Right of Boom
January 30, 2025

The Rise of BEC, SaaS Application Attacks & Credential Compromise

In this video, cybersecurity experts Chip Buck and Craig Riddell discuss the rise of business email compromises, SaaS application attacks, and credential compromises. They explore the complexities of identity sprawl, the importance of identity governance, and the challenges of maintaining robust cybersecurity practices in the cloud environment. The conversation sheds light on the evolving threat landscape, emphasizing the need for effective communication between MSPs and their clients to enhance security measures and protect critical business data.

- The majority of security incidents in enterprises are related to compromised credentials, and there's a need for strong identity governance and access control policies to prevent such incidents.
- Misconfiguration in cloud services is a significant security risk, often more so than credential theft, highlighting the need for proper configuration management and oversight.
- The shift to cloud computing has increased the complexity of security management, requiring decentralized cybersecurity practices and a focus on identity and access management.

Guests

Andrew Morgan

Video Transcript

Welcome back, everybody, to session 138. Missed you all last week. I hope you all saw that message if you came and got the message via email. We were traveling, a fair number of us. So, excited to be back here. We got an awesome session today. I'll make an intro to our guests in a moment. Let me just kind of set the stage today. I do need to look at my notes 'cause I did write a fairly verbose setting of the stage.

I do have one poll question up if you guys could take a look at that. Good to see you, Anne. Let's make the chat nice and lively today for our guests. It's gonna be a good one. So the title is the rise of business email compromise, BEC, SaaS application attacks and credential compromise. And I don't think this is like earth-shattering in that, oh my gosh, this is on the rise.

It was more so the fact that, and the threat report, by the way, I put in the call to action, it's, you don't often hear of Rubrik doing threat reports. And so I was kind of fascinated by it because, Wes, I know you know of them. I mean, they are arguably, at the enterprise, one of the premier data companies. Would that be fair to say? I mean, yeah, I think that's super fair. Yeah. Yeah.

I mean, and so they have a very unique, like, I forget the exabyte type of, you know, metadata they have, but it's off the Richter scale in terms of views into, you know, sensitive data. So, and over 5,000 companies. So I thought it was a really interesting study. Furthermore, they reference some phenomenal studies in it as well. Studies from Esia, Expel, Mandiant.

So it's this aggregate, I would argue. Phyllis, it's kind of, you know, putting you guys on notice there. It's CIS, for your community defense model. We would reference a report like this. Yeah, yeah. This is a great report to reference. I sent it to the person who writes the community defense model. Oh, okay. Fantastic. It's good stuff. Okay. So in looking at this, you're talking about over 5,000 companies across 22 industries, 57 countries.

As I mentioned, you know, it's a metadata study. So Palo is in this, they reference Palo Alto Unit 42. They referenced, like I said, Permiso, Expel, on and on and on. And what was really fascinating was 99% of all these companies had at least one security incident. The average, Phyllis, is 52. Now, again, you know, these are enterprises, fair to say, but 52 is the average.

And then what really stuck out at me was SaaS was the number one attack vector, not on-prem anymore. And then, so when you looked at all of these and you looked at, you know, some, we're gonna talk about Permiso: of all the incidents that Permiso detected, all of them, not some, were results of credential compromise.

So when you look at all of those factors together, I thought the two guests that would be absolutely perfect for today, we were able to get for you. And so with that, let me start off by introducing Charles, or Chip, Buck, CTO and co-founder of SaaS Alerts, and then Craig Riddell. He is the Field CISO of Netwrix and the former director of identity and access management at HP. So, Chip, starting off with you. Welcome. Thanks for joining us. Thanks, Andrew.

It's nice to be here. Yeah, great set of topics today. This is gonna be fun. Yeah. Chip, tell, like, you've got an MSP background way back. You've developed, and you're a co-founder of, or starter, just giving people on the fairway a little bit about your background, 'cause I think it's pretty fascinating how you got into SaaS application monitoring and SOAR. Yeah, sure.

So my background goes back into the nineties, before MSPs were really called MSPs. We called ourselves VARs. We really called ourselves anything for a buck; if it touched technology, we pretended we knew what we were doing and we went out and got paid for it. So, yeah, that's kind of the way it worked.

Then we transitioned into an MSP model, again, still before it was really a model, but the recurring revenue stream notion, you know, kind of got in our heads 'cause I hated selling and we didn't really have anybody that was great at it. So, gotta figure out a way to sell it once and keep getting paid for it.

We eventually built a hosting platform for virtual desktops, focusing mostly on the data layer, the security and the data layer, transitioned that into a software product, the product that we built for ourselves to run that business. That was called IndependenceIT, the product with Cloud Workspace. After selling that, built a couple other applications for folks, one in the FinTech space, one in the healthcare space.

And then co-founded SaaS Alerts along with Jim and Seth. And here we are. So, you know, the focus has always been around securing what I consider the business jewels, which is spreadsheets, PDFs, and Word documents. Like, in the end, that's what it's all about, is that business data. Mm-hmm. Very cool. Thanks again, Chip. Craig, great to have you. We were talking a little about your background off the air.

It's great to have you. I've had the opportunity and pleasure to have you on one webinar previously. But thank you so much for joining us. And how about a little about yourself and your background, Craig? Sure. Yeah. Thanks for having me. I always love these types of conversations. Great set of topics. Like Chip said, I have a background in ephemeral identity and access.

That's really where my passion is, coming over as the CISO at Netwrix. That's basically what we do around data infrastructure and identity, ephemeral where and when it should be. Very cool, Craig. And it's awesome to have you. For those that don't know Craig, you don't see this often with CISOs, but he played Division I rugby in Arkansas. We were talking about a gentleman, I'm reading his book right now, Brent Gleeson.

