CyberCall – June 22nd, 2020
Video Transcript
All right, we're live and recording. Welcome everyone. Cyber Call, week seven. Gary, Kyle West. Welcome. Thanks so much for joining. We got a lot of folks out there too. Funny. Well, I hope for all you dads out there. I hope you had a wonderful Father's Day. And, um, Wes, anything special you'd like to share with us in that? Uh, little, I mean, get up Other than, other than looking cool, you know? Yeah. What, what's special? Is he special? Look at that Now. People respect me.
They always respect you. Hey, Kyle, I was, yesterday. I was thinking, you know, all around the world, there's all these hackers and, you know, they're home on Sunday too, and they're having their Father's Day. Yeah. I mean, hackers are people too. Maybe shadier people, but they probably didn't live in a little bigger houses than us these days. Hey, I, uh, you know, it's funny you talk about that.
I'm friends with, uh, one of the FBI guys that was able to nab uh, Guer two, Kyle, you remember Guer two? I don't know if you know that guy or, oh, yeah. And he was telling me this story. This is like a, like a after event over beer story. And he was telling me when they nabbed him in Italy, uh, he was literally, they'd been watching him for over a week.
So they kinda knew his movements, but, uh, when they nabbed him, uh, he was walking his daughter to school and he and his girlfriend just come out of their flat, went downstairs walking her to school, and he, all of a sudden, he said, I came up two other agents in front three and back, uh, some guys from Italy as well because of the extradition stuff. And he said, the second he saw us, he just gave right up.
And he goes, he, he had some choice words, he said, f the USA, uh, and they nabbed 'em and put 'em in the car, and that was it. But, you know, it just really shows like a lot of these guys are just, uh, you know, in their minds, they're just regular family men. Job, working job nine to five. Well, as you were showing in the presentation, Kyle, it's packaging and pricing, right? On the dark web. It's the service. And they, and they've, I think they've got their packaging pricing down.
They're most Yeah. They're adapting it right to the MSP market. Pretty smart. Yeah, Exactly. Yeah. I mean, and they are adapting it, right? You look at, uh, now exfiltration is like embedded in all, like all of the major actors. Chris can talk about that more than the rest. I mean, absolutely. They're nimble and changing too. No question about it. Well, excellent. So, hey, so here's today's theme. Um, we're gonna let you guys ask questions.
I hope you brought some, um, I'd ask, I mean, we certainly can keep an eye on chat, but if you can use the question section, that would be even better. I have some questions. Some of you were gracious enough, and not that you're not gracious, but some of you sent them in ahead of time, and I got those here. Um, so I'm gonna be going back and forth. I'll be looking at the questions section. Um, I'm gonna try to keep them in order in terms of the specialists. So again, who we have on the phone.
Gary's gonna handle business. Kyle and Wes are gonna be looking at, you know, some kind of the, the threat, the threats going on. Specifically, we're gonna be talking to some of the vendor threats right now. Ken trips here on data security, Chris la here on, um, uh, uh, uh, incident response and my mike regards here on, um, risk and vulnerability. Risk assessment and vulnerability. So, I just wanna start things off.
I heard something today, Wes, this spoke to me, and this is how I want to kick things off with, I'm gonna keep kick it off with you and Kyle actually, and then I'll go to Gary. But it was a comment from a Dr. Steven Prescott on the Coronavirus, and he said, as human beings, we don't judge risk very well. We pay attention to things that have just happened.
He goes on to say, you know, the best way to get someone to stop smoking is to meet with them in the cardiac care unit right after their heart attack. And, and not that, um, that's a funny thing. It just reminded me of your best way to get cybersecurity budget. Um, so No, man, I get a friend had a heart attack, you know, he was all great for about a a year. Now I just see him eating cheese steaks and drinking beer constantly. He goes by, he needs another heart attack to remind him.
It's, Oh gosh, it's what's right in front of you, right? You remember what's in front of you. And as soon as it's in the rear view mirror, right? Uh, objects are in, in mirror are closer than they appear, but they still look far away, right? It's like, there's two kinds of people. There's one that, like, they have that event and like their life has changed forever. And then there's the other group. They're like, Walter White, right? And they're like, ah, F it.
I'm just gonna do whatever I've always wanted to do, uh, in this case, go sell meth. Well, I kid you not in a past life, many moons ago, I did my master's in exercise physiology, and my internship was at St. Francis, um, hospital in their cardiac care unit. So I would work with people once they got done with their surgeries or their, you know, uh, catheterizations or whatever it may be. And I would be walking around with them. And I'll never forget this one dude.
He, like, he, I walk around with him and he disappears. I'm like, where the heck did he go? And he comes back in, I'm like, oh, I was wondering where you went. We start walking around. I'm like, Did you, did you out smoking a butt? Huh? He was out smoking a butt. He's smoking. I'm like, oh my God, No, Andrew, you know, tying this back. This is the reason why you hear us each week, right? Somehow we always bring up that security needs to be a culture, right?
Unless you have roles and process and metrics, um, you know, attention, time and attention in that disciplined way, you, you, you will forget about, you know, or you'll need something dramatic to start you down that process. That's, Yeah, that's a really good point. Which comes back to having, you know, your point of standards and roles and somebody always looking at those things on an ongoing basis. Uh, so, and, and needing to be paid enough to actually do those things.
Can I make one more quick point? I know we have a lot to do. Yeah. You and I were doing a session, uh, last week for the, uh, Cisco event. Yeah. And I asked you a question. I said, Hey, Wes, you know, there's a lot of factors, but about how many people would be on the security team of a company that had a thousand employees? And you said, probably, what did you say? Like five to seven, not counting. Yeah. Somewhere In the, yeah.
A bank or healthcare might be a little higher, but somewhere in the neighborhood of five to 10. Yeah. And, and I'm talking about dedicated FTE to security. Yeah. And I said, well, okay, if you're an MSP, who's got a thousand, you know, users under management, how many dedicated people do you have in security? Let's round down, If You were a bad guy, which would you go to? Right? I mean, that, Gary, that is so telling. Yes. Yeah. Very good point. Okay. So here's, let's start off with this.
