Right of Boom
January 30, 2025

October 19th, 2020

In this video, cybersecurity experts Andrew, Wes Spencer, Kyle Hanslovan, and special guests Aaron Chernin and Sunil Yu discuss the challenges and solutions in categorizing and managing security solutions using the Cyber Defense Matrix. They explore the importance of aligning people and technology, particularly in the context of Managed Service Providers (MSPs), and the significance of moving beyond traditional security measures to adopt newer paradigms. The conversation also delves into the future of cybersecurity, emphasizing the need for innovative strategies to effectively address evolving threats.

- The Cyber Defense Matrix is a framework that helps categorize and map cybersecurity solutions, focusing on the NIST Cybersecurity Framework functions and various attack surfaces.
- The importance of taxonomy in cybersecurity was highlighted, emphasizing the need for clear definitions and categorizations to avoid confusion and miscommunication.
- MSPs face challenges in shifting security responsibilities to clients, as clients often see security as an extension of IT services, underscoring the need for effective communication and strategy alignment.

Guests

Andrew Morgan

Video Transcript

We are in episode 23, joined by as always, Wes Spencer, CSO of Perch, Kyle Hanslovan, CEO of Huntress, and we've got some special guests. Today we are joined with CEO, Aaron Chernin from Perch. Hey Aaron, how are you? Good afternoon. How are you, Andrew? Doing great. Thanks for joining us. Uh, I thought it was apropos because you know, our special guest, Sunil Yu. Sunil, thanks so much for joining us. Thanks for having me. It's a pleasure to be here. Yeah, well, it's a pleasure for us.

Gary couldn't make it today. So again, Aaron, I appreciate you coming on. Um, few quick announcements. I mentioned this every week. We've got the Cyber Nation, which is live. Got awesome folks in there. Sunil's in there. Kyle's in there, Wes is in there, and a bunch of security practitioners. I think we're closing in, Wes. I didn't look at the latest count. 750 to 800. It's growing. Yep. Growing every day. Yeah. Yeah. Some great content on there. Yes. Yeah, so very excited about that.

We've got an upcoming, um, really some really cool webinars. We've got upcoming, we've got an upcoming event with, uh, Ryan Bonner, one of the future assessors for CMMC, along with networks and Perch. So that'll be really cool about the latest of taxonomy and identification around CUI. We also are doing something really unique with, um, one of the data scientists at Umbrella, Wes. This guy, um, I was blown away. Austin McBride on what he's done, threat intel side.

So we're gonna be having some good, Yeah, it's kind of cool. You know, everyone knows Cisco, right? And we know they have an army of researchers across all their product division lines, but it's really cool, Andrew, just the fact that we have commanding enough presence here among all of us together as MSPs to get some really great folks like, uh, Austin from, from Umbrella. It's really exciting. Yeah, absolutely. So I put up a poll, and this is gonna kind of lead us in here.

Um, and Sunil, I kind of put up a poll here about do people struggle categorizing security solutions. And, uh, with that, let's see what they say. Um, and, um, Sunil was wondering if you could give us a little about your background. Welcome to the show. Really appreciate you coming on. We've been collectively plagiarizing your stuff for some time now. It's awesome, but no, I'm kidding around. But we, we love referring to your stuff.

Isn't there something about like, imitation being, you know, the most sincere form of flattery or something along those lines? I'm glad that's what people say 'cause we use it. Well, I should mention that. Uh, I, I, I think I put a, um, a copyright label on it, and the copyright label I put on was, um, basically one of the most permissive ones that you can, uh, possibly find. Basically, it's share as much as you want, uh, hack away at it and do whatever you want. So That's awesome.

Well, Sunil, you got, um, quite a background in the security space. You worked for a small bank. Can you tell us a little bit about that? How this all came into being? Um, a lot of the audience may not know you, so excited to bring you out into the MSP/MSSP space. Sure.

Uh, well, just to start off with what I'm doing right now, um, I'm the, I'm currently the CSO in residence at YL Ventures, which is an Israeli, uh, US or Israeli, uh, venture capital firm that focuses on early stage startups that are based in Israel. Um, if you're curious about what a CISO in residence does, uh, it doesn't mean that I just work from home.

It actually means that I go, uh, talk to a bunch of entrepreneurs and I act as a, um, as a proxy CISO to help them understand how to navigate the, the enterprise space. Uh, I really was looking forward to visiting Israel, but, um, yeah. Anyway, the, um, but prior to that, I was, uh, the chief security scientist for a, uh, too small, the failed bank, um, starts with the word bank, ends with the word America. Um, never heard of it, and nah. Yeah.

Anyway, uh, in that capacity, I, I, our CEO at one point in time, uh, at Davos, told the whole world that we have an unlimited budget for security. That did not do, uh, wonders for me, um, for my voicemail or for my email. I just got a ton of people basically hammering my door saying, Hey, I heard you have money.

And, um, part of my role at, uh, uh, as a chief, as a chief security scientist was to, uh, try to develop roadmaps, try to understand where we are in this space, um, and provide a forecast of where we need to go. And so it, it was incumbent upon me to understand the, the technology landscape, a actually really all aspects of security and to try to drive forth what will be the next generation of security for the bank.

Um, and to drive it both inside the bank in terms of what, what needs to change inside the bank, but also externally as well in terms of what does the ecosystem need to do to be able to meet the needs that we are, we're gonna have as a bank. But really more, just more so just as practitioners, what are the things that we as an industry really need so that we can, um, put this problem to rest. Very cool.

Um, Sunil, I am putting a link, speaking of plagiarism, I'm putting a, I'm putting a link, uh, hopefully that works for everybody. I tested it. Maybe you guys could just validate it for me. But that is, um, it's, it's A little short of a hyperlink. You think you make it a little longer, You know, that's Microsoft for you, Wes. Um, we have to embed as much code as possible, so, um, you know, guys like Kyle might trip up on, on, uh, deciphering it, but, yeah. Um, can, does it work?

By the way, I've seen this phishing landing page before, it looks good. So it, it's claiming to be an O365 login. No, but it, it definitely prompted. Okay, good. So this is, uh, the Cyber Defense Matrix, Sunil, and, you know, I'm, I'm plagiarizing you here by you saying, Hey, this is, this came about by five things you care about and five things you do, you know, in cybersecurity. I just put a simpler one, hopefully one that's a little bit more memorable.

