Infostealer Malware, Credential Theft & Future of Browser Management for MSPs
In this video, industry experts discuss the critical topic of browser security and its implications for organizations. They explore the evolution of cyber threats, particularly focusing on the rise of infostealers and the need for secure browser configurations. The discussion also highlights the importance of adopting Zero Trust principles and the challenges faced by enterprises in managing browser inventories effectively.
- Many SLTTs (State, Local, Tribal, and Territorial governments) are increasingly concerned about cybersecurity, especially regarding ransomware attacks, and are actively seeking knowledge and networking opportunities to improve their defenses.
- A significant gap exists in knowledge about how to properly vet Managed Service Providers (MSPs), with only a small percentage of attendees at a conference knowing how to do so effectively.
- The shift towards SaaS and cloud has been significant, and threat actors are capitalizing on this by focusing on credential theft, particularly through methods like infostealers.
Guests
Video Transcript
Welcome everybody. Episode 151 here. Uh, I think there's a, isn't there an alcohol that is 151? Oh yeah. Bacardi 151. Yeah. All right. All right. Well, it just kind of hit me as, as I was, you know, taking us live here. Um, less so I had that. I was in college. Well, Gary, we were just talking about sch. I don't think it was a good night. No, you don't remember it. I imagine not. Um, few quick things. One, Phyllis, I'm gonna put you on the spot here a little bit in a good way.
Um, it was awesome meeting up with you, Tony Sager and Kurt Dukes in Utah. You guys just finished up the MS-ISAC, um, what would you term it? Their national conference, Phyllis, right? For lack of a better word. So the, uh, yes. So it's the MS-ISAC annual meeting in which, um, uh, MS-ISAC sponsors, I think, two folks from every state. Mm-hmm. Come. There were over a thousand attendees. Okay.
And so folks from, um, you know, local, tribal, territorial governments are attending, state CISOs are attending. Um, EI-ISAC also had a track, so elections officials also attended. K-12, I've talked about the K-12 community here before on the call. Uh, a lot of K-12 attended as well. So, um, what's exciting is that, um, SLTTs more and more are, um, concerned about cybersecurity and getting hit by ransomware attacks, et cetera.
And so, um, they wanna go, they wanna network, they wanna learn more about cyber, et cetera. So, um, it, it was a very good conference. That's awesome. And you ran a panel and you had Eric Woodard, Ryan Vestey from VC3, one of, Gary's on the board there. Mm-hmm. And Mackenzie, uh, Brown as well. Yeah. So it was great. It was really how to vet, or what do you need to look for in an MSP?
And so when I asked, um, how many folks actually, um, were using an MSP, probably like three quarters of the audience raised their hand. And then we asked how many people know how to vet their MSP. Two people raised their hand. Yeah. Thank goodness a lot of MSPs are saying, yeah. And they're also saying, I don't even know how to vet myself, so good. You know, so kudos to Eric Woodard, who basically like outlined, you know, he had like, these are the things that you should look for.
These are behaviors or like, you know, indicators of what you should look for. So there was one person there who like, had a lot of war stories, like, well, you know, um, we looked at the number of tickets that they closed, but that wasn't necessarily a good metric. So it was really good. And, you know, I wanted, um, the audience to know as well.
You know, we had some mature, um, MSPs up there, so it was like, you know, what do you do when a client comes and says, no, I don't wanna pay for that. And both our representatives were able to say, well, then we, we walk away. Right? Wow. Um, because, um, we don't want that liability, you know? And, and, um, Kurt Dukes, who's been on here, my boss, he did a panel on cybersecurity, of course.
I mean, not cybersecurity, well, cybersecurity, cyber insurance, which of course, people were also curious about, like, you know, what can my MSP fill out on my behalf? Where does the liability start and end? Um, were some concerns from that from, from the audience on there as well, which it's a little bit murky, but, um, so people, um, in the SLTT space certainly are using MSPs and are wondering, you know, and have questions around it. So that was pretty cool to see. Yeah.
I'll just close with Andrew. I was gonna say the right answer is, yeah, you can't work with people that aren't gonna make the right security investments in theory. That's great. And the people that you had can do that because they have a sales marketing and sales engine, so they bring on new MRR, like, pretty predictably. Um, if you don't like many MSPs, it's really hard. You end up with customers, you can't live with them, and you can't live without 'em. That's a really good point. Gary.
What was fascinating, Phyllis, is, um, fascinating and I, I air quote fascinating. I, you know, I look at the CyberWire, it's a great publication, and just this past week, I, I literally almost every, you know, they, they, you know, put all the articles of, of attacks. Mm-hmm. And the number of state and local government is just exploding. And, um, and I'm just wondering, you know, what are you hearing from, because you guys house the MS-ISAC, you're the SOC for it, the threat intel.
Um, so, so, and any thoughts on that? And, and, and are they hoping MSPs get, you know, there's better collaboration, um, because this seems to be a growing, and it's certainly tangential to what we're gonna talk about today, because a lot of these are credential-based attacks, which is where things are starting. Yeah, I would say, um, so many of the, especially SLTTs, are leveraging, um, MSPs and they're looking for the MSP to provide them that security.
And so, you know, I've, I've said before, and we joke that like the MSP really does provide that extra S, that security, right? So like, you know, SLTTs are expecting security services from their MSP and many of those SLTTs don't know how to ask, don't know what, what to ask, but it's still their expectation, right? And, um, you know, we at CIS, those folks at the MS-ISAC, we always say, oh, contract out your IT since you don't have that expertise, right? Mm-hmm.
Get that expertise from the MSP, and, and that's where they're expecting those backups. They're expecting, you know, all, um, all those security services. Now, I understand that you're talking about, uh, an end user base that has a restricted budget, um, and perhaps, you know, maybe not, um, something that you can, um, negotiate easily with. However, you know, we're, we're, we're trying to help that. Um, and we did recently not to like, you know, shill our wares. It is free.