And the, and it's the Kyle and Wes and this, you know, kind of the, the title would be, you know, how do you handle cyber risk coming from vendors and other third parties? Big piece of the equation these days. And to that, um, you know, let's, let's kick it to what's gotten a little bit of attention recently is the ConnectWise automate vulnerability. So just throwing a, a general question in the sense of, are you seeing anything new with it? Wes, uh, let me get to you. Okay.
I gotta put my CISO hat on for a second. Let me talk about third party risk super quickly. 'cause there's some important pieces that I can't just leave alone. And then I'll let Kyle jump into the ConnectWise stuff, and I may add a few things to it as well. But, you know, the nature of the game of third party risk, it is a requirement in this day and age. It's always been, right? I think the big Target breach who a 10 plus years ago woke us up to third party systemic risk.
But I mean, nobody is gonna go back into the old days of like being our castle and moat and never having a third party. I mean, just as throw an example out there, who's gonna say, well, I'm ripping out an RMM, never, never using that again. Roll trucks every time. Nobody Mm-Hmm. So it's, it's something we have to accept. We have to stay there and say, I have to accept the fact that I'm going to have third party risk, and I have to manage that risk. I can't eliminate it. I can reduce it.
There's a lot of things I can do in the due diligence process of reviewing my vendors to say, you know, what kind of risk is exposed? What kind of data do they have of mine? Are they processing it, storing it, transmitting it? How are they doing it? I can do a lot of those things to reduce risk and ultimately find vendors that are doing much better than others. And they may choose to go with, and of course, the SOC 2 and those things give you insight into that.
But the key thing to remember, and Kyle, I'll turn it over to you after this, but the key thing to remember is I can't, I can transfer some of that risk, but I can't outsource it. I still own the risk. It's always going to come to me. No client of mine, if my RMM gets hit is going to accept me saying, well, it wasn't me, it was the RMM that got hit. It just doesn't work, right?
So that's a key thing to remember when you're working through third party risk, is we're going to always deal with this. It's always gonna be a problem. Kyle, what do you think? I think, uh, you're, I mean, obviously wise, you spend a lot of time in this. Sounds like every call I usually get from a journalist that asks me, well, who's at fault for these incidents? And I say, look, regardless of the vulnerability the clients are holding the MSP responsible period. Right?
Your MSA is going to do it. And we said that before. So I don't think anything's changed with this whatsoever. What's beautiful about what you also said in regards to like risk, you can reduce it, but there is no elimination. Um, and there's, as best as you can financially do to be able to mitigate it to the level that's acceptable to you. My level of risk could be completely different to somebody else's level of risk. And that seems to be something that gets missed.
When I read, like on Reddit or forums or even some of the conferences, we all talk, talk about how we're gonna generally mitigate risk, but I usually see people forget, like, risk is your own personal tolerance, right? So it's up to you to figure it out. So I understand why people have the ConnectWise bug on their mind this morning.
There's, uh, a lot of talk for the last about month and change about ManageEngine, which is a, a product by Zoho that's also being exploited in the wild RMM type capability. So it makes me realize that even the biggest companies can get exploited, but that risk at the end of the day, I would think no matter who you are, probably mitigating your RMM risk is something important to you. Yep. Yep. And let's talk about that for a minute.
I do want to say a couple things about the, the ConnectWise vulnerability, because it is all everyone's talking about right now, at least in a lot of our circles, right? And I don't know if you guys have seen Jesse's post, I'm gonna send this from sis warden, uh, into the chat, but check that out. Jesse is the one that originally found and, and, uh, was made aware of all this actually is the one that discovered it.
And so if you wanna see what he published about that, definitely check that out and definitely look at it. Um, Kyle, we've been tracking a lot of the activity around what we've seen from the attack landscape around this vulnerability. You guys have been seeing some stuff around this too, right? Like I know on our end we've seen a lot of, uh, actors using Private Internet Access, which is a, think of it as like a VPN of sorts to be able to target and do some of the scanning.
Um, we've seen continued activity around that. Our experience, most of the MSPs we've seen, uh, are aware and are patching are already have patched for it, which is a really good thing. And I know we talked about this a little bit last week, but, uh, we did wanna share some of that and just make sure everyone's well aware of, of what's going on. But Kyle, anything else you guys have on that, that you wanna share?
Yeah, I think as Jason Slagel's in here mentioning in chat, one of the benefits the cyber call community brings to these analyst calls are, uh, you know, Jesse did a great job on his research. He created a fully working exploit that goes from end to end. He could trigger this vulnerability, and the end result was ConnectWise patched it, right?
Obviously, there's some abuse of this in the wild, since the vulnerability was noticed and the patch came out, it appears there's even more people trying to leverage some of the, uh, current situation of these products to maybe do some bad things in the future. But I think where we're going here with all this is, you know, um, this is the community giving back. As for Jason's comment in chat, you know, I think there's more, there's almost always more right with tax service.
So I know firsthand and I won't, you know, steal any of his thunder, but here in this community alone, there's other people working on other bugs in some of these products to get them patched. And I think most importantly is when you have this risk, how do you constantly take care of it? I, you know, as we mentioned last week, the time to go from vulnerable to patched isn't long.
If you know about it, if you're doing it, and I would argue the most important takeaway for third party risk this week is how quickly can you go from whatever that state of unpatched or unknown to the time that something is discovered and patched and minimizing that time. Uh, it's a constant thing. But Wes, I, I think we've probably eaten up most of our time this week. Yeah, we probably have. And maybe that's a future for, uh, for another day.
One thing I did want to post out here for anybody that wants it, and what, we'll move off the topic from here, but this, if anyone is curious and is using Snort or Suricata and wants a rule to detect at least what we're seeing from the TTP side of the house right now, uh, if I can get this to work, I'm gonna paste it in, uh oh ha, it's over 500 characters. So Andrew, what I'm gonna do is I'm gonna send it to you later and you can fire it out over email to everybody, okay?
But if anyone's interested, we've got a Snort rule that you can run and very much encourage you to use that in any tool sets that you have. It's free for use for anybody that wants it. Yeah. And, and Wes, Kyle, it's not that you guys are are done, I I, I'll go onto a few questions. I mean, last who, however long you can stay. Last week we, we stayed the full hour. If you can, great.
