Adoption of passwordless security takes off amid COVID-19
In this video, industry experts discuss the intricacies and benefits of implementing passwordless authentication in various business environments. They explore how this innovative approach can enhance security and streamline user experience by eliminating traditional passwords. The conversation also covers insights into integrating passwordless solutions with existing systems and addressing common challenges faced by organizations in their cybersecurity journey.<ul><li>The session discusses the upcoming conclusion of the Cyber Call series and introduces plans for weekly Cybercasts on platforms like Apple and Spotify.</li><li>The importance of implementing Multi-Factor Authentication (MFA) everywhere is emphasized, particularly due to insurance carriers beginning to mandate it.</li><li>Passwordless authentication is presented as a promising solution to reduce help desk tickets and improve security posture, with Secret Double Octopus highlighted as a preferred platform.</li></ul>
Guests
Video Transcript
All right. Cyber call Monday here. Session 51. Mr. Pika 51 Coming up on one year. Hell Coming up on one year. Can't believe it. Um, so next week that'll Be, just so people know, that'll be the last cyber call. 'cause we only had a one year plan. That's right. We're done. Um, so Garrett, we, um, we're off next week, Memorial Day. Mm-Hmm. And then, we'll, we're back the following week. Um, for those of you that haven't heard this before, a few announcements.
Uh, one of the lead authors of the Verizon Data Breach Report, uh, Phil Lwa, who, uh, used to work actually, uh, at CIS. Um, I've listened to this guy's previous presentations. He's, he's awesome. So I'm very excited that, that we're gonna have, um, have him with us. So that's gonna be great. Um, another quick announcement. We'll get through these quick in chat. I'm putting in, um, the first I mentioned this, but now we're live on Apple, Spotify should be Google shortly.
This is the first, uh, cyber cast. Um, so that if you can go in there, rate us, um, et cetera. We're gonna start cranking these out weekly. We go back in the studio, uh, on the 6th of June. We'll be working on the beginning of the, uh, CIS controls and working our way through that. Alright, Gary, um, next week, I know we're off. Give us a timeframe where we might be able to, maybe the week after Phil. Yeah. Yeah. We're gonna announce it on our anniversary. Okay.
And, um, I figured we'll wear, it's kind of like the birthday of the call. We'll wear birthday hats and maybe have a beer. Fair enough. So that, that, talk to us just real quick for those may have heard new portal, your content, what are we doing? Uh, yeah. So we're gonna, we're gonna give everybody a chance to access our content portal and with, it's all of our content, almost 200 hours of content on building a high performance MSP.
But specifically in there is, um, uh, the MSP cybersecurity track that, um, will, has already I think about 10 different videos. And by the time we launch it, we'll have about 15 videos broken up, business technical, really good stuff. Some of the stuff we've worked on together, Andrew, some of the stuff that my team has worked on. So we want everybody to have a chance to review that. Yep. A, a a. Excellent. And then lastly, uh, threat modeling workshop, which is coming June 29th.
Um, we are gonna have, um, forest Carver back. We're gonna have the folks from Red Canary West. This is gonna be awesome. Yes, it will be. Yeah, man, these two planning sessions we've had for it, like, I'm excited. This is something that people will be able to take back. Everyone should have this just the same way they should be doing tabletops. They should. This is something that's gonna really impact their security posture. Yeah. Yeah.
And Gary, you're gonna be doing a lot of the actual threat modeling on this, Aren't you? Oh, yeah. I'm the most technical person on this. I'm gonna just, only thing I gotta do is what I always do. Figure out how we package and price it and get it to market and make money. Exactly. All right. Let's get right on into it. I'm gonna put up the first whole question for everybody, and let me just give that a little backdrop.
So, quick intro, uh, Tim, uh, Fornet Radar Solutions out of, uh, Louisiana, their cso. Tim, thanks for joining us. Yeah, Thanks. Glad to be here. Yeah. And thanks always for being so active. You're one of the most powerful people in our chat, and it really is helpful. Well, it's, it's a lot of fun, right? Yeah, absolutely. It's great to have you with us, Tim. And then Justin, murky. Justin, um, love to have you here, man.
You come, I mean, you've spent time, a lot of time as an se in the enterprise space, then you built your own MSP and you're doing some real unique things here in, you know, the not only SMB but upper mid market. Um, but welcome and we're excited to have you with us. Yeah, Thank you. I'm, I'm very excited to be here. This is fun. Yeah. Awesome.
So, um, setting the stage, we're gonna do something a little different today in that Justin's going to give us maybe like a three, five minute quick screen share. And here's the rationale for it. So, um, I've been, you know, I, I'm on the phone with Tim as single week, um, and I'm on with a lot of MSPs, as all of us are Wes, Gary, here's what we're starting to see play out. And by the way, I just got one of these, uh, from one of the, uh, people in the audience, uh, before I got on the call.
So, ironically, Phyllis talked to us about CIS controls version eight, and how we should put MFA everywhere. Okay, great. That's a, that's a framework important. Well, guess what? Now the insurance carriers are beginning to mandate MFA everywhere. And what we're going to get into, uh, Gary, one of your favorite topic is, uh, lots of tickets with MFA everywhere. So we're gonna be talking about that. Go ahead. No, I'm gonna say, uh, this is great.
But what we're gonna talk about this increase of tickets that comes from this and how to, how we deal with this approach, it also goes into every change in every tool that, and every service related to security that MSPs are turning on right now. They're looking at the cost of the tool, but they're not considering the impact in other delivery areas. And, um, This just happens to be one that you can define and it's pretty dramatic. Yeah, absolutely.
So, so with that, you know, I was talking to Justin after I'm seeing all the, you know, Tim gets on the phone with me. He's like, this is the fourth one this month, Tim, where one of the carriers told your clients it's gotta be everywhere. And oh, by the way, at test station with it. So if you saw the trailer on LinkedIn, you know, this is saying basically you're, let's talk about your home, right? Hey, I don't have a trampoline in my backyard. Right? Something happens.
'cause you're signing off that you've got all this in place. Something happens with a kid in the trampoline and you go to collect, guess what? No bueno. Yep. A pool diving board. Yep. So in talking to Justin, he is like, look, Andrew, I, my bigger clients, here's what I'm seeing. They're just saying, uh oh, we're not doing this. We're not gonna deal with all these extra tickets and all this extra noise and all this inconvenience and disgruntled employees. We wanna look at Passwordless.
