CyberCall – May 11th, 2020
In this video, Andrew Morgan, Gary Pica, Kyle Hanslovan, and Wes Spencer discuss the evolving challenges and solutions in cybersecurity, particularly focusing on vulnerability management and incident response playbooks. They highlight the importance of preparedness, sharing insights on sales culture, security practices, and lessons learned from incidents like the Zoom credential stuffing case. The conversation aims to equip MSPs with strategies to enhance their cybersecurity offerings and better protect their clients.
- The importance of having a sales culture and security culture in MSPs to drive business success during challenging times.
- The significance of incident response playbooks to guide actions during cybersecurity incidents and the need for preparation and sharing of experiences to improve collective security practices.
- The emerging challenges in vulnerability management due to the increase in vulnerability data and the need for MSPs to adapt their services to include comprehensive vulnerability management.
Video Transcript
All right, we're live, and, uh, we'll give it a minute here or two. We're at, uh, just, uh, right at the top of the hour. Welcome everybody. Andrew Morgan here with the, uh, the crew. Gary Pica, Kyle Hanslovan, and Wes Spencer. Thanks for, uh, joining us again for episode two. And, um, like I said, we'll give it a minute here or so. Gary, any, uh, anything you'd like to share about the weekend here or what's been going on in your world up in Philly? How was Mother's Day? Mother's Day was good.
Saturday, it was winter here. It was like in the high thirties with wind uhhuh. Like it was literally winter. Okay. And then yesterday, uh, it got up into the sixties and was sunny. Got to do some stuff outside, but, uh, it's not, yeah, come on. We're in a pandemic. At least give us some warm weather. I was just talking to Kevin Lancaster. He said it's doing nothing but raining, uh, where he's, so Kyle, how was, how was everything in your world?
I, I lucked out on good weather, made some, uh, some strawberry pancakes for the, the, the mom, the wife, and, uh, kids. Gotta spoil her a little bit, but, uh, at the end of the day, it's as good as you could get for a pandemic Mother's day. Good. Awesome. Good, good. Wes? Hey, I'm doing great. We had a great mother's day. We didn't do the beach. We thought about the beach, but it was way too packed, so, uh, we stayed away and stayed home. Good. Appreciate it.
Alright, well, hey, we'll get going here. Um, people are, you know, trickling in and, um, but, uh, we'll kick kick things on off. I'll, I'll mention, um, kind of a little bit about the agenda. Today's lineup, I put that in over on the right hand side in the chat area, you'll see Kyle just, uh, where Kyle just posted. Um, we're gonna do our best today to not switch PowerPoints on and off.
So we'll put, um, URLs over in the chat area so when someone's presenting, you'll be able to refer to their slides from that perspective. Um, I put a poll in real quick to find out if you guys like the research roundup email that I had sent out post the last event, and love your feedback there. Um, there's a few polls we'll be putting out shortly, uh, as well. So the lineup today, um, I'm just gonna give a, the agenda.
I'm gonna go over just a, a, a few brief things I'd like to touch on, and I'm gonna hand it over to Gary. Gary's got, um, some interesting, I think you're gonna talk about some interesting statistics, some stats of a survey you did, right, Gary last week? Yes. On, uh, on your members and, right, Actually, yeah. Pretty interesting I think about where we are. And I'm gonna extrapolate it into some other things about business and life. Excellent. And then Kyle and maybe security. Go. Yeah. Good.
And then Kyle, um, you're gonna be talking about encryption keys and why they matter, I guess. Yeah, they, the way that we respond to incidents, so I think that'll be, uh, that'll be fun for all of us, especially this week's topic. Great. Um, we're gonna be moving on from there, Kyle, to Wes, who got quite a bit of interest in, um, playbooks last week, Wes, and, you know, I saw your, the deck that we're gonna link out to, that looks really, really enticing.
Um, anything you'd like to share there, Wes? On the, no, I'll just tease it in five seconds by saying, I think MSPs are really interested in playbooks and how would I handle the preparation side of some kind of incident. And we've got great feedback on that in the last call. So we're gonna dive into it and, uh, my little five minute session should be fun. Great.
And then on the sideline we have Kevin Lancaster, uh, CEO of ID Agent, who's gonna be talking from, uh, the dark web perspective on Microsoft Teams and what's going on out there. And then, um, Steve Carter, uh, the co-founder of Nucleus Security on, uh, what on vulnerability management for SMBs. Just a, a quick overview. I'll do this right now. Um, again, while we have people coming in, you know, a little about Kevin, who don't, people that don't know Kevin, CEO co-founder of ID Agent.
Um, he's a career entrepreneur. Um, he was, his team was hired by the Office of Personnel Management, uh, to restore and protect the identities of 4.2 million government employees whose, uh, whose, um, uh, identities were compromised by the most damaging, uh, data breach in US history. Um, he had a passion to bring that kind of, um, uh, uh, technology and service down to the small to medium business. And hence his, uh, uh, spawning of ID Agent.
Uh, Steve Carter, who's gonna be, uh, with us on vulnerability management, has 20 years providing vulnerability management programs and software to DOD and, and the intelligence community as a defense contractor started Nucleus in 2018. Uh, they developed technology to solve vulnerability management programs that he experienced in his career. So Steve's got experience both private and public sectors, and we're gonna be looking forward to having him on.
