Skip to main content
Right of Boom
March 20, 2025
757685

Leveling Up Your Cyber Skills with Boom Games, MetaCTF & CyberDrains

## Level Up Your Cybersecurity Game: A Guide for MSPs with Meta CTF and Write A Boom Hey MSPs! Keeping your clients secure is a constant battle, and the threat landscape is always evolving. That's why honing your cybersecurity skills is absolutely crucial. We recently hosted a webinar with the amazing folks at Meta CTF and Write A Boom to show you how you can level up your game and stay ahead of the curve. Here's a recap of what we covered, and how it can directly benefit you and your clients. **What's Meta CTF and Why Should You Care?** Meta CTF (Capture The Flag) is a platform that offers hands-on cybersecurity training and competitions. Think of it as a virtual playground where you can practice and refine your skills in a safe and engaging environment. As a Managed Service Provider, the more knowledgeable your team is about cybersecurity threats, the better equipped you are to protect your clients. Meta CTF provides the tools and experience to make that happen. Their platform is trusted by major companies, and now, you can leverage it too. **Write A Boom's Boom Games: Mini-CTFs for Everyone** Write A Boom's Boom Games is the perfect entry point for MSPs. It's a continuous, open-access mini-CTF (Capture the Flag) competition that utilizes the Meta CTF platform. Think of it as a constant stream of bite-sized cybersecurity challenges designed to teach you practical skills. These challenges are ideal for: * **Building Core Skills:** The challenges cover a range of crucial topics, ensuring your team gets a well-rounded understanding of cybersecurity. * **Hands-On Experience:** Get practical experience in areas like forensics, reconnaissance, and web exploitation. * **Skill Enhancement:** Practice your problem-solving skills, and hone your critical thinking capabilities, all crucial for managing security incidents. **Key Takeaways from the Webinar: A Deep Dive** During the webinar, Roman from Meta CTF walked us through some real-world challenges that directly benefit MSPs. Let's look at a couple of those examples: **1. Flags Over the Wire: Mastering Packet Analysis** * **The Challenge:** Recovering a downloaded file from a packet capture (pcap) file. This requires understanding network traffic and using tools like Wireshark. * **Why it Matters:** As an MSP, you need to be able to analyze network traffic to: * **Identify threats:** Detect suspicious activity like data exfiltration or malware communication. * **Troubleshoot network issues:** Quickly pinpoint the source of network slowdowns or connectivity problems. * **Investigate security incidents:** Uncover the root cause of breaches by examining network activity. * **The Solution:** Roman demonstrated how to use Wireshark to filter by protocol (FTP in this case), follow TCP streams, and export the relevant data. **2. Road Hosts: Identifying and Assessing Network Assets** * **The Challenge:** Identifying the function of an unknown server on a client's network. * **Why it Matters:** This skill helps MSPs: * **Perform network audits:** Ensure all assets are properly documented and secured. * **Discover vulnerabilities:** Identify outdated or misconfigured services that could be exploited. * **Improve incident response:** Quickly understand the scope of an incident by mapping network assets. * **The Solution:** The webinar covered using Nmap, a powerful network scanning tool. The key is to properly use flags for the appropriate results. This involves identifying services, checking version numbers, and understanding how to interpret the scan results. **Resources & Next Steps for MSPs:** * **Sign up for Write A Boom's Boom Games:** It's free, and it’s the perfect way to get started. Find the sign up link in the public chat from the session or on the Write A Boom website. * **Consider Meta CTF’s Subscription Model:** If you're serious about training your entire team, explore the option of a Meta CTF subscription. * **Participate in Meta CTF's Flash CTFs:** These are free, monthly, two-hour competitions. They provide a great way to challenge your skills and learn alongside others. Find the link and time in the public chat! **The Bottom Line for MSPs** Cybersecurity isn't just a service you provide; it's an ongoing process of learning and improvement. Meta CTF and Write A Boom offer a fantastic opportunity for MSPs to: * **Strengthen team skills:** The tools and training help you make a stronger team. * **Enhance client security:** You can secure your clients more effectively. * **Reduce risk and liability:** Build confidence and reduce threats for your clients. By taking advantage of the resources discussed, you'll be well-equipped to navigate the ever-changing cybersecurity landscape and protect your clients for years to come!

Guests

Andrew Morgan

Video Transcript

Welcome, everyone. Happy Monday. And halfway through, uh, April already. It's, this year is just flying by. I don't know if it's me, Phyllis, but do you feel that way with 2025? Yeah. I can't believe it's already April. I mean, it's crazy, Crazy. Uh, let me just make sure everybody can hear and see us. Okay. Can you hear and see us? Okay. Gonna throw that out in chat real quick, everybody, just make sure we're all coming through, uh, with everybody.

And, uh, hopefully we'll get, uh, as, as people are getting in here, um, we have, uh, Keith Bartol joining us as another one. Thank you for letting, letting us know everybody. Uh, let me just turn off all my dings and dongs that are always fun if you, if you're forget, Hey Ann, welcome and great to see you. Hope you had a great weekend. Um, okay. So, um, let me all, Hey Joel, let me just make sure, okay, well, hopefully we get Keith Bartol in here. He's up number.

I was gonna say number two, but that didn't sound right Chris. Um, alright. So just a little, a a few announcements that, um, you'll start hearing over the next few, uh, weeks that we're gonna start promoting. Believe it or not, we are one month out of the fifth year anniversary of the cyber call. Um, yeah. Wow. Congratulations, Andrew. Yeah, thanks, chip. Um, we're, like I said, we're gonna, you'll, you'll see a lot of promotion around this on LinkedIn and social coming up.

We're gonna actually bring back, um, Kyle from Huntress, one of the original. So the original cast was Kyle, we, Gary and myself. Um, I created it right after we did the first, um, virtual event coming out of the pandemic. We had 1700 people on it, and this is what was the continuation of it. Um, so West's coming back. Kyle's coming back, and Gary, it'll be May 19th. Um, and it'll be like an hour and a half session. And we'll look at past, present and future.

Over the last, you know, five years. We're gonna be looking at, you know, kind of retrospect of what, what's transpired over the past five years in terms of threat, business, et cetera. Look at where we are today and what, um, each of these, uh, folks thinks is where we're headed, um, in the next, uh, five years. So that's coming up. Um, and did I have anything else I wanted to mention? Oh, that's about it right now.

Um, so this, this week we've got, um, the, um, conversation here and we'll introduce Chip in a moment. But every, gosh, Phyllis, we try to do some of the really major, um, uh, threat reports. Yep. You know, each year, every year we have, um, Verizon on and, and hopefully we will, we'll get them back with us this year. Um, uh, each year we've had, uh, Philip Phillipe, who's just been phenomenal. Um, and so we'll have him back.