We recently did put out, um, a costing paper, and we are trying to help organizations get that money to say, this is how much security costs. And that's what, what people really want to know, how much should I budget? How much does it cost so that they can help, um, budget and tell decision makers, this is how much money I'm going to need, um, in security. So one last, one last thing, if I may, then, where are we, we're almost a year now into CISA's announcement of the $4 billion. Oh, yes.
X period of time. And we haven't heard anything since about establishing a cybersecurity program, yada, yada, yada. And you'll get funding, right? Um, this would be a boon in theory for MSPs that are working with these SLTTs on building their cybersecurity program. Um, any, any update there? I, I have not been following that, so I don't really have anything concrete to say other than this first year was about those programs and I believe it was like the state, right?
That was supposed, yeah, the state does. Yep. And then they're the ones who divvy up the funds. Um, and so that is interesting. And, uh, I, I do wanna say, and I'm curious what MSPs are experiencing. Um, StateRAMP was mentioned as a way to vet, um, service providers. I'm curious if, um, if any MSPs are participating in StateRAMP, care about StateRAMP or looking at that. I'm cur, and I'm gonna try to find out, are the states looking at StateRAMP for service providers? Yeah. Cool. Alright.
Um, Garrett, just real quick since we talk conferences is your URL up 'cause I'll, I'll just briefly talk about boom up. Yeah, yeah. Miss fest.com. Okay. You wanna throw it into, uh, there, um, I think I mentioned this last time. Um, Huntress has already sold out their pre-day. We're about ready to announce Phyllis in the next week or so. You doing a pre-day with Black Point where CIS will be heavily involved there. So, um, uh, that is it on the announcement side. Let's get on into it.
So, um, last week we had, uh, Bill Tindel on, and by the way, if you didn't see that, you should go watch that. That was absolutely, I think, one of our best yet. Um, Bill is unbelievable in terms of being able to scale a business. Um, and, uh, he talked about, you know, Electric, uh, AI and his thesis. Gary, you asked him about, you know, hey, when you started this thing, what was your thesis? You know, 'cause they raised a fair amount of money, right? And their thesis was everything.
Not every, sorry. A huge amount of the work was gonna shift to SaaS and cloud, therefore, if a huge amount of effort, workload was shifting to SaaS and cloud, therefore his background in robotic process automation or RPA would lend itself to a lot of the things that he noticed that MSPs did in a manual fashion. That he felt they could build a platform to automate and put in immense scale. His thesis turned out to be very true.
There are companies at a thousand customers and over 50,000 endpoints and obviously doing very well and scaling very rapidly, which led me to think about, well, if they're thinking about everything shifting to cloud or a fair amount, I should say everything, fair amount shifting to cloud and, and, and SaaS, what are the threat actors doing?
And obviously, you know, in tandem we're seeing them do lockstep activity, which has to do with credential theft, which we saw in the Verizon DBIR, but specifically around something called infostealers. And with that, I wanted to bring on Jason Schiffer because, as he'll talk about in a minute, their platform is something that works specifically in the browser.
And Phyllis, you know, in talking, uh, offline, um, with Ryan Weeks, you know, he's a believer that a, a few things, and if I, I'm stealing thunder from questions, I apologize. But he said a few things. Number one, he's like the browser's, the new os, number one. Number two, um, this is an area of inventory, whether it has to do with the browser itself, browser extensions that's being completely overlooked that threat actors are capitalizing on.
So, um, with that, um, Jason, thanks for joining us. Tell us a little about yourself, Conceal, and let's get right on into it with, uh, Wes kicking things off. Wes, I actually don't have you last this week. I wanted you to actually have time for questions. Alright. So, uh, Jason? Yeah, welcome. Um, Jason Schiffer. I am, uh, the VP of technology at Conceal. I've been in the security industry for, heavens, 20 plus years now. Um, at Conceal, we build, uh, endpoint detection in the browser.
The kind of our thesis along the same lines was nobody wants to install yet another browser or be locked down to a specific one. So we built an extension and a whole lot of tooling around trying to detect bad things before somebody can actually get hit by it. That's kind very cool. Very good thesis. Um, Wes, yeah, how about you? Taking on over my friend?
Let's, yeah, I, I do think, I think as we get started, I think Ryan's right, I think that it is right, is, is we pushed, um, you know, identity is the new gateway and the browser is the new os, right? Like, that's a good way for us to think about security. And we're, I think in a lot of ways just the security industry, not, not just MSPs in the channel, but as a whole, we're woefully unprepared for that.
Um, I think when we had, uh, Phil in from Verizon, the DBIR, about a month or so ago, you know, he really showed that credentials, uh, are the keys to the kingdom now. So we, we've seen this huge shift and we're not doing enough around it. So I, I completely agree with this, this thesis. So I guess, Jason, get us started with this question. Let's, let's focus on, um, infostealers.
And in a minute I'm gonna ask you how it's evolved, but first just level set on what they are today, why it's a threat, and if it's something that you guys see a lot. Alright, so infostealers are a large category of a bunch of different methods, but it really comes down to attempting to gather information from the endpoint to use for whatever the next level is.
Whether that's things like social security numbers, your login credentials, your bank account id, whatever, those pieces of information that can then be either directly used if it's your credentials, or can be aggregated with other information collected from elsewhere along the lines of social security number and home address or whatever the pieces they're trying to gather specifically. Okay. And it's insidious, right? Like my mother-in-Law just texted me, um, a couple nights ago.
She's like, Hey, I got this text from my bank. Is this legitimate? And at first I looked at the domain and they bank it like Cecilia Bank. And I looked at it, I'm like, yeah, that's good. That's legit. So I clicked onto the link and went to look and it was just a normal login. I'm like, well, that's interesting. I'm like, but I'm always the kind of guy that I just feed crap in just to see what'll happen.