We hope to have Brent as the keynote speaker this year at Right of Boom. We do have the dates for Right of Boom, we have secured the venue. I'll announce that in this next week or so. All right, so with that, again, if you could take a quick look at the poll. It's not a hard one to answer. And Phyllis, I'll put you up, and Gary should be here in about seven minutes. He was just running a little bit behind. All right, Phyllis, the floor is yours. Great, thank you.

And welcome, Chip and Craig. So Chip, my understanding is that SaaS Alerts focuses 100% of all of its efforts on monitoring and SOAR for apps like M365 and SaaS-based solutions. Even still, though, you said that you're mainly focused on MSPs and MSSPs, which of course we all know support SMBs, the backbone of our nation. So when you look at the stats in Rubrik's report, do they align with what you're seeing with MSPs and MSSPs, or are you seeing something different?

I think they align. The term attack for us means correlating with a hundred percent probability for a customer that their accounts are under active penetration attempt. So that's an attack. So if we're using that as a definition of attack, absolutely correlates. You know, we see the same kind of numbers with every single one of our MSPs. If you say the MSP is the CIO or the CISO, every single one of them sees attacks every single day.

If you're talking about actual successful compromise, that number drops substantially. Part of that is because of, you know, our platform's design and how it helps to remediate compromises before they really get moving. And part of it's because we just have a really strict definition about what that looks like.

That means, you know, a set of credentials, an account credential that's actually being misused by someone somewhere on a device that it shouldn't be used on. So, you know, if you're talking that, we get down probably more into the 10 to 15% range. I think there's a lot less exposure in the MSP space to platform as a service, to cloud, versus SaaS, where people are running services that are public facing and are exposed.

You know, in the MSP world, the SMB world, they're using 365 and QuickBooks Online and other SaaS products exclusively. They're not necessarily exposed directly with their own infrastructure. So there's a smaller attack surface.

Phyllis, can I just interject there? Chip, can you expand on that, just for a hair, because in some of the other studies, when you kind of jet out and look at the Palo study, for example, they really get into how, I guess, viable the attack surface is around AWS, GCP, and Azure. What is it about it? Why is it the Swiss cheese, if you will, right now? And why aren't enterprises doing a better job securing it, in your opinion?

I think it's a lot more complex than the software-as-a-service universe. Number one, you have publicly facing services, web servers and data servers and application servers of all different flavors. Database servers, people that are using publicly available libraries, you know, for JavaScript or Node.js or Python or PHP, whatever they're running.

And so there's all the, you have kind of a witch's brew, a stew of a lot of things, a lot of penetration points when you're talking cloud and platform as a service, where when you're talking SaaS, it's up to that SaaS vendor to really tighten their own ship. And it's not so much on the platform side of it; it's not really left to the end user customer organization or even the MSP to manage that.

Like, none of us have any control over what Google Workspace or Microsoft 365 is doing with their infrastructure. Mm-hmm. They have teams and teams and teams of people who are responsible for securing that. And that's the number one argument for SMBs using those services rather than trying to roll their own Exchange server like we did 10 years ago. You know, 15 years ago everybody was running Microsoft Small Business Server.

They had a web server, Exchange server and, you know, a SharePoint site of their own out there. And, you know, we've all learned that that's not a lesson that you can run forward with in the MSP world if you wanna maintain any kind of security. But boy, it brought in a lot of revenue for everybody. It sure did. Sure.

Craig, and Phyllis, I'll turn right back to you, but similar thoughts on Chip's perspective there on, you know, the proliferation of the attacks on those cloud platforms? Oh, I completely agree with everything you said. I mean, I think what you're seeing is moving to the cloud has enabled business to move fast, which means that cybersecurity needs to be decentralized and you need to have cybersecurity understanding with your app dev teams and everything else.

It can't just fall to one centrally managed team anymore. Mm-hmm. So the broader the attack surface, like Chip said, you have to worry about IAM roles, making sure your keys are rotated, all these other things, versus a SaaS platform, you just make sure that, you know, they have their proper certifications and that your API calls are secure and you're good to go. Yeah. Cool. Phyllis, thanks for that. I was just curious. Yeah, no, that totally makes sense.

And that's kind of, you know, what we see as well at CIS. We see a lot of large organizations who are moving towards cloud, and it's true, they're also international organizations. And so it's always default to usability versus security. Right. And so that's why I think you also see more compromise in that area. Mm-hmm. All right.

So Craig, we know that stats from Permiso, I hope I said that properly, where Sunil Yu, who's our good friend, he's on the advisory board, where it says, compellingly, they're saying that a hundred percent of their cloud incidents are due to compromised credentials. So what are your thoughts on this? And does it surprise you as someone who specializes in IAM? Anything that says a hundred percent?

I guess I'm a little bit skeptical of, you know, but, yeah, I think it's not surprising. Whether it's cloud or on-prem, the goal is to get credentials and move laterally until you find something with enough privilege to establish command and control. I think it would be interesting to divide that study up and see which were true breaches, compromises of a vulnerability, versus misconfiguration.

That would be an interesting data point for me to have. You know, that is interesting. We were just having this discussion on incident versus breach. And it is interesting, you kind of pick up on that just even in this reporting, you know, versus the scare tactic of like incident, just like, you know, what Chip said earlier of, hey, we see people getting attacked all the time, but then where's the success? Right?

