Right of Boom
January 30, 2025

John Strand of Black Hills discusses his Core SOC Skill Course for MSPs

In this video, a group of cybersecurity experts, including John Strand and Carl Bickmore, discuss the importance of foundational cybersecurity skills for MSPs. They explore the challenges MSPs face, such as tight margins and the need for security training, and how courses like the Core SOC Skills Course can help elevate their security game. The conversation emphasizes the significance of fundamentals, frameworks, and hands-on training in preparing MSPs for effective incident response and overall security management.

- The webinar emphasized the importance of cybersecurity training tailored for MSPs, highlighting the need for a foundational understanding of security basics to improve their security posture.
- Creating a culture of security within an MSP is crucial, with security awareness and skills being integrated across all personnel, not just concentrated in a single role.
- The discussion underscored the significance of leveraging frameworks like NIST for security practices, helping to standardize and elevate the conversation with clients and prospects.

Guests

Andrew Morgan
John Strand

Video Transcript

All right, we're live and welcome to episode 61 of the Cyber Call. We got a star-studded group with us today. Gary, speaking of stars. How are you? Uh, awesome. I'm doing great. Andrew. Ready to go? All right. We are here today with John Strand. John, thank you for coming back and joining us, uh, owner and security analyst of Black Hills and a bunch of other stuff. I'll let you introduce yourself shortly, but appreciate you coming back with us.

Carl Bickmore, CEO of Snap Tech with us, Ryan Weeks, I think you're the CISO of some public company. We, um, Ryan and then Wes, great to have you with us as well. Okay. So we are, we've got a lot to talk about. A lot of really cool things to share today. Go out and get people. By the way, we went over 3,700 in the cyber call community this past week. If you guys didn't know, um, let me just quickly set the stage here. Andrew, can I say something real quick? Of course.

So, uh, I do a, a weekly, uh, audio message, like the mini podcast for all, all my members. And so, John, I did one after you were on and the see if you can know why I did this, but the title of it was the National Anthem. Oh, cool. Yeah. Very cool. So I used your little quote when I asked you about if this was a baseball game and you said it was a national anthem. I did a whole thing around. I love it. I love it. You said you. Oh, that's cool. I need a link to that. That'll be awesome.

Fantastic. Alright, so I'm gonna set the stage real quick, then we will get into intros and we'll get going. By the way, John, I got a few true or false questions for you before I hand it over to Wes. I'm gonna put you on the spot. All right. So, oh, since the July 4th incident, we, uh, it was awesome event. We had, gosh, live like almost 900. We had Kaseya on all sorts of things. We actually talked about what was happening the week after we had John on. It was Ryan's idea.

We wanted to understand, you know, what good application security looks like and how do you figure it out if you're an MSP. John had some fantastic ideas on that. All the cyber calls are up in the left hand corner schedule. You can hit hit it and, and, uh, look at that. Then we wanted to understand how to really start to manage risk for with third and fourth parties. We brought on Greg Rasner, who had just produced a book around that.

Then we heard about all the sweeping changes in cybersecurity. I'm, I'm sorry, in cyber insurance. Lots of cybersecurity changes in cyber insurance. We brought on Lockton, the largest insurance broker in the world. We talked about the onerous things that are happening there, the complexity, et cetera. And then Gary said, you know what? This is the perfect time to be in front of every customer and prospect. So we started to get tactical.

How are we having those conversations with customers and prospects? We did that last week. This week we're getting tactical on what we need to do to elevate our security game in terms of what our technical folks need. And Wes is gonna be talking about this a little bit about, you know, coming out of a peer group. Um, but I've been talking to John since he's been on, and man, I said, you know, we, you've got the perfect curriculum at Antisyphon and you're teaching a course coming up here.

I would really like to figure out a way to get at least 500 MSPs registered for this, which could affect over 2000 SMBs and in essence, protect over 500,000 on workers. We're gonna tell you more about how we're gonna go out, out doing that. Uh, today before we're done. There's gonna be, um, uh, discount codes. But let's suffice to say there is a ton of momentum behind the scenes. A lot of your most favorite vendors are supporting this. Um, it's Fif that would be 15.

That would be roughly 15,000 SMBs. 15,000 SMBs mass checking you. Yeah. As we, as we like to say. It's a good start. Yeah. Well, I like that, Gary. Thank you. There's, those must be true methods, not your average MSP, is that what you're saying? No, they're average. I just checking. Just I'm a fact checker. Thanks for checking my facts. I said it, Gary, I gotta say I was doing the math in my headset. That's light. Oh, I don't know what's wrong with my math these days. Okay. I put a poll up.

Please take a look at the poll. 'cause we're gonna get into this course. Um, I think it should be called John, I'm going out a limb here. I'd like there to be quotes, maybe like a little parentheses after course skills MSP Security Analyst course, because it is the foundational thing that every MSP needs. What are your thoughts on that? I kind of like that.

You know, one of the things that we've realized whenever it comes to naming something like YouTube videos, you can come up with a really creative name. Like, you know, something like Smashing the Stack for Fun and Profit, great title, horrible paper by the way. Very dry. And it, you know, if you come up with these really cool titles, it gets no traction. Um, but you get it like straight on the nose exactly what it is. That's where you get the Google traction. Got it.

So by the way, John, people are gonna start clicking things, et cetera. There's the course skills course underneath. Again, before I introduce you and Carl, can I just have you talk about your, it's a 15 year SANS instructor where people spend five, six, $7,000 Mm-Hmm. You know, you don't do that anymore. You felt an impetus to build your own curriculum. You have a model which is pay as, pay what you can not pay what you want. Mm-Hmm.

What's the impetus behind that, if you could and talk about that a little bit for us. So, alright, so one of the reasons why we kind of went this route with pay what you can is, you know, it, it comes back to conversations of diversity, right? And I know there's a ton of people in the industry that pay lip service for diversity. And anytime anyone mentions diversity, people roll their eyes and it's like, oh God, here we go. It's woke, it's whatever.

Um, but I honestly do believe that diversity is important. You know, doing this now for 20 years and teaching for 17 years, and I'll give you an analogy, and I think I may have mentioned this with a rooster in our last show. Music, if you have diverse voices in music, right? Like you have all these mixtures of all these different things, you come up with better music. And that's artistic.