So Justin, why don't you share out your screen three to five minutes, if you could give us a sense of what this technology's like, why you're so passionate about it. And then I'll get Gary, uh, to kick things off and, and we'll really get on into it. But screen's yours, take it away. All right. Thank you. Uh, just to confirm, everybody can see my screen? Yep. Yeah. Alright. Excellent.
So, you know, when it comes to Passwordless authentication, um, it, it's been around in the browser for, for a little while now. Things like, um, UB Keys and Fido, uh, protocols can do passwordless in the browser. But when you're in the enterprise or small business even, right? And you wanna log into your computer, and, but you need MFA everywhere, passwordless is really a great approach.
So what I'm gonna just show you here really quick is what the end user experience looks like, uh, for a Windows machine using Secret Double Octopus as the password, this authentication platform. So on the left here, I have my Windows 10 active Directory domain join machine. And on the right you can see my, my Mobile Authenticator app. So you'll notice here, there's no password field, right?
All I have is a, a spot for my username, and I can select, uh, a dropdown that is configurable as to what authenticator I want to use, whether that's, uh, the Secret Double Octopus app, a FI oh two Authenticator. And, uh, secret Double Octopus also supports multiple third party authenticators, such as Octa Verify Duo, RSA, ForgeRock, and others. Uh, so for this demo, I'm gonna show you the Octopus app.
Um, what's gonna happen here is once I hit enter, I'm gonna get a push notification over here on my phone. I'm going to approve that and then supply my biometric. It will also work with an unlock pin for a mobile phone or face id. Once I supply my biometric, there's gonna be a little popup that happens down here at the bottom that says, your password has been changed per company policy. So while there's no password for the end user to see, right?
Active Directory still has a password on the backend. So what Secret Double Octopus is doing is actually changing that password on the backend, taking control of it, managing it, and eliminating the password from the end user's perspective, all while providing multifactor authentication on top of it and a and a more seamless end user experience. So let's see what that looks like. So I go ahead and enter in my, my username and I hit enter. I get the push notification very quickly on my phone.
It tells me what computer and what user's trying to log in. I'm gonna go ahead and hit approve. I'm gonna supply my thumbprint here. And you'll see here that my password was changed in active directory and I'm now being logged in. That is the entire end user experience with full multifactor authentication to get into your, uh, into your Windows machine. Uh, Macs are also supported, um, radius ldap, ldap, s SAML 2.0, um, and custom integrations via REST can also be supported through this.
So really most anything in the enterprise, uh, can be supported in, in this type of, uh, scenario. And so if it's supported in the enterprise, Justin, you, you've had good experience down market obviously, is your point. Yeah, absolutely. I, I've worked with customers as small as 10 users and then companies as large as 200,000 employees, uh, deploying out this, this technology. Very cool. Okay, so let's stop the screen share. If we could bring everybody back.
Um, and then, uh, Gary, let me turn it to you because, um, let's talk about where the rubber hits the road here. If these insurance carriers are basically saying, you know, Hey, put MFA no big deal. Just, you know, put MFA in about 10 different places and go ahead and sign in a test to make sure your MSP's aware about it. Um, no increase in cost there for an MSP, huh, Gary? Yeah, exactly. It it's not just cost Andrew. Like, like that's one thing. Like there's a cost to it. Yeah.
Like, there's upfront cost, there's an ongoing cost. We're talking about increase of tickets by, you know, and I've heard anywhere from 10 to 30% once they turn it on everywhere, like that's massive. Okay. Cost, that's like gonna be, you know, you're talking about that impact on your cost per se alone, aside from everything else. But then there's the other part of it, um, which is unhappy customers, right? And this is one of the reasons why, what did we just say to the poll, Andrew?
How many people don't even have it on email today? Yeah, I, I, I wish more people would be active answering, but in this case it's 50 50. I'd love for everybody to just, if you could take a moment and help us with the poll. 'cause again, this is for you guys, right? The more people that answer, again, we can get you the right solutions right people, but, but basically it's 50 50 Gary people, the MSPs aren't making it mandatory. What if, what if the carrier all of a sudden says, guess what?
Tough. Yeah. And Oh, by the way, you don't, No bueno. Yeah, no bueno. So Justin, first question I have is, again, are you looking at this the same way? One side is a solution that's Passwordless allows you to kind of imagine, manage it in a way that impacts all these things, but also how do you look at it in terms of how secure this is relative to just multifactor? Yeah, absolutely.
Um, so when you look at multifactor authentication, um, it, it is a much needed step in the industry compared to just password authentication. Uh, but depending on how that multifactors implemented, it may or may not be as secure, right? I mean, we see countless attacks with like SMS, uh, you know, breaches or redirection, uh, where it's SMS just isn't that secure. And unfortunately, a lot of companies are, are still doing SMS.
Um, and then too, when you look at a lot of the multifactor solutions out there, they're great when they put a credential provider on the system, right? But not everything uses a credential provider to authenticate. So if those credentials can still be, uh, compromised on the backend, there are still ways to attack active directory and get access to credentials on the backend.
That's, that's actually why we have chosen the secret double octopus platform specifically in the passwordless space, because it actually changes those credentials on the backend. Yeah, and you know, I hear Todd saying they reviewed some, uh, you know, eight different insurance applications. They all asked about MFA, but they didn't require it. But that's the first step they're asking, right? But I, I don't see a scenario where this is not a baseline, right? It's part of insurance.
Like we're seeing it in the enterprise already. So it's just a, a, a timing issue, wouldn't you think? Yeah, a absolutely. Um, we're seeing this come down to smaller companies. Uh, we're dealing with multiple companies right now that are in the 300 to a thousand user range that have reached out to us, uh, because they need to quickly get multi-factor authentication implemented. And they see the only real way for them to do that is to go straight to passwordless with a managed service. Yeah.
And so, like, this is something let's just make, like, again, I think we need to make the assumption that that's where we end up. So now we have to think about the reality of that and all of these options. And, um, you know, just turning on as we're saying, just turning on MFA everywhere probably isn't the best option for MSPs and their customers.
So if looking at this, what does it take, again, we deal with MSPs, they're small businesses, um, maybe limited in, in, in, in varying levels of, uh, technical and security, you know, you know, kind of bench what's required in terms of understanding this and, and, and implementing and managing it? Yeah, no, that's a great question. Um, it, it depends on, on the vendor that you, that you select. Uh, for us, we, we went with Secret Double Octopus, um, as I think I've seen in the chat, right?
