October 26th, 2020
In this video, Dr. Johannes Ullrich from the SANS Institute joins the Cyber Call to discuss the importance of understanding and prioritizing cybersecurity threats. The conversation emphasizes the need for MSPs to focus on protecting the most critical assets and to avoid getting overwhelmed by less significant alerts and data. Dr. Ullrich also shares insights on the evolution of ransomware, the value of understanding customer businesses, and the benefits of collaboration and information exchange within the cybersecurity community.

- The importance of collaboration and sharing information in cybersecurity was emphasized, highlighting that learning from others' mistakes can be valuable.
- The discussion pointed out that focusing on basic security measures and understanding the business needs is crucial, rather than getting overwhelmed by numerous threat intelligence feeds.
- MSPs (Managed Service Providers) need to understand their customers' businesses to provide effective security solutions and to make a compelling business case for cybersecurity investments.
Video Transcript
All right. Welcome everybody. This is the Cyber Call. And guess what, Wes, we and Gary, we just hit 2,300, right on, on the, in the community. And, uh, you know, normally we see Hans the Ax Maker or Wes' Bear Emporium. Does this mean we're gonna have a sales call role play here with, um, Dracula? Dracula? We, we, we just might. Count Chocula, Count Chocula. All right, so let's get right on into it. I'll put up a few things.
Um, during this, we've got a really interesting, if you are an MSP or MSSP doing a lot around CMMC. Um, we are doing a really, um, interesting webinar with Ryan Bonner, who, if you've been with us, uh, previously, um, he's gonna join us with NetX. And one of the things they've gotten together to do is, um, they figured out how to get all of the taxonomies collected on previous CUI and the new categorizations of CUI. So we're gonna be talking about that.
Obviously, that's gonna be a big, you know, big, uh, factor, for lack of a better word, in what level you're going to, to do, so I'll put that out there for everybody. Um, and so let's just talk about today. We are joined with Dr. Johannes Ullrich of the SANS, uh, Internet Storm Center and SANS Institute. Welcome. Uh, thanks. Thanks for having me. Yeah, thanks for joining us, and very excited to have Phyllis Lee on with us from CIS. Hey Phyllis, thanks for joining us. Hey, great to be here.
Thanks for asking me to join. It's awesome to have you, as always. And Gary, back, thanks for joining us back again. How were your, uh, peer groups last week? Uh, awesome. Yeah, they were great. You know, we run 'em over four days, 125 companies, MSPs, high performing, seeing the opportunity, but again, uh, they're being successful because many of them have matured.
They've been working on their proactive process and on their security standards, and so now they're really able to use security as a wedge, right? Yeah. So selling more and selling at a higher price. So just awesome. It, it was an awesome week. Really, really glad to hear that. Okay, so let's get right on into it. Like I said, I'll put a few things up so that you guys can, you know, look and click on those, but I wanted to get right on into it. Um, with Dr.
Ullrich here, Johannes, I was reading about you and, um, had no idea that in 2005 you were named as one of the 50 most powerful people in networking. Um, that's saying something. Can you tell a little bit about your background? Because, uh, I think people would wanna know. Well, I, I think, uh, Ray, what triggered that a little bit was that people really recognized back then that, you know, collaboration, uh, exchanging data.
And so it's a really important thing and, uh, with the Internet Storm Center and earlier, so with SANS and incense.org, DShield.org, so those initiatives, uh, particularly during that time, have followed a lot of the worms that came out. I'm not sure if anybody still remembers things like MDA and SQL Slammer and Madu and such.
And by building these, uh, sensor networks, which we still use today and that still work great today, uh, we, in the community, were really able to sort of fill in a lot, lot of the gaps, uh, in our understanding of some of these events. That was exciting. And that's sort of, you know, what I'm still doing and still having a lot of fun with that. Very cool. Well, I don't know, Andrew, if you know, but Wes and I were voted at that time the bottom 50.
You, so I, it just makes you old, kind of. Yeah. Well, Wes, you just, you, you, you, you ripped the thunder out, which is okay, so you put DShield in there, which is awesome. So, um, Johannes, can you, you tell us about, you know, how you ended up, uh, at SANS? Tell us about DShield and, um, and, and I wanna close after that as I hand it to Wes, um, what everybody on this show should be doing first thing in the morning or, if they're up at night, night owls, um, because that's how I got to know you.
So, but please tell us a little bit about, uh, your background. Yeah, I hope you have a couple minutes for the full story, kind of. Yeah, we do, we do, your time. I would say it's a little bit of a superhero origin story, kind of, right? It involves radiation, it involves a physics lab, kind of, uh, so, uh, I actually grew up in Germany. You may notice this by the accent, I dunno. But, uh, the, uh, and I came to the United States back in '89, I think it was, uh, uh, to study physics.
And it was supposed to be a one-year exchange program, but somehow it evolved into more. But anyway, uh, and my first foray sort of in networking was really in the physics lab. And, uh, I worked with X-ray optics, and I tried to avoid that superhero thing. Apparently it doesn't really work that way. So I, I tried to stay back from my experiments.
I remote controlled them, wrote a lot of software and networking, and that's what I did, kind of, uh, at one point I got a cable modem at home, and this was like, you know, mid-nineties, they were still really new, when, yeah, when you were looking at your Windows system's Network Neighborhood, it was literally your neighborhood, kind of, all times of the internet.
