John Strand “Talkin’ Bout [infosec] News : Special Ukraine Edition”
In this video, industry experts John, Phyllis, and Wes discuss the critical aspects of cybersecurity, focusing on patch management, secure configurations, and the importance of integrating security into business processes. They delve into the challenges faced by MSPs and the evolving landscape of cyber threats, emphasizing the need for better training and communication with clients to improve security postures. The discussion also highlights the role of insurance and compliance in driving cybersecurity improvements across various sectors.<ul><li>The webinar discussed the importance of aligning to the CIS controls for improving cybersecurity practices, especially within the MSP community.</li><li>Emerging and innovative vendors can utilize platforms like Channel Program to gain visibility and feedback in the cybersecurity market.</li><li>The need for effective messaging and communication by MSPs to their clients about the importance of cybersecurity practices and compliance requirements was emphasized.</li></ul>
Guests
Video Transcript
All right, we are live on episode 87 here, the Cyber Call. Welcome everybody. Hope you all had a fantastic weekend, and we have got an awesome lineup today. I'm gonna get into intros momentarily. Um, I'm gonna do a quick announcement first on March 28th. We are going to have the four CISOs together. Um, so that means ConnectWise, Datto and, um, N-able. Um, so it's a cyber call, but because of our platform size, we can only have six windows here. Um, we could not do the cyber call here.
So I was talking to my good friend Kevin Lancaster, and I'm not sure if you all know what Kevin is doing these days. I'm gonna let him chat briefly about it. But we've teamed up with Kevin and team and he's done a phenomenal job on his new platform called Channel Program. So for those of you that may not know Kevin, you may know his company, former company called ID Agent. Um, he built that. He also comes from the cyber world. So with that, Kevin, welcome.
Thanks for the, uh, the kind words and we're thrilled to host the call on our platform. You know, real quick on channel program, when I had built ID agent, you know, it was a fast growing, probably one of the fastest growing companies in the channel in the, in the last five or six years. And we're very fortunate that we had a, a magic trick. We could show people their compromise, email address, and password, and really start behavior change, uh, because of that.
Uh, but not very many companies have that type of magic trick. Uh, a lot of companies that are, are, uh, that are growing don't have the ability to really break into the channel. Some phenomenal technologies out there that just, for whatever reason, they're just not gonna get to velocity. And so we created this platform called channelprogram.com to allow all of these emerging vendors to get their equal airtime across the channel. So we started with Channel Pitch.
We do a monthly pitch every month. We have, uh, seven or eight companies on, and we really want emerging, you know, innovative platforms and technologies. We let MSPs log in anonymously. They provide feedback to the vendors, and it's invaluable feedback to the vendors 'cause it helps them, you know, determine how they can grow or whether they should even be in the channel. Uh, so that's a little bit about, uh, a pitch.
The platform in general will be, uh, kind of a, a LinkedIn meets YouTube and it'll be a, a home for where everyone can provide their thought leadership and, and influence over the channel. So that's what we're up to, but we're really thrilled to, to partner with you on this, uh, this event on the 28th. And it's, it's, uh, it's great that all, you know, the big four really are, are are putting their foot forward and, and really stepping up when it comes to security.
And this is gonna be a fantastic event. Yeah. Hey, Kev, what year was it when you launched into MSP? So with ID Agent, um, so I've owned a quasi MSP since 2003. ID Agent really officially launched in 2017, where we pivoted from enterprise supporting fed gov and enterprise to, uh, MSPs.
So when, uh, so when you came to our peer groups, did the presentation, I, we've never had a situation like that where at the break there was just a line that people to sign up, You know, it, it was, uh, I'd never really done that. The trade show circuit, you know, before. And, uh, I think that first year, I think we did something like 50 different shows because of the impact that we were having, right?
When you have the ability to, you know, do a slide presentation in front of a hundred, you know, MSPs and you can put up how many compromised email addresses and passwords that you have on their domain, and they come back to the booth and they actually see their password and they have that, oh crap moment. You know, it just, it became this really viral sensation in the channel.
And, you know, it, I think it was, I think the best part is it allowed MSPs to start really having a cyber conversation. Here's something that's tangible, it's in your face that your password is personable, you know, and it allowed them to start talking about upping their game. 'cause until then, and you could already, they still have challenges selling cybersecurity, but until then it was, you know, it was, it was impossible almost to sell cybersecurity until you made it personal like that.
And that was one of the most, uh, positive byproducts that we had is, is we are able to change behavior and help the industry really start to start to sell security in a meaningful way. Hmm. So, great, man. So John, a real thing. What's that? So, so credential theft is a real thing. Yeah. It comes up every once in a while. So, no, uh, so whenever we're breaking into organizations, it's one of the absolute go-tos, looking for leaked credentials that are online.
And if you look at a lot of attacks that have, you know, actually made the news a lot of those attacks, one of my favorites, um, was when Sony got compromised, not only were they compromised by credentials that were basically available online, but uh, they actually hard coded in their malware to use an admin's credentials that had been leaked online to move internally within the, um, so yeah, it happens, it happens constantly and like I said, it's one of our opening go to moves.
If you look at a lot of the attacks, um, that we've seen, Colonial Pipeline would be another example of that. That is absolutely where the attackers go. Why come up with a zero day whenever you can just walk in the front door with a cred? It's much easier to do it. Fair enough. So Kevin, we will have a URL available I think Wednesday, um, and we'll get that landing page up for everybody to go to. Um, just, um, in closing a few comments. Kevin, what's your MSP database around these days?
Give or take? It's 65, 67,000, uh, MSPs. Yeah. So, uh, I really appreciate you partnering with us to give, you know, this important show the reach it's gonna do. It's gonna be moderated by Joe Panettieri. Um, so, uh, it'll be really interesting. We'll get coverage from him. And then, um, the last thing I'd say, Kevin, is you talk about emerging technologies.
You were talking about a vendor just on Friday, though, that is in the backup space and, and you know, has a phenomenal platform for backup and, you know, BCDR and backup's in Vogue again with ransomware, you know, so, um, I think we're gonna see a lot of relaunches of, of very, you know, mature platforms on, on the channel program. So That's our goal. That's our goal. So Yeah, we're thrilled.
