Right of Boom
January 30, 2025

The Cybercall: Demystifying SASE & MIM Attacks

In this video, industry experts Andrew, Gary, and Robert discuss the transformative impact of Zero Trust Network Access (ZTNA) and Secure Access Service Edge (SASE) on modern cybersecurity practices. They delve into the challenges faced by Managed Service Providers (MSPs) in implementing these technologies, emphasizing the importance of securing remote access and protecting critical systems without relying on traditional VPNs. The conversation highlights real-world case studies, revealing the significant improvements in security posture and operational efficiency that can be achieved through strategic adoption of ZTNA and SASE solutions.

- The importance of Zero Trust Network Architecture (ZTNA) in enhancing cybersecurity by eliminating traditional VPNs and implementing role-based access controls.
- The significant role of human error in cybersecurity breaches, with up to 95% of attacks involving phishing tactics.
- The shifting landscape of IT security towards Secure Access Service Edge (SASE), emphasizing the need for secure access and edge security in a cloud and mobility-driven world.

Guests

Andrew Morgan

Video Transcript

Kick it off here with your, uh, Andrew's just like, let's get it out the way to start. Oh Yeah. I really like to wait till you start talking, Andrew, Honestly. Yeah, I know, I know. All right. Welcome everybody. Um, Josh, I think we're at, uh, episode six or something like that. And, um, we, uh, we we're gonna do a little bit of switching gears, but before I kind of set the stage and introduce our guests, got a few quick announcements. I'll put 'em in chat first.

Um, we've got Gary, tell us a little about Schiz Fest. What's going on? I'll put that in. That's your event. What year are we up to now? Hmm. I'm gonna say this is our, I should know the answer to that. I'm gonna say you should. I think it's 12. Yeah. Okay. I think it's, I think it's 12. Yeah, 12. Which one were you at when he said to quit your job? I was at SCH Smiths Fest number two. Yeah, there you go. It was early on. Yeah. Just went around. That was Gary Stick.

You just went around telling people, Hey, if you don't have an MSP, quit your job and start one and worked out okay for you. Yeah, it worked out. All right. So a Andrew, the will be the third week of, of, uh, January. People can go to schiz fest.com. Okay. And, uh, again, I think it's safe to say it's not, it's unlike any other event in the industry, right. You bring some of the, that true, you know, the most high performing MSPs of all scales, not just the largest of all sizes.

And, um, a lot of perspective that we give for main stage. And then we have breakout sessions for, um, sales business leaders, uh, operations, and really a chance not only for business leaders to come, but bring like couple key team members and really see, uh, get involved in the culture of setting higher expectations. Yeah. It was also the only time, the first time ever that cyber call did something live, which was cool. Yeah.

And we're working on something else for this one with Cyber Call, so. Oh, Cool. Cool, cool. So, Gary, were you supposed to, uh, wear a cowboy hat and wear boots to this thing? How, how does this work? You can, you, you specifically can, yes. Oh, perfect. Perfect. We're past and, uh, being Texas. Sure. Yeah. Um, okay. Just real quick, a few other things. Um, there, this is a little bit tangential to what we're gonna be talking about today.

I'm gonna explain, I'm putting in a, um, a URL on this, um, Group-IB. They're a security firm that's cracked. Hey, Ann. Good. Great to see you as always. Um, they cracked a, for lack of a better word, a, a, a phishing kit consortium, a ring, if you will, where over 500 threat actors can identify using this platform. Um, and over 56,000 corporate M365 attacks in the past 10 months alone. This, this group in aggregate is responsible for, for billions and billions of dollars of BEC.

And I know one, uh, MSP in particular that has attribution to the IOCs that got two of his customers got hit very recently. So I encourage everybody to take a look at this. Um, it is a full-fledged store. Uh, Gary, they are like a well run business. I mean, in terms of everything from how you use their platform, how their customer support works, um, the different functionalities they provide are very well documented.

I mean, it's, it's, it's pretty, it's, it's amazing, yet frightening how well their business models are. I mean, so, um, I want everybody to take a look at that, grab the R rules, grab the IOCs, make sure if you have an MDR provider that they are tracking it. I'm sure they are. But, uh, it is something that, um, you definitely wanna stay aware of right now. Um, and, uh, we Get to do it all tax free. They get to operate their business and they have, you know, 40 to 50% more money, right? Yeah.

Of, of margins that they can invest in growth that we are in partnership with the government, as you know, as small businesses. It's really good point, Gary. It's an excellent point. They don't have to worry about advantage. Massive. Yeah. It's a massive advantage. Much more secured be if we didn't pay taxes. That is great. You should run for office, Gary, that, with that moniker right there. Um, okay.

And then last thing I promise, um, I just want to put in, um, I'm with that, uh, kind of in part and parcel to that. I'm doing a webinar on Wednesday at one with, um, and you know, this gentleman too, uh, aside from Eric Tills being on it from a legal perspective, um, Gary Oli Thorson, who's ABA Networks, who's been in the business for probably almost four decades now, runs a, not only a good MSP, but oh him. I said if I'm the godfather of MSP, he's the grandfather. Yeah.

He's been around a long, He's someone I knew since the very first day. Yeah. He was MSP back in 2000. And, you know, six, What's really interesting about Oli is they work with some very large corporations and co-managed and, and different scales. But about 3, 6, 7 years ago, he saw where the whole, um, ransomware business was headed and he spun a piece of his business off into that. And he, he's worked some of the, arguably some of the largest, uh, ransomware recovery cases now.

Um, and so we're gonna be talking about, we call it the tale of two MSPs on preparation, both for your MSP and your customers in light of these, um, W3LL and obviously the most recent vishing attack on MGM. So things that we should take away from a tabletop perspective. So, alright. Enough on the, he also races cars. What's that, Kara? He also races cars. Oh yeah. Yeah. And, and, and very competitively and very good at it. Okay.

We are switching gears this week a little bit, um, and gonna focus a little bit on the marketing jargon world. But specifically in this, there are some very specific ramifications of the components to the cyber attacks that we're seeing right now. Specifically man in the middle attacks and a lot of the, uh, proxy type attacks that we're seeing or compromised account attacks.