So I gave something bogus and it immediately brought up a 2FA prompt and said, great, thank you. What's your 2FA code? And, and of course they have something automated behind the scenes that's both harvesting the credentials and then gonna hit the 2FA at the same time and see if they can get an active session, right? Yep. That's modern stuff today. And the reason I missed it, and she missed it, was the threat actor added one extra L in Cecilia Bank. And I didn't see it at first.
And so I wrote her back, I'm like, please do not go there. This is super, super, and I mean, they did a great job. They, they targeted the bank. Well, uh, they replicated the site, um, just stuck one extra l in there. And so I think, can you kind of talk to us about like, let's, let's follow that pathway a little bit. Why are bad guys going after credentials in such a deep manner? Why is that so valuable for them to do those kinds of sophisticated attacks?
Well, it's, uh, real simply, you can think about it from, they're trying to get any type of toehold in no matter what level it is. So the, the example that I, we used to see a lot more of it, but it's now kind of broadened. Um, the, uh, executive assistant would be the number one target because you already know everybody's watching the CEO or watching the person who's got, you know, massive controls around them, but his EA or her EA may be the best toehold to get in.
And if they can hit that machine, then they're gonna get to the next level and kind of level up continuously. So that plus the fact that the tooling has become much better for automating these attacks.
So they, they're able to u um, it feels like it's coming directly after you, even though that person, the per people on the other end of this do not necessarily know who you are or even care, but they're able to scrape websites, rebuild them to be an attack surface, then deploy it, then send a customized link that you click on and it looks identical to in every way, except for, like you said, the URL may have an extra L in it or whatever it is that they're using at that particular method.
And so, yeah, there, it, it has massively leveled up and the requirement for the person, the threat actor to be skilled has dropped significantly. They are nowhere near the level of, you know, like what you used to see in the movies of this elite hacker, you know, swirling screens and whatnot. They're not at that level anymore. They don't have to be because the guys who are at that level, they're writing the software that other people are deploying. Yep. Okay.
So maybe just a follow on question to that then. I think the way in the channel, the way most of us sort of deploy a browser strategy is we probably adopted and tried to solidify in one, whether that's edge or Chrome or whatever it may be, but we really haven't, I don't think any of us, most of us have not gone down like that really deep pathway of like pushing a hardened secured browser out like a talon, right?
In fact, I'm curious in chat, how many of you guys even know of like secure browsers, like that pre-configured and have a lot of settings, like a Talon browser? Gimme a yes or no back in chat, 'cause I bet the answer's largely gonna be no. So my question for you, Jason, is like, what should MSPs be thinking about when it comes to like browser hardening, browser configurations? If Ryan Weeks' thesis is that the new OS or the, the, the OS of, of, of importance is the browser?
What should we be thinking about with a secure browser delivery? Like anything that that sticks out to you that we should be doing, thinking about configuring? So I would say the first step is to think about it like the same way you think about an operating system, separation of privileges is probably the number one thing that you need to do.
So start with the standpoint of my browser should, it's the new os my, uh, so therefore I need to separate things like my password manager does not necessarily need to be an extension, right? It can be a standalone on the side tool so that therefore it's no longer directly even theoretically attackable through a browser page. Um, whereas as an extension, they can put in enough code to pop up the, Hey, do you wanna autofill this field in depending on the configuration for that point.
So starting there and then working your way down through that list until you hit the, the classical problem of if you're, if the user finds it not just inconvenient, but if they can't get their job done using that tool, they're gonna find a way around it. So finding the way to configure it such that it is as secure as you can make it.
And at the same time, not completely disrupting or fo uh, example that I saw in one was, um, I don't remember where I saw it, some chat recently, but talking about password managers, the built in password manager, your browser asks you for that. My number one thing is turn that off.
Get into using an external, uh, third party, whatever it is, password manager, because it is way too easy for that to be an attack vector of constantly prompting, you get in the habit of I just insert my credentials whenever that pops up. And now you're just, you just dump them into the wrong thing. Um, the, sadly, there is no easy path to doing this.
There are some kind of security, uh, uh, baselines of where you can start with, but in a lot of ways it's, I won't say custom to each user, but it has to be tailored. Um, so that's, there's no nice golden, you know, here, if you just do this, you're gonna be great. So, And, and what you're talking about really screw you Up, Gary. No, I was gonna say it's really invasive. Like this is really hard. The same issues we've talked about and it's gotten better, right?
With, um, multifactor, but when you talk about this, just what you mentioned and how users actually work in and out of 20 apps a day, um, that's really hard Situation. And each user may have a different, you know, a different set of those 20. So now you've got 20, you know, divided by two times n in order to get that, you know, what is that going to do? It sounds expensive, doesn't it? Yeah. That's it. It sounds expensive. That's what you were gonna say. That sounds expensive. It, it is.
And there's some great commentary going on in the chat right now. There we go. Like, this is stuff that you've like, I'm not sure that we're even doing things like Zach mentioned from Cynthia on, you know, like, are we mapping through configuration standards? Are we actually doing that as part of a risk assessment for a client? We probably should, we should probably include user roles. What are those users? What things do they need access to? What does your data flow look like?
Those are all things that MSPs need to do and you gotta bill for. It's not cheap to do that, but clients need to see that if you're gonna be doing this the right way. So, okay. Jason, walk us through the evolution then. That was the other question I kind of tabled for a second. You know, it used to be just phishing attacks, right? Just steal usernames and passwords, but man, they are much more nasty now, all the way to the point where bad guys are now selling.
We talked about this a while back on a cyber call, but we talked about how even some of the criminal marketplaces aren't just selling credentials, they're selling credentials with active sessions. So you can just hijack that session and you're right in. So walk us through this evolution, if you would, which is very convenient. Oh, yes, it's great. Yes. Buy this active session. They haven't rebooted yet, so we're good to go.