Like I said, you guys do amazing work, you know, getting the word out and uh, if we can help amplify that, you know, then it's for the greater good of everybody. So this, just, like I said, this will be a fun, fun event. We're looking forward to it. Yeah, thanks for having us. Really appreciate it. Alright, take care. Thanks, Kev. Bye-bye. Okay, so, um, let's get on into today's show. Last week, um, we had Scott Edwards on with us from Summit 7.
It's funny, do we still hear Kevin's music? Oh yeah. Lemme just mute him real quick over here. There we go. People were actually doing a pretty good job of naming that tune. It was like, it was like the cyber call Shazam, um, was working pretty well. I think I needed Shazam 'cause I am horrible when it comes to naming that tune, but I think there's that app Shazam that would've helped me out, John. Yeah. Um, so, um, I, I put up a poll if you guys could take a look at that.
I know you're always so diligent at filling that out for us. Um, so, um, you know, after having Scott Edwards last week from Summit 7, discuss critical infrastructure and the defense industrial base and communicating to his clients, um, in terms of what is going on in the, uh, Ukraine, Russia conflict. I tuned into John's last webcast, which always you're talking about InfoSec is awesome. Um, your banter for the first 10 minutes makes it all worthwhile as it is. It's hilarious.
Um, but John, one of the things that like struck me of really why I wanted to bring you on, and then certainly Phyllis was, you know, you right in the opening talked about core fundamentals and, you know, I was like, wow, this is, we, we really gotta have John on. Um, Phyllis obviously, because the core fundamentals sit in CIS and you're doing some really cool stuff in terms of building training for MSPs. So a little bit of the background, let me start off with introductions.
For those of you, I think most of you now know both Phyllis and John, but if, if you don't, John, let me let you do a quick intro for us. You bet. Um, I am the owner of Black Hills Information Security specializing in network penetration testing and SOC services. Um, also I'm the owner of Antisyphon Training, which is probably the more relevant thing for what we're going to be discussing today. And as it relates to the CIS.
Um, I was there when the magic was, was made when it was first called the SANS Critical Controls, uh, before we realized we needed a new stewardship to carry it forward. And, uh, we handed it over to CIS and they've done a fantastic job since then. So that's my quick intro. Fantastic. Phyllis. Yeah, sure. Welcome back. As always, good to see you. Thank you. Thank you for having me. Um, yeah, sure. My name is Phyllis Lee. I currently work at the Center for Internet Security.
I am in charge of the Critical Security Controls, formerly the SANS Top 20. Now we're down to 18 controls here at CIS. Um, formerly spent 25 years at the National Security Agency, um, mainly working, um, in defense, doing pen testing and, and things like that. Very cool. Well really welcome back Phyllis and both of you. Thanks for coming to Tampa. It was awesome seeing you at Right of Boom. You guys, it was great 'cause it was warm. It was very nice. Yes.
Like our winter break Conference, eh, it was warm though, so it was wonder. No, I'm kidding around. Alright, so, um, Gary, I'm gonna hand it over to you to get us going here. Yeah. And, uh, get right on into it. Okay. Before I, before I, uh, start with some questions, I just wanted to make a comment about the poll, seeing that 91% of the people are working, uh, to get at least a minimum of implementation group one.
So let me just commend everybody who's on this call to say that our community of almost 4,500 or more is not the norm, unfortunately. So I was asked to speak, um, to a bunch of MSPs. And on that webinar, uh, I just, I talk about, you know, the Cyber Defense Matrix and CIS and this like, you know, as just with an assumption that because that we're all there and, um, and all of a sudden the chat lit up, what's CIS? Like, I was like, oh, shoot, we don't live.
We now have created our own, you know, community where we're doing something. And it was concerning to think that that's not the MSP community at large. So, uh, we have a lot more work to do, but I also, I wanted everybody to realize that, that you are going down a road, uh, with all of these resources to maturity, that is a true competitive advantage right. In this marketplace.
So I, I wanted to just, I wanted to call everybody out on that and, and give them a, since we mainly tell 'em all the things they do wrong, I wanted to give them an attaboy today. Thanks for pointing that out, Gary. He was a really good, yeah. So John, in, in, in your, in your, uh, most recent, uh, talking about, you were mentioning that, um, Russia wasn't attacking nations and you, you as much and you had two hypotheses. One was, hey, maybe they just suck at it.
And the other one was maybe they're just distracted, um, trying to defend their, their own turf. Maybe you could talk a little bit about that. So if we look at the, they suck at it, that's always a possibility, right? You know, we can say, oh, they're not very good at breaking into places. And just set that off to the side for right now. The other thing that I think is important, and I think Phyllis can speak to this as well, is I was in DOD IC government space whenever September 11th happened.
And on that day, nothing else mattered On September 12th, we were all about terrorists. And that is basically what the entire apparatus of the DOD IC space really started focusing on. Um, and of course they were still watching North Koreans and Russia and things like that, but not nearly at the level that they were trying to hunt down terrorist organizations. So the entire organization, uh, all the organizations really focused on this one issue.
So if you're Russia, we're kind of applying a lot of the same things. The number one issue if you are in cyber, if you're in it in Russia right now, isn't attacking Ukraine, isn't so much attacking the United States, isn't attacking Germany, isn't attacking anybody right now. It's all about trying to lock down information within Russia proper, where everybody is all focused on that.
How do we actually maintain what we need to maintain if you're Russians, um, as far as information lockdown inside of Russia to try to control the political narrative and actually watching dissidents and underground communications and things like that that are happening in Russia right now. Um, there's been a lot of stories coming out about the lead up to the actual invasion.
Um, and executives from Google were basically told, you know, you, well, you know, shut this down, or bad things will happen to you and executives from Google actually fled. So that is what I believe that the Russian apparatus is focusing on at the moment. There's also, the other thing, the third thing was escalation. Um, everybody is worried about escalation. And with cyber escalation, it's an incredible, crazy wild card.
You honestly don't know where it's going to end, and there might be some of that. So my point of all of that in this was just because the Russians aren't attacking right now doesn't mean necessarily that they suck. It just means that right now they're very distracted and they have very, very specific mission objectives. And those objectives will probably be doing intel gathering in Ukraine.
If you notice a lot of the communications and, um, uh, power lines and everything are still up in Ukraine. And a lot of that may be like we did in the, uh, first Iraqi war. We actually kept the power on and kept communications up as long as we possibly could because the United States military and intelligence apparatus was pulling a lot of data of where people were, what they were doing, where they were collecting.