Uh, and so, um, Gary reached out to me this week with a, he started asking me a bunch of questions on SASE and, and ironically I the same time I was going with Robert heads up sales engineering at, uh, and I'm like, you know what? This is a perfect, um, time to talk about something like this that's, you know, a developed, um, industry jargon, um, term where we could look to demystify it a little bit.

There's obviously really critical components of this with the shift toward cloud and mobility, but, um, so I think this will be a really educational and fun, uh, cyber call for all. So Robert, thank you so much for joining us. Appreciate the time that you're, uh, gonna give us today. Uh, you got years of experience in this world, so can you give us a little, uh, overview about yourself, um, and what you do there at Agate? And then I will hand it over to Gary. Certainly. Thank you Andrew.

And, uh, hello everyone. My name's Robert Ock. Um, I currently live in Dallas, Texas. Uh, my background, um, a military veteran and it actually, it was during that time, during the Cold War, I ended up in Insco, which was just after the Army Security Agency. So one of, a lot of the foundations of internet and all those things were taking place. So I got my curiosity, my troubleshooting skills, all those things really got honed when I was in my military service. I left that time.

It was really pre of a lot of things that were going on. I went into other areas. I was looking for other work. And it wasn't until prob about early nineties that I got a chance to go into IT. Spent years in support. I've worked in financial services, managed service providers, managed hostings, a lot of different areas. 2015, I took a break, went and started a business in something completely unrelated. I needed to, needed to walk away for a bit.

And, uh, I got a call in 2019 to come work for a company that was spinning out of another company called Six. And, uh, joined the company and I absolutely love it. I've been around long enough. I remember pre VPN days, um, we were still using bricks in one hand and, uh, SkyTel pages in the other. And we were thrilled. Yeah, absolutely thrilled. We didn't have to drive into the office to fix things and, uh, unless it was something that we had to do hands on. And it's a different world today.

It's a very different world today. So that's a quick background on me. Um, I've got a lot of different experience in a lot of different areas and lived a lot of the life. So looking forward to the conversation today, however I can help. Thanks Robert. Really appreciate it. Alright, Senator, you're up. What we, you running on the tax free, free platform away. So, um, yeah, this came up 'cause I was, you know, texting this week with Andrew.

You know, I get to see, uh, a lot of, you know, software startups in the industry find their way across my desk and like recently, they all do something different, but they all start by saying they're SASE, right? And so I wanna start there, like, in your opinion, or the way you're looking at your definition of SASE, right? Secure access, secure edge. Tell me when I say that, what would be your definition? Yeah, I very good question. And, uh, you're right about context is everything.

I mean, SASE came from Gartner in 2019, I believe it was. And, uh, just before the pandemic hit and the company I actually worked for focuses on an element of SASE. So SASE by definition is secure access, secure edge. And it was Gartner's way of looking at where we live in the world of IT today. Things have changed quite dramatically, I mean, since before VPN days. And, you know, we built these hard perimeters, we built these moats, these huge castles.

But with the advent of technology, things have gotten pushed out to a different area of the world. And so they're now operating at the edge with mobile devices, with laptops. And, and that perimeter is just really expanded. IoT, OT, that's the wealth of technology and endpoints is expansive. So Gartner took a look and said, we need to focus on secure access and securing the edge. Now, for me in the industry, especially since I live in the sales world, I still see it as a heavy marketing term.

It's hard to cut through exactly like you said, what does this mean? And, um, it's confusing. So I found the best way to explain SASE to a person is to think of blade servers, especially if you're in, in the industry, think of all the components and we'll talk about a little bit, but all the components that can go into SASE and secure access, secure edge. These are maybe tools that you already have, tools that you might think you need.

But I think about it as a blade, it's a combination of a lot of things. It's not an easy button, that's for sure. There's no one size fits all for this. And, uh, you know, we can talk a little bit deeper. I can, I can just take it from there and run, but I know we've got a lot of different areas and questions. Gary? Mm-Hmm. Like, you know, in, in the little, like trying to prepare for this and looking, they talk about three core components, 20 up to 24 technologies.

It's kind of overwhelming, right? So yes. From the marketing jargon standpoint, like how, how would you, in the simplest way, you know, categorize this and really some of the key components so people absolutely have a frame of reference. Absolutely. And that's the best way to take it. So that in, in our view, there's three primary things that are core to SASE. So there's internet things, things that kind of live outside us, um, outside that old perimeter, you know, the internet itself.

And we have tools that can work in that realm. We have secure web gateways, we have CASBs, we have remote browser isolation, DNS, next-gen firewalls. There's a lot of, there's a lot of tool sets that sit there at that internet of things. And then there's private things. Those are the things inside your organization that you wanna keep secure. And that's where secure access comes in.

And that's where principles of Zero Trust really, really, really, uh, uh, come into play that role-based access control, those principles of least privilege, which to me, zero trust is a marketing term. I know it's a framework, it's an architecture, but for me it's all role, role-based access controls and principles of least privilege. There's one more element that does play in, I kind of feel it's more marketing, but wide area, network site to site networking comes into it as well.

So those three things, internet things on the outside, private things on the inside, how do we get to those? And then site to site networking. How do we connect an enterprise? So that's, that's where I always talk typically start Gotcha. At those Elements. Mm-Hmm. So with all of that, like all the threat reports that we've, you know, have reviewed, you know, recently, they're still looking at social engineering, right? Mm-Hmm. As, and credentials as the top attacks, right? Techniques for tax.

I mean, we just saw it with MGM, like no one can gamble, which is absolutely disastrous. I mean, I, I can't even think they can put a number on the cost, right? Yeah. Of what this, what the impact is gonna be across. And it's so great that all their hotels are tied together. So it's Yes, convenient. You can take down every one of them, you know? Yeah. Across the world. Ironic, ironically, it's, it's BlackCat who is the threat actor du jour. We last year and Right of Boom. Mm-Hmm. Yes.

So, so with that, there's all these advancements. We're talking about these big companies. How does something like this happen? Oh, you nailed it. I mean, ultimately it comes down to this, in my opinion. The one main thing that really impacts all of this, it's people. People are the one element in the equation that we have the hardest time working with. Because people we're, people we're human. We're we, we click on the wrong thing at the wrong time.

