Right of Boom
January 30, 2025

August 17th, 2020

In this video, cybersecurity experts Phyllis Lee and others discuss the importance of implementing cybersecurity frameworks and controls, particularly for Managed Service Providers (MSPs) and small to medium-sized businesses (SMBs). They delve into the challenges these organizations face, such as resource constraints and choosing the right security standards to follow. The conversation also touches on the potential for federal regulation in the space and the role of MSPs in enhancing cybersecurity for their clients, emphasizing the importance of proactive measures and community collaboration.

- Phyllis Lee from the Center for Internet Security (CIS) spoke about the importance of the CIS Controls, which are a prioritized set of actions to mitigate cyber threats, supported by 171 sub-controls or safeguards.
- The CSAT (Controls Self-Assessment Tool) allows organizations to self-assess their implementation of the CIS Controls, and there are discussions about developing a multi-tenant version of this tool to better support Managed Service Providers (MSPs).
- Implementation Groups, especially IG1, were highlighted as a practical starting point for organizations to address basic cyber hygiene, which includes 43 sub-controls that are considered essential for all organizations.

Guests

Andrew Morgan

Video Transcript

All right, everybody. Week 15 here on the cyber call. We have got a very, very special guest today. Phyllis Lee is with us. And by the way, this is the second week in a row. We have a female guest on the show, Phyllis, so this is very exciting. You're break, we're breaking the mold here at the cyber call. Um, I'm gonna have Phyllis tell, um, a little bit about herself, her background, about CIS momentarily, um, before Andrew. I'm a little starstruck today. What? By me? By Phyllis. Yeah.

It's exciting. Yeah, no, it is. You know, uh, having CIS with us is awesome and, and a, and a real, real honor, so thank you Phyllis. Um, okay. A few quick announcements. Um, number one, and I'll put a link in there. The Cyber Nation is live; think of it as an extension to the cyber call. Um, it's an ongoing community, a platform. You're gonna see all your favorites in there. Um, there's a lot of sharing already going on top.

MSPs, MSPs, security practitioners, I'll put the link in there momentarily. And then on September 22nd, we don't have a link yet. But as a follow-up to what, pointing here to my Brady Bunch, Wes and Chris did, uh, with True Methods and Gary, we did a tabletop exercise with them on an MSP breach. Um, Chris has just a few, uh, experiences with those, unfortunately, and we're gonna do a follow-up event to that, where we're actually gonna go through how to create an incident response plan.

Oh, Really good. Uh, and I gotta tell you, Chris, awesome. We, the feedback has been just so awesome from just in general, our community, um, about what, how valuable that was. Uh, really, really great. Appreciate That. Yeah, absolutely. Thanks. Absolutely. And by the way, that's some of the stuff that we've already got linked to, uh, out in the cyber nation. So let me do that. I'm gonna put that link in. And then, while I'm doing that, um, Phyllis, let me let you introduce yourself.

Um, a little bit about, I mean, I'd like to spend the, you know, a whole half hour on you 'cause I think it's just so fascinating. But, uh, in interest of time, yourself and your background, and, you know, who is CIS? Not everybody knows out there, so I'd love for you to kind of give it a little background of the Center for Internet Security. Yeah, sure. So, um, thank you for the opportunity to be here. My name is Phyllis Lee. I, um, had 25 years of federal service at the National Security Agency.

I spent the welcome my time in defense doing, um, security evaluations of COTS and GOTS products, as well as pen testing. I, um, did a lot of work in security automation standards, and I've been at the Center for Internet Security for almost, um, two and a half years now. So what really attracted me to CIS was the mission. We have, um, a really, you know, prescriptive set of actions that all organizations can take, and we provide that content for free. So I, I love that.

So, CIS is a nonprofit organization. They have what I would say, two sides of the house, the MS-ISAC, which, um, you guys had that ISAC and ISAO, um, talk call last week, which I, which I, which I, um, watched and I thought went really, really well. Um, so, um, an ISAC, uh, for the multi-state. So state, local, territorial and tribal governments. They provide threat indicator sharing, um, incident response, et cetera. Um, just quickly underneath the MS-ISAC is the EI-ISAC, the Elections Infrastructure ISAC, after the 2016 elections.

Um, you know, that organization stood that up. That is, um, that was created and is maintained under a cooperative agreement by DHS. So in some sense, that is an extension of the federal government. On the other side of the house is where we work security best practices. Um, we create best practices for organizations. We create configuration guides or benchmarks, as well as, um, the critical security controls.

So the nice thing about CIS is you've got offense informs defense. You can take operational data, um, you know, get those nice summaries that an ISAC and an ISAO can provide for you, and you can provide that kind of guidance that hopefully is attainable for all levels of organizations, the small ones, as well as the big ones. So there are 20 critical security controls supported by 171 sub-controls or safeguards.

And those should all be, you know, hopefully, um, all, um, implementable things organizations can do. While for sure some of them are more complicated, we have come up with a prioritization scheme called implementation groups to help smaller organizations really onboard onto the controls and implement a cybersecurity program. Thank you for that intro, Phyllis. And I'm gonna put a link, uh, a few links in there.

Um, first off, um, I'll put a this, you're gonna on Kyle, this, I'm gonna hand to you to talk a little bit about what CSAT is for those of, of the people that don't know out there. Um, and maybe, uh, get a little familiarity with that with Phyllis. And, uh, I'll move on to Gary and Wes for a few things after that. But I'll let you take it from here. Kyle, Andrew, We crossed over 2000. All right, big news, big news. Um, Kyle, 3000, Here we come.

So I think we saw, everybody saw the poll that's out there, but in case you didn't write, we're asking, you know, who's using CIS controls today? And with that said, Phyllis, you know, obviously this is our first time meeting together. I tend to be one of the saltier ones, especially on security coming from a fellow background at NSA.

Um, and when it comes to, I guess, both frameworks and guidance, I tend to be of the type that we, we generally know that, like, um, at any manufacturing service, I made a joke the other day on, on Twitter about general contractors. If you don't have some sort of guidance and some sort of trust, but verify, you'll have general contractor Jimbo out there cutting every corner to build a cheaper but more dangerous house. And I kind of feel the same way about frameworks at the same time.

