Right of Boom
January 30, 2025

The Cybercall: New Home is: https://www.youtube.com/@rightofboom/streams

In this video, industry experts discuss the complexities of automation and security within the realm of managed service providers (MSPs). The conversation delves into the challenges of implementing secure configurations and how automation can drive consistency and efficiency across processes. Through tabletop exercises and real-world scenarios, the speakers highlight the importance of strategic planning and collaborative efforts to enhance security measures and improve operational effectiveness.

- The importance of automation in the MSP industry is growing, with a focus on using it to enhance business processes, create standards, and improve security measures.
- There is a significant need for MSPs to focus on essential cyber hygiene practices to prevent large-scale attacks, such as those seen in auto dealerships and other industries.
- MSPs should develop comprehensive onboarding and offboarding processes using automation to ensure consistent and secure management of user access across various tools and platforms.

Guests

Andrew Morgan

Video Transcript

All right. Welcome everybody. Um, and welcome back. Thank you for, uh, gosh, hanging in there with us, Gary, it's been a whirlwind June as far as events. And, um, thank you for holding down the, for the week before. Um, and, uh, we're gonna talk today a little bit about automation and the Flow event and the M 365 breaching M 365 pre-day that Beau Bullock did. And, and we've got some goodies for everybody that'll be able to, you know, get, um, downloads, et cetera.

But before we start that, uh, in the news, I think's really important, um, I, I'd really like perspective, um, from all of you, um, that they, what I'll ask it and frame this out, if, if you all out out there heard about the, um, CDK, um, uh, card dealer auto or auto dealer supply chain attack. So this is really interesting on three different fronts. Uh, it's a SaaS based platform. I think there's something like 15,000 or so auto, um, dealerships work in this industry.

So, again, think about this from not only the perspective of if this was a tool that we use, but also Tim was noting early on, uh, in his days as an MSP, this is a platform that some of his clients actually used. And what's happening is, um, currently, uh, the threat actors, um, and Kelvin's got some up-to-date news, but prior to, um, what Kelvin just shared, what was happening, Gary, is the threat actors, because of the data, they probably exfil know who the auto dealers are.

They're posing as support, right? You got 15,000 of them. So this just happened, Hey, you know, we need Gary, we need to reset your password. Some things happened, et cetera, et cetera, and they know all about your company. So it's pretty, sounds pretty legitimate and obviously pretty concerning. So, thoughts on this and how maybe some lessons learned and what we need to be thinking about in our own, uh, due diligence here. Uh, as MSPs, Who do you wanna start with? You?

I said, oh, yeah, I said Gary. Yeah. So, yeah, I mean, I, I think this is interesting when, when I see big industries, usually in many cases it also means older technology, right? There's only I think, three companies that I know of that sell into that, you know, space. Have you ever bought a car? It's like going to the airport. They, they, they're just typing and typing and typing and typing, you know, into it. I'm like, all I did was give him my birth date. Right. You know? Right. Right.

But look, Andrew, all of this stuff, and I know, I know MSPs that support car dealership, so this is direct, right? Mm-Hmm. This is direct to us, but I also think it's just we're seeing so many different, like we're seeing these patterns large scale within a vertical, and it's definitely lessons for us to learn, for sure. Yeah. Phyllis, uh, so, you know, uh, technology, you know, the, the Verizon DBIR and the CrowdStrike report pointed out technology is the number one vertical for attacks now.

And it's, I I think it's pretty easy to see why, because of the breadth of the use of, you know, they, they, as they say, right? Software is eating the world. Everybody's using software, big supply chains, probably the biggest now. Right. And, and any perspective on when you look at this through your lens of, you know, Verizon and, and, and attacks, um, your thoughts on, on something like this?

Yeah, I mean, I definitely, you know, um, see how Verizon's putting to technology as a number one factor. And, and, you know, I always marvel at how well organized criminals are. It's always like the biggest bang for the buck. We always talk about that. Oh, where's the biggest bang for the buck? Put your cyber resources where the biggest bang for the buck is. And like, you know, cyber criminals always do the same thing, and they're so, so good at it, right?

And then always our head is reeling, like, oh my gosh, it affected a whole vertical, like the healthcare Mm-hmm. United who, who, they're still reeling Mm-Hmm. And they're still trying to recover. And this will be the same sort of thing. And then the question is, is like, you know, back to the basics. How many times do we have to say that back to the basics, essential cyber hygiene?

Um, you know, and it's like, for me, when I look at things like that, it's like, we don't need to look at fancy new attacks. We don't need to look at fancy new tools. We need to get back to the essentials, essential cyber hygiene. You all have heard me on this call, know your environment, apply secure configurations, MFA, all those things, um, to prevent, you know, phishing, you know, do that training and all those kinds of things.

So really, again, it just kind of hits home, um, you know, are we doing the essential things we need to do to prevent these kinds of large scale attacks? Yeah. And we're gonna be talking Calvin, today to you about, you know, we're gonna view tabletops, but I, I, I think we're at the point as MSPs where we really have to tabletop a, what it's like for our support team to work with you as our customer. What does a real support call look like?

What's the real, how do we authenticate a real support call? And versus what's happening here? I mean, I think it's an important story because this is what MSPs are gonna need to, to e Andrew, right? We've heard this multiple times, that same approach around support. Oh, yeah. I mean, this is MGM, right? It's Brilliant, right? This is MGM attack. This is now, it's, It's the entire part of verifying who you're speaking to isn't a part of, even, even in most MSPs that I know.

And I'm saying most MSPs, because my MSP of course does everything fantastic, and we never make a mistake, of course. But, um, the user verification process is something that is very lacking in a lot of support departments. Uh, I mean, the entire, uh, um, four, four or five years ago, smishing was the biggest thing where they just called your phone provider and changed your SIM card over to another SIM card because they could pretend to be you with just your phone number and your birthday.