And then the success rate goes down a lot more. Yeah. Even if you look at some of the biggest breaches, quote unquote, that we've had, even in the US government space, it wasn't actually an exploit of a vulnerability, it was just misconfiguration of cloud storage. Right? Right. Exactly.

So Craig, the report further goes on to say that 90% of the credentials used to move laterally within an organization were overprivileged and, in reality, only five to 10% of privileges are required. So can you tell us, you know, about this, like what does it mean and what have you seen in this area? And what would you say are some best practices to help organizations with least privilege? Yeah.

Look, how this happens is organizations have either been around for a very long time and people have just collected privilege as they've, you know, matured in the organization, or it's a talent issue where they're trying to get something to work. And the easiest way to get it to work is to give it all the privilege. Then you don't have to troubleshoot.

And you always have the best intention of coming back and fixing it later, but you have 5 million projects to do and later never happens. Right. So, yeah, I think that the stats on that are probably very true. And the only way to really get around that is to have a strong role-based or attribute-based access control program with good local enforcement. Yeah. I wanna chime in on that for a minute.

'cause I think that's exactly where the problem lies for so many of us, in the sense of, like, I call it the SDR problem. You know, in the sense of like an early business where just the CFO or whoever it was had access to the entire SDRs, they have access to all their data. And then as the company just grows into 20, 40, 80, 200 employees, they still have access to literally everything they've always had access to.

And then same with everyone else that's early in the org, or if they've switched from one side to the other, and it's this conglomerated mess of everyone just has access to everything. And that's where the nightmares happen, because orgs don't want to go clean. So, I like the analogy: are you gonna clean up your house? Are you still gonna be a hoarder? Right?

And post-incident, that's where all these things go from not so great to just colossally bad for that exact reason. So totally agree with that. So, you know, I guess the question is then you really need those policies and procedures in place as you grow. Like, you know, it is kind of easier. Like what kind of best practices do you recommend to an organization?

Yeah, I think what ends up happening is you create policies to say that you're compliant, but there's very little enforcement, right? Right. So it's like, as you get promoted, your manager should remove your access, but anything where there's a manual effort likely isn't going to happen, or at least not with any level of consistency. So you need to have automation there.

And that's where a true end-to-end identity governance program will help, 'cause it really embraces the concept of people who move around in the company, people who join the company, and people who leave the company, and what to do with their access when they do those things. Great. Thanks. I'll add one note to this, and that is that we didn't touch on the whole notion of administrator overprivilege. And I think that's a huge problem.

You know, yes, Microsoft and Microsoft administrators have a tendency to be global admins almost universally. Like, there's all kinds of granularity available there. This is true of Google Workspace as well. But we rarely see that people take advantage of the granularity that is available to them.

You know, for the most part you need one or two global admins and everybody else can be some other kind of administrator, whether it's account administrator or a global reader or, you know, lots of different granular roles that can get cut down. And that would have a big impact on the big successful compromises if everyone would kind of tighten that piece of the ship. Yep. That really makes sense. But you know what's so funny?

I just thought about, you know, even giving people access to my Outlook calendar, I just default to just everything because it's just too many choices. Mm-hmm. You know what I mean? Like, it does become overwhelming, where it is that usability versus security. It's like, how many levels are there, and then how do I even know what they all mean? Right.

That's where the attackers have gotten really, really good at compromising accounts, because you don't even really have to get to a privileged account. You can do things like replication attacks and all this other stuff to get your account to a certain level of privilege. And they have a very good idea of how to do that. Whereas in a lot of companies, the admin level is maybe not that high. So that's where we really have to rely on tools. It is interesting you say that, Craig.

'cause we've had, you know, Black Hills, John Strand's group, and we've had Beau Bullock on, who is their top cloud pen tester, and the tools he's written, the automation in which he can go, you know, discover just the things you're talking about and then gain access and then start to move laterally. It's really phenomenal. He also talked about misconfiguration a lot, and to your point, you know, you brought that up earlier.

Is that as big of an issue, would you say, as credentials these days? Is it bigger? In my opinion, and I'm gonna make a blanket statement, I would say it's probably the biggest issue with moving to the cloud is misconfiguration. So you see it as bigger, Craig? I would almost bet that there's probably more leaks than breaches nowadays. Wow. Wow. And Chip, I know you guys are heading that direction, right? In terms of looking at the configurations, right?

Yeah, absolutely. I mean, you know, when we first launched SaaS Alerts, it was intended to be only a monitoring and remediation platform, but not a configuration platform. And we've learned through feedback from our partner community that they need more support on the configuration side, and they need to, you know, it's like everything else. There's a bell curve of cost and benefit that you gotta deal with.

And, you know, if we can find a way to help the MSP universe more cost-effectively standardize around configurations, it makes a huge difference. Now, you know, we've talked about this on previous webinars, especially around this IAM space, is, you know, if people just correctly use MFA, password management, you know, they reduce their exposure dramatically, but yet, you know, 30% do and 70% don't. That's, you know, those are amazing, amazing numbers.

And that's configuration. That's a set of, It's amazing. It's amazing. Yeah, it's amazing. But it's a set of choices. And so we need to find ways of making those choices easier to make and less costly. Yeah, I agree. I agree. It's not that everyone is so dumb, honestly, 'cause I used it. It is that, you know, what is the barrier and how is it that we who work in the field can really knock down those barriers?

It just seems obvious to us, but it's just not. So what can we do? Look at Andrew, doesn't agree with me. No, I'm just disappointed because it takes away so much of Gary's sarcasm, so, you know. Oh, well. No, no. I mean, I agree with what Gary says when you're like, I'm talking about end users in organizations. Oh, okay. Like, what is it that we as the organization who set the policy and stuff can do for end users? There's a lot to unpack with that.