If you can't, I totally understand both of your, uh, so, so Gary, let me pose one to you and then I'm gonna bring Mike Ard up, just because Mike has to drop at the bottom of the hour. So, Gary, here's what I got from Dave. And the question is, um, you know, I'm a smaller MSP, um, and, uh, in today's cyber environment, starting off with two, you know, one or two customers, um, you know, and how do you grow your business when, you know, there's not every, uh, everyone's back in the offices yet.
I'd like to hear more about how to market, get customers, what other things, um, people are doing. Oh, I'd love to work with true methods. He even says so. But with that, maybe just questions on that. And what things do you even out, you know, out considerations on outsourcing? Because when you're small, you gotta think about build by partner, right? Yeah.
You're probably gonna have to, you know, listen, I'm gonna give you the really Reader's Digest version because this, I got like 11 hours of webinar content right on this. But the, the, but the Reader's Digest version is, yeah, you have to look around. You're gonna have to outsource, because listen, you gotta figure out how do I wanna spend my time to add that most value, value? You have to grow the business, and you have to, you know, build those customer relationships.
They're the two places you look relationships with prospects, relationships with customers. And then you ask, what else do I have when I'm small that I can outsource? Just make sure you take the time to learn, you know, the concepts we teach around pricing, because, um, you wanna know that you're gonna have gross margin, right? Today, but you know, you're gonna want to have your full 70% gross margin down the line if there's some of those things you start to bring, you know, in house.
Um, second part of that question is, if you're that size starting where, what would you do? Look, I wouldn't do a lot of like, you know, shotgun marketing. Um, I'd go out and make relationships, uh, even virtually today. You can do it without going on site with other people, you know, that have that same target market, make relationships, find other people that are also looking to build their business so that you don't need a lot of leads. You just need a few leads you can, can close.
And using security and the things you learn on these calls as a wedge is a great way to do that one. You know, um, both with finding, uh, referral partners as well as when you get in front of prospects. Yeah. Linked, you know, one of the things you taught a lot, Gary, over the years too, is like LinkedIn centers of info. You know, like, you know, looking at LinkedIn, who knows, you know, somebody else and the, you know, similar title asking, Hey, by the way, do you know so and so?
Yeah, you do a few things every week, uh, you know, in that area, and you let a little time go by and you'll start closing some deals. So this one I'm gonna ask, um, I, I want to keep you three here 'cause I'm gonna ask this and then I, wes I'll move you to the side if I could just to pull up Mike, but let me, thi this is an interesting one. It's a question in the queue. Have a T&M customer who's in our RMM. I was doing some work for them.
Notice, um, SQL Server had a local user logged in, uh, logged on admin sys, asked them about it, they had no clue. I disabled the account. Also noticed AnyDesk was loaded up at the same time, at the same date. Loaded interests and SentinelOne on the machine and not really sure where to go next. So, I mean, I, you, I'm gonna, I'm gonna kidnap this one just since it, uh, by name.
Um, obviously this isn't the, uh, cyber call troubleshoot your technical problem, but what's really great about this problem, what happens when the hackers get in and don't use malware at all? What if they're just using an extra username in your system, or maybe it's just a remote technician from whatever the, the heck the server is to be able to get in and make some modifications or changes. Where I'm going with this is security, right?
It's so easy to put the tinfoil hat on and think every single, you know, user account or anything is malicious at the same time, differentiating between the difference of truly malicious and maybe just that legitimate usage of a feature sometimes can cost, you know, tens uh, or 20 hundreds of hours if you really think about the most ridiculous issues.
Where I'm going with all of this is I don't have an easy answer to tell you in that specific case without putting the incident response hat, but I wanted to highlight, at the end of the day, your verbose logging, you're working with the vendors of this product, whatever the database is, to figure out what is your norm or what is your baseline? And we've talked about this from, for, uh, just, you know, just like knowing your business, you need to know the ins and outs.
You need to know, you know, what is different, what is typical, what's atypical. Kudos to you for finding this weird log on, but unfortunately I couldn't help you here in this call either to tell you specifically where to go next, other than start with the basics. Why is that account there? Why shouldn't it not be there? Et cetera. Kyle, you said something really good in that I want to, I want to dive into more, is, uh, you mentioned incident response.
Like at this point, this is an incident, right? We're not saying, and definitely don't say, if you think incident means like security breach, you're not thinking about this, right? Right. What is an incident? An incident is some kind of notable event that's happened that requires some kind of investigation and you are at that point right now. So you need to engage incident response.
It doesn't always mean third party at this point, but you should be able to have some kind of motions in place of what do we do? Do I need to isolate this machine? How do I look in more? And, and Kyle, you gave some really good thoughts on all of that, right? Like looking at the log data that's going on, understanding the vendor and what it does, uh, the processes around it, all that kind of stuff, right?
But this is a good lesson learned for any MSP that's on the call that walks into a situation like this, would I declare this an incident? And if so, what kind of actions would I take? And so, really good take home that if I were in your shoes, I would be saying you were in the middle of an incident and it definitely is time to start taking some investigative action. Awesome. Wes, can I just have you come to the side for a little bit? I'll rotate some folks in and out.
Um, I'm gonna, you got it up. Thanks so much, bud. I Alright. So by the way, guys, keep some questions coming there. I appreciate you guys putting 'em in the, in the questions section. Um, Mike, I'm coming to get you Mike Ard. Uh, Mike, I got one here for you. Okay. As soon as she gets up here. Good stuff. Good, Gary. I was thinking the whole time and uh, you know, as I was reading that, and Wes was talking about it, but I think he hit the nail on the head with defined process, right?
Like, when you have the unknown, it's not about having the answer to what the unknown is, but knowing how to go through there. It's funny how much, Right? Yeah. Of identification, like you said, response, repeatable, right? And then learning from it and building on it over time. That's where we get back right to, to a culture. Great. So, um, and, and cool. We got, so actually a question just came in that would be good for you too, Mike. Mike, how are you? Thanks for joining. Doing well.