Secret Double Octopus was really geared initially towards the enterprise space. Their customers were tens of thousands of employees and they were meant to be on-Prem and things like that. There are other vendors that have SaaS offerings. Uh, we have actually built our own SaaS offering for Secret Double Octopus. And the reason I bring this up to answer your question is that, you know, a lot of the smaller companies, um, they need a SaaS offering, right?
They don't have servers on-Prem, they don't have load balancers, they don't have all of these different things. Uh, when it comes to managing it, again, that really depends on, on the solution as well. Some solutions out there, they, uh, they require a PKI infrastructure, right? They're ultimately taking certificates and, and adding a nice, uh, interface to them with a nice mobile app to, to do the multifactor and, and the passwordless.
Other solutions, um, may be a little bit, uh, you know, involved in terms of the integrations that have to occur. I would, I would count Secret Double Octopus as one of those, right? You need to tell your applications to talk over here. You know, if it's a, if it's a VPN appliance, right? You need to configure it to do LDAP or LDAP s or Radius over to the SDO, uh, solution.
Uh, but managing it overall, once you integrate the applications and you get your users enrolled, we, we have very, very few tickets. Um, I know one Enterprise specifically that had, um, I I won't mention a specific brand, but had had a vendor with about 10,000 users on MFA, they had 10 full-time admins we had. Um, and then I was, I was working with them, uh, on SDO where they had about 10,000 users enrolled and they had a part-time admin. Yeah. Right.
So MFA versus Passwordless is a huge difference. And listen, we see this in different solutions, but this is a great example of one that's really hard to translate to MSPs, right? 'cause if you're talking about an enterprise, and they have even 50 applications. Now I'm an MS p, I got 60 customers, I, you know, and every one of 'em has a different set of apps. They're all evaluating, changing. I mean, like, the level of complexity, you know, around it is so exponential.
That's where we run into problems as MSPs. Some things aren't that way, right? Some things translate pretty well. But Wes, would you agree this is one that's more difficult to translate because of that? You mean from like the client's perspective? Yeah. Implement implementing this across an MSP compared to in an enterprise Clients? Yeah, it can be. You know, it, we went down this journey at Perch and, and it was, this makes me think about this.
Gary is a bunch of our devs were not super interested in this. And once they went password list, they're like, dude, this changes my life. Like, this is so easy. And they fall in love with it. This is definitely a show don't tell kind of thing. And you, you might have to go through a little misery to get there, but, um, I just noticed our devs, which I couldn't believe how much better life was once they truly moved Passwordless Gary. Yeah. Just as an example. Yeah.
So, Justin, knowing what you know now and, and, you know, an average MSP kind of what you're like, how, how do they start? Like part of this is r and d, which you gotta have some resources even to start to, you know, do some resource. And, you know, there isn't a major MSP vendor like there is for, you know, some of the other security errors where there's four or five and everyone knows what they are and, and, and have it.
So starting from scratch, any recommendations at least to start the process. Yeah. So, you know, if you're looking to, to offer something like this, you, you've really have gotta make sure that you've got the time to, to invest, to really learn the platform, whether that's SDO or any of the other, uh, vendors. I, I'm a partner of SDO, that's why I'm comfortable saying their name. But, uh, you know, they, they all have their nuances. They all have their things.
Just like you would have to learn, uh, a lot of the MSPs out here use DUO for, for MFA, right? And DUO is looking to, to have a pass with this offering as well. Um, I think they just announced that, um, you have to learn the platform, you have to understand the nuances, and you have to understand your customer base on how to, how to integrate that. It's, it, it can be quite a bit.
Uh, we've spent a year building out our, our platform testing, um, integrating, you know, we had a lot of customers that would just sign up with us and, and, uh, you know, we, we gave them basically free licensing. We bought a few hundred licenses, and we signed up some of our smaller customers just to say, Hey, test this for us. Give us your feedback. Uh, you know, we found the gotchas, we found the things that we challenging.
Um, you know, like one, for example was we had a customer that wanted to do all FI oh two, right? With the, with the UBI keys, well, office 365, the actual apps, when you go to do modern authentication, that's using Internet Explorer on the backend, which does not support FI oh two. So our customers couldn't actually authenticate into their office or their outlook that anybody that had the full version of Outlook had to use the mobile app, right? Yeah. So little, little gotchas like that.
There's a lot to learn in this space. Um, but it's really time and willingness to invest. This isn't something that you're gonna sign up for and then start selling the next day if you're hosting it yourself, right? So, um, I want to pass over to Wes before I do. One final thought that I have on this is, I hope what people are hearing, we're just talking about one thing and every week we're talking about, you know, one or two things.
Think about how you have to build in the resources for r and d today compared to two or three years ago. You need, you can't, when I say that 10% margin, you know, is the new break even. I, this is the reason why Andrew, like, we have to figure out how to run profitably because we have to make our margin and some percentage of this.
We have to have time and resources, not just to be proactive with customers, but this is not gonna end the things that we're gonna need to understand and consume and figure out. It's gonna keep going like this. And so I hope that message is getting through to everybody. You have to look at your business model differently today. Yeah, yeah. Absolutely.
And I think, I think, Wes, before you take all, you know, we did, Wes and Ryan did this great thing on you in, in the cyber of resilience thing, on the people process technology Yeah. Of it. And some of this is gonna have to be partnering, you know, and you know, Justin, uh, if you want, uh, you know, information, Justin works with MSPs, um, I'll show you out Justin, that's okay.
But, uh, but, but seriously, you're, you're not gonna, some of us aren't gonna have a year, but we're gonna need this kind of technology. So Yeah, I was gonna say, Andrew, we've seen the power in, like, the value of the peer groups increased through this because both within their groups, they're having these conversations and can kind of share the r and d. And then overall we get to look across 185 customers, look at your tool stacks and, and kind of push this along.
But you're gonna need, you're gonna need help with this one way or the other. Yeah. Excellent. Wes, for yours. So just, I wanna get a little bit more maybe technical with you. Um, talk to me about use cases for Passwordless. Um, you know, I kind of just gave a fun story of the eyeopener from, you know, my dev team, our dev team, uh, when they experienced it. But beyond that, talk to us about like, use cases for this. Sure.
Uh, the three primary use cases that we see, uh, with most of, like the s and p customers is gonna be, um, active directory authentication, right? Windows or Mac. Um, and then you're gonna have Office 365 or G Suite, right? Your, your big email applications and then VPN, right? Um, even when a lot of companies are starting to move more towards a software defined VPN or, or networking, um, those are the three big use cases. Um, you also have applications, can you Repeat the first one again?