Well, um, can, can you maybe share that for, you know, that that what that means for everybody? Yeah. So, um, the, the first problem that I really had was just, uh, and I could see that in the poll. We at least have, uh, two thirds, roughly two thirds of the folks saying, it's hard to figure out how to categorize a lot of these things. Um, and that was really the challenge that I had coming in.

I had, um, imagine you walk into a Home Depot, you know, you wanna build a tool shed, um, and instead of seeing nice aisles, you just see like pla um, planks of wood and nails and hammers all in the middle of the floor. And it's just sort of like, how do I know where anything is? How do I know how to find anything? Um, I spend enough time in Home Depot as it is walking through all the aisles trying to find stuff. So in the context of security, we, we have a very similar problem.

And, um, what I wanted to do was basically create shopping aisles for cybersecurity. Okay. And so my shopping aisles consisted of two dimensions. On one dimension, it's the NIST cybersecurity framework, or what we do. So that's identify, protect, detect, respond, recover. The other dimension are things that we care about, um, or we can talk about attack surfaces, or various other things.

But anyway, those, uh, five categories of things that we care about are devices, applications, networks, data, and users. So then we have this nice five by five grid, uh, very much looks like a bingo card. Um, and it allows us to basically create this shopping aisle for all these different capabilities and products that we have in the marketplace.

So that, that's become, um, a working mental model that has helped a lot of us to just think about where things might fit, what kind of problem certain things are solving, and, uh, and so on so forth. So, very cool. Yeah. And what happened to your camera? Oh, Aaron's or mine? Mine's not working. Yeah. Every now and then they decide they gotta censor somebody who's, you know, clearly inappropriate. That that must be what's happening here. Real, for real. Mine's not working. No.

I mean, cam quality's down. Yeah. The show must keep going on, gentlemen. So, uh, okay. Can you me, uh, we hear you great, Andrew, Huh? Bizarre. Okay. I can see it appears to be coming through. Fine. Alright. Um, so Sunil, I'm gonna kind of turn this over to Aaron. I hope, Aaron, are you there? We can't see you, or I can't see you, but are you there? I I can see me just great. That's what I see too. I think Crowdcast is having some issues here, so it is what it is.

Um, but Aaron, um, in turning this over to you, I got the, um, pleasure of watching Sunil, or everybody could, but I was watching Sunil present at an RSA event, and, you know, so this is a room packed full of security practitioners. And, you know, he asked a question around vulnerabilities. He's like, do you identify vulnerabilities or do you detect? Then he's like, first raise your hand if you identify.

And a bunch of people raised their hand, and lo and behold, he said, okay, and who votes on detect? You know, do you detect vulnerabilities? And lo and behold, a bunch of people raised their hands. And I'm like, man, if, if security professionals can't agree on what identify or detect is, um, what does that mean for anybody else, Aaron? So, so with that, you hear a lot about these kind of challenges, um, from your role as well. And, you know, I wanted to hand this over to you.

You've known Sunil for a while, um, from your banking days, and, you know, maybe you could carry on from here and, and share your perspective and thoughts with Sunil. Yeah, I am a recovering bankster. Um, I met, I met, uh, Sunil eight years ago, and, uh, I think it was about eight. What do you think, Sunil? Eight. Yeah, that's about right. That's pretty. And, uh, Wow, that's amazing. That's been so long. We, um, all of this is, uh, tax, what we would call in the industry, a taxonomy issue.

Um, and before you can, uh, fix a difficult problem, you have to start at the taxonomy. And you would think the taxonomy, taxonomy is the easy part of the problem. Uh, it turns out it becomes one of the most complex. So even eight years ago, uh, Sunil was looking at that and working on it, and that's how, uh, we ran into each other, um, in the industry. So it's nice seeing you, uh, float over to our MSP and MSSP world. Um, I feel like my realities are crashing together. Thank you, Sunil.

Um, and then, uh, and I do have one, uh, I do have one, uh, funny, uh, funny Sunil story. So last time I ran into him at a financial services conference, um, and I was manning the booth, and Sunil came up to the booth and said, oh, I see they haven't hired a real CEO yet over, at first, I swear that's what he said. Didn't you say something like that? Yes, I did. Yes. It was awesome. So, alright, so, um, kidding a sec.

Um, this is something I've been battling, um, and this was a really good example to, uh, the identification versus detection. Um, everyone who raised their hand, I don't know how you did it in your talk, Sunil, but everyone who raised their hand, how did you even, how would've these folks even known if they're raising their hand properly? What does identify mean? What does detect mean?

Um, unless you had gone over that definition first, um, they, to themselves, I mean, even, even if I gave them a definition, I think, I don't think it would necessarily change their perspectives of what word to use. I mean, we kind of just, um, it, it's kind of baked into our marketing literature and just how we think about, uh, however we've designed our own programs.

We, we say certain words because that's just what we're comfortable saying over and over again without realizing what it means, right? Yes. Um, and in vulnerability management, um, there's, uh, a ton, uh, of this usage of words that we don't have a definition for, for example, take severity and criticality. Um, they sound extremely, you know, you should be concerned about a high severity or high criticality vulnerability. Uh, but there are no definitions to those words.

I always tell folks when they're, um, analyzing products that say reduces risk, the minute the product says the word risk, um, we should all be questioning ourselves. What the heck are they talking about? Um, because Thanks for coming to my talk. Sorry. Uh, can you, can you folks still hear me? Yes. That was my apologies. Yeah. So as a, uh, as a strong advocate for FAIR, uh, I, I, um, so one of the ways I funded FAIR at the, at my prior organization was I had this, um, this jar.

It was a, it was a four letter word jar, and that four letter word was RISK. So anytime anyone said that four letter word, without proper context, without proper, um, uh, proper usage of that word, they had to put a dollar into that jar. And that funded, uh, my efforts to get the, you know, the products I needed for FAIR. In fact, I mean, if I forced everyone to put money in, it would've funded my entire security budget for, for a long time.

Um, but yeah, people do not use the word, uh, risk appropriately. And they mean different things. If, if, if, uh, four of us said the word risk, someone heard, if four of us heard the word risk, uh, we'd end up with five different meanings. And so I think it's, uh, having clarity of meaning is one of the things that I was trying to really aim for in creating the Cyber Defense Matrix. And as a, as a FAIR practitioner, the, um, Factor Analysis of Information Risk.