The thing I wanted to touch on briefly is, um, an article I read in Forbes, which was, uh, cybersecurity and COVID-19, the first, uh, a hundred days. And, um, just the few quick things, and I put, I'll put the link out there that I found note noteworthy was what Kyle spoke about last week in terms of the infinite game, which was, you know, criminals have been matching their scams to the news, um, you know, with detections skyrocketing during the first weeks of reports of COVID-19 infection.
And, and, you know, you saw it, it immediately, what the article talk talks about is how when the UK and Australia locked down the spoofs of the WHO, uh, safety COVID-19 awareness, uh, emails just came flourishing out. Um, what Gary also spoke about, which was in a sense, notated in this. It said many companies had a rush imp, uh, to implement a work from home process with staff that had never had any cybersecurity awareness training, which obviously had a negative impact.
Um, and lastly, what Ken Tripp from networks talked about last week, which was the adherence to good cybersecurity hygiene practices wane over time, if not delivered, um, reg on a regular basis. So Gary, I'm gonna pose a question to the audience and then hand this to you to kick things off. And that is, you know, businesses think nothing of spending four and $500 on attorney, um, yet prior to COVID-19, they typically view it as, uh, IT and cyber related items as an expense, not an investment.
Um, so my question is, what if you believed you were worth more than an attorney or a CPA? And what if you thought you were able to command four to $500 per hour performing a business impact analysis or a risk assessment, um, what would that do to your belief system and do you think you'd be able to sell more? So thoughts on that, Gary? And with that, I'll let you take it on over. Yeah, yeah.
It kind of dovetails into what I want to talk about in my little segment around business, um, and how much of what you said has to do with, um, belief right in, in your value and the value we bring relative to the companies that we, that we work with. So, you know, I said last week that this pandemic would accelerate, uh, the, the results gap that we've seen slowly over the past few years, how well top performing MSPs do and average MSPs. The, the, the, the gap between those two.
And, and so I did a survey, uh, last week of over a hundred MSPs and I asked them about sales performance specifically how many FTAs or first time appointments, that would be a new lead, someone you're talking to the first time. So we'll, we'll call that an FTA are you generating during the pandemic? And I said, more than before the pandemic, uh, about the same, less I'm having no luck or I'm not even trying. Okay.
And the top third of respondents, they said that they were, uh, the same or better in terms of their lead generation. Right now, they've made the pivot. The bottom third are having no luck or not even trying. So think about this. We're all living in the same pandemic with the same issues, and a third of the people are doing the same or better in terms of sales, right? And a third, you know, no bueno. Okay. And what's the difference between the two?
Well, as I dug in a little further, a little part of it was companies that had not a big sales team, I'm not talking about that, but they had some culture around sales. Mm-Hmm. In other words that they had at least goals. They had some activities that aligned to the goals. They track them, even if it's only an owner and maybe alone or with an inside sales person or a marketing. It might be very small, but they still had that culture, right? That you don't need scale in order to do.
And I started thinking about that and what we talked about last week, that security is the same way, right? If you are having to do things now and you didn't before, it's just like with sales, if you don't have a culture around security, so here's an example how those two things play together, right? Uh, I have one of my members that's combining sales and security cultures on this, uh, their professional services revenue and their MSP, and they're about a four or $5 million
MSP, was down in April. About 50% of people just saying, wait a minute, I wanna put that on hold. What they did was they rallied around and they took a different approach and they said they came up with a project on multifactor authentication that they've been putting off, right? With their customers. It averages about five to $7,000 per they went, started going out and making the recommendation right? In their vCIO process to every customer, nine of the first 12 accepted the recommendation.
They weren't willing to spend 30,000 on that upgrade project, but they were willing to spend five to seven on something that was security related. They're gonna replace all their revenue. They have two more of these behind them that they're gonna put behind them. And so, you know, it just tells you the approach, the culture you have, how you feel your value is, it combines all those things in that example.
And so what I wanna say is, you know, customers, people are just saying like, well, customers won't buy or customers won't invest. They will make smart investments. And if you're not using the current situation to better secure your customers and open up new opportunities, you gotta think about your culture right now and it needs to change. Is everybody with me on this? Absolutely. Yeah.
Gary, I'm, I'm chatting right now with some of the people on, on the live chat, and I was, uh, telling stories about, you know, every time I see my, you know, legal counsel's fees, but somehow those lawyers convinced us to invest in doing the right thing. Now, I, I feel somewhere along the lines, we probably gotta get that accomplished for the IT side, convincing them like, look, if you make this investment right now, it'll save you in the long run.
The same reason I invest in my legal counsel to do it, right. So I don't get bit in the future. Yeah. And, and listen, right now, if some laws changed, right? Your accountant or your lawyer, they would come to you and tell you to make decisions right now. Well, we changed a lot of environments of MSPs.