Sure. You said Office three five VPN, And, uh, like active directory authentication. Oh, okay. Right. Windows or Mac logins. So, uh, outside of those three, I mean, we've seen wide varying applications, whether it might be an electronic medical records system, it might be, um, you know, I've integrated in Adobe Enterprise via saml, salesforce.com, sugar, CRM, any of those SAML 2.0 type applications. Um, any of the, um, network management, right?
If you have to log into, you know, Forti Gates or Sonic Walls or anything like that, from an admin admin perspective, those can be integrated in as well. Uh, really any application that a customer has that can do ldap, um, radius, uh, custom rest integration, which isn't as common or, or saml, uh, is really what we're seeing.
And, and it's really a focus on getting everything pointed back to your Passwordless solution and having a consistent sign-on experience for your, for your end users and your admins. And, and really this is a, a key tenant, uh, to getting to zero trust, right?
Like identity is the centerpiece of zero trust, and this is a huge step in that direction because it's not just the onboarding and once it's set up, the ease of integrating new employees, but even offboarding employees as well, and making sure credentials are taken care of and access as well. It's a huge tenant or piece of this, isn't it? Justin, can you talk more about that? I know you weren't prepared for that, but just was my mind is going No, no. That, that's, that's absolutely right.
So when, when you're talking about offboarding, um, the great thing is, is when MFA is required or passwordless is required on, on every authentication, all you have to do is quickly, at least in the case of secret double octopus, is quickly block that user. That can be done via API calls, logging into a, a management interface. Uh, depending on what your processes are.
If you have, if you're a larger organization and you have one of the identity and access management solutions in place, whether that's Okta or SailPoint or, or Ping Federated or any of those, you could have a user offboarding process that makes an API call over to something like Secret Double Octopus and blocks that user immediately while it's waiting for a synchronization from active directory or any of that type of stuff. So this brings up a good thought.
Uh, I, I've worked with a lot of, like very large orgs, like think Fortune five hundreds in my career. Even at Perch, we had some really big companies that use perch, like household names.
And one thing that they mandated in, um, uh, the contractual agreements with us is making sure that we had integration in, uh, to their SAML so that we have some capability by which they could enforce, create, and, um, have, have identity management that purchase using this just to reflection off their, their infrastructure.
And I know why Enterprise does that, because, you know, every time you have a username and password running around for every SaaS app that's out there, you know, the potential of sprawl, of missing all of that kind of stuff until it's too late, um, is is pretty significant, right?
And so don't you think like this should be something that even MSPs themselves on this call should be thinking about of like, I need to go to all the vendors I use and make sure that they have the capabilities that I need in place to handle identity management, to allow me to be able to do the same things, right? Like so, so that I don't have a bajillion usernames and passwords hovering around all these archaic old systems I use. Don't you think that's a, a huge thing that we need? Yeah.
I, I, I think on top of passer list identity and access management is the next thing that MSPs are going to be implementing even internally. Yes. Um, I think it's gonna become part of their stack, and it's going to be how they provision all of their customers.
They'll have an active directory connector, a G Suite connector, an Office 365 connector, and eventually we'll have things like ConnectWise connectors and SolarWinds connectors and synchro connectors, and all of these things to ensure that you create a user account, everything is updated per your policy and your mappings as required. Yep. Yep. And I love that.
And, and I mean that when I say, like, I'm seeing big orgs now in the procurement process, though, legitimately tell a vendor, we, our selection criteria includes this capability, and we will not use you if you don't have the ability for us to integrate or you to integrate with our infrastructure via SAM or whatever it may be. So, um, I, I really like that. Um, I, I think that's a big, big thing. And I, I agree with you. I think MSPs need to go that way. What about fringe use cases?
Any like, like off stuff that you've thought through or you've seen that are useful that would be worth talking about? Yeah. Um, so one, one of our customers is a surgery center. Um, so they have, uh, 18 pre-op beds, tons of different nurses, right? They're using shared accounts. And when, when we came onto them, they were using one account across all the 18 machines. It was obviously very bad practice, right? Ability to move laterally, whatever.
Uh, so what we actually ended up doing is we created a unique machine for each one of, or unique account for each one of those computers, right? And then enrolled that in the secret double octopus platform. While it's still a shared pin, it is a pin that all of, only the staff there know. Uh, so when they go to log on now, they have to type in a four digit pin, and then they have to physically touch the, uh, the, the FI oh two token, the UB key to be able to get logged on.
But it's very quick for them. It's actually much faster for them now than it was when they had to type in a password that was complex. Uh, so that's like one of those fringe use cases. Um, you know, we've dealt, um, I, I've talked to a lot of, um, places like SCADA networks, so they need offline authentication. So the, the FI oh two has actually been really, really critical there, where they won't allow, um, you know, specific network connectivity and things like that.
They, they can't rely on having a phone. It's mission critical. Um, you know, if it's an oil or gas pipeline, they gotta be able to shut it off. They gotta be able to log into that machine. Uh, Fido two has actually been really critical there. Um, I'm a big proponent of the Fido two, uh, use cases. And that I, I actually use a UB key full-time, uh, you know, for, for all of my logins. Um, I also have the mobile authenticator.
But, um, yeah, I mean, there's, there's a lot of different variations to use cases. I've worked with really large retailers with 25,000 plus employees mapping out their various retail applications and processes and procedures and all of that. I mean, e every business is different as to how they do things and what they need. So there's, there's tons of use cases out there. I agree. You know, user usernames and passwords have been a broken system from the very beginning, right? Yeah.
Like, humans are just, our brains are high hardwired to be the worst with this. And, you know, no, no user likes it. Um, and I do think that a lot of this is going down that journey and sort of forcing and prodding along our users and our companies to get there, and even to some degree forcing it. Um, I like seeing as there's been in chat a lot of like communication around insurance requiring and mandating at least MFA, 'cause we know why they're asking for MFA everywhere, right?
What they're really getting at is we have got to get past single use password, uh, mechanisms because they're just so broken, which we all know. So maybe my final thought, and this is just the security practitioner coming out of me, um, we know there's no one control that stops all the bad things. If there were, we'd all use it. And end of story.
Have you seen, if I'm a, if you're a bad guy, Justin, put on your bad guy hat for a minute, or bad gal hat, whatever it may be, uh, and you're gonna go after, um, exploiting this or bypassing it or phishing around it or whatever, what would you do from, like, how would you bypass passwordless? Yeah, no, that's a great question. So, um, passwordless solutions today for like Windows and Mac, they, they're software that gets installed on, on the machine, right?