And whenever you're looking at computer security, just in my own company, just having some diversity on the table, we get better results than just a whole bunch of white guys coming up with the same ideas again and again. So I've seen it, but the problem that I have in the industry is how the industry tries to go about increasing diversity in the industry.

So what they do is they say, okay, we're gonna do scholarships and we're gonna do scholarships for this specific ethnic group, this specific gender, this specific thing. And I believe that people's hearts are absolutely in the right place, and I don't begrudge them for that. But the problem that I have with it is, it doesn't change the fricking game. It doesn't change anything.

It's great you have that one person that gets that scholarship and that's wonderful, but it doesn't fundamentally change things at a core level. So whenever you think about diversity, what does that mean? Uh, you got race, you got gender, are you talking African Americans, native Americans? You're talking Pacific Islanders. Are you talking, uh, let's say Native American tribes that are, um, like Eskimos up in Alaska? Um, what, what, what, what exactly are you talking about?

But then you also get to places like where I'm at right now. I'm in Wyoming and places like where I'm from in South Dakota, where you have people that are really underrepresented in the industry because they live in South Dakota. And that can absolutely be a white dude that graduated from high school, immediately went into construction because there was no other jobs available to that individual and there was no other options. They couldn't afford college.

And they have this spark for computers. And in their spare time, they sit and they work with computer security type things and you know, they have that interest. How do they get in? And no matter what, whenever you're looking at lack of diversity, it always comes down to gates. And the biggest gate is always money. Whether it's money to get a degree, whether it's money to get training, to get a certification to get into the industry.

That's the biggest single gate that exists regardless of your background, your sex, your color or anything. So whenever we set up pay what you can. I don't care if you're brown, white, black, pink. I don't care what your religion is. I don't care if you're, uh, a guy that's working in a dish, uh, sink somewhere in Alabama. I don't care if you're a single African American mother in Los Angeles trying to do what you can to get by.

'cause as soon as you drop that pay scale down to the point where almost anybody can afford it, that gate is destroyed. And then it's opened up for everyone regardless of their background. And it's been absolutely, fundamentally transformative for me. Just seeing the number of people at our conferences. Like, we just had a conference in Reno, one of the first ones back from COVID.

And I had like four or five people come up to me and they said, look, I I, I was literally that person washing dishes or waiting tables. And I started with your classes a year ago and now I'm working for Kevin Johnson at Secure Ideas on a pen test team. That matters to me. And that matters a lot to me. That's awesome, John.

Okay, so if you are gonna jump on this, the code cyber call, you have to register for the 4 95 to get all the special things, additional cyber range, John's open Q and a, ask him and his experts anything after this. So yeah, if you're get click happy, just be careful. 'cause you may be missing out and you're, there's some other things we're gonna talk about. Big stuff at the end. So with that John, quick intro from yourself, then we'll go to Carl and we'll get going.

I'm the owner of Black Hills Information Security. I got started in computer security in the world's large, largest class action lawsuit, al versus Department of Interior. Um, I was an instructor for 15 years. I've done classified projects to mom and pop websites and, uh, I, I break into places for a living and that's a really cool job. That's awesome. And you guys provide some amazing stuff on Black Hills Information Security on YouTube. There is tons of free content. Go to their site.

They have an amazing blog, malware of the day. We could go on and on and on spend about that. Now, uh, my homie and good friend, uh, speaking of diversity, Carl Bickmore. Yes, I'm the Baldest here. Uh, I think that was established in the chat that that's our form of diversity here. Okay. Hey, I'm Carl Bickmore, CEO of Snap Tech. It, uh, we have offices in Arizona where I happen to reside also in San Francisco Bay area and in the Atlanta area.

And, uh, we are a concerned MSP citizen of the community. And that's why I like to participate and help. And it's an honor to be on with you folks and it's, uh, really fun to be talking with John Strand today. Uh, a a legend in his own right. Yeah, absolutely. And I had you on Carl, 'cause when we started talking about this course, you're like, I'm gonna send three of my guys. So I wanted you to be the voice of the MSP. You put your money where your mouth is, et cetera. So, um, okay.

What I wanted to say, John, is, uh, as I, just before I hand this over, wait, wait, wait. Let's not throw around the legend word. All willy nilly. Yeah. Gary's, supposedly Gary's the legend of the MSPs. Um, too funny. I love this 'cause it's like a completely different world to me. It's just like, it's just like, it's so cool. Yeah, no, this is great. Well, you, that's your YouTube's too, John. You guys are always cracking stuff up with your team. So Yeah.

It's, uh, so, uh, John, you said, Hey, there's one simple rule. Computer security is the glorified implementation of the fundamentals. It's the basics. Mm-Hmm. And it, it's, it's, the reason I wanted to start there is I was talking with another MSP that's well known. The CISO of Marco, Mike Berg, uh, Mike Ard, who's probably on there. He is. And Mike comes from the financial industry, you know, mid-market banks. And, you know, he likes to say that banks think they're different.

Everything about the banking industry is different when it comes to security. Wes, I don't know if you can acknowledge. Oh, both of you, Wes and Ryan, we, They think they're special. Yes. Yeah, I better way to say it. And when I've been talking to MSPs about this course, um, I wanted to bring that up because MSPs are like, you know, John really should develop training, security training specific to MSPs. 'cause we're special and we're different. John, are we, in terms of the fundamentals?

So what I'm gonna say is yes and no. Okay. Yeah. So the first thing is, no, you're not, um, if you're looking at securing an MSP, if you're looking at a bank, if you're looking at DOD, if you're looking at healthcare, um, if you're looking at operational technologies, SCADA, ICS systems, power grid, every one of them are special snowflakes just like everyone else. Uh, they all deal with the same problems, legacy technologies, lack of budgets, fighting management to try to get what they need.

So the problems that they have are the exact same problems. Even though they're always like, well, no, no, this is DOD, you see, we've got Solaris systems that we have to keep running. I'm like, I've been in four banks in the past six months that are running Solaris and AS/400 systems, it, it, it's no different. It really, really isn't. And then they'll say, well, we have nation state attackers after us like everyone else you do. Um, so when you're looking at that, we're all the same. Yeah.

When you're looking at MSPs, oh my god, is that different? And, uh, one of my, uh, one of my friends, the owner, uh, Justin at, uh, Infogressive, you know, he's really kind of enlightened me over the years about, you know, how this space is different in the fact that the entire industry for MSPs got into a game of race to the bottom for cost, where they're looking at things. It's not apples to apples. It's like, who's cheapest? Who can I get it? And I think that that created a problem.