If we're not going back both in our offering and what, what we need to do in our offering as well as these kind of projects, we're not really, you know, we're not really keeping up with our responsibilities to our customer right now. We're letting them down. Right? Right. And, you know, Gary, if there were regulations and things like, you know, if we were doctors in this industry or some type of regulated environment, you'd, you'd think nothing of it. You just go in and say, we need to do this.
And you're Absolutely, absolutely. And five to $7,000 project for most of the companies we deal with is not that big of a deal. So what, what can people out there right now take away, Gary? What should they do? What's, Yeah. So one thing, and I think they fit together, right? You have to know what to do technically. Hopefully you're gonna pick up a lot of great stuff from the experts. You have the best people here right, in the business about what to do. But then part of it is sales.
It's either a project or it's enhancement, and you gotta be able to sell that value. So you have to have a culture of security, but you also have a, have a culture of sales that's backed by the value of understanding the real value that we bring to people relative to supporting their business. We're more strategic right now than the accountant or the lawyer is because their technology is way more complex, Andrew, than their books for most of the customers. Yeah, I agree. I agree. Great job.
Gary. Kyle wife. Yeah, I'm ready to kick things off. And, uh, with that said, I, I joked earlier that I was gonna be throwing some shade in my, uh, my five minutes today. And that was just a, uh, you know, an allusion to the Shade ransomware authors who just released a whole bunch of decryption keys for the ransomware to GitHub. So, you know, keeping it punny, keeping it going.
For any of you that wanna learn a little bit more about this, I've just pasted a boatload of links, but the reason I'm bringing it up for is the business problem behind this. I can't tell you with my life living in incidents, right? This incidents that slip past prevention and looking for those, I can't tell you how important those first couple of minutes, hours, and days matter when you're in an incident.
And sometimes the actions that you respond will have, once again, like Gary was mentioning about your legal, your MSAs, your investments, and making sure you're showing value. The same thing can be said about incidents. If you do something wrong, it could cost you a whole lot more in the long run. A great example of this, for instance, the Shade ransomware authors, they claim to have released over 750,000 keys.
And part of the links that I pro, uh, provided was to their GitHub repos, which ironically was tore down this weekend. But where I'm going is, see if that number's real, 750,000 people uniquely infected, and all those master keys truly are working, how many of those 750,000 people do you think actually preserved their encrypted files? Right? So for instance, oftentimes it's, oh, I have backups, but they were only good for a couple days ago, right? That's a couple days of business lost.
And sometimes people, you know, throw away those encrypted files 'cause they're, they're not thinking about the long haul or the long run. Um, other times I wanted to share this was, uh, you know, going back and keeping on this theme of preserving things, uh, for the future. GandCrab was arguably one of the nastiest ransomware families in 2019 to 2018 when they went outta business or they claimed to go outta business.
Uh, what was interesting is FBI, Europol and the vendor Bitdefender came together and they believe, uh, you know, the, the rumor for all the security people is FBI, Europol and Bitdefender managed to gain access to the back end of the Bitdefender servers, captured some of the decryption keys as the rumor, and then released this decryptor. And what was wild about it is, once again, there were plenty of people that had these files ransom, and they said, sorry, you didn't have backups.
We're just gonna wipe and reload. But nobody kept that hard drive full of those files. And let's be real in 2020. There's not a lot of these decryption tools that come out from time to time. But it's always wild that if you think about it in those moments of restoring sometimes just the little actions that you can take and set you up for success in the future. I'll give one more example of, of this, of how this actually plays out.
And then I'll, I'll I'll, you know, end with a little bit of q and a for, uh, you know, my, my fellow analysts here on this call. So, uh, when WannaCry, we all heard about WannaCry. That was supposedly that, you know, that NSA tool that was repurposed, uh, for the initial access. It was used to infect all kinds of computers. And supposedly the North Koreans were behind that as a chance for the hermit kingdom to make a little Bitcoin, right?
What was wild is some researchers found during the middle of that incident that if you left the computer on, because of the way that the hackers implemented the private key that was used to encrypt your files, that key was still floating in memory. And I just pos uh, posted a whole bunch of links to the tools that were used to scrape that key from memory.
But what happens is, almost right away, our own guidance tells us even best practices, as soon as you're infected, isolate that computer from the network. Sometimes we talk about unplugging the computer or powering it off, but if you make some of those knee-jerk reactions, even if they are the best practice, sometimes it actually can hinder you.
And for those of you that immediately shut down that WannaCry computer, it actually wiped your private key password that was in memory as a chance, you know, and it, it prevented your chance from restoring. So let's distill this back down to the business case, right?
So, 'cause ransomware is that I can't tell you how often when there's truly an incident that I've been on some, like large citywide incidents where people didn't actually have the remote administration capability to shut down like a core switch or router.
And I can't tell you when stuff is moving laterally this way, someone had to roll a truck, which effectively allowed this malware propagating to infect tens, twenties, thirties, more sites, not computers sites to allow it to spread from a single city to a multi-county type incident of we've seen these happen.
So you need to really be thinking about all this in your business that when something hits the fan, like the proverbial it, which is going to segue, I imagine into some of our playbook conversation later, if you don't have that plan ready to go, I'm arguing, right? We all know that your plan doesn't survive first impact, but if you haven't even considered what you're gonna do, there's no chance you're gonna be able to adapt that plan for success.