We read the wrong email, we go to the wrong site by accident. People are human. I mean, it really comes down to that. And I think, you know, I've seen reports where 84% is a common number. I've seen them as high as 95% of all attacks are based in phishing of some way. And, you know, you could have the best training program out there, you can put out tools, and it's still that human element is the hardest one to work with.

So, you know, we always take a look at how do we minimize the blast radius when these things happen. I always expect in one or two things, either we've already been popped or we're about to get popped. If we think of it in that mentality, and we take that approach to how we look at security, I think we have a more holistic view working with that training. But that's really what it comes down to. Combating phishing is one of the most difficult things. I get hit all the time. We all do.

And I think you guys in the MSP world, you're a walking target in this world, in this Industry. Gary, can I ask you a question to Keith? Maybe from the MSP perspective, Keith, with something like the MGM, you know, we don't, I, I'm wondering, you know, with voice channels as it were, like we don't really, th I I don't, I don't, I don't hear a lot about that. Right? Hey, let's, let's look at maybe some isolated way in which, you know, you know, your telephony work.

So that it, I couldn't use that as a threat factor or it would be much more difficult, or there's an authentication to that. Do you foresee that coming? Or have you had any of those types of implementations or conversations and is that making some sense, Keith? Yeah, I mean, I, I, I think that what you're talking about is authentication of users, right? To make sure that that's the right person on the other end of the line. And oh yeah, that's a big, big deal.

It's something that we got really aggressive with, um, about a year ago to put those controls in process and to do text top verification. Another several tools out there that, that do that. But, um, integrating that into your PSA and making sure there's a mechanism to authenticate users before you provide service. And it, it, it's a, it's a pain. Like you've gotta educate your users because, well now they've got an extra step.

Now they're gonna have to read off the, uh, pin number from their text message. Um, but, um, it's necessary. It's just like, uh, bar transfers. I mean, you, you gotta get better and better at authenticating that. You gotta do the same thing with tickets that come into your service desk. It's brilliant, right? Mm-Hmm. It's brilliant to think about.

All you gotta do is, you know, call a help desk with, as the name of someone you know, and how many, if there's no verification process, MSPs, you don't know all your users like you, you know, you support thousands, right? Right. It's, I'm surprised that, that this hasn't been exploited more. Yeah.

It, it's almost like, um, Keith, we're, you know, we've gotta take that authentication piece to another level, but it, it's, it's, and not to digress, but it's almost like with all the phishing that's going on now and the phishing kits, it's almost like if you haven't gotten people to adopt MFA in the traditional sense, would you just simply go right to a phishing resistant?

Like if you're gonna try to upgrade a customer, are you just moving right into, you know, some type of YubiKey at this point, then try to get them to do something that's is getting spoofed so readily these days? I, I think it's gonna get there real quick. I, I already, if you're migrating any clients doing any project, that's just part of it, right? It's default. And that client should be kicking and screaming to remove that. And even if they do, you probably should just say no.

Like, they're not the right client if they want to remove MFA. Uh, but yeah, I think you're right. Going to YubiKey and going to additional controls in that should, should just be a part of it. That's just gotta be a default standard you build in your projects, Gary. It's almost like you're, you know, the, the wedges these days is like, if you aren't kicking and screaming, I'm not doing my job A hundred percent.

Look, we're getting now what we're talking about today, and we start to talk about things around that we've talked about around zero trust. It, it is, uh, there's not only pushback from the, the, the customers, right? It impacts them, but it, it's overwhelming for the average MSP, right? I mean, like, you can implement a new tool and maybe need a full-time equivalent of full-time resource, right? Mm-Hmm.

You know, to manage it on our side and understanding it and costing it in this is difficult. This is one of the most difficult commercial things that we've had. Both because of what we have to do operationally, how we have to sell the value and the buy-in we need on things that impact end users. This is really hard. Yeah. Really hard. And I wanna talk to Keith about that. But Robert, I wanted to say, so I, I watch what happens from sometimes just going to the shows and seeing mm-hmm.

In the solutions pavilion. Like, and I've been doing it for so long, and some of them come and go. Not just the companies, they always come and go, but the categories, I, I remember this year there was a bunch of people with electronic health records 'cause MSPs were gonna be the ones, and that was gone. And then, and then we went through the phase where everybody had a, you know, had a, a like OS 33 and 10 other companies with, you know, cloud desktop and that whole category. Yes.

So now I'm watching this category, right? So when you look at that, and if I'm an MSP and I'm going to DA Ocon in a couple weeks and I'm going the, you know, the solutions pavilion or I'm going to IT nation, what, do you have a recommendation? Like what kind of solutions or categories would you be looking at to start? If I'm at the beginning? Yeah, no, good question. And you know, you're absolutely right.

I was, I think I told Andrew this before, I mean, RSA in 2020, which is before the, when the pandemic just hit, we were there. And I think there were just right around 50 vendors that were labeled as zero trust. And when we went back, back the last year, it approached 200 easily, if not over. And it's hard. It's almost impossible. They're, they're, they're popping up in all different places. And, uh, so very good question.

So the numbers are out there, things that I always look at it, and this goes back to old security principles. I like solid foundation. So, um, I look at it from this standpoint, when you're building a system, you can go out and buy a system that's labeled as SASE, but you really need to understand the components that are in there. And some of us already have some of the components to build a SASE architecture. So let's look at the gaps that are in there.

And my view in like building a house is having a solid foundation and the solid foundation that's common across all verticals, across everything that we do, is access. You need endpoints, connecting to resources to get work done, no matter whether you're iot, whether you're laptop, whether you're voice, whatever your widget is in this world, there's some type of connectivity that goes on. And if there's connectivity, there's potential for exploits.

So if we can secure access and then take a look, be strategic, and find how we can apply other tools, we can start to look at building a good, uh, SASE build that's appropriate to the industry or the vertical or the business that you're in. Um, 'cause not every tool fits every occasion. And, you know, it's, so in today's world, a lot of times, companies, organizations looking at their bottom line want the quickest fix to solve a problem or respond to the board, whatever it may be.

And, you know, it really comes down to those foundational aspects. And I want, I myself, when I was managing an IT department for financial services, I wanted best in breed elements. So I always looked for best in breed and found a way to build from there. So that would be, that's always my suggestion For those you could afford them. Yeah, that's true. Yeah.