And we've, we've, we've had Clark on with CrowdStrike and there's Keith. Let's bring Keith on in. Hey Keith. Um, what's up? Hey.

And you know, we've had, um, and then, and then this year, um, you know what, what I just has blown me away 'cause I've followed this report over the past five years, is the, is the SASS e report by Sass and, um, chip, we're gonna get into this, but the amount of data that you guys have now is like head scratching and shaking how much data you guys are collecting and the, the breadth of MSPs and downstream SMBs.

So I, I thought it was really important for people out there to understand, you know, the SaaS-based attacks because we, we certainly can see the shift from threat actors, um, where they're going. And it is based on the whole thesis of why you started founded SaaS work, which is gonna be identity. Hey Keith, do you mind just muting? 'cause we're getting a lot of feedback on your stuff, right? Yeah, yeah, yeah, yeah. Um, but it's a great garage. I love it. Um, it's Not mine. Wish It was mine.

Is that a fake background? Because I'm jealous. True. No, I, I, I'm here with, uh, a, a fellow MSP owner Trent, uh, that exited around the same time as me. So he is, we're we're just playing Now The Side effects of, of successfully exiting. That's right. So, so, um, so Chip, um, you know, this report, you know, you know, when I was looking at it, and oh, by the way, I'll put the URL in for everybody right now so you can get it.

Uh, there's the URL 43,000 SMBs over 2,500 SMBs and like over, if I remember correctly, over 7 billion alerts Events, not events. Right. Thank God they aren't 7 billion alerts. You know, it's only about 1% of those that are actual alerts. But yeah, thank, If they were alerts, I think Chip would have even less here. I, our, our clients would skin us if all 7 billion events were alerts, Sorry, events, but, you know, just, you know, an astounding data set. So with that chip, welcome back.

We haven't had you on in a while, but for those that don't know you, if you could share a little bit about yourself. You've got some pedigree in the MSP space as well, so, uh, welcome and tell everybody a little about yourself. Well, yeah, thanks Andrew. I was, I, I certainly started off my career in, um, in technology, well, sort of after the, the coder part of my life, I started off as well, we used to call a var, this was before the term MSP really existed. Mm-hmm.

Uh, and we definitely transitioned into an MSP, but we carried that VAR DNA with us. We were solution resellers for CRM systems and accounting systems. Definitely got out of the hardware side of that business, um, in the very early aughts. 'cause there, it didn't feel like to us the margins were worth it. And we, we got into the, into the software end, um, really with the, the first product that we built, uh, was called Clouds Workspace.

It was a, you know, IT product aimed at managing, um, virtual desktop infrastructure, which back then the thesis was data is what people are really after. And it can be better protected, um, inside of A VDI architecture than just leaving it on servers and small offices.

Um, I still believe in that thesis, by the way, but the world has moved to SaaS and, you know, we exited that business in 2018 and almost immediately started working on the idea for SaaS alerts because we just, you know, you, the trend was too obvious. Every, all, most of SMB data was going into SaaS environments, particularly 365, Google Workspace sales, slack, all that stuff. So that's how we got where we are.

Um, and it's been a really, uh, it's been a really fun run, you know, the last five years, uh, you've been following us, working with us to help us build and grow our audience. And, um, I think our thesis turned out to be correct. You know, in the end it's really about user behavior analysis or I like to clarify it and put a fine pin on it, which is account behavior analysis. 'cause not all accounts are users.

Um, and that's, that's becoming, if not the key to overall information security and data protection. It's certainly one of the key stone in a, you know, in a strong arch. Yeah. Yeah. It's been a great, it's been a really cool, really cool to see what you guys have done. Chip and the thesis, um, boy was spot on. And, um, and, and certainly the market agreed, agreed with you with the velocity of adoption. So, with that, Phyllis, let me let you kick things on off with Chip. Yeah, sure.

Um, first off, great to see you. It's been a while, so, um, you too Phyllis. So, uh, happy 2025. So even though we're well into it, um, so the 2025 SS e report, um, has a ton of, um, good data, some of it alarming, all of it actionable, um, with actionable trends. So from your perspective, what's the most surprising insight, um, that you saw in the data?

Um, well, this is gonna sound maybe, maybe counter surprising, but the most surprising thing to me is how consistent it is in terms of the, the types of attacks that are successful. Um, and how they really haven't changed in the last maybe two or three years. You know, the, the token hijack thing really reared its ugly head in maybe late 2022 or early 2023 that became, um, the predominant way of successful attacks.

You know, it took the, the password sprays and brute force attacks took a backseat to that in terms of the success of the attacks. Um, and that's continued. Um, I think the, the initial introduction of products for the hacking industry, and I use that air fingers quote, but really is its own marketplace. Its own industry, industry. Mm-hmm. Um, products to help, um, script kitties become very sophisticated hackers.

Um, that really seemed to kick off a huge surge in successful compromises using, using token theft. And it's continued to advance, um, you know, our internal team plays with and studies those tools and, you know, we went from one to two to, you know, now close to a dozen different products on the marketplaces that are completely integrated end to end to help people, um, you know, to drive from phishing to successful token hijacking to data exfiltration and start the loop over again.

Now that you've got data coming out, you can just go attack vendors, customers, everything else of the people that you just ripped off the first time. So, you know, we've seen that cycle really, really grow and become much, much more powerful. So you, you kind of covered this, but, um, can you kind of break it down for the group and explain why token hijacking is so dangerous, and how is it that we can defend against it? Hmm.

Well, the, the reason it's so dangerous is because the, the entire SaaS world, um, has a vulnerability. And the vulnerability is the browser is the interface. And in order to, you know, go from the step where you're authenticating as a user to having authorization to actually use the product that's behind that browser interface, you get what's called an authorization token. Um, and those tokens can be temporary. Sometimes they last a long time.

Some products allow you to set a duration, a lifespan for that token. Think of like a TTL, uh, for a DNS setting, almost, um, others it, you know, can last forever. You know, slack is one of those that, you know, we log into Slack and unless your administrator is very focused on making sure the tokens expire, they're gonna just sit there, you know, virtually for infinity.

Um, Microsoft has gotten better about this, but nowhere near enough businesses or MSPs that manage those businesses are setting token expirations or token security. Um, it's so dangerous because I think there's two elements to it. Number one is phishing scams have gotten better and better and better. AI is improving them because it's localizing language better. Um, and people are falling for them. And that's the, that's the spear point for that token hijack.

It's getting someone to go to a now very, very realistic looking login page. Um, that is bogus, generally speaking. Um, and adding their credentials and passing that authorization token back to an attacker. That attacker can then take that token and plug it into any browser anywhere in the world, you know, drop it in 'cause it's basically a cookie. Um, and now instantly access all that person's resources. So it, you know, that's the problem.

