Right of Boom
January 30, 2025

May 10th, 2021 – CIS unveils version 8.0 – what it means for MSPs

In this video, industry experts dive into the evolving landscape of cybersecurity, focusing on the upcoming release of CIS Controls version 8. They explore the implications of recent cyberattacks, specifically the Colonial Pipeline incident, and discuss the critical role of managed service providers (MSPs) in safeguarding against these threats. The conversation also highlights the importance of adapting to new technologies and the need for robust recovery plans in the cybersecurity framework.

Key points:

- The webinar discusses the state of the MSP industry and the potential for exponential growth in SMB technology over the next five to seven years.
- Phyllis Lee from CIS talks about the upcoming release of Controls version 8, focusing on the need for updated cybersecurity measures in light of recent cyber attacks, such as the Colonial Pipeline incident.
- The importance of service provider management and understanding the supply chain in cybersecurity is emphasized, particularly with updated controls that address service providers directly.

Guests

Andrew Morgan

Video Transcript

Should try turning it off and back on, right? We are live. We can keep going with our internal conversation, but we're live now, guys. Okay, now. Welcome, everybody. Week 49 here on the Cyber Call. Joined with my co-hosts, Gary Pico, Wes Spencer, and Ryan Weeks. Gary, congratulations are in order for you, my friend; that's fantastic, great news. Anything you'd like to say briefly? You don't have to, but I'm putting you on the spot.

No, I just want to say, we're doing a webinar for our customers tomorrow, but I'm going to be doing some industry content in the next month. Not just talking about the TruMethods acquisition, but I want to put it in the context of what's really happening right now in our industry and what this tells us, what's likely to happen, not just in the channel but to MSPs, over the next five to seven years. So there's a lot we can learn about the future.

Obviously I stay close to things, so it should be awesome. Yeah. Gary, I was intrigued by what you told me offline. You think it's early innings still, in terms of where this industry's headed? Yeah. So, put security aside for a second, because that will ride along with it, but in terms of SMB technology, we are in the first inning.

The number of SMBs and the amount of technology that they're going to have are both going up exponentially. That's all the numbers moving forward. So, to meet that demand, both the channel and MSPs are going to have to change, and not everyone's going to like all the change.

What I will say, I'll give you the punchline: if you don't rail against the things that have changed or that you can't control, and you spend the time looking for the opportunity, I believe there has never been a bigger opportunity for providers who understand it and can unlock it. Excellent. Yeah. Well, fantastic. Well, joining us this week, and back again, Phyllis Lee. Phyllis, not everybody knows you, so thank you for coming on again.

And could you give everybody just a quick intro of yourself? Yeah, sure. Doesn't have to be cool. My name is Phyllis Lee. I'm the senior director of the CIS Controls at CIS, a small but mighty nonprofit. Prior to working at CIS, I spent around 25 years at the National Security Agency doing vulnerability testing. I spent the bulk of my time on the defensive mission there. Very cool. Well, that kind of dovetails into what I wanted to start off with.

The main theme of today is going to be around the upcoming release of Controls version 8, and I'm excited to talk to you about that with Wes, Gary, and Ryan. But over the weekend, I'm sure most people tuning in heard about the Colonial Pipeline attack, which is the largest oil and gas pipeline in our country, up and down the East Coast. And, Phyllis, you do a lot, being the home of several ISACs and having deep relationships with CISA.

And so I just kind of wanted to get your perspective on this, because, in essence, I think it was originally called, if you were telling me, NPPD, which was a division of DHS around cybersecurity, then it got turned into CISA, but that was formed to protect our, what is it, the 13 critical structures? Yeah. That is DHS's authority. Yep. Right. And so this is no small thing. Yeah. How's that going so far?

So with this one being attacked, and interestingly, maybe it doesn't seem to be getting a lot of "wow, this could be a big deal," and in doing some research on it, they're saying it's because we still don't know, and we don't know what that is. And because you mentioned vulnerabilities, we don't know: is this a vulnerability and an attack on their SCADA systems?

And maybe, Ryan, when you chat here with Phyllis a little, for those that don't know SCADA, you could just touch on that. But I'm going to put a poll up, and it has to do with IoT, and I'm just really intrigued by what you were doing out there as an MSP around things that are IoT related. So with that, Phyllis, your thoughts on this so far?

Right, so I think that what was interesting to me is that I read an article that said, oh, the operational network was not hit. You know what I mean? There are no real clear details, but I think what we've been saying for a while now is that IT and OT are merging. It used to be in the past that there was this physical separation between your SCADA system, your ICS system, and then the big bad internet, right?

And so what you saw here was the IT portion was attacked, and then they shut it down so that the ransomware couldn't spread throughout the network. And so I think what that says is no one is immune from cyber attacks, right? We used to think that this physical separation made us immune, or we had these hard-outside, soft-inside networks, crunchy outside, soft inside, et cetera. I know when I was in the National Security Agency: oh, we're separate.

We're classified, but that's not true. People want to manage networks remotely; they want to be connected, because it is easier. And so I think what that shows is more and more we are interconnected, and more and more we have to defend ourselves against these cyber attacks and cyber threats. Excellent. Yeah, I appreciate you sharing that. Ryan.

I posed kind of a question there for you, but for those out there, maybe could you just touch briefly on the SCADA side of things and what that means for those out there that may not know? Yeah, so SCADA systems are basically the operational systems for critical infrastructure. So you could think of the networks that pressure valves and temperature sensors and things like that tend to live on.