And that, uh, more or less will conclude my, uh, five minute rant this week. Thanks Kyle. Really good, Gary. Really good. Something you want? No, it's just like, uh, it's funny, I, I equate everything back to sales, right? Because to me it's all the same. And what I always tell people in sales is that 80% of what happens on a sales call happens before you walk through the door, right? Right.
And it's kind of equating to what Kyle is saying is that not only do you have to be prepared, but you gotta be doing some drills the same way. You know, we're doing, uh, you know, in sales we're doing, uh, you know, role plays and whatnot. Prepare for that one time that's important. Again, sales calls aren't so important. You know, prospects are like potato chips, right? There's always another one in the bag. Uh, and everyone is salty and delicious.
Um, it's not putting your business at risk or your customer's business at risk if you s**t the bed on a, on a sales call, right? So this is much more serious and that one time comes right, and you get one chance and you get one instance to make the right decis decisions and not have those unintended consequences that are potentially disastrous. So really great point on that. Hopefully that changes people's perspective a little bit on This. Yeah.
And one thing I wanted to say too, Kyle, you gave me like the easiest gimme into my section. 'cause this just follows it perfectly. But, uh, something I get asked often is, well, how can we anticipate everything? Right? I could see an MSP thinking, okay, Kyle, you're right, but how could I anticipate making sure I've got access to that local switch? Right? Well, it's impossible to anticipate everything.
So as we have the playbooks that guide, one of the things we also need to do is, I think historically security people keep incidents too close to the chest of like, oh, no, I had an incident. I can't tell anyone. I hope no one knows. But when we share the outcome, we share the lessons learned. Those are extremely valuable for all of us to pick up on and say, I never thought about that. I hate that I have to learn from your like, trial by fire, but at least I can learn.
So having a community by which we communicate these best practices and we communicate the aftermath, that is really valuable. Awesome. Wes, you're on up and, uh, I put, I put your link in there. I'll put it in here again, uh, below Kyle's, uh, last few posts, but there's your play, you know, quote unquote playbook for today. Um, and I'll let you take it away. Perfect. So here's what we're doing today.
I I got a lot of good feedback on the, the last week of, hey, we'd love to learn a little bit more about playbook. So I've got a really, it's, it's a several slides. We're not gonna go through all of it, but it's a, think of it as a leave behind. Grab that deck, use it as you want it. You, it may spur some questions. I've got some links for you all throughout it, but we're gonna talk about that and can we get that first poll question up?
I wanted to get some audience engagement coming back as well. I'm really curious to know how many of you guys are actually using playbooks of any kind right now? So, uh, fire back on that poll question. I wanna get some answers and results. Um, but let's talk about this for a minute. So like, why we even have, uh, playbook. So I don't know if you've thought about this before. I've been a CISO for a while.
Uh, I've been in IT leadership for a, a, a major portion of my career, and I've dealt with more than one incident. And, and I've been in situations where some incidents are like this flurry of activity. No one knows what to do next. It's difficult to focus and the outcome. All of that is you miss those critical things. Like, Kyle, you said it best just a second ago and you said, you know what? Those first moments are really, really important, uh, based upon what we do.
And, and, and I think there's some elements there to where if we're not truly prepared and we don't have some way to guide, we make mistakes and we go with gut feel. And, and most people, when the pressure is on them of like, I've gotta do this now I've gotta do this, right? This is not good. We don't think critically really well, do we? You guys see the same thing? I think. I think that's human, human nature, right? Uh, we get flustered, we get nervous, we make rush decisions.
Uh, you know, uh, that's why special forces operators will tell you there's nothing special about 'em. They're just masters of the basics. So they're cool, calm, and collected when things, uh, hit the fans. So I think that's just human nature. Okay, so this brings up what I wanted to talk about. Most of us, if you see the poll results, there are not using playbooks. So it probably, it's probably good reason for me to say, let's even define what a playbook is.
I kind of think, and you see this on my slide four if you're looking at my deck, but a playbook is a way to guide and bridge that gap between our policies and procedures, which most MSPs already have those tucked away. And then what we should do about it. And when we say like, automation and orchestration is one of the definitions I use there, don't think about it as like some very sophisticated automation, organ, organ, uh, uh, orchestration. Maybe it's something your RMM does.
Maybe it's just human automation. If things we immediately begin to do to collect, to think about, to report, to communicate, those are things. So like another way to look at it is, Hey, what is this problem? How big is this problem? Who needs to be involved with this problem? And how do we deal with it? Those are like the big things of what a playbook is all about. They're not super, super technical. They're more about what do we do in each of those next steps?
And I'll give you a really simple example of this. As a banker, one of the things that I produced for every branch of mine is what we called the cybersecurity branch Response Playbook. And this was, if you suspect you have a malware incident and you're trying to get a a hold of it and you don't know what to do, pull out the red folder. It's in every branch manager's office, it's red, it says cyber playbook on it. You pull it out and it's got pictures of do this, do this, do this, do this.
