MSPs, cloud environments, technology providers, and businesses that give them access to the environments they care about.
Vishwa: Which cloud environments or hybrid configurations are currently creating the most blind spots for defenders?
Wilfredo: The biggest blind spots are showing up in hybrid environments where cloud identity connects back into on-prem operations. We are seeing threat actors compromise cloud environments and then use that access to influence on-prem systems.
A good example is when attackers gain access to Microsoft 365 or Entra ID, then look for ways to modify scripts, policies, or device management workflows tied to tools like Intune or other remote management platforms.
That creates a dangerous bridge. The attacker may start in the cloud, but the impact can reach endpoints, users, scripts, and operational systems.
The blind spot usually happens because teams monitor cloud and on-prem separately:
- identity logs live in one place,
- endpoint telemetry lives somewhere else,
- RMM activity may be reviewed by another team, and
- Intune policy changes may not be watched with the same urgency as endpoint alerts.
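The cloud-to-endpoint bridge described above, as an added example of the correlation that separate monitoring misses (this is not part of the interview and not Blackpoint's tooling). It merges constructed events from an identity log, an Intune audit log and an RMM log into one timeline and pairs every admin sign-in from a network source the admin has not used before with any sensitive management-plane change that same admin makes within a window. The operation names, the per-admin source baseline and the events are illustrative, not a product's exact audit schema.

```python
from datetime import datetime, timedelta


def ts(value: str) -> datetime:
    """Parse the constructed ISO-8601 UTC timestamps used below."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


# Management-plane operations that turn a cloud identity into endpoint impact.
# (source, operation) labels are illustrative, not a vendor's exact audit-log schema.
SENSITIVE_OPS = {
    ("intune", "assignDeviceManagementScript"),
    ("intune", "createDeviceManagementScript"),
    ("intune", "updateDeviceConfiguration"),
    ("entra", "updateConditionalAccessPolicy"),
    ("rmm", "deployScript"),
}

# Per-admin baseline of network sources seen recently (constructed).
BASELINE_SOURCES = {
    "admin@msp.example": {"TELUS Communications"},
    "ops@msp.example": {"TELUS Communications"},
}

# Constructed events from three separately collected logs, merged into one timeline.
EVENTS = [
    {"time": ts("2025-03-10T16:00:00Z"), "source": "entra", "op": "signIn",
     "actor": "admin@msp.example", "asn_org": "TELUS Communications"},
    {"time": ts("2025-03-11T10:00:00Z"), "source": "entra", "op": "signIn",
     "actor": "admin@msp.example", "asn_org": "M247 Europe SRL"},
    {"time": ts("2025-03-11T10:40:00Z"), "source": "intune", "op": "assignDeviceManagementScript",
     "actor": "admin@msp.example", "target": "All devices"},
    {"time": ts("2025-03-11T15:00:00Z"), "source": "entra", "op": "signIn",
     "actor": "ops@msp.example", "asn_org": "TELUS Communications"},
    {"time": ts("2025-03-11T15:20:00Z"), "source": "intune", "op": "updateDeviceConfiguration",
     "actor": "ops@msp.example", "target": "Corp laptops baseline"},
]


def find_cloud_to_endpoint_bridges(events: list, baseline: dict, window=timedelta(hours=24)) -> list:
    """Pair each sign-in from a source the actor has not used before with every sensitive
    management-plane change the same actor makes within `window` afterwards."""
    known = {actor: set(sources) for actor, sources in baseline.items()}
    unfamiliar_sign_ins = {}   # actor -> sign-ins from previously unseen network sources
    bridges = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["source"] == "entra" and ev["op"] == "signIn":
            seen = known.setdefault(ev["actor"], set())
            if ev["asn_org"] not in seen:
                unfamiliar_sign_ins.setdefault(ev["actor"], []).append(ev)
                seen.add(ev["asn_org"])   # learn it, but keep watching for consequences
        elif (ev["source"], ev["op"]) in SENSITIVE_OPS:
            for sign_in in unfamiliar_sign_ins.get(ev["actor"], []):
                delay = ev["time"] - sign_in["time"]
                if timedelta(0) <= delay <= window:
                    bridges.append({
                        "actor": ev["actor"],
                        "sign_in_source": sign_in["asn_org"],
                        "sign_in_time": sign_in["time"].isoformat(),
                        "change": f"{ev['source']}:{ev['op']} -> {ev['target']}",
                        "delay_minutes": int(delay.total_seconds() // 60),
                    })
    return bridges


if __name__ == "__main__":
    for bridge in find_cloud_to_endpoint_bridges(EVENTS, BASELINE_SOURCES):
        print(f"{bridge['actor']}: new source {bridge['sign_in_source']} at {bridge['sign_in_time']}, "
              f"then {bridge['change']} after {bridge['delay_minutes']} min")
```

Neither half of the pair is alarming on its own: a new ISP for an admin is common, and script assignments are routine Intune work. The join on actor and time is what makes the Intune change as urgent as an endpoint alert, and it only exists if the identity and management-plane logs land in the same place.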