That's all they needed. And that entire part of verifying who you're speaking to is just, it's not common enough in the world of support. And it needs to be more common. It needs to be a more, more, um, um, ingrained part of our process. Just like you create a ticket for everything that you work on, you verify who you're speaking to before you work on something. It needs to be that level of, uh, uh, procedure for everyone, And you can't believe anything.

I mean, Andrew, I just was having a conversation with co um, uh, with, uh, some of the dev folks, uh, over at, uh, Rewst at the event, and they were talking jokingly how they start. They were kind of like, you know, they're always joking around, but they figured out how they can sample small pieces of someone's voice, you know, and then get them to say anything in their voice. And I was thinking, that's just them having fun internally.

But like, you can get a call that says, Hey, Andrew, uh, it's the CEO, Gary, uh, listen, I didn't catch you before you left, but I need you to do this wire for me, and it's gotta get done tonight. Sorry for the short notice. Can you send it out this much money to hear in, in, in the CEO's voice? Right? Like, that's pretty scary stuff. And it's here now. Yeah, it is. I've been on, I'm, I'm on the Rewst morning calls. I know. I've heard it real time, and they're excellent at it. Um, so yeah.

Uh, it's definitely a very good point. I mean, it's almost like where we've gotten to with BEC, right? I mean, if someone says, Hey, I need you to change an account. Hopefully you have a policy in place that we don't do anything without multi-step verification, right? Phone calls, right? And a whole bunch of subset of practices in your policy that we're not changing any accounts without multiple steps involved. And I think we're gonna have to get there. Yeah. Phyllis, yeah.

I mean, I, I am curious about, you know, that kind of training for MSPs. Is that not like a, a standard thing or is, you know, the, the, you know, verifying people and stuff like that? I'm just kind of curious. Yeah, I'm gonna go to Kelvin. Kelvin.

I mean, look, I mean, you think about an onboarding project that's typically, you know, correct me if I'm wrong, that's typically not the first thing that comes to mind in an onboarding project, but probably something There's, there's so much that goes on when you're onboarding a client that, um, the support portion of onboarding is often the one that gets, gets the least amount of attention.

And because of that, it also doesn't get the amount of attention that it deserves in regards to this is how you verify, always speaking to us, or vice versa. We train our, uh, help desk engineers to always verify who they're speaking to by either using a, um, a verification functionality, like sending a message to their phone, and they have to press yes on the phone, like an app that we use for that, or that they verify it by only calling a specific number or the, these kind of things.

Or having the user call back. There's, there's a lot of steps that you can do to do this, but I've noticed that that is our help desk. And then I look at our professional services department, which is somewhat separated from our help desk and not used to the constant procedures. The, the, the, the, the, the constant repetition of this all. And they don't do it. They don't do it because they're not used to doing it constantly over and over and over.

So even internally at our MSP, um, we, we need to make sure that this is ingrained in people, their behavior. That's an awesome, when you just gave, right, there is an awesome example because it sums up everything I've learned. Like people install awesome tools and they're on, you know, 99 out of a hundred of the endpoints.

Or you have a process in place in one area, but you don't realize there's another, like, that's just probably the most common thing because we're in like five different businesses. We're in the support business, we're in the tools or centralized services business. We're in the professional services business, we're in the alignment business. You know, we're in the consulting business. Like, they're almost five different businesses, right?

And when you're a small and when you're, you know, relatively small companies, um, Kelvin, it's hard to get it right everywhere, right? It's, it's hard to get it right even in the two most important departments. And then we haven't even spoken about, um, what if our administration calls you and tells you, oh, our bank account has changed. Like, how do we make sure our clients respond to that correctly?

And of course, phishing training and, uh, security awareness, uh, training and simulations all help in that over time with customers. But we have to keep doing it right as the MSP. And, and I think that's for everyone listening right now, the most important thing you have to remember that everyone has to stick to that repeatable process. Not just your help desk, not just professional services.

If you are a solo entrepreneur, a solo operator, please start introducing it now, because the next time that you hire someone, you can explain to them why it's important. And the next time that you hire the next one, they'll explain to them why it's important. You'll create this natural culture around it. And I, and I think, Gary, there's an opportunity here to show, you know, one of the things you and I talked about, just quick tangent, right?

When we were talking at the conference about automation, not only was it, you know, going back 20 years in time from the perspective of we're on this precipice of this massive growth in MSP RMM and automation was one thing, right? As you always used to say RMM is for you, the MSP, it's not for your customer, right? Whereas automation is not only for the MSP, but this time you and I were talking about, this can be a huge boon Yeah. In terms of services.

But, but coming all the way back to this point we're making on service desk and support, I think there's probably easy ways to correlate this to the company you're working with about, Hey, this is not only the way we wanna verify support with you, that we are who we say we are, but you have support right? To your customers. Let's talk about, you know, your supply chain. So again, You have finance, like they're susceptible to the whole thing.

And if we live with this every day, and if we're having these conversations, you know, Kelvin runs a pretty good MSP and we're having these conversations like, our customers have no chance without us none. Zero. Yeah. Yeah. One other thing, and we'll get right on into the call, um, of course, um, certainly, uh, on the other side of CDK is the Federal Reserve, uh, where LockBit has attacked the Federal Reserve. Supposedly the Fed hasn't supposedly come out and said, yes, they have.

LockBit certainly says, yes we have. Um, but speculation, uh, if in in reading, uh, the through the tea leaves is, is if it did happen, it wasn't anything the Fed did wrong, they're saying it must have been a zero day, Of course. Couldn't be anything. Uh, anybody in the 870 economists and the Fed actually did Gary. Yeah, no. And if they're very busy, it takes a lot of effort to print money. So, we'll, we'll see what happens there.