Uh, I'm, I'm pretty, uh, I hound on the word risk all the time whenever someone uses it or misuses it. So, um, this taxonomy issue is huge. Um, how do you build a specific product that fixes a specific issue? Um, if the issue that you're resolving doesn't have a, an agreed upon definition, um, and this is why taxonomy and the words we use are so important. Um, and I'm very surprised that in, in our industry, we don't have more, um, anger around this.

Imagine if, uh, I use this a lot in my conversation, so I apologize for, uh, the folks on the, the line here who heard me say this, but if you, if you went out and bought, uh, a CPU and you purchased the CPU, you ordered the latest CPU online, and then you got it, you finally got it at work or got it home, and you realized it was really a hard drive, um, you could tell that it was a hard drive. You could show it to others and say, Hey, look, I got a hard drive.

Uh, but if you purchase something like advanced prediction security analytics, and you got that to work, uh, how do you know you didn't actually get what you bought? How could you prove that you didn't get what you bought? Um, it's a big issue. Yeah. And, and one of the issues that we see in this space is where, um, people take what is a secondary or tertiary function for something and claim that that is its primary function.

So you bought a hard drive and, uh, the way it's labeled is that it'll play music for you. Okay. And you're like, where is this, I mean, all I hear is whirring. I don't really hear music. Okay. And then if I drop it, it might start singing different tunes to me, but, um, it's not really playing music. Okay.

Uh, now of course it can hold music, um, you know, all the things that hard drive is supposed to do, but the way it's advertised, sometimes it will, especially with security products, it'll talk about the, the secondary tertiary capabilities which the product doesn't actually do. Um, and, and we see that's pretty prolifically in most of the products that, uh, that the, that we create, there's a reason why, right? 'cause we're trying to sell something to somebody.

Um, but it does create a lot of confusion around, wait, I thought I bought this for this function, but it looks like I actually need something else to make that function really work. Right? I need a set of speakers. I need something to read the hard drive I need. I need these things that will make it play music. Um, even though right outta the box it says it's supposed to play music. Awesome, um, all right. I'm gonna switch, uh, switch gears here.

Um, and, uh, there was a little bit of a funny at the beginning about this, but it was, um, um, at the bank that, uh, Sunil worked at was where I first heard, um, his CISO say they had a leave no vendor left behind policy. Um, uh, so, uh, and very true, very scary. So with that same, um, thought process, you kind of have to, um, get internal investment and internal alignment, uh, before you purchase tools.

And the way that I would do it when I was in, uh, financial services was, um, I would sometimes use the auditors, um, nudge, nudge, here's the missing gap. Um, and then they would take this freebie I gave them, and that would give me budget, and then I would create policy around that to make sure that I got the correct controls in place.

Do you have any stories, uh, about gaining alignment or lack of alignment, uh, in bank of, you know, bank with America, uh, and maybe something that became shelfware or wasn't used because of a lack of alignment? Oh, wow. Yeah. There's, uh, well, so one, there is a lot of shelfware, but it's less because of a, well, I, I have a particular theory about why a lot of things end up being shelfware.

Um, uh, but you're, the problem that you're pointing out is still an entirely valid one, which is you don't get sufficient buy-in or sufficient, uh, uh, uh, concern about a particular area. And so people just, uh, don't see whatever you might have bought as actually solving a problem that they had. Okay. Um, and of course, money goes away as a result of that, but I actually think there's a different problem, um, that is perhaps more of a concern.

And it's actually represented in the cyber defense matrix. This, uh, this, uh, so you have the five by five grid, and at the bottom of the grid, there's this dependency on people, process and technology. And, uh, what, what I have seen is that, um, we oftentimes buy technology, but don't necessarily have the people to own, uh, to run and operate it.

And the degree of dependency on people, process and technology isn't consistent, or isn't constant across all five functions of the NIST cybersecurity framework. So what typically has happened is we start off buying technology that does identify, and, you know, this is like getting visibility. This is like scanning for vulnerabilities, whatever else it may be. And the technology generally works, um, without a hitch. It might need some, uh, uh, caretaking by, by an engineer and whatnot.

But for the most part, it largely works by itself. Then you go to protect, and there's a slightly greater dependency on people there. But generally, again, the technology works on its own. Then we get to detect, and these are things like your SIEM, okay? Um, and all of a sudden now the technology doesn't work as promised, and we're like, wait, hold on. Why is the technology not working? Well, it's because you need people to run and operate it and tune it and to, uh, continually feed it, right?

And if you haven't really thought through that dependency, all of a sudden you bought this technology that doesn't do anything for you. It it's not fulfilling the needs that you have.

And so, um, that degree of dependency, uh, spectrum on the bottom is a really good reminder to ourselves to say, uh, let's not shortchange the need for people, especially as you go to the right of the, of the matrix, and ensure that the technologies that we buy or the, the activities that we perform have the right ratio of people, process and technology so that we're not, uh, giving it short shrift in one way or another. Great. Uh, fantastic. I see the same things.

It was a, uh, a great example with the people part and the people alignment required to bring in a new tool. Um, uh, you, um, we're starting to see this more now in the MSP and MSSP space with detective controls. Um, a few years ago, uh, the only thing that was being rolled out was preventative things like firewalls and, uh, AV and endpoint protection and DNS filtering.

Um, you don't necessarily need to build out a team, uh, for that type of product, but you definitely need more alignment and more resources when you start to talk detection. Um, you're basically creating an alert generator, but having no one look at the alerts, right? Mm-hmm. Is, uh, at the end of the day. Yeah. And, and one thing to keep in mind is that, um, oh, first, first of all, let me, let me actually, uh, establish one paradigm that, uh, has helped people think about the problem space.

And this is the notion of left and right of boom. So boom occurs between protect and detect. So identify and protect is left of boom; detect, respond, recover is right of boom. Um, when it comes to activities on the left of boom, the adversary is trying to, uh, the adversary is working against static technologies. Okay? So the adversary is working to basically bypass your technology. So then on the right side of boom, can we expect technology to go find something that the adversary has bypassed?

And the answer is no, that logically just doesn't make sense. Can technology assist people in finding the adversary that has bypassed the technology that you have? And the answer, of course, is yes. People can, uh, make a, uh, take advantage of certain technologies that will help them find, uh, the adversary that has bypassed your technology. So, on the left of Boom, we rely largely on technology, but the adversary is actively trying to navigate or to evade that technology.