Like, yes, frameworks can help guide MSPs and they're a good starting point, but with the, without some type of external validation, you know, frameworks are just guidance. And I think what I'm really excited about, uh, you know, CSAT, for those that aren't aware, CIS actually has a whole framework that's for assessing your implementation of your controls. So that's that whole, yeah, we trust you, you've done it. But let's verify some of this.

And so I'm curious, you know, you coming from the, I guess, defensive side at NSA where we both closely collaborated. Uh, tell us a little bit about what's in CSAT, what's new with it. You know, our audience largely probably doesn't know CSAT is even available for them. So I, I would love to kind of dive into that a little bit. Um, you know, over the next couple minutes what it is, how it can be used. Sure. So CSAT is, um, the Controls Self-Assessment Tool.

It's a free web app, um, that anyone can use. It allows organizations to just do that, self-assess on how well they implemented the controls I talked about. Um, so some features of CSAT, you can go in there, you can delegate the questions to other organizations because we all know, um, big and small organizations, there's not one person who's gonna know all the answers. Um, you self-identify as to what vertical or what kind of organization you have.

So, um, that CSAT tool does allow you to compare yourself against your peers. Um, so you can, you get an industry average and you're only compared against your peers. It's not fair to, to, um, compare, you know, some small county to, you know, a big state like New York that's more mature. Additionally, um, it allows you to, um, self-assess over time. So often organizations are doing, um, a Microsoft Excel assessment, and that is very cumbersome.

Um, I always joke that Excel just brings my machine down towards me. So like every time I open it up just to look at my own frame, you know, the controls and all our mappings, um, it is crazy. So the nice thing also about CSAT, it's a way for you to track your implementation over time. So what you'll see is graphs on how you're performing over time. And I do wanna say, you know, it also is compatible with implementation groups.

So we did come up with a new prioritization scheme called implementation groups. There are three implementation groups. It's based on the data an organization has to protect as well as the, um, the resources they have to, um, dedicate to IT and cyber. Um, our ongoing assumption is small, medium enterprises do not have any resources to dedicate to IT or cyber, which is the exact reason why I am here and excited to be here because we believe, you know, that they're going to MSPs.

And so, um, implementation group one is, um, comprised of 43 sub-controls that we are calling basic cyber hygiene. And we believe any and all organizations can and should implement. And I will say I have talked to big Fortune 500 companies who also like the IGs because everyone, regardless of your size, needs to know how to, um, prioritize their resources. Not everyone has a ton of funds. So people need to know where am I gonna get the most bang for my buck? How should I be spending my dollars?

And so we are recommending IG1 and CSAT is supporting that. So you just self-select on what organization you are. And, um, and then only those controls and sub-controls, uh, that apply to that, um, implementation group, um, show up in the tool.

So I, I, I won't hassle you any longer, but I, I do know that, uh, you know, a lot of our audience we've talked about, like CMMC, uh, yes, NIST 800 flavors as well as, uh, I, I guess, you know, mapping things sometimes back to like the MITRE ATT&CK framework. Yes. Um, CIS has done quite a bit to try to get more and more of their controls mapping to the MITRE ATT&CK framework as well. Does CSAT do that right now or does it align to any framework, like, you know, for instance, NIST 800 or? Yes.

So, so CSAT does provide a mapping at the control level to NIST CSF, ISO and PCI. We are working on right now an update to the tool to do it at the sub-control level, so it maps better to implementation groups. So currently, if you were to go to our webpage, I can, I can put the URL in there. We do have mappings, not within CSAT, but just from our website, that's free, to, um, ISO 27001, the -53, the -171, um, uh, CMMC and MITRE ATT&CK as well as, um, PCI. So that's acronym soup.

But it sounds like probably right up this audience is, uh, you know, alley, I'm, I'm sorry, I'm former government. I talk, you know, like I pronounce almost any acronym that you give me. It does not have to have a vowel. I can, I can pronounce it. So Andrew, I know you guys just did, uh, a presentation on some of this standard-driven approach, and you've got some questions in the audience about multi-tenancy for, uh, you know, CSAT.

I, I figure this is a perfect opportunity for you to kind of segue into that, that, Yeah, no. So, um, Phyllis, uh, a few things you said, uh, that I love.

Number one, you said that you take into consideration that SMB really doesn't have any resources and, um, no offense to NIST, um, I think they produce great documentation, but just to hear you say that, and that the NIST small business corner and CSF is all an SMB needs, um, honestly is music to my ears and hopefully everybody else's ears out there because, uh, it is a very intimidating doc overarchingly to most small businesses.

Uh, the other thing that you and I have talked a lot about in the last four weeks is, hey, what if CSAT was multi-tenant? And we're going to get there, but I just wanted you to know that I put a poll in, and that already came up in chat as Kyle caught and I did too. So I am gonna throw it over to Gary and Wes for a little bit. But Andrew, this is great. It says, like, you know, 75% of people said, no, not using CIS, but a hundred percent want multi-tenant.

Yeah, no, I'm not using it, but I would like additional features. Isn't that, that's why I love our community, Gary. You can't, you know, um, so I'm gonna put a URL in, but, um, Phyllis, when you said you love standards, I like wanted to pick up and go, can I just, you know, dial in Gary Pika, because I think you guys are gonna have a phenomenal conversation. Um, Gary literally built his MSP on standards. He's built an entire business model around standards.

So Gary and Wes did a, uh, uh, presentation just this past week on it, and it was rave reviews along with David Powell, who's in the audience as well. So I'm gonna put that URL in. Anybody wants to see it, but Gary, let me let you take it with Wes. Yeah. So, uh, Wes, we had some fun, you know, talking about this. So we really is a great lead up to having Phyllis on, you know, uh, today.

And Phyllis, one of the things that we're trying to help MSP solve is, um, a lot of them don't know where to start. A lot of times it's cybersecurity and, um, they, um, they need something that they can, you know, to grab onto. So we believe that standards is the way, and certainly we put CIS high on that, you know, on, on that list. But as you watch organizations implement this, what are some of the biggest challenges?

Is resource the biggest challenge, or, or what would you say the biggest challenges are to get people like moving in that direction? That's funny. I just was on a call actually with, um, a state that was trying to get their smaller organizations. So I think, um, number one is, uh, resources and then where to begin, right? And I think the lack of resources that lack of knowledge feeds into, I don't know where to go first, right? And so that's, that's common feedback that we get.