And you could until thousand one thing, but it's a lot different if I'm, uh, if I'm a financial institute with a thousand users and I need one or two headcount to, for security, that's a process I go through. If I'm an MSP and I have a thousand, I have 50 customers, and I have to commercialize that, and I gotta deploy it much differently across 50 customers. Mm-Hmm. That's, that, that's why we're here, Andrew, is to stay, is is to be in between that. So, but that's a good answer. Robert.

Keith, can you talk about the real, in the real world, like implementing something that, um, is this complex, right? Can you just share briefly kind of what you have been through both internally trying to figure out and mature it and get buy-in and understanding the cost, and then on the client side of getting clients to understand and pay for it? It's tough. It's, it's real tough.

It's, it's what you've always said, Gary, is the, uh, uh, change the tires down the road while you're doing a hundred miles an hour, right? Yeah. Like, like, I wish we could just put pause on tickets and sales and all operations and, and do big security lifts, like, like this. But that, that's obviously not possible. Um, zero trust is a big lift. And I think for us, it, it is a matter of going, okay, where are the low lying fruits?

Um, you know, there's some obvious things like we're, like, we were talking about the, uh, the user authentication and having the, uh, we use quick pass, others use traceless io, things like that. PSA people out there, you just need to build this in. Like, come on. Mm-Hmm. Because say ConnectWise, like, like, let's build this in and integrate it. Um, you gotta look at things like that and look at where, uh, PAM and privilege access management is another one that's just obvious.

You, you need that. So Cyber Fox, that's, that's what we use there. Um, Wes' team, I, I think other areas like this where you've got VPNs in place, the first and obvious is if you can eliminate VPN, eliminate VPN, right? Go SSO, um, set up architecture, move things to the cloud, just eliminate it. But if you can't eliminate it, let's start by documenting what those use cases are, starting with, you know, client zero, which is your own MSP, and go down that list and just go, where are my risks?

And obviously if you have VPN, you have to have VPN, it's probably a risk. You need to get real serious about how you architect that in terms of prioritizing your clients. We're gonna look at some clients that are regulated or they, they've got a lot to protect your DMMC type clients, your ones with financial information, um, protected data, and they gotta be at the top of your list. Certainly if there's a VPN that their users are, are, are using, document those use cases, prioritize it.

And man, I, Gary, I think it's just a matter of going back to those clients and going, times have changed. Like everything, you're hearing us say this every quarter, but this is a huge threat vector. And I, we've, we've met with your users, we've gone through this use case, we gotta make the wall a little bit thicker because people are getting through it now. Yeah.

Um, but I And Keith because of that, because like people can hear Right, just from what you're saying, they can figure out the posture you have and that's what comes first. The second piece of it is, I see the deals you close, right? I get to, I get to watch the emails, I see deals that are over a hundred users at over $300 a seat. Every just, just, if you can just tell everyone that they can do it and that they pretty much have to, they can't do the thing we're talking about today. Yeah.

Unless you get there, you're not gonna have a secure edge. Y you can do it. It, it's, it's really looking at those businesses and understanding how they work, understanding what the impact is. If a VPN gets popped and going, look, this is gonna take some work. It's gonna take some additional software and some architecture changes, and that costs money, costs money to do it. Right? So I gotta charge you. Yeah.

And if not, it's, you know, one of us is going to get fired when something happens and I'm gonna make sure it's not us. Right? Right. Those aren't mm-Hmm. Not easy conversations at, at all. But they're easier. The fifth one is easier than the first one. That's right. That's right. And, uh, once you get past it, you get past it. So with that, Keith Mm-Hmm. I'm gonna hand it over to you. Yeah. Yeah. So on that topic, Robert, Mm-Hmm. We know it's not about eating elephant all at once here. Mm-Hmm.

Boom, let's implement this. Let's put it across the board. There's some technologies where that's the case. Uh, MFA obviously, like just do it, like Yes, Do it and make the client, uh, opt Out. Make it done. Exactly. But, but this one in particular was zero trust. What's your recommendation? Like, what are the best practices and where do you start? So I, I look at the two, the two core things that go along with this. So principle of least privilege and role-based access controls.

Those are rooted in identity. And I always suggest that yes, we're looking at technology for connectivity and for access. I always suggest the first place to look is a tech debt that may have built in your directory structure. You know, do you have everybody in there? Have we been copying the same policies over and over and over for Harry? Because it works and he's always worked.

And so he may be overprivileged, but I don't get a trouble ticket by copying Harry's profile, um, understanding, you know, start the work and understanding resources to end points, because that's gonna be the communication path for any platform that you put out there. And then second, the next thing to stop looking at.

I agree with you a hundred percent, those VPNs, I mean, they were great when they came out and they were great for the intended purpose, but in today's world, I don't think they have a place anymore.

There's technology out there, and I'm not here to promote ours, but there's technology out here that will allow you to remove VPNs and still provide remote, solid, secure access into resources and also secure the access the resources while the customers are sitting inside the office or at that remote branch or at that store that you're covering for your msp. And there's ways to do that today that no longer reference, uh, uh, VPNs.

Um, there's technology out there that's incorporated into some of these zero trust network architectures that help cloak your environment. And they leverage tool sets that help defeat man in the middle attacks, which is what's going on everywhere as well. We talked about the intro, but I always think identity first, get rid of the VPNs and then take a pause, do a new assessment, be strategic, and see where you need to go next. Okay.

So, so yeah, you, you've got Robert, you've got two big, I guess, use case areas. O obviously with work from home being mm-Hmm. A big one of those areas. And yes. You know, obviously if, if your users weren't set up for that, covid certainly pushed it there. But then the other is, uh, remote offices, satellite offices. Mm-Hmm. Connecting together.

And if growing as an MSP and then being able to service larger clients, you have more and more of these clients that have branch offices, uh, with offices that are connected, VPN between them, VPN from home. Maybe just talk us through those considerations and where SSE and zero trust plays a role there. Absolutely. Um, we've been working with companies and of all different types and partnering with MSPs as well, to understand those, those different pieces.

From a remote access perspective, I think the biggest thing in the MSP world, both internally and externally, is ensuring that the device that's coming in meets your security policy. Um, I've heard stories that just are, I can be nightmares, you know, I left my laptop at the office, so I'm gonna borrow my kid's laptop to get connected and to do remote support for an MSP or for, for an enterprise.