So, on the right side of Boom, um, again, our dependency on technology as the main, uh, capability to find novel attacks shouldn't necessarily be what we rely upon. We should really rely upon smart people who can create hypothesis around what the attacker might have done that has bypassed our technical controls, and then using the technology at the disposal, go and find those attackers. And that's on the right side of it. Fantastic. That's a great, uh, great answer.

So, uh, you created the Cyber Defense Matrix while you were at the bank, and, uh, uh, the bank was, uh, um, really large and used to tell me what your job was there. Can you, can you tell us, 'cause I thought your job was really, really interesting. Uh, when you were there, what did you do at the bank? Uh, well, my, uh, my unofficial title was Mad Scientist, so that probably gives you one hint as to, uh, what I did.

Um, but, uh, my team at, at some point was, uh, about, um, got, I think we were up to 70 folks at one point, uh, which given, uh, that I think most, uh, companies don't have security teams that are that large gives you a, a sense of perspective of the size and scale of the problem that we were trying to tackle. Um, but, uh, my, my job was really fun. I mean, I, I can't, I can't say that, uh, it wasn't fun.

I had a chance to talk to, uh, entrepreneurs a lot, um, kick around their technology, kick them around as well. Um, uh, one point we also ran, I also ran the red team, uh, and the hunt team. So lots of the kind of leading edge kind of things that you would expect, um, a an innovation function or a, uh, forward-leaning, uh, security function should take. So it was, it was, um, uh, it was like playing with, uh, your favorite toys every day, uh, breaking them, uh, seeing if you can recreate them.

Uh, part of my job function was also to create new technologies. Um, it wasn't, um, uh, there were too many vendors that occupied most of my time to, to spend time creating new technologies. But, uh, that was one of my initial charters coming in.

Um, now I, I should say with the organization this large, and, and maybe this will be relevant for MSPs out there, um, we had a really large organization with a lot of security professionals and practitioners who had a lot of different interests and needs. Um, what I did within my matrix was basically into each box, I put the names of people that I thought cared the most about that particular problem. Mm-Hmm, okay.

That helped me, uh, quickly find the right person whenever a new technology or new capability came about. And it wasn't, um, that those names changed on a, on a semi-regular basis, but, um, it helped me do the mapping much faster. Uh, there's so many companies out there that have, uh, a wide range of capabilities. How do I know that? How do I know who cares about these? Right?

Um, and so, uh, I did a mapping and I also offered people, Hey, uh, if there's a particular area that you care about a lot, and sign up for that box, so to speak, and if ever if I ever find something in that box, I'll let you know. You'll be one of the first ones to know. So it provided a good, uh, matching mechanism that, uh, made my job a little easier. Uh, 'cause in fact, I, I kind of played a marriage broker, if you will. Uh, 'cause I, I wasn't the end user at the end of the day.

Um, I had to find, I had to make sure that, uh, the, the startup company, um, or the services, whatever it was, had the, um, was talking to the right person that really cared and use, wanted to use this technology, uh, or a service that was, was being brought, brought forward. So, um, in some ways I was serving as an intermediary intermediary, but I also, of course, cared about the technology itself. 'cause I, I, I wanted to put it to use myself within my little part of the universe as well.

So anyway, um, playing with toys all day and, um, uh, beating up vendors, that, that was my job. So, I'm gonna paraphrase something you once told me that was really interesting. It was, uh, uh, no, no product, regardless of how large the vendor of, uh, was, uh, could work, uh, in an environment the size of your bank. Um, and so you like to get in super early, um, to help steer it, to make sure it would work in an environment of that size.

Uh, that really, uh, impacted me when I was thinking about scale in that bank. So, with that in mind, um, the, uh, Cyber Defense Matrix was created there. Is it because it was created in such a large enterprise environment, does it scale down to MSP/MSSP size? 'cause it's still useful in the SMB world?

Yeah, that's a great question and, and one that, uh, I, I thought through, uh, early on to say, how do I make this practically useful for not just the bank, but for everyone, all the other practitioners out there.

Um, and that was actually, I, I should mention, that was one of my incoming views to say, uh, when I, when I joined, which was to say, um, look, I can solve a whole bunch of security issues for the bank, but really, um, in the position at the fulcrum point that the bank is in, we have the opportunity to influence the industry as a whole. Why don't we take advantage of that in some meaningful way by, um, creating artifacts or things that everyone else can use.

And so that was, that was an actual goal that I had coming in. And so with that in mind, I tried to make sure that the, um, the Cyber Defense Matrix could satisfy the needs of smaller organizations. I, now, I, I can't say I, I, I haven't heard from enough small organizations to know where it has fallen short. Uh, but I, I do know many organizations that are smaller than, than the bank that, uh, have put it to use.

Um, one of the ways that I've tried to provide a mechanism that helps, uh, tailor it to a smaller organization is through this notion of, um, design templates or, uh, business constraints to be able to describe, if you will, uh, the nature of your specific business. And, um, essentially, uh, so, so the idea behind, uh, the bingo is, of course, you, you try to get enough boxes to declare bingo. We're not trying to play blackout. Okay?

Now, if you have a big enough budget like mine, maybe I, you could play blackout, but even then, it's not really, uh, cost effective to do that. Right? Um, and so the idea is that we would wanna find, uh, the right, uh, template that helps us understand what's the, uh, what's the minimum set of things I need to do for this part of my organization, this line of business, this particular function that may not necessarily have all the attack surfaces that some other organization has. Okay?

Mm-Hmm. And so essentially that reflects the way that reflects in a visual style for the matrix, is you basically just say, you know what? These are all free spaces, okay. Or, you know, you don't need to worry about checking these particular boxes because it's just not a need for this organization. It's not, it's not, it doesn't show up and, and, um, as a, uh, area of concern for this particular organization, and therefore, um, you can ignore it. Or, uh, it creates a business impact.

And because if you put a security control into one of these boxes, then it's gonna damage the business's ability to go do business. Uh, so anyway, those sort of, uh, design templates and business constraints is how I'm trying to make the, um, the cyber defense matrix useful for smaller organizations. What, what I would actually hope from the MSP community is that you guys already have across your, your customer base.

I believe that you already have some perspectives of these design templates, that certain organizations fit this type of template, and others fit a slightly different template. I don't think there's a, in, even though there's a possibility of an infinite number, you know, a near infinite number, I think you've, uh, actually grouped them yourselves.