And I'm, I'm assuming that Russia is doing many of the same things, so don't rest easy and think, oh, we have nothing to worry about. No, we absolutely do have to worry. We have to start battening down the hatches. We could talk more about that a little bit later. Yeah.
And, uh, I know we spoke, um, on the call last week about, you know, looking in the past what's happened, but once escalation starts, doesn't it kind of almost take on a life of its own and, and it starts to, to spread, there's like a lot of unintended consequences, right? Absolutely. And the cyber thing, the biggest concern that I see in the cyberspace, um, 'cause I wanna, you know, there's some people in the cyberspace that are like talking about military doctrines in Ukraine.
I, I know nothing about stingers or Javelins or any of those things, but whenever you talk about escalation, the biggest escalation that concerns me right now is anonymous. Uh, where anonymous is completely uncontrolled, unaffiliated, there's no, like, there's no un anonymous clubhouse where they all hang out, um, but basically anonymous going through and hacking as much as they can in Russia. And I am very concerned because they're not under any banner. They're not under any controls.
I don't know where their limitations are. So the escalation wild card in the cyberspace is absolutely terrifying to me in that regard. Yeah. Wow. Um, so I wanted to ask you, uh, you also mentioned, um, on, on your podcast that SolarWinds was not a one-off. Nope. Right. And so you see, you know, uh, uh, you mentioned Conti leaks digging into Sophos and, and Carbon Black. So these EDRs, trying to figure out how to get around or use EDRs. What, what's the implications here?
So the number one implication is, um, I'm gonna go back to Bit9 years ago when they got hacked. Um, I remember I was talking to some executives at Bit9, and, um, they were all worried. It's like, oh, Bit9 got compromised. It's gonna hurt us in the marketplace. I'm like, well, it depends on how you position it. If you position it, you basically say you were hacked. Yeah, that looks bad.
But if you position it as attackers were trying to bypass the product, and the only way that they could figure out to bypass the product was to hack the company to get a digital code signing certificate, they could bypass the product. That's great marketing, right? Modern EDRs work, folks.
Um, if, if you're listening to this right now and you're not using an advanced EDR in your space and you're just doing traditional signature-based, uh, deny listing, you're at an incredible disadvantage. And I speak as a, as an owner of a company that has about 650 pen tests per year, trust me, advanced EDRs work all the way down to Microsoft Defender. Microsoft Defender's no joke in the space.
So it didn't surprise me at all when you're seeing Conti and the, the people scrambling around trying to figure out how to bypass specific products, because that's what almost every pen testing firm is doing today. Wow. Uh, Phyllis, question for you. Um, I wanted to ask about, you have a unique view because you run the, uh, MS, uh, ISAC.
Maybe you could just let people know what that is and then, uh, from that a, anything you can tell us that's like, that's a little different look, uh, into, into trends and what's happening, right? Because it's related to, to, to government, um, uh, agencies. So maybe you could just talk a little bit about that. Yeah, sure. So, um, I don't personally run the MS-ISAC, the, but CIS definitely owns the MS-ISAC, which is the Multi-State Information Sharing and Analysis Center.
That is, it was the royal we? Yeah. What's the, that is run under the, um, a cooperative agreement with DHS under the purview of CISA, right? And so it is, um, in some sense an extension of the federal government.
So the information sharing and analysis center provides threat information sharing, um, you know, recovery and, you know, threat advisories, et cetera, on behalf of, um, the states, the SLTT, state, local, tribal, and territorials, um, of which they're, you know, over 10,000 in total across the nation. And so, yes, we are, um, the royal, we, we are definitely, um, looking at this threat.
So what I can say is in cooperation with the federal government, um, as well as the private sector, MS-ISAC provides, the intelligence provides, um, the data that's needed to help back, um, claims, other observations from industry as well as the government. So it's a nice public private partnership. Um, I think right now in this instance for sure, um, you know, DHS or CISA will be the single voice in trying to figure out, you know, the best way forward.
And of course, MS-ISAC will be putting out whatever advisories and threat intel. Um, in particular with Log4j, MS-ISAC was also giving, um, certain, or I would say more specific advisories to SLTTs on, you know, way forward. Yep. So that'll be more of the same as we see new threats and how they impact like that important part of our infrastructure. Yeah, definitely.
Um, you know, and so the nice thing when you look at things like this, when Mandiant does a reporting and stuff like that, um, it is nice to see federal government and private, you know, that public private partnership actually working. Awesome. John, why does it take like a SolarWinds for corporations to start to change their behavior? The threats are there before that, right? It, so why, why does it take that for people?
And then maybe not even all the steps that everybody needs to take, like even after they've had their hand on the stove. I, I hate to say it, but SolarWinds didn't change much. Um, neither did Log4j, um, neither did WannaCry, Petya, NotPetya, neither did, you know, Blaster, Nachi, Welchia. And, and, okay, so this gets to a much larger issue, right? So if you look at a lot of executives, uh, we look at Equifax as a great example. They got compromised through an Apache Struts vulnerability.
Whenever you're an executive and you open up USA Today, Drudge Report, Huffington Post, CNN, whatever it is, you, you, you read and they read that this happened, and it was Apache Struts, executives say, well, we gotta, we gotta get rid of Apache Struts. Whenever they see SolarWinds, they say, well, we've gotta get rid of SolarWinds, which is far more difficult than I think that they understand.
And I think that there's this gross oversimplification of computer security has been for a long time, for many executives of this is the thing that hurt me, get rid of that thing without actually getting to systematic issues underneath the surface. And that also gets into why I like being in the MSP space, being places like the Cyber Call, Right of Boom.
And those things is, I I, I'd like to get Phyllis's, uh, take on this as well, because she came from many of the same places that I did, you know, coming from offensive NSA, Tony Sager, all of those groups, and we believed in the security community for a long time that we were the vanguard, we were the front line of computer security. And I was wrong.
And I didn't know that really until I met Andrew and we started coming on this podcast and this webcast and getting involved and meeting the MSP space. The MSP space just is monstrous. And they, they have very little in the way of funding. They have very little in the way of support, uh, very little in the way of training opportunities.
And I think if we're gonna change this, I think that we've gotta start finding where can we make the biggest impact on the most people to equip them, not just with training, not just with tools, but the right messaging that's required to move forward into their customers. So, John, I 100% agree. I mean, I don't know how many times we did a blue team red team pen test of any kind of GOTS or COTS product, and we just made fun of everybody like, oh my God, you're so dumb. Why didn't you patch?