So for Windows, it's a Windows credential provider. There are still tools that can send passwords, you know, to the backend directory, uh, without invoking that credential provider. So that's actually why we chose to use Secret Double Octopus. 'cause they actually have a patented process to rotate that password on the backend. Other vendors that I am familiar with don't change that password.
They just put a, a nice interface on top of it and say, Hey, your passwordless and it's secure logging into your computer. But that doesn't help when an actor is able to get somebody to click on a link and get something to run on their machine, right? There's still password scraping, there's still all of these different things that can be occurring. You know, I think the, the statistic is still a little over 200 days to detect the average breach, right? In that amount of time.
If somebody's able to grab a copy of the active directory database and they're trying offline to, to break the hashes and, and get passwords, if you have one of those solutions that doesn't change the password on the backend, they may be able to, to compromise those credentials and start moving east west within the organization more, doing more things.
That's why we really like the the secret double octopus piece, because even if they do that, let's say they're able to get break into something after two months, right? We've probably changed that password 2, 3, 5, 10 times, depending on the policy. Yep. I like it. And, you know, the advantages that we're solving for are, you know, no longer do we have to like, have these conversations of here's what is a good password, here's a bad password. You know, passwords are like underwear.
You should never leave them hanging out. You should change 'em often. All this stuff that we talk about, like, we can finally get past all of that by abstracting passwords into the backend, at least for now because architecture requires it. And then make life easy for end users and abstract away those requirements of stuff we know they hate and don't wanna follow. Anyway. So I love it.
Tim, I'll, I'll, uh, let you jump in with questions, but, um, you know, I, I do think this is big and, and I just want to come back to the, like, the center point to me is that thi this is one of the key tenets of getting into zero trust, is we've gotta make these decisions, we've gotta hold fast to them, and we've gotta decide like we're going down this direction with our entire MSP and all of our clients, and we're gonna crank down pressure on every vendor, uh, that doesn't support give us these capabilities of SSO.
So thank you Justin, for joining us today. And Tim, I'll let you jump in. Yeah. I have a couple questions about, uh, user adoption and justification. Uh, but yes, good question so far. It's definitely got my wheels turning. I've got some retail use cases in my head now that are suddenly I may have an answer for.
Um, so, um, in terms of these requirements, these regulations, do you get any pushback from auditors or anyone saying that the password list isn't traditional MFA and, and maybe doesn't, uh, check the box the right way? Yeah. Um, so I, I've been asked that once. Uh, for the most part today, our customers have just had to attest saying, yes, we have multifactor authentication.
Um, and I, I've been asked that once, and I actually got on and gave a very similar demo to, to what I did here today, uh, to an auditor. And they said, oh, I didn't know that's how that worked. And then they were totally fine with it. So I think it's, it's just, uh, not understanding what the technology is and, and, and how it's secure. And I, I talked to 'em about the backend and you know, how secret now Octopus does shair secret sharing and protects the channels and all of that.
But Do you have a video of that document so we can just give it to them next time? They have Yeah, I, I'll work on getting one. I Got it right here, Tim. I'll splice it and send it to you. Go. Uh, so in terms of user adoption, you know, we, we get pushback as usual. You know, I don't wanna use my cell phone because it's mine, I paid for it, and the company doesn't have a right to install an app on it. Um, any other types of, uh, whining or pushback that we get from users? Yeah.
Um, so I'll give you the, the typical stats, and I'll give you a funny anecdote for, for a customer. We're, we're rolling out right now. Um, you're, you're absolutely right. There are typically gonna be people that will just say, I'm not letting Big Brother on my phone. Right? Unless you pay for my phone. Okay. That's fair. Right? That's, that's their right to, to do that.
Um, what we tend to see is the users will get issued a, a phyto two token, UB key fat and whatever it is, and then they'll see all of their, um, their coworkers using the mobile app. And most, most of our end users like the mobile app more than the UB key or, or the FI oh two token, which surprising to me, but everybody always has their phone. They're used to their phone. So typically after about a month, they'll come back and say, can, can I just put this on my phone? I'd rather have that.
I don't, I don't want to have to have this 25 or $50 UB key that I'm responsible for. I wanna give it back to you. Okay. That's what we, we tend to see. Um, and we also see some organizations that will just say, okay, well, we'll, we'll reimburse you, right? We'll give you a, a stipend. And if they work it out with their, with their employee, great. Then they'll put it on there. Uh, the funniest one I've had yet was a, a company we're rolling out right now.
One of the, their branch managers was refusing to put this on to, to do anything with it for her or, or her employees. And she said she had to check with her, her brother-in-Law, who's an IT guy first. And, uh, she checked with him. He looked it up and said, that's amazing. Why aren't you doing this? And she got all of her staff enrolled. So it, it just, you know, we, we get different reasons behind it, right?
People are, are fearful of the unknown, One of, one of the pushbacks we get sometimes, and you know, obviously everything is wrong with this, but, you know, we have people saying that, I want to know my subordinates passwords and I wanna be able to log in as them. How do you address that with 'em? I tell 'em, that's an absolutely ridiculous thing. I mean, really, like, uh, I, I, I mean, we don't own their, their processes.
If they need to log in as an end user, um, you know, we go through and say, look, this is why you can't do that, whatever. Um, but you know, if they own the company and they're like, I wanna do it, fine, go ahead and put in writing to us that you need us to change their password so they won't know it, and you will.
So we can audit exactly who was getting on at the time, have the paper trail, and we'll make them jump through hoops to be able to do that, and then all of a sudden they don't really want to do that Anymore, so they don't get the irony that that's exactly what you're trying to avoid someone else using the password. Right. That's, that's awesome. Yeah. They're usually the exact definition of why you're doing it as the reason that they don't want do it. Right? Yeah.
And, and, and having these requirements on the backend is, is really helping to justify that I know where, you know, we can go back and point to them and say, Hey, we're following these frameworks, we're following these requirements. If you don't wanna do that, then yeah, we need to call your insurance provider and tell them that this yes, we, we clicked as a, as a no now. Yep. And we can deal with that.
Uh, so how do you start up the conversation with a prospect or a client to, to get them on board with it? Do you talk to the executives? Do you talk to the, the techie people? Yeah, it really depends on the size of the customer. Um, so typically we see our customers that are under 200 employees might have an IT person.