And so when we talk about SCADA, it really becomes interchangeable with critical infrastructure. And there are entire graduate courses on protection of SCADA systems. And really it's just around building proper security into those systems. And they tend to also be called out by name because they tend to be pretty poorly secured, right? They tend to be extremely old, not really updated.

They tend to use a lot of wireless technology that's not really advanced, so they're pretty easy to target and to attack. So that's kind of a crash course in SCADA systems. Thanks for that, Ryan. Well, I don't know if you saw it, I was asking about some threat modeling, but... Yeah, yeah. So go ahead.

Yeah, so I think the crux of this question is, obviously CIS has a horse in the race: we're defining controls that we want people to take because they'll, in theory, prevent the bad things from happening, right? And so when you see something like the Colonial Pipeline breach, to what extent do you analyze those breaches, look at the MITRE ATT&CK techniques, and say, how well does CIS protect against those things?

And where should we augment those? Like, how does that work in the back-office CIS world? Yeah, sure. So that's a good question. We are always looking at the different threats and threat vectors and saying, how is it that we should be updating our guidance to include the controls and the supporting safeguards? So, starting last year, we really started to back our choices with data.

So we have something called the Community Defense Model, where we looked at the top five attack types as reported by the Verizon Data Breach Report, as well as other sources of data like the MS-ISAC, right? And what we saw was, well, what we wanted to make sure was that all the safeguards that comprise the controls, at the time Controls version 7...

So 20 controls, supported by 171 safeguards; that every one of those safeguards that we recommend actually defends against something, they defend against an actual attack technique that is prevalent in those top five attack types, or they can detect, or they're foundational. So we took those top five attacks, we created those attack patterns using MITRE ATT&CK, and then we looked to make sure that we were mitigating against those attacks.

I would say for Controls version 8, we updated that to make sure that all our choices in Controls version 8 actually defend against the top attacks. Additionally, organizations can't implement all the controls at once, right?

So again, we looked at the priority, the implementation groups, which is the new prioritization scheme that we put in the Controls starting in 2019, to say, does implementation group 1, do those 43 safeguards actually defend against the top five attacks? And we were able to say, yeah, if you implement these 43 safeguards, you can defend against these top attacks. So we always want to try to update the Controls to make sure that they're defending.

Phyllis, do you have an idea of what those top five, like, ballpark, what percentage of attacks that MSPs and their customers would deal with that would help with? I do not have those percentages; however, I will say that if you look at something like ransomware... Oh, I can't hear you. You can't hear us. I can't hear Gary. Gary, were you talking? No, not anymore. No, I wasn't, so I just asked the question. All right.

So I would say that if you look at the threat reporting, what you'll see is something like ransomware does not discriminate. So ransomware across the board was one of the highest attacks last year, regardless of your vertical and regardless of the size of your organization. So we do kind of have statistics like that, but not in particular with respect to MSPs. So, Gary, you mentioned... and maybe I should bring Chris up.

Chris, you were making some comments there. Do you want to... I'm putting you on the spot here, Chris, but just your thoughts on the Colonial piece. Oh, we can't hear you. Shoot, Chris, we don't have your mic. Try one real quick. All right. He's got a new location. He's in a SCIF. Well, we'll see if Chris can figure it out. This happens sometimes if he doesn't reboot.

All right, so in the interest of time, Phyllis, I'm going to move on to Controls version 8, which is coming out on the 18th. A lot happened in 2020, just this small thing called COVID, and we had a wholesale shift to the cloud and work from home. And I'm wondering to what degree that played into the changes in Controls version 8. And so with that, Gary, I'm going to let you take over with Phyllis, and Chris, if you get your mic working, let us know.

And, yeah, we got him. So before I ask Phyllis questions, let's get an update from Chris. Yeah, so we, with these DarkSide guys, and they're straightforward... Mike, it sounds like you're in a NASA space shuttle, to be honest. All right, so we'll pause you, Chris. Reboot or something and come back. But, Gary, go ahead with Phyllis. Let him switch up his mic. Listen, Chris is so secure that not even his voice can get out.

So, Phyllis, the first thing I want to say: can you maybe take us through the process of changing the framework from version to version? Where do you get the input, and how do you establish even how to do that? Yeah, sure. So we do look at the evolving threat. We always are trying to make sure that we are keeping them up to date, to make sure that the Controls can actually defend against attacks.

And we also look at how tech is evolving, as well as get feedback from organizations. So, even prior to COVID, we had gotten feedback that, hey, many organizations are moving to cloud, many organizations are working from home, many organizations are leveraging mobile devices. So really it's time to integrate these into the main Controls document. And so we created the community.

When we create a community, we make sure that we have representatives from all walks of life, all the different verticals, small organizations, large organizations, et cetera. It just so happened that during the creation of the Controls we had a pandemic, and it became even more relevant.

It was really thinking about how people are doing work today and the fact that we did see that wholesale move to cloud, and what was it that organizations needed to do to make sure that they could manage their data appropriately. So, were the takeaways from SMBs different than what you get from mid-market enterprise? For the most part, a lot of it is different. Small-mediums typically don't have a cyber staff.

They don't have an IT staff; they don't have a ton of resources. They do rely on MSPs. So, yeah. And so they really are leveraging MSPs, right? So the small-mediums are outsourcing their IT because it's cheaper. Additionally, they really have no idea how to manage, and, you know, where do we start?

So the feedback that we got from small-mediums is that, number one, we love the implementation groups, because we know where to start, with implementation group 1. Yeah. Number two, we're not managing our own data many times; we are going to MSPs, can you help us there? And we also got some practical feedback like, hey, you recommended that we have a separate workstation to administer our network. We can't afford that.