And we only had to use it once. But I, the feedback I got was that was extremely valuable because they, they had no idea what to do and how to handle it, right? So very procedurally based of what to do and how to handle it, if, if, uh, that makes sense. So I've got some examples of this. The thing to remember about a playbook is it's not exact science. These are living documents. They should always be thought through. They should be checked.
Like, just like we were mentioning before, we should be willing to update them to talk to others. You know, it'd be really awesome. I'd love to see a day when MSPs get together and they just bring their playbooks together and they learn from each other and they're like, Hey, what are you doing? How can I incorporate and add the things that you're doing into this? I never thought about X, Y, Z. Have you ever thought about A, B, C?
That's what we should do with these playbooks is really get all of them going. And so I've got examples for you in slide nine, I think it is. I've actually got a, uh, kind of a, a DDoS or a distributed denial of service playbook that just runs through those processes. And if you look at the slides, you'll see it's very procedural. It's very do this, then do this. If this thing is not done yet, then you've gotta go back and do this over here.
It organizes your thought processes, it makes sure everyone's on the same page. Make sure we're kind of, you know, operating together. Clearly sultry voice. I like that, Kyle. Thanks. So here's what I was asked to do is talk about data exfil. And I only have maybe 45 seconds to talk about this. So here's what I'm gonna say about data exfil. We mentioned on last week's call that a lot of ransomware authors are now shifting towards.
If you get hit by ransomware and some kinda like buffalo jump attack where all of your, your, your RMM is compromised, all of your clients are hit. One of the things they also do is grab your data. And if you don't pay up, they're gonna exfiltrate. They've already exfiltrated, but they're gonna leak it to everybody. And we ask that question among MSPs, how many of you prepared for this? How many of you're ready for it? And most people are like, not ready for that at all. So how do we prepare?
How do we think about it? Well, playbook's perfect for that. So I don't have the time to go through all of these, but if you go to incidentresponse.com, and I've got a link in the deck that you can kind of pick this up, it goes through a pretty verbose, and to be honest, probably too much information for an MSP, but at least it's that starting guide. And I'd rather start with too much than too little.
But what I really want to focus on is I kind of close my little segment, is this last slide of 17. There are things you really need to think about when it comes to data exfiltration. And if you talk to somebody like Chris Laer and you're, you, you know, as an incident response person, say, Hey, I'm under attack. I think they've got my data. I think they're, they're threatening to leak it. He's gonna have questions that come right out of the gate.
He's gonna say, do you have any healthcare clients? Do you have other clients that are regulated? And if so, are there guidances around all that data? And are you aware of how to handle that? Because regulated customers are different. What's your communication plan? What has been communicated so far? Who's providing that? Communication? Communication? He's gonna ask things like that. The things like how and when do you engage in law enforcement, insurance, incident response customers.
Uh, all of those questions are things that your playbook should be talking about and give guidance of who does what, when do we do it? How do we do it? And I know it takes some thinking and it's almost a little scary to tackle that at first, but it's really, really valuable in the middle of an incident. Great stuff, Wes. Great stuff. Your your playbook was your, your was one man. Spot on. Thank you. Wes, can I have you, um, go to the audience and I'll bring Steve up. You got it.
Uh, vulnerability management. Thank you so much. While you're doing that, you know, a couple things come up. I I don't have time to get into all of them, Andrew, but, uh, as I'm listening, two things came to mind. One, how much more we need to do today, how many more tasks, time process around security that didn't exist five years ago, right? And I still get people asking me like, what do you mean people are charging 175 a seat or 180? And I'm like, well, how are you not right?
'cause how, how we have to do everything we used to have to do and now we have to do all this. And then the second thing came up is he asked, the first question was about regulated customers. If you're not charging regulated customers at a different rate than non, you just heard it, the first question they ask is, you have to look at them and protect them differently. So, right. That's just two things I I picked up from that, that people should be thinking about. Yeah. Really good points.
Steve, welcome. Hey, Thank you. Thank you. It's great to be here, Andrew. Yeah, well, thanks for joining us. You, you are on for five. Thank you. Okay, awesome. Well, it's, uh, yeah, it's, uh, great to be here. And, um, oh, so By the way, my bad. Lemme just do that. What's real quick, let me get your slide deck up and I told everybody about you, Steve, and so, okay. Awesome. You can take it away here. Yeah.
So, so like mentioned earlier, I, I, uh, I have the privilege of working a lot with, uh, lots of different types of organizations to solve vulnerability management problems. And probably a third of our customers or so, are, are MSPs or MSSPs, uh, that provide some form of vulnerability management service to their customers, right?
So what I want to do is kind of share, uh, some thoughts on how I see the world of vulnerability management changing and, and honestly, some opportunities I see in this area for MSPs and MSSPs, uh, that are offering or planning to offer, uh, vulnerability management as a service, right? So, so, uh, you know, vulnerability, we all know vulnerability, vulnerability management has been around a long time. It was never an, uh, extremely, uh, interesting area of cybersecurity.
Uh, but the last few years, in the last few years, we've seen vulnerability management, tooling and practices changing a lot. Um, there's a lot of different reasons for that. I think probably the biggest reason is that we've seen a lot of new, uh, tools kind of, uh, emerge in the market to, uh, assess and, and identify vulnerabilities in all the new technologies we have, right? So things like containers, uh, container images, third party libraries, right?