And it's like no one wants to sit in an all-day training class to learn about all 171, you know, controls or the NIST CSF. It's very intimidating. Plus everyone, as we all know, is very overworked. Can we spare those resources? They already have a day job, all these kind of things.

So that's really, you know, one of the main reasons why we came up with, um, implementation groups and in particular, IG1 was because it really is, it's 43 practical implementable, um, safeguards or sub-controls that any organization should be implementing. So, um, I believe strongly in a baseline versus here, do this big framework, it's gonna help you. Um, you really need that prioritized list of things to do. And then minimizing it, I think also is very helpful.

Um, even just, um, taking a survey, looking at CSAT, you know, 171 questions, that's intimidating. People are like, oh, 43 questions. You know, just even knowing that I only have to answer 43 questions to see how well I implemented something is a relief to many organizations. Wes, you like to say, you know, you're trying for a hundred percent and never get there. What can we spend time on, right, to make the most impact? Right? And that kind of lines up with, with this, doesn't it?

Yeah, it, it does, it does line up. And, uh, one of the questions I had for you as well, Phyllis, is, you know, something that MSPs say a lot, and it's not just MSPs, it's also like SMBs as well that are struggling. Like take a bank, for example, they have their federal overlords, right? FDIC, SEC, uh, one of those that, that have some kind of governing authority over them, and sometimes multiple. Yeah.

Then you have like really good like industry-neutral standards and, uh, groups and agencies like CIS and others. Um, a lot of times we feel in the SMB sector that, that you almost wish you could just have one standard to rule them all, but we can't. Right. And, uh, you know, what advice would you give to an SMB that's struggling with that? Really trying to understand, do I, do I take 'em all? Do I pick one? How do I be the most effective? What would your advice and thoughts be?

So I do believe that you really do need to have that baseline, right? And, um, I think that, uh, risk assessments are very costly and expensive and hard for organizations to do, which is why, you know, one of the things that we did was map, um, the controls at the sub-control level to, uh, the MITRE ATT&CK framework. What that allowed us to do is then really determine the security value of the control.

So in my experience, it's not that organizations want to know that we, that this control can save you against, you know, some kind of tactic or whatever. It's more like, what are the, what are the attacks, the top attacks that my organization needs to care about, and how is it that I either get tooling or do something native, uh, in my environment that I can do to prevent or thwart that attack?

So, you know, I'm hoping that our mapping to the MITRE ATT&CK framework allowed, um, organizations to say, Hey, you know, um, CIS did this work. They mapped against, you know, the 2019 Verizon Data Breach Report, top five attacks, and, um, IG1 can mitigate against all via the tactics. And so I, to me, that also is really the benefit of an ISAC or an ISAO, right?

So if the MSP were to have an ISAC, the ISAC is there for you to say, Hey, these are the top three attacks that we believe MSPs, um, are subject to. Here's a framework, whichever framework, you know, that has mapped to whatever, we've done the work. And these are the top five things that every MSP can do to defend their network. So I think that would be, uh, amazing, um, you know, for organizations, uh, to have, 'cause that's what they wanna know, right?

And so then if, um, MSPs are implementing that, um, on behalf of SMBs, that's huge. That's huge, right? So you look at the, if you go to the Small Business Administration where they, like over 90% of, um, businesses in America are small, medium businesses. So if we could actually get them, get the MSPs on behalf of that huge population of organizations to implement these defensive measures, that's huge. And that's huge for supply chain, right? So, you know, CMMC is a beast.

If we could point to MSPs, uh, to show maturity, that would be huge. And a follow-up question for you too, right out of that, is if we can get to that point in our industry to where we're actually producing and communicating where the SMB sector truly is and where the gaps are and where the resilient strengths are, could we potentially get that out to the federal government in a clear communicated way that they could actually provide assistance?

Right now, I feel like we don't really truly understand where the entire SMB industry is at. You might be seeing industry gaps here and there, but I would love for us to use this as a mechanism to pass unified security posture standings all the way back up to the federal government so they can have awareness for their first time. What do you think about that? I think that is a great idea. I really do.

So, you know, there's USTelecom, USTelecom right now is trying to help the MSPs, you know what I mean? Like, they are looking for things to do. Same thing with GAO, GAO is updating their cybersecurity. How do we audit, right? So you wanna get it to the auditors, small medium business administration as well. So, um, I think these are great opportunities. Um, for MSPs. We would, CIS we would love to help you, um, with that, uh, to try to help with big government, right?

So sadly, regulation is, um, people hate it, but it is a way, it is a forcing function, and it also is a way to get aid, right? It's also a way to get help. Um, and also a way to say, okay, these are the things that we care about. These are the things we want auditors to care about, to help alleviate perhaps some of that burden. And to help all organizations show progress. It's hard to show progress against a report card where you're being graded against 200 things.

It's much easier to show progress, you know, when you're getting graded on a smaller amount of things. It's, it's, um, and that it, you know, if it's prioritized. So I think it's important to try to bring those things together and having that prioritized, Hey, we're subject to these kinds of attacks. This is what we need to defend against. Backing that by data, I mean, I think that's huge. Yeah.

What I would say to that, and uh, Gary, I know you had something here on, on a con, you know, the, the, the box and the blob, I wanna get to that. But Phyllis, um, you know, one, the ability for us to give the MSPs out there, Hey, this is, if you're IG1, you're gonna protect yourself against these top attacks, right? Mm-Hmm. Based on the Verizon Data Breach Report.

I mean, first of all, we've talked a little bit about this, um, maybe at some point we'll get into it if people want it, but there's something called the Challenger Sale. Um, and it's a sales methodology. And, and certainly I can have Gary talk more about that, not right now, but you know, it, it, it allows the MSP to push back a little bit and to your point, not make it about a specific control, right? Oh, here you go.

Again, trying to upsell me it's, look, here's the security posture of my clients. And Gary, this is gonna tee it off to you because this is where you come in, right? This is how our clients look. Here's how you look. Is it worth, you know, five, six, $700 more? So with that, Gary, let me turn it over to you for kind of that next Piece. Yeah. So, in a simple way, Phyllis, there's a business issue that MSPs have to solve, not just a technical issue, right?