It's not like a simple thing. It is amazing, those numbers, but I also, on the other hand, I understand it, and I work with MSPs every day and I know what percentage of them aren't able, they don't have that relationship with their customers, to be able to move that forward and explain the balance between some inconvenience and different workflows, you know, relative to the security.

So I think that, again, I think we get to take some responsibility for that, not the SMBs. Cool. Yes. Chip, one more. Yeah. Like, should we just pass to Wes based on time? What time is it? I think we're fine. Go ahead and ask another question. I think we'll be alright. Alright. So Chip, Expel goes on to provide the following stats. So malicious incidents increased by 70% in the three major CSPs. So that's Microsoft, AWS, and GCP.

And then Andrew was sharing that you focus, of course, on M365 and Google Workspace, and you produce a SaaS report every year. So what are some insights from your findings in this area? Well, 365 is certainly the dominant platform, right? So we can almost focus everything there. But, you know, what I'm about to say, I think, applies somewhat to Google as well. So, SaaS Alerts, we have now a three-year dataset.

So, you know, this is not enormously long, although, you know, in the lifespan of anything technology, it's a reasonable statistical number set. We've definitely seen an uptick in overall attacks and in variety. That's the biggest thing. The field is changing; it's always changing.

We've seen a couple new things introduced in the past, let's say six months, since last October, November, that are exploiting old vulnerabilities that weren't really being exploited before. And now all of a sudden, you know, we're seeing not only attempts and attacks, but we're seeing successful compromises. And they have definitely picked up in both frequency and severity. And that's just the SaaS universe, not even paying attention to the cloud universe.

I mean, in my role, I do have a lot of focus on the cloud side of things because we ourselves are a SaaS provider. In fact, that's really what most of my job is about, is about that side of the business and making sure that we stay outta the weeds. But on the MSP end, on the customers who are using 365, Salesforce, Google Workspace, we've definitely seen a significant increase and a change in the shape and variety of compromise attempts. Thank you. Wes, over to you.

Yeah. Cool. Thanks, Phyllis. So, let's go back to some identity conversations again, 'cause I think there's a whole lot in this. I think over a series of questions I wanna unpack for us a little bit. So, first of all, I think we've hinted at this, but I think most SMBs, and even large orgs too, are guilty of identity sprawl everywhere. Like, it is a problem and it's a problem that's existed for, you know, many years if not decades. That just becomes almost unattainable.

Like, how do you actually fix the problem? Stuff is everywhere. Identities have never really truly been managed. Bob mentioned in chat earlier, I thought was really good, like even an identity matrix, you know, according to responsibilities. Like, we're not doing a lot of those things, and they're helpful so that we can understand what the gold standard is, and then how we build towards that and audit and test for that so that we aren't introducing outages and challenges along the way.

Right. So all that being said, I think we have a problem there. I guess, Craig, to you, from your experience in your role, do you agree with that? And maybe where's the starting point? In my mind, it's probably mapping out a responsibility matrix and then going from there. But what else would you add to that? Yeah, I mean, you're absolutely right.

It's not just in the SMB space, it's probably worse in the established enterprise space, because it's just a bigger ball to untangle. Yeah, I think getting into that identity governance space, understanding who does what and why, I think is very important. You know, that's where you get into, you know, least privilege. You know, those types of identity concepts and things like that. But that really only covers a small section of accounts, which is interactive.

What about the service accounts, things like that? That's where companies leave a lot of attack surface exposed. I think that doesn't get addressed near enough, especially up the chain. Yeah. So I think service, can you touch on a little bit more of service accounts? 'cause I think you're exactly right on that. Yeah. So the way that I break down identity is now in three ways.

It used to just be an interactive account, so somebody who has their hands on a keyboard, and a non-interactive account, a process or some account that does something that doesn't need a human. Now we have this third account type, which is robotic process automation, which is somewhere in the middle, which creates its own set of problems. But yeah, those are the three identity buckets that I kind of break things down into. Yep.

Yeah, you could talk for years about RPA risks as well, for sure. That's something we haven't had to; it's been a period of bliss in the channel. But those days are coming for sure. Okay, so maybe a follow-on to that. It's not just identity, it's not just usernames, it's not just passwords. It's not just the presence or absence of MFA, but we're seeing bad guys shift towards things like, your token is valuable, your session is valuable.

These are things that bypass MFA and just let us insert right into that session for the user. So unpack that for us a little bit too. We talked earlier about this MFA adoption being a problem, right? Because it's a pain, it's something that hardens the user experience. So what we end up doing is we set a threshold for how many times we're gonna bother our user community by prompting them for their MFA. And we say that's once a day.

So if you're already authenticated, and I can now hijack your session, I can bypass what is more than likely one of your top security controls. And unless you are a technology-forward organization that has something like user behavior analytics or adaptive authentication, I'm probably not gonna be prompted for MFA again. Yeah. That's why those types of attacks are on the rise. Okay? Right. And so what, obviously we know we don't throw the baby out with the bath water.

MFA is still critically important, but what do we do about that? So if you hear, okay, now bad guys are going after sessions. What do I do? I just reset sessions every so often? What do we do? I think you have to address transitive trust. So you compromise a session on node A. The problem is that likely there's already a trust between node A through Z. So I can move laterally.

If you can stop that lateral movement, the east-west, through a proper privilege orchestration program, something like that, then you shut down that MFA bypass. They may be able to compromise one thing, but likely they won't be able to move east or west. And then if you have a strong identity program, dash-A accounts, things like that, your standard user account has little to no privilege, then you're really talking about dramatically reducing an attack surface. Oh, good god, man.