Happy Monday. Thanks. Good to see everybody. Can't see you safe today. Yeah, no. Um, Mike, here's a question on, uh, here's the question. So compare, you know, when, when you get asked this, you know, compared to other companies, how do you rank when, you know, when it comes to cybersecurity preparedness? So in other words, you're talking to a customer and they want to know how they compare to others. Um, how do you handle something like that?
And do you use that, by the way, as a sales motion in your, does your, do, does your teams use that as a sales motion of, because I, I could imagine Gary would of how, how you might compare to others, but, um, does that question make some sense? Yeah, absolutely. Um, yeah, first and foremost, we always talk assess, right? You, you have to assess, you have to identify really what the risks are. You have to identify different things, um, just in conversations that like you and I've had, right?
There's, there's tools out there to identify known risks that are quantifiable. I think vulnerability scanning is the easiest one that comes to mind. You can run a tool like CyberCNS or Nessus or something like that. You can, you'll get vulnerabilities, you'll understand what those are. Um, you know, I've heard things like, uh, comments like patch management is not vulnerability management. I couldn't agree more with that.
So first off, you know, knowing that I'm talking about vulnerabilities a lot, um, just kinda where those go. It is beyond just patching. And I think that's important to identify for our customers, right? It's not just applying Windows patching. I think knowing that our tools are working is a good thing to do, but we have to take it beyond that. What are all the other risks that are actually exploitable on their network? And I think that's the next one.
So when I hear vulnerability management, first thing I always hear is it maybe a myth is it's patch management, it's not. We know it's more than that. The second thing that I always get into then is how do we prioritize that, right? There's a quantifiable component to that, and I think that's a really easy thing to show a customer how they stand against other organizations is through vulnerability management. That's a quantifiable metric, right?
We can look at exploitable, um, vulnerabilities versus non exploitable, and that should tell you your prioritization. Um, that can, I think in some cases place an organization as well. But then there's the, the risks or, you know, they're the unknown risks or they're not easily quantifiable, and that's a conversation. So I think that's understanding with the customer. It's a q and a type thing, right? We have to understand their, their line of business.
We have to understand what their risks and fears are. And, and I had this conversation with our internal sales teams last week. It goes above and beyond it, it gets into that challenger sell model, right? I think I heard this on a different conference call, so I wanna mix, mix things up here, but you've gotta challenge a little bit. And I think too often our contacts are, you know, it's the front desk gallery, it's an HR manager, somebody like that.
And they're not necessarily the right person to make the call for a larger organization. Chris l has spoken about, um, you know, some of the ransomware events that we get into and recently going through one with him for a, a prospect customer kind of a thing. And they're in a pretty tight spot. They're going through, they're in the middle of transacting their business. A cyber event happens in that process. It's literally the worst time possible.
And their CEO didn't even know some of these risks existed in their environment, right? So it's, it's identifying risks and really getting 'em to the right audience within the organization. And I think quantifying that to the CEO, hey, these are probably the top three to five risks to your business that's important. There's a quantifiable component to that, and there's a non-quantifiable component to that. I can't show them statistics around certain things that may happen as organization.
I can show 'em general industry-wide statistics, but I can't tell 'em that, Hey, there's a 75% chance you're gonna get hit by this this year. Right? We don't know that. And that, that, but knowing that that risk exists, understanding what the impact is, I think that's, that's critical. That's, that's great. Mike, Gary, you were writing, did you have some comments? 'cause this is, I think, up your wheelhouse, if least in terms of comparison, right?
You know, how do you, So you, you hear how Mike's right, his response to that, like his perspective, his knowledge, like, you know, it comes through in so many ways. What has to happen in the sales process? How do we paint in big, broad strokes then to take all of that? And again, when you're with decision makers, uh, they, they, they don't want to hear those percentages, right?
Like Mike said, like, you know, it turns into a p*****g contest or they just feel like it's a, you know, like, you know, the, any vendor can say the same thing. But when you talk about, again, what you're doing with process, how you dedicate, you show 'em some samples of some things, whether it's, you know, uh, assessment, whatever, like you show 'em samples of what you're doing and then you, they can kind of start to paint that picture back to other op options that they have.
And of course, one easy way to start with is to use price. 'cause sometimes that helps you out if what they're paying or other vendors are less. Now it's really simple to weaponize low price and you can make that the risk of what's possible and not possible at a price level. Yeah. Well, I, I think the first time in a long time, well, I shouldn't say that, Gary, you've always used low price to help, but more than ever with what's going on with cyber, can you use low price as your advantage?
Absolutely. Yeah. Like I said, I like to use that term weaponizing, Right? Oh, so, so just real quick, Mike, before you leave us, um, there's a question in the queue. Um, are products like RocketCyber, Blackpoint, uh, Cyber, uh, Defender ATP meant to be a complete replacement, a partial replacement or an add-on to current, uh, uh, next gen firewall for SMBs in regulated industries like healthcare, uh, and HIPAA compliance? Did, did I read that? That makes some sense to you.
Yeah, I think I got the gist in, you know, I'll be upfront, I don't know all of the products that you listed. The, um, when I look at any advanced threat protection or ETP type product, I typically see them as complementary, right? I think that's, it goes back into the, you know, don't go on price. If you're going in on price with a, hey, the cheapest firewall's gonna win kind of a thing, you're already setting yourself up for failure. And that's the, it's a comprehensive solution, right?
Understand the strengths of those products, how they complement existing products. Um, you know, hunts, we run into this, I'm gonna pick on Kyle 'cause they see him smiling at me there. We run into this with Huntress. It's the, what is the additional value of a product like this one, I already have a Webroot. Yeah, but we know that doesn't catch anything, right? So we want to build those layers in the defense and, and again, sell that story.
You know, I, I like Wes' dental analogy kind of a thing. You put advanced threat protection or an ATP type product on something else. That's like putting a sealant on your teeth, right? You go to the hygienist, you get your six month cleanings, you also put a sealant on to hopefully keep things from happening. Um, build those layers, build that layer of defense. Thanks Mike. Great having you as always. I'm gonna bring up, uh, Chris with us here and, uh, Mike, uh, all the best.