It's, it's far beyond just, you know, getting access to, um, only a mailbox or, you know, the days when we all had exchange servers in our offices, you could get to the exchange server, but that didn't necessarily get you all the way through to everybody's, you know, data stores and everything else. You had the email, but you didn't get everywhere.

Now, once you're in, um, in a SaaS product like Google or Microsoft in particular that has all the other services connected to it, that attacker's got access to the, the whole thing, everything, it's an open book. Um, and the way we, the way we protect people from this, um, you know, and again, this, to those who haven't talked through this before, it may sound kinda like a counter argument, but there's actually no way to stop it.

Once, uh, an authorization token has been stolen, there's no way to prevent that, that hacker from accessing that, uh, environment. So the compromise occurs. What's key is how fast can you observe it, and the way you observe it is back to our original thesis, which is account behavior analysis.

What's going on with this account that doesn't look normal, you know, where it's being connected to from what are they doing with data, um, you know, what are they doing with mailboxes rules in mailboxes forwarding, exfiltrating, a whole bunch of files at once. All this stuff adds up into very, very consistent patterns. And our, our software has been trained to, to spot that and stop and alert and then shut down the account within minutes of that compromise occurring.

And that's, that's really the big thing. This is just like having a heart attack, right? It's that first, it's that first 30 minutes after someone's having a heart attack that you have an opportunity to save them or stroke. If you can shut down the, the problem very, very quickly, you can prevent the data exfiltration all the extra damage and everything else. That's awesome. That was a really great explanation, by the way. Um, thank you so much.

Um, so you mentioned phishing, phishing as a service exploded in 2024. So how is it that MSPs, um, should shift their focus or, you know, what kind of defenses that they should be, um, putting in place in light of phishing campaigns and now that they're being outsourced at scale? Well, um, the, the number one is user training. I mean, I think all of us as security professionals know that in the end, the biggest vulnerability in a system is between the seat and the keyboard.

Um, so we, we have to figure out how to raise awareness. Um, there's lots of great, um, you know, anti phishing simulation software out there. I certainly recommend that everyone add that to their stack for their customers. Um, that's one of those things that personally I think it's so important to do that, that you gotta find a way to stick it into your, your bundle, uh, of services to a customer.

Even if you can't mark it out and charge for it right away, you, you really have to force it down, you know, people's necks. It's, it's so important Yeah. In the contract. Yeah, I mean, we just required it. Like, it's so important that we don't wanna mess with that. Like, train your users. It's in your contract, it's required. Oh, go ahead.

Yeah, no, I was gonna say, Keith, I'm, I'm glad you brought that up because this is something, you know, I've talked to, and Chris certainly chime in here, you know, when talking to Eric till who, you know, gets involved, you know, between, you know, he, and you know, whether it's a Spencer who we can, we can mention, you know, that which is a, I'll write a boom at attorney, but what, what you even see, Keith and Chris please, uh, chime in here.

You'll even see, um, when their cyber, you know, the attorneys on, on the, you know, end customer get involved. It's one of the things, if there is, if it is phishing that was, you know, patient zero, it's one of the things they go right into the MSP about. Like, show us, show us your documentation about your phishing education, your phishing simulations.

How often was it your policies that you worked on with your, like, Chris, correct me if I'm wrong, man, they go right at the Well, they can de Yeah, it can definitely help you. Right? So they do go after that. What policies are in place, what training, and obviously, like I say all the time, you gotta have an audit trail behind that.

So you can say you have it, but if you don't have that audit trail, so you're right, exactly where the MSP needs to come in is, number one, is make sure that they have that, that audit trail, so if their client does ever need it, they can produce it pretty quickly and that it's rock solid. The other thing I'd say on this training thing is it's super important, but what I have noticed is that, uh, we get a little complacent as service providers in, in what we're providing.

And so you gotta remember that you need to have something that appeals, that these people are actually gonna pay attention to and learn from. And if the content is somewhat stagnant year after year after year, you're, you're, you're not doing a good job of what they're expecting you to is to provide content and training materials that actually, number one, is timely and relevant. But number two, that they actually go, okay, I get, you know, this is, this is what makes sense to me.

Yeah, Chris, so spot on. You know, I I, I just had a conversation last Thursday with a, a, a, a local charity that I sit on the board and obviously mostly for the technology stuff, and they brought up, um, no before specifically, um, that their MSP is trying to sell them. And I said, absolutely. You know, there's no question you guys have to find some tool.

It doesn't matter to me what it is, there's many good ones out there, but ask them about who is going to actually create the simulations, what the timing looks like. Is it you guys inside in the internal IT staff who have some, you know, knowledge and context for what is actually gonna get by people and fool 'em? Is it, you know, the MSP themselves? Like that is the most important piece of this is who creates the content. Otherwise it's just not a powerful enough tool on its own. Exactly. Yeah.

Chip, chip, can I just throw this in there and I, any, any and all please respond. Um, so, you know, I, I take, I, I take secure awareness training, right? In one of the companies I, I work with. And, and, and what I find is, um, it's, I think it's lagging.

And, and what I mean by that is, you know, chip, we talk day, week in and week out about the attacks, whether it's the capture attacks, whether it's standing up SaaS infrastructure attacks, et cetera, and, and be because of the velocity in which threat actors pivot. Okay, you, you're, you're getting me here. Okay, I'm gonna pivot here. There's this lag effect, and that's my concern. I I'm not saying, again, it's like, of course do MFA, right? And threat actors are doing token hijacking, right?

Right. But, but my concern is the lack. Can you talk about that a little bit and what your thoughts are there? Um, I have the same concern, Andrew, but I don't really have a solution for it.

I mean, you know, Microsoft and Google in particular, if you think of them as the two biggest mail providers, they've got decent, you know, anti phishing products built into their stack, and there's third party products out there, but no one can, can keep up with the rate of change of identifying a phishing email.

So, you know, as, as soon as one campaign gets really successfully flagged, either because of the infrastructure that it's using or the kinda language that's entered it or whatever else, I mean, even AI is, is being applied to this now, something else comes along, you know, somebody changes the script, changes the, the infrastructure that they're using, the, the focus of the language in the attack and they get around it.

I mean, wouldn't it be nice, you know, and we talk about this a lot, Andrew, the you and I are like, we always, you always feel like you're saying the same things over and over again. It should be so simple to just tell an end user look. Don't click on anything, any link, any document, any anything, unless it's from someone you know, and you're expecting to get it. Like the someone you know, part now isn't even enough.

If my account gets compromised and, you know, this guy finds out that I regularly email you and Phyllis on a set of topics, he'll create a phishing campaign to get you and Phyllis, you know, on those topics and have you click on something. So it literally has to be something lands in your inbox, you know, if, if you aren't expecting it, don't know the person, don't touch it.