I guess my only question, Gary, is if indeed, you know, there is this, um, what are they talking about, 33 terabytes of sensitive data that that LockBit is saying. They have, uh, a lot of MSPs, uh, work with banks, uh, that, you know, community banks that still have to interface with the Fed. Yeah. Um, we, we gotta monitor this one too, right? If you're an MSP working with banks. Absolutely. Yeah.

And the only good thing about this is maybe some more high level type stuff like this maybe is what it takes, like to move the needle in terms of, you know, some regulation and oversight on things. Yeah. Interesting. Alright. Alright. So let me set the stage here. We'll get on into it. Thanks for, um, taking some time to talk about these two, um, uh, I guess unfortunate, uh, scenarios. So a as I was saying, cut starting today. It's been a whirlwind June of events.

Um, Gary and I were at, along with, uh, the folks I'm gonna introduce momentarily. I think, you know, a lot of, a lot of, you know, a lot of them, but we will let do some intros. But Gary, it was interesting that, um, Rewst hosted the first industry agnostic automation conference. I think they did a really good job actually not making it a Rewst event. It was all the presentations main stage. I know we're gonna talk a little bit about this, but it had nothing to do with Rewst.

It had everything to do with what MSPs are doing around automation. So they, that was really cool. Um, we wanted today to talk about a little bit about perspective of automation. I'm gonna ask Gary and, and, and Kelvin and Nathan a few questions about it. And then we're, we did a session on breaching M 365, um, and we've got some goodies for you all. I'll make sure that if you attend today, we get them to you, we'll get some links up so that they're easily downloadable.

Um, it was on breaching M 365. We used Backdoors & Breaches actually to do a tabletop exercise that between Beau Bullock of Black Hills and Tim, um, we were able to coordinate a really cool scenario. Um, Kelvin was heavily involved in moderating the session 'cause we were looking at different ways MSPs could mitigate those threats, use automation. And, uh, Kelvin also put together a top five things that you can do. I'll have that PDF available for you as well, um, to, to download.

So just bear with me as we get through this session. I download all the, um, email addresses, exfiltrate those over to you, Gary. And, uh, you can sell them on the dark web. How's that sound? Sounds good. Alright. So quick introductions. Kelvin, thanks for being on a lot the last few months. It's great having you back. For those that may not know you, could you, uh, share a quick about yourself? Uh, we'll go to Nate and to Tim and kick it on, off A awesome. Um, I'm Kelvin.

I am an MSP owner, uh, called Lime Networks in the Netherlands. Um, I'm also a Microsoft MVP specializing in Microsoft Graph and Automation. Actually, the full title is something like Cloud and Data Center Management, but no one understands what that actually is. So just say Microsoft Graph makes it a lot easier. Um, next to that, I also own a business called CyberDrain. Uh, CyberDrain creates a product called CIPP. CIPP is an open source free solution for M 365, multi-tenant management.

So that just makes it easier for MSPs to manage M 365 at scale. Um, and that's me in a nutshell. Nice. And say that 10 times fast, Kelvin? No. No. Alright, Nathan, good to see you, man. I think it was your first time on the Cybercall. Awesome to have you with us. It's thanks. And then, uh, yeah. Um, so if you could share a little about your background and, um, we'll hit it over to Tim and kick it off. Cool. Yeah, my name's Nathan Spec or Nate. Um, I'm the VP of Strategic Partnerships at Rewst.

So I work with vendors to, uh, get the integrations built and then get, uh, some crates built around those integrations with them. Um, I worked at Rewst, uh, for a long time before that. I worked at another bunch of places. You can hit me up on LinkedIn and see 'em all. Thanks Nate. Okay, Tim, welcome back. Um, you've worn the MSP CSO hat, so it's really cool to have you with us. Yep. Uh, Tim Fournet here, uh, before I was at Rewst I was, uh, at an MSP for about 16 years.

Uh, so wore every hat over there. Um, but now I, uh, at Rewst I work a lot with our customer education and experience teams to try to teach people about automation and how they can do it better and, uh, really kind of change their culture to embrace it. Yeah. Awesome.

Alright, Gary, I want to ask you a little bit, I'm gonna just look at my notes here 'cause I really wanna make sure I hit on this, uh, point because, um, you know, the Rewst event, again, like I said, was it was done really well in the sense of wasn't about a company, wasn't about some selling products. Um, they really, they invited competitors, um, but the onstage, right, was a lot of MSPs presenting how they're using automation.

Um, so, um, you know, as I said, this is eerily similar to having conversations with you two, A 4, 2 0 5, 2 0 6, and you know how RMM was a massive advantage for people that understood how to use it, what it was for, not trying to sell it to their clients yet, but really understanding it internally. Can you talk about some of the similarities, but also how this can and probably will be very different for those that are early adopters and, and really get ahold of this?

Yeah, so I mean, this is something I'll kind of, this is the message I've been giving to our peer members pretty much now for I don't know how many quarters, uh, in a row of the past several years, which is, you know, in the beginning that first N-able came out and we bought that, then Kaseya came out and we bought that, and that's when things changed. Like we went all in on what we could do.

And, you know, it took time from a pricing standpoint, from a maturity standpoint to it to get to the masses, right? And we probably had it figured we'd have a two year head start, you know, on everyone. It turns out in the 10 years I owned that first MSP, our gap, our gap got bigger, not smaller with the rest of the marketplace.

So number one, what I see is the same when you see something, and I feel like the impact in general, that automation as a category is gonna bring to the space will be bigger than what the change was with RMM because the space and the opportunity, uh, is bigger. And, um, but what's different is that, uh, this has the opportunity to get to the MSP's customers, and that means customers values going up. A customer that spent 5,000 right? Might spend $6,500 with you.

It gets you involved at a business level. It couldn't possibly be any stickier, you know, at that point. And what it does, you know, for an MSP is it immediately expands their TAM, right, in the most profitable way, which is within, you know, each logo. So e everyone should be thinking about, you know, step one, which is, you know, what do I have to do to prepare my company in terms of how I look at things, my processes, my roles?