Um, the, in a lot of ways you can think about this the same way you'd think about the, um, the financial markets, right? Where you have your baseline of you can buy and sell a stock, that's your, your initial, I can buy a bunch of credentials. Then as people got started to get a little better at this, they weren't able to sell individually these pieces. So they started selling them in bulk, large sets up.
So I can buy a a hundred thousand credit card numbers, but maybe only 20% of them are guaranteed to be good or projected to be good at the time of that. As we have gotten better on the security side, they are escalating at the same way. So now they're doing derivatives of derivatives of the different methodologies for getting it. And those, like you were saying, the ones that have an active live session, those are their premium.
And particularly if, oh, you've got an active life session into Capital One banking session and we've identified that this person is an internal works in their IT department inside of there that's now big dollar, uh, in the black market. So I think a lot of the time is thinking in terms of how they've, how they've gotten better is purely based off of the economics of what you can win on the other side.
So I guess what I'm trying to get, there's the technical side of how they've gotten better, but the key factor is they're still working on the same underlying principles of whatever they can get that's going to take them to the next level.
So we've gone from phishing attacks, like I said to Mel, you've got now SMS attacks that are doing third party with, um, so, uh, my daughter gets a SMS messages from my boss saying, Hey, I need you to go, uh, uh, get me a card 'cause your dad needs, uh, whatever, $10 from Amazon gift card, whatever it is. So they're getting more and more derived away from their actual target and any methodology that they can use to get that first toehold.
So I, I know I'm not really answering the question you were asking, but you, oh, sorry. Yeah, no, you're doing a good job. Phyllis, this gets into, and Wes, all the team, pretext, this whole notion of you don't even have to, you know, get somebody to fall for something anymore. You just tell them to do something, which is phenomenal, right? Phyllis, and, and when you look at the Verizon DBIR where, for the first time ever, pretexting is more of a tactic used than phishing. Yeah.
I mean, it, it overtook phishing. And that was one of the most surprising things. Um, you know, that Philippe Langlois, um, who works on the Verizon Data Breach Investigations Report, said, you know, he, he was surprised when he saw that, that, um, right now it's overtaken, um, phishing as the number one way to get into, um, you know, to, to, to attack an organization. Yeah, yeah. No. So Jason, I think you did a good job kind of outlining it and, and kind of just leading right there.
'cause that is the, you know, the, these social type methodologies of just telling somebody to do something. That's really where we've evolved through. The other thing, and I know Gary is, I think Gary might be off screen a little bit here, but I, one of the things we talked about last year, we all were on live Shani Fest, but the supply chain, that's the other thing, right? Wes is how it's not just the fact that Jason mentioned you don't even have to be a great threat actor anymore.
It's more so the fact that these supply chains are so efficient, right? Yep. I mean it's it's in Go Ahead. No, I was just gonna say we, you know, we've classically looked at like breaches as a two car wreck, right? One party hit the other and it's at fault, but it's really actually more like a big pile up on like a snowy highway, right? Where you got bam, bam, bam, bam, bam, bam, bam, bam. I know it's kind of a crazy analogy, but it fits, doesn't it?
Phyllis, I see you laughing like that's who's actually at fault and what was the cause? And like, does it matter when you're eight cars back and you got eight other cars that have all hit you two? Like, this thing gets to be a train wreck because of what the, what supply chain has really done to us, right? And, um, we, all we've done is we've just greased the wheels or we've added more snow and ice to the road by doing all kinds of things. Like SSO and OAuth and API integrations everywhere.
And I'm not complaining, right? It's the speed of business. But I, I don't think that we've, and we've talked about that too, Andrew, on the cyber call. Like, um, I remember we keep talking about Ryan 'cause he is awesome when he was talking in depth about APIs. Remember that call and, and you know mm-hmm. He's like, your job after this cyber call's over is to go and start auditing all of your APIs and understand what has access to what and start calling things away. That's your job. Mm-Hmm.
And I'm like, that's good to hear. 'cause these are all things that lead to supply chain challenges, um, for sure. Yeah. Yeah. Yeah. Wes, I would say one thing, you know, I've gotten interested in this whole thing in ChatGPT or Bard, whatever the heck ML you want to use. Yeah. But it's something called prompt engineering.
And this is something that I think MSPs really, you know, you, you ask it to speak in terms of the CEO and I did it and said, speak in terms of a CEO of a $25 million manufacturing company, what the most important things are to your business. And interestingly, number three was supply chain and that, you know, needing redundancy and the importance of that manufacturing firm. And what, what this all brings back to is Brian Blakely talks about is how you speak to the customer, right?
What's their language? So again, are they gonna understand, you know, uh, infostealer malware? No. Are they gonna understand that, you know, what if your largest supplier that impacts 80% of your revenue got taken out? What's your, you know, what's your continuity plan for that? So that's kind of where, what I'm hoping we all, you know, and Gary talks about this, this is ultimately our fault if we can't get them to take action.
Well, I think that's a, a large part of, so the security side, we just talk about, oh, how do you secure something? What are the actors? How are they coming in? But all of this falls under the risk assessment that everybody should be doing. I mean, you should be doing it for yourself or your business, whatever it is. You have to, if you don't know what's at risk, you don't know what to protect. Right. Very excellent point.
So, Jason, last question for you before I flip over to Phyllis is, you know, let's also bring into scope living-off-the-land attacks. So for those of you that don't kind of know what those are, just native tools that we have, like PowerShell, like PsExec, um, or, or things that could exist in a cloud-native environment, right? There's a lot of stuff that is not necessarily malicious by, um, by, by the tool itself or the activity, but can be obtained and exploited for nefarious purposes, right?
So we know that living-off-the-land attacks are harder to detect. We know that they typically can filter out with all the rest of the noise and we don't see it. So just walk us through infostealers, what we've been talking about in this whole conversation today, alongside living off the land, if you would. So an example of that might be, um, I push, I push you to execute something, a script.
