(no title)

Many businesses outsource their SOC to third parties like Huntress, Carbon Black, SentinelOne, all of whom offer very fancy Endpoint Detection and Respone (EDR) tools. Just about every EDR solution is a Cloud/SaaS offering provided either directly or indirectly through a third party Managed Service Provider (MSP). We call this Managed Detection and Respone (MDR). From technical and privacy standpoints, it probably sounds like a huge risk, but it's also worth acknowledging that EDR companies operate immense threat intelligence platforms through real-time monitoring of customers. From a C-suite perspective, it makes a lot of sense to offload the specializations of real-time protection and malware analysis to EDR solutions. There are risk managers who have quantified the risk tolerance for these types of products/arrangements. The company legal department, the CFO, and the board of directors are all satisfied with the EDR solutions placement on the Gartner quadrant and SOC Type 3 report saying the EDR provider follows best practices. Sometimes it's even a requirement for "cyber insurance" which a business may need depending on the industry. For better or for worse, EDR is how most institutions secure their IT infrastructure today.

> For example, if the government purchased Outlook licenses, I'd assume DoD can read clerks' emails, but Microsoft employees can't.

Funny, my automatic assumption when using any US based service or US provided software is that at a minimum the NSA is reading over my shoulder, and that I have no idea who else is able to do that, but that number is likely > 0. If there is anything that I took away from the Snowden releases then it was that even the most paranoid of us weren't nearly paranoid enough.

Oh, absolutely. There are some ways to avoid this--customer managed encyrption keys, for example--but there will always be some kind of trade-off. The less an EDR (endpoint detection & response) tool can see, the less useful it is. Going with a customer managed encryption approach means the customer is then on the hook for watching and alerting on suspicious activity. Some orgs have the capacity and expertise to do this. Many do not. It often comes down to deciding if you have a budget to do this yourself to a level you and an auditor/customer is comfortable with (and proving it) or outsourcing to a known and trusted expert.

EDIT: For additional context, I'd add that security/risk tradeoffs happen all the time. In practice trusting Huntress isn't too different than trusting NPM with an engineer that has root access to their machine or any kind of centralized IT provisioning/patching setup.

You would think so, but in general the kind of attitude to security that results in these kinds of products actively encourages increasing the number of entities that have very highly privileged access to your system. 'Supply chain attacks' and 'attack surface' don't really register in this area, but 'buy this and you will be more secure' sales pitches very much do, especially with a dose of FOMO from 'industry standard' rhetoric.