But we can't bring that across to, you know, to our customers, to the people who are here to help, um, in a powerful enough way. So we need to keep, you know, driving forward with the solutions they have. Um, Ben just posted, you know, doing lunch and learns with pizza in the chat. That's a great time to bring across this message. It's like, guys, I'll tell you what, no more phishing campaigns if you all can figure this out and never click on something that you aren't expecting to get. Yeah.

Yeah. I, so to add to that, I say, you know, we just, you need to slow down and verify. I think people are just, especially when it comes to emails, they're just processing emails. They're doing whatever they can to either read, discard, or file that email or take action, right? And they're just so focused on getting to that finish line, getting through those emails that they don't think about, Hey, I, some of these things I really need to slow down and verify, you know, whatever that takes.

And, and it gets harder these days. I mean, we've talked about in prior episodes, you know, used to be you could just pick up the phone and call, but now you gotta be concerned that the threat actor might have compromised the phone system at the other end. Yeah. Yeah. So yeah, and that's where that training comes back.

And I think you're right, Andrew, to the point is that there is a lag in that the training content usually is produced annually, yet the, the tweaks and the things that happen with these attacks happen daily. And so trying to get that in front of people and make it, and not disrupt their day, disrupt their productivity, you can't train 'em on this stuff every day would be cool. Um, bless you, Phyllis. I'm sure you're sneezing, but we can't hear you, but I'm gonna say bless you anyway.

But the, uh, the point is, is yeah, I mean, we gotta figure that out. I mean, you know, what we see in our BEC stuff is, you know, I can even attest, I, I have seen exactly where an MSP had SAS alerts in place and it did catch something quickly and they were able to, the MSP was able to respond and, and do those necessary actions that prevented the situation from being a lot worse.

And if you looked at what happened that MSP had so many controls in place, and that user just went through and approved, approved, I agree, approved whatever it was, and it was like five or six things that user had to do to finally have that attack happen. And it still happened. So it's kind of crazy.

So, so, so Phyllis, I know this never happens in the enterprise, but um, you know, um, just comment, um, you know, when we start to see version nine of the controls or, or in the discussions you guys are having now, obviously secured awareness trainings part of the controls, any changes we might see, or anything you guys are discussing in terms of the way in which, you know, threat actors are leveraging SaaS these days and relationships to the big Google, you know, the big email providers that chip's talking about, you know, they're so pervasive.

I mean, you know, I'll have to look into that. We're collecting our thoughts and notes now, quite honestly, but I mean, anti phishing training is already a safeguard. Excuse me. I mean, I think, um, you know, in my mind as I'm listening to the conversation, maybe we say you can't just do anti phishing training at least once a year. Like maybe there is like campaigns that you have to run monthly. I'm curious, you know, what is the recommendation of the group?

Well, I'll off, I'll offer mine just in terms of the policy that we put in place within our business is that, Which mind you, chip, give a little, I'm gonna give you a little shout out here. 'cause not all vendors have done what you've done. You went full iso, which was good for you guys. So, and, and then Full ISO and, and full o osp. Yeah, I was gonna say, and, and o osp and basically following B principles.

So again, you guys can, hats off to you guys as a vendor who put in like, immense time into your security of your core code and, and all the training around it. So please continue. Well, so our, you know, even as a relatively small company, we had a compliance officer full-time right outta the gate. Um, and his job was audit, internal audit compliance, obviously dealing with our audit vendors for the external stuff.

But one of his side jobs is every month, um, he does phish simulation in, you know, inside of our company. And it's very effective. You know, the first six months he was catching people all the time, by the time he got to nine or 12 months. Very rarely does anybody get caught up. 'cause we're all looking for it. And we, we don't publicly embarrass people, but we certainly joke about it a little bit on mm-hmm.

You know, on team calls and, uh, and discuss the experience of why, you know, if somebody, you have to have this as like an open embracing, um, policy inside your company. If you do get caught by the phishing simulation, share the experience with everyone, what about it, you know, led you to go ahead and click on those things, um, and, and acknowledge the understanding that you, you got from that. The more you share that inside the organization, the better off you are.

And I think a lot of companies, based on my observation, they treat it very privately. Somebody, you know, gets, gets picked up and it's a big secret. And they have like kind of a little counseling session between the auditor or whoever is running it, and they talk about it a little bit. It's, it's, it's not a mark of failure that you, you fell for a phishing simulation the first time, maybe the fifth time in a row if you did there.

But it's, you know, it's a mark of success when you learn from it. And I think adopting that, you know, that psychology inside of the business is, would really, really help. I really like that a lot. The discussion afterward. I think for us internally, you just get additional training. Like if you, they're like, they're like, now we're gonna train you more because you made a mistake Compared to what we do as cybersecurity professionals. When something bad happens, what do we do?

We go to and, and generate a root cause analysis. And then our internal team, we talk about it all right, how are we gonna fix this? What do we learn from it? What do we have to change in our processes to get better? I think it's the same thing that we're trying to bring across to all the other knowledge workers who aren't cyber security professionals around this specific topic. Yeah. Yeah. It's, it's great.

Phyllis, you know, we're, we're coming out with the a a new, um, phishing here, uh, to help all end users. It's, it's the morning after, uh, phishing. So, um, you know, we'll, we'll be out with that soon. Awesome. Yeah. Um, my last question for you, uh, chip is, um, now we have the average SMB using over a hundred SaaS apps. How can we gain and maintain better visibility across all these different environments? And how does an organization even start? Um, it certainly is a challenge.

You know, the one of the, I'm gonna start answering your question by identifying a weakness in a lot of SaaS apps, um, and that is, is that they don't do adequate logging of their own products to pass on to a SIM solution that somebody is running in an enterprise or a product like ours. And, you know, we're not the only people in town who collect all this data.

So this isn't a SAS alerts commercial, but, you know, trying to use a tool where you get as much of the data in as you can is, is very, very important. And the more apps that are connected, the more correlation information you can get about what's going on with that user account. So, you know, because we're in the days of, you know, of OAuth for, for most SaaS applications, right? People are encouraged to sign in with either DUO or 365 login or Google OAuth.

They use that across many different applications. And now we can follow the user behavior activity from one application to the next one device to the next one location to the next. We've caught countless, countless actual alerts events that became alerts because of the correlation between different applications used by the same account. You know, I'm andrewMorgan@cybercall.com, and I'm logged into my Salesforce in Los Angeles and I'm logged into Google Workspace in Miami, instantly suspicious.

So mm-hmm. You know, that's the, that's the approach that you have to take. And for people who are using, let's say, secondary or tertiary SaaS applications where they can't get logging, I would just encourage you to jump on those vendors and say, you guys, you gotta log everything that a user does for the moment they authenticate and get in that system, log everything that they do, and give us a way to get the information.