So I call it the box in the blob, like your box is your standards. Okay? So whatever that is today we're talking about CIS and the blob around that is every customer's environment, we're trying to push 'em inside the box because we know when they're in that box, that's the best investment. The securest, they're gonna be, right, the most productive.

And, you know, I probably have drawn that box in a blob in front of 1500 customers when prospects, when I was a, you know, when I was an MSP, 'cause I have to go out the prospects and customers, and I have to get them to make the right investment in my monthly fee, or I don't have the resources that I need to be able to do the continuous, uh, you know, alignment.

And so on this call, we're trying to make people aware of security, but also we're trying to have them understand how to operationalize things in their business. Because we see that when you look on here and you see that 75% of the people aren't using CIS Phyllis, that's the reason why. So we're trying to help 'em to get in a position to say that the box is the starting point. Otherwise, if you have 30 customers and no box, you just have 30 blobs. And that's pretty blobby. Does that make sense?

That makes 100% sense. I really, I really like the way that you put that as well. I appreciate that, Gary. Um, maybe, and, and the, the last piece I'd like you to touch on if we could, is I, I love your, your, and I think you said this in the, uh, recent thing with Wes is you said you don't get more secure by investing less. So can you tell, you know, you right now you talked about the, the MSP side of the business, getting 'em in a box, getting 'em in a standard.

But can you also give the SMB side of it as well, because you sat around, like you talked about with a bunch of friends during COVID and had a conversation and these guys own SMBs. Yeah. Realizing they're not secure. So Andrew, we, again, we gotta figure out some way we have to have just to go to a customer and say, look, we want to be more secure. Or we go buy a tool and say, oh, I bought this tool. I'm gonna implement this tool and raise your price.

And then the customer says, in the next month, it's a different tool. And like there, there's nothing that they can make business decisions on the way they make decisions in the rest of their business. 'cause they're not afraid to invest in the right thing. They'll spend a million dollars on a piece of shop floor equipment, but we say you gotta spend 10,000 on security. And they act like we shot their dog. So that's why the, we were so excited, Phyllis, to have you.

'cause this is kind of where it starts. Like if Wes, would you say if people aren't right now as a baseline using CIS, they're probably not doing a lot of other things. Is that a good, I think, I think generally speaking, yes. Um, certainly I know many that, that are here that are not aligning to CIS but have chosen to really align towards, you know, CSF is a great example, but mm-Hmm. I think generally speaking, Gary, yes. Yeah. Good. Andrew. So, you know, I just a thought popped into my head.

So one of the things that, you know, what we do is we create guidance for organizations, right? And so we, again, we try to make all of our content for free. One of the things we are working on is, um, a guide for small medium enterprises on, you know, what is it that you should be asking from your service provider really around implementation group one to, to get that. We also wanna create a guide that says, and this is how much it's gonna cost.

So I'm soliciting, you know, anyone who wants to help or provide input, we're happy to do that. We are a consensus driven organization. I think a lot of organizations are intimidated. It's gonna be too costly. And so while certainly we lift a lot of free tools, but again, you know, our free tool's gonna help, uh, a strapped organization who doesn't have the knowledge to, to, um, download a free tool. We think it's easy, but it's really not.

Instead, you know, how much is it gonna cost an organization to, at the very least, implement implementation group one. And then how is it that that organization can make sure that they're getting what they need out of their MSP? 'cause I find that a lot of organizations, they don't know what the, they don't know what they want and they don't know how to ask for it, and then they're intimidated because they're worried about cost.

So these are things that we're working on, um, uh, on my team, and I'm hel I'm happy to have any help or recommendations from anybody. Yeah, there's some, I'm, I'm putting my email in the audience. JMC, uh, hit me up. I'm working with Phyllis. Anybody that would like in on that, because again, what, talk about a piece of content, like what should you be spending, you know, to be at least to take care of these, you know, top five attacks from the Verizon Data Breach Report. You know?

So again, validation of a third party. Kyle, I'm gonna ask you to tee up really the second part of our conversation. So let's picture this. Um, if you could talk, we've talked MITRE ATT&CK, people have heard it here, not everybody knows it. Could you briefly talk about that with Phyllis?

And then if you guys could segue into, um, you know, conversation with Chris on, you know, top attacks, you know, who's going after the MSPs and just really, you know, Phyllis was on a call with me and it just, you know, I, I was just really taken aback where she's like, I would love to help the MSPs with a reference architecture, a reference guide on here are the things you would need to do. Almost like implementation group one helps the SMBs based on these attacks, here are the top attacks.

You know, if MITRE, you know, the ATT&CK framework, happened to, you know, articulate what those top attacks are. So, Kyle, let me let you take it. Yeah, will do. So Phyllis, if you haven't seen in this group, what we love about this platform is everybody can chat live. And I've been doing a whole bunch of it.

Um, Andy earlier, a member of the audience actually said, Hey, look, um, I'm in a situation where, you know, I, I believe MSPs generally have a hard time at communicating. Wes and I have done presentations together over and over about sometimes the hardest part of cybersecurity is actually demystifying just, and having common talk.

So what I'm excited about, like on MITRE ATT&CK, it was one of the first efforts, uh, to actually say, Hey, we've always talked about these tactics, techniques and procedures. Let's start categorizing them and make 'em easy to reference, especially for non-technical people, that they could still say, oh, this is where this falls on there.

So I find big value in that, but I actually feel like CIS even before MITRE ATT&CK, kind of with their top 20, and I just shared a link in chat for anybody who missed it. CIS kind of did the exact same thing with the top 20 in saying, Hey, look, I realize there's so many controls. Where do you start? We suggest you starting with these top 20. So maybe the way that I wanna open this up is, you know, MITRE ATT&CK's important.

You called out that part of, uh, the, the new CIS Controls were to better map to other frameworks. Do you wanna either build on that communication gap and see where we can, maybe as this type of group of the cyber call or members that are watching, might be able to help on that communication side? Because I think we still have the gap of how do we go from this technical audience, let alone to the people who aren't technical. Yeah, I think that would be great.