And I might be misreading this and I wanna get everyone's opinion. 'cause you know more about it from your side than I do. I think that that created a lot of kind of like traps for MSPs where they wanna do better, but their margins are so tight that they just don't have that ability to do better. Which once again comes back to the pay-what-you-can mantra.

You know, I, I, you know, if somebody could say, well, why don't you just go pay $6,000 for a class for all of your employees, like, I'm outta business, then I've got a mortgage, my house, sell my car, sell my children, my kidneys, I'll wake up in a bathtub full of ice. And that is something that I think is unique. When you look at finance, they have money. When you look at healthcare, they have money. When you look at, uh, like OT, like power companies, they have money.

They'll tell you they don't have money. But trust me, they totally have money. When you go to an MSP and they say, no, we don't have money. They really don't have money usually. Yeah. So that's, that's a big difference. Gary, uh, I, man, I just, your ears must have been burning there when John said a race to the bottom in margins, you must have been like, wow, did you guys talk before this, this happened? I Well's two things.

Like I I'm thinking as you're saying that, you know, one is if you think about where the MSPs are on one side, what we're talking about today, which is they all need, uh, more more knowledge. Right? And that's what we're focused on to give them, to give them the knowledge they need. The other part is, in order to use it, they have to change their business model. They have to make a process around it. They gotta do it for 40 customers, not just an enterprise.

So there's that level of complic, but they have to do both Andrew. Right. And obviously that's gonna mean changing their, their price as we've talked about every for 61 weeks. I don't think we've missed a week where that one thing hasn't come up. Very true. Alright. So, um, I had some true or false, but I, there's not enough time. Um, and so with that, um, Wes, can I let you take it on over? Yeah. To John? Yeah, for sure. And maybe I'll just say this quickly.

Um, John, I think you're right on the money with that comment. You know, I've been watching a lot of Ted Lasso lately, so I'll use an analogy from that. You know, it's, I would normally say like the soccer field, but it's the pitch is what they call it, right? Like, we've all been dropped onto the same pitch. Um, but for sure we have different challenges inside of that, right? And, and, um, MSPs are really waking up to these challenges.

They're scared of these challenges, you know, in terms of, um, having to deal with, uh, like these focused RMM attacks. It's just an example of this. But they're also seizing on these challenges as well and understanding, Hey, I can mature my practice for fun and profit, right? And that's, that's a good thing for everybody. Um, and, and so I I, that's why we're going down this journey for sure. Today and what we've been doing on the cyber call, specific to that mission. Mission.

And, you know, so maybe I'll get it's kicked off on this, John is, so I was at this past week, I was at, um, an MSP peer group, uh, the Evolve stuff. I got the jacket and Lisa Mitchell is in here. Yeah, there she is. Uh, yes to Ted Lasso, Ted Lasso. Um, good seeing you Lisa, by the way. And, you know, it was a great opportunity.

So these peer groups, you know, I'm jumping into these boardroom sessions just talking about security, you know, leading discussion around what's working, what's not, how we've gotten to where we're at, you know, where the challenges and roadblocks are, all those kinds of things. And honestly, I do that all day. It's so much fun to talk to MSSP partners and kind of figure those things out.

But, you know, one thing I'm starting to arrive at John, and this is what I want your comments are, is on, is it seems like every MSP, regardless of size is getting to this point where they need somebody to understand and own cybersecurity. I've been talking about that on the cyber call recently, is that you've gotta have at least one person that knows security.

Well, maybe it's at the technical side, maybe it's on the governance side, maybe it's how we structure it, but you've gotta have at least one person that owns it and runs it. Um, do you see the same thing? Like, or gimme your comments and feedback. So, so I think it's, it's difficult, right? Because I think the knee jerk reaction is to take an analyst and say, well, that belly button is now responsible for security. So you just added more bricks onto that individual. That's tough, right?

Because they're gonna do both those jobs poorly. The other option is, let's have a dedicated security person, kind of an ISSO type position. Now that's overhead. So how exactly do you handle this in such a way that you can be effective as an MSP, be secure as an MSP and not have this person be pure overhead? So one of the things I would recommend is if you get that person, that person can do two roles.

That person could be your security representative that's making sure that things are secure within your own MSP, keep your house in order, but also bring that person in on the sales conversations with customers. So they're almost a salesperson talking about what the security offerings are. Because whenever we're talking with MSPs, uh, with, on, on behalf of our customers, a bunch of our customers bring us on and we evaluate MSPs all the time.

And one of the things that, that we notice is the MSP has no idea about security whatsoever. And those companies get washed out. You can use this person as dual role to help with those sales calls, to field those security questions. Bring in a furby to talk to a furby, bring in a security person to talk to a security person. And that's gonna help you win more sales. Just because you can have somebody who can walk the walk and they're doing, I don't think it's overhead.

I don't think that role is overhead. Yep. In that situation. You're right. Yep. You're right. You mentioned one thing, but there's really three, you know, one of them is in the sales environment, right? To help with that also in marketing, right? In terms of content with the customer base, like working with the, uh, vCIOs, right? Mm-Hmm. So that your customers get educated, that's revenue, uh, you know, producing and then with your team. Yep. Right? So, yeah.

Well, and the other thing, the other thing I'm gonna throw out there, and this is like saying, Hey, come compete with me at BHIS what you, what I don't mean, the wider you don't understand in the MSP space, and I see this time and time again, is as soon as you allow another firm to wedge in and do something that your firm does not do, that creates a situation for that other firm to pop you outta that contract.

So if you start hiring security people, that gives you the ability to do security audits, gives you the ability to look at applications, gives you the ability to possibly do IR as well for these customers. And what that does is it basically increases your portfolio and then it also reduces the risk of a dislodging event where someone comes and knocks you off. If I could just say real quick, I wish we had seven windows. I pull Mike Ard up right now.

They're, to your point, Gary and Mike, I'm sorry, Gary and John, they are doing these outward facing company customer events around the Midwest. They are closing business post boom business assessments. It's in staggering right now what they're doing. So, mm-Hmm. Go ahead, please, Wes, continue. Yeah, No, I mean, we're illustrating this right here. It best, best performing MSPs really understand.