Hope you had a wonderful father. Thank you. Care bud. Alright, Here's the real troublemaker here. It's always, uh, after a holiday weekend, Father's Day, I'm wondering how much ransomware time he spent. Yeah, yeah. Come on, Debbie Downer. I was thinking, you know, how you can, you cut a tree and you can measure the rings and how old it is. I was wondering if we could measure the bags to see how many incidents he handled this weekend. Oh, man. All right. Hopeful.
Hopefully we can keep 'em on screen. Uh, uh, and you know, we don't have this, it says he's coming on up. So I just wanna add, we're talking about talking to prospects. We get a lot of those questions now, you know, in translating value, listen, that's what we have to get better at.
That's the reason why there's, you know, seven people in security department for, you know, a thousand user business and you know, one or zero in a thousand user, uh, you know, MSP, because the CISOs have learned to translate risk and value to the board better than MSPs have done it to their customers. They've been dealing with so much longer too. Like Gary, we talk about, you know, five pounds of, you know, 10 pounds of sugar in a five pound bag.
It's 20 years of security in what Yeah, a year, two years. Yeah, absolutely. They've had a lot longer run with, yeah. Yeah. Chris, can you hear us okay? Even though you're coming in and out there on my video? Yeah, I can hear you. Okay, great. Welcome. Happy Father's Day. Um, what do you have 25 kids? Yeah, divide by five. Okay, five, that's right. Um, alright, so Chris, happy Father's Day.
Hey, um, some questions on IR, um, and great to see people are, are looking to talk to you about your business. Funny, you, you're the one that always gets, uh, more business on this than any, but, Well, Kyle and Kyle and I said, it's a weird deal. These guys keep us busy even though we hate 'em. So, Okay, so how often should you be testing your cybersecurity incident response plan?
Um, and, and you know, again, I guess maybe we could even throw out tabletop because that's something we're gonna be doing. We'll make sure we keep everybody in, in, in, in touch with that when we, when that comes up in the next month with Gary and team. But go ahead, Chris, thoughts on that? I got a few questions around that. So usually the, the correct answer is this, at least annually or whenever there's a material change in your environment.
So, uh, a lot of people like to, um, just sit back on the annual and check that box off their list and then move on. But when we're talking about a significant event, that could be, hey, you're, you've migrated all your stuff to the cloud and it was all on process. You could have acquired an, uh, a company, you could have acquired a larger, a large client and you went work. You, you put everybody to work from home. Yeah, There you go. Yeah, that's exactly right.
Uh, your principal goes to rehab and so he is not around anymore. That's another one that can happen to you. So, um, yeah, tho those, those are the ways you need to do it. I mean, you need to feel comfortable, I would say that quarter. So I think there should be one massive, you know, incident response test that you do annually at a minimum. And I think if you're not actually reviewing it quarterly, uh, you're not doing a good job because there's a lot of things that changed.
I mean, just us talking about this Automate vulnerability recently, um, that's, that may make you think about, Hey, let's get that incident response plan and dust it off again. I mean, right. You know, Wes, Wes was on and coming from the banking world, these are things that are touched upon all the time are when you're at a bank, the auditors are, are making sure you're doing this stuff. The examiners are reviewing what the auditors did to make sure you did this stuff.
And then if you're a publicly traded bank, you have even more auditors looking at your, you are making sure you do this stuff. So it's very important. And so, you know, Mike comes from the banking background too. And so we were just accustomed to doing it. It's become part of routine. And so Gary touched upon the culture earlier.
And then once you have that kind of cultural feel for it, you'll, you'll, you'll force your, I guess I'm gonna say it'll become more natural for you to do it, and you'll want to do it more often rather than having somebody like us sit on a call every Monday telling you to do it. Got it.
When, you know, there's questions around a little bit about like what Wes was saying, you know, an incident versus, you know, hey, this is an actual, uh, breach and can you maybe demark, you know, those types of things, Chris, like when should people, you know, clarify it is indeed, you know, a bona fide incident when when's law enforcement brought in those, any kind of rules you could give us there? Yeah, I'll kind of work in reverse.
You know, law enforcement's an interesting thing because a lot of times, and especially in the cases that we work, there's not much law enforcement is really gonna do for you. Okay.
Um, unless it's one of these, I mean, there is the, the oddball exception, if there's a new variant or if you're a larger MSP, we've seen 'em get involved, but not getting involved from the standpoint of they're standing in your office working the actual case with you more from, hey, they want all the information that you can gather for them so they can collect that information and move on. I mean, typically local law enforcement's not gonna do anything from you.
Maybe the only exception could be New York City, but you know, overall, you, you, you definitely, it's up to you. And, and of course your attorney will advise you on this as well as, you know, when and, and how to let law enforcement know now. So that, that's kind of that point.
I mean, we we're working an interesting case right now where, um, the attackers did not state that they stole information whatsoever, but I think what ended up was the attackers screwed up and how they encrypted the environment and because of the way they did it, they ended up getting a lot less money than they thought they were gonna get.
So basically, I think they were looking for a big chunk of change in the, uh, double digits of Bitcoin, and they ended up getting one Bitcoin, uh, just 'cause of the way they screwed things up. And so they got p****d off about it, and they decided to, after the fact say, oh, by the way, uh, we stole some data. And we're like, uh, that seems kind of weird. Most people don't tell us that after the fact. They kind of tell us ahead to kind of justify why there're put so much money out there.
And so unfortunately in this particular case, uh, I can't get into two specifics, but they provided some links and those do not appear to be anything related, but they provided links indicating, uh, some pornographic nature of an underage guy. And so when something like that comes into play, law enforcement comes in immediately. So I do not wanna underscore that you never call them, but there are cases, sometimes insider issues and that type of thing.
We've been involved in a number of those cases where we think a former employee, there's a, you know, clear signs that they were involved. And so you do want to bring them in. But again, I think that is really more for an attorney to advise you on. So I'm giving you some examples, but that's where you really want to lean on your attorney as much as you can. Now, going back to, you know, kind of where the question is is, is what is an incident?