Oh my God, you're so dumb. Why didn't you do this? Why is that same DCOM thing coming up over and over and over every single time? And so, um, you know, after years and years of, you know, making a career out of making fun of people, um, you have to like really stop and think, you know, why is it, why is it that all this is happening?
Why is it that, you know, uh, China has, you know, all the plans of Joint Strike Fighter or this agency or this company's, you know, we always called it, you know, the Wall Street Journal or New York Times test. If you, do you want this on the cover of the New York Times? Do you want this on the cover of the Wall Street Journal?
And even when you're there, just kind of it go, it blows over. SolarWinds, Log4j, everyone's like, we're all spun up because we're, you know, in it with the security community, but then everyone just kind of goes about their day. And so it really isn't one more incident. It really is, um, in my opinion, you know, how is it where we can have the most effect? How is it that we make it just business as usual, as painless as it can be for the end user or the end organization?
Where is it that we look to, and I think, you know, like John says, MSPs are a prime place. Where is it that organizations just go and security is baked in, right? It's not going to be that bolt-on that we thought that people would care about, you know, after decades and decades of one more bad thing happening, what's it going to take for everyone to wake up? And it turns out it's not gonna be a major incident, right? Everyone's lives just keep on moving on.
And so we just need to make sure, um, that those of us who have that responsibility, like MSPs, um, those of us in this current community, how is it that we can make things as painless as possible, as seamless as possible, built in and just, you know, hey, organization X, this is just the standard way that we're going to do our business. So it reminds me of a friend of mine. He had a heart attack and heart surgery. He was in his forties, right?
And you know, after that, you know, he was eating celery and taking walks every day. Now, fast forward over 10 years, he's got a giant heart attack belly, right? And I'm like, did it just take time for you to forget what it felt like to have your chest cracked open? Right? So like, you, you change on things, you know, uh, I'm gonna pass it over to Wes, but I'll close by saying, um, you know, John, you hit it exactly when you talk about messaging, right?
At Right of Boom, when we talked to our, our friends who, you know, went through, uh, you know, uh, an an incident, we said, Hey, if you had your customers here, if all of your customers were in this room, would they care what you charge them? And the answer is no. That tells us it's messaging. And if we don't get the messaging right, it's gonna be really hard to take customers and our companies where they need to go. And that's one of the things that, you know, Andrew and I are working on.
We're working on a class, uh, dealing with implementation groups, uh, aligned to the CIS. I can go to MSPs and be like, you need to sell your customers these things. But the fact is MSPs are gonna be like, that's great. They're not gonna pay for it. Um, so a big component of what we're going to be working with is if you're an MSP, how do you actually upsell this appropriately?
And not trying to be a used car salesman, but one of the biggest things that drives change is actually compliance and lawyers. So if you know your customer base in the MSP space, I can guarantee you there's almost always going to be a compliance requirement somehow. And it may be CIS. I think Phyllis would also agree. It's also very likely that it's not. 'cause there's so many compliance things that are out there.
But one of the things that we initially set out with the Critical Controls years ago was to make them simple and accessible. And in doing that and making it simple and accessible, it makes it that it's easier for people to implement in their own organizations. But a big part of it was also cross-referencing CIS and saying, how does it apply to ISO, how does it apply to 800-53? How does it apply to NERC CIP and HIPAA and all these other things?
And as an MSP, if you know how to speak the compliance language and you say, this isn't just something I'm trying to sell you to make more money, this is something that I'm selling you because you need it from a compliance perspective, that has far more weight in the sales pipeline process than just saying it's a good idea. Awesome. Can Wes, I'm gonna hand it over to you, buddy. Okay. Can I, yeah, go ahead, Andrew. Yeah, yeah.
I, we, you literally as you I was like, so Wes nailed it, by the way, guys in, in insurance. And, and by the way, I'll talk about, we'll, we'll definitely have, I'm gonna have a guy named, uh, Jack, and we'll get Dustin on too. But, um, John, uh, and, and Phyllis, why I think this is all coming together is, you know, it's, we're seeing it, and Gary, I think you could back this up with the insurance project you did.
It's cyber, the insurance carriers that are going to drive this, because they're the ones with the stick right now more than any of us, and any one versus, you know, certainly regulation and compliance is there. But what's so cool about this is, Gary, as you pointed out in the poll, you know, this group, this community is starting to align to CIS. We've got Phyllis and her team involved. We've got Eric Woodward.
I don't know if you saw that Phyllis out there getting a whole Com group together that he's gonna have a peer group around CIS. And then you got John structuring up the training to align to CIS. So, um, so with that, um, yeah, I'm, I'm, I'm, I'm thinking it's, we've got a really good group of things going on here. Wes, over to you. Yeah, uh, totally agree with that.
Andrew and I, I won't spoil too much, but I will just say I've spent, um, a fair amount of last week, uh, talking to several insurance, uh, orgs around some major changes. And I'm really excited to see how receptive they are and to understand how important the MSP is in the channel for all of this. So stay tuned on that. My friends, uh, I am very, very excited about what's coming out. Uh, Wes, we're at the beginning, right? Not the middle, the very beginning. Changes from insurance, we, yeah.
We've still got the machete in our hand and we're getting ready to chop that path, but we're at the beginning of the jungle. Yeah, yeah. Yeah. John, you were gonna say something? I was just gonna say, insurance companies. We have a number of our pen testing customers. Our insurance companies, and I will tell you, they are sick and tired of basically being subsidized security, where a company can say, well, we can do all the security stuff, or we can just pay insurance.
And they, they're looking at as an either or, and insurance providers, especially when they're looking at due diligence, you haven't done due diligence. They ain't gonna pay out that policy. And they shouldn't have to either. Honestly, I cannot agree with that more, John. That's exactly right. And, and their challenge is, up until recently, they haven't been properly motivated to know how do we actually truly assess, especially down market for smaller orgs, right?
Like, what does good security look like when you're not Bank of America? Not saying Bank of America is great, but I'm saying they have millions of dollars and the rest of us have 10. So, so how do we handle that? Um, so I, I completely agree with that. Um, insurance Doesn't help you, but put you outta business. Yeah. The insurance doesn't help if you're outta business. Yeah. Right, right. Yeah. Um, so let's jump back into the content.