'cause that, you know, that predates, you know, anything else you can do. And then what are, how am I gonna become internally in all areas of my business, not just support desk in all areas of my business? How am I gonna start to make automation part of my culture? And only then can you start to think about, you know, I think that easier step, which, and some MSPs are already doing it, so, uh, it's a big deal. Yeah.

Um, I was smiling in my head as you were saying all this because the, one of the things we used to hear was about, Hey, if I get an RMM, I'm gonna be out of the, you know, m engineers were, if I have an RM I'm not gonna have a job. Yeah. We're not going through that again. Yeah. And, and isn't it interesting though, there's some of that still today of what does this mean to me and my job?

Nate, you're shaking your head love to, you know, hear your thoughts, but you're actually seeing those companies, Gary, pull away like, yeah, You know, you know how I know someone's on the right track. They aren't just talking about how much time they're saving. Same thing back with RMM. Like, how much time can we save? If you saved no time, if you could just do every task the same way every time, if you could complete tasks right, that you're not completing today because of it, right?

And you had more alignment, more security. If you can get the same results from a tech who's been with you three months, in three years, all of those things, when I hear people, that's when I know they're starting to unlock what automation means. Yeah. Nate, what, what did you see, you know, for, like I said, great job, uh, keeping the conference vendor agnostic. What did, were there any like eye-opening conversations you saw with how, um, MSPs are using tech?

Because like you said, as, as the head of the relationships, right? The API integrations with all this different technology, whether it's a Sentinel one or something. You gave a great presentation about that at, um, at, uh, beyond.

But any like, interesting things you heard about how MSPs that were like, like that is pretty damn cool how MSPs are using technology, uh, that you didn't even Yeah, one of the most exciting things I think that I'm seeing just in the vendor space, the more and more people I'm talking to is more and more vendors opening up their APIs. So vendors who didn't have APIs before, they're building APIs.

Um, vendors who had garbage APIs are, you know, rebuilding them, adding better functionality to really take, to allow an MSP that has already built a process to then use whatever tools they want in their stack to be able to accomplish their process, right? Some vendors want you to go to their product and use their process. You have to fall into their stack and do their things real.

When you open up the APIs, you really allow the MSP to make those decisions, pick the right tools that they want, right? And allows them to really drive that change. Yeah. Aria, as I turn it over to you, um, and I said this to Joe Panettieri at the event, really good to see him. Um, he was the, uh, MC for those that don't know Joe, he was ChannelE2E, MSPmentor, uh, et cetera. Most people didn't know him. I was shocked. Crazy.

Um, so, um, but one of the things I I, I did say to him, Gary, was this, I've never seen something create cottage industry so quickly. Like, you know, it wouldn't be a Cybercall, Gary, without you hu humiliating me and my references to CrossFit, but let me use CrossFit that built so many businesses, right? Clothing, equipment.

And what we're seeing here is I'm already, like Nate just said, you're seeing companies change their way, they manufacture their APIs, you're seeing companies, uh, develop to do automation implementations. Uh, you're starting to see a proliferate in like no time relative only a year really quickly. Yeah. It's like CrossFit, except you have less callous on your hands. Yeah, I I I'm with you. Everything's happening faster though, Andrew, right? Yeah.

What we see is, you know, what it takes to build a billion dollar company, you know, went from, you know, three decades to, you know, three periods, you know, three quarters, so everything. And so it makes sense that someone, something transformative, like what we're seeing, um, would go faster. And I, I I'm agreeing with you, it's already offshoots customers, things being built, you know, all, all, like you said, a cottage industry all around it. Yeah. Okay. Over to you. Go. Okay.

Um, so Kelvin, I wanted to, um, uh, first off, it was really cool. You traveled from the ne Netherlands to Tampa, right? To be, to be there at, at the event you spend a lot of time in 365 in, in, in security. So was there a particular area that you saw through that that maybe lends to today's discussion when you correlate those two things? Ooh. Um, well, our pre-day session was first, first off, it was amazing to be at the event. It, it was so much fun.

Like it's absolutely worth the travel, going to a small scale event where not everyone knows everyone already and you're actually speaking to new people about novel automations. It, it, it really was a, was a good time. Um, and, but those kind of discussions, um, what I noticed especially is when, uh, Beau from Black Hills Security gave his part of, of the pre-day session is that people were shocked at how, um, Microsoft actually allows insecure defaults.

Like during the first four hours of the day, you saw MSPs getting more and more scared. You actually saw them going like, wait a minute. Is is this true? Is this the case? Um, I think Tim and I both saw like four or five people on their screens live changing settings as we were giving instructions and, and talking about how to defend yourself because they just didn't know.

So I think that is the biggest, biggest thing that surprised me, that there's not a lot of awareness around, um, what Microsoft calls the accessible defaults. They're not secure defaults. They are accessible. The moment that you are, uh, um, creating M 365 tenant, you are creating, with the idea of collaboration, you're not creating it with the idea of security, because those are completely conflicting with each other.

And a lot of the settings that we're going to talk about in the tabletops and these kind of things are actually decisions that Microsoft has made to say like, okay, we're going to, um, make sure that our product is as usable as possible, not as secure as possible. Interesting. Um, let me ask you another question. So, um, specifically dive in a little deeper, you know, authentication, ex exploitation.

When you think about that and you think about automation, what can automation do to maybe help, uh, what reduce or, um, the opposite? Yeah, so there's two things that, um, everyone in, in, in this chat should think about right now. It's, um, it doesn't matter that, you know, what settings need to be changed. It really doesn't matter. Uh, what matters is that you're capable of doing this at scale in a controllable manner and in a way that is reapply, uh, reapp applyable every single time.

