Right of Boom
January 30, 2025

August 10th, 2020

Guests

Andrew Morgan

Video Transcript

All righty. Welcome everybody. It is week 14. 14. So we're in month here of the cyber call. Hard to believe, but, uh, welcome everybody. This is threat sharing, uh, ISAC, ISAO, and does it matter for MSPs? And so, uh, one of the things that's pretty cool, I don't know if you guys notice we have five and we could have six. So now we can pull people from the audience, Gary, and put them on stage.

Um, I'll have you, you know, pick people and, you know, kind of, and when they're in trouble, we can pull 'em up here. Gary, what do you think of that? Sounds great, man. That's good. So, hey, we're gonna get right on into it. I wanna make an introduction to Christie Coffey from the Maritime ISAC. Um, Christie has a ton of experience with ISACs and ISAOs. And so Christie, what I'd like to do, um, what's wonderful is I thought we'd have to have you over here initially in the audience.

We have you right up here right now. So from an agenda perspective, why don't we get into, you know, you could just give a quick overview, your background, et cetera. And then I'm gonna turn it right over to Wes, um, because he's got a ton of experience. He's chaired, um, you know, the FS ISAC, which is, you know, the largest, um, uh, ISAC, uh, worldwide at seven, over 7,000, 7,500 members.

And so to just kind of set the stage on what the heck are these things, um, and then, uh, we'll get into some Q&A. And, uh, I've kind of outlined an agenda for Wes, Gary, and, and Kyle to ask you some questions. And we'll, we're gonna have an awesome conversation. So with that, Christie, let me let you take it away. Welcome. Hey everybody, it's great to meet with you. I'm Christie Coffey. I am the VP of Operations for the Maritime Transportation System ISAC. It's kind of a mouthful.

So MTS ISAC is what we go by. Um, I've been working in the threat information sharing space now for about seven years, maybe even just a tiny bit longer. So I started off when I transitioned from, I used to be a computer scientist from remote software, transitioned into cybersecurity about 10 years ago. And, um, one of my first jobs was with intelligence platform vendor who wanted to really bring together communities, work with ISACs and ISAOs.

So I started there and then transitioned into the maritime space, really dedicating my focus to information sharing, um, community in the maritime transportation system, try to protect that critical infrastructure stakeholders. So I've been doing this for a little while. I've got some kind of background and lessons learned, things that I would, um, I would encourage folks to kind of consider when they're joining an ISAC or starting a new one. Excellent.

Wes, let me turn it over to you to kind of just set the stage on what are these things called ISACs and ISAOs, um, why they're important, why they work, why they don't, you know, just kind a little background on it. Yeah. And, and your experience. 'cause you've, you were intimately involved on the practitioner side with, with an ISAC and, and so it'd be cool to let you set the stage for everybody. Yeah. So, by the way, did you get a, did you get a camera upgrade?

'cause you look really clear, like, uh, like professional, like a movie, like a movie star today. It just depends on when I have time to set my lights up. But I appreciate that very kind of you. Hey, look. So let's get started with this. Um, let's go to the chat because we have Christie, who's a personal friend of mine, and, and Christie, thank you for joining us today. Um, feedback from the audience, because Christie, I want you to see this as an MSP. Are you concerned?

And would you like to have the ability to share threats with one another? Yes or no? Let's watch this. I would never, who wants to share information, right? Who's terrible idea, right? Right. My goal today is to encourage everyone to share. So hopefully we can change that dynamic on this call. Good? Yes. Uh, Christie, I wanted you to see the yeses flow in, because that's right. Uh, obviously it's gonna be a yes, right? Who would say no to that question, right?

This is, but the, the, the key thing is how do we do this in a way that is going to be beneficial to us, right? Because, so I can tell you from my experience, having, you know, been involved in these threat sharing groups for a long time, there's a right way to do it. There's a lot of right ways to do it, and there's a lot of wrong ways to do it. We're gonna talk about that today and really want the feedback from you as the members for all of this.

And, you know, as, um, Andrew mentioned, without turning this into a history lesson, I don't want to get into all of that. But what I do want to talk about is, you know, for us, I'm gonna share a link here in chat. This is something I wrote a long time ago. It's just a little shameless plug.

Um, when I was in my banking days and I was learning to explore and learn what sharing groups are all about, you know, what they are, if you distill them, is they're just a community of people that are wrapped around a common good, a common industry, a common mission to say, we're gonna share threats with one another because the sum of all of us is better than the single one of us.

And Christie, what I noticed at FS ISAC when I was there, and I'm just gonna say this quite plainly, I had, I was elected as the member chair for about 4,000 banks and credit unions. And Christie, 90%, maybe 98% of them weren't really effective with the ISAC. They were just collecting a bunch of emails. They weren't doing anything with it. Uh, it was noise in their inbox. They, it, it wasn't built for them, it wasn't customized for them, and they just really struggled.

And so, I guess my opening question for you, Christie, is what makes a really good ISAC? Like you've been around these for the longest time, what makes a good one? Well, I think, I think there's two things that every ISAC should aim to achieve. And we, we use this all the time in our mission statements. One, early situational awareness.

What's happening that I need to know about so that I have proactive knowledge and can take, uh, protective measures for my organization and two, actionable intelligence. So you want early situational awareness. You want actionable intelligence.

Now, you know, if you think about like the capability maturity model, I don't wanna get too technical here, but everyone should be at least have a kind of a situational awareness and maybe have the ability to consume, they could take some more mature organization to contribute. But there are little things that everyone can do, um, even if they're not like sharing information. I think a lot of times people just don't know what to share. Like, what do I share?

You know, we kind of, I think the basic building blocks of information sharing is what I call a request for information. As an example, I'm seeing this, is anybody else seeing this? Or is it really just targeting my organization? You know, even just a, a yes or a no, or a plus one can be a very meaningful way to kind of begin that information sharing dialogue, right? So that, that's kind of like at the very smallest level.

