Right of Boom
January 30, 2025

RMM Services for Adversaries

Guests

Andrew Morgan

Video Transcript

Hey everybody. Welcome. Andrew Morgan here with Phyllis Lee and Wes Spencer. Gary is out today at some planning meetings. Welcome everybody. It's great to see you all. I have to tell you that I messed up. I apologize. For some reason my other computer, I was just in the Central time zone actually working on Right of Boom planning, which we'll be announcing soon for February 2023, and it didn't set back, and our guest got the invite for an hour later.

So I'm seeing what I can do to get him on earlier. In the meantime, again, my apologies for that to you all. It's a great topic. We can't do it this week, we'll do it next week. But in the meantime, I'm gonna let Wes and Phyllis chat a little bit about the Ransomware Task Force and some other things that Phyllis is working on. I'll be working in the background to see what I can do. Again, welcome everybody, and thank you so much for your patience and everything.

And Andrew, I'd be lying if I said I hadn't done that multiple times myself. Dang, it's a time zone thing, man. It happens. So, all good. If Garrett's able to join us later, we will just shift right over. If not, no big deal. So, Phyllis, I wanna start with this. You know, we've been talking about ISACs, information sharing and analysis centers, for years now. Like, I love that. Probably most MSPs... will you gimme a yes or a no in chat?

Are you familiar with ISACs? You know, not just "I know what it stands for" 'cause Wes just told you the name, but can you explain to somebody what an ISAC is? Gimme a yes or no in chat. I'm just curious. But Phyllis, everyone knows that you're known as the director for the CIS Controls, which is great, but maybe less known among MSPs is the MS-ISAC, the Multi-State ISAC.

So before we jump too deep into this, mostly yes is coming back, as you can see, but a few nos. Yep. So let's start with this. From Phyllis's point of view, how do you define an ISAC? Like, what is it in layman's terms? Yeah, sure. So there's a couple things. There's ISAC and then there's ISAO, however you wanna say it. So ISAC is a special construct set up by DHS, the Department of Homeland Security, for what they deem as critical infrastructure, right?

So there's FS-ISAC, which Wes used to play a big role in. He headed up the financial sector ISAC. And then there's transportation. So every critical infrastructure or vertical that DHS has designated has an ISAC. So SLTT, state, local, territorial, and tribal governments here in the US also have an ISAC called the Multi-State ISAC.

MS-ISAC. And the ISAC's role is to provide threat information sharing, which includes advisories, etc., advice, best practices, as well as training, incident response support, etc., to whoever they're responsible for. So for MS-ISAC, it's the SLTTs. The interesting fact about MS-ISAC is it's one of the largest ISACs, if not the largest ISAC, in the US, and it is fully funded by the federal government, so it's free. So the other part of CIS, the MS-ISAC, gets funded by DHS.

That contract is managed by CISA, and all the members get those services for free, which is nice, 'cause most ISACs do have to fund themselves, and so they have to charge. Right? So even as nonprofits, I mean, there's immense expense that goes into running an ISAC that I don't think people always think about. You know, like intel analysts, for example, right?

The worst thing you can do as an ISAC is just pipe an unvetted feed of indicators of compromise out to your members, when you have small members that don't know how to deal with it. I was always talking to FS-ISAC about this. Like, guys, I'm not Bank of America, so if you pump me an unvetted raw feed, I can't do anything with it. It's gonna be full of noise.

So the need to have intel analysts that are carving through member reports, understanding what's happening in the federal sector, threat research with external parties, and then combining that back to members to tell a story of what's happening, I think that's a vital piece of what ISACs should be doing, don't you think? Yeah, I agree. I agree 100%. Additionally, with that membership, I think you get one or two free sensors, which we call Alberts.

And then we have a 24/7 SOC that does detection, etc., and we'll notify victims if they see something happening on that victim's network. And I love that, by the way, because to my knowledge, you might be the only ISAC that actually provides some amount of managed detection and response.