Webhooks API, doesn't matter what it is, give us a way to get that information and, and, and pull it out. Yeah. Even Microsoft is like, they used to provide much more logging years ago than they do today. They, you know, they, they stripped that down. And so it's, um, it's painful to know how much logging could potentially be available that they, these vendors just don't make available.

Well, I was gonna ask you that Chip, after the storm incident, Microsoft said, Hey, we're gonna open up, remember that whole thing. Are, you know, you guys are obviously deep into their APIs and their graphs or the a the graph, right? And, and pulling data are, are they any, are you getting any more since that whole incident? And, and, Um, I wouldn't say we're getting more. I would say that they've made more available, available to lower tier licensees.

Um, you know, we've always, if you're an e if you're, you know, if you're a, an E three or an E five, um, kind of customer, every, almost everything was available to you anyway. Um, they brought some of that down into the, you know, into the P one licenses or the business premium, uh, which is useful.

Um, I mean, Chris is right, you know, they're, I think everybody that does anything that security reads the Microsoft log, the log data that's coming out of Entra very useful, no question about lots of good stuff there. But to really get after the other stuff, you've gotta be capable of building individual pretty complex API queries that are pulling down, you know, many, many thousands of, um, of events per second. And then parsing through those and figuring them out.

And that it's difficult, you know, the, the, the log information that comes out is kind of sanitized for you by Microsoft. The raw data that comes out is, you know, when I log into a 365 environment, that act of logging in creates 25 different events, most of which are completely useless. The only thing that I really need to get to our customer, to the customer is, okay, you know, Andrew logged in from this place with this machine using this application at this moment in time.

Like, that's the only event that we need to create. And that stuff is challenging for a lot of organizations to work with. 'cause to boil everything down to that event, you've gotta parse through a whole lot of data to get there. It's why Chris is recommending everybody goes back to on-prem exchange. Right. Chris? Yeah, no, just, just send letters back and forth. I'm Sorry, over to you. Chris. Exit's over to Keith. Keith, welcome. And, uh, welcome.

Congrats on the semi-retirement, and, uh, you know, we'll, you can take us around, uh, you know, with, with, with the, uh, iPad and show us, uh, all the good stuff. No, I, I, no, I wish I, I wish this was mine. Uh, a fellow, uh, peer that exited around the same time Trent, um, with him here in Kansas City, and we got to race Porsches around, uh, Ozarks International Raceway yesterday. So, Nice. Enjoy. We're Covering from that.

Well, That, that's, you know, that doesn't, you know, the whole reason we had you come on, Keith, is 'cause we thought you were really bored, but it doesn't sound Yeah. Bored. Well, thanks for joining us and come out of, uh, retirement. Keith, uh, let you ask, uh, Mr. Chip some questions. Yeah. So Chip, so, um, I'm hearing like that 40% of the, uh, shares that are going outside of organization file shares, um, are outside of the MSP.

And, uh, certainly like our, our clients at DKB, were very interactive with their clients and collaborating with file shares. And, um, that's certainly a, a, a huge threat vector around that. So what do, what do you recommend on, um, that sort of file share collaboration between companies, um, to reduce the threat? Yeah, it's, it's an interesting topic. Um, and there's an interesting subtext to this that I'm going to lay a disclaimer. We still haven't figured out really why this is.

But, um, consumers of, uh, 365 versus Google Workspace share externally, you know, from their organization about twice as many files as in, in the Microsoft world. I don't really know why that is, but it's super clear in our data, like it's unambiguous.

Um, the, the, I think the number one thing that you should be doing back to the Microsoft universe, which is most of you know, of our customers, of, of small business customers that are using a, you know, an online productivity product is set expiration dates on when you share something, a file, whether it's shared through teams or, um, you know, or SharePoint or, or OneDrive, directly set an expiration date on the share.

And if you have something that you truly want the whole world to download, or even a small subset of the world that's all your customers and you want it available on, that's all the time. Put it on a SharePoint site that's specifically made for that. Mm-hmm. Don't just hang it out there and say, you know, I'm gonna put, uh, I don't know, I wanna interact with my accountants, so we're gonna put all of our, you know, monthly statements, uh, out there perpetually forever.

Like, it's just a bad idea. Um, I don't real, I'm not a fan of sharing attachments in email when it comes to corporate data for the very same reason. Now you've lost control of it. So, you know, do your best to train users to keep it inside, um, you know, kind of the walled garden of the productivity suite that you're using. And use the tools that are available both in SharePoint and OneDrive and Google Drive to restrict that as much as possible. Um, and when it's no longer needed, turn it off.

Get rid of that share. Yeah. Gotcha. Well, I can give you a little personal, so my wife is a photographer and then she shares out the digital images, and sometimes you used to have like a pretty short leash duration on that type of stuff. And then people would always come back and say, I haven't had a chance to look at 'em or whatever. So she would extend that duration.

Well, she would pop in there every once in a while and, and it would be what she's sharing, but those people would then use it as their personal file share. So here's her share that she's providing access to just for them, but now they got all sorts of documents and stuff in there that she doesn't need to be seen. She's like, what the heck are you doing? So people are really terrible with, um, um, understanding what the purpose and how to correctly use file sharing applications. Yeah.

I have some really interesting pictures of you, Chris, from your wife. Those are all, those are all AI generated. You, you gotta start copyrighting your image or something, Chris, this AI thing's a real threat to your personality. Yeah, that's, that's true. Hey, so we're, while we're talking about the file sharing, um, so Chip, talk to us a little bit about orphan file shares and link or file sharing links rather. And, um, what, what do we implement today?

What should MSPs be putting in place, um, that start eliminating those like orphaned external file shares? Yeah, we, we call 'em orphaned links and we track that very specifically, um, as part of the, you know, the file activity tracking that, that we do in SaaS alerts. And, you know, our concern is, uh, and the way we're, what we're looking for is a file that has been shared, but no one's accessed for a long time.

Um, and often from the Microsoft 365 world associated with a guest user account, which also hasn't been activated for a long time. So, you know, going back in and identifying both of those things and cleaning them up, um, you know, as, as systematically as possible, um, it's actually a much smaller job and much easier to tackle if you get either the customer or the MSP or both, um, in the practice of doing that, you know, if not week, if not monthly or weekly, you know, even daily.

But it's a personal hygiene thing, right? Like, you don't, you don't invite guests over to your house and leave a whole bunch of stuff laying all, all around you. You put pick things up, you put 'em away, you get rid of the trash. It's sort of the same thing. And it's certain, I think Microsoft themselves recommends, um, that this is a every 30 day exercise for a a, an organization that has good hygiene is running well. Certainly that to me is, is a minimum.