And then from there, you can get into all different kinds of information sharing, but really, you know, putting something out there and asking if anybody else is seeing it, that's really a great way to start a conversation, right? Yeah. It, it really is. And this is one thing that Christie MSPs today really desperately need this, right?

So I don't know how much you've been like in touch with what's going on, managed IT providers, but they've come under the crosshairs of very sophisticated threat actors for the first time. And then in the past three years, and many of them are being hit by these systemic, what we call at Perch a buffalo jump attack where an MSP gets attacked themselves, and that's used as the leveraging launching point to run ransomware against all of their, their clients, right? Right.

And so for the first time, MSPs are in the need of where enterprise has been for a long time of, hey, we have to defend ourselves against very sophisticated threats, right? Um, and that, that's a big deal. That's something that I think threat sharing is, is a, a key cog in that wheel and something we should all be thinking about. Um, and I definitely want to turn that over to Kyle and Gary for a minute too. Kyle, I want to ask you a question.

Um, you know, from your perspective inside of, you know, federal government from Air Force, from, uh, from NSA, um, how have you seen effective threat sharing groups work, uh, in, in a way that works for the members? I usually look at three key things on my end, and the two that I'll focus on for this conversation are, one, it needs to be timely, right? What, what is the use of information? If you can't act, do action upon it. The other one is probably relevance.

And somebody actually already hit this Kyle in there as well as some others Kelvin have already in chat said, look, I would like something specific to our target audience, and I can't tell you how often that threat intel in regards to one topic has no benefit for somebody elsewhere. So to have, obviously, in this situation, having Christie come in and talk about maritime is super relevant.

And Christie, I've got all kinds of questions to ask you later on, but I'll give Gary a chance to, uh, chime in and, and, you know, in regards to how threat intel might be relevant for this crowd. Yeah. So, you know, the same way I study the MSP model right now, uh, I'm studying the hacker model, the business model.

And so the ti when you said timeliness, I think the importance of that is becoming more critical day by day, because you see this business model where, uh, there's a threat and now they're able to proliferate that out. They're building their distribution channels, so they'll be able in a shorter timeframe to make more of an impact. So I feel like that timing piece, um, I is just, uh, it's a, it's gonna be a, the value of it's gonna be at a premium for, for here on out.

Hey, Christie, talk to me about the benefits that, um, MSPs would get if they banded together and formed an ISAC or an ISAO, um, especially from like the federal government side. Talk to me about what they get out of all of that. Okay, so a couple things before I, I take that though, there's, one thing I do wanna say is that the maritime transportation system, a lot of our port critical infrastructure stakeholders use MSPs.

So what we're talking about today is actually very typical and important for me and my customers. Um, and, you know, maritime is a big deal. I mean, I can give you examples of how it's a big deal, but that's not really why we're here today. We can take that another time. Um, so a lot of things about sharing information that everyone should know. And one of the primary benefits of working through an ISAC is that, um, there are cyber information sharing, um, liability, civil protections.

And also, um, CISA, the CISA Act of 2015 was intentionally put out by the Obama administration to help ISACs and ISAOs and communities work together without repercussions of harmful consequences. So, um, no FOIA, no sunshine laws, liability protection, civil protection. So those protections from working together in a trusted, you know, entity like an ISAC or ISAO is, is really helpful in helping break down kind of one of the barriers.

Now on the, on the benefit side, one of the things that we're seeing in maritime space is that participating in an ISAC is becoming a competitive advantage. And I'll just give you an example that I think everybody's gonna kind of be able to understand.

Um, and this is, to me, fascinating in maritime, some of the ports in the United States are now being asked by vessel owners and operators, you know, what, what kind of cybersecurity posture they have and participation in, in ISAC is becoming kind of a key factor in making a business decision as to whether, you know, if you wanna participate, if you wanna, you know, dock your ship at this port and unload your cargo here, or if you wanna unload it somewhere else, right?

So we're starting to see, and it's, I think very, very early, but it's exciting that, you know, cybersecurity in the past where it's been the right thing to do, information sharing is a good thing to do. Um, now it's actually, you know, becoming a conversation point for business, um, folks at, you know, different organizations. I don't know about other industries, but at least in our industry it is becoming, um, becoming that way. We're also seeing some insurance companies.

Yeah, we're seeing insurance companies as well take a real interest in the whole ISAC/ISAO model. And I'm hopeful, um, that, you know, as insurance organizations start to better understand risk, um, we may see some, you know, some financial benefits associated with participation in, in ISACs and ISAOs. So lots of good things happening there.

So Christie, you said one thing that I want to, I want you to talk about a little bit more, and this is an area I think you guys are innovators in, is most ISACs and ISAOs are very classically like focused on their industry and only their industry. Yeah. So for example, like take finance with FS, since I'm so familiar with them, you must fit within their charter member. You must be a bank credit union, or a very narrow list of others that they allow in.

And yet you're mentioning something that, you know, MSPs are a critical cog in the infrastructure of all SMB. That's right. And yet they're kind of kept at an outside and, and have no ability to join all of these. So can you talk to us a little bit about why ISACs and ISAOs need to include MSPs in their threat modeling and their membership decisions?

Yeah, I think it's absolutely necessary because, um, I mean, the adversary is, um, you, I always use this kind of representative example, and I maybe it's oversimplified here. Adversaries are always going to look for the weakest link. And they, they're business people too, right? So they want big bang for their buck.

And we see it all the time where, you know, just at a very simple level, a phish email goes to this port on the west coast, and then we see it go to a port in Florida, and then we'll see it hit somewhere else in the, in the, um, in the Gulf of Mexico. Well, why do they do that? Because they want return on our investment, right? Write once, use many times. It's, it's the same thing we've always done, you know, from a software development perspective as an example.

So I think, um, we have to break these barriers down. We have other examples too, where you would think, well, how could maritime transportation system and financial services be related? Right? Financial services would never, I don't think, understand that they are relevant to us. Well, a lot of the port and maritime critical infrastructure stakeholders that we work with every day, um, actually use financial service providers to handle all of their financial transactions, right?