We're just saying we don't even have MFA out there, but, come on, man. Right. And to Microsoft's point, like 98% of the attacks that they see would be addressed by multi-factor being in place. Like, yeah, I see it. Right, Gary, it's like we're still addressing this with our end user clients, aren't we? So you kind of just had another thing stacked on top of the mix to talk about.

So Chip, maybe a question over to you, both from your experience and just SaaS Alerts as well: transitive trust, all of those issues around session management. Like, do MSPs have a grip on that at all? I'm just gonna guess probably not at all. I know for certain some of the MSPs in our community are coming to grips with it, because we've seen multiple instances where successful compromises have been executed using session tokens.

And we've really laid this out among our partner community very, very tightly. I mean, our policy internally, we expire every session token every 12 hours. And for our engineering team, they all use FIDO to get in. Anybody that has access to any cloud resources, they've all got a YubiKey. So, you know, we take it very seriously internally, but I also, we see it in the MSP community as well.

I, I, I, this one, you know, sort of caught me by surprise when we started presenting it that people object having to, to re-authenticate in the sael once or twice a day. Again, roll us back just 10 years where most people were working on-prem with a workstation connecting to active directory locally, they had to come in and turn on their computer or flip it up or, you know, tap the keyboard to get their monitors turned on and log in every day.

If they went to lunch, they had to come back and log in. I actually blame Microsoft on this. I'm gonna get myself in trouble, I know, but Microsoft with 365 has trained people that, hey, once we have a trusted device from a trusted IP and a trusted user, we're just gonna let your session stay open forever, and you never have to be inconvenienced to log in again.

Well, that's not the way business computing started, or any kind of application. That's a great perspective. We forget, right, that it wasn't that long ago where every time you came back to your desk, you had to log in again. Yeah. I mean, how many MSPs out there, like, virtually raise your hands, guys.

Remember that you advised your customers in 2010, for their on-prem networks, that they should have a policy where you had to hit Ctrl-Alt-Delete every time you stood up away from your desk? Like, that's what you did. Now, they did have their passwords on the other side on a sticky note. Yes, they do. But the point is, it's just not really that inconvenient to have to re-credentialize yourself.

It's not that big a deal if you're using password managers on top of it that are remembering all the stuff you don't wanna remember in your brain. It's just not that difficult. Yeah. I think that's also 365. I mean, it's frustrating when you're using 10 other apps all day long, right? But 365 is so much of the attack surface, right? Just with all the other apps that use OAuth. Yeah. You know, I think that's 'cause we're old.

So my kids... none of you are older than me. My kids, though, they're on their Chromebooks all day every day. Yep. In Google Classroom. And they never log out of their laptops unless they have to. They're constantly logged into Google Classroom. They never have to remember their password. And when they're due, it's like doomsday. They're like, what's my password? What's my password? Because the last time they did it was, like, months prior.

And so I think there's definitely this generational issue where, you know, I never had a cell phone at work. Like, all these things of always having access to everything. I have the Gmail app on my phone; I never have to re-log in. Do you know what I mean? You're used to this convenience. And so those of us who are old school... I worked at a government agency, I'm used to having nothing, no rights.

So I come out and I get to work at home, and I feel like, holy cow. So it just depends. Chip, while you're on your rant, since you already went down this path with Microsoft, can you just talk real quick about sharing URLs, you know, when you're sharing documents, and some of the things you found there? 'Cause that one I think is just as fascinating, when you're like, I blame Microsoft, I blame Microsoft.

Well, look, Google has no free pass here either, because with Microsoft, you at least have a lot of granularity about how you share documents. Again, very few people choose to use it, and the easiest thing to do is to create an anonymous share and send it wherever you want. With Google, once you decide that you're sharing something outside of the organization, it's outside.

So Google seems to be taking the attitude like, all right, well, we're not gonna provide any more granularity about this, so don't do it unless you're really, really sure, and make sure you come back and unshare it later on. Which of course we know no one ever does.

Like our conversation, of course, 15 minutes ago: data grows so fast that nobody has the time and money to go back and reevaluate the permissions inside the organization, let alone where stuff is external.

So it's just all discipline, Chip. I was having a conversation last week with your partner Jim Lippie, and one thing he was saying is, when you get new customers, almost every single time when an MSP rolls it out to a customer, you're finding old guest accounts that they used for some reason. And again, there's no discipline or process, and they're just left out there, right? That is literally a hundred percent of the time.

But what's worse, Gary, is probably 5% of the time, within three or four days to a week of SaaS Alerts being put on a new customer tenant, we find an actively compromised account that's been actively compromised for months, maybe years. And they have no idea, because no one can do the user behavior analysis to see what devices and where these accounts are being connected from. So that's the really scary one.

Again, I'm not a fan of the way either Microsoft or Google will do this. I don't necessarily have a better solution, 'cause no one's asking me to come up with one, or probably could. But in Microsoft's case, guest account proliferation is a big problem. Yeah.

Generally speaking, to Craig's point earlier, talking about traversal and moving laterally or horizontally through a domain, it's not really a problem with guest accounts. But where they are a problem is in social engineering. Somebody adds a guest account to a Teams group, and all of a sudden that Teams guy's been banging around here forever. He's been in there. A new employee comes in, he sees that, yeah, Phyllis has been in this group forever.