Um, but typically we're talking to, um, either a compliance officer, uh, or, um, A CEO or, um, like a finance, like a, like a CFO, uh, typically is is what we're doing, but really it's, you know, in sales, it's whoever we can get a contact with to get in into a, a prospect. Um, that's really where we go. And do you just bundle this in with your services, or is this some something you add in? Yeah, so this is actually now part of our, uh, bundled service.
Um, so right, we're, we're an all you can eat shop, so you pay this much per month and you're getting, um, you know, every, every aspect that we have to our stack because ultimately it reduces cost for us. I know that might sound counterintuitive, but it really does actually reduce cost for us. So we, we really try to get every customer on board with this.
We, we have some customers that, you know, the margins aren't there for us just to go give it to them, and we're trying to get them to, you know, sign up for it. But yeah, this is, this is in our stack going forward. Okay. And it's, uh, I guess been pretty easy to come back into them and, and tell them, we're gonna make this change and we have a process for it, and here's what we're gonna do. Yep. Absolutely.
Uh, we ha we actually have, we've made our own videos around, you know, what an Office 365 authentication looks like, what the desktop authentication looks like. Um, you know, if they have a VPN, I'll go configure their VPN. We usually have spare equipment here. I'll show 'em what a Fortinet authentication looks like, or a sonic wall or whatever it is, and I'll show them the videos and they're like, oh, that's really easy. And typically it's, you know, a director of a 50 or 75 person company.
They're like, yeah, let's just do that. Cool. It, it sells itself. So talk to me a little bit about shared accounts. And I'm thinking about, you know, devices, routers, switches, uh, things that we as an MSP would need to log into that isn't necessarily going to support multiple accounts or need to, but then as an MSP, we want to be able to make sure that we know who has logged into what device and, and when they've done it and, and why they did it, hopefully, uh, right.
Is there something for that? Yeah, so, you know, most of the modern equipment, right? If you're looking at like Cisco, Palo Alto, Fortinet, those types of firewalls, the management interfaces, most of 'em can do Radius or ldap. Um, and even now starting SAML authentication into something where, um, you know, you can authenticate against a, an LDAP directory, for example. Um, you know, that that's what we do for, for our network equipment.
The SDO solution is a full LDAP proxy, so you can still see all the groups, all the users on the backend when you, when you bind through it, you can still do your role-based access control, granular, um, you know, rule sets, all of that through that. So we can give individual people access to the backend directory, so we still know who's authenticating. And it still does the, even though you're doing LDAP or LDAP s over over to the SDO solution, we can still authenticate those end users.
And then there's full audit logs of this user authenticated for this system, and you can match everything up. You can export everything out to a sim, you know, log rhythm, Splunk, any of those types of solutions out there as well. Perfect. That was my next question, but I think I, that falls under the concept of something that you want and almost never, ever use. Like it's so rare you want to have it in case, but it's so rare that you actually have to go back and check it, you know? Yeah.
What, what's really neat what we do for our customers is, um, you know, we, we manage everything, uh, for all of our customers. We, we don't, we have one customer that's shared it. Um, so for their firewalls and things like that, it's all part of our service, right? It's, it's all included. So even though they may have their own instance of secret double octopus, that is for, um, you know, their own authentication, right? We have our instance as well.
We will actually take those firewalls and configure against our instance. So like everything's just tied right back into our own active directory. We know exactly who's authenticating into the equipment that we own and manage, even though it's on-prem for them. So it's, it's quite nice. We can, we can have it all configured up at the office and sent out, and then it's all ready to go. That's excellent. Great. Tim, is that it for you? Do you have any others?
That's, If you have a thought, get, go, go, let, let it rip. Um, I mean, I'm just curious, is SDO now we're ever going to be an identity provider? Or is it, uh, So passing Along? That's a great question. They are not an identity provider, right?
So, so they still require a backend directory for their source, source of truth, whether that's Active directory, um, Okta's Universal Directory, ForgeRock, um, they can, they can do the LDAP s interface into Azure AD and Open LDAP directory, you know, Oracle, um, it, it's, they're, they're, they're very focused on authentication. That's what they do really well, and that's what they're focused on. Um, and that was, that was the, the gap we were trying to fill.
Um, you know, we have other solutions that we're constantly, you know, tweaking our, our stack and bringing in along the lines of the identity and access management space, right? We have a, a third party vendor that's got something coming to market that we're actually gonna be bringing in and, and hosting like we do for Secret Double Octopus very soon. So, Okay. Yeah. What about a, I mean, we've got more and more clients now who are going ad list because they're small. Mm-Hmm.
Um, and maybe that's Azure ad, maybe it's nothing at all. Is there something in there for those guys? Yeah, Um, so it still requires a directory on the backend, but what we do for, for those those folks is, uh, we actually have a, I'll call a customer active directory environment, right? Where they each get their own ou, nobody's actually logging into Active directory. We're just using that as our directory source for these customers, you know, 5, 10, 20 employees.
They get a bunch of laptops out there, a bunch of sales guys roaming the country, some Mac, whatever. So we'll create an account for them, an identity for them in the backend directory. And, uh, secret Double Octopus has the ability to handle local users. So you specify, uh, a format. Typically it's like my, my backend directory account is first, initial last name. That's what my user ID is on the local machine. And then you specify that mapping.
And then since SDO runs as a credential provider, it has system level access. So it will actually change the password in the backend directory, but then also change it on local machine to, to synchronize and still go passwordless. Cool. That's really cool. Yeah. So I know one, one other question we, we tend to get quite a bit is, um, how much is this actually like saving your managed service provider, right?
I mentioned that it's cheaper for us to put this in into our stack now than it is for us to, to not have it in there. And that really comes down to reduction to help desk tickets. So we, we see an average of 30% reduction in help desk tickets across the board that, uh, for customers that have this, um, we've, we've worked with some companies that, you know, they know that 75 or 80% of their tickets are password resets, right?
The, the ROI on something like that, you know, especially when you're a larger company is millions of dollars, right? Smaller companies, it's not that big. Uh, but it's still a big reduction, right? Us getting rid of 30% of our help desk tickets is huge for an MSP, right? That's profitability right there. Yeah. Excellent. Okay, so, um, we've got about 15 minutes left. We've got some questions. Uh, I was wondering if we could throw some of these your way, Justin, if Sure.
You could not, don't mean to put you on the spot for all of them. Like I saw a question in there on CMMC, so let me bring 'em up. The other thing I just wanted to do, do, um, and this is, I'm just putting something, uh, in chat on, um, an upcoming webinar. I forgot to mention if, because someone said something on CMMC, it kind of jogged my memory. For those of you that don't know, uh, Ryan Bonner, um, he is fantastic when it comes to Cmmc. He's one of the top compliance experts out there.