Why are you asking us to do that, and towards what end? Can we just do it virtually? And so, in some sense, you might be able to say we rolled back the security in the Controls by saying, yeah, you know what, you're right, everyone is moving towards cloud, things are virtually separated, so let's allow virtually separated administration of networks.

And so we got that feedback from the small-mediums, and we take it to heart and we update the Controls accordingly. Yeah. So the next question I had was, look, what we're going to see in the next five to seven years is probably almost every SMB with fewer than 250 employees is going to outsource some or all of their IT to the people that are on this call today. So with that, is there a way for you to gauge how the adoption of CIS is going for MSPs?

Because obviously that's really important. So do you have an idea of that, of the increased adoption? Yeah, so places like here, Cyber Nation, as well as other forums I work with, we do get feedback from other MSPs. We do see MSPs adopting the Controls more and more, which actually is very exciting for us. And what we are also seeing is some requests for MSP-specific guidance. So I think that's exciting.

Honestly, some of the bigger cloud service providers are also coming to us. So that's also very interesting to see as well. And for a couple of reasons. Number one, everyone likes the implementation groups; we like the implementation groups, they like the implementation groups. What we're also seeing is state legislation around the CIS Controls. Yeah.

So Nevada has legislation around adopting the Controls for state agencies, and they put out policy on implementing those via implementation groups. The state of Ohio and the state of Connecticut, as well as a couple of others, have some safe harbor laws around using the CIS Controls. And there are lots of voluntary programs or incentivized programs for implementing the Controls that aren't necessarily legislation but will provide training, et cetera.

And for these states, they know that a lot of their state agencies, especially the smaller ones, are going to use MSPs. And so there is a push to get that training in there. Additionally, what we're seeing is organizations, MSSPs, saying, oh, I have to show CMMC compliance for some of my customers, and they're using our mappings. We map to HIPAA, we map to PCI, the NIST CSF, but of late we've heard a lot about CMMC. Yeah.

So we talk a lot about, like it's our job to, about how much further, as an industry, MSPs have to go to protect themselves and their customers, but also we can talk about how far they've come over this past year, right? All of us have seen that.

And so I just wanted to make the comment: it's really good, coming into all these changes, that there are organizations like CIS. Can you imagine if we were going through this without a CIS or a NIST, without those things already established, during this time where we see this proliferation? It would've been a whole different story. So I always tend to look at what we need to do and what's not right; that's my personality.

But also a lot of great things have been done by the industry, and hopefully it's all going to pay off. So with that, I'm going to go to Wes. Well, thank you, Gary. Appreciate it. Man, what a fun time we've all had with the Colonial Pipeline thing. Hopefully we'll have some time at the end to get some thoughts later on this one too. It is very interesting.

So, one thing, Phyllis, I think that's so great about Cyber Nation is we do have a collective voice here. And we want to serve as that voice. And I can't tell you how much we appreciate the fact that you've joined us numerous times and given your time as part of CIS to come on and hear from us and collaborate together; that really does mean a lot for the community. And I have a series of questions for you that I'm thinking about.

So first of all, talk to us more. I think most of us that are familiar with CIS know the new 8.0 that's been released now includes service providers in the mix of things, right? So talk to us about what that looks like. Maybe what impacts we as MSPs on this channel together need to be thinking about? Just kind of walk us through some of those changes, how it impacts us. Yeah, sure. So the editorial panel felt very strongly, and this was more of a last-minute add-on.

And a lot of it was due to the pandemic, that we really needed a control on service provider management. And really it's very process oriented. Have a process to evaluate your service providers, right? Follow the data. You have sensitive data; many times it's in the cloud. And you are responsible.

You, the organization, are responsible for knowing where your data is and knowing, with your service provider, who's responsible for what. There's always confusion on the governance issue: oh, I thought my service provider was supposed to be providing this security.

And so it really is about following that data, looking at these contracts to make sure you're getting what you're getting, and looking to see whether they can verify or validate some of these controls that are regulatory, not necessarily CIS, but like CMMC, HIPAA, PCI, as well as making sure you're designating folks to interact with your service provider. And also looking at the contract every year, making sure it's being updated, et cetera.

And so, across the board, many of the large organizations already do this; they're classifying their data and service providers, and they're saying this one is more high-risk than this one, et cetera. But the smaller, and even the medium ones, were not. And so they thought it was really great to have this guidance. So, this is cool, right?

This impacts everybody on the call in the sense of, okay, so now MSPs specifically, or really all service providers, I should say, are now called out inside of CIS. And so give me some feedback from the audience, from you guys here today. Give me a yes or a no: have you walked through, and do you use the CIS Critical Controls in anything that you do in your MSP today? Give me a yes or a no. Yes, I use it. No, I don't.

And the reason I want that yes or no is because here in a minute I'm going to ask a follow-up question that I think is really important to all of this, which is, you are now included in this, whether you like it or not. So it's time for you to think about your third party into your clients, their fourth party, which is your partners. Like, I'm with ConnectWise; what kind of data does ConnectWise have? What does my data security look like?

Who are the vendors that ConnectWise uses to make things happen? Because when we talk about these supply chain attacks and we talk about risks inside the supply chain, we have to have these answers. And Phyllis, I have to think that part of what you're trying to do with the new version 8.0 is call out that entire supply chain, so that organizations from the client all the way to the managed provider, and those that the managed provider uses, are all baked into this whole process.

So we have better visibility of what's going on. Am I right? Yeah, absolutely. I mean, with the ransomware and the SolarWinds and these zero-days, there really is this push: know what your network looks like, know where the data's coming from. And what we're seeing is people really don't have those basic cyber hygiene processes in place, right? And so the group felt strongly, we need to call this out.