And I, you know, it's, it's a, maybe somebody has a better one, but if you just don't know, I think it's worth calling it an incident. You know what I mean? So, I mean, if it's something clear that you see an alert on, and that makes sense, you know, an account was created who created that account? Oh, Edward, I created the account yesterday to do this and this and that, or there's some evidence in the ticket. Okay?
But if you have like the example in the Q&A where there's an unknown SQL account and no one knows what's really about it, I think it right there, right there in that point is where you, you, you start to handle it as an incident. Now, again, an incident doesn't mean, just like Wes had talked about, it doesn't mean there's actual breach or even an actual attack. It means that you're initiating this process to investigate this event. And that's where preservation comes in, right?
That's where you're gonna say, Hey, look, we are, the, the world is stopping for however long we needed to do to make sure that we have something from a preservation, a snapshot, or collecting evidence whatever's necessary on this box just in case when we start to bring someone in to help us analyze it, that we have everything and we don't destroy anything.
And so, I know I was on something else last week, and the number one thing is when MSPs kind of go on their own to try to figure it out, because we're all problem solvers by, by nature, uh, that's where we kind of bite ourself. And so at that point you're like, Hey, look, see something weird. Let's make sure we have firewall logs. Let's make sure we do whatever we need to, uh, on that server.
And let's start, you know, detailing as much information as we can around just an a, you know, a preliminary analysis if you wanna call it that. Excellent. Thank you Chris. Um, got a few more to bring up here. So I'm gonna, um, let you continue to chat with Tim and the other folks out there in the community. All right. Really appreciate you coming on as always. Not a problem, Andrew, why? We've got one, one more, right? That we're bringing on up Two. I got two, two more.
So what, while we bring 'em on up, I would, I would thumbs up the celebrating the incidents, right? Um, sometimes it's just great about being able to show your history of how you respond. I've seen a handful of these go into court where like expert witness type, uh, testimony was needed and sometimes it's that history of even when the issue wasn't, you know, a breach. We still respond in this process that we follow no matter what goes great for establishing your credibility.
So I'll, I'll double down on that. Okay, great. Great advice. Hey, Kevin. Hey Kevin. How are you? I'm Well, how are you? Good, good. You in the office today, huh? It the home office? Yeah. Got dogs running around and electricians and fun work from home day. Well, I appreciate you jumping on for a few minutes here with us, Kevin. Um, your questions come in the form of, I think just one level setting for people regarding dark web is not everybody knows what Tor is.
So can you give us, you know, maybe just an overview of what, what is Tor? And then the other is how does a company like yours stay up to date? You know, like I see you guys constantly publishing information and you know, there's a lot obviously, you know, infinite amount going on out there. But that, those were the questions I got around, you know, your your domain expertise. Cool. Now, uh, so starting with Tor, right?
So it's a, it's an, an area of the internet that you're not gonna access through your typical browsers, like your Chrome or Firefox, uh, Edge. Uh, you'll use something like a, a Tor browser, like torproject.org.
Um, but, uh, use a Tor browser and, and, you know, you're, uh, let's say up and running in minutes, you gotta be very careful when you're using such, uh, such browsers, uh, when you're setting 'em up and, and, and searching as you can immediately, uh, expose a lot of things, your privacy.
Um, and so generally we, we recommend people stay away from it unless you have a really compelling reason or, or, um, uh, or it's part of a, a job requirement, uh, you know, with regular folks just going out there trying to access, you know, markets and forums and what have you. Um, just because of, of privacy for one, um, ways we stay up to date. I mean, it's, it's like anything, it's a whack-a-mole, it's a moving target. Um, some markets are up, some markets are down.
Generally speaking, a lot of markets are down lately. Um, I think, uh, uh, can you explain, Can you explain what what you mean by that, Kevin? Yeah, I mean, you know, so the idea behind Tor or just the, the, the deep web, dark web is that it's, it is an anonymous way to communicate, anonymous way to, you know, provide data, get data out there and, and an anonymous way just to interact even, you know, provide e-commerce, what have you.
The term dark web came about, you know, is it, you know, because people realize that it's anonymous and you can go out there and do very bad things. Um, and it's often hard to track back, you know, who's doing the very bad things or selling the very bad things, uh, that are out there, right? Uh, so law enforcement has gotten, you know, wicked good at detecting and tracing and interjecting and, and eventually shutting down these markets.
And so you saw this mass proliferation of markets and a lot of, you know, sensationalism over the last couple years. Um, and you've seen a, a big, you know, a big, um, push from law enforcement to crack down on pedophilia sites on, you know, illicit or illegal drug, uh, transactions or, or e-commerce sites, I think you guys have talked about earlier. I mean, it's, this stuff is very, very well organized, very well funded, well organized.
And it's almost like going on to, in some of these forums or some of these marketplace is going on in amazon.com and you have, you know, ratings, reviews provide feedback, you have customer support or what have you. But in general, um, you know, most of you know, so there've been, you know, dozens and dozens of markets here, um, over the last, uh, couple years that gained a lot of traction and popularity and, and shut down quickly.
Some have been mirrored and moved over to another area and, and they're up and running, but, and that's part of that whack-a-Mole. So it's, you know, in, in general, I think, um, you know, law enforcement's doing a pretty darn good job of catching up, uh, to the areas that are really, really bad. And then, you know, where they can monitoring as much as they can. Uh, the areas that are, are less offensive or less, uh, I don't know, hostile or salacious, I guess. Got it. Got it.
Um, you, you know, just in closing, Kevin, well one, always thank you so much for coming on two, um, I, I love what you guys send out every week. How do people get, can you explain that in closing? What, what can people do to get that, that, that, um, information? 'cause I think it's really useful. Yeah. So we try to, uh, on a weekly basis, you know, aggregate everything that we're seeing out there.
So we're looking at, you know, all the, all the, the breaches, all the notifications who's actually gone out there and acknowledged they've had a public or they've had a breach. Um, it's one of the tricks that we have, the challenges we have, we're able to find so much data, um, it looked like it could be attributable to a specific organization.
And so there's often, you know, giving folks a heads up that this is out there and, and, you know, you want them to be able to acknowledge, you know, publicly before you start going out there and, and putting, you know, people on notice. So there's a lot of that going back and forth. But, you know, in general, we're, we're trying to harvest as much data and find out as much relevant information that we can package and bring back to the community.