And that's actually, I guess I can share this now, that's one of the reasons Perch went to market. We came out of the financial services ISAC, and we were constantly preaching to them like, hey, small members don't just need a feed coming into a threat intel platform. They can't do anything with that, right? I mean, it's great for them to have all of this immense intelligence they can search for, but they don't do anything with it.

Why don't we have something they can... like a team that can actually look for those threats on the network? And you guys are actually doing that. Who's eligible for MS-ISAC as a client? Well, I'll let you answer. Yeah. So any state agency or local government. So schools, K through 12, anybody in public sector that's SLTTs. Yes, yes, David Ellis: municipalities, local governments, local agencies, etc. Everybody is eligible.

You just really need to go to the website and register. National Guard even is eligible. So, you know what's ironic about that? I have insight now into the riskiest industries, and this is always changing, it's sort of in flux, from the cyber insurance side of the house. And of course cyber insurance knows more about breaches than anybody, even the federal government, 'cause they're the ones that pay these things out.

And one of the top three most risky is government and SLED. All of the school systems, you're just rated much higher. And I think part of the reason for that is what you just mentioned. They don't have the budgets, they don't have the capabilities. And so to be able to roll MS-ISAC into this, I think, is pretty awesome. Right? Yeah. I mean, I will say one of the largest communities right now reaching out to us are the K through 12.

And so right now they are subject to state privacy laws, which, I don't know how many MSPs are supporting K through 12, but they're subject to privacy laws. Think about it. And these poor IT departments, they're usually two people, maybe one to three. The bigger counties or the more well-funded have maybe four to five.

They went from supporting really just teachers and the schools, like a few hundred, to literally thousands and thousands, and the bulk of their end users are K through 12 students. And now they're responsible for making their school district come into compliance with their state privacy laws and providing end user support to these K through 12. And it's really difficult. And so there's a lot of outreach on, like, how is it that we can become compliant with these privacy laws?

It's very interesting. They all want IG1, Implementation Group 1, training, or how is it that they can do that? And in addition, their biggest end user perhaps, or maybe, I don't wanna say offender, but the one that needs the most training, the teachers, they can't be trained because of the teachers' union, which I think is so fascinating. 'Cause the teachers' union is saying, hey, teachers only get trained on how to educate students.

That's our number one priority. Cybersecurity has nothing to do with that. So it's just so interesting. And that's really for historical reasons. Everyone has Chromebooks. Everyone is doing online learning or something virtual. Like, many people of course are back in person, thank goodness. But homework, collection of homework, checking of grades, all that stuff is online now. So it's so interesting.

And I would even push back on the whole, like, "teachers don't need to be..." I mean, we teach sex ed, we teach financial ed. Yeah. Why do we not teach cyber ed? Like, that's a huge component today, especially when you look at what happens with older folks being swallowed up in all kinds of scams and frauds.

I mean, there's absolutely a need for that, let alone just plugging the future of STEM, and really finding good young talent that is interested in cyber. Because we see, if we don't start this at the youngest of ages, we're gonna really struggle with having a pipeline of talent, and it's not gonna get fixed until we address that. So I totally agree. There's... oh, yeah, go ahead, Andrew.

I was gonna say, to that point a little bit further, Phyllis, do they acknowledge at all, like, okay, you don't wanna train your teachers yet, but what about all the social bullying that happens online? Forget risk of a cyber attack, but a teacher has direct impact and influence on their students, and one of their students may be dealing with something right this moment, right?

And probably are. Do those conversations come up, and why is there such a myopic or shut-off view of that? Yeah, I don't know. I mean, I think it's just another example of where we have old, antiquated rules or laws that have not been updated to address cyber. And I liken this to people who rob a bank. We understand what it means to rob a bank.