And we've literally seen vessel impersonation emails, an email that impersonates a vessel owner operator that we see actually also go to a financial services company. So, you know, there again, write once, use many times. We're all connected in ways that are not necessarily obvious. You might think that we would have a reasonable, um, relationship and bilateral information sharing with aviation, right? We're both transportation, O&G kind of the same.

You move a lot of petroleum on ships, right? So those are pretty obvious relationships. But what about retail? What about financial services? What about MSPs? Yeah, really we all need to be connected together. We're solving the same problems, and we need that force multiplier to really have eyes on what the adversary's doing. Christie, I really appreciate you bringing that up.

Uh, just because we, we've talked about critical infrastructure out here from time to time, obviously in the ports, people understand, you know, the, the boats themselves or vessels have critical infrastructure or are critical themselves. I just shared in our chat the Al Jazeera article that, uh, you know, claimed Israel was, uh, responsible for the Iranian port attack. And I don't think many people think about that, that right?

Not so much the vessels themselves, but the ports, the facilities and the interconnectivity of those ports and facilities. It's just funny on how many people don't realize it. So huge. Thanks for highlighting, you know, that financial maritime, unless you're in that space, you, you usually don't have an idea that those are so closely linked. Um, right. Which just sweet to have you here, uh, to be able to share some about it.

I, I'm curious, obviously we've talked a little bit on here about the connectivity. Wes, you and I know that IOC sharing and so, and the threat intel side too was something that, uh, you know, all ISACs at the end of the day play a really important piece. I'm curious, Christie, do you see there being a role with the MSPs interacting, not just obviously with the ports, but being able to drive some of those IOCs and how they might be used? Yeah, I, I absolutely do.

I think that, you know, when we talk about community, community is bigger than just one of us, right? We all need to be connected. And I, I've seen time and time again over the past four years in the maritime transportation system, whereas, you know, let's just use ports as an example.

'cause I think people can understand that very simply, um, as the ports really improve their cybersecurity posture, and they're doing a great job, not just through information sharing in their participation in our organization, but we always say people, processes and technology, right? It's a layered approach. But as they're doing that, the supply chain becomes the weak link, right?

And we're seeing tugboat operators and financial services and law firms and, you know, just everyone who works around the port now, um, being the target because adversaries, um, they want in the door, right? And it's a lot easier for them now to come in through the supply chain or attempt to come in through the supply chain, a compromised vendor who works with the port every single day than it is for them to get in through the, through the front door.

So, um, you know, MSPs are a big deal for us, and they're a big deal for multiple industries, right? And as you know, part of the problem or the opportunity for MSPs, I think is that there's a shortage of resources, right? Um, there's a, an affordability problem and there's really a shortage of resources. So MSPs have a very important role to play, and that role is just gonna increase over time. So it is absolutely critical that we all start working together and we get connected.

And I'm fully supportive of what you're doing here and you know, of, of, of a community forming around this particular group of organizations. So I had, I want to ask a question for Wes. So Wes, um, you, you've been in other industries, we hear Christie talk about, uh, what, what she's done. How is it that an industry that controls so much of SMB infrastructure can kind of be so far behind in this? Yeah. Uh, there's, I think there's, there's a lot of, it's a great question.

And you know, I always say it's better to start now than not at all. True. So I think there's an element of truth there. True. I'm so glad we're at the maturity level now. Like when I first got exposed to MSPs, when Perch really came to market, you know, in 2016, MSPs by and large were not ready for this. They didn't know what an ISAC or ISAO was. They, they didn't understand why they were, you know, why, where the importance came from. Any of those kinds of things.

And there's an element, Gary, to where there's a, like we've talked about the right and wrong ways to do an ISAC, to start one and create one. Yeah, it's gotta be member driven. It's gotta be about the members. And let me share with something, um, and here's an example of this I'm gonna show, I don't know if any of you guys have ever seen like STIX and TAXII before, but this is the, this is really what drives threat intel sharing from an automation perspective.

And I wanna put on my nerd hat for a minute. Like, when you read all of this, you're like, what am I looking at? Like, I don't understand any of this nerd that like standards and, and how this all works. Like none of that helps us at all inside of MSPs.

You know, what we really need is we need the ability for this to happen, just like the small banks that I had experience with, they are not going to be the ones that have like a full-time intel analyst that are producing and searching and correlating intelligence. No. What they wanna do is this, they want to say, tell me about threats that matter so that I can see if I've seen them in my network. And also give me a conduit by which I can share threats that I am seeing out to others.

And I don't have to worry about it being super clean and precise because the ISAC and the ISAO will protect me and my ability to share it and also clean it up so that it makes the right sense to the right folks that are going to get it disseminated to. Christie, wouldn't you say like that's a big need that I think the SMB sector really needs in, in an ISAC? Absolutely. And it, it doesn't take a thousand people.

It takes, you know, a hundred people or five people who want to, you know, get, get things started and are willing to take a leadership role. And really getting the conversation started, getting the conversation started is always the hardest part. Um, and, you know, once you get started, I mean, there's no stopping, there's so much value right from the get go. I always think of, you know, ISACs and ISAOs seems so formal, but think of them more as a co-op, right?

Everybody has different skills and, and contributions and seeing different information and, and situation, uh, situations arise within their own, um, infrastructure. And I think this co-op model is something that, you know, everybody can kind of wrap their heads. It makes it less formal and a little bit more, um, less, I, I, I guess people just understand better, you know, for when you think about, you know, the FS ISAC, it, it's 20 years old, right? Thousands of members.

And if, if you think that's, that's probably the long game that everybody hopes to achieve, but it doesn't have to start that way. Nothing starts that way. They didn't start that way. It just takes a, an army of cyber defenders that really wanna get together and, you know, start protecting, um, their own organization, their customers, and are willing to contribute what they can into the co-op. So, Chris, do you, you, oh, go ahead Gary. I'm sorry. One question that came in. It's a good one.