We're seeing a lot more tools, uh, to, to discover vulnerabilities in, in that tech. Uh, but then on top of that, we've got this, um, uh, you know, this kind of widespread adoption that we're seeing of DevOps practices, right? So we're seeing, uh, much more continuous scanning where companies that were scanning maybe every quarter or every month, uh, in the past, now, a lot of 'em are scanning daily, sometimes multiple times a day if they've got, you know, dev teams and whatnot.
Um, so all of this, what all this really means is, uh, you know, you have, most organizations have a lot more vulnerability data to analyze, to triage, uh, to respond to than they did just a few years ago. And so that's kind of the reason why we're seeing, you know, this changing and, and this change in vulnerability management. And so, as a, you know, as an MSP and MSSP, um, you know, where do you begin? Where do you, what do you, what do you do? What's the next step?
Um, I like to tell people to take a look at, uh, something called the SANS Vulnerability Management Maturity Model. Um, came out, I think a few, maybe a few months ago, been a lot of vulnerability, vulnerability management maturity models out there. This is the best one that, that we've seen.
But it does a great job of helping you identify kind of where you're at, um, maturity wise with your vulnerability management program, and then what those things are that you should be doing to kind of get to the next level. Um, you know, I could literally spend days talking about the, the details of that model, but since I only have another minute or two, um, I'll just kind of hit on a couple of big ones, right? So asset inventory is, is a, is a great first step, right?
Um, it's, it's critical to have a, an accurate inventory if you're gonna do vulnerability management. Well, and it sounds like common sense, and it sounds really easy, but you know, in practice, we, we rarely see people doing this, right? Uh, and so you actually see a lot of new tools coming up to help you just with asset inventory, do a better job of that. Um, the second thing is, uh, prioritization and, and business context.
So the, the scanning vendors actually are doing a really good job of monitoring threat intel feeds, monitoring, vulnerability, intelligence, you know, basically prioritizing vulnerabilities correctly with the information they have. But what they're not doing a good job of is really taking to account, you know, which of your assets are hosting sensitive data? Which ones are the most valuable, which ones are the most mission critical?
And if you're not taking that into account, you really aren't prioritizing vulnerabilities correctly. Um, third thing I like to mention is KPIs. So once you go down this path of, uh, of vulnerability management maturity, right? You wanna start measuring things and monitoring things to see where you're doing well, where you're not doing well. Um, frequency of scanning is a big one. Um, your vulnerability scan coverage.
So what, what are you scanning versus what is in your is in your inventory, uh, time to remediate, you know, high, high critical, um, high severity vulnerabilities, things like that. You want to track these things over time. Um, I think, uh, a little shout to Wes here. He had a good video on LinkedIn last week about peer-based KPIs, uh, have resonated really well with me.
I mean, if you're offering a VM service to a number of clients that's in the same vertical, in the same industry, and you can do peer based KPIs, that's a huge bonus because yeah, I mean, business leaders and decision makers respond really well to that. They're really interested in how they're, you know, how they rank among, among their peers.
Um, Go, I didn't mean to interrupt Steve, but I, uh, I did, I did wanna ask, uh, you know, considering everybody work from home and we know, know thyself is the beginning of almost all of these things, before you could figure out, you know, what vulnerabilities do you have of what do you figure out, you know, like you mentioned at, uh, asset discovery and identification.
Any recommendations for some of those people who are now for the first times ever, maybe maintaining some of that work from home environment? It's a little bit different now that your appliance that used to sit on the network and sniff all the packets now isn't, you know, protecting people at home. Yeah, yeah. I mean, there's a bunch of tools out there, uh, that, that we've seen come to market that are, that do a really good job.
Um, you know, our, our software we develop, integrates with a bunch of, uh, a bunch of these types of tools. And I'm not here to plug that. Um, but there's a tool out there. Um, I think it's Axonius is a really good one. And the idea is that, you know, it can hook into every, you know, every source of, of inventory, right? Again, it can hook into your, you know, GitHub repositories. It can hook into endpoint, it can hook into everything and give you that kind of full picture of your inventory.
And then that, you know, that is what you would need to use to kind of compare, uh, and look at in your vulnerability management program to, to ensure you're getting that coverage. Well, look, Steve, you, that, that was awesome. I'd love to have you back for a part two, but I will say in, in my closing comments, this, it comes back to Gary. You know, Gary, I think a lot of people think a scanner is vulnerability management.
And to your point of having to charge more, and now you just talked about, you know, um, uh, regulated customers and where's their data and what's most critical, we're gonna have to change our mindsets as an industry in terms of what we charge, how we approach customers. Am I saying it correctly? And based on just what Steven gave us and what you just said? Yeah. I mean, each week now, right?
This is our second week, each expert, you can see what you need to do the perspective, you need to have the process in different areas, right? It's building, I think as we get into this over time, people will get a clearer and clearer picture of the commitment that this takes. And when you think about the average MSP that spends most of their time billing hours and closing tickets, you're gonna have to make space right? In your business, uh, you know, for this moving forward.