Uh, so John, you've mentioned this on one of the last cyber calls you joined us, and I know you talked about it on your last, uh, webcast of like, if an organization comes to you as a client and they say, John, can you guys help me get ready for like a nation state attack? I know your answer is, yeah, sure. That was two years ago, right? Like, just the very nature of you asking means that you're probably really far behind.
And so at the risk of beating a dead horse, which I think we should continually do, that means back to the basics, right? Absolutely. So can you just go through the basics again? 'cause I think it's so important for us to hear. Well, I, I think the ba the basics have shifted. Right at the beginning we were talking about EDR. The EDR are the, is the basics, right? Um, you have to have that endpoint, uh, capability that's not just traditional deny listing.
But you know, in the, uh, class that's down below, I think, I think we have a link for it. Um, and it's pay what you can. It's, uh, it's coming up here shortly. Um, we, we start with the basic skills of do you know Windows? Do you know Linux? Do you know networking? You have to know those things, right? Just to get started. But then in the actual security class, the intro to security class, um, we, we developed something called the Atomic Controls that were 11 things.
So if you look at all of the controls and you take that across 650 assessments that we do per year, and we say, okay, what are the core things that would stop us? It's probably about 11 things. It doesn't mean you can ignore everything else. It's just saying triage. Right now. We're a little worried about Russia at the moment. Where do I start? And if I was to tell people, okay, the first thing you need to do, inventory all of your systems and your software, yeah, that's really important.
But if you're in triage mode, don't start there. So if you're looking at triage mode, two factor authentication, uh, long strong pass phrases, we need to get away from passwords, right? Uh, patching and vulnerability assessment has always been right there. Uh, application allow listing. All of your really good EDR products, really what makes them good is they're excellent at application allow listing. That sounds hard, but in the class we make it a lot easier.
It's just multiple ways to do that. Internet allow listing instead of saying, these are bad sites, these are porn, gambling and hacking sites. You can basically go down to your uncategorized, it's usually in your filters. It's like something, you know, Cisco has never seen before. You, you wanna uncheck that. Don't allow your users to go to a website that Cisco has never once seen.
There's some really basic fundamental things that you can do that you can do relatively quickly in your organization that'll make a big impact. Once again, there's still tech debt, there's still that asset inventory that's software inventory. But if you're talking triage, you can boil it down to about 10, 11 things with backup and recovery in there as well. I, I love that idea of the, uh, triage 11, right? The atomic 11. I think that's great.
Do you guys have that published anywhere, John, that you might be able to share in, in chat? Well, one of the first places that we're going to, we, we built it in as part of the pay what you can training that we have that, and by the way, we did the pay what you can. 'cause we know that a lot of MSPs, their profit margins are just razor thin.
Something we didn't understand where in security, a lot of security, there's a lot of money in security, let's just put it that way and let that be where the profit margins in MSPs are much tighter. They can't afford to send people to $8,000 a week training. Not just the cost of the training, but losing somebody for that period of time. Um, so by setting it up, so it's pay what you can, getting people into it, it's baked in there.
But also in the class, that's going to be a subscription that Andrew and I are working on right now. You're going to get access to the Atomic Controls auditing, uh, portion of it.
We didn't develop that as a part of this class, but I know with a lot of MSPs, whenever you go into a customer, you're a smoke jumper, a brand new customer, and you get to crawl around underneath desks and look at all the dust bunnies and all the horrible things, how can we actually audit customers quickly and efficiently to get an idea and a baseline as far as where they're at? So we can try to get them up to speed as quickly as possible. And that will be in the class that's coming up as well.
Fantastic. And smoke jumper. Uh, I love that. Uh, and speaking of, uh, smoke jumpers, Phyllis, I want to ask you a question that's a good pivot from that is, so you mentioned the MS-ISAC, right? And, and kind of what you do as the interface, especially in the, in the public sector.
And I just, I I, I know you can't violate like TLP stuff, I know that, but can you give us like, some information, some like groundswell of what's happening in, from your perspective of like, do you see, uh, do you see the public sector, especially where MS-ISAC plays, do you see them taking this seriously? Are they running around like chickens with their heads cut off?
Are you seeing any industries that are stronger or weaker than others, for example, like electricity versus, you know, water, waste water. Love to just get your insights as much as you're able to share with us, because I think that'd be really helpful. Yeah, sure. So, you know, we'll keep it Just between us. Yeah. So, you know, um, I think you'll find the trends very similar.
Um, for example, if we were to look at the, um, MS-ISAC space, um, you know, the states are the ones that, and the states with the most money, like California or like a Colorado, in case you didn't know, Colorado has a lot of money for cyber. Those, um, the state, at the state level, you'll see more, um, you know, like MFA, secure configuration, et cetera.
Um, the smaller organizations, while responsible, while the state CISO's office is responsible for those smaller areas, you won't see a lot of those security controls in place, right? And so it will be the typical, they're small, they just have to keep the lights on. You know, they're, they're, they're taking care of your local municipality. They're taking care of water, they're taking care of this. I will say, um, you know, um, the, the power industry, um, is slowly coming up.
They're, they're, they're afraid of regulation. They just had the EO where TSA was in charge of, you know, uh, providing some oversight over them. And they're very concerned. Um, they're trying to come up to speed. Um, we've talked with a few of those organizations on CIS controls and how they can help position that industry moving forward. You know, we have mentioned, of course, and, and you know, Wes, the banking industry is the same way, right? You mentioned Bank of America.
It's like those bigger banks, they have more money, they're going to be implementing, um, controls. I mean, Bank of America, we, we're good friends with them. They love CIS controls. Um, they're, you know, they like to start there and map, just like everyone on this call has said, to all the different other, um, controls. I mean, I think it's interesting, regulatory frameworks, right? So Phyllis, you talk about all these organizations, and I talked about this a while ago.
Um, you know, we came up in DOD and you remember in DOD I'm sure that you saw like the scary Solaris 8, 9 systems. Yeah, yeah. That have been running for decades, right? Yes. And if you talk to DOD, they're like, well, you know, we're a precious snowflake. We have all these legacy systems, we can't just upgrade them. And then if you go to banking, they got like AS/400 systems running RACF and Top Secret. They're like, banking, we're, we're a precious snowflake.