I think a lot of people are thinking Tim said, Hey, so I, do I need to be part of one of these, 20 of them, 21? Like well, I do, I, yeah, that's a great question, right? Because you guys are all over the place, healthcare financial services. Yeah. So my recommendation, you know, just kind of off the top of my head without really having an opportunity to think about it, why not form one, you know, and, and become a member of the National Council of ISACs like we did.

Because if you become a member of the National Council of ISACs, that gives you 24 ISAC partnerships right out the door, right? Um, and I think that's a, that's, that's definitely something that can be very valuable. It gives you the ability to have these bilateral information exchanges and conversations with, you know, healthcare and retail and, you know, financial services, DOD, all of the, all of the places that you guys work, maritime, here we are. Yeah.

You know, I think one of the things that holds it back, like in our industry is, um, like you said, it has to be organic and, you know, as soon as it, you know, any type of vendor gets involved, it's no longer organic. Right. And literally said the same thing in chat, Gary. It's gotta come the bottom up. Right? Exactly. Uh, or, or it or it has to, we're like, it's not something that could be monetized, right? Right. That's exactly right. It has to be, it has to be pure of heart, right?

That's that's exactly right. And, you know, my experience with vendors is that at the end of the day, they're trying to sell product, right? And, and that's the wrong conversation to have in this community based model. Um, they're, you know, matter of fact, we've gotten to the point where most of our customers throw vendors at us. They don't even wanna talk to vendors anymore, right? They just, they don't, they have a thousand people knocking on their door all the time.

So they just throw vendors to us at the ISAC and we, you know, kind of filter through them and, and try to determine if there is actually an opportunity for a, you know, a vendor kind of partnership. But our board, we have no vendors on our board of directors, zero. And that was very intentional, and that was how the board wanted it. Um, you really want those critical infrastructure stakeholders, you know, participating in this ecosystem around cyber threat intelligence and information sharing.

So, so well said, Christie. And I think, I love where the chat's going to, I think everyone's identifying it's gotta be member driven and member run. Those are the most successful and representation of all of them. If you only have, for example, the largest of MSPs that are running it, you're gonna have a problem down market, right? It's not gonna, not gonna match.

Christie, would you answer this question that just came in from Dennis: ISAC and ISAO used interchangeably, but you know, quickly, what's the differentiation between them? Can you explain that really quickly? So I mean, it, it's, they are, they have the same mission. They have absolutely the same mission. So there's no different in difference in terms of their mission. Um, ISACs have tended to be formed along, um, critical infrastructure stakeholder.

I mean, the critical infrastructure 13 critical infrastructure, um, sectors that are, um, determined by the Department of Homeland Security. So that's kind of how ISACs. Um, but in terms of like cyber information sharing, liability, civil protections, it doesn't matter whether you call it an ISAC or an ISAO, um, those two terms and what they do are really interchangeable. So, I mean, you could call yourself an ISAC, you could call yourself an ISAO, but just settle on one.

I think the ISAC model is much more widely known because if you look at the information technology, ISAC has been around for 25 years. FS ISAC is 20, 21 years old. So people kind of understand that terminology. ISAO has been a little bit confusing for organizations, but the whole idea behind the ISAOs really too was that, um, when the Obama administration pushed out CISA and was really kind of, um, trying to propel the ISAO movement.

It's bringing together groups of researchers, it's bringing together organizations, you know, within a particular geography. It's not always aligned with critical infrastructure. Yep. So it's a more, it's a more flexible kind of dynamic. You know, if you wanted to spin up a community or an ISAO around, you know, all the stuff that's happening with ransomware, or Emotet or, you know, whatever is happening tomorrow, um, then that ISAO model is, is kind of the way to do it.

Where ISACs are really more aligned, critical infrastructure. Christie, I don't know if you saw, but you were alluding to, you know, Rome was never built overnight. Yeah. FS ISAC wasn't built overnight. And clearly the efforts of MSP is not gonna be done that way either. A beautiful case just in case that nobody noticed in the polls. We opened up two polls just showing how, you know, what a little, you know, thing like the cyber call can make a difference.

And how many people before this conversation had never even considered that their MSP and the threat intel generated from that MSP could actually help thwart maybe a nation state attack on something like a port or critical infrastructure, because you are supporting those things. So a huge thanks on that piece there. But if you haven't participated in those polls, please chime in so we could get a better state of what the community's like. Yeah.

Christie, I was just gonna ask, we, you know, you and I talked offline, and I know it was talked about briefly here, Christie, but did you, did you share what percent, give or take that you feel MSPs work with your members? Yeah, so I, I mean, if you think about, you know, you think about ports, right? You drive by, uh, a a major US port, and you see these giant gantry cranes and you know, all this infrastructure and pipelines everywhere. I mean, it's just fascinating.

I absolutely love this stuff. But at the end of the day, there are so many small to medium sized business ports, and even some of the larger ones just don't have that, um, the resources to handle, you know, the infrastructure. Uh, I would say, uh, I would, I would speculate that probably 60 to 70% of maritime ports in the US are probably using MSPs. I mean, easily.

If you look at places like Washington State, I mean, they have hundreds, hundreds of small to medium ports in Washington state, right? You know, I mean, Florida, Louisiana, a lot of water. Um, and you don't just have the coast, but you have the riverways too. There are a lot of small to medium ports on the, on the riverways as well. So, uh, MSPs play a really important role in, in maritime critical infrastructure. And it's a big deal. I mean, MTS is a really big deal.

People tend to think of like, you know, ships at Christmas time delivering TVs and new iPhones, but they don't necessarily think about the fact that there is no petroleum pipeline that runs from Louisiana to California, right? There is no pipeline. All of that, all of that crude moves from Louisiana to California by boat.

And if there's a problem in Louisiana with a port that is responsible for getting that, that crude out within two to three days, there are lines at the pump in California because they have a special blend of petroleum. So, I mean, when we're talking about critical infrastructure, it's more than moving iPhones and medicine and food. It's, uh, keeping the country running and, and obviously there's a huge, um, economic aspect and dimension of of trade in the US as well. Got it.