So we've published a, a essentially a report review week called the Week in Breach. And so we'll summarize, we'll summarize some of the smallest of the small, because there are so many of 'em, and we'll publish or, you know, talk about some of the larger ones that are out there as well that you'll, you'll pick up on a, on a, you know, the, the news, the cable news outlets or just the general, you know, uh, publications out on the internet.
So it's a tool that we developed that helps our partners, you know, our MSPs, you know, you know, show value to their customers, say, Hey, you know, they can repurpose this Week in Breach and send it out as their newsletter, let their, you know, customers know what's going on and keeping them up to date on all the things that are, are, are bad in the world, unfortunately. So try to, you know, bring about the awareness as much as we can on a weekly basis. Fantastic.
Well, if you could throw it in the chat how people can sign up and get that, that would, that would be great. I really appreciate it and always great to have you on with us, Kevin. Absolutely. Cool. Will do. Chris, would the, uh, appreciate letting me come on. Oh, always. Ha. Great to have you. All right, so lastly we'll bring up Ken on data security. Um, While you're doing that, it's fascinating right, to hear like, you know, how advanced everything is, right?
That really what he's explaining on the dark web is very well organized, mature, you know, process, right? In exchanging things. Yeah. It's Market. Ken. Hey, how's it going? How are you? Glad to see the minions are backwards. You bet. So Ken, here's some questions around data security. Sure. Um, so, you know, hey, we understand the importance of data security, um, but we have trouble with our clients paying more.
Gary, this is kind of to you too, clients paying more for our services to provide it, which is kind of ironic when you think about it, like, isn't that the most important stuff? But, um, uh, yeah. Uh, you know, so, um, do you, do you hear that a lot, Ken? And if so, um, do you get the, how are other MSPs ha you know, how are other MSPs doing it? How are they bundling in or selling data security?
Yeah, we, we absolutely hear that all the time as a vendor, and we have this conversation quite a bit with our partners and our MSP partners that are successful. And, and Gary, this goes right back to what you were saying earlier, is not a shotgun approach, right? They're kind of creating what they call an ideal customer profile, right? And that's by vertical, by size and where there's actually gonna be a fit and a need for it, especially with, uh, gaining a return on their investment.
And kind of breaking that into twofold, um, I think the go-to market strategy for new clients is much easier. You can be it in that CCOs, you know, say, uh, here's what I'm doing versus as we've been talking about all day the competition and, and why my price is set where it's at. But there's also that upsell to their current client base, right? And that can kind of be a little bit tougher sometimes.
And, um, one of the things they're going to, uh, say with those clients is, you know, how can I protect what I don't know? Uh, when you're looking at data specifically, uh, from a security standpoint, I mean, it's changing every day. It's modified, it's created, it's moving. Uh, so how can they do that?
And interestingly, some of our partners have adopted kind of a cool strategy of when they go to not maybe necessarily pitch it, but recommend, uh, the upsell in their security stack, whatever it might be, they're documenting that recommendation. So it's become kind of a, what the term is a CYA, but now we're looking at it A CYB, right? Cover your business.
Um, and what they're also too, in identifying too, in this case is sometimes the drainers there, there's a few legacy customers out there that might be draining their business, not willing to move forward with them. They leave their MSP at risk as we're talking about with the RMMs and, and the vulnerabilities excess there. But, uh, sometimes some of those legacy customers just are no longer profitable too. Got it. Gary, any any thoughts around that?
Like, just, I mean, again, you know, pulling, you know, just taking a step back, you're like, how, how can you not say your data is worth paying more for? And you know, we've, we're these IT companies, legacy IT companies that really didn't focus on data, we focused on really the plumbing, if you will, Infrastructure. Yeah.
Look a high level, I would think of two or three things, you know, considering the fact that 80% of what happens on a sales call with a customer or a prospect happens before you walk through the door. Okay? It's not everybody wants to be trained on what to say, but it, you know what to say. And the way that you get there is from, is two things. One, um, you, you, you build culture and process where you see the amount of work that takes to really secure a customer.
And then two, you have command over the cost factors so you actually know what it costs. So when you know what it takes to protect the customer, you know, and you understand your business, it's really easy when you walk through that door, um, to be able to get in front of a customer and, and again, be able to create value.
And, and again, if you have the last thing, which is always remembering what a small cost we are, uh, as MSPs to the overall cost of any business we work through, that's the third leg. And amazing things happen as you push forward with this. You look back and you think, wow, it's easier to sell at $180 a seat than when I was selling at 120 and I couldn't get any separation and customers wouldn't spend five more cents with me. Hmm, Right. Interesting.
Yeah, because there's no differentiation between 120 and 125 hypothe. Now I'm all fired up. Me too, Gary, Ken. Lastly, is there any low hanging fruit people should look for for, for example, you know, I'm gonna give you a software here, but regulated, why, you know, if you could share with that, you know, preparing for audits and things like that, why is it that, that they're gonna probably go be a lot lower hanging fruit for these people? Yeah, absolutely.
So, I mean, regulated, when you start looking at compliance overall, it's, uh, you know, the basics to try and protect the business. It's good hygiene, um, it's least privilege model who has access to what, what changes are going on. And really, when you start looking at all those security defenses that you're talking about, and that hygiene, it's to protect the data, right?
Uh, so yes, obviously you're looking at, you know, from HIPAA to PCI to all those different regulations that are out there.
What we're seeing right now is the financial industry lending mortgage, people that have a lot of data on the consumer are big hits and big wins for MSP partners that are protecting, uh, even the, you know, the smaller credit unions out there. Um, so there's definitely some markets that are transitioning quicker than others, um, in the SMB space. Because, is that because of the data privacy, the consumer data privacy laws that are forcing these companies now to have to be ready to handle that?
Yeah, and it's kind of been an eye-opener for them on the larger side, uh, of data, right? So once it affects their consumer, affects their consumers, which ends up affecting their business real quick, now it's like, uh, oh, how do I go find it? And that aha moment comes up of, I don't actually know where all of it is. And unfortunately, it's, it's, it's on the move, right? Because so many are migrating from on-prem to in the cloud and, um, you just gotta have a really good handle of it.