Organizations, even if you're a small-medium, you need to do this. Yeah, it's that critical, because, I like to pick on the DoD: it wasn't the Boeing network that the Chinese infiltrated in order to get the plans for the Joint Strike Fighter; Boeing has their own SOC, and that network was good in that instance. They got it from a small third party, right?

It was someone making a widget that needed the plans, had the plans, and then all of a sudden they're taken by a foreign nation. So what are we going to do? Right? And so all these things that happen really bring to light that we need to look at where that data is; we need to follow it and we need to protect it. Absolutely agree with that. And by the way, Phyllis just gave everyone here a sales tactic, right?

Like when you're working with a client of yours and it's, look, I'm not a threat, I'm a small company, they're going after the big boys. No, they're not. They're really not. I mean, to some degree they are, but they're going to go after what's easy. And if it's far easier to go after you as a member of that supply chain, and you have value inside of it, versus going after Boeing themselves, they're going to choose the weak target. I mean, this is the way warfare's always been.

It's going to continue to be that way. So, Phyllis, that's really well spoken. And from a threat intelligence side, maybe another question I have for you is, you guys have worked with the Multi-State ISAC. For those of you that are not on the call, think of the Multi-State ISAC as a nonprofit threat sharing group that's specifically for state agencies, and a great sharing group outside of that as well, but very heavily inside of all that. And then also CISA, right?

Both of those have highlighted MSPs in particular in the past probably couple of years, from all these buffalo jump ransomware attacks that have happened. Can you talk to us more about how that factored into version 8, or if it did at all, and maybe how you guys might work with MS-ISAC and others? Yeah, it absolutely did. I think the fact that we added that control on service providers is a nod to the fact that we are leaning on them heavily.

The small-medium businesses are the backbone of this nation. And as you all know, the bulk of them are using MSPs, right? And, not to be mean, like CISA has pointed out, they're kind of the weakest link. It's interesting; someone in this industry is going to have to explain it to me that there's a distinction between an MSP and an MSSP. The implication is MSPs are missing an S. I always find that fascinating. Yep.

Like, why don't you go to the MSSP? I'm totally off topic, but I used to joke when I worked... yeah, we don't want the additional responsibility. These products, if you didn't have "high assurance" or "secure" in your product name, you're out; every single product that's sold to the government is either high assurance or secure. It's always in the title. So I just found it funny that with MSP there's this distinction between the two.

So, Phyllis, as soon as we add an S, people are going to expect that we're securing everything. Yes, indeed. And most of us, our clients expect that we're doing it anyway. Yes. So you might as well pop the extra S in there. Right. That's why I asked the question in chat: how many of you guys have added that extra S to what you do? I'm just curious.

So, here's another question for you, Phyllis. I'm going to ask you for some inside details here, so you can share what you want out of this. But when it comes to version 8, I'm sure you guys had a lot of extra stuff you would've loved to have gotten in, but you didn't. So can you share with us a bit of an inside picture of where you see the Critical Security Controls going even beyond version 8?

Like, whether it's, man, we wanted to add this but we're not ready for it yet; we'd love to get some thoughts on this; we're still baking it. Can you give us some input on where the long-term direction of the Critical Security Controls is going? Yeah, sure. So I'm happy to give out a few spoilers. Cyber Nation is a good friend of ours.

So I love this quote. I was on a webinar a couple of weeks ago, and the guy on the webinar, he was actually from a power company, he was like, the end of your network is at your user's fingertips, right? And it really is this idea that there is no hard border anymore. Everyone's using cloud service providers. Everyone is working from home. So we can't have this nice cloud that we used to draw, and that's your network.

And then there's a line from there to the big, bad internet, right? And that really affected how we created this later version. It was like, there are no borders. Prior, in version 7, the Controls were organized by who managed them, right? Like, your network admins look at your border devices, and then here's a series of activities you should do to lock down those devices; here, typical end user devices.

And then you would see those same activities. And so we got rid of that. It really is just organized by activity, because, like, audit logging was all over. Now we've merged all the audit logging and things like that. Yes. So we've gone from 20 controls to 18, and that actually is with the addition of the service provider control. So we were able to streamline that. Additionally, we went from 171 safeguards to 153.

And that is, again, for that exact same reason; we were able to streamline those activities. And that is with including cloud and mobile. What I see in the future for the Controls is always evolving to keep up with technology, right? So if IoT hits that tipping point, we point to medical devices; right now we point the finger at just maybe a few industries that are using IoT, right?

And things that actually are on the network that your enterprise wants to manage, not wearables, not heart monitors, stuff like that. But once it actually becomes a part of the network, a part of your infrastructure, part of the way you do business, then we would integrate those newer technologies. So I think that for the Controls, I always see us evolving.

I always see us also listening to feedback from external organizations to say, all right, what is it that we should include? What is it that needs to drop off? Got it. That's awesome. And I have lots of other questions, but I'm going to save the rest and turn it over to Ryan. But maybe just one last quick thing, if I may: talk to us about CSAT, CSAT Pro.

Those of you that have not heard of it and don't know what it is, can you give a quick recap, and where MSPs stand and their membership capabilities for it as well? Yeah, sure. So the Controls Self-Assessment Tool is a multi-tenant tool for how organizations can self-assess against the Controls. The Pro version is on-prem.

There's a free, if you want to play around, CSAT hosted version that's in an Amazon cloud instance; by the way, over 12,000 organizations are using it at this point, which is actually a huge number. And organizations can self-assess against Controls version 7.1; it maps to other frameworks, so you can see if you're satisfying other frameworks. It allows you to see how well you're doing against your peer group, so there's an industry average in there.