And I wanted to have a router so I could connect better to my systems at school, because, you know, who wants to go in, in the lab every day when you can do it from home. Uh, so I set up a little Linux system back then as a router, and sure enough, um, good old networking principle, once it works, don't touch it. Uh, I just got it up and working. It ran until I got the call from the ISP that I was sending spam. And apparently, um, someone figured out that, and back then it was normal,
Linux ran an open mail relay. Uh, so me being in physics, I wanted to collect data. So I looked at firewall logs, I started collecting them and talked to friends. And that sort of then evolved into what became DShield.org, which was a system very basically just saying, Hey, you know, volunteers out there, send us your logs and help us understand what the attacks look like.
Uh, and, um, eventually I changed professions, first becoming a web developer for a couple years, and then, uh, later started working for SANS, where, well, I'm now sort of running the research part, the Internet Storm Center. That's sort of what I'm doing for SANS these days. That's awesome. So Johannes, I'm putting in, whatever your flavor of podcast is, um, I put the URL in there, but, um, five minutes, six minutes max every single day without fail.
Um, I feel like I know Johannes, but listen to, um, you know, the Storm Center Institute and, and I put a lot of this in the cyber nation, but man, if you wanna be abreast of the latest vulnerabilities, the latest, you know, phishing kits, attack vectors, like, these are the guys that are on top of all of this doing the research, and it's for free. And he's, you know, I, I wish I could summarize the Cyber Call in five to six minutes, but, um, but he does it on a daily basis.
If you're a night owl, it's probably out, what, Johannes, about 10:30-ish? Give or take some, yeah, that's about it. Basically, when I'm done for the day, I just record it. That's sort of, uh, what happens. And it's five minutes because I don't have time to do more, kind of. Well, you do an excellent job, and I encourage everybody out there to subscribe to, to that podcast.
Wes, let me turn it over here to you and, you know, kind of dig in, because you were doing some really great research, um, that I know you want to talk to Johannes about. Well, yeah. So Dr. Ullrich, first of all, uh, Andrew is, uh, I know he, he, every day, I think at 5:00 AM while he's doing his Jazzercise, which he's known for, uh, is when, uh, he listens to your podcast. You know, I'm curious, let's dive into that a little bit more.
What goes, what's your, what goes into your criteria to make a great podcast like that in such a short time? Like, do you just search like 10,000 news sites? Are there three or four go-tos that you have? Like, what goes into the production of that? Yeah, I probably have about a dozen of sort of go-tos that I have. And then of course Twitter and things like, also things that people send us in during the day.
So it's sometimes not me necessarily going out, but people asking questions coming in. I try to ignore the marketing people that, um, send me stuff. Uh, but yeah, if you have something interesting, maybe, maybe every so often I throw something in there, uh, but it's really a mix of all of that. And, uh, like I said, it's five minutes because when I started out I said, Hey, I wanna do this, you know, every day.
Uh, sometimes I'm traveling, at least I used to, and, um, it has to work then too, so there is no music whatsoever, because I'm really bad about music anyways. You're gonna get some German techno, some stuff like that. So, uh, I'd rather leave it without, and, uh, yeah, that's, that's really what it is, and what, it's very personal. It's what I consider relevant.
Uh, and, uh, the way I put it, it's five minutes that are supposed to make you sound smarter when you show up to work in the morning and, uh, got it. I hope that's kind of what it does. That, that's awesome. And, uh, I wonder if you might share in, in the chat when you get a minute, just a couple of your favorite news sources. We're always hungry to, to know what others are listening to. Sure.
And also, you know, I think your German, uh, techno probably has a lot of interest in this group, so you might have to share your Spotify latest as well. Have any hands up access to that. Wes? I go back to the Scorpions, so I go back German rock. The only thing we can't do is we can't let Andrew, you turn your, your Jazzercise into that, 'cause your heart rate will just go, uh, yeah, work. Look. So Dr., Dr., you don't want any images of me Jazzercising. Lemme tell you. Trust me, of us do. So, Dr.
Ullrich, uh, another question. I think most of us are probably pretty familiar with SANS and, and love the mission of what you guys are doing. Talk to us more about the, the ISC. What go, what, what is it? What goes into it? Just teach us more about that. Yeah, so ISC, the Internet Storm Center, it's a little bit the research part of SANS, and as was pointed out before, it's sort of all three, and there are really sort of two parts to it.
There is the backend, DShield, that's the side that I originally started, and that's where we collect firewall logs still. We also now have sort of a network of honeypots, and if anybody wants to set one up, um, I'll probably put some URLs in the chat there later on how to accomplish that. Uh, that sort of, these are these automated sensors feeding in, uh, data. But then we also have, you know, people writing us about what they're seeing. And that's always very interesting.
So we can kind of compare it to what other people are seeing, do we actually see that's a global problem or just a problem that particular individual has. And then, uh, we do have about 30 volunteers. We call 'em handlers, uh, that basically, the way we put it is each day one of them is on charge and takes charge of the internet, has that big knife switch, kind of, and, uh, and they respond to anything that's coming in.
And they also, you know, usually write up something about what, what's interesting to them. And, um, if you read on it, like, you know, lots of sort of hands-on tips, uh, about how to deal with certain problems, uh, because they all have real day jobs too, they work as security practitioners. So it's not that, um, they come up with stories that, um, again, they're being, so it's just, uh, stuff they have seen in their environment. Got it. Okay. That's great.