Um, a PowerShell script would be a prime example that then goes and pulls down what it needs and inserts something into your browser or scrapes your password hashes. If you're on like a Unix machine or a Unix-shaped machine, it doesn't really matter. All of them are using tooling that most operating systems have built in as part of their process.
And there are no matter what you do for your operating system to do what it's going to do on a day-to-Day basis, a lot of these tools need to be there in one form or another. Even for the automation of a Windows machine, you're gonna have PowerShell some form or another. The number one way that you can deal with that is exactly what we were talking about before, which is doing that separation of privileges inside your system.
So it is absolutely possible for you to say PowerShell cannot be executed arbitrarily without administrative control. So me as a regular user, I go to execute the script and it gets denied, or at least I get prompted to escalate, which then as most of these, makes me stop for a second and think about what I'm doing or should if you're doing the right things. So I think in a lot of cases, these tools, you can't lock them down or you ca when you're locking them, you can't remove them.
That's the right way of putting it. You can't just take it off the machine or you're gonna break. Everything's gonna break. So all of these patterns of anything that is an automation tool, anything that is a, that does not require the user to be using it should be kind of locked away under administrative controls in one form or another. Adding in the roles that allow you to, you're here to use this machine. Here's your browser, here's your email client. Those are your primary things.
Anything else you need, you need to get permission for or an exception for. And again, it's the same thing we're coming for, it's a big pain in the tookus. Um, the, uh, I use stronger language, but one way or the other, there's no good. No. Let it rip. Stop them. Yeah, let it rip. There's no, there's no, uh, silver bullet to solve this. So it really comes down to anything that can be executed through some automated tooling, all of those should be locked down.
I mean, that's really the best you've got. Love it. Thank you, Phyllis. Yeah, sure. Um, so I'm gonna, I think I'm gonna skip over the first question, but I'll, I'll still give some context. 'cause I think you already answered about, you know, um, using a secure browser or, you know, how is it that, um, enterprises in the short term can manage the browsers, but, um, you know, you've already covered like info stealers, they're in, they're out, right? They're, they're in, they're out quickly.
They get the data that they need in a short period of time. And then, um, you know, sometimes data's packaged and sold as, as logs. So the research shows, um, that of course everyone wants to use, um, stolen credentials, um, to get unauthorized access into networks, of course via remote access, um, using services such as VPNs or M365.
Um, so do you see the need for zero trust network access, um, to help out, you know, so to, um, and then you would have to get that additional right before you get access, such as the device, your ip, EDR, you know, on those managed devices. What are your thoughts about that? Uh, as much as is humanly possible, um, you, it, it's all about the layers of protection you can add.
And if zero trust is a should be the default, I don't know who you are, just because you have a token, I don't know who you are. Just because you come from a specific IP address or appear to come from a specific IP address, I, you know, so I, as a, on the corporate side, on the asset side, I should be trusting nothing about this packet that's coming in across the wire, making a request for services.
If you're thinking about it like that, every layer you can add that gives an extra, uh, extra piece to the puzzle of is this person who I think it is. And more importantly, is it the person I think it is right now, as, as Wes was talking about before, they're selling sessions that are already in existence.
If you are, if that access then allows, oh, you're coming in from the VPN and, uh, so yeah, you just immediately get access to the, let's say the database or local file storage, then you, you've just given away the game. Um, at each stage inside of that system, it needs to be re-authenticating, finding a new way to identify you. And it doesn't necessarily mean you have to be prompting the user per se, but there needs to be something else that is constantly being checked to verify.
Not only are you who you say you are, but you're still who you say you are. Yeah. That is crazy. The session stealing just because, um, so many organizations today are just relying on VPN, right? And it's like VPN in, and then now you have access to the whole entire, um, organization. I don't wanna say which organizations could be government, could be not government, I'm just saying a lot of people are doing that today. So Across the board. Yeah, yeah.
Um, you know, is, is that what you mainly see just outta curiosity? Yes. And uh, I would, I would even It is absolutely what we're seeing, we see it a ton.
Um, the, it's one of them that even in a security organization where you're constantly thinking about this, it's very easy for those things to slip in because people by default trust and that trust can easily slip into, oh, well you've gone through the VPN, you went into a jump host, you've got an SSH connection, you've got whatever it is that you're coming in through that extra step of, oh, now I need to re-authenticate to connect to the database, to be able to check who, who's in there and what's, or what data I wanna extract is just a layer that it doesn't feel necessary until it's too late.
Right? Mm-Hmm. So it's that constantly add in the extra layer, and the more that you can make that extra layer something that doesn't get in the way of the user, the better. But it still needs to be happening constantly. And I think it comes back to that same, um, kind of the, the, the risk audit standpoint of if you understand that if they get, uh, I'll use our company as an example. If they got access to our company database, what gets lost?
What, what can they extract from that system that would then, or how much damage would it do to us if that happened? Mm-Hmm. And so all the layers we put in place in order to make sure that that doesn't happen, and more importantly, that if it does happen, we're alerted quickly, which is, you know, the other side of zero trust, I think requires the auditing constantly. And then the, so being able to look back at if it did happen, how did it happen?
So I think zero trust needs to have the other half of it, right. Constantly has to be looked at from an audit alerting standpoint. That's awesome. Thank you. So, um, as was mentioned in the beginning of the call, I just came back from MS-ISAC where all intent, all of the attendees were SLTTs, right? To include like K-12, elections folks, et cetera. So I, I just mentioned those 'cause those are not typically what organizations or folks think about for SLTTs.
So most threat actors, um, info stealers included, are looking for the best financial return. And so they target those verticals, which could be the most profitable: financial institutions, healthcare, and of course the government. Um, does this line up with what you're seeing, you see, um, as being targeted? I would say those are the, where we see the ma the final target are those things. Mm-Hmm.