And that is where automation comes in. It doesn't come into, uh, automatically, I don't love that word, automatically, automatically make everything more secure. It comes in to implement the process that you've envisioned. Um, your automation should never be, oh, I'm going to make my tenant more secure. It's going to be, I'm going to change these specific settings because I know exactly what the, what these specific settings do and how they make my client more secure.

If someone tells you, if you set this checkbox to allow all users access everywhere, it actually makes your tenant more secure. Because Microsoft implements this super deep dark policy somewhere in the background. You'll also look at them saying like, wait a minute, the checkbox explicitly says, I'm making this, uh, I'm giving everyone access. So what you're saying, I'll have to go check. Do that with every single checkbox that you set.

Actually discover what your product does, because automation should be there to help you apply your process. It shouldn't be there to help you apply just security. And also, to your point, Gary, the insecurity part of automation is one of the biggest danger if you don't know the settings that you're changing over. Yeah. If you don't know what you're doing, imagine setting a specific setting over all your tenants or even over a small subset of them that disables security.

You don't want that happening either. So it's more of a matter of understand your process first, and when you understand your process, then you can move on to thinking about how you're going to automate that. Gar, just a quick question to, to Kelvin.

So there's, you know, you bring up a really interesting point, and I don't know if we have enough time to delve into it today, Kelvin, but there's a big difference, I think, in what you're saying about using automation to really drive standards, which is near and dear to Gary's heart. Hey, we're always gonna do this this way every single time, as opposed to what, like you'll see in a SOAR, right?

That, you know, you're seeing something happen at a detection level, a threat level, and using automation to high, hypothetically take a host offline or something like that. Very different types of automations that we're probably gonna have to categorically define a little bit at some point too. Yes. Yeah, absolutely. I mean, uh, just, just looking at the type of auto, because of CIPP, I have a very specific mindset about things like standards, exactly.

We should apply specific secure standards and we shouldn't allow anyone to apply insecure standards. Like that is one of the biggest things that I've done in CIPP. CIPP is opinionated software. It tells you what the standards should be. It doesn't allow you to turn off your security and then say, go and press a button. Now it tells you you should be doing this period. This is, this is how you're, you are secure.

And, um, I think that the separation between a, uh, standards orchestrator and an orchestrator or an automation tool that allows you to respond to things are two very separate things. And one can be done without process. One can be the, or at least without understanding the entire process. Like isolating a host is an action where you, that you can absolutely take without needing to understand exactly what happened on that host. That's something that you can research later.

That's something that where you can deep dive on later, but allowing access to something or, uh, setting specific settings that should be done. Keeping the process in mind. I think there's understanding. Yeah, I think there's a concept here that we're talking about, but it might help to define, and that's to, to define your desired state, right? So, um, when you use automation to set your standards up, you're defining how you want things to behave.

And if things drift, if they fall out of those things, then your automation should be built to put them back into the line where they should be. You get a really good point, Tim. I like the drift piece. Phyllis, I, I got a few questions with you and then we'll go back to Gary and we'll get into this tabletop a bit. Yeah, sure. Before you start, can I just say one o uh, other thing about, um, Flow? Yeah. I told someone, I'm like, oh, you can find me downstairs. I'm the one without the beard.

It's either me or Andrew, because we were the only two people at the event didn't have a beard. Mine is 'cause I can't grow one. Gary, what's your experience? Yeah, never was never my, never my thing. I'm outta style now, Although Junior's got a good one going. He does. Go ahead, Phyllis. Sorry. Oh yeah, sure. No problem. So, you know, we just talked about secure configuration and then the default configuration of M 365. Mm-hmm.

So, um, when you and Bo discussed this topic, what kinds of questions did you get from MSPs and how is it, you know, you talked about automation, just these processes in general. What is it that MSPs can do to help with that kind of automation? Wow. Um, that's a tough question because there is a lot of different, uh, ways that MSP work.

Um, I think personally that, um, when we're talking about secure configuration following a benchmark that has been set by another, like CIS is a perfect example of how you can make yourself more secure by relying on crowdsource knowledge. Because I'm, I'm saying that, uh, the, the crowdsource knowledge part is very important because a small MSP, a solo entrepreneur, will never be able to discover all the intricacies in M 365. It just won't happen.

There's too much going on there that you need a cloud engineer, someone who spends most of their day in the software and understands all of these things. So crowdsource knowledge becomes a very important component. And something like the CIS benchmarks are a perfect example of crowdsource knowledge. Kelvin, can I just jump, Phyllis, can I jump in on this? Mm-hmm. CIPP, you got five over 5,000 MSPs open source. Have you learned stuff from them? Kelvin being an MVP yourself?

Like someone go, well, what if we did this? Kelvin has have some of those come from the community crowdsourcing. Yeah, Absolutely. So, um, that, that's the brilliant thing about open source software. A lot of things that are in this current set standards aren't just made by me anymore.

We have 30 or 35 people contributing to the software and all of them have slightly d opinions on what is actually secure software while we're all working towards the same goal, but someone says, this setting is something that we need to think about. And then as an MSP I start thinking about it. Like, okay, uh, a good example of that is disabling shared mailboxes. A shared mailbox is a way of sharing a mailbox across multiple users by default.

It has an account that is enabled, but it just doesn't have a password. It's a securely generated password. That's from the way where Microsoft the moment is created, but still it has an account enabled. You have to think of your identity management. So you should disable that account because no one is logging onto it. Even if you don't know the password, you should be disabling it. So there's a lot of thinking like that going on.

And, and a lot of the community actually, um, just go through what are the IDs that are in, um, um, what are the security IDs that Microsoft has about M 365 and how can we apply our own benchmarks to that? Nice. I just a question have, I don't know if the group, um, saw the Secure by Design release by CISA, and it was a document Secure by Design and it, you know, all the, all the Five Eyes countries, a bunch of definitions and organizations signed up for that.