And, and I guess maybe just a follow-up question to that, it's a privilege on the Cyber Call to bring on so many distinguished hosts. We just had Chris Sanders, uh, join and, you know, he, I'm sure you read or are aware of his book on honeypots. This is a privilege to be able to get to connect together some of these great MSPs of the 2,000, what are we at, Andrew? We're at 2,302, we just broke the 2,300 mark. This is really good for us to connect everyone together.
And I guess, how can MSPs get more involved with what you're doing? Are there links? Are there things that you could use? Is there input they can provide? How can they get more involved with you and the ISC? Yeah, so, uh, the Storm Center website, I think, uh, was already being posted, uh, to the feed. That's probably the first starting point, of course. Uh, now we do offer a number of data feeds. Like, all the data we collect, uh, we immediately turn around.
So we don't want to be one of those information sharing organizations where you share with us, we don't share back with you, kind of, I mean, we wanna, we want to be two, two-way, real time. Uh, these are interesting feeds for you to understand better what's going on in your, in your network. They're not necessarily block lists. I'm a little bit opposed sort of to some of these, the way they're being used.
Uh, but, uh, you know, if you see someone attacking you and, using our database, that, that same IP address attacked, like, you know, 5,000 targets, it's probably not a targeted attack. Uh, they're going after... Uh, if you're seeing a spike of attacks, um, against a certain URL, against a, a certain port or something like this, uh, you can use our site to help you better understand what's going on.
And you, and so a little bit the internet help desk, if you see something new and different, uh, write us. I can't guarantee, we don't have any SLAs for, for a free service. Uh, but, um, uh, we try our best to help you out. And you know, what works sometimes actually best is sort of that community where, um, if you give us permission, you send us something in and we just put it out there, say, Hey, you know, um, best, send us this particular log. And we have absolutely no idea what it means, right?
Uh, anybody out there that knows. And, uh, and then, you know, we get the, we get the input from other readers, tens of thousands of people that read, uh, this every day. Uh, so chances are there's someone somewhere that may have seen something similar and may be able, uh, to fill us in on what it really means. And is, is it important or not? Yeah. Got it. And, uh, Dr. Ullrich, you said something that I wanna, wanna, I wanna zone in on. You said something about block lists.
I want to, I want to talk about that a little bit. Um, I'm gonna post a link to an article that you just wrote, I think, a couple of weeks ago. And it is really, really good. I encourage everyone to read it. Mm-hmm. Um, can you talk to us a little bit more about this whole, you know, today no one's going to attack you.
I can tell you, um, as a former practitioner myself, all of the marketing buzz that we hear, all the recycling of old hash news, you know, I remember the, you know, they're gonna be able to see from the, the, the CPU waves that your, uh, computer makes. They can read what's going on. Like, all these things that hit the news cycle. And honestly, Dr. Ullrich, it hurts our industry. It hurts our reputation. We become the boy who cried wolf all too often.
People shake their heads, and no one takes security seriously because of these things that we do. And can you elaborate a little bit more about all of that, because that's such a good article. It was close to my heart. Yeah. And so, um, maybe a story that sparked that a little bit, even though that story was like years ago. But, uh, as I say, people write into us and there's a little bit of an internet help desk.
And I had this one person that kept writing in, uh, not an IT professional, uh, something financial apparently, was compromised at one point, lost some money and hired someone, not sure if it was an MSP or some consultant or so, uh, to secure his network. And, um, they set him up with all Macs because they're secure, and I love Macs. But anyway, uh, and they set him up with one of those small business firewalls, and best I can tell it basically ran Snort in that firewall. And now he gets alerts.
Uh, now he gets alerts all the time about, Hey, you know, you received a malicious attachment. And then he sent me the alerts, is it bad? What, about three, four times a day? Who knows? Who knows? He's blocked, he's blocked. Usually it's not. Usually it's not. And that, that's the thing, like, uh, many alerts that these tools give you don't really mean anything, uh, unless you do some real careful tuning and you understand the context. Uh, where the alert is in the network, what happened next?
Uh, you need a lot more information for that. Uh, but tools make it look so easy. And that sort of then leads to, uh, this idea where people say, Hey, I'm being attacked all the time. And I have to admit, we have sort of this little misleading graph. I try to hide it on the website a little bit, but the survival time, uh, and that's the time between sort of packets hitting your firewall and getting blocked, and it's in the, in the range of minutes, kind of, for an individual host.
But, uh, it doesn't mean that everybody's really sort of attacking you personally. Most of this is stupid Mirai scans. Uh, if they're still inbound, not outbound, then you're good, kind of. And if you had that problem, uh, this was a problem for you five years ago and not today, really. Uh, so, uh, and as a security professional, it's important to just step back and say, Hey, it's probably nothing.
And obviously, one of the most difficult things for a security professional doing intrusion detection and such is how much time am I going to spend on this particular alert? Uh, and that it's important to just say, Hey, let's move on to the next thing. Uh, this really doesn't matter. Uh, and I think, uh, that, I guess getting a little bit more relaxed attitude.
Uh, we do a lot of good for security in some ways, and that's just saying, Hey, no, uh, there are really only a couple attacks that matter these days. It is the user opening that attachment and, and running, uh, the malicious executable. It is the blatantly open, um, firewall admin interface that you have, uh, in the network. Uh, those are really the things that matter, and if you take care of a few things like that.