So in the vast majority of what we're looking at, let's say a large enterprise, um, we will see two or three steps away from that final target. So we see an awful lot of attacks on, um, family members, so directed at at them. But you then look into it and you discover that mom works at the government or dad works at a bank, um, wherever it is, we're seeing like this two or three steps away. But it does appear that the final target tends to be those, at least on the majority.
Um, it's where it is going after the money. The, there is one other aspect though, and that is those are where the big dollar payouts are the single target. You get that a lot of money. The secondary thing that we see is lots and lots of very small dollar figure broad scale. Hmm. So you'll see campaigns that are going after, uh, Craigslist buying a kitten for $15 and they're doing it running a scam inside of there, but they're all coming in from the same path of injecting into broad space.
Get go after somebody who has something that they want and then kind of target them. That's interesting. So I think we should, you know, look at that, um, kind of pretexting training, right? The only mitigation to that really, um, is training, right? Yeah. I mean, I don't know how else, there's no really technical mitigation, Correct? I, there's no, there's no filter for if it sounds hinky, right? There's no, Yeah, no, that's, that's interesting. I mean, we just got hit by that here at CIS.
We got him asking, saying, with the CEOs texting you asking for a meeting. Nope, don't respond to that. He's not, he's not really texting you. So Yeah. That's so interesting. So as technology has evolved, of course we've already talked about, um, ML, um, ML, machine learning or AI, um, to sift through all the vast amounts of stolen data to get of course the most valuable information, of course as fast as possible.
Um, so as a counter to that has concealed, um, incorporated, um, ML or AI into their platform? And if so, how? So I'll say there are two aspects of that. One you, you were asking on. They're using ML in order to, uh, aggregate the data, kind of the big data, sift through and try to connect things like the social security number to a bank account, that kind of thing. Right? There's the other half in that they're also using ML to, for the actual attack.
So they're using, as an example, there's a product out there on the you that can be gotten that is purely using ChatGPT or an open source model of it to write the campaign of what you're about to send out an attack with. So they're using the tools just like we are for their purposes. Mm-Hmm. On our side, we are absolutely doing, uh, ML, but we're kind of taking it different than the vast majority of, at least historically the way that security systems have used or tried to use ML.
Um, and that is one, the main reason why is all those systems that have been built up are in order for you to make them sensitive enough that you are able to catch the bad things, they generate ungodly amounts of false positives. Right. And the negative with false positives, the negative with false positives is that, um, you start to ignore them. Right? Right.
If I see a hundred false positives and then one real one, I'm gonna ignore that one real one 'cause it doesn't stand out, we're taking a different pattern in that our ML is designed around detecting shifts and patterns. So it's designed to inform an engineer or security, uh, practitioner about, we've seen all of these patterns are consistent and now today we saw the same thing happen, but this segment is different or this workflow was different. Mm-Hmm.
So informing a practitioner on what to start making the system look for in the future so that we're not inundating with gobs of false positive. In our case, if we get a false positive, your page gets blocked and, you know, people are gonna turn us off if we're blocking perfectly legitimate pages. So from our standpoint, we are using it to determine if this pattern is shifted and then add in tooling to support protecting against that new pattern. Yeah. That's always the rub, right.
You know, looking at, uh, audit data or just looking at, just looking at data in general and then reading out the false positives. Um, because analysts get tired too. They're humans, but, you know, so, so we want the automation to step in, but it's not totally flawless. Right. And so, And it can't be balance. Yeah. I mean, Yeah. It's not possible. Yeah.
And that, that's the hard part is that, you know, the, the sales side of companies, they want to pitch it as perfect and there's no way for it to be perfect. What you can do is make the process as strong as you can make it without making people trip over their own feet. Right. We want them protected, but we also don't want them, well, we want them protected, so we definitely don't want them to turn it off. Right. The, you know, finding that balance. Yeah. It's Perfect presale.
It's always the usability versus security. Um, Always, Always. Well, Gary, off to you. Okay, so this is super interesting, right? As we're watching this landscape change so dramatically from the first cyber call and the kind of things that we're talking about today. So according to Gartner, they said that enterprise browser management will be widespread adoption by 2030. That's not that far away. And Google and Microsoft obviously are positioned to dominate this.
So what do you disagree, agree, or disagree with this? And what does that mean for early adopters? 'cause this pattern where there's something we can get in, we can help, we have some R&D, we're early adopters, we make money, and then after it becomes widespread, the big guys come in and say, oh, thanks, thanks for that. They push us aside and say, you know, we'll take it from here. That's a story of my career.
Um, the, what I would say is, I agree in the, in the year that we've been building this, we started with none of the tooling and nobody who was installing it, they were all looking at, how do I go automate deploying this thing? So we're talking the baseline. How do I remotely execute an MSI across a bunch of machines to do an installation to where, and that was the exception. They were looking at how do I write a script to do this?
And we're already seeing a lot of them going from, uh, uh, deployment tooling to MDM, uh, tooling for actually doing the enterprise management level of all the, all the browsers.
We're starting to see the browser tools start, or not the browser tools, but the deployment tools start to understand extensions, which is just a minefield of places of things that you can trip over just trying to enforce a browser policy or, uh, or worse an extension policy and all the things you can break and whatnot just by using the tooling and they're getting better.
So just that path in the last year, I've seen a huge ramp up in the direction of where they're going with added tooling and more and more people expecting it to be the default. So I think absolutely it's on the, it's on the pathway for them to be on the enterprise for it to be managed. Yeah. I think a large, there's, there's a huge gap. 'cause I agree with you, you left one out, which was Apple, and Apple was a huge, early, early adopter of full MDM at the outset.