And what I would love to be able to see is, um, however you've grouped them, that be manifested in some meaningful way, uh, represented in some meaningful way on the cyber defense matrix so that we can say, Hey, I see that your, uh, your customer a fits this design template and my customer, um, uh, x fits that same design template. What are the controls that you're putting in that strengthen customer a's posture?

Because, um, uh, I would love to be able to understand how I can do that for my customer. Okay? I don't know how, how the community works together in terms of sharing that kind of insight.

But the idea is, uh, once you have the same, once you know that you're working off the same template, we can then work together to improve each of our security postures, because we know that whatever, uh, improves, uh, X can also potentially improve A, without creating business impact, without creating any sort of impedance, uh, mismatches. Very cool. Oh, great. Thank you, Sunil. Hey, uh, uh, I'd like to yield the floor to Dictator Wes. Uh, it is now, uh, your turn. Well, thank you.

Maybe we'll let you stay around, Aaron. Good questions, Sunil. I've got a, I've got a million questions circling in my head, and a lot just kind of came up just from your conversations with Aaron. One of the questions I have, if you look, one of the things that's enlightening to me about the Cyber Defense Matrix, and I had no idea we'd be sitting here today actually talking to the creator of it, Kyle and I did, uh, almost a year ago, Kyle and I did a session on demystifying cybersecurity.

And it was exactly this topic, and we used your defense matrix, and I think for a lot of partners, and I wanna see this in the chat, those that are on chat, can you gimme a yes. Uh, if the first time you ever heard of the Cyber Defense Matrix was when Kyle and I shared about that, uh, at V Cyber Con almost a year ago, just gimme a yes or a no, because I think you're gonna see a lot of yeses come through here.

And so it's really, it's good for us because I think it's eye-opening and enlightening for us as a way to sort of think through a cybersecurity strategy. And Sunil, one of the comments I'd like to get your, yeah. Here come the yeses. I think the chat is just a little slow to come through. I knew the yeses would eventually come in. Uh, Sunil, one of my questions for you is observationally.

It seems like a lot of vendors, when you do the mapping and you do play the bingo game, are all on the left side of that identification and prevention, and especially inside what we call the channel with SMBs and MSPs who make up this group of, of the industry we serve. Seems like a lot are over on that side. Just gimme your observations on that. Is it gonna stay that way? Should it change? Yeah. So, uh, I had two theories on that.

Um, one is just that degree of dependency, uh, spectrum that you see. Maybe we just see a lot of technologies on the left, because, well, that's kind of where most of things go. All right. Um, oh, actually, I have three theories on it. So that's one. The second one is around, um, maybe it's because, uh, we, we understand the, the adage that, um, an ounce of prevention is worth a pound of cure, right?

So maybe it's just that we tend to weight more things, uh, to the left, because that's where, um, uh, from a cost effectiveness standpoint, preventative, uh, preventative measures are better than detective measures. That actually falls apart though, when you deal with, uh, very risk taking sort of, uh, organizations that are willing to, uh, instead, uh, spend more on detect and respond, because that's just their culture. Okay.

Um, I, I've heard for example, like, uh, like if you think about Amazon and their sort of day one mentality, uh, they want people to, to have fewer constraints and being able to build out capabilities. Uh, I think Netflix has a similar sort of culture where they, they don't want an engineer to be impeded at two in the morning, uh, with some security control, because at two in the morning, they'll just go to bed, right?

Any sort of little bump, and they're gonna be like, Ugh, I'm just gonna wait till tomorrow. And you lose out on some innovation because they sleep and they forget about what they were gonna try to do, right? So, um, anyway, so that's another theory, that an ounce of prevention is worth more than, um, is worth, uh, a pound of cure. And so that's why we see more technologies on the left.

And then, uh, my third theory is, uh, based on, uh, a new, uh, concept that I've been putting forth called the DIE triad. And Andrew may have, uh, posted some links on that in the past. But the, uh, the DIE triad, um, that one of the core tenets of that proposal that I have is we haven't reached the era, or we're just entering the era where we'll start seeing, um, where we're trying to solve problems in this particular space on the right side.

And so we just haven't given enough time for the technologies to emerge. Okay? Now, which of those is, which is, which of those different theories are correct? I think in some capacity, all of 'em have some merit, but, um, but, uh, I, I don't know what's gonna be the bigger driver for what we'll see on the far right. You know, I, and I want to dive in a little bit further. We're seeing some insight here in the comments as well that I want to kind of tackle.

Uh, Tim made a really good point earlier. So, uh, and I, I'm not gonna scroll through all the yeses I just commanded into the chat, but one of the things that Tim Fornet said that I thought was insightfully said, you know, for us as MSPs, Sunil, we have the, the more you shift to right of boom, the more it's people driven and it's less, you know, throw a vendor at it and hope everything just works. Mm-Hmm. Yeah.

MSPs have a unique challenge, and then that involves their customer base, their client base, who typically as SMBs don't care about security, don't understand it, they view it as just an extension of IT: if I'm just paying you per month, then therefore I should have no IT issues, and I should have no security issues. Any advice or thoughts for MSPs to bring their, their clients into this conversation? Because they are involved in cybersecurity as well, right? Um, yeah.

So, uh, so let me, let me also rewind the clock for a moment. So, before I joined the bank, I was at, um, uh, consultancy called Booz Allen Hamilton. And one of the things that I did there was I actually ran, uh, threat hunting as, as a service, if you will. Uh, this was well before, like even threat hunting was really popular. Um, but, uh, that was essentially, uh, one of the, the services that, um, that I delivered.

And, uh, it, it was an interesting, uh, challenge when I found something, and then I had to go back to, uh, the organization where I found it and talk through the like, okay, well, is this for real? Right? Is this a real issue? And the amount of, uh, back and forth that was required was pretty intense. I mean, um, because a, a lot of, it's a huge amount of tuning, right?

You need to make sure that, um, uh, actually, this is probably something that Kyle may see in his space, um, around, uh, looking for persistence. But, uh, developers love creating persistence mechanisms. They, they just love putting in things that, uh, allow their program to keep running persistently, and they all look malicious. Okay? Yeah. But which of them are really malicious, right?