Um, there's no reason not to do it weekly. You know, it's something you can do in five minutes weekly. It's something that every individual can do at the, at the end of their day, you know, as they're staring there at the mailbox that they know they're never gonna clean out. You know what, I'm just gonna go make sure that I don't have any file shares out there that, that are hanging naked and, and could be accessed.

Somebody accesses a guest user account that was created specifically for the share that no one's monitoring anymore because it's a guest user account. The guest isn't using it. No one knows if it's logged into or not. Lock those things down, you know, send 'em to block sign in, remove the file shares behind them, and just keep tidying up after yourself as you go along.

It's, it's, it's a chore and it's a really bad chore if you let it pile up like a term paper, you know, the night before you start working on it. If you do a little bit, you know, every week, every day, every month, it's, it's just not that big a deal. Cool. So, so VPNs, and it's still, we're still seeing attacks around, around VPNs and evading geofencing alerts. Um, what does that look like now? What does monitoring for that look like with SaaS alerts and in 2025 for VPNs?

Yeah, it's gotten worse, honestly. You know, you have VPNs of course, which, you know, a sophisticated attacker is gonna use to obfuscate their geolocation. Um, interestingly enough, um, in the beginning phase of, of a compromise, again, mostly focused on token hijacking, but even brute force's password sprays, the, the initial attacker usually often isn't hiding behind A VPN.

We see a lot of this from consistent countries, Kenya, Brazil, you know, places that, you know, we've kind of come to recognize as like, oh, it's coming from there. Well, we know this, where this is going. Um, but when they pass those credentials or that token on to the guy who's an experienced attacker, who's gonna live off the landscape persistent, they're gonna use a VPN.

Um, and they're also, they also started, you know, especially last year, Andrew, we talked about this early last year on one of the SAS e calls, um, using the old botnet networks to, to lease a local IP address, um, specifically for very, very targeted persistence, um, and, and phishing attacks.

Um, you know, you wanna make it appear, you know, if I'm in Allentown, Pennsylvania, which is closest city to where I am, um, and I'm a hacker, I'm gonna wanna make it appear as if I'm, I'm coming from right down the street a couple blocks over, you know, really isolate using that botnet, um, IP address that I can now rent and bounce off of that and make it look like I'm super local. So it's an ongoing problem.

Um, one of the things in our data that is not surprising to me is the, you know, the, the geolocations where the unsuccessful attacks are coming from, mostly the, the password sprays and brute forces. China's at the top of the list, in fact, of the top five, they're, they're more than half of the top five just themselves. Um, but what does surprise me is on successful compromises, um, the, you know, the top five actors there don't look anything like they do on the unsuccessful side.

All of a sudden, China, Russia, uh, the Koreas, they vanish. And now you're looking at the attacks look like they're coming from, uh, Germany, Australia, Philippines, you know, places where you wouldn't normally associate and say, well, this is where the back act bad actors live. So they're obviously shifting to different environments using VPNs to upscale geolocation.

So that, so just to clarify, chip, do you think that initial, where they're like, Hey, I don't care if you know where I'm coming from, is the reconnaissance piece of it where they're just spraying and trying to figure out what's open, what's available, and we don't care if you know where we're coming from, Right? Because they're not gonna be there long. Yeah.

They just, their only role in the whole, um, economy of, you know, of the, of the data exfiltration hacking business, I suppose, uh, their only role is to just get access to an account and then you give it to somebody else, like they're a specialist. That's what they do. Think of, think of sales organizations, right? You got guys who are a hundred killers and they dial for dollars, and their thing is, you know what? You just gotta make a hundred phone calls a day.

And when you get three of those to actually win a bite, you pass it on to a guy who can actually sell. It's, it's the exact same process, just magnified, um, with tons of automation. Uh, and, and you know, people that are starting out low level in the organization and they're, it's gonna take a while to work their way up, and they're not gonna get there until they've handed over or sold or whatever. You know, they're 10,000 accounts that they've compromised.

And this is where I see geofencing people do a poor job of explaining geofencing because when we are involved in, you know, responding to attacks, people are like, but we had geofencing. And so they think it's somewhat of a silver bullet that is gonna, that is gonna protect them from people outside the US or whatever. And it's not the case. And then we see people that are like over geofencing and they're actually blocking legitimate stuff and they're complaining about that.

So I, I just think that from a risk perspective, um, you have to continue to do geofencing, but you have to explain it to your clients so they understand it well to say, Hey, this is Joe fencing, this is gonna get us part of the way there. But in no stretch, is it a silver bullet that's gonna protect you from, from everybody trying to attack you? Yeah. It's one layer, right?

And we, we've all learned over our careers as cybersecurity professionals that it's defense, defense in depth, and it's layered the way the, the image that I paint for people when I'm talking about this is somebody that just hasn't heard it before. You imagine you're somebody shooting at you and you're standing there with a bulletproof vest. How many layers of Kev already won?

You gonna, you gonna rely on one n no one, you know, you want, you want a bunch of layers there that are gonna stop and diffuse the penetration of that attack. This is the same thing. Geofencing is part of a much bigger picture of layered defense. All right, so last question, chip from me. Um, 11,500, um, alerts or, uh, breaches actually that, uh, you guys thwarted at SaaS alerts through your respond module.

Um, either you've got a huge army of minions or you, you got a little bit of automation in place. Maybe you can, uh, talk us through what that looks like, how you're doing it. We wanna know the secret sauce, man. Um, well, in terms of minions, you know, we're still under, uh, just about a 50 person company. And when we developed our respond module, that's a Lot of alerts per person to handle. It seems like maybe a little automation there. Yeah.

When we develop respond, I think we're probably at about 18 people. You know, we've, we've grown a lot since then, um, as we've added even more functionality. But virtually all of that is done through the respond module. So, and we train the module ourselves, you know, we, we, we, we train, uh, the expert system. I'm not gonna use the term ai 'cause Andrew knows that I hate it, by the way.

I, I still like, it's, when you say ai, people automatically think like, I don't know, total recall or something. Um, you know, we train the expert system the way we want it to function, but we also allow our partners, um, to build their own rules and chain together. You know, there's over 300 different event types that we track and our partners can chain those event types together and build any attack, attack chain simulation that they want that says, look for this.

That happens within this amount of time. And then that happens. And then this happens. And that happens. They can mix applications into that. They can mix IP addresses, a SN names really anything they want and build really complex rule sets. And that's what's picking up, uh, when these compromises occur. And we have some terrific partners. You know, I know Ben is, is listening in on this call. Um, in a sense, Ben is our own internal best customer.

He runs our MSA group, but he works with our, our largest, most sophisticated partners. And together, you know, they talk about what's going on, what are we seeing, what kind of, what kind, what kind of behavior sequences are we seeing that it, it that indicate a compromise has just occurred. And we model those into the software, and the software does its job, it automatically sees something and then shuts things down.