And then it allows you, if you, for example, are a big organization, perhaps an MSP, and you want to monitor the health of sub-organizations, to have that federated approach. We have something called SecureSuite membership here at CIS. While we're a nonprofit, we do have to get paid; that's how we pay our employees. The SecureSuite membership right now has CSAT Pro as well as the CIS Benchmarks and tooling around that, CIS-CAT Pro.

However, we are working on a, um, controls only membership and actually, um, you know, the organization, my company wants to kind of do a cyber nation thing first, um, to see, you know, how well are people interested in it, you know, can we do it and, you know, have a controls only membership. So, um, yeah, we're on the works on that and we're excited. I mean, this has been a great partnership for us as well. Awesome. Awesome. Thank you so much, Phyllis.

Ryan, I'm gonna turn it over to you, my friend. It's interesting, you know, a lot of MSPs are nonprofits as well. Hey, now, Oh, I'm on fire today. Go ahead, Ryan. No, you're, you take, you take, you take one call off, and then you decide to come in swinging the bat. I like it. We'll get to you shortly, Chris. Thanks for coming. So in, in V8, my understanding is you're going from 20 control families or control groups to 18 control groups.

What, and you talked a little bit about reducing the number of controls version over version. What, what was the impetus for the collapsing of, of control focus areas? It really was because we were organizing by activity versus who's managing what. So like I said, you know, um, we have, um, you know, just identity and access management versus before it was like administrative controls and then your regular user controls.

And, you know, we just kind of merged those to say the research shows everyone should be using MFA, right? Phishing is the number one way in which organizations, um, are kind of getting hit by ransomware. What's the number one mitigation is MFA, regardless of who you are, right? So we organized by activities, and so that allowed us to collapse, um, a lot of the controls and actually also streamline it and merge some controls, um, that were scattered throughout and repetitive.

So is it fair to say that there's simplification and, and the areas where there was kind of activity based overlap, those controls kind of dispersed into the other 18. They didn't, you didn't like completely eliminate two control families, Right? Right, right. I mean, right. Like we eliminated boundary devices. Why? Because all your devices need to kind of be managed in the same way. It's harder to say that here are these firewalls and routers right at the edge of doing network. Okay.

So you recently partnered, you being CIS, partnered with Cloud Security Alliance. Um, can you talk to us a little bit about who the Cloud Security Alliance is and why, um, you know, why they saw such an, an increase in the kind of subscription rate for them? Yeah, sure. So the Cloud Security Alliance is a non-profit that gives cloud guidance. They're very popular. They, it, it made sense for us.

You know, we like to reach out to other nonprofits, um, kind of like-minded folks that feel this sense of obligation to provide guidance to the community for free. Um, and since we're integrating cloud into the main document, it was logical for us to reach out to them. We also, um, they have a, uh, cloud controls matrix and we map our controls with their cloud controls matrix, and that'll be out for May 18th as well. So it was great that they could come and participate.

What we don't wanna do is cause confusion within the community, and Cloud Security Alliance says this, and then we, you know, CIS says something different. We wanna be aligned and say the same thing. And if there is a difference, we wanna be able to tell a story. Why is it, why is it that we are giving different guidance? Okay. And Andrew baited me here with, with, uh, my last topic. Um, he knows this is a, he knows this is a sore spot for me.

Um, so I, I really, truly, fundamentally believe in cyber resilience and cyber resilience being the, the combination of left of boom and right of boom capabilities, um, with heavy focus on response and recovery in CIS, you don't really have a concept of recovery control. In fact, you don't even have it listed as a control function. How should MSPs think about, um, you know, build, you know, adopting CIS and also building those kind of recovery kind of cyber resilience functions in parallel?

What guidance does CIS have for MSPs that are really trying to walk that full cyber resilience journey? Right? So I think you're 100% right. I mean, the controls are, are not, you know, everything to everybody, right? So we really focus on mitigating against attacks. Recovery for sure is an important part of that, but not necessarily, um, a mitigation against an attack. Um, but it's something important. And, and we do have something like a backup in there.

Um, so I would say that, um, if we were to reach a point where organizations are like CIS, can you create a document on recovery in particular with MSPs, I'm happy to convene that community. I'm happy to actually create that document with a group of MSPs. I think that's what Ryan's saying. I think Ryan's saying that right now. What I Think Ryan's saying it right now. Yeah. I mean, I'm, I'm happy to do that. That's our core competency. And, um, that would be exciting for me.

I honestly, you know, I will say we've gotten that kind of feedback before, just as a side note for, um, the application software security control, which really is around creating your own homegrown software and how it is that you can secure that and do it securely. We got a lot of feedback was like, okay, you gave us high level eight high level things to do. Yeah. Who left us hanging, right?

So we actually partnered with SAFECode, another nonprofit, and they created a whole paper to provide that amplifying guidance. And I think, you know, these are all valid criticisms of the controls where, you know, hey, it didn't really make it to the main document, but when I get that feedback and I say, Hmm, makes sense, we should do something, I'm happy to take action on that. And you know, Brian, maybe you could be the, or Ryan, you could be the lead editor.

Is he gonna be the lead editor for this recovery? I need another, I need another part-time job really bad. So you Do, Ryan? No, I, I mean, I, you know, unsolicited opinion here, right? I think most MSPs are still working on the foundational mitigation, identifying and protection part of the program, right? But as we've talked about several times, assuming that you're gonna be breached and having that capability right of boom is critical.