Those things scare me because you have no idea where that device came from, what's installed on it, but you're under pressure to get work and job done. So that's, that's one area. Um, so remote access and users, there's a lot of different things that are important in today's world. Uh, from a company's perspective, remote users need to be productive. And I think that that's one of the key things and a a lot when we put these VPNs in.

And we have environments that are hybrid that locate resources in multiple locations. Sometimes it gets confusing for users to figure out where they need to go for what they need to connect to. And I think that opens up vulnerabilities in that phishing aspect as well. If they're not entirely sure about how they're supposed to go to things, how they're supposed to connect, how they become productive. Employees want something that just works.

And so looking for a, a platform like that, branch offices, you know, we, we've come from, you know, I grew up in the, in the days of frame relay circuits and, uh, you know, I, I kept seeing the expenses on our WAN going up and up and up, and then software defined way, uh, WAN came out. SD-WANs came out. Great platform doesn't include security by default. A lot of people put their dollars into SD-WAN environments to promote connectivity, but you still have to consider that secure element.

Um, these new technologies, like software defined perimeters, give you the ability to connect things in different ways and to do it securely, whether it's an individual or a branch office. They describe hub and spoke networks where branch offices become a spoke to a hub network that's centrally located, providing connectivity just like an SD-WAN.

But a software defined perimeter identifies the user-to-endpoint, the user-to-resource relationship on demand, and ensures that they, that the person that's requesting the connection is in compliance with your security policies. That's a huge win in today's world. And it can be done at the branch level, it can be done at the individual level. So you get flexibility to be able to describe, to provide the rep the appropriate solution that you see. Um, I was working with, this is hard.

I mean, like, I I, I just saw a demo of a solution, you know, last week Mm-Hmm. And it was free. Like you could look at every user, but like, I got 8,000 users. I can't look at every user and manage 'em and set 'em up and revisit 'em. Do you know, like this is kind of where, and people aren't. Oh, again, you have multiple companies and within that company there's multiple mm-Hmm.

It's not like I'm a, uh, you know, like I'm an organization with 2000 employees and I have departments and like, it, it's kind of all organized. It, it's so much messier, right? For us as MSPs. Mm-Hmm. Keith, do you agree with that? Yeah. Yeah. A hundred percent. Yeah. But, but everybody still has a role. I think that that's the important thing to understand.

Role-based access controls can solve a lot of these issues if we understand the role and then what the user's doing within the organization, right? If we attack it with, if we think about it with that, we think about those core components I mentioned earlier, role-based access controls, principle of least privilege, that go hand in hand. You manage it that way. Think about it strategically.

'cause most of us may not have large departments, but we have people that work in those areas that work in governance or audit and compliance that can help us with these. And one person with five hats, sometimes it in smaller MSP I've sat in roles, but understand that role and then executing on that, find the framework that fits the tech that fits with you helps align.

And I've seen actually reductions, the thing that's funny, it sounds like a big onerous thing, but I've seen reductions in trouble tickets for connectivity after a platform's been put in.

I saw a company that has about 130,000 users across the, across, uh, it's a government level, but they went from, uh, I take that back, 80,000 and they went from 30 people managing their remote access and all that infrastructure down to that were full-time, down to one part-time person that had to manage remote access with the company. It didn't, they didn't get rid of people. They freed people up to do things that they should be doing. And that's something else so important. Yes.

One, one thing similar, like I, I know Sonny Lowe, who Mm-Hmm. Gary, another one of your Yes. Who was very successful exit. He moved everybody off of VPN to you guys, and he said his trouble ticket count would substantially. So, you know, again, that's where you're seeing, I think, um, he, he used that literally as a mechanism to go out and it was almost as prospecting tool when there was a VPN ticket. Historically, it led right into a, uh, a strong conversation here.

The other thing Wes Robert's points on, you know, accounts, um, role-based access. We, we did, I think some really good cyber casts on that. This is fundamental CIS controls, right? And they talk about, you know, roles, um, how you provision, how you de-provision, um, looking at change of roles. Um, so if you haven't looked at those right, Wes, you'd probably wanna check out the cyber cast on those. I find myself continuously telling people to go to listen to cyber cast.

I mean, because so many of these things are discussed, and they're at a very deep level that I think will start to help you understand, oh, there is a pathway to do this. And just a quick comment on roles. Um, we, you do need, it takes a lot of build time to really think through what are those roles? How many roles do we have? What, what types of users belong to those roles, and what's the role type, what does the role need to do?

Going back to wa what you mentioned about principle of least privilege. Um, but if you put the time into doing that, then all of a sudden the clouds part, because now instead of juggling a thousand users, you're, you're managing with fine detail, 10 groups, 10 role types, and that's it. And then all of a sudden you're like, I can actually do this at a really effective level. So, yeah. So as we're talking about VPN Robert, would you say like, like blank check here is VPN dead?

I, I mean, do we need to prioritize just ripping out VPNs wherever we can, because we're hearing a lot about it on the chat here. Uh, chatter about VPNs. I know, uh, talking with John Murchison at Blackpoint saying, man, those are, they're seeing them get popped, like left and right. If you don't have MFA on on VPN, it's just like not having MFA on your email. Um, yeah. Seems like you could just yes. Get rid of a lot of these problems if we could just get rid of VPN.

Is that, And Robert, kind of quick Yeah, go ahead. Answer this. There were questions. To Keith's point, like, it sounds like ZTNA is just like another VPN. Can you, can you debunk what the differences are as you answer Keith's Question? Yes, absolutely. Absolutely. No. Great. And those are solid questions. So as far as, I mean, this shirt I've got on today actually says, friends don't let friends use VPN. I mean, that's part of what we talk about each and every day.

And, um, yeah, we give these, we'll be at Right of Boom and we love to give these shirts out because it's so true. It's, it's, like I said, the technology was at its time for the purpose that it was designed rock solid. Today's world, it's, it's not most VPNs authenticated were only one direction. That's a problem. We have tool sets like mutual TLS, that allow us to authenticate in both directions so we know that the endpoint and the server are who we expect them to be.

And then to up a level of security, put it in a private certificate enclosed and closed system. So what's a closed certificate system that's not advertised publicly that people can't get those certificates out in the fly and mimic those? Or, or, or, or mimic those? So if we do authentication in both directions, we got a highly, we got a solid security position in that.