And you know, those people that I, that I've watched do that, yeah, they're, they're at 20, 30% on average higher seat price because they have to be, Right? And you're, They're the ones that sell the most and add the, because they have the highest value proposition to their customers. Sure.
And you're seeing, by the way, if you're a, you know, before we kind of collapse this, you're, if you're an MSSP, you think nothing of charging these much higher rates to do certain things, whether it's pen testing or et cetera, et cetera. Steve, that was awesome. Thank you so much. I'm gonna pull Kevin Lancaster in. That was great.
So Gary, obviously we're, we're bringing somebody up here, but in my mind, I can't help but think about like when you're billing per user, yet they go home and spreads, you know, the network is now twice as large. Right? How does that, uh, convenient billing model handle when you double somebody's network size and sprawl? That obviously is something we could maybe pull into like a, uh, future episode theme, for sure. Yeah. Yeah, absolutely. That's a great conversation to have.
You should, uh, Andrew, make a note of that one. Well say that one more time. I'll get it, Andrew. We'll get it. Got it. You Got it. Alright, thanks Kevin. Welcome. Hey, thanks for having me. Yeah, thanks for being here. You know, a few things about, uh, well, first of all, these two gentlemen on the, on the call here with you, but, uh, a little bit about, I was mentioning, uh, identity theft and working the largest case in, uh, the government history.
So love for you to take it away and, and bring us home here today. Yeah, just, just on that and thanks, uh, for having me. Um, I'm honored to be, uh, sharing, uh, the, uh, the stream here with, uh, such esteemed, uh, gentleman. So, thank you. Um, it's actually crazy to, to believe or think that it's been five years now. I think this month, we'll mark, five years since the, uh, the, the US government, the OPM data breaches, the two, uh, data breaches.
One was the current former, uh, government, uh, employees, the OPM, you know, one data breach. And the second one dealt with the SF 86 population. So 22 million, uh, additional, uh, individuals, uh, involved in that, uh, in that second data breach. So it's, it's actually kind of crazy. It's been five years now, but probably the worst, uh, thing about the fact that it's been five years we're thing is that, uh, our, our behaviors haven't changed.
Uh, we see this, you know, time to time again, and I think the topic that you, you'd, uh, suggested to talk about, uh, uh, related to, uh, to Zoom, right? And, uh, a lot of the challenges that Zoom has had here lately, uh, around credentials. But before I get into that, when I was researching, uh, you know, what Zoom has gone through over the last couple of months, uh, it's actually pretty, it's pretty, uh, incredible. Um, so here's a couple things that Zoom has been, uh, up against.
And keep in mind, these are all really self-inflicted issues. These, these don't just normally or generally deal with passwords, right? First thing is that they went out publicly as a publicly traded company, made false statements about the total number of users that they have. They sit somewhere in a neighborhood of 300 million users. Uh, and that 300 million users is really, they, they do about 300 million, um, hosted sessions a day, right?
So that's first thing, you know, out there, out there as a public company, uh, kind of making, uh, false statements. Second one is they got caught passing customer data to Facebook through the SDK and how they, how they exchange or handshake with, uh, with Facebook. So that's, you know, they got caught out for, uh, for sharing customer data. Uh, the third thing is that, uh, they, uh, have an integration, a dataminr integration within LinkedIn.
And, uh, that actually triggered an exploit within LinkedIn where you can see other people on, on sessions, you can see their profiles and what have you. So that's a third issue that they've had, uh, come public here the last couple of months. Couple more. Uh, they, uh, let's see. They've been obviously notoriously or, or infamously now known, uh, for Zoom bombing, right?
Where, you know, you can go out to GitHub, download, uh, uh, a nice, uh, a Zoom script and start, uh, Zoom bombing all these different, uh, Zoom sessions. Now, fortunately, they, they started putting passwords on by default for all these, uh, sessions. But, uh, you know, even my, my son was on a, on a Zoom session at the school, and they unfortunately had a, a, a really, uh, bad incident, uh, somebody hopping on and saying, you know, some very derogatory things.
And these are, you know, a bunch of young, uh, you know, seventh graders. So that's the next thing that they have dealt with, uh, in the last couple of, uh, last couple of weeks, you know, the Zoom bombing. Then it comes out that, uh, they do not provide end-to-end encryption on their platform. And all their servers are hosted in China, right? And most of their, uh, customers are based in North America.
So that's another kind of knock against, uh, Zoom here, and not that you'll keep piling on, but, um, you know, so they have these scripts running, and then, uh, then they have what was, you know, widely reported as a data breach, which really wasn't a data breach. What it was, was that some enterprising, uh, knuckleheads figured out that they could go back through billions of records of, of previous, you know, credential dumps from other third party data, data breaches.
They could normalize that data com, you know, combine it, blend it, and then they could start credential stuffing Zoom's, uh, Zoom servers, right? So they, at, uh, I guess at last count, or I guess when it was, uh, made public on April 1st, I believe, right? You thought it was a joke, but it wasn't, uh, at last count, they, uh, they had 530,000 successful ping backs for, for logging into the Zoom platform. And so, you know, the no normal circumstances, right?