I guess if Phyllis asked me to make her administrator or send me a password document, it's okay to do. They don't know any better. And that stuff just never gets cleaned up. Hey, Wes, before you ask another question, one question that I was gonna ask that kind of ties to this is, we see a lot of threat actors now using VPNs, so it looks like they're coming from the US rather than... so how does that impact when you're looking at the geo stuff?

Is that for Wes or me? I think that's for you. Yeah. Okay. Well, we label 'em in SaaS Alerts to try and help people see which VPN is being used, that the attack, or the connection of the account, is from a known VPN. So we do provide some insight on that. But yes, you're absolutely right.

I mean, if anyone on this call, including however many MSPs out there connected to it, were a sophisticated attacker, the first thing they're gonna do is come through a VPN of the local country, at least the local country where that user's located. We know for certain that that happens all the time.

If you wanna go after a key executive of a company, you're gonna research 'em on the website, find out as much data as you can about 'em. You're gonna know everything about the company through its contact-us information. And if the guy's based in Australia as the chief operating officer, that's where you're gonna come from, through a VPN in Australia.

The mitigation there seems to me to be pretty straightforward, which is, MSPs could recommend to their customers: look, have an approved VPN that you're gonna use. Anybody that's connecting from the outside from any device is gonna use this VPN product. And that way we can build rules that state, if you're not using this VPN product, in the Microsoft universe, conditional access, you can't connect. In the rest of the universe,

at least SaaS Alerts can snag that and say, hey, it's not coming from the ASN of this VPN vendor, and we're gonna build a rule to lock that account as soon as we see it. So, Gary, to that point... Craig, are you seeing, like, the VPNs of old, are you like, look, you gotta do something conditional-access related and true access control? Yeah, I mean, I think at the enterprise level, absolutely, right.

But I think exactly what Chip said is right. You have to incentivize behavior sometimes, and having an approved VPN is a really straightforward example of that. Say, hey, look, pick one, right? We can tune it, we can do all of these things. But certainly the stream of conditional access policies, device trust, all of that type of stuff definitely comes into play. Yeah. Very cool. Wes, sorry for pulling it away.

Yeah, no, those are good corollaries to all of this. And I think these are healthy conversations for us all to be having, to even think like, let's do a bit of a threat model for just a minute. Chip, you mentioned much earlier that at SaaS Alerts, you guys actually just reset sessions every 12 hours, which I think is awesome.

I think that almost eliminates... my brain would tell me that would eliminate pretty much a hundred percent, 99.9% at least, of session-based attacks. Because, let's think about how bad guys get access to these for a minute. I was reading about the Genesis Market takedown a couple months ago, and one of the things that Genesis Market was really well known for was they didn't just sell usernames and passwords like a lot of the dark markets do.

They were also selling session information, and then a pre-configured Evilginx. So you could just log right in. Simply, I purchased the credentials, I purchased the session, I get the configuration, I just load the Evilginx browser configuration stuff, and bam, I'm in. Just that simple.

But I have to think that there's lead time there. It takes time for a bad guy to get it into a dark web, a darknet market, from the initial access brokers through. So I would even say, going back to this age-old argument, like, Phyllis, you mentioned, of we're all used to Ctrl-Alt-Delete to log in versus 12 hours. I would even feel better about, what if we reset sessions every week?

I don't know, does anyone here know, and Chip, maybe a question to you: do we know the actual lead time it takes for that stuff to go from access brokers to a market to being purchased by a bad guy? I would think 12 hours is awesome, but I'd also think 48 hours, 72 hours would be acceptable too, in most cases. What do you think? I mean, what scares me is that that's one of the target areas, the attack vectors, that we've seen a big increase in.

So that tells me that there's a lot more awareness in the black hat operator marketplace, and there's an economic incentive. So the pace with which those session tokens are gonna get moved around, I think, is gonna increase. I mean, our internal argument, to be honest with you, with my team was, I want this to be four hours, and our sales team and Jim and others are like, are you kidding me?

Like, I can't even operate that way. Which is how we wound up with, you know what, everybody that has any engineering access, you go with FIDO; the rest of you, we can go with 12. So what you're saying is you head up the sales prevention team. Yeah. Look, you know that sales isn't my job, Gary, that's Jim's job. I'm just teasing, but I get it. What about orphaned workloads, though? What's that? Orphaned workloads, though?

That's, I think, where you get into a lot of problems. Especially in the cloud. Can you elaborate a little? Yeah. So something gets spun up in the cloud, and it's a persistent server, and then whoever used that server, or whatever application team, gets done with their testing and forgets to shut it down.

But it's still out there, it's still listening, likely because compute is semi-low cost; it's not costing a lot of money, so it's gonna go unnoticed, and it's gonna sit out there for days and days. And because CSPM isn't really... that's where it sits out there, and eventually something becomes exploitable. You have a vulnerability, and then it doesn't really matter what your session limits are and all of that other stuff.

That's one of the things with cloud computing that went away, the whole provisioning process. Anybody can spin up a workload. Yeah. Craig, what's your thought?

And sorry, guys, if I'm turning into the interviewer for a second here, but we hopped over something, which is the pervasive tokens on iPads and iPhones, these tokens that never expire. We haven't seen that as an attack vector yet, but I'm just wondering, more on the enterprise side, Craig, where you're tilted more than I am: is this a concern, and are people seeing it? Absolutely. Yeah.

We've done a lot of research into Chromebooks. We ended up not allowing them into the enterprise when I was at HP. iPads and Macs, but with third-party management software installed on 'em, stuff like that. Definitely no true BYOD; it had to be vetted through cybersecurity, and we had to be able to manage and monitor the device. Interesting. Gary, over to you, my friend. Yeah. Well, I have a couple questions, but I wanna make sure I get this one in.