We would love to partner, um, with MSPs to actually, uh, create that dialogue and create that guidance. You know, we were just talking this morning, um, I was on another call. I, my, my, my day is filled with calls and meetings, um, was, you know, hey, um, what is it that we can actually provide that is the most minimal amount of guidance, um, for organizations who really know what threat they're worried about? And so, um, yeah, we would love to have that dialogue.

We'd love to create that community, contribute as much as we can. You know, one of our, our, um, you know, we are conveners. We, we would love, you know, either hosted here, hosted, um, at CIS to discuss what kind of products do people need. You know, so much everyone talks about customization, but it's very, very difficult to do. Um, and so, you know, what I like about what we did with, um, MITRE ATT&CK is that that is a framework.

It's not perfect, but it's something that provides a common language, right? It's something we can all point to. We could discuss it. Um, we can say, here's this pattern, here's what we care about, and we can use that as a starting point. And then from there really kind of create, um, guidance that is more meaningful to MSPs. Yeah. So Phyllis for that said, if, if we're agreeing communication is, you know, obviously key, it's a key to all of us understanding better.

Um, one of the examples in chat was about communication that, you know, it was an example of an MSP or security partner saying, great, here's the cost of this. You know, I see it takes time from a knowledgeable person to do this, right? And then the customer immediately coming back and saying, Hey, we should do this the cheapest way. Do you think part of this conversation in bringing this down to this non-technical audience is gonna help there?

And if so, do you have somewhere specific where you think that this could actually, uh, you know, help whether it's, you know, it's time to money to prevent X number of incidents, or how, how do we coordinate and how do we communicate this to that audience? Right. So I think it is important to make it non-technical, right? So, um, no one cares about the attack technique. Boards care about ransomware. I mean, this is a problem that even big Fortune 500 companies care about, quite honestly.

We often get approached and say, okay, great, I have all these technical controls, but my board wants to know what's the tool that I can buy to help protect me against the, right. I mean, and these are companies that are willing to throw a ton of money at that problem, right? No one wants to be the next target or, or whoever.

Um, so I think that what we need to do is, um, for that communication is really if we could get that list of what are the top things that we care about, if we could provide that type of guidance and say, Hey, um, when you do this, you are protecting yourself against these X number of things, and these are the basic, basic things that an organization needs to do. I'm happy to host that community at CIS I'm happy to host it at Cyber Nation.

We're happy to lead that community to start that discussion, to foster it, to talk about, you know, what is it practically speaking that, that organizations can expect from MSPs, right? Is IG one too big of a lift? I I would love to have that, that feedback. Um, yeah, well look, It looks like there's people in the audience that want to have the chat, so it looks like, uh, kind of right time. Yeah, I think that would be great.

This feels, this really, um, you know, helps our wholesale versus retail. I don't wanna go to millions of small, medium businesses and get feedback and ask them what they think when, you know, they don't know what they think. A lot of the, no offense, but, you know, they just aren't resourced that way. So yeah, this is great. Let's, let's talk to the MSPs. Let's get something started. I'm, I'm excited to do that. Yeah. Yeah. There's no other way to the SMBs than through people. That's right.

Call. That's, that's the only way to get there. Yeah. Gary, uh, likes to say, and Chris, I want you to come in here, but Gary says, uh, Phyllis, uh, to, uh, his prospects, um, hey, bad news, you're not qualified to tell, you know, in terms of, you know, choosing your IT and, and your security and Right. And, you know, and, um, you know, we're not MSP experts at CIS. We wanna do what's practical. And so if I get feedback that says IG one is not practical, then, you know, that's great.

Let me know. We wanna back everything that we do by data, right? Um, if I need to do, uh, if we need to create a special document for MSPs, that that's, that's easy for us to, to, to make that happen. But we really need that feedback from the community to make sure that the recommendations that we make, um, in that guidance, that they're, um, you know, they're realistic.

So, so with our, you know, time, just keeping a sense of it, we have time, but I'd really like, you know, Chris, can you give, um, an overview for, from a, a perspective of top attacks, what you see. Um, and, and Wes, feel free to chime in a little bit here too, because I know you have, uh, been involved in these a lot as well, Kyle, and you certainly know you have. But give Wes a little bit of the floor here. Um, go, go ahead Chris. Love, love to help, uh, share this with Phyllis. Yeah, sure.

So from the SMB perspective, I mean, RDP is still number one top of the list by far. We'll get, we'll get an attack. They go, no, we don't have RDP open and ta, little Shodan query. Boom. Yeah, you've had RDP open for two years. Um, that's just, that's just the way it goes. Or we, we know we have r you know, we have Remote Desktop Services gateways. Great. Well, why do you have RDP open as well? Uh, you know, so that by far still number one easiest attack that hands down.

I mean, obviously the next side is the phishing attack, uh, from an email perspective. So either that's, you know, obviously some word attachment or we've seen some new, new newer stuff lately with, um, some Java stuff. Uh, but again, starting with the Phish and going in and, and typically when we look at those environments, they don't really have anything sophisticated set up from a email security perspective, right? So I'm not shocked and nothing from a security awareness perspective.

MSPs, yeah, we see the RDP, but they're, they're still attacking the tools, uh, whether, you know, you know, it's a vulnerability or more often than not, it's an, it's not a vulnerability. And MSP hopes it was a vulnerability, but in the end it's a, it's a credential, it's a credential theft type deal, and they just get into the tool and off to the race as they go and, and they do it very quickly.

So it is, um, you know, this, um, there's nothing really sophisticated we see we've yet to come across an SMB attack where we are like amazed and, uh, at how technically savvy these attackers are. 'cause they're really not. Plus, as you guys have been, you know, watching these week, weekend, and week after, uh, we're seeing that these attackers are being given these suites of tools. They just sign up for ransomware as a service and everything is laid out for 'em.

I mean, you could not ask for a better tools based documentation platform, right? If you were coming up with a way to actually onboard your new employees on an MSP, you might as well go look to these ransomware as a service, uh, type offerings. 'cause they do a pretty damn good job of setting everything up and almost making it dummy proof for people to attack and, and, uh, you know, infect the network and get paid. Got it.