And we also defeat those men in the middle attacks because the one that was came out a couple weeks ago, every 10 when these pops, the pool of se goes through and rips 'em apart to see A, if we're vulnerable with it, B how can else can it be exploited?

The one with the reverse proxy that just came out two to three weeks ago where they're inserting, they're, they're redirecting people to reverse proxy that then passes information in so they can grab the credentials, they can grab the information and onboard an authenticator app for the OTP. They can grab those things as well and onboard those. So there's mimic going in there. I agree with you on the UB concept and the security devices.

So, so from a ZTNA perspective, um, endpoint connect to resources when they need to. Um, let's take it back a little bit. So VPNs, we know they're leaky, they have open ports that sit on the internet. Their concept is connect first and authenticate second. And unless you spend a lot of time managing firewall rule sets, when users come in, quite often they have access to a VLAN or they have locked access to the entire network scope that's inside the EN environment.

Beyond that VPN concentrator, unless you do a lot of work to segregate things out, they're quite often flat networks. We can't live in those kind of worlds today. Uh, it's just not everything from insider attacks, whether you're intentional or unintentional, bringing somebody in, piggybacking on your connection, they're just, they're just bad. So VPNs, yes, they need to be retired, and what we found out is companies are switching off into a ZTA platform.

We've seen them actually switch out for the cost of support and maintenance on platforms as well. So don't think that cost should be, should prohibit you from going in and going and ask the questions, talk to several different providers. There's a lot of different good solid providers out there. Of course, we're the best, but that's another point. Um, Rob, we Do one thing. I'll add to that though.

I think one of the other advantages too that I've seen a zero, or I'm sorry, a ZTNA deployment give is it forces you to think about network segmentation and traffic flow, whereas you may not have ever done it before. Right? So like, if you think about a VPN, this kind of gets into Rob's question in chat a little bit. A VPN is, think of it as almost like a single layer gateway.

The way 99% of deployments single layer gateway, that has some amount of like trust consideration coming in, use the username password multifactor, and it gets access to everything on a flat network on the back end. Yeah. ZTNA forces you to think, Hmm, this coming in here can only go over here in this case, and this can only go like, and, and I, I think that has a lot of benefits. It like, it's not even about ZTNA, it's about classic network segmentation. Absolutely. Absolutely.

You know, what's the purpose of the connection? Separating frontend ports from backend ports to me is a huge win. You know, general user population uses 80 and 443 and almost everything. Those are easy ones to understand. But you wanna know when a system admin is coming in to do repair on a device, maybe a patching or whatever, they're gonna use SSH, they're gonna use RDP, maybe they're troubleshooting in the support test and using ICMP.

Those are tools that have purposes, but they need controls. Those are great concepts for multifactor or to step up authentication to prove you're who you say you are before you're allowed elevated access into an environment. So great solid use cases, but you're right, it does force you to rethink your network, your network segmentation. And what's, interestingly enough, we see things improve inside of IT staffs, whether it's MSPs or enterprises, they start seeing firewall rule sets coming down.

I've seen them reduce 25x. I mean, I've seen rules go from hundreds of lines to just three, four or five rules, because now you have a software platform that only allows a user to get to the very, the IP port protocol that they need to access a resource. So very, very solid. They can't even see things, which, you know, if you think about it from the kill chain, that's always one I like to look at that first one is reconnaissance. They wanna find out your openings on the perimeter.

If they get in a little bit farther, they take a look around, we wanna close things up, we wanna make, we wanna make sure that they only have access to what they need. And that's a huge win. And that ties into Andrew, you, you're asked about VPNs versus ZTA. So VPNs really their goal is to connect two disparate networks. You know, whether it's a user segment, a home home network, or remotely, um, connecting to the corporate office or wherever the other, whatever the termination point is.

That's really what the concept was to bring the two networks together. It's a virtual private network. In ZTA it's a little bit different. Um, ZTA looks at every connection made by an endpoint individually and ensures that the user has the, is privileged to go to that resource and meets the security policies for the endpoint to connect to that resource. Two very important things.

Um, so checking that to make sure that you know, Robert, you're a system admin, great, you should have access when a trouble ticket is open to this server so you can work on it. If you don't have a trouble ticket that's open, you should not even see the server inside your environment that you can take it that, that to that extent. But making sure I've got the latest antivirus that the process is actively running and so forth.

So when I build that connection to that device, it's checked in real time before my packets are even allowed to go onto that resource. That's really the core of principle of least privilege, combined with role-based access controls to make it what we call today's zero trust architecture. Yes. Can I ask you something? We just on the, I'm gonna ask Wes, let's start the perch hat days.

You know, if, if you are taking something from massive amounts of, you know, rules and a firewall down to three, let's say, and you're going this route, true or false, is that gonna be beneficial to the SOC from the standpoint of, you know, inspecting logs, um, packets, et cetera? Um, your thoughts on that? I've never really thought about it before. I, I think well engineered it, it is valuable and it is helpful, right?

Because a SOC, one of the things that the network team needs to do to make the job of the SOC easier is, or maybe more effective, is helping them not have so many needles and haystacks, right? Mm-Hmm. So less haystacks, less needles becomes much more important for them. And then they begin to focus on the things that matter the most, and then it gives them the time to dive into the anomaly. So yeah, I do think it is helpful for it when it's well engineered. That's a great question, Andrew.

I hadn't thought about it before. So, Gary Andrew, coach a little bit here, Gary. So, uh, ms, all the MSPs on here, we're seeing regulation, we're seeing cyber insurance changing things like how would you use this as a wedge, uh, to, to, to move sales forward because of these changes? Yeah. So I'll tell you how, but I'll tell you why.

It's e it's simple, but it's really hard because on one side of it, we need to have conversations to get our customers to invest some more on the other side of it. Normally the reasons why we do is when our belief system changes because we've matured our back end and we know how hard it is and the work that we've done. So it's almost like a chicken and an egg standpoint. But I think still too many MSPs don't have the right relationship with their customers.

They don't even have it with the right decision makers at their customers. Mm-Hmm. To have these conversations and until you do, this is an uphill climb. Start by doing easy things like Andrew, we were talking on the, on the call this week for, um, SaaS alerts. Start with easy things bundle a couple things that are relatively low cost per seat, roll 'em out and do an optout.