Chip, you also have, like you, I can see Corey on, you know, from solutions granted like, Oh yeah, Corey isnt there, You know, we have Corey's team is, is, yeah, probably Ben's number one collaborator. Um, they do a, you know, Zach is the guy I know that Ben and Zach probably interact multiple times a day. Uh, and they're constantly sharing information and you know, to that point, you know, this call Andrew is an example of it.

You've built a great community here, but constantly sharing more and more little nuggets, the tiniest things, having, you know, no one group of threat researchers by themselves is ever gonna catch every permutation and possibility of what's being used, um, in a post-compromised scenario.

So, you know, sometimes it's something as little as a user agent identified, you know, deep inside a connection string, and all of a sudden you realize, hold on a second, all of these user agents are coming from the same place and the same kind of, you know, data exfiltration is occurring once they show up. Wait a minute, we've got something here. And, and that kind of feedback, it's a never ending loop.

You know, you put it in the system, you train it, you see what happens when it comes out, starts grabbing things, you realize that stuff actually was compromised. Now it's there. There's Corey, Zach is my hero, right on Corey. Yeah. And it's, it's almost like it's your, it's own like little, um, threat sharing community, which is, which is such a, such a great thing, chip. Um, okay, well let's get over to the res the other response that the feet on the ground response chip.

Uh, let's get into what Chris is dealing with these days in this and, 'cause I'm sure this is picked, you know, over the years, Chris, SaaS-based attacks are, are where it's at for you as well. So, over to you, chip, Poor Chris. Oh. So I think we're gonna have you ask him the questions. If, if, if you see on there Chip, is that possible? Uh, if it is Andrew, then I did not. If people, if people didn't know, this is highly scripted. Yeah, we do about 12 rehearsals before every cyber call. Yeah.

Well, and I'm breaking the mold because that's, I can kick it off For any, yeah, why don't, why don't you run, run the questions. Yeah, that's fine. So, so Chris is, you know, someone that leads defer, you know, investigations and active breaches constantly. What, like, give us a sense of what you're seeing, you know, in SaaS based attacks, you know, over the past 12 months.

Well, yeah, I mean, um, obviously I think, you know, we haven't really talked about, it's in, and it's in the report, but we haven't talked about obviously the platforms that are attack that the MSPs run. And that's still prevalent. I mean, I'm, you know, there's a group out there that's specifically targeting tiny MSPs and they're going after their platforms, right? And so, um, those still occur.

So as the, if you wanna talk about SaaS platforms, probably MSPs use it the most and depending on the most. And I would say just like I, I've said it year after year, the platforms the MSPs use are probably the most dangerous SaaS platforms out there. They can inflict the most damage in the wrong hands pretty quickly. Uh, so I would say that, you know, for us, obviously the cloud storage platforms are twofold.

Number one is if a threat actor's able to get in there, they will wreak half it in, in, in a, in a storage platform. They will go in and they know how to permanently delete files. They know how to exfiltrate data outta there pretty easily. And you know, in some cases we do see where things sync, where the, the data gets encrypted. But the other side of it is, those cloud storage platforms are also a very handy tool for the threat actors that exfiltrate information to put on there.

So whether that's a cloud storage or a cloud backup platform or whatever the case may be, um, we see that, and a lot of times, and I'm not gonna name any names, but a lot of times when we reach out to a vendor that has a cloud storage platform that's being used for nefarious purposes to store exfiltrated data or whatever, they're usually very cooperative in shutting that down. But they're not as proactive about monitoring for that stuff as you would think that does.

And, and they, they say their reasons are privacy. And I'm, you know, that's a tough one. I think there is, uh, I think that's the Chris Do what until It, until it comes to billing, Until, until it comes to billing. That's exactly right. And so, uh, no, it's real interesting what happens with those platforms.

Now, as far as the other SaaS platforms, I think where we see, uh, a lot of things happen is with internal threats and people using those platforms to get information out, and people are not paying that much attention to what their employees are. Now, we don't see a bunch of those cases, but when we do see those cases, SaaS platforms seem to play a role in that. They're not necessarily monitoring what their people are accessing, how much data they're accessing and what they're doing with it.

So I think back to, you know, what Chip was talking about usage and specifically around account behavior monitoring. I mean, that's really, really important to kind of know what's, what's happening when and where, and especially how much data, I mean, chip talked about it very early on about data security and, and, and that is still to me as well, I talk about it. It's, it's so important.

And with SaaS platforms, it's, um, it's, it's a more, it's not, it's not more difficult, but it does take some work to monitor those platforms correctly to make sure people are using them. And they're, you know, a lot of people don't restrict time of use either in today's world, right? You're just like, well, your employees really need to be accessing at three o'clock in the morning, and you're like, well, our people work around the clock, blah, blah, blah.

I'm like, no, I mean, tell your people not to work at three o'clock in the morning. Tell them to just, you know, take and then, and then close that stuff off. So that, that's what, uh, that's kind of my commentary on it. Chris, Just you, if you and Chip could just banter about this real quick, chip, I, what is it, the a hundred plus SMBs a hundred plus SaaS applications on average right now, wasn't that the stat, give or take?

Um, so, so, so Chris, like, let's just start with, you know, you know, some of the forensic gaps you see when it comes to, you know, SaaS applications, but specifically, you know, M 365 or Google Chip alluded to this a little bit, but just in general, have you walked into places people go, like, really we're running that? Like, I mean, starting there with inventory, you know, it's something that Phyllis and I, we've talked about ad nauseum, right?

With the controls, but with SaaS, it's, it's the wild West. Oh, it is the wild West. I mean, we've seen people run 3, 4, 5 different SaaS based project management platforms, right? And there's all sorts of attachments and stuff that get uploaded into there. And just like Chip was talking about, there's no purging process there, just stuff that's out there, you know, forever. Uh, they're not, you know, doing with that.

I mean, I would say like with, um, you know, like from our BEC team, the majority of the tax we look at are 365. But the ones that are G Suite, our team will still tell you the G Suite information is much cleaner and easier to process for us from an investigative perspective than the 365 is. There's much more stuff we have to kind of filter through and, you know, do all that kind of stuff. And I, and I see Chip nodding his head on that one.

Uh, but, but people just don't understand like when they, they adopt a SaaS platform, whether it's in kind of a shadow IT fashion or more of a formalized fashion, no one's asking those questions about, Hey, what logging is available? How can I get a copy of that logging? Is that logging something I can get real time? Or is it something that you're gonna provide me once, twice or whatever amount they, what details in there? Is there a way I can kind of pre-filter?

I mean, I want the security events. I could care less about other types of events. No, you know, hardly anyone's, especially in the SMB space, is asking those questions.