So Chip, you recently released something I believe is important for anyone that may be using an RMM solution. Can you talk about this? Yeah, so two weeks ago we released a new module called Unify, which takes device data and correlates it with the SaaS application data. That's the easiest way to explain it. You know, again, when we first launched SaaS Alerts, we were a hundred percent focused only on the software-as-a-service application side of it.

We realized through working with the RMM vendors, and really monitoring them for their internal security, right, there's a wealth of data that we can pick up about all of the devices, very similar to what you would do using Intune. There's just not enough penetration of Intune in the SMB marketplace, because it's an expensive product. So what does that look like in the end? Like, you take this data, what's the outcome?

The outcome really is a nice, tidy interface that we've created that allows the MSP partner to match up devices to users. And then, as soon as they see an action taken by a user on a new device, they can flag that in a particular way. You can imagine Christmas time, there's all kinds of new devices, right? And I'm not saying that facetiously, by the way. We see our new device detection alerts, which we've always done; we get a new device itself.

We get that information from Google, from Microsoft, from Salesforce, Slack, also, you know, most of the SaaS products provide it, and you really do see a big bump in the holidays. But add up new device with new location with different hours, you can correlate all this stuff together. Yeah. Now you have a much higher probability that you have a potential compromise going on.

And we're using the RMM data and the device information from the RMM to provide additional correlation to the SaaS account usage. Yeah. In theory, that's super powerful, right? Every time we can add one more vector to correlate, that's a big deal. Well, where it helps the most, Gary, is in actually reducing the signal-to-noise ratio, or rather improving the signal-to-noise ratio. Yeah.

And that's the biggest complaint I think any MSP has ever lobbed directly at me about our product, and every other product that's trying to do monitoring: how do I tune this so that I'm not getting blown away by so much wind that I never hear the birds chirping? And that's what this really helps with. You can really dramatically improve or increase your certainty that you have a compromise event going on.

If you could say that is absolutely not a device that Gary Pica has ever used before, and it's the middle of July, like, something's not right, you know? Yeah. Listen, that is a great point, with, just in general, there's so much signal noise from so many areas now. I remember the first time, early on, when we first installed, way back in the beginning, customer number probably 15 of Kaseya, right?

And the first time everybody turned it on, there were just alerts everywhere. And I was like, okay, this is completely useless. If we don't figure out how to understand the difference of a false positive in some way, we're not gonna be able to get data that we could use. And it was effort, right, to get there.

So I think that's super important, but think about it, they've got 20 other things that are sending them some type of alerts, and from an aggregate standpoint, an MSP either has to figure out how to do that with technology or a third party, which is expensive, but they're gonna have to figure it out. Otherwise, what good is knowing what's wrong if it's buried in what's right? Yep. That's the perfect way to turn the phrase. Yeah, absolutely.

So a couple things I want to ask. Craig, if you had a magic wand, right, what would the ideal identity and access management policy and implementation look like in a perfect world? Oh my gosh. I don't know. That's such a hard question. I would say, like we talked about, identity governance, that's really important. So people can't snowball permissions, and when people leave the company, their account's not out there to be compromised.

I think there's a lot of things. You're saying basics, the basics, 1, 2, 3, discipline. Just basic discipline will solve the vast majority of problems. I think that's the biggest thing. Unfortunately, identity was neglected for a long time, and then COVID happened, and now it's getting all the attention. But nobody knows how to sell it internally, really, I think is why it has such a slow adoption rate. Gary, can I just ask Craig something on that? Yeah.

Go ahead. The point is that, Craig, for SMB, I think CIS Controls, and MSPs have really gravitated toward Phyllis and what they're doing there. Is it really just looking at role activation and deactivation and trying to come up with something policy-based? And then the next question is, can we put some type of automation in place for MSPs and replicate it?

And, not trying to lead the witness, but is that what you'd be getting at? Yeah. I think the thing is, and you call 'em personas, right? So a group of people that likely do a similar function in the company, and what level of privilege do they need to have? That way you don't have to have every single person with their own configuration.

You can say, oh, you're in this role, you get this level of access, and when you join, when you leave, it changes dynamically. Mm-hmm. That level of automation is the only way to have identity governance. You cannot do it manually, at scale at least. Mm-hmm. Interesting. But you think about how many MSPs are out there right now that have thousands of users under management spread across 30, 40, 50, 60, a hundred, 300 customers, right? Right.

And so that level of complexity to get there is really what we're up against. Every single week we end up there somehow, Andrew. No doubt. Yeah, man. So the last thing I had was kind of unpacking, and you did talk about this, Craig, adversary-in-the-middle attacks and how phishing campaigns leverage credentials to bypass MFA. But we've talked a lot about it, so I wanted to ask the question specifically. Yeah.

Very simply put, right, man-in-the-middle, phishing, somebody trying to get you to socially do something, or proxy a session through their machine, impersonate something. The way to bypass that is generally, or was at least, MFA, and then the user community started to complain about things like MFA fatigue.

I think, like I said, a proper privilege orchestration program will help address that, and any sort of user behavior analytics. And you're starting to see a lot of the different identity providers out there add that into their offering, because you started to see attacks like MFA bombing, where companies would disable MFA. So you're starting to see a lot more user behavior analytics being part of the default offering from those companies.

So I'm hoping that will increase the MFA adoption rate and also start to stop a lot of these attacks that MFA was originally designed to stop. Yeah, it's crazy. Chip, as we're coming up on the end here, just about five minutes left, is there anything we should have asked today or missed, or anything else that you want to share?