Um, so he is gonna be doing something and you can actually two different kind of webinars where you can actually win a consulting engagement, uh, with Ryan. So that's there for you. CMMC, uh, DIB, uh, guru, you know, people that are in that space. Uh, it's in there if you wanna just learn more. So some questions. Gary, by the way, did I saw you chuckling? Did you have something you wanted to share before I get into these here? Well, I was, I was just chuckling to myself.
'cause I was saying like, sometimes MSPs will go in now, you know, to a prospect and their fact finding, you know, they're gonna ask, Hey, do you, do you know what multifactor authentication is, Mr. Prospect? And, you know, do you guys, and then when they say they don't have it, they're like, Ooh, you know, now you can go in and say, Hey, are you using multi-factor authentication? Oh yeah, we are. Ooh, now we can remember.
Go up one level to, Yeah, it's like, it's like Spinal tap, yours go to 11 Gary Date myself. But if any of you guys know Spinal Tap. All right. So we had a question in here. The first question I saw was from Ed. Um, what about CMMC and password change requirements? Justin? Does Passwordless take you out of compliance? Uh, I think that's going to depend on the passwordless solution that you implement and what the exact requirement is, right?
So WW this is one of the reasons we, we chose Secret of Octopus because it does change that password on the backend, right? And that can be configured to, uh, change at every authentication if you want. We don't do that typically, uh, in the demo environment that I showed, I have it set that way just to make sure it happens. Uh, but that generates a lot of, uh, replication traffic and active directory synchronization traffic out to office, you know, Azure AD Office 365.
Uh, but typically our customers have their passwords changed every week. Got it. So this got the most, uh, votes when implementing m and we, and we might have kind of touched on it, but I'm gonna bring it up again. Justin, when implementing MFA, we have users resisting, you know, resisting, installing MFA apps on their phones, their personal phones. Are you seeing that as a problem, you know, when implementing and, and are you getting around it? Yep. Uh, we definitely see it.
So we're, we're actively implementing a a 400 user organization right now. Um, we've gotten about 350 of the users enrolled, uh, 20 of flat out said, no, we're, we're not gonna put this on a personal device. Um, I think that's a, a pretty consistent metric overall. Uh, you're gonna have a percentage that just won't use the mobile authenticator. Uh, and in those scenarios, right, the organization, you know, before we sign on with them, we, we let them know that this is probably going to happen.
Um, they will either work something out with the end user where they might give them a stipend, you know, for their phone or break it into their plan, or, uh, they'll get a FI oh two token UB key or a Ian Token, uh, that work with, with our solution. Interesting. It was the same, they were the same 20 employees that didn't get the vaccine. Alright. Um, okay. Is Windows hello for business Usable for Passwordless login? So Windows, hello for business.
It's been a little while since I've looked at it, so forgive me if my information is wrong on this. Um, that is, that is Microsoft's approach for Passwordless on-Prem. Um, right. There's also, you know, they also have Windows, hello in, in the Azure space. Uh, but the windows, hello for business is, uh, from everything I've heard and I've, I've worked in large companies that have tried to roll this out. It, it's kind of a non-starter for most of 'em. They've tried, it's failed.
We've gone in with SDO and, and kind of, uh, you know, put in a different solution for them. A lot of it came down to, um, just the sheer cost. A lot of them didn't have cameras that would work with it or they didn't have fingerprint readers that would work with it, and they're gonna have to buy a ton of hardware just to make windows hello for business, uh, work for them. Um, and then there's also the fact that like when you set a pin, used to be this way.
I don't know if it's still the way this way, but when you set a pin, it was specific to that computer. So if you had roaming users, it didn't work very well for, for a lot of roaming users. At least at the time. They, they may have changed that. I'm not certain on that. Got it. Alright. Uh, is the insurance carrier requiring MFA everywhere or only critical systems? Tim, I'm gonna throw this one to you. 'cause you've gotten four of these in the last month.
Um, or critical systems, do they have guidelines on systems, uh, that do not support MFA? So, uh, thoughts on that, Tim? Yeah, so I, I posted the, the one I got the most often, the travelers one, uh, in the chat earlier. I can, I can post the URL again, but it's, it's pretty clear that it requires it everywhere for internal and remote access. Uh, and it's a requirement, you know, I know not every policy is the same. So there may be some who are, uh, not requiring it and some who are.
And, and this is an addendum page that's being added, uh, to the existing policies that are asking all the other typical controls about do you have a IR plan, do you have backups and, and you know, all those things. Uh, I'll go ahead and post the link again in case anybody missed it. But thanks for do doing that, Tim.
But, uh, yeah, it's, it's, it's seems to be pretty cut and dry for the most part, uh, that these things are required and if you don't have 'em, you're, you're not getting anywhere with us. Yeah. Uh, So, so, so, and by the way, I just wanna throw this out there for those that have said we haven't seen this yet from our insurance carrier. That that a hundred percent. I get it. Here's the point I wanna make because again, if you think CIS controls, right?
Version eight MFA everywhere, well guess what? CIS is also the home of the multi-state isac, right? Wes? Um, and guess who consults with CIS quite a bit? State agencies. So, um, and I know Lewis is out there and he might wanna even chime in and chat 'cause he works with some states, uh, state agencies. Um, I don't think it's long before, if you're an MSP working with a state agency, Wes, uh, we're gonna see like whether it's an insurance carrier or not, this is coming our way. Fair.
Yeah, it's, it's certainly fair. Um, we're seeing, like I said before, we're seeing the changes in the wind. I think large Fortune five hundreds are seeing this as such a requirement. They've been able to pitch it to the entire procurement process. Um, we, you know, we still have a lot of legacy technology to get through and a lot of old stuff hanging around that we're either gonna have to build around or it's gonna have to be updated and adopted.
Um, so, but yeah, no, I think we're gonna see this, this is going to continue and, um, might as well get on board with this now, uh, for sure because yes, I think state agencies and, um, insurance regulation, even if it's, um, you know, in intra-agency requirements, um, yeah, we're gonna see this continue to come forward. Andrew. Awesome. I'm just putting, 'cause people are asking, I'm putting Justin's, uh, you are, uh, LinkedIn below in the call to action. It's in green below there.