And if, if, as you keep coming back and forth with, uh, new findings, uh, at some point the, the customer says, okay, stop. I mean, you're giving me too much junk, um, and, and I need to come up with, I, I need for you to come up with better, more high fidelity results. Okay? Um, anyway, that, that's a constant tug, uh, push and pull that happens when you have an outsource provider for, for these types of services, unless the outsource provider can get the insights directly from your systems.

So in other words, if I have a question about, is this legit? If there's a missing piece of information that requires me to have to go to the customer to get that, then you're just gonna have to deal with the fact that you have a lot of false positives. Okay?

But, um, if you can also get some additional insights off the endpoint, off of the network, whatever else it might be, then you can, um, then as the MSP, then I would suggest that I, I would think that the MSP can get that additional information themselves, uh, triage the findings and find ways to, uh, reduce the, the number of false processes, positives that the, that the business would otherwise have to deal with.

But ultimately, it comes down to what is the business, what is the business willing to, uh, give you, give the, uh, provider so that they, uh, you can, um, minimize the number of false positives, but then the more I give you, the more sensitive data goes across and blah, blah, blah. Right? Yeah, absolutely. And so I, I hope that, um, it, it's different for MSPs, right? Like it, they do struggle.

One of the, the recurring conversations we have in this call is, you know, how can we as MSPs continue to build a more, um, uh, more mature cybersecurity program and offering, because it's extended to 20, 30, 60, a hundred, 200 clients altogether. And so they have to share those resources. They have to share, share processes, they have to share, you know, vendors. All these things all go together in one consistent cybersecurity ecosystem and in an offered package.

And yet, even for those clients, they want to pick and choose and say, the clients say, well, I don't want that, that you have, and I want this. And I think that's too much for that.

And so this is a constant struggle for us, and I think the cyber defense matrix is a really great way to have an eye-opening experience into what I have, where my gaps are, and even be able to use that to communicate to clients what some of those gaps are, or the maturities that we offer that a competitor doesn't offer. Mm-Hmm.

Do you see, again, Sunil, I know you're not as heavily into the MSP industry, but do you see the cyber defense matrix could be used in, in that fashion of being able to convey value in the cybersecurity offering that, that our MSPs on the call today are offering to their clients? Yeah. Well, certainly my hope is yes. Um, but I would love to, again, get feedback on where it's not right because, or where it's not clear where that value can be realized.

Um, I, I, I'm pretty confident that there is, uh, that the MSPs can take advantage of the cyber defense matrix to be able to come back to their clients and say, um, we believe based on your current, um, security posture, uh, and the threat environment, that you may have gaps in these particular areas. And we have services to help you address these concerns. Okay.

Um, and, and to be able to have a really simple conversation around that in a, in a visually, uh, relevant way, I think is, it just makes this, I, I would think it would make this sell easier. I mean, uh, we were talking earlier about, uh, uh, how do I, how do you defend, uh, a budget request for some product that you wanna buy? Well, I, I have people who showed me their version of their matrix that they've, uh, shared with their executive management saying, okay, here we go.

Here's our heat map of things that, um, are coming after us and where we have gaps, and right here we have a gap and we don't have anything, uh, to address it. This is how much it's gonna cost. It's like, I mean, how, how much of a cleaner story can you tell when you can just put in that, in that sort of visual format?

There's of course, a lot of complexity if you wanna double click on it, but as a story or as a narrative be to be able to share with, um, uh, stakeholders to say, here's where we have a a concern and here's how we can address it. That's, that's pretty easy. I, I think also, uh, I think every MSP should think through and say, what do we actually cover on the cyber defense matrix? Right? Right. What are the set of offerings that we can bring forth?

And if you can think through that, I think that provides a menu of things that you have in your own, um, pantry, so to speak. Yeah. And, and just maybe a closing comment. Um, I, I very much agree with that. And one of the things I see from a lot of my friends in the enterprise, in fact, I had a conversation with one of them just recently. He went over to a Fortune 500 and Sunil within a week.

He was, you know, we were texting back and forth, and he was just letting me gross negligence and gross security issues in their security program. I mean, just immaturities across the board and no desire to fix it. And I think one of the things I've seen with a lot of those kinds of organizations is they just wanna throw more vendors at the problem. They just think if, if I just had three more vendors, if I just had that AI thready threat thing, it would solve all of these things.

And we're not thinking about it from a consistent form and fashion. And I, I love how the Cyber Defense Matrix, as, again, we go right of boom, we begin to see, hey, you can't just throw, and here's a vendor saying this, you can't just throw a thousand vendors at a problem and hope everything's gonna be fixed. Right? A, we know that never has happened in the past. And B, the more we go to right of boom, the less we see the capabilities without our people and our maturity processes in place, right?

Yeah. Yeah. Um, and again, just as the thing at the bottom is a reminder to say, if you're gonna solve a problem on the right of boom, then you can't ignore the fact that you're gonna have to throw people at this. Whether that's our own people, you know, within the organization, or, um, I outsource that to somebody else, in which case I'm essentially deputizing them.

I'm make, I, you kind of have to treat them as a, as really, uh, close partners in securing an organization because again, of that information disconnect that I mentioned earlier, um, so yeah, it just ha has to be a constant reminder that that's, that's something that, uh, one has to account for.

Um, one other general comment I I wanna make, and this points to, uh, the, the, uh, the DIE triad that I mentioned earlier that Andrew put a link into, um, one of the comments I make inside of, uh, that briefing is this notion of, uh, a workforce challenge, workforce shortage challenge, and what is the core cause of that challenge? And, uh, during the conversation, I also mentioned this, uh, um, dichotomy between pets and cattle. Okay? Pets and cattle.

And so here, here's the thing that I think, uh, we should think about as MSPs. All right? The MSPs are your outsourced veterinarians, okay? They, we are, you are your, the cyber veterinarians for the organization that, uh, has come out to, um, to, uh, help you.

Um, the question, one of the questions that if you're a veterinarian and you're trying to, uh, sign up for some plan, okay, for an organization, would you go in and say, okay, well, I don't really know how many pets you have, but here's the bill for, for your organization, right? Of course, you do some sizing, right? You do some sizing that says, here's how big your organization is.

But what I think might be an inter more interesting exercise is see if you can figure out how many pets they have. 'cause that's who we really need to worry about, right? Um, the pets are the ones that are gonna, that the organization really care about. And if your organization actually has a lot of pets, um, so, so let's say you have organization A, organization B, both have exactly the same demographics, okay? Same footprint, same size, same revenue, everything, right?