And with so many MSPs turning to CIS for that guidance, um, eventually when they walk that path far up, it's gonna end and then they're gonna be like, well, where do I go next? Right? Right. And the answer right now is NCSF, but I think it'd be great if there's a another, you know, if we could lay down a few more sections of, of Rail for that train to drive on to help get them all the way.

So I'd be, you know, I, I'll, joking aside about part-time jobs, I would love to work on something like that. Um, but I think it also needs to be MSP informed. So I think MSPs should be part of that as well. No, I'm, I'm happy to, to actually manage that community. Bill, you think, putting you, this isn't putting you on the spot, it's just a thought.

'cause you do a lot with SANS, do you think they might be willing to help collaborate on the IR side of things since they do a lot of that piece of, Yeah. Yeah. So we, you know, we actually, we do partner with SANS a lot. Um, they do teach a course on the CIS controls. Yeah. So, um, another, another example is incident response. We had like eight things. Have a plan, have POCs in that plan, make sure their POC data is up to date, right?

And everyone's like, okay, but like, how do I create a plan? What do I do? And so, um, we're like, you know, you're right. We should create incident response templates, right? And we went to SANS. SANS has some, and they're woefully outdated. Yeah. And so SANS is gonna work with us, um, and we're gonna update those incident response plans. They're gonna be freely downloadable, et cetera.

So, um, you know, I love it when people give us feedback like you just did around recovery, and we got that feedback around incident response so that we can provide, you know, what organizations need, um, and then do it in that consensus kind of, you know, way so that everyone has a say. Fantastic. Ryan, any other thoughts there? Or should I, uh, pull it back in here a little bit? No, let's pull it back in. Okay.

So a few things I, I'd love to bring Chris on, um, with that, um, Gary, let let the poll, did you, did you see this Wes, everybody? So, you know, again, we don't know whether Colonial, and it was their SCADA system, we don't know that. But surprising to you, Gary, that basically 85% of MSPs are not doing anything on the IOT side of their customers.

Yeah, I'm surprised that it wasn't a hundred percent because listen, I talk to a lot of MSPs and we, we have so much to do as a community, and there's so many core systems that this is just something that for 85% of people is still out of where they've gotten to, Andrew. So, no, I'm not surprised at all. Yeah. I'd like to hear what Wes says. Yeah. Um, well, none of this surprises me, right? If you didn't, let me, let me share this again. Um, let me pop this back in. Check out the Shodan link.

It's super safe. I promise. Uh, you can trust me on that one. Uh, this is, uh, Colonial's, um, one, one of their IPs. Uh, and it's running, I don't know if you guys saw this before. It's running IIS 7.5, right? And this is not to make fun or tease, uh, but that's an issue. And, um, when I've been around industrial control networks, which I've been around them a fair amount, I, I feel for anyone in that space because, uh, typically they're understaffed.

Typically they don't have the cybersecurity personnel that they need, um, to be able to do things they should be doing. And they're protecting people's lives. You know, you look at what happened here in Tampa and Oldsmar that happened a few months ago of that breach occurring. And it occurred because of remote tools being available that and password spray or not, but password reuse. Um, and that, that's how the whole thing happened. It didn't take some crazy zero day.

Uh, we'll find out the data and details out of this thing, um, soon enough. Um, but a hunch tells me this is not some unknown super scary zero day that happened. Um, this is probably just some, um, negligence that happened. It's just my what I guess. And, and again, I feel for anyone in those, those industries, because ICS networks are typically 30, 40 years old in some cases.

And the primary defensive mechanism that many of them have in place is, let's just cordon this whole thing off and just air gap it. And that'll keep us secure. And we know that that's just not possible in today's modern day and age. It's just not. Uh, so thi this is a huge challenge that we have in our infrastructure in the United States, which is one reason, um, this whole space is critical infrastructure, water and wastewater, electrical, um, all of these very critical industries.

And, um, they struggle with this. I I work very heavily with WaterISAC, for example. If they were on this call, they would say, you know, yeah, our members are by and large, think of as very small organizations with huge footprints, um, and significance amount, significant amounts of, um, protection they have to have in place to keep their population safe. Uh, that's a huge deal. So it's a big, big problem that, that we have. Um, lair, what do you think?

You've been around some of this as much as I have. Probably more. Yeah. So with, uh, I guess with industrial control systems comes great responsibility. I mean, you're right, Wes, one, I met a gentleman years ago that was a, did a lot of physical audits, uh, of these areas.

And one of the things that he wrote in his, um, contract was that the whatever organization that he was assessing, uh, was not allowed to terminate anybody or do anything of that nature over any of his findings, because typically they were not a result of what the employee was doing or not doing. The employee was kind of dealt a bad hand to begin with. And so to take it out and the employee was just kind of the kind of a bad way. And so I think about that.

And it also, you know, something that, uh, post talking about earlier with regards to like hospitals. And so I just know of a situation lately where a hospital was operational. They had been inhibited in their operations, but for an example was in the radiology side. They could take pictures, but they couldn't share data. And so they couldn't do comparisons. And so really the machines were working, but it really kind of hamstrung them from their abilities.

'cause there was a part of the network that was down that even though if you looked at it from a business resumption perspective, you might not have thought about that one dependency, that operational dependency. And so with this, this deal with Colonial, it's kind of the same way. Was it a situation where the pipeline could run, but the systems that they use to monitor the pipeline or staff the pipeline or do something of that nature were hindered?