Well, we, we certainly saw the, what logistics and supply chain look like, you know, just in the past few months. So, Wes, I I just kind of stepped on you, you had a question. No, no, that's okay. Yeah. So, uh, there's, we just wanted to reiterate if you have questions, pop 'em in there. Um, there is one question that came in. Is there any structure in place for MSPs to get involved? And how do we plug in Christie, from your side of the house? I want, let's answer that in two ways.

I want you to answer on your side. If an MSP ever has need of the, uh, what you guys are doing at your, your ISAC, can they get in touch with you? How would they do that?

So, the way we have kind of the model that we've implemented so far, and I'm not saying, you know, we're interested in working with probably MSPs in a more grand, grand way, but if we have a port or a maritime critical infrastructure stakeholder that has an MSP that they work with, or an MSSP, then, um, our relationship would be from a business perspective through the port, but from an Intel perspective with the MSP, if that makes sense. Yep.

So the, the, the MSP would be kind of more of the organization that we work with every single day on threat intelligence, information sharing, you know, bilateral exchange, things like that. But the port would have to, um, structure the working arrangements so that our information sharing agreement and all of the, all of the services and things that we offer kind of, um, go down to that MSP. But we, we do that. We have done it where, so we, you know, we have, we are working with MSPs today.

Um, those that support a, you know, a, a maritime transportation system, critical infrastructure stakeholders is who we would work with. Yeah. Great. And then to, oh, go Ahead. But, you know, we're open to other models. That's just where we are right now. Okay. Um, yeah, and I want everyone to hear that, and then to answer that on like, our side of the fence, just stay tuned. There's, uh, big things that are happening, right. So, uh, just stay tuned for all of that.

Um, Christie, maybe one last question I have for you. That'd be great. If you could answer, can you just tell us like what a day in the life of Christie Coffey is like? Yeah. Um, you know, I know you've had some EMA stuff that have been shared. I'm not asking you to disclose anything from the members specifically, but can you just share what a day in the life of Christie is like? Yeah, it's a bit, it's a bit chaotic on days, but it's always a good day. I mean, honestly, it's always a good day.

And one more thing too is if you guys were to form, um, you know, an MSP kind of ISAC, you know, one of the things that we have is a, a vetted TLP green distribution list, right? Of trusted partners and trusted organizations who are not necessarily customers, but are trusted organizations. We've probably put out about 25, um, TLP green advisories over the past three months.

Um, and, you know, those could be really useful to the MSP community to know what we're seeing and be part of that TLP green vetted community that we have. So there is, you know, you don't know how to start the conversation, right? Nobody wants to, to be the first one on the dance floor. Well, we're already on the dance floor.

And if you come to the dance floor and you have a trusted, vetted community, you know, there's an opportunity for us to work, work together right out, out, out of the chute. You can start seeing some of the stuff that we're seeing, um, a day in the life. We have a lot of information during coming in. It just, it varies day by day. We have some regular kind of rhythm to things.

Um, in terms of, you know, some of our organizations, one of the things that we're seeing a lot of activity right now on is, um, Office 365 and adversaries targeting O365, because they're shaking your heads. So we're really kind of honing in on that right now, understanding kind of what's happening in that space. We've put a lot of, um, energy into, um, some advisories looking at, you know, failed O365 logs and things like that.

It's, it's a bit surprising how much activity there is right now targeting that particular infrastructure. So, um, you know, we get a lot of that kind of stuff. We get a lot of scanning, malicious activity. Um, we get a lot of emails in from our customer base. We, right now we're seeing, um, quite a bit of, of Emotet, um, malware probably attempting ransomware, um, kind of traffic through email. So, um, every day's a little bit different.

And then we get different things in from, you know, the National Council of ISACs. We get different things in from DHS, but I can't remember a day in the past two months where we didn't have things coming in from our customers that needed, you know, actionable intelligence opportunity for us to, um, push that daily share out with indicators of compromise situational awareness or advisories every single day something's coming in. So we're really moving at a pretty good clip right now.

Christie, what is that my high level, that mechanism to go from, I get the information piece, right? Getting it early to getting it to actionable number two. So how do you get from one to the other? How does your organization approach that? Yeah, So I, I think we've, um, because we have some experience with this, I think, um, you know, we have a, we have several operational processes that we're, we're we've put in place and some that we're still putting in place.

Um, you know, our operations guide, we're like six months old now, and our operation guide is probably almost 50 pages every, every, every day. And every piece of information comes in, we try to kind of match it up and align it with our ops guide, but there are always some tricks, right?

You know, if we see something that is super harmful or we think has a wide variety of, um, organizations potentially impacted, you know, we may take a TLP Amber piece of data and downgrade it to TLP Green to get it out to the community and to our information sharing partners, um, DHS, the Coast Guard and others. So, um, a lot of it depends on what it is that's come in, um, what it is, uh, you know, how we need to action it, how big of a deal it is, how wide we think it needs to be distributed.

And, um, you know, we, everything we do, it goes through the first and foremost. It goes through a redaction process where we eliminate and, um, any personally identifiable information from our, that, that would attribute something to our customers, right? That's how you build trust in the community. And that's really, I think, the most important thing. And back to what Wes was saying about kind of a vendor-led ISAC, I think that doesn't work, right?

Because at the end of the day, you're handling sensitive information and is a vendor-led community where you want that data to go? Or do you really need a trusted, neutral third party, right, that can handle the data properly? Um, at the end of the day, I think we're gonna see a lot more ISAC, ISAO community kind of activity bubble up because everybody's trying to get into the big data game, right?

Um, everyone is trying to get into the big data game, but that's where I think ISACs and ISAOs really have an opportunity to shine, because if they're constructed properly, um, that data can be, um, collected, um, neutralized, actioned and, um, and be used appropriately by critical infrastructure stakeholders. Christie, I, I brought up Carl Bickmore. I wanted to introduce him. Carl raised his hand.

He, you know, he's got, um, he's on many councils and, and, and advisory boards throughout the country. Uh, you know, so he has a and Carl perspective. And, and Carl, you, I think you wanted to share just like a little bit about your thoughts and, and, and so I thought it would be a relevant point to when you were just saying that You never know when you might get called on stage. That's what I'm saying here, right? Hey, everybody, how's it going? Love the call. Love the conversation.