And one of the basic tenets of Secure by Design is having, um, a default, um, secure configuration so that when M 365, um, does get deployed, um, it's default locked down, kind of like that router configuration, like the default deny is the first statement, and then you allow stuff. You know, that's, that's the gist behind that. And so I just mentioned that it's just interesting as US government tries to put more and more onus on software vendors to provide some sort of security out of the box.

You saw that in the, um, national cybersecurity strategy. You see it, um, in some of the executive orders coming out and now Secure by Design. Oh no. Gary, did you wanna say something? You look like you wanted to say something. Okay. Nope, just some good stuff. We get a little more tactical. I wanna make sure you get to it all. Phyllis. Okay. And then, um, so Nate, um, so we know that phishing of course is, um, ever popular, um, way to get into organizations, um, initially for a compromise.

And so what integrations and automations have you seen, um, that MSA MSPs are using, um, to address this? Yeah, Rewst has a number of, I mean, we've got almost 60 integrations now. So a lot of the things that, that we do can be, uh, very vendor agnostic. But one of the first things that comes to mind when we talk about phishing is we have a crate that's in our marketplace that was built by one of our customers. Can you just explain what the crate is, Nate?

'cause a lot of people know where the heck a crate is. Sorry. It's, uh, Rewst terminology. So a crate is gonna be a, um, like a little bundle and that's gonna have the, uh, workflows, the integration, any templates that are, um, being used in the workflows and then scripts. So it's just a little bundled automation. You press a button, you would install that in your Rewst tenant.

Um, so yeah, uh, that, that automation is then what it does is anytime a MSP's customer will report a phishing attack, Rewst grabs the email domain from that phishing attack. And, you know, for instance, it's just, this one's specific to Sentinel One, but we go to the Sentinel One URL tool and then we validate if that URL is a known phishing attack or not.

We grab the information from Sentinel One and then we add that to the ticket, allowing the MSP technician to be able to have more information right away to be able to make that decision faster. So it's not, you know, removing the technician from it, but it's just giving them that information right in their face, in the PSA, giving them the information to make that decision. It's, Go ahead. Sorry. No, It's, no, simply it's, you know, things like that, like standing up a, a website, right?

Nate five days ago, three days ago. Like, just though that little bit of information can really make a huge difference. Yep. That's, and so, um, I'm not familiar with the tooling. So is that available for everybody to use or is it like for a customer? Like how does that work outta curiosity? Uh, if they're a Sentinel One customer, they would just set up the Sentinel One integration. They would install that crate and then they would be able to use that, um, that automation. Oh, that's awesome.

Yeah. That's great. 'cause that's so quick. I like that you, you know, that's the beauty of automation. I think we all know that. Yeah. Okay. Um, so back to you Gary. I think we have, so yeah, I think what we're gonna do next is, um, tabletop, Kelvin, maybe walk us through, um, the tabletop exercise a little bit and how MSPs, you know, we're approaching these and just to like, maybe 'cause we, you know, for the sake of time some key takeaways from this. Yeah.

And then we're gonna make sure, Andrew's gonna make sure everybody gets this. Yeah, absolutely. There were So sorry, Andrew, go ahead. No, no, no, you're fine. Kelvin, I just, let me just confirm. Can everybody see this first off? Yes. Okay, perfect. And so, yes, I'll make sure if you're on today, uh, we will, we will promise you'll get all of the five tabletops along with Kelvin's best practices, uh, that he put together for mitigation of M 365 attacks. So Kelvin, walk us through this one.

This was the first one we, we went through and then maybe you and Tim can kind of collaborate and like what things you heard from MSPs that were like, oh, that that was pretty damn clever that you could use to mitigate and automate. Yeah, so, um, Tim and I were joking about this, but every table where I sat down to, to discuss the thing with everyone, um, the first thing they said was, we're closing shop and we're, we're filing bankruptcy.

That wa that was the first comment that all the MSPs had. Please don't do that. Please don't do that. No. But, um, seriously, um, there were a lot of inventive ideas, especially about the business email compromise scenario. Um, if you're not familiar with business email compromise, you shouldn't be on the cyber call, but I'm still going to explain it to you.

Um, business email compromise is when someone is phished and at that moment, um, someone, uh, uh, the attacker will try to, uh, either send, uh, uh, phishing emails to the CEO internally or try to, um, change an invoice, the change bank account numbers, all of these kind of things. It's, it's one of the most annoying threats there is, uh, especially when they work because they're often pretty low effort by, uh, the attackers. So they're able to do this in massive bulk.

Uh, the, the, they are massive bulk attempts. Um, in, in one of these cases, uh, in this case, uh, they got initial access, um, if I recall this correctly, through, um, they got initial access through a phishing email. And, uh, from there on, uh, they started, uh, trying to exfil data, searching, uh, information in the emails, uh, then, uh, elevated their access, et cetera, et cetera.

Um, yeah, the, the most creative, the most creative solution that I've had for this was an MSP that actually said, um, this is, uh, uh, more of an insurance and legal risk. So we're going to move this to, uh, uh, our insurance and legal department and getting them involved as the first step to create a new policy. Because the idea behind the tabletop exercise was create a new policy and create an automation if required.

And funnily enough, um, most, well, funnily enough, of course, most of the, uh, uh, answers were very technical, but this was one table that said like, first we're going to discuss this with our legal counsel, which is one of the best ideas that you can have at the moment that you detect an actual compromise. So, so that was one of the surprising ones. Yeah, that, that's absolutely. Tim, anything come out of this for you that you saw?

Yeah, I think it was really interesting that a lot of MSPs decided that, um, they were gonna update the IR plans, uh, based on these. But then, uh, they came around to, you know, we, we've talked about response, let's talk a little bit about prevention. Uh, so they were talking about, um, MFA, um, and doing a better job at detecting, uh, which users have MFA turned on and turned off. mm-Hmm. Um, Kelvin had some, some news for the group as well on how we can automate that better.