And, and the other thing is, is like, you know, like to chip's, other point about correlation, like, okay, it's one thing to gather that logs, but are you doing any, are you doing the work that you need to do as a provider to correlate those events with other applications to understand, like Chip gave the example in two different geographies.

If you're just getting events from this app and events from this app and you're not correlating the two, you're, you're, you're not doing yourself or your client a service, you know, you're doing disservice. So, you know, there's a lot of work in, in, into dealing with these SaaS based apps and explaining to your clients what the risks are by adopt what the risks are if they adopt them without thinking about security thoroughly.

Yeah, and, and I mean, I'd add on this Andrew, you know, this is one of the, one of the ongoing forever conundrums in cybersecurity is the, the tug of war between availability and productivity, um, and security, right? We're always going back and forth between this. If you left it to the pure business side of the house, I'm gonna throw those guys under the bus for a minute. 'cause it's always fun on a cyber call.

You know, they'd be like, well we just wanna have everybody have access to everything whenever they need it and share it all over the world because that's how we grow our business. Well and you know, that psychology intersects with the freemium model in how SaaS applications are sold. Hey, I just wanna get Phyllis a project manager to jump in here and use my new SaaS, you know, charting tool and I'm gonna give her a free account because I'm gonna hope to God that Phyllis is gonna love this.

She's gonna tell the 10 people in, you know, in her group about it and they're gonna run off and try and buy an enterprise license. Like, that's why you have this massive pro proliferation because it's very easy to sell SaaS products in a freemium mode. Get one person in an organization hooked, transition them maybe to a very inexpensive subscription and then have your, your team following up on the sales side to try and move that to an enterprise product. Like it's a successful model.

So people use it and it's, you know, when you don't have to ship software, burn it on the CDs and, and spread it around, it's really easy to do. And then you wind up with this proliferation problem. Now there are lots of tools available to every MSP, ours included, that would help you inventory what your customers are doing. And just doing that like as an eye-opener for most small businesses.

'cause you can almost be guaranteed the guy that's running, you know, a hundred person small manufacturing company has no idea that they're using, you know, 30, 40, 50 different SaaS apps across that organization and just telling them about it and what the risks are. You know, why do you really need this? You have software that you pay for to do this thing. You know, how about we we discover why it's needed and get it out of the organization if it's not necessary. Yeah.

Other, yeah, it should be important to the MS P because guess what? If you don't find it and then something happens, uh, you take the blame as the MS. P, right? Yeah. You should have been on top of it. You're Supposed to know it all. 'cause you told your client you would know it all. That's exactly, exactly.

The other thing I would mention on the SaaS based stuff and, and um, we've mentioned it before, is that when we're dealing with instant response and we're dealing with these third parties, a lot of times people don't understand the relationship and they haven't paid attention to the contract language.

So if they're in a, if we're in a position we have to investigate, we have to say, okay, now we need to see, let's just say it's a ransomware attack and we need to rule in or rule out that someone did gain access to a SaaS based application. 99.9% of the time we have to go through the vendor and guess what the vendor will do?

Once, once you tell 'em the reason why you're asking those questions, they will cut you off and then they will want you to provide some kind of evidence that you're secure before they re-enable your access. So people don't understand that dynamic either. Which, Which, uh, let me get to this Chris before the end here is like, what about, you know, evidence, you know, preservation, you know, when you have, like, you're trying to do your job right?

You know, and figuring out what's going on, you know, from a and, and, and, and from a evidence right. Preservation perspective. And then you have, like you said, the SaaS provider finds out there's a compromise and why Chris Laer is calling them and hey, we're, we're shutting down access and how can you walk us through this conundrum of how challenging this can be and you know, how you get how you manage this process. Yeah. A a lot of times it's just through conversations, right?

I mean the, the hardest, the the hardest part is getting the third party on the phone, phone call. If you can get 'em on a phone call and start talking through it with them, you're, you're gonna have more, more, uh, higher probability of success.

A lot of times these guys have some letter or some form they want you to fill out, and quite frankly, there's a lot of information that we nor breach counsel or no one else feels comfortable about putting on paper and giving it to a third party that's not privileged. So that's that issue.

Uh, but yeah, it is, it is kind of interesting to try to figure out that a lot of these SaaS-based companies, and the smaller they are, the more prominent this is where they don't really have a process to provide you the data from a forensics perspective. So you have to kind of go through and exercise to learn what they have, what they have available, how they're gonna get it to you in a secure fashion.

Uh, you know, and again, you don't know, a lot of times you don't know what they log until you're in this thing, you have to start asking questions and hopefully they do have the, the amount of information going back as far as you need it to, the detail that you need it to kind help you with these situations. But it's, none of them are easy at this point. There's not just some simple process that you can go through where they just provide that to you.

I think, I think it just toot somebody's horn real quick. I think being in, in, in cases in the past where people have had like screen connect compromises and that type of thing of their own doing, meaning they did a bad job of securing their screen connect, like ConnectWise does have a process, but you have to know that process and most people don't know that process until you have to go through it. Okay. Chip, you wanna say something? Close this? Yeah, one more comment on this.

Um, I think this is gonna get a lot worse the, in terms of SaaS proliferation and, you know, I do a, you know, Andrew, I do a ton of research and reading specifically around machine learning and AI and what's going on with it. So literally every day in my mailbox or in my Twitter feed, I see, you know, a message from somebody that's telling me that they just vibe, vibe coded this brand new SaaS app that is gonna do X, y, and Z for them.

And they're already earning $40,000 a month in a RRR and they can teach you how to do it too. Well, you know, we know a lot of that is a scam just to get you to do, you know, jump in and join whatever they're building, but it's actually being done. Like people are building SaaS applications and deploying them, um, that are not developers.

They're just smart business people who know there's a problem to solve and they realize, oh my God, I can just keep, I can spend, you know, five hours in a day prompting and reprompt with one of the large language models and it will build and deploy and deploy an app for me. Google just released Firebase studio to do this. Anybody that's on this call that's never written a single line of code can go and use Firebase studio in Gemini and build and deploy an app.

So if we think it's bad now with the number of SaaS apps that people are gonna have access to in all the hooks and marketing to get 'em, it's gonna get a lot worse. Yeah. There's gonna be a lot of people out there wanting to raise Porsches. They're gonna, They're gonna use those LMS to do it. Good honor, Keith, thanks for, thanks for filling in. Send my best to, to, to Trent and, um, really appreciate you, you, you coming in on your, uh, on your trip there, chip.

Real pleasure going through this. Uh, again, um, I in chat is the link or just, you know, Google the SASS e report. It's really well done and lots of data. Chris, thanks for jumping on Phyllis. Always wonderful. Have a great week everybody. We'll talk to you soon. Thanks Andrew. Thanks everyone. Thank you Andrew. Thanks. Bye.

Related Videos