This is a fantastic topic. You know, I guess the thing for me, when we talk about, uh, MSPs and the concept of a, of an ISAC and, and, and what we're doing, I, for me, I'm still trying to figure out where is the community behind this? Like, I know, and I appreciate what, uh, what ConnectWise and, and, uh, what end up landing in CompTIA's, um, lap.

I, I appreciate what their effort, the effort they're trying to do, but I, I'll be honest, for me, I'm trying to figure out where the community involvement is. I, I, I guess I just, at some level, wish there was one that was by MSPs and for MSPs. I, I, you know, I feel like, uh, until we get us all participating in doing that threat intelligence sharing together, it's not going to be what we want it to be.

So, I guess from, from my perspective, I, I love that there's effort and energy towards this. I think that there's still a grassroots movement needed here of MSPs willing to say, raise their hand and say, I wanna participate in a meaningful way. I wanna begin sharing threat intelligence.

Now, I think there's a lot of providers and tools that we can leverage in that process, and it would, it'd be great to get backing, but I would love to see it led by MSPs, not by large organizations, which, you know, I love and work with, and I'm happy. Just, I think it would be better if we ran it for ourselves. Yeah. And I agree.

And the thing about it is, and this is the hard part, the role that vendors should play is if it's neutral, uh, you know, they have the audience so they can help promote something, but no one of them will do it if they feel like it's gonna be used by another one. So unless it's completely organic, 'cause that really is also part of it, right? Wes, you want vendors to help be an engine for the right reasons, right. To build, you know, to help they have the Yeah. Shortest route to people.

So it's very, like, you have to get it just right. Well, to that you do. And, oh, go Ahead. Yeah, sorry. Go ahead, Wes. No, I wanna hear from you, Carl. Well, I said to that end, you know, I applaud that ConnectWise was willing to, to originally get involved in something and then, and then help it find its way to CompTIA and, and CompTIA has a level of vendor neutrality. I just feel like they don't have the pulse of the MSP space like so many of us do.

And I welcome them participating, and I welcome anybody. Look, here's the thing. If we don't have people from all sides of the aisle involved in something like this, we're cutting off major streams of threat intelligence. And if it's not practical and meaningful to the MSP, which I think is only really doable from our own voice, um, then it, it, it falls flat. So that's the fundamental issue I have with it. Um, You Wanted to turn to you I can you Yeah.

Can tell you just real quickly, I, I'm not aware of a, of a, a vendor-led ISAC or ISAO that has really been successful, I think, um, think I can tell you something Failed. Uh, Yeah, exactly. I mean, that's right. What's that? And the thing is, I mean, who has the energy to put into something that's not really gonna work? We don't have the time and we don't have the energy, right?

And, uh, one story I love, this is what got me really excited about community seven years ago, was working with, um, a major, um, oil and natural gas producer. Okay? So big organization in Houston, you could probably figure out who, and the way their community actually started was a, a not quite virtual way of this. They, they wanted to start kind of understanding what adversary, what threat activity each other was seeing.

So they met for burgers, um, every other Friday, and that's how they kind of got their community kicked off. So I think, you know, seven years ago, burgers on every other Friday was how threat sharing actually happened. Now, you know, you have this call here and you have a whole group of stakeholders who are saying, yeah, we need to do this, so you need to do it. Yeah. Excellent. Um, few Questions. Christie, how are you on time? Just real quick.

Uh, let me do, check you, I know you have something going On. I do need to, I need to leave pretty, pretty soon. Okay. Let's, let's just wrap up, you know, uh, just a few questions here just to see, um, if it makes any sense. So, uh, does Perch so I can, I can bring that up after. Where do you feel, uh, okay. Where do you, yeah, can we have Carl elaborate on that one a little bit more? You know, Carl want, you're the one, you're the one, MSP that's here in this video feed. Right?

And if anyone else wants to raise their hand and join, yeah, we'll bring Adam in. But Carl, what do we, if for MSPs, what do they need out of this? What are the core requirements to make this thing successful? Well, so I think it needs to be led by MSPs. That's the simplest, simplest piece. I think that there needs to be, uh, you know, a formal organization.

Um, there needs to be people that raise their hand to wanna participate in leadership as well as, um, take on on duties and helping put it together. The reality of it is, is if a lot of people pitch it, it actually won't be, uh, many people make the workload light, right? That's right. Um, but it's just a matter of focusing and, and, and, uh, putting together some leadership on that.

So for me, I welcome an open call the industry to, to, to think about, oh, a group of people we could put this together with. And once again, the other thing I think to be successful is we want participation from people of all walks of life that are in this space. Uh, I think without that, uh, we, we lack visibility that we really, we really could use a need.

Um, you know, as far as, uh, beyond that though, I mean, uh, we'd have to come up with some infrastructure choices that we'd need to make. We'd need to put a few things together from, for the formal organization, but I, I know some people that have done that before, you know, so from, from my perspective, it's just a matter of, uh, of getting some people together that wanna do it and reaching out to those resources that have a little experience in building it. Yeah, that's Good feedback.

And don't wait. Don't wait. Yeah. Yeah. Christie, I know you're short on time, but this was really valuable, um, really important topic. And, uh, hopefully this is something, uh, you'll be able to check back on and see that this was the start of maybe something good in our industry. I know, and you guys didn't even realize we're related. Maritime and MSPs we're all related. Yeah. Seriously, I, I mean, anything that I can do to help get you guys moving in that direction, let me know.

You've always been. Chris, thank you for joining. Okay. Bye guys. Take care. Take care. Fantastic. I, I think anything The crowd might've realized, there's, uh, quite an opportunity in supporting, uh, you know, important maritime efforts, uh, because they are, I know The Old mm. SP, maritime managed service provider. Hey, so now that we've got six screens, you know, Calvin said, Hey, uh, there's no ba basically like kind of saying like, I guess, uh, where, where was it? Here?