We have these legacy control systems that no, we just can't shut down. And then if you go to, like, SCADA, right? SCADA says that all the time. Oh no, I need my Win 98. You can't get rid of this. If you go to, uh, SCADA/ICS and like, you know, all Yeah. It's constant. It's constant. Yeah. And what I think is interesting is everyone thinks that they're all precious snowflakes, but they all have the exact same problems. It just doesn't change over time. Very cool. Completely agree. Yeah.
Uh, completely agree. Um, John, another question for you in the same, uh, vein or line of thinking, right? So I'm gonna paste into the chat here so people can see this. CISA now maintains like that list of critical infrastructure. So a lot of the ones you just mentioned, of course, you know, finance, banking, all uh, uh, uh, healthcare, water, wastewater, et cetera, et cetera.
Um, but do you think there's need to like potentially change and add some, like is there new emerging critical infrastructure? I'm, I, I, I want to talk to somebody at CISA. I haven't talked to Jen in a long time. Um, and I never really got to know her really well. But CISA needs to stop. Um, there's some things that I think that CISA is doing that I think are fantastic. And there's some things that I think that CISA is doing that are leading us down the road of ruin.
One of those things is trying to say, well, these are critical infrastructure. The reason why I don't think that that's the right thing is you talk about, you know, oil and gas sector, you talk about medical, you talk about all these things, you're like, yes, that's critical. Trucking and logistics is critical infrastructure. It is.
And, and, and I, and I think that we ignore that, you know, manufacturing, you know, somebody that makes a simple little grommet can be used in something that's used in critical infrastructure further on down the line. And the concern I have about that is we're putting focus on like a handful of things without a, without really understanding the full ecosystem where everything, either everything's critical infrastructure and nothing is.
And let me give you another example of kind of how CISA is doing the same thing. CISA is trying to get into the, of the realm of saying, these are the things you have to patch. These are the most exploited vulnerabilities that are out there. You need to patch those. A ton of organizations are looking at that and reading, these are the only things we have to patch.
So it gets to the point where you get into doing too much and getting too granular, insofar as what you're doing that you start to, the larger message that needs to be taken starts to break down. So if you're looking at funding from a government perspective, they're gonna say, well, we're gonna try to get funding for securing these critical infrastructure things. And they're forgetting, like I said, something as simple as trucking and logistics, which is absolutely critical infrastructure.
And by the way, who's there protecting logistics? Many times it's MSPs, right? They're the ones that are protecting the individual infrastructures that are smaller. They kind of fall off the radar. 'cause they're not Bank of America, they're not Epic, but they're absolutely a little hospital that's using Epic. So we need to kind of stop this push to try to get down into the weeds. And that's one of the things, going back to the critical controls, the critical controls, like we fought for years.
And I think CIS does too, and Phyllis can speak to this, to try not to get into the weeds of specific patches, of very specific things to do, but trying to provide broad guidelines that we need to focus on instead. I, I, I agree. And I think that's really good feedback. And I think to illustrate your point, John, like you look at exactly how threat actors operate.
The, the reason that the supply chain exists is their preferred, one of their preferred attack vectors is for exactly what you just said. And we had in the early days of the cyber call, we had Christie Coffee on. Christie is one of the, um, folks that runs the, uh, MTS-ISAC, which focuses on what you just mentioned, like the transportation industry, especially in, um, you know, the big trade ships that come in from overseas and then the trucking and train routes.
And, you know, if you, you brought her back on the call, she would tell you what an immense, colossal risk this is. Um, and just how many of these, not, maybe the ports are doing a little bit better in some regards, but man, the rest of the surrounding infrastructure is, is not ready. So you bring up a great point there, John. Yeah. And, and I mean, and you can play this game and you can start thinking it through, um, oil and gas delivery. We have pipelines. Okay, what about last mile?
There's a whole bunch of small companies that take oil and gas, and then they actually get it to the gas stations. They take propane and they get it to hospitals. They take oil and gas and they get it to machinery for development of neighborhoods or like large scale projects of construction. We forget about that. But if that goes down, that's critical infrastructure, believe me. Agree. So, um, one more question for you, John. And, and Phyllis, I want you to elaborate on this too.
If you, if you would, can you talk to us about, you mentioned a little bit of the training with IG one and, um, getting that, you know, into the hands of more folks and even like positioning, like teaching MSPs how to position this themselves because they have a unique requirement of managing all these clients. And so therefore they have to sell security as well. And I don't mean like scummy sales, but really sell its value, right? So can you share a little bit more about that?
So if we, we talked about insurance and there's a section in here on insurance as well. If you're an MSP, like I said, and you show up and you say, we have this really whizzbang firewall that we want to use. The only thing the customer is hearing is more expensive, and it's a cool toy for this person. And to be honest, we're all IT people. We're a little bit weird on, on our, on our, on our best days. And that's okay, right? But it seems scummy.
But if you can go to the customer, and what I recommend is doing this, don't, don't try to sell things to people. Create communities where people want to hang out. And there's a lot of MSPs and Wes and Andrew, we, we talked to some of them. They actually create communities in their own geographic location that they specialize in. Um, and they basically set it up. So, okay, let's set up a brown bag where we're gonna talk about insurance and ransomware, right?
Then your customers come in and you can talk about insurance and you can talk about ransomware, you can talk about the problem intelligently. And then it becomes a lot easier to sell that to your customer because you're in effect educating your customers. So one of the things we're gonna talk about is how can you actually go forth and educate customers and demonstrate risk with stories and narratives? 'cause human beings are visceral that way.
We like stories so that you can say, okay, don't go and just say, here's a package I'm trying to sell you. Instead, say, here's a series of stories and narratives about insurance not being paid out. Here's a series of stories and narratives about compliance regulations that exist in the industry, whether it's medical or other industries that might be under ISO or NERC CIP or whatever. And you're basically educating your customers.
And most of our customers, like at BHIS, we don't do an active sales team. There's no one here at BHIS that dials for dollars. We do tons of webcasts, we do tons of training for free or pay what you can. We're training our customers constantly and they come to us. And one of the things we're gonna talk about is how an MSP can do that exact same type of thing as well.
Tie it to compliance regulations, tie it to insurance, and then also tie it to how you can create a community of your customers in your space to truly become, I hate the phrase, a thought leader in that space that people want to go to. I, I love it. You know, to give an example of this that we're seeing, John, um, you take Huntress for example. They, they do such a stellar job of getting so many MSPs together and teaching Tradecraft Tuesday, all these things.