Um, and then, you know, doing things like monitoring, uh, email for, uh, passwords and, and things in the email so that we can identify when people are misusing email by throwing credentials around things like that. Uh, so yeah, it was really exciting stuff. Uh, a lot of, uh, as Kelvin said, unexpected solutions, uh, based on these things and, and really like a, a whole a well-rounded, uh, set of ideas.

You know, what's interesting to hear Tim, uh, how you approach this and that, what you just gave is a great example, but Nathan, you know, you're on the other end when MSPs are just beginning their journey and you're trying to show them, they can't really think in that way. They really think in terms of can it complete a support test task? Can it save me time?

Like, they start out at this kind of point because they haven't had the experience to be able to think, you know, in, in a much broader sense. Yeah, I would say, um, a lot of the MSPs that that we talk to, um, don't have processes yet for a lot of their, you know, the, the tickets and things. And that just makes it harder to look at, like you were saying, that entire scenario.

So if you, if you haven't written anything down, you don't understand what you have to do step by step, it, it's more difficult to actually come at a automation mindset because if you, like Aaron says, right, you can't automate a process that doesn't exist. Yeah.

And I think what's interesting about even this BEC at, at a more macro level is just the fact, Kelvin, what you said, you know, they're like, Hey, we'll sit down with our legal and discuss this, uh, and, and which will really probably get into some type of policy.

And what these tabletops do is, you know, and, and probably the biggest one is in when you start to talk about, you know, vulnerability management is, um, it is very rare for me to talk to an MSP that's looking to implement some type of vulnerability management platform. Um, one of the first questions I ask them is, okay, the number one reason they're doing it is to find, use it as a sales tool.

Hey, we wanna find, um, areas that are, you know, are behind in patching, show how inept your current provider is. Use it as a wedge. That's the number one way to use it when I ask them, let me ask you two questions. Number one, does your, you know, agreement with your customer, say, we patch systems not specific. Do we patch we patch systems? So generically, which is, is is broadly dangerous because we're not being specific. That means we're patching all systems.

And number two, do you have any type of, um, policy and SLA when it comes to vulnerabilities? So quick tangent, but these tell true or fault. Like these are, this is what these tabletops do is the aha moments to go, wow, we don't even have a policy. Even though we say to our customers, we're gonna patch, we're basically saying we patch everything. So just a, a different approach to the same, uh, or, or sorry, a different angle to the same kind of realization. Your thoughts on that?

Um, just jumping on this, I absolutely agree so much with vulnerability scanning just being used as a sales tool, it's, it's insane how little it's actually being utilized by an MSP to improve their own internal process. I mean, I fell sort of victim to that myself. My sales team said We need vulnerability scanning for this and this reason. I said, okay, let's do it. And then my security team was like, no, we actually need it for a lot more reasons.

Completely opposite to what sales sales are saying, we need to start using this to actually protect people. My security team, they, um, I I always say that they have complete say over anything that I do because they should.

And they simply said like, we're not going to implement any type of vulnerability scanning for sales unless we actually have procedure to back this up to say we're going to use, uh, vulnerability scanning to make sure we are able to catch up on patches that we needed to install or updates that we've missed somehow, or third party patching that we officially don't do, but want to assist you on these kind of things. Right, Right.

Another Thing that's really interesting about this scenario is it gets into, uh, container vulnerabilities. And a lot of MSPs are getting kind of pushed into those DevOps roles these days where they may be building and maintaining containers either for their own services or their customers. Uh, so that vulnerability scanning only containers and making sure that those are kept up to date is a, a whole new set of, uh, uh, communication and collaboration that people were talking about.

Um, if you guys could just bear with me, of course, I know you're shocked, Gary, but I'm having issues with Crowdcast. Um, Well, we can kind of talk through even you can't put it up 'cause it's, the cards are small anyway, but our next scenario was just talking about, um, rogue admin. Yeah. So the rogue organization was, was really good one the, um, Tim handle the mo most of the tables with those. So maybe you can talk a little bit about those. Yeah.

Uh, let me pull up the cards just for my own memory here, since they're not, it was the public storage bucket exposed. Oh yeah. That's another case where it's interesting. I think it's a thing that a lot of MSPs had not really considered yet. Um, and there was a lot of new discussion on enumerating those public blob, uh, buckets, you know, so, um, blob, uh, in, in Azure terms stands for a binary large object.

It's just a way of storing data online and, um, what by default they are publicly available, um, unless you turn them to not be, if I remember correctly. Um, so, you know, that's one of the things that people had not yet considered yet. You know, are we listing these things? Uh, are we making sure that anything public is real public data and not something, um, that is, uh, sensitive in nature?

So automations that people came up with just around going through your tenants listing those, uh, those public blobs and going through some sort of approval process and, and understanding identification. Right. Uh, this is, you know, identification of assets. It's the CIS control one, right, Phyllis, where, uh, we need to know what we've got in order to know if we're securing it or not. Yeah. And it's also the, the, you have to remember that this is very citizen IT stuff.

This is, users can create blob storage. They, they could potentially have some form of shadow IT access to Azure or AWS or Dropbox or whatever, and they are able to upload the storage using the company name, putting it in places where it doesn't belong. So it also signifies that little bit of a blind spot that we have as MSPs, what are our users actually doing?

Because if you as an MSP are not supporting your client in what the, what their needs are, they will find a way, especially with Gen Z coming to, to, to the table as, um, um, entrepreneurs these days. They will definitely find a way they will not care about any of your security procedures or what your help desk thinks. They are used to self-service. It's, it's a different type of generation that, that you're sort of getting involved with Phyllis. Yeah. A question.