Like there's so many simple low hanging Keith, low hanging fruit that you can do that build your confidence and then, and then start having those conversations, not just about the investments they need to make now, but talk about the ones they need to make in a quarter and two quarters and a year from now. So by the time we get there, there are already things they've thought about and budgeted instead of just showing up every time and, you know, asking 'em for unbudgeted money. Yeah. Right.

That's good. Yeah. I I think it also, you know, this is a what you, what, what, when you just painted this all out, Gary, it kind of made me think of Brian Blakely who has, again, it's a business led conversation, right? He's talking about that what's running the business and, and the criticality of what drives revenue processes. And he doesn't sit there and you know, the tools come in, but he's at the level where he's talking about the business and business impact. Fair. Yeah.

I mean, look, it's really hard if you're still selling fear, uncertainty and doubt. When you, when you talk about the business first and business impact assessments and, and you get on that plane, you can just explain the risks and the investment and, and you and you move on to the next thing. You don't really have to do a lot of true fud because you've explained you understand their business and you've explained the risks in a way where they can attach a value to it. Mm-Hmm.

And that's where Brian talks about, that's where he lives. Mm-Hmm. Yeah. Yeah. It's A whole Clark And it's so easy and, and most everyone that I know has gotten there, Keith, you know, through Pierce says the same thing. Like, why did I take so long to prioritize? Mm-Hmm. Business part of this, like everything else is so easy now. Yeah. Yeah. Good stuff. Wes. Over to you my friend, Man. It's been fun conversation. Um, yeah, it's great. Robert, how about this? Yes.

Can you kind of like less about Appgate, but it's fine for you to talk about Appgate. Mm-Hmm. Um, can you give us kind of a case study of maybe an MSP or, um, yeah, but how about an MSP that has, you know, thousands of clients when you or thousands of employees when you put it all together? Mm-Hmm. Can you give us a walkthrough case study of, of an MSP that's done this successfully and what ramifications they've had out of it? Yes. So I, I, I actually, I wanna jump to Sonny.

'cause Sonny was great BlueJean Networks in Fort Worth. Um, he acquired Appgate because of a customer. So, um, they came, he came to us, they acquired an attorney from another MSP that wanted, that had been using our product before and required the MSP to use it. It was that simple. And that's what brought the two of us together, which actually started Lloyd because that's how I, that's actually how I met Andrew and some other people in the industry going back a little bit.

But, um, they adopted our technology and they said, Hey, this is really good. And so we worked with them. They started rolling it out, they started using it and consuming it and they found that overall things went a lot easier. Reduction in trouble tickets, reduction in rule sets, the ability to pull back and not necessarily his, but the ability to reevaluate how we're providing connectivity for these locations for the customers as well. So that's been a very strong one.

And I think the, the best feedback, um, that Sonny gave us one time in a call was using VPNs is like sipping peanut butter through a straw, but using a good ZTA product just unleashes users and productivity inside the organization. I dunno where he got That sucking peanut butter through a straw. I said that earlier in chat. We all got, actually, Is it really tough for you? Yeah, Yeah. What's funny about the story though, how it actually did, so I've known Mark Rahe for years.

The funny story about, part about this story though, Gary is Uhhuh, Sonny was a huge SonicWall VPN advocate. Yes. He onboarded the new client and switched them over to the VPNs on SonicWall and reached out. He is like, the client's gonna leave Andrew, do you know anybody? And, and that's kind of, it's probably, it's, it's kind of an interesting, a funny story, but, um, Absolutely. Yeah. Um, yeah, we were working with an MSP that a, that has a large global customer. Here's one for example.

Um, they're heavily distributed throughout the world, so this is probably a little bit larger in scope. They've got a lot of remote sites, uh, wide area network connectivity, mt LS where they can DIA SD-WAN circuits. I think the big things that we saw in reductions, the things that we're helping, number one, security, security goes up. And Wes, you had touched on this.

One thing I really love about these platforms is I kind of think of them almost like those internet border routers that sit at the edge and do the filtering so that when the traffic is inside that area, when you've got users that are in and authorized, they're authenticated all these, they meet these criteria, you know that the traffic that you're seeing in these detection systems and the audit logs and these SIEM logs are real things you mentioned we're searching for needles in a haystack and that's a one thing that you're used to drive me nuts.

But back to this. So, uh, this was actually about 9,000 users and, um, they went through their deployment. They were able to reevaluate all the branch locations. They had separate security stacks in all these remote offices that were wound down because they could bring that traffic back to a central location when they chose to do so. So think about your, your internet side of the SSE conversation.

They routed that up to their, to that portion of the provider for role base, uh, for, uh, remote browser isolation for CASB. And, and they used us for ZTA for securing the traffic that came in. Um, we saw as large of, for the customer, the end customer, it was about $250,000 per location that they were able to remove from their budget annually. And their firewall rule sets, that's the one that I always saw.

It was a 25, about 25 x in reduction of lines because you don't have the, the, A good ZTA platform routes traffic based on the user's need. We call, in our world, we call them entitlements. So they only have access to what they need. Everything else stays dark and then traffic that you want to go for the internet, things you can send off to a platform that's designed to target and process those. Whether you need to bring those all back to a central location and send those out.

I've seen ZTA platforms that integrate the PAC file for those platforms as well. So there's a lot of different really solid tools, but ease, efficiency, easier for the IT staff and both the MSP level and for the company itself, huge wins. Performance and production goes up as well. Yep. And cyber insurance usually goes down. That's another one we've seen. Yeah, there you have it. I mean, I, I think that's why we owe it to ourselves for a more modern approach, right?

It's not about going, buying, buying a shiny vendor. It's about really reconsidering some of the tools and technology and capabilities that we have today that, you know, I'll be honest, man, in my old bank, um, I remember moving firewalls was, you know, months long in a project ordeal, you know, because of the rule build outs and the analysis and the testing and the gotchas and the whoops, and how is that working and why is that not working? It was just beyond frustrating and quite archaic.