This one is right above me in the window right here, Carl, who'll be chatting in just a minute about yeah. About some of this stuff.

Um, so maybe another question for you, John, just as we're jumping into this, Andrew earlier was talking a little bit about that comment you made about sometimes we as security people and even in the MSP space, jump into and seize, like, you know, whether it's the silver bullet or it's the, you know, I'm looking for that Binance smart chain smart contract that incentivizes, you know, crowdsourced, you know, threat intelligence sharing or whatever it may be, right?

We're looking for something so cool. We think if we just find that or like the next ML blockchain or ML algorithm that'll like completely redo my detection engines, I'm gonna be good, right? Yeah. And the truth is, it's simple basics. Can you expound on that much more for us? So, uh, one of my mentors, his name is Ed Capi, he actually lives in the Denver Metro area. Um, anybody that's listening in the Denver area, go outta your way, find Ed and hire him.

Uh, but Ed Capiz is the one that said, you know, good security is nothing but an inspired application of the basics and fundamentals. And what, what we mean by that is if you're watching the news, it's like, oh my gosh, there's a SolarWinds zero day they did this. Here's a new attack against HTTP, uh, smuggling attacks and all these different things. And those are really distractions. And I know that that sounds weird and some people will disagree with me. That's okay. They're wrong.

Really what it boils down to are the core fundamentals, you know, patch your stuff, good password policies, two factor authentication, doing assessments on your applications using free tools like Zed Attack Proxy, looking at Active Directory, using tools like PingCastle and PlumHound that are very cost effective. Stick with those core fundamentals and you're more than likely gonna be okay.

However, the past two years working lots of IR gigs, the vast majority of ransomware attacks that I've seen, something like in the nineties, are companies that had very poor security hygiene. They're the ones that get compromised. The attackers very much look for the lowest hanging fruit. If you have the core fundamentals in place, you're more than likely gonna be okay. That's what we need to focus on.

Unfortunately, it's not sexy, it's not the main stage at security conferences like Black Hat and Defcon. It's kind of boring, but it's the stuff that we all have to do And it's effort. And so that means it takes time and costs money. By the way, I wanna call out something I talked about, you know, companies being afraid of the security person being a cost center. And it warms my heart that I was disagreed with here and then also disagreed with multiple times in the chat.

Um, so I I, I very happy to see that people are like, no, security is not a cost center. That, that's awesome. And that shows a change. And not only does that, that's so true. And I, this is where I think we as MSPs have the opportunity to provide some leadership back in as an input back into just the conversation of security overall.

Because we are unique in that we have to be able to sell, we have to position security that a lot of CISOs for Fortune 500s don't fully understand that as well. And so these are inputs that I, I agree. I think it's, it's so natural for us to have that reaction back that hopefully that can be some, some inputs back into the larger conversation about some of this. Um, Carl question for you.

Maybe just some feedback, like, does, does what John just said, does that resonate with you in terms of like, the basics and share from us your wisdom and, and how you guys have gone down this journey and how, how the basics are critical to Snap Tech? Yeah, thanks Wes. Uh, you know, I couldn't agree more. I was recently asked to, to, um, give a presentation to the Arizona Technology Council. Uh, and they were interested in the state of ransomware and the state of cybersecurity and SMBs.

And my presentation was called the missing link. And my entire contention was that the missing link is that nobody pays attention to the basics, uh, that is getting attacked. And it, it is my list. I had eight on my list, but you listed four of 'em, John. And the other things were things like end user awareness training, you know, some very fundamental things that, that everybody should be doing. I couldn't agree more that every now and then we're exposed to incident response, uh, to IR gigs.

And every time we come in, it's always something stupid like, oh, we had, you know, MFA on everything except this one admin account for this one guy that left on this one tool. And there was just no process to catch that, nothing in place to, to just take a look at what's going on. And so I couldn't agree more that the fundamentals is the core.

And I think the MSP space is really, you know, if you look at it, analyze it, the majority of MSPs are technical people, not business people, not salespeople, not marketing people, not admin people that started a business and they still fundamentally lack, uh, leadership capabilities and still fundamental. I I don't, did You mention not salespeople? Yeah, yeah, I did. I said not salespeople. That's right. Alright.

That's why, that's why there's a race to the bottom whenever that happens, is 'cause they don't know how to sell. They just take whatever comes, you know, and that it, it's, it's, it's really that we're not sophisticated and mature enough as an industry to be a fully functional business with all pieces firing. And that's what I work on in my business. And so I've, I've always tried to do this and, and for us on the security question, the, the gap is really obvious.

It's because most of us are IT, IT guys that were never trained in security and we hire people that aren't trained in security. And it's an education gap, which is why this is a great conversation. You know, for us, it's, it's not that we hire a single person to say, now security is covered. It's a cultural thing across the entire organization.

Everybody in my organization, even somebody that's, you know, calling on AR, uh, or, or, uh, accounts payable or somebody that's, you know, administering the office or whatever, everybody is involved in the security conversation in my organization. And we are building people with expertise and with specific skills. And that's, that's why one of the reasons why I'm excited about what I, I'm looking at what John's working on in his course.

One is I appreciate this, um, altruistic approach of let's get, let's get a wider p person in the crowd. But for MSPs, this also makes it a lot more attackable because like I said, a lot of us haven't set aside that budget for training. And so I'm excited about some really approachable, really effective stuff that means that we're gonna be able to raise our end game.

And I think that more that we, that we think about across the entire team, not just a single person or two or a team, the more it's a cultural thing in our entire organization, the better. 'cause I have a hard time separating just being an MSP and not being good at security. I feel like it's a huge mistake to do, to do it and not have the skillset. It's a fundamental, you know? Yeah. That's a, that's, that's my first take on that.

So, so, uh, there was a question, um, talking about the time that we, we denial of service to the Center for Internet Security's website, um, during our training, uh, it was, so people are like, what? Um, I just basically posted a link. We had 3000 people in the training and they all went to the link at the same time and we brought the Center for Internet Security's website down. Um, so I just shared something. Um, so Andrew, you should have it in your inbox.

Hopefully we can get it to the attendees to kind of get what Carl is talking about. Um, it's a spreadsheet that was created by AuditScripts. And whenever you're trying to implement security, it's a, it's a worksheet that is free and you can do like self-assessment with it for audit and compliance. And if you do that spreadsheet, it's master mapped to every single audit and compliance framework on the face of the planet. So that's number one. So you can do that to protect yourselves.