So, um, is that part of a service that an MSP should offer? Is like that kind of user training as well or Absolutely. That overstepping your bounds. Okay. So yes, It's, it's absolutely something, uh, MSP should offer and shadow IT monitoring. There's, there's a bunch of MSP and non MSP products for that. Even Microsoft has, has a couple of solutions for it and TVM, as they call it, threat and vulnerability management, um, where you actively scan around for users using these products.

So you can notify them. You don't have to block them, you don't have to stop them in their tracks and say you are being a bad boy. But what you can do is say, Hey, we don't have any pro process or procedure around Dropbox. What are you using it for? Maybe I can help you get it over to OneDrive, which we do manage, or maybe I can help find what you need to do and help you secure Dropbox in the way that we need it.

So you're thinking with them not blocking them from doing something, you're trying to help them and that, I think that's a very important difference than just pointing your finger at them and saying, bad boy. Yeah. That's, I mean, that's the real goal of, of security, right? Is to keep the business running. And if you're stopping the business from running, you're not really providing security. Yeah. I I think that's actually great to say as well.

I've worked with a lot of organizations like K 12 and the teachers, you know, they get all the software, they get excited. It's like, we're trying to help kids in the classroom. Why are you trying to prevent me? And you know, the cybersecurity experts there were like, you know, just like you said Kelvin, you have to, um, approach it like a partnership. Yeah. We are here to help you not to point out all the things that you do incorrectly 'cause I'm smarter than you.

But like, how can we enable you to do what you need to do? Um, so I I appreciate that, um, viewpoint. 'cause so often in security, certainly when I was at the NSA, we certainly talked about how dumb people were. Um, you know, there's some, I Think there are, I think MSPs internally still do that. Both can be True. Exactly. Exactly. One statement doesn't make the other false.

So Andrew, we're gonna run out of time here, but I wanted, um, the team to talk a little, a little bit about scenario three. 'cause it's the, um, I think most interesting one, which is data published to the dark web. Yeah, yeah, yeah. That one was exciting because, uh, the cards said, um, and I'm doing this from memory. So, um, credentials were uploaded to a GitHub repository, I believe, something like that. Mm-Hmm. Or, or to, to, to an online repository.

And because of that, uh, the, uh, uh, credentials were leaked, including environment variables. And Tim, those true, those, it a bit more in depth, but I believe that even the, the, the, the attackers eventually pivoted to a serverless function. And you have to remember that one pair of credentials so much can happen so much in, in your environment can go wrong. Imagine that one admin's credentials of your MSP get gets leaked. Yeah.

That means that, um, I know that a lot of MSPs have bad security practices, so that means that for every client that you have, probably there's a username and password that's lying about somewhere because people tend to reuse usernames and passwords. So it becomes so much more complex and it's like this, this ever-growing snowball effect of things that could be attacked. Kelvin, can we pick just a touch in the last few minutes on that?

Because, um, something we talk a lot about on this, uh, on, on the cyber call is the proliferation of tools, right? Gary? 40 tools, 50 tools. So, and we're talking about automation here. We often talk about automation for onboarding new users for the customer, offboarding new users. But Kelvin is there applicability. Nate, certainly chime in here.

Uh, for the MSPs engineers where in one fell swoop, we wanna make sure that all access is turned off in RMM, in firewalls, in on, you know what I'm saying? All these different facets. Now granted, some have good practices where everything's, you know, correlated to a secret server and, but, but, but still, can you talk about how automation could and should be used in that area? Yeah, absolutely.

Um, I, I actually want to give that, give, give a hand to Nathan here and, and let him go because their offboarding crate fixes just that, um, that they, they have a crate available, so have premium automation available that helps you offboard users, utilize that in your own MSP, make sure people get offboarding from the right product. But Dave can talk more about that.

Yeah, so we, we talk a lot about, like Andrew, like you said, the onboarding and offboarding and a lot of those are, are around, just like we talked about earlier, automation doing the same thing every time. So it's not skipping a step if you offboard someone you forgot to, you know, invalidate the sessions, you forgot to, you know, disable the login, right? Like any of those things, like the automation does those things every time.

But another kind of thing to think about, Andrew, as you were alluding to is if one product in the stack fails, something else can then pick it up, right? So one of the examples, uh, again, I I talked about this at Beyond was Sentinel One, but if, uh, Sentinel One has a threat, not mitigated alert, so that means Sentinel One did everything they could, but that threat was running at admin level. So Sentinel One couldn't remediate it, that automatically creates an alert in the PSA for the MSP.

So then Rewst can use that alert to use the RMM to take that machine offline. And so it's just using all the tools in the MSP stack together, kind of weaving them together so that, that if one doesn't do or can't do what it needs to do, another can kick in and do that. Very cool. Well, I know we're, Yeah, I'm sorry. I know we're gonna come right up against it and I gotta bounce off, I'm up against it at two. But real quick, I wanted to mention one other thing that was talked about, uh, at Flow.

Uh, and you've heard Aaron, uh, Churnin talk about this, which is, um, uh, center of excellence, this idea that for automation to work, the process for it has to be in place with, from executive, you know, sponsorship to representation from different delivery areas, um, so that it becomes part of the culture and what, you know, in talking with Nathan, that's like really the common thread they see of, of the people that are maturing the fastest.

And it's not like anything else, it's just that this happens to be something that, um, is complex enough, you know, and to really make an impact. So everyone start thinking about, you know, what it is to build a center of excellence. Yeah, I think that's a a really good point. It's really important. Well done. You know, close Andrew, I think you froze. Yeah. Crowd issues. He's got a nice smile though on his face. Not a weird, I that's You're gonna freeze. You should freeze with that picture.

Yeah. Thumb. Alright, well I guess we could close right Gary? Yeah, we'll say, uh, we'll say thank you to everybody for, uh, for joining us today and we'll look forward to seeing everybody next, next week. See everybody. And there he is. Bye.