So talking about it here too, fellas, also the Critical Controls, uh, uh, the, um, uh, you're doing pretty good. And, uh, don't, don't cry wolf all the time and don't, uh, run like, you know, with your hair on fire around all the time. It's usually just yet another day. And yeah, you'll get compromised occasionally, but, uh, let's hope that's not too bad when it happens. I, I, I love it. And thank you for having the wisdom to share this with us.
When it comes from someone like you, that means something. And, and I, I mean that, like, I encourage everyone on the call today, go read that article, take five minutes of your day and go read that article. Because I think it shifts our mindset into some things I think are really important for us. You know, if I can be honest for a minute, in the world of cybersecurity, we do struggle with high stress. We struggle with, am I doing the right things?
You know, we buy these alert generators, like you talk about, we talk about that a lot. Where I work at Perch, you're just buying these alert generators, they're doing nothing for us. It causes stress. You add to that, you know, you see the, the, the ramifications of the attacks that happen, and we just sometimes don't know the direction to look. And that stress even leads to physical things like alcoholism that I think are a big part of our life.
And we should talk about those things more often in our industry, of how I'm not sure that we're still doing everything right here, and sometimes we are looking the wrong direction and it's causing problems, even physical problems for us. Dr., so thank you for having that article and writing it. I thought it was really, really insightful. And I think you can take it a little bit further, even, even as a consumer, to really, um, Hey, if my social security number gets stolen again, who cares in the end?
Um, it's, it has already been stolen so often. All social security numbers have been stolen multiple times. Um, it's, uh, focus on important things, focus on, like, staying in business, really, and, um, not necessarily on all the little news headlines that, that keep popping up. Yes, indeed. Dr., thank you. I was gonna say, say, man, you talk about staying in business. What a great segue over to you, Gary, because, uh, something near and dear to your heart. So let me let you kind of take over.
Yeah, it's really interesting to hear. I'm, as you talk about noise and, you know, actually spending too much time on the wrong things keeps you from spending time on the right things. Like, that's in all aspects of business. And I remember we were early on when we got, like, the first RMM and we turned on every alert. And until the point was we would miss things because we couldn't check every alert.
And it wasn't until we went the other way to say, these, we're gonna turn off these, we're gonna look at once a day in bulk, and we're gonna get down to when we know we actually get an alert, it's something that reasonably we should spend some actionable, you know, time on.
So, um, one thing that I want to ask you is, uh, what I think IT professionals struggle with, whether they're, you know, working in a company or as MSPs working with our customers, is that conversation. Like, we live in this world, we understand the risks, how to convey that. Like, what is that conversation so we can get someone who maybe we need to get budget from, they hold the budget in a company, or they pay our bills as an MSP, and we have to somehow show that. Does that make sense? Yeah.
And that's actually something that we sort of, you know, struggle with in our graduate program, 'cause that's something we want to teach students, is yeah. Uh, how to interact sort of with, um, C-level management, uh, how to make your case for a new security tool. And, you know, it really comes down to staying in business, you know, that, that idea that, uh, why are we doing this? We're not doing this to stay more secure per se. That's part of it.
But, uh, we are doing it to, uh, support a certain business initiative. Uh, so yeah, you know, um, we want to be able to work from home and, in order to support that, we need VPNs. We need some infrastructure, some security infrastructure to enable that. And, um, now I can get money. I can get money, uh, for a VPN 'cause it'll enable us to stay open, uh, during the pandemic and have people work at home. I don't get money to encrypt data. Uh, that's, that's not really the business use case here.
And it, it's hard for the techies. It's hard for the techies also, uh, sometimes to know what risks to accept. And that's an important security concept. Like, you know, there is, it goes back sort of to that burnout. So there is no perfect security, and don't, don't go for that. You'll fail, you know, you'll set yourself up. I love retail as an example there, you know, every store has, like, that bargain bin outside of the, outside of the store.
Stuff gets stolen, I bet, all the time from that bargain bin. But as long as it's worth having it out there to still make money, um, we'll keep it that way. Yeah. So, um, similar with, uh, IT security. You have to find out, uh, what are your key intellectual properties that you have to protect, um, build some enclaves around that, uh, protect that data well and really focus. That's really what it comes down to.
You know, focus on the parts of the networks that matter and, uh, the information that matters and protect that. Yeah. You know, I was having a conversation last week with some of our MSPs and, you know, I was saying, like, Hey, you need to be going to every customer right now explaining the landscape. You need to be showing them why they need to invest more. And then when you're done, tell them they're still not secure. They're just more reasonably secure.
But not setting that expectation that, Hey, you're gonna do this, now you're gonna be secure. And what this really comes down to, and I think that's a problem I've seen sometimes with MSPs when they sort of start talking security and such, is understanding the customer's business. Uh, because you often deal with a wide range, depending on how you're set up, of different businesses.
And it's really important to see, uh, how that customer works, what's important to them, and, uh, uh, listen, you know, not just talk, but also listen to their problems, the problems they have, uh, maybe also listen to. And that's, I think, a role that I've seen MSPs sometimes play, uh, uh, learning from other businesses in the same field. You know, what was the problem for my other customer?
Uh, now I can explain to my new customer, Hey, I already know the problems you are having or that you may be having in the future, and I can sort of proactively help you with that. Wow. So you're saying as an MSP that if we actually know about our customers' businesses, that would be valuable? Yeah. Listen, you've just hit on my life's work for the last 10 years, trying to get people to learn about the business first, but now as security comes along, it's, it's really hard, right?