Wes, anything you'd like to fill in there for Phyllis in terms, well, no, um, no. I think Chris really pretty explained it really, really well. Um, and the one thing that I want to come back to that he said, Phyllis, is Chris is right. Like, there are sometimes something that's very, you know, like a new exploit that comes out that somebody just didn't patch for.

Like, we're seeing some of those things right now, but, but it's really configuration stuff, lack of patch management, lack of just awareness of what's going on around them. That is the number one problem. As, as Chris said, Yeah, I mean, 100%. When I was at NSA and I did participate in blue teams, I don't know how many times we're like, if you could just patch, if you could just, you know, it's, it's always the same thing over and over again.

And actually, as a matter of fact, I just assigned on my team, let's look at these services like RDP, SMB, um, you know, uh, like the, in the inroads of phishing attacks and what guidance can we give around these services that many organizations feel like I must enable RDP, because right now everyone's remote, right? And so what is it that we can do? And again, what's the minimal guidance, right? Um, between a configuration and a control, right?

You kind of start at the host and then, you know, you kind of go up towards the control. What is the minimal guidance we can give, um, to actually, you know, for prevent, maybe sometimes the best you can do is detect, um, against those, uh, attacks and, you know, can you configure them more securely, you know, or, or, or something like that. And, um, yeah, I mean, you know, 'cause uh, we have the MS-ISAC, I was like, you know, we need to go over to the MS-ISAC, look at, see how organizations, um, are, are getting, um, pounded or whatever.

And, um, and, and work for work towards that. And you know, honestly, if you guys have feedback or input into that, I'm also happy, um, to, to get that feedback. We're gonna kick that off and we can make that a community effort.

Um, The other thing I wanted to add in here real quick is 'cause we keep talking about how we're having conversations with our clients about this, and one thing you can kind of get a little bit into the demographics of it as well. Um, you know, let's just use an example.

If you have a client that may be in the age range of a Gary Pica, for example, you might have to have a conversation about RDP differently than you would to have, have a conversation about somebody that's in charge of somebody that's maybe in the Kyle age bracket. Whoa, Whoa, whoa. So there's the, so, so I I, I shared lightly there. I just use that as, as, as a sample, but, or as samples. But, but, but it is true, right?

When you're having a problem, are you Saying maybe talking with someone very wise as opposed to a little bit yet still? Yeah, I, growing, I wouldn't doubt that you still check your aol.com email address. Uh, so the, uh, the point is, is is I think we try to have, you know, I'm talking to MSPs, they wanna try to have this one script fits all, and it's not necessarily the case.

So if you're dealing with an SMB has a different type of, you know, history behind them and, and RDP is super, super easy, and it's, that's just a different type of conversation to explain to them the risk associated with that versus somebody that may just wanna throw all their stuff into Google as an example and throw it all out there for anybody to get access to. So you, you gotta be thinking about things like that when you're having these conversations.

I do, when I'm incident response, I can't have the same conversation with each victim. Uh, it just doesn't work that way. It's just the different personalities. And with security and managing their risk, you gotta tailor that conversation as well. Andrew, can I just zoom out for one second? Yeah, no, love A couple people as we're going through this saying like, oh my God, it's so much, are we in the wrong business? Should we open a coffee shop?

And, uh, you know, and what I wanna say is, I just was going back and looking at, um, some numbers. My peer group wanted to see what my numbers look like from my first MSSP. So I threw 'em up and I saw we had 37 employees. And of those total employees, that's sales, administration, everyone, nine of them were technology alignment managers. So purely proactive, three of them were vCIOs and a couple people to support them. So 15, almost 50% right? Were proactive roles.

The point I want to make here is doing the right thing to reduce your risk and your customer's risk is also a good business decision because we threw 33% to the bottom line. So it's, it's not mutually exclusive. Doing the right thing for your customers, starting with standards, seeing what it takes to invest is also the right thing to do for your business. It's a good investment, Andrew. Yeah.

And look, considering 50% of businesses according to Yelp and the, uh, food and rest retail went out, um, I'm, I'm still bullish on MSPs, and I think, you know, in terms of, you know, what did you say in your most recent peer group, uh, like the numbers were, what, what were they, Gary? Yeah, the 35% of our peer members in a pandemic last quarter throw over 20% to the bottom line. So that tells us the resilience of this space that we're in.

Um, I, I don't know that you're gonna get that kind of growth at a coffee shop. Yeah, yeah, absolutely. So The answer might be changing the way we do business, not abandoning the business. Yeah, I mean, if there's one thing, you know, we've seen over and over in the years we've been doing this, Gary, is, you know, there, it's change, right? And, and I would say right now, although it's, uh, here's my prediction.

The MSPs that embrace, you know, this tough, uh, relative to all the others, like the MSP, the RMM revolution of automation, that was the easy button really. I mean, the last 10 years have been a relative gravy train for MSPs until the last three years when we've started to get attacked and security has become the forefront.

And, you know, again, Gary, I'll use a, you know, a Pica-ism is that you can't give somebody something you don't have, and you can't be good at security if you're not good at it internally first yourself. Mm-Hmm. And, um, this is the first time, but the good news is if you do embrace it, man, the companies like, and like, you know, Jennifer's out there.

I know, and you know, from, uh, F1, I mean the companies that, uh, Steel Root's out there, the companies that are embracing it, and Jason Slagel, man, they're killing it. They're, because they're the confidence right in front of a customer. So Phyllis, in, in our time remaining, could we, I'd like this to be a little interactive with the audience. It's already been asked, and we do have some questions, but CSAT and multi-tenancy.

So as Gary likes to joke around, you know, we have less than 50% of the people using CIS controls, a hundred percent want multi-tenancy. But, um, for, for conversation's sake, we'll set the stage like this, pretend you had this assessment tool, right? That was relative to NIST pretty easy again. Mm-Hmm. So I'm air quoting that, right? Everything takes work. But very easy to understand. Uh, I highly encourage you to do the self-assessment. It's a beautifully designed architecture.

You guys a great job, Paul. The question is, can we talk a little about what multi-tenancy looks like? Um, what it could look like. You know, you and I have had a lot of conversations. This isn't a guarantee, everybody, you do have multi-tenancy today. Could you talk about how that works? But, you know, in offering it to an MSP, you and I are in discussions. We welcome people getting involved. So let me let throw it to you, Phyllis. What are, what are we thinking about?