But organization A has 900 pets and 100 cattle, organization B has one pet and 999 cattle. Okay? I can, you know, I can, I'll make money hand over fist on this organization because if they're paying me the same amount for one pet, um, I can treat that pet really well. Okay? I can secure that pet really well, and, uh, the customer's gonna be happy. This one, you know what? You're gonna have pets run out into the street, get run over.

You have the SPCA coming after you, you'll get the CCPA coming after you. You get all these things coming after you, and you're not gonna have a good day. And so you need to make sure that even though the demographics look the same, the the organization with 900 pets, you're gonna have a lot more trouble with. So, Sunil, I'm, oh, go ahead, Sunil. I, I was gonna pick up, like obviously you and I have had a relationship in the past.

You've also, me as an early budding vendor, had a chance to beat me up, set me on some of the right path, all those fun things. Um, but what I actually enjoy, even though I love your mad scientist title, I never heard you use the matchmaker analogy today, but now that I think of like, mad scientist, you know, meets matchmaker, it's kind of the perfect description of you. Um, but I think what you're actually best at is the futurist, and as a futurist being able to convey things simply.

Uh, so it doesn't surprise me to hear you using the pets versus cattle analogy. It doesn't surprise me that you came up with a simple five by five grid with a simple, you know, progression of how much can be technology driven versus how much human. Um, but I think one of the pieces that hasn't got covered in here today reminds me of one of your earlier presentations where you described the pillars, right? Of NIST, and you said, listen, you know, the internet was early.

We had identification problems. The nineties came around, we had everybody with their IPS or antivirus doing protection. Two thousands came around. We've got, uh, you know, obviously, oh crap, we need to protect and defend, obviously, the birth of managed detection and response going into the 20, uh, 10. And now here we are in 2020. Is it safe to say recovery is, you know, kind of we're in the age of recovery now in 2020, or what's your thoughts on it?

Yeah, so I, I would've said that the, um, it, it, it fits nicely if you can fit the different eras into each decade. But the age of recovery started actually probably in 2012, or at least made its biggest splash in 2012 when, um, Shamoon hit, or you had all these really massive DDoS attacks hitting, um, various banks and so on and so forth. Um, and, and during that time, we tried to do what we can to address those problems.

Uh, but I think what we'll learn and what we'll, uh, learn more about in the, in this current decade is really how do you tackle those problems? Okay. Uh, and I mentioned earlier the DIE triad, but I haven't actually, um, described what that is. Yeah. Most people know confidentiality, integrity, availability, but you want to, you wanna dive into that? Yeah. So DIE stands for distributed, immutable, ephemeral, distributed, immutable and ephemeral.

And, and my argument is that, uh, DIE negates or lessens the need for CIA. So, uh, distributed, uh, and, um, ephemeral, sorry, uh, no, I'm sorry, distributed and, um, available, uh, or counterparts, immutable and, um, integrity are counterparts, and then ephemerality and confidentiality are counterparts.

And just so that it's clear, it is this notion that if I have something that is, let's say, highly ephemeral, why do I need to worry about the confidentiality of something that's highly ephemeral? And a great example would be something like, um, like this where you can see my, um, Google Authenticator codes, which I'm broadcasting to thousands or hundreds of people for everyone to see, but I just logged into your Gmail. Thanks. Yeah, you're welcome. Do that.

So, um, yeah, so like, what does it matter? Uh, why do I need to worry about the confidentiality of that? As long as it goes, it becomes useless after a few seconds, right? Uh, so anyway, um, the general principle then is the, the challenge that we have in the, in this coming decade is, uh, what are the solutions that we need to be able to address the challenges of recover, okay, of being resilient? And the solutions aren't more, um, uh, uh, it, it, it isn't more protect, detect, and respond.

It's actually a whole new set of paradigms, uh, centered around DIE that we need to bring forth. Uh, and where I would want the industry to come forth and say, here's how we build more systems to be more DIE or, uh, tools and technologies that help us do that. So an example would be like, um, disposable browsers. Okay? That's a situation where you have very, uh, more ephemeral computing, right? I don't really care that this, uh, browser gets compromised or this machine gets compromised.

Who cares? Right? And just move on. So, so that's sort of model, that sort of mentality is what we need to move towards. And this goes back to this notion of pets and cattle. Cattle, you have to CIA, okay? Cattle must be CIA... pets. I, I, uh, I'm sorry. Pets must be CIA'd, cattle can DIE. Okay, see, cattle is designed for... see what I did there? So cattle you design towards DIE.

Um, and if you can do that as the first step, then you don't have to worry about CIA, but if you fail to DIE your cattle, then you have to perform some activity around CIA. Okay? If I can't make something completely distributed, completely immutable, completely ephemeral, then whatever I fail to completely be able to do, I now, whatever I've created has now pet-like qualities, and I need to make sure that that pet-like quality or those pets, that whatever, has not become more pet.

Like, I need to make sure I practice CIA for that. So, Sunil, some of the audience asked the question, you know, why not both? Why not DIE both? Is it cost, is it convenience? Is it just too much? Uh, I am curious in your thoughts. Yeah. So, uh, here, here's the challenge that we have in this space. I, I don't think it's a hundred percent cat uh, pets. I don't think it's a hundred percent cattle. It's more pet like, or more cattle like, and we can choose to make it one or the other.

We can choose to make it more cattle-like by designing it to be more DIE-like, or if we fail that, then it becomes by default more pet-like, and we have to then, um, uh, uh, exercise the necessary precautions around CIA. So effectively all our assets sit, uh, kind of in the middle between those two. Um, we, we're just trying to design systems to be more and more cattle-like, and continue to drive it to become more cattle-like over time, mostly by getting rid of our pets when we can.

But pets are kind of hard to get rid of, right? You you have a very emotional attachment to those though. Yeah, I get it. And when I think about like, emotional attachments and people not wanting to get rid of, I think of, uh, the SMB tends to be a little bit behind like a, a cybersecurity poverty line. We tend to hold on to technology maybe a little too long, um, because hey, it's antivirus, it's guaranteed protection.

Um, as you saw, and we kind of, you know, real quickly aligned, you know, maybe with the decades, maybe there's some variance in between. Are you seeing people hold on to some of that older technology of like protection and not moving to the right of boom. You think it's an education problem? I'm just curious what your observations are and obviously relating that to our SMB audience. Yeah, yeah.