To make a case for, for their business. If you don't understand it, and you're saying you have to make that business case, right? I always bring this example that I learned the hard way. Of course, we all have our lessons, kind of, our scars, and this was as a young, stupid web developer, uh, where I wanted to be really secure. And, uh, one site I ran, they, they sold women's shoes. And at the time, I wasn't married and I had no idea how women's shoes worked.
So I put an anti-fraud thing in there that if you order more than six pairs, it has to be fraud. And I canceled. Um, needless to say, that didn't go over too well. And I had that conversation with the customer about, apparently for some people, the color of shoes matters. And, uh, those things, it's really important.
And in particular, in this case, I had, like, you know, a couple dozen customers to deal with, uh, a very wide range of businesses and problems, and you just, um, yeah, sometimes don't listen, kind of, to what their real problems are and what the risks are they're willing to accept. Yeah. Uh, like they're doing, like, the free return shipping and such. And so, uh, they accept the risk of people ordering a bunch of shoes and sending most of them back, kind of, you know, that was, uh, something they accepted.
That's interesting. I, I, one other question, because you get information. Um, we have, we've seen during the pandemic in terms of MSPs, just, just so much more activity, uh, right now in terms of, you know, threat vectors. Have you seen a change this year in terms of the number of attacks, the sophistication of attacks? Like, and you gather so much info, like, what does it look like, the last six months compared to prior to that?
I'm not really sure how much of it is really related to the pandemic. I think that's sometimes a little bit over-interpreted there. Uh, there are some things, uh, like, there's sort of two classes of attacks I think that really took off this year. Mm-hmm. Uh, one is attacks against security gateways, your Citrix and Pulse VPN and some of these VPN solutions. They actually started, like, late last year. Uh, many of these attacks.
And I think the reason for this is not the pandemic, it's just that researchers really figured out how to find these vulnerabilities. Uh, so we have sort of this proliferation of easy to exploit vulnerabilities in these systems, and of course, these are key systems to exploit. The part where maybe the pandemic played a role is RDP, uh, because for many people, that was the quick and easy way to access their networks remotely. Yeah.
Uh, that was often, uh, without really thinking through how to install it, uh, just sort of on the way out of the office, you sort of click the button to, yeah. So you're saying you feel like this has just been a natural progression of the maturation, right, of all the investment that's then been made on the other side. Um, and then just some new opportunities opened up, uh, as people went to work from home and whatnot.
There may have been a little bit of a problem with patching some of these devices just because they became more business critical. Uh, but, you know, I think the pandemic is now, you know, six, nine months old. If you haven't figured out yet how to update your firewall remotely, uh, you probably didn't know how to do it before the pandemic. Uh, and for the most part, uh, many of these attacks, vulnerabilities, they play themselves out in the first week after the attack is discovered.
So if you see now a news release that China is going after Citrix, they're late, the Iranians are already in there. Uh, but, um, it's, um, uh, so like, you know, I don't think really the pandemic has mattered as much as sometimes people think it mattered. It was, yeah. Let me ask you just one last question, and I, and I, I want to turn it over to, to Phyllis.
Um, if, if you could look today what you see in security, and if you could go back further, if you can go back three years, what's the biggest difference between, um, you know, how you need to protect yourself and what goes on today compared to if you go like three years back, you have such a long history with this? Uh, well, I think, you know, the, the most significant sort of recent development on that sort of three to five years scale, it's probably ransomware.
Uh, before that they just stole your data, uh, but again, it didn't take you out of business. Yeah. Now with ransomware, they're taking you out of business, and that's, I think, a real important, uh, escalation of this. Uh, the other part is now they really learn sort of, uh, the attackers become smarter too, sadly, sometimes. And I think they learned that the data has to really not been all that value valuable for a long time.
Um, like, you know, credit card numbers and you Google for them, you don't really have to buy them anymore. Uh, similar with social security numbers and things like that, uh, such as stealing the data has really, uh, economics 1 0 1, I always say, uh, you create more copies of the data, the less scare something becomes the, the less valuable it becomes. Uh, so they eventually figure it out. That ransomware of goes the other way around and you sell the data to the one person, it's valuable.
Most that's, uh, that's the person who actually own that data. So I think that's probably the biggest sort of escalation and change here. And particularly the threat, the existential threat to businesses, large businesses, uh, became, you could Say thank, thank you, thank you, Bitcoin. Yeah. We're making, We're making people be able to, you know, pay things in a way that we could ransom them Now that, that thing just didn't work that well for. Yeah. Good. Awesome, Phil.
So I'll turn it over to you. Okay. Sorry, I have some construction going on the back end here. So, um, we talked about working from home. We, at CIS had to make some adjustments to support everyone working from home. We closed down the offices, many government agencies as well as private industry did. So, um, and I'm assuming, you know, SANS already had a remote workforce, however, um, given the pandemic and everyone was working from home as well, did you guys have to adjust?
What kind of ch what kind of changes did you have to make and do you have any lessons learned for the Group? Yeah, the change was really different. Uh, so most people working for SANS work from home already. Like, I worked from home, but I worked from home because I spend a lot of time traveling on the road. Uh, we ran all of these conferences all around the world, uh, which of course stopped in March, and I think last time I stepped off an airplane was coming from RSA feeling really sick.