You know, we just really don't know what the issue is. I mean, knowing Darkside, I mean, they're pretty straightforward. I mean, they, they do, when they say they exfiltrate, they do exfiltrate every single time is what we've seen. Uh, the numbers that have been punted out there as far as what the ransomware can vary is, is pretty key. We easily see it's mid six figures and up is what they do. Uh, and, but, you know, and, and they do a solid job. I mean, we put it that way.

I mean, they're very effective at what they do. And, and if you do have to decrypt, uh, their decryptor works. So let's just put, put that away. So, I mean, they could have chose a number of other people to get hit by. That did much a much sloppier job than Dark Side.

But this one is really kind of interesting, like I was putting in my comments earlier, is it an issue of where they just have a super flat network and if they did have a super flat network, well then they all probably should be fired. Uh, but if it's more of these things, was it just a, you know, a maybe a maintenance window and somebody enabled something they shouldn't enabled or, or something goofy like that? Who the heck knows? But, uh, I do feel sorry for whoever's in that boat.

I mean, maybe they deserve it and maybe they don't, but they're in for a, a rough road going forward. I'm sure there's gonna be congressional hearings and all sorts of people, uh, way up, uh, various dark spots of their anatomy, uh, to figure out what's going on. Yeah. Ryan, any thoughts on this whole piece? Yeah, I mean, I think it's interesting. So Dark Side's a relatively new threat actor group.

Um, probably only been around for less than a year, but they're, they seem to be, you know, extortion pros from their background. Um, and this, this kind of follows a little bit of what people are calling a trend, which I think is dangerous to call it a trend, um, of threat actor groups increasingly targeting larger enterprises for faster, larger payouts. I think that's something we saw accelerate through Covid in last year.

But the, the variance in the threat actor landscape is, is much wider and broader now than it ever has been before. And ransomware as a service has really created that with the affiliate networks. And the affiliate really gets to choose who their target market is. And so when you hear things about Dark Side and our claims about, well, we we're apolitical, we only target companies that are large that we know are gonna get large payouts from.

You read that and you're like, oh, I'm a small business, I'm safe. But yeah, you're safe from Dark Side, but you're not safe from the 30 other affiliate networks that are going after small and medium sized business.

So, um, you know, just kind of make sure, you know, you're understanding a little bit as you're reading a little bit about Dark Side and a little bit about this specific attack that this threat actor is somewhat unique in their approach and who they're targeting and why they're targeting it. They've just, they've just identified a different target market, right?

Well, we've seen them hit smaller organizations, so they might claim one thing, but they, I don't know what their criteria is for a, a smaller organization, right? So yeah, maybe they're just looking at people that they think are maybe in a, in a, in a position where they wouldn't more quickly pay.

So yeah, that's what them, and, and, and this is the group too, if I'm not mistaken, that they got a little bit of a hot water because they said that they were, uh, hosting some of their infrastructure in Iran, which ran a bunch of red flags up. And they, they've since come off of that saying that was just a miscommunication, yada, yada, yada. So, uh, I would just say these guys are to, to echo what you said, Ryan, these guys are not dumb.

And you know, that's the sad thing is, is all these affiliates and all these things, I mean, we had a, a uch case lately that was real tiny. I mean, it was like super tiny and it just didn't make any sense of why it was so small, but it was uch and, and everything else. And so, you're right, these affiliates and everything else, I mean, the idea is not to get popped, but if you do get popped, get popped by some of these guys that do a better job than the others. Yeah.

I would say also, um, I was just recently on a panel, um, with, um, people who were working in the power industry. It was for a power, um, conference. And they said like the last two hacks that they knew of, um, were through HVAC companies, right? So while, you know, it's, you know, the big pipeline, Colonial's in the news 'cause that's what affected ultimately, we don't know what was the vector inside of that network. So it could have been a smaller third company.

It may not have been, it could have been directly their network. But, um, you know, I just thought it was interesting that, that that company, so, Well, I got a little bit of a discussion with somebody the other day, that Network. I'm sorry, what? No, I'm sorry. I got a discussion with somebody the other day about, you know, is a, let's just say it was a financial institution in their vendor that does their security systems.

Was, was, uh, basically pushing really hard for a Bluetooth enabled access control system and all this side of stuff. And I'm saying like, whoa, you know, that may sound good and convenient and all that kind of good stuff, but I don't know about you guys, but, uh, I definitely want to dig that and put that through its paces before, um, securing any type of institution like that.

So, I mean, it could be a good implementation, it could be not, but so many people err on the side of convenience and all these other things, kind of wow type of, uh, buzzwords that go around with these systems that go in. So you either got the 30 to 40-year-old systems, or you got these whiz-bang systems that really haven't been thought out from a security perspective, and it just doesn't seem to be a lot in between.

So Chris, I don't know, uh, if you, I'm putting it in chat now, but over the, I think it was over the weekend, Blue Force, um, putting this one in here, was attacked by Conti, uh, the Conti group. I think you've worked with them as well, Chris, right? Mm-Hmm. Yeah, they're, um, they're related to.

And so Phyllis, you mentioned CMMC, so here's somebody in the, uh, DIB getting attacked and, um, I, I just wanted to maybe, you know, in our, got a few minutes left here, you know, we are do, so just anecdotally, so we're doing, if you guys know of Ryan Bonner, um, we, I'm gonna have Hi Ryan, um, net Ricks and, uh, Ryan, uh, heor. He's the one that did the 26.

Um, uh, things you should ask your MSP, uh, doing an upcoming webinar on, you know, what's new in CMMC there, you know, common myths around the level three and things like that. Um, but any comments and thoughts, Phyllis, are you guys getting pulled in more, um, in regards to CMMC? Are they, are they, you know, using you in conjunction with the cm, you know, 800-171 plus the additional controls? Like, just any thoughts on that?