If you want to find a roadmap, it's a great place to start. The other thing that I want to throw out there, Carl, and you know, you know, just kind of talking about, and Wes brought it up too, folks, you can build a service around the spreadsheet. Trust me, James and Kelly awa, don't care if you do, where you can sit down with your customers and go through a very simple checklist, identify gaps in their security, the blocking and tackling, the basics and fundamentals.

And then you can provide those services to them. And what's cool about what this spreadsheet does in the master mapping is it's not your word saying that the customer should do this. You now have it mapped to 47 compliance standards around the world saying, yeah, but NIST says that you should do this. The NSA says that you should do this. The Center for Internet Security says that you should do this. It becomes an easier sell.

So it's something that makes it easier for you to learn security and your own companies. And it also can become easily a service that you can offer to your customers as well. That's good. Um, so maybe Carl, my last question for you, I want you to dive in. One thing you said a lot about is the training aspect, right?

If you, if you had that magic wand and you have the ability to design, um, what security training would look like for your technical personnel, you know, whether they're analysts, whatever, what would you want to see in it? And, um, even maybe comment if you've had a chance to peek at what John is doing, you know, is there anything in there that seems to, to meet what you're looking for there? Give us some feedback. Yeah, so I did get a chance to peek at the course for, for MSPs.

And it's a bit of pieces, I'm sure from other courses where you even go into some of the subjects in more depth because I've looked through the list and my, my interest is very piqued. But what I love about what's going on in this MSP course that, that he's put together for us is the, um, there's some Windows forensics, some Linux forensics, some memory stuff, some basic skill stuff that is almost never found in an MSP. And then I love the incident response stuff.

'cause like, that's one of my big fears in our organization is when we have an incident that we get a cowboy technician kind of just jumping off the rails and beginning to do stuff before we really formally organize and begin following our incident response process. I mean, we, we've done internal tabletop exercises to try to emphasize follow the process and, and to show how it goes.

But the, the, the key thing is, is uh, there's kind of a base level of a lot of subjects that's really needed as a starting point. And that's what I saw in the course that was laid out. And so I'm really excited about it. I'm also excited that the CISSPs on my team, I, I'm told they're gonna get their, their CPE credit, uh, or continuing education. So that's exciting too. Yep. Absolutely. Got good friends with ISC2, so. Awesome, Wes, great job. Thank you. Uh, Mr. Weeks, over to you.

The background ninja master in the background, so, alright, sir. Um, yeah, so, uh, way back in the day, so I guess I should start with a, sorry, not sorry, um, sorry that the training you gave me so many years ago had such an impact and it got you sucked into the MSP space, but also not sorry, um, at the same point.

Um, but yeah, I took active defense, uh, when, when you were really just starting out with that message and, um, threat hunting right before it became, you know, the new hotness. Um, and like people were, you know, building products around it, um, uh, when I was in my financial services days and I was so special. No, I'm just joking.

Um, but I mean, from your perspective, why was the Core SOC Skills course so foundational for MSPs and, and, and, you know, why is your, why is the delivery of your content, um, more applicable for them than say, going to a SANS training? Okay, so first and foremost, if you can afford to go to SANS training, it's, that's a life-changing experience, right? I oftentimes look at, you know, success for me is companies and people that can go through my class, they can then afford to take SANS 504.

Um, that's success, right? But if we're looking at all the years that I've taught in the consulting that I've done, right, SANS had this, the area that they're very strong in, and then an area that we tried. We, like SANS Royal, we tried for years to hit, right? So SANS is amazing at six day training, they're the absolute best in the world. Two day training in smaller core skill, uh, skill sets is something they've always struggled with. And we never could quite figure out why.

For, for whatever reason, with what we've been doing with BHIS and Antisyphon, we seem to hit that really, really, really well. And when you're looking at this class, I would generally look at this class as like an on-ramp. So if you do take a class from SANS or Black Hat or someplace like that, you are gonna get more out of that class.

Because whenever I was teaching, um, for, for SANS and Black Hat, half the students in my class didn't understand the basic core fundamentals of how to use a command prompt. That's 50%. Now, by the end, we got them kind of awakened and they were then, you know, flying around and they're doing a good job. But 50% coming in not knowing how to do a packet sniffer with tcpdump on a Linux system, that's a high number, right?

So there needs to be a way that we can get these blocking and tackling core skills to these people so that when they do other training and all of a sudden we start talking about Link-Local Multicast Name Resolution attacks, NetBIOS Name Service, we start talking about Kerberoasting, their brain already has a hook and understanding Windows, understanding Active Directory, understanding these things so they get more out of that.

So that's how I would look at it, is basically it's an on-ramp coming in. Understanding this core stuff about Windows and Linux and network threat hunting, kind of getting started working within EDR and what you should be looking for. What does malware actually look like? How do you look at registry values, all of these different things. These are key to get the most out of training.

So that's the key difference for the, uh, for the differences between like what we do and the SANS Institute does. Now, the reason why we created a class the way that we did, this is harsh, is, is, um, a lot of the incidents that I work, when I work with MSPs, the people I'm working with didn't even begin to understand the basics and fundamentals.

They knew what CrowdStrike or SentinelOne or whatever product would tell them, but as soon as you ask some additional questions, they've lost the plot completely. And it's easy to stand back and say, well, it's 'cause they're stupid. Look at this MSP. But when you start seeing a trend and a theme, then there's a problem and you have two choices what to do with that problem.

You can either continue to be part of that problem, make fun of them at security conferences or try to fix the damn problem. And I chose to try to fix the problem. Awesome. Um, I, and when I, you know, when Andrew was, was first talking to me about this, like, Hey, we should, we should get more MSPs going through Core SOC Skills. I went and I looked at it 'cause I haven't actually taken the Core SOC Skills, but I was looking at it, I hear my dog in the background. This is not a rooster.

So he's he's very upset that his mother is gone now. Yeah. I missed the rooster. Let me go. Yeah, me too. Actually, I got the antelope. So, Well, while, while we're waiting for Ryan to, to calm the, uh, not the chihuahua. No, it's a, uh, bulldog, what is it? I forget the name of it. What, what is he again? Ryan? He's a French bulldog. French Bulldog. Oh, okay. Oh, one of those cool ones. Got it. Okay. So John, to your point of the fundamentals, just real quick and go Ryan, continue.