Right. Something else thank Too, thank too, that was it. After that we shut down. I haven't stepped a foot on the airplane or the airport yet, uh, but uh, you know, that was a change percent. So we were a little bit lucky there. Uh, we had a CEO a few years back, and we actually had a pandemic plan. Uh, we had a response plan. Uh, not too many people had that, and that's pretty Good. Uh, part of us starting to experiment with online training and remote training, so years ago was part of that.
Uh, now this doesn't mean it when the off in a it and such went really quick. Uh, there were, there were problems. And one actually was an interesting sort of risk issue again. Um, if you've ever been to a SANS class, I always tell people they're being sold by weight based on a big stack of books that you get. Right.
Uh, and, uh, so, um, shipping those books turned out to be a real pain and to make them arrive at the customer in time was not just the cost, it was just making sure to get there in time, in particular, sort of globally. And, uh, so we basically just pulled the plug and said, Hey, you know, here are PDFs. Uh, ever since I worked for SANS we struggled with trying to come up with electronic courseware.
Uh, we must have had like a dozen abandoned projects that were abandoned because people were afraid of losing that intellectual property. Right. And, um, in the end we just decided, hey, you know, um, we have to stay in business. Uh, we have to keep our customers happy, and, um, it's worth the risk to give those, It doesn't work that way. You should have called me. I could have told you, don't worry about that. Yeah. What you think is gonna happen is not really gonna happen.
You probably do more. You end up, you end up doing more business, not less when more people Have more information. Our main concern was actually not, uh, someone handing those PDFs to a friend. That's of course part of the issue, but in the very beginning, when I started at SANS we did that. We stopped doing it because there were a couple of fairly shady outfits abroad that started teaching our classes using our name, uh, using those PDFs.
And one reason they're not that worried about leaking the PDFs, the classes are updated all the time. So, uh, but then they basically used outdated material, uh, to teach, claiming to be SANS. And, uh, that reputation issue was really more of an issue than, uh, just losing that PDF it's, Right. So that's interesting because I mean, you had to adjust content delivery. Yes. Mm-Hmm.
And, um, and so many organizations also because, um, many of our, or you know, people who we serve content to are now working from home. Were there any other issues that you had or any other changes, um, with SANS courses that you had to change the content delivery? Because it's not that interactive, Hey, we're gonna all be in a lab or, you know, like the hacking contest and all that kind of stuff? Yeah. We, we had to change some of this.
Like we, we sort of had to learn a little bit how, which different platforms worked. Uh, so we had a platform already, like for our existing online training, but then as it scaled up mm-Hmm. As we taught class, that format we hadn't taught yet before in that format. Uh, we had to make some adjustments to that. Uh, or one issue, for example, was delivery of our labs. In some classes, the instructor has a couple of laptops upfront, uh, in the room that you get to attack and such.
Uh, so, uh, you had to move some of this into the cloud and then come up with safe, responsible ways to allow you to attack this system remotely. Uh, in particular, understanding that the student who is doing so is still learning, and it has happened repeatedly in hotels that students ended up attacking hotel networks by mistake. So, uh, we had to be more careful here with, with doing it remotely from home, not being able to walk around looking over people's shoulders.
If they typed in the right IP address, maybe the hotels will pay 'em for finding the vulnerability. Right, Right, right. The same class. Exactly. Exactly. So I like, you know how you said like, you're not always being attacked. Um, I agree. I think that when you're always trying to, um, fight against attacks, it's a little bit like whack-a-mole. I mean, that's why I really, you know, I came from a national security agency. I really love, um, the CIS critical security controls.
It's like, do these basic things to really help protect your network so you, you don't have to worry about what I would call ankle biters. Right. So, um, the low hanging fruit, we always, always say that.
So would you recommend, like a baseline doesn't necessarily have to be, you know, um, CIS controls, but any kind of frameworks or baseline or kind of what is it at a minimum organizations MSPs maybe in particular should be implementing to just, you know, start off here, just raise, raise the bar just a little bit for yourself and your customers, Not just because you're on the call, Phyllis, but I'm a big fan of CIS controls, so I I, I think that the couple, the first few of them, uh, and I think it also goes back to know your customer know, uh, know their network, uh, like inventory and some of these very basic things in a network, uh, throwing in, if I'm an MSP, also communicating with that company, you know, what you are seeing, uh, whether or not that matches what they think they have.
I've often seen some mismatches there. Um, it's not easy to get started with this. I'm not saying that, hey, not just get your inventory, uh, no, it doesn't work. Right. But there are lots of great tools out there. And actually lots of papers in the SANS reading room you can read, uh, to put that black in there, uh, that our graduate students wrote about how to implement some of this, uh, with either free or commercial tools.
Um, and uh, I think particularly for MSPs, it's really important to know what's going on, uh, or what your customers are doing. And then inventory is the first step towards that because then you all of a sudden find the system that you don't really know what's the business purpose of that system. Uh, and maybe you're discovering a new part of business that you didn't realize they had.
And I once saw this in a web application pen test where, by changing the language in the application, all of a sudden discovered some new products that this insurer sold that they didn't sell to the US market, they only sold abroad. And you know, by sort of digging around, you actually find stuff that they may have omitted telling you in the little kickoff meeting that you had in the beginning. Oh. So I have just one final question.