Um, let me please go ahead. Yeah, sure. So, um, we certainly have gotten feedback that organizations don't want their data in our cloud instance. And so we have created, um, a CSAT, it's called CSAT Pro, which will be your own on-prem instance, right? So, um, we've simplified the scoring in there so that currently the, um, the scoring asks you four or five questions, four questions for each sub-control. Uh, we've simplified that to just one question. How well have you implemented it?

Um, so that way you, the MSP can be the top level organization and your constituents or customers can be the sub orgs. Currently, um, we sit at the tippy top, right? And so, um, while an organization like a big bank or a big whatever manufacturer can have their own instance and have sub controls, um, and certainly we have had some consultants using it, um, you know, people aren't comfortable with, with getting, um, with doing that within our cloud. And so you'll have, um, much more control.

You can see over time how well different organizations are performing. Um, you can, um, compare them against each other. There is an option you could opt in to get the industry average. You would have to open up, you know, um, and, and get some data back and forth. Um, but, or you could opt out what whatever you, you, um, want to do right now that is, um, being charged.

Uh, you know, it, you have to be a secure suite member, which is a way that we generate income, um, while we are a nonprofit, we do need to, um, pay employees, et cetera. So, um, so that is how we generate income. However, you know, we're working with Andrew to see, you know, what is it that we can do, um, with MSPs, et cetera. So more to come on that front. Yeah, that's great.

Um, so just maybe if you could say, you know, in chat, you know, what, you know, comments, thoughts, would, you know, yes, we know you'd like multi-tenancy, um, but you know, again, I I put my email in there. What are your thoughts? Would you like to be involved? Would you like to explore potentially a monthly, um, again, this hasn't been written in stone, you know, a monthly payment model, uh, um, you know, uh, you know, a model based on your employee size like CIS has today.

Um, obviously the, you know, the CIS employee model to use CSAT is relatively reasonable. Like, so I, we're, we're debating now, like, again, if it's a, you're a 15 employee organization using multi-tenancy, it's very reasonable annual fee, but you could be managing a, a, you know, a thousand endpoints. So we're, we have to take that into consideration. It may change, it may not.

But again, any feedback you guys can give us and, or if you wanna just reach out to me directly and we are going to set up some conference calls with Phyllis Kyle, you had a recommendation you, Gary said was a good idea. I missed it, but can you bring that up? You're on mute, bud. Oh, you're on Mute. Okay, no worries. Yeah, I know What he was asking though. He was, the idea was, yeah, go ahead.

Yeah, he wanted to have some people come on and, um, someone was mentioning they, they've closed four of their last five deals based on a security first approach. Really. There's a lot of good news, and because of the nature of security, you know, it's a little doom and gloom kind of thing.

So we thought maybe next week we could have the hopeful, uplifting version and people can share these positive stories, how this has been something that's transformed them into better value, better relationships, better business. Yeah, absolutely. Yeah. The positive, the positive hopeful, uh, episode of the cyber call. Well, I Why do we see this as, as a negative, Gary? Like I I, Yeah, no, just people, just because we talk about so many.

I, I don't, you know, I'm always here for the opportunity, but people jump on and, you know, they're hearing the reality of, of the fact that there's so many more security risks out there. So we want to just take an episode to completely shine a light on the other side. Yeah, that, that would be great. A success story is, is who is, you know, who, who out there said it? I mean, if we out, we, You'd have to go back and look.

It's moving so fast right now, Andrew, out there, there's so many Andrew. Uh, without spending too much time in logistics, I think the best way to do it would just put on Cyber Nation, do a new post, see who's interested in communicating and say, Hey, I want to join. And then we set the date on it. We just bring people in, have them say their piece, they can exit out and bring the next one in. It'd be awesome. Okay. Yeah, I love, I love that idea. That would be great.

In fact, next week, I think we have the next two weeks set, but Phyllis and I are gonna be working offline to again, email me. I'll put my email in one more time. It's Andrew at the Cyber Nation, um, cyber nation.com. You email me if you'd like to be involved. And then, um, Wes, we have next week, um, uh, we have Global Cyber Alliance back, however, um, we have, and you know them well, uh, Phyllis you've worked With. Yeah, we're friends with them. We're good friends with them.

They're good people. Yeah, they're good People. Nonprofits have to stick together. Yes. Um, we are going to have, um, gosh, his name's drawing. I I'm killing, oh gosh, I'm drawing a blank right now. Um, but, um, they're gonna come on and talk about, um, you know, how they present bootcamp style, uh, to SMB. So how Ms, how the MSPs can use it.

They're also gonna be talking about, um, the myth of, um, uh, I think it's, uh, yeah, DAC, um, and how it's being used and the, like, the top five myths that people think setting up DAC in Micro, in, in Micro, in, in Office, um, is the way to do it. And it's, and the, they were telling me it's, it's actually not. Um, the following week, Wes, we're hoping to get the gentleman that wrote the book on honeypots, Chris Sanders. Does anybody here know Chris Sanders?

He is a personal friend of mine, and I think we're gonna be able to get him on the call. Yeah. Anyone here in chat know Chris Sanders or read of his books Practical Packet Analysis, uh, new honeypots book coming out next month. So yeah, we're pumped to have him. Also runs a nonprofit. Phyllis, uh, the, uh, cyber, uh, uh, rural cyber defense fund, which is really, really cool. Okay, I'll be tuning in. Yes. Uh, and I remembered, by the way, thank you for that, Kyle.

It was, it's actually, he works for Phil, it's Shazad Meza, and, and he worked with you guys as well. He worked for CIS, if you recall, right? Phyllis? I dunno if you remember Shaza. I know Shaza did definitely. Um, Adnan did Okay. Adnan did. He's over there. Okay. Um, and so with that, let's wrap things up. Um, Kyle, do you, let me see if I can get you back up here. I see. In the audience.

Um, but we'll, Hey, while you're doing that, Phyllis, maybe one last question for you while you're getting that going. So we've talked a lot in other calls about impending regulation coming into the MSP space, and we've also talked about how regulation sets the minimum, not the maximum. And we do have a problem with the minimum in security today.