In one of your videos you talked about the SANS cheat sheets. I mean it lays out the command prompts, like if you look at the Windows and Linux. So I put that URL in there as well for, for people. Awesome. Thanks to take note of. Go ahead Ryan.

Yeah, so I, I was looking at the course and, and there's something, Wes and another gentleman in the channel, Chris Lu do a tabletop exercise with MSPs and the kind of, one of the, the core things that MSPs walk away from is this understanding that the way they instrument their business, they are response and return to productivity oriented for their customers.

And what that means is when there's a ransomware incident or hey, something weird is happening on this computer, they have zero idea about how to maintain evidentiary value or mm-hmm. Even the things that they're doing, how those impact their ability to investigate that incident in the future.

And so talk to us a little bit about why that, like the lab portion and why that like live incident response piece is such, such an important core skill, especially for MSPs that live in this world that are response oriented. Yeah, so this ties in with the cheat sheets. Okay. So whenever you're working in incident, one of the things you want to do is you wanna follow some type of methodology and you want to document what it is you're doing. Okay?

So if you're going in and I'm gonna look at a Windows computer system and I'm doing live forensics, I would write in my notebook, at this particular date, this time, I started the SANS incident response cheat sheets. So that way I've got a running record of what I did at what time, which is important. But also I followed a methodology. And if you ever get in front of a judge and a jury, they love people who take notes and they love people who follow methodologies.

Uh, rather than being like, yeah, I'm a keyboard cowboy, I just sat down and I started, you know, just doing stuff now that doesn't resonate with them, right? So that's key. The other thing is, whenever you're looking at evidence being admissible in court, according to Daubert rules of evidence, evidence is admissible in court only if there's no evidence of tampering. So whatever you're doing is more than likely going to be admissible in court.

But it really boils down to what's the weight that the judge and jury will give it. If you're meticulous, you have notes, you're following a methodology, you're following these cheat sheets, you're developing the methodology your company has, that resonates and it gives more weight than just saying, I was just typing a bunch of commands and I fell into it. So that's one of the key things why this training is critical.

'cause now you can give the cheat sheet to somebody that has the training and they know how to get to the programs that they need to run. They know how to deal with the output. They know how to interpret what those cheat sheets and those methodologies actually tell them. Yeah, Yeah. But it's not just how it stands up in court, it's legitimately a better way to get it done. That's why that's Important. That's true, that's true.

I always, I always lead with court 'cause it scares the hell out of people. Well, those words, "in court," come up fairly often, right, on, on the Cyber Call. And, you know, I owned two MSPs over, you know, 20 years, uh, never been to court. The chance is that you can own an MSP for the next 10 years and avoid being in court at some point are very small. So I just wanna note that that's a, that's a massive change for who we are. Yep, absolutely. Yeah.

I mean, uh, the thing that's exciting for me is if you go to this course and you pay attention and you do the labs, uh, and I know John, he's gonna give you 5, 6, 7, 10, 15 other resources to go expand that knowledge on you could actually take what you learn here. You could create live incident response scripts for your operating systems, for your MSP and instrument them in your RMM and part of your response playbook now is before I do anything on the system, I run the LIR scripts.

Mm-Hmm, absolutely. And then you do whatever you're gonna do because you've now preserved evidence and like, it's such a simple thing that we don't think to do because you start killing processes, well, you're not gonna be able to see what network connections they need. Oh, like there's so much valuable information there that you need, that you really, you gotta preserve that before you go keyboard cowboy, which I, I love that.

And that, and that example is a great example where people are, you know, you know, they, they sit down and they don't know what they're doing and they say, oh my God, I've got 52 instances of svchost running on this computer. That must be the virus. And they just start nuking them and they don't know that they just killed the RPC service on the box. Networking went down and they create far more damage than they do actually trying to solve the problem.

And a lot of that comes from, you know, they're, they're panicking and they feel like they have to outrun the hacker. So if anybody's listening to this, one of the things I'm gonna tell you is if you're working an incident, take a deep breath, take your time. Document. Odds are the vast majority of the damage has been already done. And making really rash moves without knowing what you're doing can often create more problems than trying to be calm, collected and sticking to the script. Yeah.

It can make it harder for you to actually respond. Yep. Right. Exactly. You could actually be missing data that'll help you understand what happened and be confident that you know that the incident has been contained. So that's really important. So, uh, I saw a post you put on LinkedIn, you're doing something on Atomic Red? Yep.

We did, uh, on the Cyber Call, uh, one of our quarterly summits we just did on threat modeling where we, we actually did Gold Southfield right before the July 4th incident, oddly enough. Uh, where we built the threat profile, we took down, you know, specific, uh, TTPs from what they do. We modeled them with Atomic Red. Uh, we had the folks from Red Ion and we actually walked through this. How important do you think it is outside of having Core SOC Skills?

How important do you think it is for MSPs to be leveraging, uh, adversary emulation tools, uh, and knowledge in their, in the instrumentation of their own protection? For me, it's so important. It's actually a lab in the class. We actually do run through Atomic Red team, um, and how to use it.

And, and the reason why is if you're, if you're, if you're a SOC, if you're an MSP, one of the things, your question, one of the questions you're gonna get from your customers are, there's this attack out there. Are we prepared for it? And if you know how to use Atomic Red Team exactly as you said, you can pull down the report from CISA that tells you the techniques that are used in the atomic, uh, sorry, by, used by MITRE. And then the Atomic Red Team can emulate and run those.

Now, you can quickly go back to your customer and say, Hey, we just did emulation. We know that you're, you're detecting 70% of what the attackers do. We got a plan for dealing with the other 30. That's proactive. And that's what's gonna help you keep that contract moving forward into the future. Uh, rather than just saying, yeah, yeah, we we got you covered. Right? You got 'em covered. Yeah. Yeah, yeah. Gotcha. Best in class security, best in class.

No, you can actually emulate it and it's cheap. It's, it's free other than time. And it's easy. I mean, if you did it during one of your webcasts, you know, it's not hard to do and it's effective and those are the big things that we need to be looking for. Okay. Um, so Carl, uh, you know, John mentions that he's done consulting engagements, uh, on hardening systems.