You know, SANS is of course, world renowned, as you just said, for training. Um, when I was in the government, you know, we always went to SANS training courses. Um, MSPs maybe have a different outlook, perhaps also different financial constraints. How is it that, um, especially uh, MSPs or small medium businesses can look to SANS for training or become more involved on? Um, you know, the training aspect of it? I said there's a lot of free stuff.
Um, webcast papers, uh, storm center, uh, actually have the sans.org/free where all the free tools and free things that we offer, uh, are summarized. Um, there are a lot of ways to get SANS training for discount. We have like a work study program where you basically help us facilitate some of, uh, like an online class now, of course. Uh, so you get to press the start and end button and make sure the audio and so is working fine.
Uh, and uh, that gives you a substantial discount, like about quarter or less, uh, for a class then, but usually, or of course our, our graduate program. And, uh, there are lots of options with that, uh, to, um, actually it's, uh, quite competitive if you compare it to other graduate schools, uh, what you pay for a SANS graduate degree or certificate. And we actually even now have some undergraduate certificates and such, but, uh, offer similar discounts. Yeah, That's great.
Can we find out about that? Uh, on the website sans.edu for the graduate and undergraduate stuff and sans.org/free for the free offerings. Awesome. Thank you. Awesome. Well, thank you. Uh, Dr. Ulrich, we have one question here. I was wondering if I could read it to you. It's also, you can look at it in the question section, but it's from, um, from Mark. And Mark says, you know, where is the vendor slash threat intelligence collaboration in your mind?
And, and I'm glad Mark brought this up 'cause 'cause it's really something that, um, yeah, and I'll let you continue to read it, but you know, we're starting to hear more for the first time over the last few years, um, you, uh, Johannes about ISACs and ISAOs Yeah. And SP community, um, you and I and Phyllis had a conversation offline, uh, about even, you know, threat sharing and automated threat sharing versus lists. Um, but can I have you kind of give your 2 cents on that question there?
And, uh, I Don't see the question, but let me talk a little bit about the, Lemme just read it out, you know, where, where's the vendor slash threat intelligence collaboration in your mind? I was recently working with a firewall vendor on a block list provided by the FBI cyber outreach team with no way to integrate the data into the intelligence feeds. What's it gonna take to see this come together for the collective good to get more centralized sourcing of malicious domains and IPs? Yeah.
Um, it's a hard problem. Like it's not as easy as just importing a threat feed that the FBI provides. Um, I love what the FBI puts out, so I'm not talking against the FBI and I don't want 'em to get in my door. Uh, but anyway, uh, they have been known to sometimes not vet these feeds carefully enough and, uh, to include IP addresses, for example, that had some very important and legitimate users. And that comes back down to knowing your business.
You cannot, and you should never apply a block list blindly to a business without really understanding what this business is doing.
Um, as an example, I had a discussion with someone from a utility company and, uh, they were telling me, well, we see all these attacks against our website, against our customer website from China, and, uh, we are just going to basically block access from China, uh, which seems to make a lot of sense for a local utility that pretty much exclusively appears to deal with people in the community.
Uh, my wife happens to be a realtor and, um, she's selling a lot of investment properties, uh, to investors from China that often do have a legitimate reason, uh, to check up on utility accounts. Uh, so, um, you know, they would be locked out then, uh, and, uh, some of these block, now this is a little bit a simplistic case, but even if you have a feed of IP addresses, you do need to carefully vet them. And yeah, that can be a role for something like an MSP.
Uh, if you know your customer, you'll be able to take that list from the FBI and that maybe block it or even better, uh, use it in a detective, uh, function, not sort of active function. Uh, with a block list like this that you get from the FBI, it's yesterday's IP addresses. Uh, the moment they are publishing that, uh, the actor will change, uh, their infrastructure. Uh, so what you really wanna do is you don't wanna block what's going forward. It's probably meaningless.
You wanna go back a couple days and see, hey, did I connect to any of these IP addresses in the past? Uh, which then of course means that you have the right sensors and instrumentation to actually be able to do that. Interesting. And, and you know, I know you didn't say this outright, but you mentioned honeypots earlier, Dr.
Ulrich, and, and it, it seems that, you know, we've gotta be, we've gotta start to take on ways in which to understand how to do deceptive type things, where, like you're saying, you know, these IPs, they're, they've already pivoted out of those to another IP, but what things can we do to lure people in, you know, 'cause we know they're gonna do it so that, you know, they're not attacking the malicious things on our network, but giving us detective information that we know they're there.
Yeah, I think you have to distinguish a little bit between, so the classic honeypot, like we are deploying them, which are really more research tools and what's sometimes now called that kind of deception. Mm-Hmm. Uh, which is a little bit more surgical usually. So instead of just setting up a vulnerable system, uh, you're setting up a system that's actually not vulnerable, at least you don't believe it to be vulnerable. And, uh, then you are monitoring access to it. Yeah.
Or even just the little leaks that you put around your site to see if, if anybody bites for them. Uh, I think they're quite useful. Uh, they're also quite useful to learn more about what the attacker is doing to your network. Uh, when it comes to threat intelligence, the most useful threat intelligence you'll get is from your own network, uh, because that's really relevant, uh, to you.
And, uh, so instead of subscribing to a lot of feeds, uh, the time may be better spent to set up some little deceptive tools inside the network. There have been some efforts sort of commercially lately to make that more scalable and manageable sort of an enterprise and MSP uh, size and, uh, uh, it may be worth looking into some of these tools to see if they help you, uh, do this easier and better. Yeah. Well, it's great.