I mean, you've seen this in the chats, a lot of people saying, yeah, I'm having to compete with, you know, these people that want the, the cheapest bottom dollar security solution. And there's another MSP next door, that's gonna do it way cheaper. How do I compete against that? Right. So my question for you is, do you see impending federal legislation and regulation coming to MSPs? And if so, or if not, what are your thoughts on it? Um, I personally have not done much look into that.

I don't, we, we do have someone actually who follows the, the legislation. We do believe that there, you know, Congress does want to do something around like a minimum standard, certainly DHS and CISA do. Um, I would say that MSPs do fall under the purview of US Telecom as well as CISA as a, um, critical infrastructure. Um, and so yes, I think there will be a minimum standard, um, required. Now what that looks like, I don't know, we want it to look like Implementation Group One.

Um, we have met with other organizations to talk about that. And so I do think, um, I do think having a minimum standard actually is a good idea though. Yeah. I think that we really, calling a whole framework a minimum standard is, is a bit much, right? So within there, having that prioritization I think is really one of the strengths of the controls.

And, and this is like a big turnaround from someone who worked at the National Security Agency who did food testing and made a living off of that to say, what, just what, you know, it only takes one, right? But you know, now, you know, I'm, I'm older, I'm more mature. It really is about, um, you know, like you said, how many times do you have to see the common attacks? How many times is it over and over again? The same thing.

It takes a while, you know, working at the NSA, like, oh, why aren't they patching? Why aren't they doing this? Like, instead of just calling them out and making fun of people and calling, you know, oh, that's so dumb. Like, what is it that we can do to help these organizations? Right?

And so I really do believe in this minimum standard of, um, you know, there is this obligation, there's an obligation, um, for organizations to protect themselves as well as protect other organizations who rely on them. I think MSPs fall into that category, right? Um, you know, kind of like we talk about public health, there is this, um, obligation.

You know, people say wash your hands, not just during a pandemic, but there are these, um, you know, that's why we call it like basic cyber hygiene. There are these hygiene things that we just rely on the CDC to tell us to do. Wash your hands, take your temperature, do these basic things to maintain a healthy lifestyle, eat right, et cetera. Um, in cyber, we need to establish those, um, same norms.

These are things that every organization should do, not only to protect themselves, but to protect others who are relying on them for a cup of coffee to protect my credit card information, you know, for a service that, you know, I'm expecting you to protect my data, right? So we have to kind of get to that place.

Um, one of the things that I like about the controls is we really try to fill that and we wanna, we wanna provide that, you know, kind of best set of best practices based on, um, not just what we think is the best thing to do. Not every organization needs to do pen testing, but you know, that, uh, different organizations with different obligations need to, need to implement. Yeah, great question Wes and, and Phyllis, thanks for the explanation.

You know, we know we, with Louisiana, you and I talked offline about that. People out there probably do know about what Louisiana's already done, which is if you're an, a state agency and in Louisiana and you're working with an MSP, the MSP has to disclose and register. So I, I, I think things are in the works, and I think you were, I could be wrong, but I think Las Vegas is, is considering a similar thing already. So, Gary, closing thoughts. Thanks for, um, an awesome, uh, week 15, Gary.

Yeah, no, just, I just wanna say, Phyllis, thank you so much for, uh, being here today and, you know, just getting this information out right to, to MSPs, like, you know, building this base and have everyone build that base is so critical. So we appreciate all the work that, uh, that your team does. Thank you. And thanks for, thanks for having us.

I did wanna say, I forgot to say there is legislation in the states as far as like implementing frameworks and they do reference CIS like the state of Nevada, Michigan, Idaho, Ohio. So we do see that up and coming through the states and some safe harbor laws for, um, companies as well. Great. Chris, um, I appreciate you spending the hour with us, and I know you didn't get a lot of time, but I always appreciate your perspective. Any closing thoughts from you Mr. Lee?

Hey, the, um, the thing about it is we're, I'm starting to see a little bit of an uprise on the MSP attacks again. Uh, we're starting to see more ransomware groups get involved. We got, uh, we got a case last week with a, a new type of variant called Avaddon, A-V-A-D-D-O-N, uh, has a lot of different features and functionalities built into it. Definitely data exfiltration part of it. And, uh, it seems to be another very kind of GandCrab, Sodinokibi type style of website and that type of thing.

And so, um, it's just not stopping. And so, um, and we've had a rash, um, for the last week or so, a rash of nonprofits get hit. So, um, again, can't speak to it enough. Make sure you, uh, and just one other thing. We've had a few cases where the MSP has just tried to go and handle the situation themselves, and then two weeks later we get called in and the customer's been down for two weeks. That I, I, it's still, I cannot figure out why you guys continue to do that.

And I don't wanna stereotype and throw everybody in a group, but if you're trying to save the customer's tail in a ransomware situation, think twice, think three times about it because, uh, it's a lot of times you're gonna get in over your head. I'm not just trying to brag about us or say anything bad about you, but just bring people in that can get that thing started. 'cause you don't wanna leave your customers lying around for that long.

It's, you're not gonna get their business back if you do that. Kyle, Chris nailed it on the technical side. Uh, you know, I think maybe we saved, uh, that little best little tidbit there at the end, uh, for Chris just to really hammer it home. It is ramping up. Um, I'll call out since he hit the technical. So well think about last three episodes. Global Cyber Alliance, Maritime ISAC, and then we just nailed it with CIS and Phyllis here.

A lot of big, heavy hitters come in to contribute worthwhile resources to make the community better. Uh, please keep up the suggestions for the community. We get these ideas from you all. Please continue to abuse Poor Andrew's mailbox and, uh, we'll, we'll keep bringing the good conversation. So huge. Thanks Phyllis, for making today. Just such an awesome, uh, go ahead. And I don't think I have anything else to add. Yeah, Wes, Hey, nothing else to add. Thanks.

Yeah, Phyllis, um, really, really appreciate you spending an hour with us. Um, so, so, uh, appreciative of it. And so looking forward to working with you, everybody out there contributing. I think this is gonna be an awesome year for MSPs, MSPs and CIS. So Phyllis, uh, have a fantastic rest of your day and week and we'll look forward to talking to you soon. Yeah, thanks for having me. Bye now. Thanks everybody. Take care. Thanks Phyllis. Thanks everyone. Bye bye.