So it's actually not possible to side load, um, for side load an extension on Apple. Um, as a policy standpoint, the only way to do is with an MDM and I think everybody is going to be moving in that direction because it, for, well, two reasons, it forces you to use one. But secondarily is that it, it obscures all the technical bits behind the scenes of what has to happen in order for this thing to go into place. And it makes all of it more explicit about what's, what's deployed.
So yes, I agree with you. I agree with Gartner at least. Um, and I think from the, how does that help the early adopters? Well, none of these things are trivial. So if you know it and your competitor doesn't, you're gonna be ahead of the game because it's not something they're gonna go pick up over a weekend. There's no book to go see. How does MDM deployment work? Well, yeah.
Um, so being an early adopter gives you the opportunity to experiment, find out what does work, what doesn't work, and then be able to guide others as they start coming to you. Yeah. Listen, and I think that's, this is what our job is as managed service providers. And again, why I harp on pricing, because it's expensive to innovate, it's expensive to be an early adopter, but Wes, this is our job.
And knowing that almost many of the things we do eventually, they don't have the same margin, we might not even end up doing them someday.
And I think back over my 20 plus years in this, I can give you a longer list starting with like frame relay access of things we did and made money at, you know, all the way up till today that you get 'em, you make money, 'em, until they become mainstream, and then either all the margin gets sucked out or, or it gets plugged into something else in the ecosystem. But that's kind of our role, right? Wes would, don't you think as that's our, that's that's the service we provide. Yep.
That's, that's the delta MSPs are full of Delta, right? What's the change? What are we changing into? And I've said it before, Andrew, I know you got some too. I'll, uh, I'll say, said it before. I'll say it again. The future of SP in five years is not what it is today. You're gonna be focused on business transformation. You're gonna be focused on like automation. You're gonna be focused on, um, GC as a service. Like, it's, it's gonna be wild. Get ready. Yeah.
Gary, I was just thinking, you know, back in the day with supply right? And exchange, I mean, there's a lot of money to be made. Yes. The best thing that ever happened that they'll, until there was enough money be made that Microsoft said, well, we'll just take it. Right. We'll do it. You know? Yeah. So, um, go ahead. Oh, I was just gonna say, in a lot of ways, the way you just described it is exactly what doing a software startup is, which is the vast majority of my career.
We're always on the leading edge. Of course, there's higher risk in being on the leading edge, but you, you spend the money in order to do what you think is the best product that nobody else is doing yet, or that you're, the competition is so widespread, but, uh, low level widespread that you can stand out and really push the frontier of it.
Um, but every startup's goal is that I'm gonna get either large enough that I become the dominant player or somebody's gonna come acquire me because it's now become recognized as being necessary. Right? Yeah, absolutely. I mean, that's one concern I have. Like, we're going through a period now of, you know, this year, you know, venture funding's down about 50%. And what that means is innovation is down 50%, almost all the innovation Right.
Starts with the startups, and at least in the SMB, then it comes through MSPs. Like that's the cycle. And then eventually it gets to the big players who are distribution. Right? Yeah. How, if I, if I could just say to your point, and we've talked about this already here in Phyllis's question to Jason around zero trust just the other day, uh, Check Point bought Perimeter 81, which is a, you know, a zero trust ZTNA SASE solution. So it's is interesting, yes.
Those deals are way down, but for the, the ones that are, are ripe for where the market's headed, it's interesting where the, the money's still flowing. Yeah. And most of the, you know, listen, most of the, you'll see a lot more this year, most of the businesses, you know, who got funded in 21 now's when they're going for their second round Right. Their next round that isn't there. So, but it's not a good thing for innovation.
So, um, I, I Actually, I was gonna say at the same time, it is a clearing too. 'cause you have an awful lot of, uh, money that was going after people who could talk well, but not actually do the job. So in some respects, I think there's that good clearinghouse of, uh, a lot of those companies that aren't gonna get funded shouldn't have gotten funded. Yes. Um, a hundred percent.
I talked to a lot of that's another, maybe we could do a session on that, talk to a lot of startups, and then afterwards, I think to myself, they have no chance. And then they get and then they get funding. Yeah. And I'm like, well, I guess someone didn't know to ask the same questions. So I agree with you. Um, I have a question for Phyllis. So Phyllis, we talk about how corporations MSPs struggle with, you know, hardware, software inventories.
Now we gotta talk about browsers, extensions, SaaS. Like what's gonna happen now? We haven't even got to step one. We gotta get to step two now. Right? And you know, in the chat someone said like, the best thing you can do is really just have a policy about browser and extensions, which is true, which is true at this point. Um, I'm gonna, I'm gonna throw in one thing. Um, so I do believe in secure configuration as well.
So please, whatever configuration you use, get a secure configuration for your web browser as well. Um, but you know, it, it's gonna be hard to keep up. So the question is, um, you know, there's a thing called an SBOM, software bill of materials, right? And, and, and right now it, the burden is on the end organization to know what you have. The burden is on the end organization to be like, here's all my software and here's, like, all the libraries.
Here are all the different kind of files that, um, comprise that piece of software and that that burden is on the end organization. The nice thing about an SBOM is that burden gets shifted to the software developer. The software vendor. And so I think the only way we get to really have good software inventory is if we actually do shift that burden, right?
And so that's, that's the power of an SBOM. If we could ever, you know, get there to, um, a standardized SBOM, I mean, I could go off, but I won't. So right now I would say SBOM needs some work. Um, today I feel like vendors are just, um, meeting the letter of the executive order, not necessarily the intent of the executive order. So we aren't quite there, but, you know, we really need to create that demand signal, MSPs unite, create that demand signal.
No, we Need, we have, we need an SBOM, but instead it's just a huge SBOM. Exactly. And it's just there, where are the tools to read it? Where are the tools to actually get what you need out of it, et cetera, et cetera, so on and so forth. So, Yeah. Sorry. So, um, next question, Jason, I had for you. So I sit on the board of a couple large scaled MSPs. I have a peer group with 450 MSPs that we meet regularly.