Uh, I'll wrap it up by just saying that, you know, we've had some great collaboration already since Chris Sanders came on. Uh, Dana ep, uh, created a port scan honeypot put all the code in GitHub, made it fully available with a, a video on how to set it up. That's all available in the cyber nation for anybody that wants that information. So we've got a great group and I'm, you know, really glad to hear you kind of iterate that those are the really critical things.
And then, you know, the best intel, threat intel, is your own. So, um, Gary, any closing thoughts from you? I know, um, here, uh, uh, on episode 24, Uh, no. Just really interesting perspective, uh, that, that you brought today. And, uh, I'm hoping that everybody, uh, you know, takes some time and, you know, checks out. We, uh, posted there, uh, Phyllis posted the links, uh, to some of the free stuff you can get there and can also check out some of the courses.
And, uh, knowledge is our best defense, but I think, um, deployed, you know, in a common sense way that Dr. Ulrich talked about, about how to spend your time and, and, and where not to, I think just that common sense approach, um, probably leads me to believe you're gonna find a lot of great information that you can use there. Yeah. And I think, Gary, to your point, uh, the music to your ears was, uh, hey, we need to know about their business. Yeah.
Uh, which is, you know, pretty big, uh, Phyllis No, I agree. I really liked the practicality of everything, um, that you said. You know, what really resonated with me also was the, um, you don't have to subscribe to all these different threat feeds. It's not lack of data that we have from, you know, all these different services. Tony Sager calls it the fog of more because we do, we just have tons of data. Yeah, right.
But like, maybe just looking a little bit closer to home, paying attention to what's happening, um, you know, at your own front door on your street, et cetera, and then taking action on that is a, is a great first step versus subscribing to all these different things. And now you have to comb through all this data to try to, you know, find the value for yourself. So I, I really appreciate that perspective. Yeah, that's great. Well, in closing, Dr.
Ulrich one, I again want to iterate to everybody to please subscribe to your podcast five, six minutes. Best thing you can do to start your day, or again, if you're a night owl, your evening. Um, next week, Dr. We're gonna have, uh, Ricky Tan on who I learned about through you from cyber. So, um, he is ex, you know, he's fantastic. Um, but, And Andrew, maybe you'll put on a Jazzercise class. I think we'll go definitely Coming next week. Definitely coming.
We'll go from 2300 to 1300 real fast. Hey, Andrew, we got like two more minutes. Can I just bring up one quick story? Yeah, of course. Uh, so, um, we had our peer group meetings last week and, um, we do special projects for the peer. And, uh, so Phyllis, you know, we, uh, inside my IT process, developed what we call an MSP jumpstart, but heavily influenced by CIS, right. As the, the foundation of it.
And the special project was each of the MSPs, uh, had to go through that jumpstart for their own environments, and then they discussed it at the meeting. And I gotta tell you, it was both some of the people that are just really getting started on the security journey and some of the most advanced, mature, secure MSPs in the industry. And in every case, the conversations they were having was one of the best special projects that we had.
And I was telling all them, imagine you could have these same conversations with your customers, right, right, right. And the power of that. But, uh, just wanted to let you know that was, uh, really, again, in the 10 years I've been doing this was one of the best special projects. Oh, that's awesome. That's good to know. Gary. We did, uh, just, you know, I just real quick. So we did, Wes and I did a, um, presentation with, uh, Trent Ballard, who, who I think on from dev source for Awesome MSP.
Um, and, uh, what was really interesting, we did a poll and the research we've been doing was, you know, does your internal cybersecurity, your internal cyber hygiene, uh, impact your MRR, your direct ability to sell MRR and, and cybersecurity and convincingly, the polls have shown it, the conversations. And Dr.
Ulrich, what we have you just in closing, basically, we said, Hey, look, the, you know, if you have command of your own internal cybersecurity, how influential is that to you to go then sell? Um, just love your thoughts in closing and we'll let you run.
Well, I, uh, I hope it matters that you secure yourself, uh, in order to sell your services because we have seen a lot of attacks targeting MSPs because they sometimes turn out a piece of the, uh, weak point here in, in some of these infrastructures. And of course, it's that bang for the buck idea where if I breach one MSP, I have multiple of the customers. That's, uh, that's a big part. Uh, overall, um, sort of in closing, I always like collaboration. I like, uh, exchanging information.
That's, I think my big thing, uh, for the last 20 years or so. That's, uh, what we do in the Storm Center. Uh, I love to learn from others' mistakes because I already make enough myself. Uh, and, uh, uh, and yeah, so, um, help us out with the honeypot project. That was always nice to have a couple more data feeds here. Uh, send me an email or contact me on Twitter or whatever way; spammers know my email address, so it shouldn't be too hard to find out.
Uh, so, and if you need any help with that, so thanks. Thank you. Awesome. Andrew. Again, that gets people increasing their command where they are in security. And, uh, I can tell you I get to see the numbers for all 125 of those, uh, you know, peer group members. And I can tell you that, um, you know, the further you are in your security journey, it's good business. Uh, they're the fastest growing and they're the most profitable MSPs that we work with, No doubt.
Well, wishing everybody a fantastic week. We'll look forward to seeing you back here next week. Have a great week, everybody. Take care. Thank you. Bye. Thanks, Andrew. Thanks Dr. Ulrich. Thanks guys.