Calvin's, like, hosts are vendors external. I, I think he means about, maybe this, I'm not sure, but, um, we can, we can bring people up here now. So, hey, if you wanna raise your hand and talk a little bit about, you know, what you'd like to see, um, you know, or, or just your comments on threat sharing, et cetera, you know, this, this would be great. So, um, uh, anyway, just real quick, uh, we'll, we'll keep, if someone can keep an eye on, say, raise your hand.

Um, Wes, um, there was a question on, um, and you might answered it, but, you know, I got, I I, I'm, I've been fascinated with Perch for a long time. And, and again, we're, we're not doing the, the question came up so it's not a sales pitch. The question about, so you guys intersect with all the major ISACs, correct, Wes, so whether it's most Of them, Right? So it's really cool to see how you might be working with an MSP with a bank focus.

And, you know, previous to you guys coming on the scene, it would be like, of course they'd be involved in the audit by the fsi, uh, by the F-F-I-E-C. And one of the controls they're gonna ask about is threat sharing Fair, I think, is it domain five or something like that? Yeah. So, you know, yeah. Quickly without, again, turning it into like the old classic, uh, nerd talk again, right? Um, the, the answer is this, is that, uh, yeah.

Uh, financial services are probably the most mature around threat intelligence sharing in terms of the regulation landscape, kind of circling it. I'm not saying they're the best at it, but I'm saying they're the ones that the examiners actually understand this. I've spoken personally about DHS and FDIC about this specifically, and they are very finely tuned. You can see it in the cybersecurity assessment, uh, tool that they use the CAT from the FFIEC.

I'll post a link in a minute if anyone wants to see it. Um, the challenge that banks and credit unions have is, how do I do this in a way that scales to me, right? When you get 200 emails that come in every day, you can't do anything with it. And that was one of the reasons I joined Perch, is, you know, I'm sitting here hearing loud and clear from all these banks and credit unions. Like, I feel like I joined FS-ISAC 'cause I got forced to, uh, that's not good.

That doesn't help anybody, right? And they just feel like it's a black hole that they can't get out of unless your name is Bank of America, what are you supposed to do about that? You, you don't have the team to handle all that. And so I can tell you from my perspective, this is something I'm really passionate about because I've seen the power of the community. This is what MSPs are actually really, really good at.

Go ask Gary Pica, you know, what he's done inside of TruMethods for the longest time communities. We understand them really well. We just need to add to that, like Carl was talking about, cybersecurity is a layer on top, and there's, again, there's a lot of right ways we can do it. I, Carl, I'm with you. I think the members should dictate that the members should speak, and the rest of us should say we're gonna follow along and support that. I totally agree with you, Carl. Yep. Cool.

And another great point, like it can't be like most things where it's the same 20 people and maybe they're the biggest this or big, it's gotta, like, you gotta have representation of all aspects, right? Of where people are in this industry, and a lot of the ones that need to be part of it and representations in the normal world aren't the people that are, that are involved with a lot of these things. So I think, uh, Carl, great point.

Some thoughtfulness, uh, has to go into what that would look like. Yeah. So there was a question out there. Sorry, join. Hey, Raffi, join late. How does this differ from CompTIA efforts? There's, there's no, there's no difference here, Raffi. We, in fact, the irony, I had this scheduled up before the CompTIA announcement, uh, in MSSP alert just the other day.

But, um, threat sharing is something that, um, I've been involved with for, you know, in several years now since, well, three years since I've been working with Perch. And, um, when I was at ConnectWise had the early filings of their, uh, ISAO. So, um, it was just to bring up a point, uh, and I hope that makes some sense. So, uh, again, threat sharing isn't something that MSPs do today. Um, it's critical.

You know, imagine if you knew hypothetically you're running an RMM to, to be named and that any RMM and we know that there's a specific threat directed at that RMM, wouldn't it be great to let the 5,000 other people know that run that RMM the exact same way that that's the whole thing And there's nothing designed that way today. Correct. And announcements, it's not designed that, not designed in a way to be able to get, um, a uniform kind of acceptance, right?

Because there's issues and, you know, just, yeah, I mean, you know, Gary, including, what did you say, rule number one, no vendors on your board? Yeah, I mean, here's the thing. Uh, if there's a problem with a vendor, a security thing has been found, they are not always forthright about it. And MSPs need to know when a problem is identified. I mean, that's a fundamental reason why there's a conflict of interest for a vendor and a board. It just, just is what it is.

If they can vote down something being ha something happening, so it's to their advantage or, uh, you know, helps them with a competitive issue against another vendor, you know, we, we can't be having that conversation. We need to stick to what security and what helps, uh, MSPs protect our clients and themselves. Right. Very good. Hey, um, just one thing, um, I forget who said it way earlier on, but there was a mention of MITRE ATT&CK. Just wanted to make a reference.

Next week we're gonna have CIS here, center for information, uh, center, gosh, center for Center for Internet Security, CIS here. Um, they're gonna be talking about how they've simplified the CIS 20 and why I mentioned MITRE. What's really cool, guys, um, I was, I've been on several calls with them for the past few weeks. Tech, this is really wild. They're, so, they've broken it down to basic foundational organizational, where the controls fall.

So if you're at a basic, you implement the basic level of controls, like these five basic controls or six basic controls. I forget they rejiggered it even, it used to be six. But what they do is they've mapped it over, how cool is this? Wes, check this out. They've mapped it over to MITRE on the threats for the past, the top threats for the past year. And then if you implemented these controls, it shows you specifically what percent of threats, these top threats. That's cool. Block.

Exactly Gary. And then you could go to, you know, talk about a challenger sales methodology, right? Imagine being able to block these 68% well, that if we put these next set of controls and it made you foundational. So that's where they're taking it. And they're highly interested in working with the MSP community. So we're gonna be bringing them here next week. So really excited. And oh, by the way, there was a comment, Hey, there's a woman, there's gonna be another woman.