Um, and, and prior to the meeting, he'll pull out the, you know, the, the 600 page user guide, um, uh, where a bunch of the answers are, um, you know, lies and, and wows. Um, yeah, he also shares how he reads almost every CIS hardening guide. Um, he says Security hard up. Yes. Yep. Um, and MSPs haven't historically truly understood frameworks, fundamentals, processes. Why does your MSP invest in like, baseline hardening and, and spending time on those, those basics?

Like where does that fall in terms of importance for you? Well, I can tell you it's something that, you know, participation in the community really has helped us along in, in realizing how much we needed to leverage a common language and, and have a dialogue that was understandable and point to an authority that's well researched and deeper than just my, I'm the MSP here with my opinion today, that you've gotta sort out amongst the three others that are also proposing, right?

If you can get a common language and commonality, you now can have a conversation that's understandable than beyond, you know, a technical speaking person. And also there's an authority and a comprehensiveness to it. And so for us, you know, we, we have literally reformulated our entire offering as into this categories. Now we happen to grab a hold of the NIST, uh, categories as a way of looking at it, you know, protect, detect, you know, identify, manage or recover, respond.

And, and so we've gone through all of the things we do and we now present them to the customer in that format. And that's how we assess them and that's how we sell to them. All of our offerings are categorized as such. It's how we invoice. It's at every level, right? And, and, and I could tell you it's changed the conversation in a really significant way. And it's changed the, the internal understanding of the culture of my company. And so the, the, the framework conversation's important.

Now, cross mapping is always helpful depending on what, you know, conversation you're having. But generally with a business owner, high level categorizations in detail, and then helping them understand where they're strong and weak and where are more risk and less risk. And also thinking of your own business in the same way. You know, it's, it's just, it's a critical element to maturing your thought process and being more comprehensive.

That's why we embraced it and we've, I think, found a, a great deal of success with it. I think it's a lot to, to John's point earlier, a lot of times when we're called in to, you know, put in a bid or a proposal for managed services, and when they see us present it in that way and clearly can identify strengths and weaknesses, risks, and, and lowers it, it's been a real game changer because we can really clearly help 'em understand where, where they have been good and bad.

So, you know, that's the, that that's a big deal for us. It's been, and I, and I and I thank the community for what we've learned, learned and how to do that. 'cause I didn't used to do that. And it's been a big deal for us. Everybody needs to go back who's on this call? They need to get to that point and need, they need to listen to every word that Carl just said again. Yeah, I couldn't agree more. Gary, John, go ahead.

You were saying, I, I, I was just gonna say, I'm gonna keep a link to this one because whenever I'm dealing with MSPs, it's usually an adversarial relationship, unfortunately. And I always hear them complain, we can't do that. It's too expensive, we can't do that. And to like, get 'em on something like this and be like, well here's a bunch of industry experts that are doing this successfully. I mean, that, that, that's huge to have some people.

So I'm just not the man from out of town security saying security's important. Having Carl like lay that down so succinctly, I think helps reinforce it so much. The other thing, Gary handing to you, you know that Justin has said multiple, multiple times to be defensible when you're sitting in front of a prosecuting attorney and you're like, well, how'd you come up with that? Well, it was my idea. Well, what standard did you follow?

Well, now that that doesn't, that doesn't work so well in a court of law. Yeah. Listen, uh, Wes sat in the evolved groups. Um, I sat in, you know, recently, you know, my peer groups probably between the tutors 500, you know, MSPs, and I know Wes would say the same thing. And this is the message I've been trying to get through every week. This is not just a good idea, right? Getting where, where Carl has gotten to, if you felt that this is good business.

The people that I work closely with that are following that same path that Carl just explained, have learned to have those same conversations with customers and prospects are having the best year. They had the, we had the best sales quarter in the 10 years I've been running peer groups. So the message is for all the risk that there is, this is good business. I like Keith, this is good business. Keith had a quote, he said, by the way, when you focus on price, so does your customer. Yeah.

And, and I think that that's, that's a great quote, Keith. Yeah. I can't tell you how much your customers don't care about price and MSPs. You've Gotta raise the conversation to a different level. So true. Yep. Yeah. Well, and as soon as you do that, your competition starts falling away. It does. And here's my hope. Here's my hope. So years ago I did a presentation how not to suck at pen testing. And I did this whole presentation on what a bad penetration test is. Getting caught is important.

Being thorough, doing all these things, just don't show up and be like, I hacked you, you suck. Now pay me. Um, and that changed the game, right? We had pen test puppy mills that were just churning and burning vulnerability scans and charging $25,000 a pop. And from that point, it started to change the conversation. And now all these former pen test puppy mills are doing really good work.

The best thing that can happen in the industry is that, that the entire game elevates for all the firms and it redefines what the floor is. And, and you know, I, I, once again, Carl hats off to you because you're redefining what the floor is. And you know, once you do something, it's like, it's like, what is it high jump? Once you get it over seven foot, everybody else can do it. And that's what we need is more people going over seven foot. It's the four Minute mark. I'm just paying attention.

I didn't invent any of this four minute Mile. I'm just trying to do my best, you know, Roger Ban. That's awesome. So John, how important is it knowing what you're learning about MSPs, that really these skills get to pretty much everyone on their technical team, not just a few people involved in security. Oh, so that, that's one of the traps, right? Well, we're gonna have, we're gonna have Bill, he's gonna be our security belly button. That's, that's a recipe for disaster, right?

You, you need to have it all the way through the organization. Yeah. And a really good organizations, and this is bizarre, I'll be teaching and someone will be like, Hey, I'm a CISO, one of your customers, we're Fortune 500. I'm in this class and our whole team is, and it's like really? Like we've got the CISO sitting in on it. And that's a sign of a good CISO. You know, right there, there's people that say, well, as a CISO, I don't have time for that.

I don't need to know about risk, I don't need to know about vulnerabilities, I don't need to know about threats. I need to make risk-based decisions. And what that basically means is they're ignorant of everything that makes up risk and they're making decisions. So the more you can get in the weeds and kind of understand what it is your team is learning, the more you're gonna learn the capabilities.

And I always use this analogy, you know, people talk about great military geniuses like Napoleon, right? And they're like, well, he was just good. Napoleon would do things like have his team go out in groups of like two and 10 and fill sandbags for all day and record how many sandbags they could fill in an hour and half a day in an entire day. Then he would record that and he would understand how far a horse could go completely loaded and all this stuff. But he understood the minutia.