Uh, a company that faces even one of those incidents, right? They, you know, are dragged through the coals. There's tremendous pressure. And I think this, what's really interesting right now is it's, it's actually, uh, we're seeing this through the, the lens of COVID, right? I mean, some of these are unsustainable events or, or catastrophic business ending events for some businesses.
And because everyone's really dependent on, on platforms like Zoom these days, you know, they've kind of, kind of skirted by while everyone's, uh, you know, thinking about, uh, social distancing, what have you. But the moral of the story, right, is that it's, it's, it's, it's the simple things, right? Um, it's part of what, uh, ID Agent was founded on, right?
Is, is making complex things very simplistic, making, you know, people understand that, hey, your email address and password is out on the dark web, and here it is, and you need to do something about it. So, uh, again, it's, it's, it's interesting.
Five years on right from OPM and all these other, you know, massive data breaches that you hear about, you know, you got, you know, you know, publicly traded companies still doing very, very, you know, stupid common, you know, unfortunate things, uh, that, that are exploiting, uh, you know, people and, and, uh, and exposing people, you know, day in and day out. So that's my, my rant for the week. I, I think the better your technology is, the more you get away with it, right?
Like the Zoom technology is really good. Like we use it in ways that I can't use anything else, and maybe especially during this, it buys you some things, but as you're going through all this, I'm wondering, you know, those are just obvious big things for a publicly traded company, right? And they're only being exposed, right, because of the publicity right now. But how many other software is in the same boat like that?
There's all these additional vulnerabilities that you don't even think that, you know, to ask about. And how many software programs we run and our customers run on a daily basis, and I'm guessing none of them are locked down completely, right? Right. Yeah, no, these are the salacious ones, right?
The ones that you hear about in the media, the big ones, the ones that deal with, you know, million, 500 million, billion credentials, you know, you'll hear, you know, you'll hear that, uh, make the, the nightly news and, and all the, uh, the websites, what have you. But you know, behind that there are thousands of smaller, you know, platforms that are compromised every day Yeah. That you don't hear about. Uh, and that, that's a shame, right?
And, and again, unfortunately, most of, generally speaking, most of them, you know, could have been avoided with just little more, uh, I don't know, some care and attention, right? And yeah, yeah, to your point, right, you know, 300 million, I think they went from like 10 million, um, uh, sessions a day to like 300 million or something like that, and, and a period several months. That's incredible.
I mean, so on one hand, yeah, scale is, is is tremendous, but, um, just some of the, the basics that they, that they forgot about along the way, really, you know, I think will ultimately come back to haunt them. And it's kind of goes back to what you said, Kyle, which is, when you think about all this, it just says that you, you know, you can't be prepared for everything, but you have to have your hands on the levers that you do control.
And preparedness is a big portion of how you do that, right? I'm right. I mean, preparation, preparation not a surprise, obviously. I think, uh, you know, there's a lot of things that you could pull away from the Zoom situation. A lot of things you could pull away from anybody's topics this week.
But considering our whole goal, right, is a a half hour to kick this thing off, I think this is a pretty great introduction to, you know, this week's headaches and things all of our partners and viewers could, uh, learn from. You Know, really good stuff. Andrew. Kevin, great job You guys. Thank you, uh, Kevin, I'll bring up Wes, thanks for coming on, and we'll close on out. Appreciate anything, uh, closing comments from you, Jen, and, uh, thank you. Thank you once again for, for being here.
Yeah. Gary, do you mind if I go first and maybe you take us out on some words? Go ahead. Mine would be just the, as episode number two, hopefully this evolution of how we conducted this week has already showed some, uh, adaptation and improvement on our end. We encourage everybody, like one the recorded, so you can always watch, but you could see in the chat it's interactive, it's live. I prepared a boatload of features and boatload of links for people that are, uh, watching this thing.
But, you know, invite your audience, invite your friends. We're gonna keep this going. One, uh, you know, I guess every Monday until the, uh, the cows come home or cybersecurity's solved. So, uh, I, I think that probably means we're gonna be here for a while, at least a few more weeks. Yeah. Wes, any, uh, thoughts from you? Hey, uh, I think the theme this week is be prepared, uh, be prepared for what could happen through playbooks.
Be prepared what's going on with your vendors and partners around you. Uh, that's the theme. Yeah. And, and to that point, what a great way to approach prospects and or our customers. Like how do you define, you know, how would you define cybersecurity success? I don't know if people can answer that. And then it leads you right into, let's talk about preparation. What are you doing today, Gary? Yeah, great job, Andrew.
I think each week will continue to evolve, but uh, you're starting to see each week a a we're painting a little picture, right? And people are staying up on things that are happening, getting different perspectives. And that's really where it starts understanding, having perspective and understanding the gap between which everybody has right now in security. Every MSP, the gap between where you are and, and, and where you would like to be, right?
There's no one that doesn't have some gap right now. Right? Really good, really great stuff. Everybody was on point today. Yeah, they were. Thank you everybody. Steven out there. That was wonderful. Kevin, Wes, Gary, Kyle, really appreciate you all. We'll see you next Monday. Thanks everybody. Take care, everyone.