And they're all, and the one topic that comes up now constantly is tools we got, there's anywhere from 30 to 40 or more, you know, tools that are out there. So if the browser really is the new os, um, with SaaS and browser, like, will, will, what, what will that look like? Your tool stack? You know what I mean? Compared to like premise, is it gonna keep just going like this? Where we gonna keep buying?
Will we have a hundred tools or, or as the environment changes, do you think it'll, it, it, it, it'll get more reasonable? I think grounding in tools, there are two, two ways to think about it. If, if people are able to install whatever the heck they want to, then it's just gonna keep growing, right? There's no getting around it. Yeah. Um, there, the, it really gets down to is it reaching a business objective?
Um, is it giving them what they need in order to achieve their goals without ex more exposure? So I think initially it's gonna grow. However, I think at the same time as we get a better handle on that, um, as an industry, both security MSPs, um, training, the same thing, uh, Phyllis was talking about earlier, helping people understand what they actually need versus what they don't.
And maybe that's materials that, you know, you're not having to put them through training, but just, uh, understanding of the space. Every tool you add, uh, I'm trying to think of the, I was just reading an article recently. It basically was talking about that every, every tool that you have both add something and take something away. And whether you realize it, oh, I added a password manager, so now I no longer have to remember my passwords.
However, now I've also trained myself to click on a button every time it pops up in front of my face requesting my password. So the better we get at figuring out what is the purpose of it, does it solve a, does it solve a need? And then what is the scope of it, both through your SBOM, through, um, the, the workflow that it introduces or takes away that we'll start to whittle those back down. And I think in some regards, it's always gonna be that expanding contracting space. Yeah.
Uh, sadly there, it's not one of those where if there was one tool to rule them all, then that's great. That's now the adversaries are just going after that one tool and they're gonna win, right. Because they will be able to, part of the reason why we're able to do well in the market from a protective standpoint is that they do have an infinite number of vectors that they have to try to go after. So they can't get everybody all at once. Yeah.
And they only the other on one or two of 'em at a time. Our team exactly. Greened on all of them. And, and I, I see two things across all the MSPs, like as a general rule. One, they're getting not more efficient right now. And I measure efficiency by how much revenue per tech or employee. Sure. And I also look at just, uh, how they can, how efficient their support is getting tickets done and it is going sideways or backwards right now.
And it's coupled with another issue, which is it's really hard getting talent and I think tools are at the center of it. Like used to be able to train a guy on eight or a gallon eight tools and get 'em up and running that week when you have 30 or 40 plus tools. Think about the training process and if you're on support desk, you touch most of them Right. At some point or at some point or another add to this complexity. Um, I, one more question I had for you. We're getting to the top of the hour.
Um, and, and that is, you're, you're seeing it, right? Like in terms of browser management in the mid-market become more accepted. Yes. And what do you think drives that? Is it supply chain, the questionnaires? Like what do you think is driving that acceptance today? That's a, that's a good one.
'cause that, so my experience is directly when talking with somebody, solving some problem why they're trying to do the browser management as opposed to the sales side from, from that perspective, I truly, what I'm seeing is that they see this huge mess that they know that you go to, uh, we're gonna uh, take over managing some, some mom and pop doctor's office or whatever it is that they're going after.
And they see they've got 400, you know, extensions plugged in and they've got three different browsers with 14 profiles in them. And they go, holy crap, what am I gonna do with this? And what they are seeing is that, oh, well how do I tackle this problem?
The first stage of that life center a year ago is, oh, now I need to go write a script that knows how to do all this low level technical detail of adding and removing extensions and configuring profiles and that first stage of tooling that comes along and says, oh, I can help solve a bunch of that problem for you just to get your head wrapped around what they have installed. I think going through that, that mental progression gets down to this has to be simpler.
You don't need 400 extensions, it's just that you installed every extension you ever saw and thought that it was a good idea at the time. 'cause it was a good pitch, you know. So Jason, just to getting a, if I'm hearing you correctly, almost like an early on RMM was, wow, at least we can have visibility now of all the stuff, all these endpoints we're managing, is it the same analogy if you will? Yes. That we're seeing here. They're going from RMM to MDM to Yes, exactly.
That workflow as they started with how do I automate, automate seeing what's out there and then migrate to now I have to get a control over it because I'm taking on responsibility for managing these machines and they're putting whatever they want on it. So now I need to put some policy controls around it. How do I, you know, how do I go about that process there? And you get the MDMs and whatever other tooling that we're getting in that space is all around.
Uh, realizing that you're taking on a lot of risk as an MSP or an MSSP, you're taking on a lot of risk and you have to get your hands wrapped around that risk. And as you start doing it, you're realizing they don't need all the things that they think they need in order to achieve that goal.
So in a lot of, a lot of it is, uh, us training our customers to actually solve their job and get better at doing what they're hoping to be able to do as opposed to what they're doing, which was primarily when I see those, I almost always think they were trying to solve something and they did not know how to solve it. So they were just experimenting their way through trying to solve some problem. Got it.
And the first step is, is wind it all the way back and go back to what is the problem you're trying to solve. Let's work you through that. Yeah. And Andrew just, and this is the logic starts there, right? And it comes down eventually to SMBs and MSPs and yeah, I think that's that, that's the transition. So Jason, this was really good. It was awesome. And Phyllis, thank you. You know, it was nice to hear it wrap up around it.
Really the use case is what do I have inventory, which is where everything starts. I put Jason, I put your, um, MSP community URL in there if people wanna learn more about. We really appreciate you coming on and sharing your knowledge and wisdom with us. Phyllis awesome having you back. Wes, Gary, always awesome. Next week I think we're gonna have, actually have Ryan with us as our guest, so that'll be really a lot of fun.
So, uh, until then everybody look forward to seeing you all have a safe week and uh, we'll see you soon. Take care. Thanks everyone. Thanks.