So whenever he got into an adversarial situation, he could predict what the was able to do in the amount of time that they were there, because he had actually done that type of research on his own people. That's the sign of like a good CISO. Yeah. If you're a good CTO, a good CISO, you're gonna learn the technology, you're gonna be right there in the trenches with your team and know what the capabilities are of the team.

And then it goes back to what Carl was talking about, having a conversational framework model. Then now you can have conversations on the same level because you have that taxonomy all the way through. It's essential. It absolutely is. You figure people, like, they think of, they're like support desk glass to me. I was just talking to an MSP, they said, we're training our support people in the first wave.

They're the first ones who can recognize things, and they're the first ones that can ruin evidence because they don't understand it and they're responding to something. So up and down. The next question I had for you is, there's hands-on labs. Mm-Hmm. Can you share why this is critical for MSPs, even though most don't have a SOC? Explain why it's still critical to them. Alright, so a couple of reasons. One, uh, just to have those skills.

If you get into a situation where somebody says, Hey, my PC's doing weird things. I have the cookie monster running around on my screen, eating up things on my screen to give them the skills that they can sit down and they can support that customer through that problem is monumental for an MSP. It is to be that person that they come to. You are the trusted advisor, and you can work through these things. These are core essential skills.

And honestly, they're core essential IT skills, it's not just security, right? Yep. It goes to troubleshooting on networks, troubleshooting on operating systems. It bleeds into absolutely everything. The other thing is we cover a lot of open source and free tools as examples. And the thing I love is I have people that come through and they're like, we just went through and we were running Velociraptor in the lab. Velociraptor is free, it's deployed in environments that are over 50,000 nodes.

It blows my mind and it works really well. And they're like, that free tool, that's better than our expensive $200,000 a year tool that we're using now. Now, I'm not trying to crap on a tool because it isn't as good as the open source tool, but this goes back to elevation. They can go back to that vendor and say, why am I spending this much money if this free tool does all of these things so well? Now that tool is gonna get better and things are only fragile till they break.

This allows me to have conversation so people can identify what is broken in their infrastructure, what is broken in their customer's infrastructure, and fix those things appropriately. So Andrew, I'll pass it back to you, but here I'll give you my quick wrap up. Um, a lot of people have been on all 61 of these calls, right? And in those 61 weeks, you have not yet.

This is the first time you've seen us take an entire show, um, to promote something, something that, um, none that we here on the Cyber Call don't have any investment, any, there's no, uh, you know, purely we believe this is the right thing to do and, um, and we're lucky that we're able to work closely with John, but again, we're, we're not here to promote John and we're not here to promote. We are here to, to get people where they gotta get to.

And this is, this is the best way we have right now. I swear you can have a subtitle for the show, the Cyber Call: making our competitors better. Um, it's just, it's, it's so cool. Yeah. Yeah. So no, Gary, I appreciate you saying that. So John, in, in the last few minutes here, Gary, thanks for wrapping it up early a little bit. I know we had some more questions. So John, let me just confirm for everybody, we have a, a code called Cyber Call. Easy enough. Yep. Right?

They need to register for the 495. It'll take a hundred dollars off. Mm-Hmm. It will also give them a year of the range. Uh, six months, six months, six months of the range. Sorry, sorry. Um, we're thinking about kicking it up to a year just to make it better. So what, you know what, it's gonna be a year. How's that? It's a year. You heard it here first, folks. I don't mean, I'm not trying to put you on the spot. You don't have to do a year. No, that's fine.

Um, alright, so, you know, these are differentiators. The big differentiator, however, is we're gonna have that list and John's gonna come back with some of his team and it's gonna be ask them anything. These are the, you know, who's who of security that you are gonna have access to. Mm-Hmm. Also, there is something that's gonna be announced in probably the next week, week and a half. Again, it's depending on Joe Panettieri and MSSP Alert.

But let me just say that some of your most important and favorite vendors are very bullish on this idea and they are getting behind this in a major, major way. And again, we encourage you to register now and be in this if you want all the good stuff coming out of this. Um, so that's stay tuned. Um, so John, any closing thoughts from you? First? Uh, just my closing thought is thanks for all you guys do.

Um, I know in a lot of ways you, you're, you're, you're always the ones that kind of get pooped on when something goes wrong. You're the first line of defense when something goes wrong. It's kind of a thankless job. And I want you to know that just kind of working with MSPs over the years and especially coming on the show, it's kind of opened my eyes. This is, this is the front lines folks, and whenever we use battle terminology, we use war analogies, it's, it's not a joke.

And you guys are the absolute front line and I feel a little bit better now about our chances. So go forth and just do amazing things. Yeah, thanks for that. And I, I, I couldn't say that more as I turn it over to Carl and thank him and, and what he'd like to say. That's one of the biggest impetus, John, because I'm sick of hearing everybody, you know, I see it on LinkedIn and these holier-than-thou people on CMMC and the like, crapping on MSPs. Now is our time and I just wanna make this happen.

Uh, Carl closing thoughts from you and again, thanks for coming. Uh yeah, no problem. Well, so, you know, my perspective is that, uh, training is difficult in MSPs and it's something that we've actually had multiple years of effort put into. And I, I, I can give lots of kudos to like my service manager, Shane Swanson and the work they've done in trying to create a culture around training in our organization. And we've built up a lot of ways to incentivize it.

We give out cash, we give awards and recognition, and we've built teams of people that, that come together and get points for things that they do. We've done all these things to try to encourage, because I feel like it's the number one thing in our industry that holds us back is our own ability to learn and grow and to become educated. And so I, I personally, uh, find very difficult to get good meaningful training in a way that's easy for me to approach with my MSP.

So I love what you're doing here about making this accessible. I love what you're doing about putting on significant and serious topics in an approachable way. To me, this is a really big deal for our industry and our ability to raise our game from a security standpoint. So I'm excited about, I'm excited about for what this can mean for my company and for my customers. So, yeah, well said Carl. For those of you asking where to register, there's the Core SOC Skills, little green button there.

Please tell a friend, you all have friends in the industry, the more we can get there, again, the more and the better things we can, uh, get out of this. So, um, again, Wes, Ryan, Gary had to leave early. Again, John, Carl, thank you and lots more to come. For all of you guys. Stay tuned and take care later, everybody.