Phyllis from CIS is joining us. And, uh, so cool stuff. And we'll eventually have a lady by the name of Ruit from, uh, who's, uh, a red team pen tester expert on, so we're, we're Wesley and Gary even challenged me and Kyle May even actually, I think Kyle did. It's like when you get us some women on the, on this program. And, and so we are going to, uh, we're gonna start doing more of that. So any, any closing thoughts, comments?

Carl, thanks for coming on and, and giving your perspective on things. I know you're somewhat bashful about doing that, and, uh, but, uh, Wes we'll start with you closing thoughts? Yeah, closing thoughts. I mean, I'm, I'm just, I am so excited to see where we're at today compared to three years ago. The fact that we can have this conversation, the fact that MSPs are not just saying, I agree, but they're saying, how can I help? How can I join? How can I be involved?

And ultimately to me, yeah, Kyle, I was gonna say that. How can I lead it? Because that's what we're looking for, is MSPs gonna take that flag, that banner and say, I'm gonna lead this thing because I'll tell you this at Perch, I will commit Perch. And Kyle, I'm sure you'll say the same thing. If you lead, I will follow, uh, I will follow your direction where you want to go as an industry. And I think that is so important to making this thing work. Very cool. Uh, Gary?

Yeah, Andrew, um, first off, another great job, uh, today, right? Bringing interesting people. Timely. And I think that, uh, I think this is, this is a program number 14 that I think we're gonna look back on at some point in the future that maybe we can start to implement, um, something organic, something good will come, uh, you know, from this to make a, you know, to make a difference. But, uh, I, I agree.

We're so far, we have so far to go as an industry, but we're so far ahead, you know, even compared to a year ago. I know the time that I'm spending with my community now to get them really focused on this and, uh, like, so we're, we're getting, there's a spark there, right? Yeah. To protect MSPs and protect our customers. And, um, uh, really good, really good stuff today.

Well, To, to that point, I, you were kind enough to bring me up to Philly before COVID a year ago, and I got to speak to your members and, you know, I, I, some of them call me or talk to me now and, and the conversations are radically different. So great job on how you're maturing your MSPs. Um, Kyle, thoughts and closing comments? Yeah, so there's a lot going on. I remember when myself, uh, Aaron Riggs and Wes got together, uh, with my co-founders at, I guess it was in IT Nation a while ago.

And we said, how can we put the security community in control of the MSPs? And we joked about it years ago, and Gary, this is gonna be the episode where we look back and say, holy crap, it came together here today I'm most excited about. Like, no offense, I don't, I got invited to join CompTIA's advisory board. Anybody who knows me knows that's not the stuff that I'm excited about on cybersecurity. Like, advisory boards are not my jam.

I like to do not talk about doing, but I realized that was, um, my way to be able to dramatically influence. And I would say for anybody out there asking about that TSP ISAO thing, it is yours for the taking. There's money behind it, folks have put cash behind it. You should vote yourself in, you know, as a community, take control. I'm all about the hostile takeover type idea. You should absolutely take control of the ISAO it's there for you.

And even if that isn't the end all, be all, you know, maybe it's version 1.0 that then, you know, gives birth to 2.0, we'll figure it out long term if we break on it and iterate on it often enough. So for everybody out there, I'm just really excited to see like this is the beginning of something probably much bigger. Uh, what's exciting is when you are part of an ISAC or ISAO whatever it is, you now get the credibility that allows you to collaborate with others.

So think about that future headline when it says, MSP ISAO enables the finance ISAO to protect against some threat targeting small business through payment systems, or protects against that port because that is where we will hit if we keep this, uh, momentum going. Yeah, absolutely. Carl, any thoughts from you? And thank you for coming on. Yeah, no problem. Uh, look, here's the deal.

There's been plenty of times where we've come across something that we would've been willing to share, uh, had there been good resources and places to do it. We also love places like MSP Geek and other Facebook groups, but I feel like there's a lot of fractured communities that have different bends and different focuses and different vendors that they love and hate. And so, from my perspective, I guess I'm just looking for more of a neutral playing ground.

I love my vendors, uh, and I'm very happy with them. That, that being said, I think when it comes to this, I'd rather a very wide community. So from my perspective, I'm, I wanna know people on this call. Are you ready to participate? Are there people that would join me? I would be willing to raise my hand. I just want to know if there are other people out there because, uh, if, if it's something that we want to do, I'm for beginning that organization and figuring out how to do it. Yeah.

And I can tell you this, we will end with this. You know, Andrew, I work with many of the vendors, right? Yeah, of course. Um, have a positive relationship with, with most of them. And I, I know for a fact the majority of them have reached a point where something designed in the right way would get a lot of support. Yeah. The right thing will get a lot of support. I, there's no doubt in my mind because they wanna protect their businesses too. Yeah. So, um, and, and their customer base.

So, uh, that I'm sure of. Well, excellent. Well, gentlemen, uh, and Christie and everybody out there, thank you so much for your ideas and, and, and thoughts and, you know, continued support. Um, something good out there, Carl. Oh, My ex solid joke right there. Oh, okay. Carl, is that, is that guitar behind you a Seagull? Uh, it actually is. How did you know that? I recognize, I recognize the Headstock on it. Nice.

I, by The way, I'm here, my temporary office guys, I'm our new one's still in construction, so I've got things all over the place. But yes, couldn't go without my guitar. Nice. Last thing I'll say is we kicked off the, um, cyber trifecta today. We've got 144 in the Capture the flag competition. We've got 640 some odd total, I think 500 and something total register, maybe six, close to 600.

So if you're not registered tomorrow, Wes, Gary and David Powell speak at one o'clock on a standards-based approach to managed security. Tuesday, uh, Wednesday, uh, hunts has brought on John Hammond and the guy is a rockstar. Red team. Capture the flag, um, uh, expert. And then Thursday at one is gonna be Kevin Lancaster from ID Agent. So, um, love to See you. You don't wanna miss us. Wes and I are saying with David, all your dreams will come true. That's right. We promise without fail.

All right, everybody have a day. Thanks again. Take care guys.