About, kind of, when you sit every day and your whole life now revolves around trying to protect end users, for MSPs, from this: what would you say is the biggest attack surface right now? What do you think about? What still keeps you up at night? Well, what really keeps me up at night, like I said before, is our own internal infrastructure.

And not because there's anything wrong with it, but because, as Craig correctly pointed out earlier, the bigger attack surface is actually the cloud platform itself.

But on the MSP side, look, we've seen a dramatic evolution in a relatively short amount of time, at least in our community, of best practices being implemented more and more often, of people learning how to talk to their MSPs... I mean, talk to their customers. That's the one thing we didn't touch on at all today, the communication aspect of this.

It's so vital that MSPs bring across the importance to their customers of just better configuration management and, frankly, paying a little bit more for 365 and getting some better features on the security side. Don't cheap out, buy Business Basic, and hang out down there at the five-person startup company level, working out of a garage forever.

Because eventually that's gonna cost you. You just don't have access to all the tools that you need to do the job correctly. So I encourage MSPs to bring that message to their customers as much as they can, and to help them understand that there's an ever-evolving threat universe. They've moved to the cloud for better security. It's way better than what they were doing

with some other notion on premises. But don't just stop there. It's not like, just 'cause you made this one choice, you don't have to make others. Yeah. And you know what, I ran a couple panels in Vegas at Kaseya Connect last week, and one session was a co-managed session. So we had some people who work with an MSP and why they choose an MSP, and we had some larger MSPs.

And what I've seen, I get to work with a lot of them, I sit on a couple of private equity boards and I know a lot of the other companies, and the message I'm trying to push down to the average MSP is: the companies that are MSPs at scale, they've tested it and figured out how to get this messaging down, right? You see a company like Thrive that just pushes out SaaS Alerts everywhere and explains it in an email and says, look, you've got 45 days, you can opt out.

We start billing you in 45 days, and they get almost no opt-outs. So the story it's telling me is, when companies are figuring out how to get more of their security stack to their customers at scale, maybe it's us and not the customers. 'Cause it's the same customers. We all deal with the same type of SMBs. It is us, and the baggage that we drag behind us about what we think our customers are willing or not willing to do.

But if I look across and see people that are at $350 a seat and other people that are at $125, something is wrong, right? Yeah. Well, that's, you know, we talked about it a little bit before. There's a bell curve on how much you're gonna spend for what you're gonna get and where that cost-benefit trade-off is. Look, you asked Craig earlier, what's your perfect scenario?

I know from a previous conversation, his perfect scenario is credential-less, passwordless authentication. And really, if you think about it, that's the dream that we all wanna try and get to, right? We're using FIDO at SaaS Alerts; we're obviously a tech-forward company. But in reality, my business data isn't any more important to me than the laundromat's business data is to them.

So what's the reason that the laundromat should be cheaping out on protecting their business data? There really isn't one.

So I would love to have these conversations about identity and access management being the garage door hole that everyone's coming through, that the rats are coming through, go away, and get us to focusing on, you know, what's the anatomy of a business email compromise, and how do you train people not to get caught up in a phishing email, click on a stupid link, and get their token harvested. That's the really complex problem.

But we're still stuck talking about identity and access management because nobody wants to take the steps. Well, really good, Andrew, today. Yeah. To that point, Craig, maybe close this out if you would. Craig, how have the conversations changed? What should they be looking like? You mentioned COVID, right? And we know the keyboard is the new perimeter, and it really is around identity now. How are you reshaping those conversations?

Any recommendations? What should those communications look like? Cybersecurity, and I think identity, has a lot of seasoned professionals in it who don't want to change the way that they're thinking. And in cybersecurity, we used to have the luxury of being a traffic cop, because everything flowed through us and we could just veto things. Mm-hmm. Boom, no. Yep. We don't have that anymore.

If we slow the business down, the business will just simply go around us. And then we all know what happens then: brand reputation damage, compromise, ransomware, all of those things. We have to be in the business of enablement. And the only way to do that is to understand what the business is doing and tell them why what you're doing matters. You want them to understand why cybersecurity's important.

You also need to be able to cross that bridge and understand what they're trying to do so you can enable them. Simple as that. That is so awesome, Gary. I mean, and team, you know, he summarized it blind. There's this guy Brian Blakely who we had on, awesome, like Craig, about how do you make money? And I think as MSPs we forget that we're enabling a business, and we're so focused on technology and security that we lose sight of that.

That's not what's on their mind, right? Mm-hmm. At all. Yeah. And you don't need to monetize fear. You need to monetize knowledge, share the reality of what the landscape is. This gap between how we view the landscape and how customers view the landscape, we can tell how wide it is by how much they pay. 'Cause if they solved it the same way that we did, it wouldn't be that way. Yeah. Very true. Great stuff.

So Gary, I know you mentioned what Chip's doing. I just wanted to let everybody know I put in a call to action. One of the really cool things Craig's team is doing is finally bringing a network auditor at scale in a SaaS multi-tenant platform. So I put in, there's a three-month trial out there now where you guys can do a network auditor, which is really awesome, in multi-tenancy. So with that, Craig, really appreciate you coming on.

I know how busy your schedule is. You just got back from RSA, so I appreciate you jumping in here, literally. Of course. Can't wait to do it again. Yeah, about an hour or so coming back off of that. Chip, as always, thank you for joining us, and it's great to see you. So thank you. Thanks, Andrew. Thanks, guys. Yeah, thanks, everyone. Fantastic week, and we'll look forward to seeing you soon. Take care. All right, bye.