You as an MSP should be the mini Huntress, right? Like go take, yeah, what they're doing. It's at such a large level. And go do it with your sphere of influence and, and make sure it, it attaches to the audience, right? So you probably don't want to talk about, you know, uh, like some kind of like reversing or, or like the latest intel on a zero day, but, but bring what they're doing into your sphere. I think that's so powerful. And I think there's a lot of ways we can do that.
And in a lot of ways, I think we're successful, we have a bunch of MSPs that are, that are really successful, right? At this right now, not only do customers come to them, but when they do, they're not concerned about price. They've learned enough where they're concerned if someone's not charging them enough because they're educated enough on what it takes.
And there's another magical thing that happens here that I think a lot of MSPs miss, is whenever you have the ability to start communicating at this level, it basically increases your total marketable space that you sell to. And what I mean by that is, a lot of people working with MSPs today, they're mom and pop small places. The vast majority of MSP customers are these smaller organizations. They don't care.
They want the computer to turn on, they want to get to the internet, they want to do their job and they want to go to bed at night and not worry about it. But if you can start communicating compliance, if you can start communicating the intricacies of legality and you can start communicating insurance properly, all of a sudden you're no longer dealing with a small mom and pop shops, you're now stepping up into medium sized businesses and even large scale businesses.
'cause many organizations are realizing it is cost prohibitive to keep a security team on staff all the time. And they're looking to outsource that. So this isn't just an issue of selling it direct to your existing customers. It's really trying to expand out who your customer base actually is. I would say I agree with you 100%.
I would say we have even talked with large, I would say transportation, large manufacturing, um, companies that you would be like, wow, what they don't have a cyber team. Um, and you'll, you'll, what was interesting to me is really, um, explaining cyber risk to the business risk, right? So transportation, they understand uptime manufacturing. It's like, I gotta make this at this factory this amount of time, da, da, you know what I mean?
Like, they know if that factory goes down, this is how much it's gonna cost me, right? What they didn't realize is the dependency on cyber, right? So transportation things have gone a lot more, um, you know, electronic, you know, and, and, and they don't realize, oh, I've got the camera there to see if this gets there on time. I have, you know, things may be automated on their route, et cetera, et cetera.
And like that last mile, the truck taking this over to there, they don't understand that they have all these, um, dependencies on cyber. And so as MSPs, you could also help describe cyber risk to the business risk. Most business owners know what it means to keep the lights on. They know what it means to make a profit.
What they don't understand is, um, when you know their, their dependency on being secure, what that means to their business, like John said, they understand their computer needs to be on. Um, but they don't understand that other component of the, um, the risk if, you know, they were to get attacked. I, I hear the Ghost of Ryan Weeks, um, nodding in hearty approval with you, Phyllis, right? This is why Ryan's always saying, know your clients, right?
Know their business processes, why data flow diagrams are critically important. Chris Laer says the same thing. He says, he sees so many MSPs that don't know their clients and so they can't even have these conversations 'cause they don't even know the questions to ask. Get those conversations started. So, so good. It's hard to start right, Wes? I mean, it's a really hard thing to start.
And I don't know, I may have been a little bit blunt, uh, when I was on stage, um, at Right of Boom, but I was basically like, there's only gonna be two types of MSPs. The MSPs that get this and they're gonna continue to be in business over the next five to 10 years. And the ones that look at it and they're like, but this is hard. I'm gonna have to sell this. I'm gonna have to like charge more money for my customers, and they're not going to be in business. This is the future.
This is where it is going. And you're absolutely right. And Ryan's right too. If you know your customers, you have a relationship with your customers. This isn't schemy, this isn't like slimy salesperson type thing. It's basically helping some friends out. It's not the future, it's the present. We're already seeing a bifurcation of those two groups in a way that we didn't see a few years ago. So it's already here. Yeah, I couldn't agree more. And I, and Everyone gets to make a choice.
That's the great news. Yeah. Very, very good point, Gary. I mean, and Gary, we hear this not only from you and you, you still get pulled in from your old clients, but Brian Blakely, who we're gonna have on, again, we're gonna do business impact analysis with him. He's masterful at this. You know, he's a guy that goes in and sells vCIO, vCISO services, he builds security programs. He's owned several MSPs. But the first question you'll ask somebody is how do you make money?
Like literally that generic and then, you know, he starts going down this path of, okay, so systems, you know, support that function. Like what do you have to do in your business? And again, so we'll have him on, I couldn't agree more with you. Um, but Gary, you've said it all along for years and years and years. You have to have command and you can't have command without understanding your customer's business.
And Wes, as you pointed out, if you get a breach, first thing a guy like Chris Lahr is gonna ask is where are the critical systems? What supports the business functions? So speaking of Chris Laer, "I don't know" is not a good answer. "I have to ask the customer," but a comment, not a good answer. Not a good time. Yeah, really good point, Gary. So I'm gonna actually, you know, in essence of time, gonna kind of combine this question to John and then right over to Phyllis.
I was speaking to Chris, I was in San Antonio with Chris last week, and I said, Chris, you know, just humor me. You know, you work just thousands, I don't know how many cases a year, but tons and tons of cases. And I said, I gotta believe phishing is, you know, the top, you know, things you're seeing on a day in day basis of how people are getting popped. And he said, Nope. I go, what? He goes, Nope. It's patching still to this day, this past week, Andrew, we had the SonicWall patch.
We had the Exchange patch, and we had the Fortinet patch. Those three all happened this past week. And I'm like, you gotta be kidding me, John. So you said on your most recent InfoSec podcast, like why, why do, what's going on that we still can't get patching right? And I'm gonna put a resource in a URL in here that's phenomenal from CISA and I'll talk about it in a second. Go ahead. Alright, so a couple of things with patching.
Uh, the first thing with patching is if you go back a number of years ago, anybody that's in this industry and has been in this industry for a long time, got burnt by a patch. You installed a patch and a system went down. Whose fault was it? It was always the IT administrator's fault. It was always the security team's fault. It was always the network administrators. And you're the ones that get blamed for it, right? Because you're there. I mean, you know, they can't, they can't blame Microsoft.
I mean it's like, it's like blaming God at that point. But the administrator who installed the patch, we can blame that person. So this goes back to changing attitudes and the way things work. Really good, highly functioning security organizations, they install patches and they understand that there is a risk with installing that patch and something may go down. Now I'm taking like, you know, like systems associated with medical and DOD, we're taking that off the table for general business.