Yes, so, um, we, uh, often get asked about CMMC, so just kind of, I'm sure everyone knows, brief overview. CMMC is the DoD's, um, interpret reinterpretation of the 171 because the 171 wasn't good enough. So now they have something with five levels of maturity, et cetera, et cetera, and they would like someone to, to visit every single person, which is like every single organization, over 300,000, every three years to validate it.

So, um, we're trying to help influence that program to say, you know, um, that really doesn't scale. Um, and, you know, um, as a matter of fact, many organizations will be going to service providers. Um, what can you do kind of a look from the outside, like maybe something like a BitSight can give you some data, maybe do something kind of crawl, walk, run, like automate against implementation group one, they're already tools that are doing this today.

Like, how is it that we can help the DoD by automating as much as possible versus doing kind of a manual look? Um, not to pick on auditors, but auditor, every, everybody has a war story, right? So, so every auditor's like, well, they wrote down on this piece of paper that this was in place, and when I went and, and looked on site, it wasn't even plugged in, you know, or some, some sort of story like that.

So, um, it's a bit of, um, kind of a cultural change to believe in automation and say, yeah, you know, we can automate on these controls. We can say, we can look at the tool and say, yep, the tool says it's done and then it's done. But I think that's, that's where we need to go.

We need to, you know, um, be able to trust the tools, trust the automation, and really, um, try to get a program that scales otherwise, um, you know, every three years a person's gonna come and visit you I mean, that's just it, it's not gonna work out. That's still Personal opinion. Not to be attributed. Gary, a standard based tool that, any thoughts on, on this and kind of as we wrap things up today? Yeah. So anything that's not implementable or sustainable is probably not secure, right?

And so, and that's gonna be the issue. You're talking about it from CMMC perspective, but you're gonna see more and more regulation, right? Come down by state eventually federally. And what we're gonna deal with is more of the same, which is, um, most people and definitely government organizations, that they're not that great with unintended consequences, right? Not their strong suit. So there's gonna be a lot of under unintended consequences.

But I want to close on this to say, you know, even starting here with what Phyllis talks about with, which is adding a service provider, um, you know, guidelines, it's what we've been saying for the past year. We are gonna get questions that we haven't gotten in the past. This is not us driving change or us driving this. This is gonna be our customers driving us. And those of us that have the right answers for those questions, this is gonna be a boondoggle.

Those of us that don't, it's gonna be a tough row to hoe and it's not gonna get easier. It's only gonna get harder. My friends. Yeah. Gary, I think the MSPs that are proactively having the conversations on here are the questions you should be asking me. And here are the questions. You Yeah. Or you're a current provider. Yep. Are absolutely. They already are.

I, me, I know if I mentioned this, but our Q1 across our peer groups was the, uh, highest prices and the highest profit margins in the 12 years we've been benchmarking. So yeah, it's, it's good business, but we're talking about every week on here. It's not just the right thing to do. It's good business. Yeah. So, Wes closing thoughts else? Um, not really. This has been a fun discussion of CIS eight. Um, I think that's been the meat of, of this.

And I do encourage everyone to jump in and see what's going on inside of it and start the process of mapping or if you're already mapping, understanding your responsibilities inside the supply chain because you're caught in the middle of it, whether you like it or not, as a managed provider, it's literally what that means by those words. Um, so you are third party, you have third party, and your third party is fourth party to your clients.

So, um, welcome to this modern age of supply chain attacks and, um, certainly be ready for it. So there you have it, Andrew. Yeah. So what, basically you're saying, Wes, if probably not too far in the distant future, if you're dealing with state local government, expect them to be, because they're working so heavily with CIS expect this coming your way. So again, get, get prepared for it. Ryan, any closing thoughts, my friend?

I'm just excited to actually see version eight and, uh, get in there and, you know, look at, look at the mapping and, you know, do some updated, uh, updated, updated content for MSPs in the journey to walk. So I'm just, thanks for the hard work that you do, Phyllis. Yeah, absolutely. You, I'm excited to you. I'm excited to see you author the response and recovery portion of the, uh, of the special document coming our way, Ryan. So Response and Recovery for MSPs coming your way soon.

Ryan Weeks editor, Phyllis Enclos. So great to have Chris today. Special thanks to Chris. Yeah, always. Thanks. What great day to be able to have, you know, be able to, uh, just reach into a bag of tricks and pull out a Chris. No problem. And, uh, and congratulations Gary. You deserve it. So thank you, man. Mm-Hmm. I appreciate it. Phyllis, closing thoughts on how do MSPs get, you know, involved with what CIS is doing?

I know you, and I'll be telling everybody more in the not too distant future, hopefully on a controls only membership. But, uh, love your closing comments, Phyllis, and again, thanks so much. Yeah, sure. So, um, you can always contact me, um, at CIS or find me on LinkedIn. Um, you can join our communities. We, we give feedback, um, to comments in our communities as well as taken requirements. And so, you know, um, I have been asked by Andrew, would you have controls for MSPs?

These different things for MSPs? And the answer is yes. Like, if I could actually get the community together and we could write something, then I, I'm happy to host it. I'm happy to do that work, um, because we do listen to the feedback. So, uh, yeah, so please get involved and, um, give us your feedback and we're happy to update our documents accordingly. Awesome. Well, with that, again, Chris, thanks a million for jumping on in the last moment here.

Wishing everybody a fantastic week and we'll see you all, uh, in week 50. Take care, everybody. Anyway, thanks.