Awesome. Alright, thank you, Ken. Um, I'm gonna move you back over and, um, really appreciate you coming on as always. Great. All right. Take care. All Take care, Ken. Um, does anybody want to come on screen? Gary? Kyle, do you guys have a few more minutes? Yeah, um, I do. There's been some awesome chat. I I, I'm normally quiet today, but, uh, chat has kept me busy, so, uh, it'd be cool to get some of that out of the chat room. Anybody wanna, anyone wanna pop up?
Raise your, you know, uh, I'll look in chat. Anyone brave enough to come on and got a question for the folks here? I mean, really, you only have to be wearing a shirt, right? Uh, you know, there's no standup rule here. Yeah, Yeah. You don't have to wear shoes. That's exactly where I was going, Gary. Yeah, No shirt, no shoes, no dice. All right. Well, doesn't look like anything's coming in. Let me, um, let me get Wes and we'll close things on out here. This was, I, what'd you think, Gary?
I'll start with you. Yeah, good. And I'm, I'm hoping that people, if they're new to this, if you can go back and listen to some of the prior episodes and you can really start to feel what it feels like to have this much time and attention in your business. Like, it'll be clear about where you need to be and where you are.
And as you close that gap, um, assuming you have command over those cost drivers, you're gonna see everything and see your sales process change, your margins, change a lot of good things, uh, while your risk profile and your customer's risk profile is going down. Yeah, Actually, Kyle, it's Going down. Um, I think probably what's, uh, for me, there was a couple first on this episode. One is the recurring theme of us mentioning things and being able to elaborate.
There was a couple of those that actually got to turn into action today. For instance, we've talked about vendor risks before, but got to give more specific advice in regards to very specific vulnerabilities. Yeah, the other one that really got me excited was, you know, somebody act asking for tactical advice. Obviously Chris and Wes both on here to give very specific, I think you're having an incident doesn't mean you're having a breach. Let's err on that side of caution.
And then the last piece is, you know, Gary always wins when it comes to some of the sales analogies, but probably what got me most excited today was just the very simple, like, look, you're putting all these things in place. You're doing some of the stuff you're learning on the cyber call, but just bringing it back to home of this is how you truly sell, this is how you actually make a difference.
For me, I think it's finally proof in the pudding that we're seven episodes in and the cyber call's paying off. It's, that's love, love the feedback. Wes, thanks for, um, for, for giving us, um, uh, the, some, some room here and hanging in the, uh, audience. Um, any takeaways for you? Uh, other than, uh, sorry I missed most of that. My audio's in and out, so, uh, no, other than, uh, hopefully the questions are good. Hopefully you guys enjoy that.
We're always wanting from a content perspective to go exactly what you guys want us to focus on. So we just noticed there were a bunch of questions rolling in and we thought, Hey, this week let's just tackle a bunch of those. So if you guys have more, uh, want us to get in depth into something we cover, but didn't feel like we got enough into, all we need is a plug from you. We just need your input and, and ideas. And that's what kind of makes this whole community come alive.
So that's just the only thing I wanted to plug, Andrew, is, uh, just continue to let us know the things you guys want to us to cover. 'cause that's what's most fun for us. Wes, one thing, I don't, I don't, I may have forgotten to answer this, and the one person out there, I, I just saw it. Did I ask you about the, um, false positive events and things like that for a soc? Wes, you there? He's having audio issues. Oh, is he? We maybe Tee it up for next week. Okay.
Yeah, there's a question here on we get Some time on that. That's a good question. Yeah. Yeah, yeah. And I'm sorry for the person that asked it. Um, okay. Um, lastly, can you guys who are still on, we still have, uh, 150 down, I don't know, 153, um, but we had a packed house today. Um, love it. If you could let us know some additional things you would like to, um, hear about from, you know, this great group of, uh, practitioners. Uh, email me, um, I'll put it in here, Andrew at code Red Msp.
P And great question you asked like, Hey, are you using things in your business? Seems like a lot of people are. We'd love to hear about that so that other people can hear what people are taking away, how they're using some of the concepts in their business. Yeah. That and anything like that.
Because again, if you're thinking it, believe me, um, you know, again, I I spent five years with Gary, if you're thinking it, you know, and speaking with thousands of MSPs when I was with Gary, others are as well. Um, and so if we can bring those questions up and everybody can start to collaborate on, it's only gonna, you know, rising tide floats all boats. So About actually making changes Yeah. In your business, right? Yeah. Um, uh, do we have time for, um, uh, Mr. Cardell? How are you, sir?
Good to see you out there. Any thoughts on the 6 21 statement? Wes, this might be something, uh, or to any, anybody, uh, on statement on their security trust site. Do you guys know about that? Any comment or should we leave that for next time? So this is a topic that Wes and I both have direct knowledge of this vulnerability.
Um, long story short, ConnectWise has temporarily disconnected some authentication, uh, to prevent a more or less a, a, a, a lucky guess slash targeted attack, being able to have access to some of your clients' tickets. Uh, I'm gonna let ConnectWise publicly disclose the rest of that as it gets patched. But, uh, multiple of us on here have already tested this vulnerability. I wasn't even aware that ConnectWise made it public.
Um, and on Friday it was when we first, uh, became aware of it at, uh, Huntress. Okay. Was this, uh, was this the managed, uh, piece, the one you're talking about now, Kyle, That that's exactly what it is. So, uh, for those that aren't there or haven't seen it, I'll, I'll post the link on, uh, ConnectWise's page, but that's exactly it. It's Okay. Wes, so you, did you get audio back? I think so. Can you hear Me? Yeah, we can. But major poo. Uh, well with that, um, appreciate everyone's time.
Uh, our, our, our, our community keeps growing. Please share it. Um, as it continues to grow. We're only helping each other. Um, so I want to thank everyone out there as always, Gary, Wes, Kyle, Chris, Mike, uh, and Ken, and all of the folks that contribute their time to help everybody. Um, this is our community and making each other. Oh, and Kevin, my good. Thank goodness, Kevin Lancaster, thank you as well. So with that, everybody signing off. Have a fantastic week.