So, um, really well said. I think I have time for maybe two more questions and, and Keith, my last one will be queued for you, my friend. Um, so, but, but maybe one other quick questions around like BIA right? Business impact analysis. We've talked about that periodically throughout the cyber call, and if anyone listening doesn't know what that is, it's sort of this idea of like, you know, when bleep hits the fan, what do we focus on? What are our critical assets? What are our critical users?

What are the critical, um, restoration steps and actions that have to happen, right? So it gives us that, that perspective, right? We know that let's just pick on RMMs and PSAs, just like firewalls are archaic. So are those platforms are still the lifeblood of what we do, yet they haven't been engineered for security. Um, and, and I, I know in the aftermath of, you know, the big, uh, July 4th incident, there was a whole bunch of, well, how can I protect my, my, uh, RMM in particular, right?

So can you talk to like a little bit more about how ZTNA and this type of conversation today should be thought through with MSPs protecting the crown jewels of the RMM and PSA a bit? So, yes. So I think, you know, from those, from the tool sets, um, I think that's an incredibly important part to think about. And that's where we typically start first, you know, let's clean up your house and let's lock your house down. Um, we leverage a lot of the IP whitelists.

Not all the tool sets are ready to go, some of them, uh, some of deploy on-prem, which is great. We can work with those. But leveraging IP whitelisting to lock it down to a platform like a ZTA, whether it's a SaaS provi, a SaaS application that's hosted up in the cloud teed solution. Good SaaS platforms have some type of IP whitelisting that lets you lock down to source IPs.

That combined with a ZTA platform like the one that we, we use in Appgate, we authorize users first in the device that's connecting in, then they authenticate and then they're allowed to connect.

And if you can lock down the connection to the SaaS provider, whether it's a cloud for one of your tool sets, your RMMs, your PSAs, um, being able to lock those down so that you know that the user that's reaching out to that SaaS quo platform is authorized to do it, it's a much better platform to go with. And they don't accept the tokens from outside. That's, that I think is the big one right now.

These men in the middle attacks that are grabbing tokens before they get to the end point to the, to the resource and they get captured and replayed, are things that we want to avoid. Leveraging a SaaS, uh, a ZTA platform that is deployed properly can interrupt that attack by ensuring that the device and the user is authorized and authenticated before they're allowed to connect. So that's a huge win.

Um, and from there, looking at a platform that has a capability to help automate some of your tool sets as well and ex understand the work that you're doing and the platforms that you're using. API integration is a new functionality that's really becoming more and more popular. Being able to understand what's going on inside the environment, automating some of the, some of the typical workflows that may be repetitive and consuming up time and looking at ways to automate those as well.

Again, performance improvements, assumption. We know How many APIs and where they are. Ah, we can search, we document it, of course not, but most of the, most of the, most of the vendors out there have the documentation for those APIs that they have interfaces with and it's growing. Um, the automation piece I think is becoming more and more important, especially in a ZTA world.

If you can automate a workflow and remove the human element we were talking about humans before, remove that human element. It gives the potential for being a much stronger and more secure platform overall. Love it. Love it. And those are things I think we really owe it to ourselves to think deeply about because of the crown jewel nature, the RMM, right? Yeah. So let's really Consider that PAMs, PAM's another one.

Um, platforms that can take GeoIP where the location of the user is when they're requesting credentials and import that into the PAM to double check is a huge one. I've seen that sort become a big one now as well. Mm, yeah. Yeah, that's a great point. Um, Keith, you know, you may be the world's worst pilot. The guy says, you know, You say that, Hey, but um, come remember I do have pictures of you hanging upside down in a parachute. Oh yes. With your eyes bulging outta your head.

So I'm Just also barfing. Yes. Yeah. If you guys don't know, Keith now has a podcast, which is pretty cool, except he makes you do it on his plane while he does flips and, um, not exactly a pleasant time. Wear a para Episode releases tomorrow. We'll see how he holds up in That. I'll not be appearing on that podcast. Come on, Gary. Gary. That's what I told him too, but he wouldn't take no for an answer.

So I think Hands up You wanna see Gary, We, Wes, is it worse than it when, than you thought it was? Uh, It was absolute, absolute fun, but it was, I did not feel good. When I was done with that Thing episode, I absolutely lost my breakfast. Yes. Once you start doing it on a jet and you have a copilot, I'm there. Oh, okay. Yeah, make that happen. Keith Does have an eject button. I kept pushing it, it didn't work. So, uh, I was willing to test that parachute anyway.

Keith, what stands out to you from this conversation? Man, aside from the imagery of drinking peanut butter through a straw, which I'll never get that one outta my head. Um, you know, I, I, I, I think for us is, it's kind of, it's bumming me out that I thought that my Q4 plan was complete and now I'm gonna have to put a big space in there to go, wow. Gotta reevaluate. Um, where we have VPN critical use cases and ZTNA and I, I, I think just make like everything else making that a priority.

Mm-Hmm, new priority. A new priority. But this is a big one. And it's what Gary said about not just springing that on your clients, but educating, thinking like, we've gotta start now educating our clients on this being a threat and something that has to be addressed. And the time to do that was a year ago, but second best time, second Best time is this quarter and, and take it in pieces, right? Mm-Hmm. Like, you're not gonna get there this quarter.

Like, don't set goals that are, are unachievable. Get some low hanging fruit, start the process, have a plan and say, we're gonna be there with every client in a year. Here's what we have to do every quarter. Yeah, no, that, that, that's really it right there. Good, good stuff. And, and Keith again, right? It's customer zero, right? That you were thinking about if I hear you loud and clear. Yeah, exactly. Exactly.

Don't, don't, uh, don't let your MSP be the, uh, cobbler's kids with no shoes kind of thing. Like, you've gotta secure your stuff first. Hey, if this was super helpful, absolutely. Like, I thought this was an awesome call. If anybody else felt like this was eyeopening, can you give us a three in the chat? Send on that Andrew. A three Three in chat, three Testing to see if they're listening. There You go. There's always a lag. Ah, yeah. Well, glad to hear Carl. Um, Bob, thank you.

Um, threes here come the threes. All right. Three, 3.5. Awesome. Alright guys, well, we'll look forward to seeing you guys really soon. Wishing everybody a safe, healthy and prosperous week. Until then, Robert, thank you so much, Keith. You're welcome. Thank you for in as, uh, for Phyllis as always, thanks for an invite. Thanks everyone a great day. Bye.