So actually it's funny 'cause uh, uh, when I was a consultant, uh, or even afterwards, I heard this notion of somebody comes into an organization and the comment is, it's like they were stuck in the nineties. Okay. Um, and, you know, I was like, why the nineties? Well, it's interesting, but if you look at the, uh, the DIE presentation, I mentioned the nineties is the Protect era. Okay? The nineties is when we first came up with, uh, when, when, uh, AV and firewalls became more mass market.

All right? We're stuck. The organizations are stuck in the nineties when all they do is AV and firewall and that they think that's sufficient. Um, to move into the two thousands and the subsequent eras they do need, uh, detection and response capabilities. And if they don't have that, then yes, they are stuck in the nineties.

Um, but if they're stuck in the nineties and they have a bunch of legacy systems, um, and they have an opportunity to redesign, then I would say skip the two thousands and 2010s and instead go to the 2020s where we're designing systems to be more cloud native, to be more like cattle instead of pets. Um, but if you still have pets, yeah, you know what, if you haven't moved past the nineties, then you might as well treat them as being fully compromised at this point. 'cause I'm sure they are.

Um, right. I, I mean, really I, when, when, when, when we ran threat hunting, um, uh, uh, exercises, there was, we, um, I, I'm only hedging because I, I can't remember where if we ever didn't have this case, but I'm pretty certain that we had a hundred percent, we found, uh, a compromise in that, that environment situation. A hundred percent. Right. Uh, I might have missed one, so I don't know, 99.99. Nine nine, okay.

But it was, uh, we were pretty confident that whenever we went in to hunt for an adversary, we can find, uh, evidence of compromise all over the place, especially if they were still stuck in the nineties. Yeah, I agree. I see. We're right at the top of our hour, so Sunil, I won't eat up too much more of your time. Um, with that said, I try to convince my wife that I age like wine. Um, she tends to tell, uh, tends to tell me that I age more like, you know, milk. Yeah.

Um, which is, you know, not the nicest of things to say, but I don't think I'm the only one that's aging like milk. Are there anything as you're, you know, getting ready to sign off the sucker warning, maybe the audience of like, you need to be aware that some of your stuff truly does prove, and maybe some stuff doesn't. You got any words of wisdom to leave, uh, the audience with before we depart? Yeah.

So the analogy I oftentimes give is that vulnerabilities age like milk and attackers age like wine. Um, which is, which means that the combination of vulnerability and, and threat, uh, ties to likelihood, the likelihood that, uh, a bad event's gonna happen only grows up, grows, uh, worse over time. Uh, the only thing that's really within the control of the business is to design things to be more like, uh, cattle.

So from the standpoint, uh, of, uh, MSPs, I, I would love for MSPs to actually make that clearer, uh, to organizations that, Hey, look, we are your veterinarians, but it doesn't do us any more good if you create more pets. Okay? Uh, please, please, please build more cattle. We, uh, are happy to take care of your pets, but don't create so many that it makes our lives. Uh, it really makes your life hard, right? You lose business agility with every new pet you create. Okay?

It may be your cash cow, okay? Um, anyway, you got the idea. Uh, it may be your cash cow, but, uh, you know, don't treat it like a pet. Um, treat it really like cattle and, uh, you'll have business agility. It'll make our jobs easier, it'll make everyone's jobs easier. Um, but the more pets you create, the harder it's gonna be for all of us. And, and that's speaking as your veterinarian, right? Who makes your, who makes money off your pets, okay?

We have your best interests here, and so we think that you should move towards, uh, building more cattle instead. Love Sunil. Thank you. Um, gosh, we, I know we covered a ton. I know this could go another hour easy.

Um, and I wish we could do it, but, uh, I just wanna summarize with, you know, the things that you, the point you said, the things you care about, I think for MSPs, that's a really important takeaway because, you know, Kyle, I, I, and Wes, I'd just like your closing comments on this.

I think all the time we're always talking, you know, when we're face to face with customers about, you know, technology a lot of times, but when you look at the matrix and you start to think about, well, wait a minute, what are the things you care about as a business? And then if you can use the bingo card, you know, what, what are your thoughts on that, Kyle, I'll leave it to you, Wes, and then we can kind of wrap up, but that's what the thing that struck me. Okay.

Wes, I'm gonna tick first and leave you with closing words. Um, at the end of the day, the thing I appreciate most about the Cyber Defense Matrix is there's just so many purposes of it. Um, my one call to action to the audience would be help Sunil continue to figure out what other uses there are in the SMB. He's obviously come in from a position that's further upstream, but we could help grow that too, and he could help, you know, maybe shape our direction of how we use it most effectively.

So let's keep this conversation going. With that said, I know you can use this cyber defense matrix to show value both in your internal org and your external. So it sounds like maybe we've got a follow on content. Yeah, absolutely. Wes, thoughts come to a, Yeah, I think that's it. I mean, that's it right there. Let's continue to use this and mature it. And Sunil, thank you for being willing to take feedback from our MSPs.

We, we've seen tremendous growth in maturity around our partners that are on this call today that are truly driving SMB security that no other way is it possible. And, uh, there's some things, even like Annie said in the questions and answers that we never got to, she said, you know, even what about assigning higher, higher value to certain boxes on the bingo card? Versus like, that's a great idea. There may be some really innovative things that we can produce.

So as we continue to use it and trial and error, let's keep the feedback loop open so we can continue to talk with you, Sunil. Aaron, thanks for coming on as a special guest. Any closing thoughts you'd like with, uh, Sunil here? Uh, it's nice seeing you, Sunil. I think, uh, what I'd like to, what I think would be interesting is maybe a discussion at some point here on cyber call about the future. Like, Sunil is usually five to 10 years out from the industry.

You know, I felt like today we covered a lot about what's going on now, um, and how to get us to now. Uh, but there is a whole nother world of what's five years from now, what's 10 years from now look like, which is kind of interesting. So it was nice seeing you, uh, Sunil. Um, and thank you Andrew for having me on. Yeah, well thank you Aaron. Sunil, what a pleasure having you.

We hope to have you back and, uh, um, yeah, I think we can use what you're doing tremendously for the MSPs, so really appreciate you coming on with us today. It's my pleasure. Thanks for having me. And I put out there, um, my email for anybody who wants to reach out and, uh, get more insights. Awesome, everybody make it a fantastic day again. Take care everybody. Bye. Thank you. See you. Bye.