The system goes down because of a patch. We need to start changing the culture and saying it's not the fault of the administrator, it's the fault of the patch, right? And we need to do that. And it, people are terrified. I mean, I know MSPs and I know our customers at BHIS. We still have customers every once in a while. Like we like to wait a month before we push a patch out.
But the risk associated with that now, especially with the ability to reverse engineer a patch, to write an exploit is so quick these days is much higher than actually having the systems go down. And I also go back to SolarWinds. SolarWinds was tragic for a lot of reasons. One of the main reasons why I think SolarWinds was such a tragic thing is I now have customers that are like, we weren't patching our SolarWinds system, so we didn't get hacked by that.
So the lesson they learned is don't patch name another incident like that, like SolarWinds that happened. Now I can name a couple, I can go back and I can talk about some with Cisco. I can talk about some kernel updates that almost made it back into Linux. A lot of those are really academic, but you have this one visceral white, like this bright shiny alert attack that happened. And so many organizations are now saying we gotta slow down on our patching.
And it's getting better as, as the older CISOs and CTOs are kind of getting washed out and retiring, uh, people that you know, have been in the industry, you know, and they didn't come into it from a different place that have been in the industry from the start, have a better understanding, are kind of taking their place. It is getting better, but that's the biggest reason why people hate patching is and why it's such a huge risk is because they're afraid of downtime. Plain and simple.
Well, and over to you Phyllis. You know, I think, you know, we're starting to educate MSPs and we're starting to see better things from MSPs on developing policy with their customers. Like what is the most critical thing if it's exploited, you know, if it's a certain CVSS level, if it's being exploited in the wild, we can go ahead and patch in this given period of time and then there's something to back themselves up on.
So you point out in CIS controls and, and let's just talk briefly as the doctor on the cyber cast, why is, um, control four secure configuration so critical and you know, in, in this conversation? Yeah, you know, and automated patching, it's so this is decades, decades old of, oh, there was already a patch release for that. If you had only patched, you would not have been exploited.
And you know, um, having a secure configuration is the number one thing you can do to help defend yourself against these top occurring attacks. Verizon did that research, we did the research, it, it all, it all points to secure configuration. I do wanna comment. You know, it was back in the day, you know, when I was first at the NSA and I administered Windows NT, I did wait a little bit before I put out a patch.
We had the, you know, um, SDK and we'd look at that and um, But they went, but those NT boxes went down like week. Yes, I say, I mean it was bad, right? I would say that was no longer the case. We are so much better today than we were like 20 years ago. So I would say the oh, it's gonna go down. That is no longer a valid excuse. It is not as common as it was even, you know, exchange patches not as bad as they once were.
Um, and so I think that to say, well I'm worried about going down, that, that, that that no longer rings true. You need to patch and if you do have a legacy system, you should know where that legacy system is and that's the one that you don't patch. But you really need to be thinking about updating that and upgrading it so that it is patchable. Today people do write software in a better way.
It's more modular where you can patch and it's not gonna affect every single piece of software on that box. So I don't think that's a valid excuse anymore. Got it. I know we're right at the top of the hour and John, I'm gonna just maybe give you the floor.
I was gonna ask you about, you know, um, user, you know, account management and, and you know, you talk a lot about passphrases, passwords, but, so maybe just kind of close us out on what, what, what are we gonna see in the upcoming, probably month or so, month, few months here on the training you're doing? Um, I call out, you know, using this code cyber call on your upcoming training.
Um, that's, uh, we'll, we'll put more out there on, you know, being in the beta group of this, if you pay the 495 less 100, you're in the Ask John Anything quarterlies, but kind of bring us full circle to here, John, at the top of the hour. So what, what you're gonna expect when we do this, this is gonna be wrong. I'm just gonna start out by saying that and I wanna explain why.
So we're starting out with, uh, we're, we're using the critical controls and then some other things that we're pulling in as well. And right now I think I'm up to 275 slides and they're gonna be broken up into modules and all these different sections, um, from backup and recovery, creating a community, talking about legal, all of these different things. What we desperately need is feedback from the MSP space. So I can gen this stuff up very quickly.
I trust me, I can write an entire presentation in about 15 minutes. Um, so what we really want is feedback. So if you're interested, reach out to Andrew and say you might be interested in the beta side of things. Um, I think we're, well I'm not gonna mention any companies. We are talking to companies right now and what I need is, I desperately need for you all to tell me what you need to know about from the cybersecurity perspective.
'cause I was not born and raised in the fire of the MSP space. I was born and raised in the fire of the computer security space working with intelligence organizations like Phyllis and the NSA and that is not the MSP space. So I can talk about the core fundamentals. We, we, we got that. We can handle that, that's not gonna be a problem whatsoever.
But I would like to know if you're interested, get out on the beta part of it and then give Andrew and I feedback and say, I would like a module on how to do this. I would like to have a module on how to do this because I don't want to be Prometheus bringing fire down what I want this to be as a conversation where we're learning from each other. So that's what you can expect. It's gonna be, uh, it's gonna be a subscription model.
We're going to have special calls where we can sit down and we can sort of ask a hacker where you can ask me questions about what you're seeing in the space. We're going to be releasing scripts where you can do automated adversarial emulation using Atomic Red Team on those CISA things we were just talking about, where CISA releases an alert and it says this is something you need to watch out for.
We're gonna give you all some scripts where you can automate and see if that's something you can detect in your organization. And hopefully we can get some vendors in the space as well to bring some of their training as well to this platform. But really we, we want to try to get you as much as we can, especially from the security side of the house. But I want it to be a conversation. I want you all to tell me what you need because between Andrew and I, I think that we can cover it. Awesome.
Phyllis, always wonderful to have you. I know we'll probably hear some upcoming stuff that you are working on for MSPs as well. I know the lot, a lot of things you guys are doing. Um, Wes, always great to have you and all the things you're um, involved with. So I think Gary had a run. Um, and then I'll get with d if Dustin's still on, I'll get with those guys probably mid west, probably mid April. Um, uh, we'll get going on that.
So until next week, um, we appreciate you guys as always being part of the cyber call. Phyllis John, thank you for jumping on with us, Wes. Awesome. Take care everybody. Thank you so much everybody. Talk to you all later. Thanks Guys. Take care.