Uh, just a few more questions I think we have time at. We can get to. Alright, let me work my way up. What happens when we're trying to log into a local pc, small company, small company, you may have, sorry, if you, if you mentioned this, but small company, uh, when they lose, don't have internet access for SDO to work. Um, and SDO is, you know, changing passwords every time it's used. That, that's a great question.
So, uh, SDO does not change a password if the machine is not connected to active directory when it's time to rotate the password when they log in. So, um, you know, cache credentials are still used just like you would without a password that's authentication, right?
It's all cashed in Ls, A and SDO, um, you know, your, your mobile authenticator or the machine having crypto credentials on them and then use, um, your authenticator to decrypt said credentials and then to transfer them down to the machine to log in with them. So in the event that you're offline, let's say you've got an executive who's out on a pontoon boat in the middle of the lake and they wanna get on their machine, there's, there's a couple of ways that that can happen.
One, if they're using the mobile authenticator, um, most modern laptops will, will support this. Uh, the Octopus app actually supports Bluetooth low energy pushes. There's no pairing required. It just sends a push notification out over BLE and the mobile app understands how to respond to that and they get a push notification just like they were in the office and online it will respond and it will send the decrypted credentials back through an encrypted channel to, to log in. It's really cool.
Gary, This is perfect for your new boat, man. Yeah, I got got, I have, I have, uh, access, don't worry. Alright. Yeah. Um, okay. Can SDO be used in environments that aren't leveraging? Oh, you said at Yes, they can, right? If if they have something like yours, Justin, right? They, they're gonna need a directory of some type. You, you, you, your quote unquote managed service created that you're creating OU for them, et cetera. Correct? Yeah.
Alright, Taylor, when you Get to the end, I have a question too. Yeah. Uh, almost done Garrett. Uh, Taylor, thanks for, by the way, for sharing that stuff. Taylor, uh, Tochi did, I hope I pronounce that correct, Gary. Hey Taylor. Uh, how does, how does an MSP handle this when you might have multi-use admin account? IE support login for your support team, multiple engineers, um, use to support the client environment? Yeah. You know, shared, shared active directory accounts get pretty tough.
Um, we, we, we don't do them. I, I, I mean I know that can be a pain. Uh, you know, if you just want to have, you know, one account at a customer, you can do it. Um, it's just not necessarily the, the, the best thing to do. Uh, because if you enroll multiple admins, let's say you got a five admin team that are all, you know, supporting a, a, a customer when you go to log in, all five phones are gonna get that push notification, right? Anybody could respond to it.
So it's, it's really not a good practice to do. You really wanna have unique logins anywhere and everywhere that's possible.
Um, now we have the ability to potentially map, like if you had local user accounts, like if you wanted to take the local admin account, you know, it's got a specific name, you can enable, uh, some feature sets to allow that and you can map your individual user IDs on the backend to be able to authenticate as that local user where you put in, like, I wanna log into, you know, dot back slash administrator and then I put my username down here and it sends the push notification just to myself, I authenticate and all of that is audited, logged and tracked within the, the SDO platform.
Excellent. Alright, so Gary, you take it away with your, we will have your final question and then we'll get to wish everybody an awesome memorial day. Uh, we'll, we'll take that time off and we'll close things out. Yeah. First, um, first thing I wanna say is this was really great Justin. So, uh, great response, all the interaction here. Awesome. And also Tim, uh, really great having you, uh, really great. Awesome. Justin, so here's, I got a question.
It's not, uh, as you can probably, if you've been on this before, it's not related, it's not related to password list or MFA, um, sounds like you put, look, you're way down your security journey. You're, you're obviously maturing it. Can you give me an idea or a ballpark of what your average seat price would be to sell a new customer? Uh, for, just, just for the SDO piece? Nope, I'm saying you're said you're doing everything for 'em. Oh, everything. Yeah.
So we're, we're not in a major metro, so just pointing that out, right? So our prices might be a little different. Um, we are, uh, averaging $125 per user per month. Um, and that's including our entire stack including, you know, cyber CNS, vulnerability scanning, including, uh, you know, the password, this authentication, full managed endpoint detection response, all of that.
Alright, so listen, you helped us out today, so I'm gonna help you out, uh, raise your price to 1 75 immediately and you'll get it all day long. I, I just connected with you on Facebook. I probably could tell you in a couple sentences now. Yeah, I know, I know. We're a little under, it's uh, You're welcome by the way. Yeah, thank you. That's one. I don't care.
I don't care if you are wherever you are in this country, someone with your knowledge and experience, what you just subscribed, you're at 1 75 all day long plus backup. Yeah. Yeah. Everybody listening to this? Yeah. Keith's saying two 50 minimum. I'm with you on that. I'm, I just don't, I don't want him to have a coronary. Alright, so, uh, Wes, I two, two minutes left. I get to ask you about closing thoughts finally. Ah, it's been a while, hasn't it? It has.
Uh, hey, I just want to come back to the threat model workshop. Um, it's gonna be fun. I wanna see you guys all join. Share it to your friends, share it to your peer groups. Uh, I don't think anyone's ever done any. In fact, I know no one has ever done anything like this before for the channel. Uh, so this is gonna be a really cool event, um, by Ryan Weeks. Yours truly Gary and others. Um, so our, our guests that are gonna join.
And so, uh, I will say Gary or uh, Andrew, thanks for putting this community together. It's so much easier these days for us to reach out to people like Red Canary and be like, Hey, we're the cyber call. They're like, we know the cyber call.
Uh, and uh, so thank you for this because, um, if you guys have ideas of, of you know, guests you'd like to spring on topics, I think we have a lot of command and influence now on this channel to where we can really do some things that were more difficult at the beginning. So threat model workshop I'm big on and just continue to give us feedback on what to cover in the future.
Yeah, I, I would echo, uh, thank you for that Wes, but I would echo man, it like if, and again, I would just ask everybody to, you know, next week we're off, but could you just let people know I don't think the Verizon data breach has report, has ever done anything for the channel, uh, that I can know in my 20 years. Gary, have you ever heard about them come to speak to MSPs? Nope. Yeah, so if you guys, you know, spread the word, et cetera, um, Justin, Tim, thanks.
Wait, I was gonna say, and if, uh, and if you guys can get us to 3000 subscribers, then who knows who we can Get. Yeah, good point. Um, so Justin, Tim, thanks a million. Gary is always great insights. Great call today man. You guys were awesome. Yeah, you guys absolutely were. Thanks everybody. We'll see you in two weeks and make it a great day. Take care. Alright, thanks everyone.