And so when you go to court, everyone understands, like, there's these laws: you go in with a gun, it's this amount of time people get, you know what I mean? But when it comes to robbing a bank online, we don't know how to apply those laws, right? Because you're used to things in a different light. Same thing with training and teachers. They only understand, and even the funding is not for cybersecurity. They only understand educating children in a classroom, not virtually.

They only understand teachers physically educating children. And it's true. I find that there's a lack of training in the school system about cyberbullying, about cyber, period, even in my own children's schools. And so the school districts are trying to figure out how to deal with the teachers' unions. I talked with one IT person, and the union pushed back on him when he just did phishing training, anti-phishing training, for his teachers.

And the union pushed back and said, hey, why are you trying to trick my teachers? Are you grading them? They don't get graded on whether or not they click an anti-phishing email. That's a big no-no. Wow. And so it was a big push-pull of, no, no one's getting dinged. It's just training to make things safer. I promise you, not one teacher will get in trouble if they click on the anti-phishing email.

And so you've got those kinds of dynamics going on. So one more, one more, if I could go, Wes, and then I'll let you continue. No, please. Yeah. So, you know, I know you guys may not see it, but there's a lot of gray hair in here. I grew up in the era... we were right next to an air base, the Vietnam War was in full progress. So we had air raid drills, duck and cover.

And so again, I'm sitting there, okay, so you can train physical security, but... to me, it's like the two aren't making sense. So they can do a fire drill, right? But you don't want me to teach your... I can't. So again, it's not adding up to me. I agree. I agree. And I think that we need to educate our children. You see it as part of the curriculum, right?

Like, of course, those of us on this call probably tell our children, hey, once you put something online, it's there forever. But kids think they put it online, they delete it, it's gone. Like, kids need that kind of education. You know, we talk about mis- and disinformation. What country was it that I read about? They found the most effective way to combat mis- and disinformation, because they were so close to Russia. What this country was doing was really just teaching it in schools.

Like, don't believe everything that you read on the internet. How is it that you can actually verify or validate that something is true versus not true, etc.? It's a big problem, and we should teach it as part of our curriculum. And the teachers should have that training. I'm putting you on the spot on this one, Phyllis. Are you aware of any countries that do incorporate cybersecurity training into curriculum at a K-12 level? No.

I have to re-look at that article. It really was because of the close proximity to Russia that they really needed to work on the mis- and disinformation. Mm-hmm. But I'll look it up and then I'll share it back out. Okay. Well, this is fascinating, and it certainly is something that I'd love to see the federal circles really kind of come full circle on and reassess. Right. You know, I'd love to see CISA put in some influence around some of this as well.

I realize they can't be the ones to make those changes, but they can certainly advocate for it in a way that may catch the ears of others in Washington. So this is good. I agree. I mean, I just wanna give you one example as well of how old... even the funding. These poor school districts don't get funding for cybersecurity. They do get funding; there's like this one way they can get funding. It's called E-Rate, through the library system.

They can get money for internet access, and they can get money for hardware to access the internet, but they can't get any money to use for cybersecurity, right? So everything, even their funding mechanisms, is outdated, 'cause that money is already earmarked for things within the school system. So they just can't take money away and be like, okay, now we can dedicate these dollars to cybersecurity. We really need to update how we fund our schools. Indeed.

I had no idea we were gonna stumble into this conversation, but this is fascinating. What a huge problem you have. Hey, Wes, one thing you mentioned is your insights in cybersecurity about attacks on municipalities, K-12, SLED, because they don't have the funding.

Just curious, Phyllis, does that corroborate, I think is the right word, with all the threat research you guys have looked at, like for the Community Defense Model, the Verizon data breach report, what CrowdStrike did? Is there a corresponding by-industry breakdown as well? Did you see those as being some of the top being attacked? I see.

So I would say, when we looked at it for those top five attacks, like ransomware and malware, etc., it seemed like all industries were being hit. I haven't gone back and looked to see K through 12 in particular or SLTTs, other than to say SLTTs are recognized as a high target. Mm-hmm.

And when I came back from the MS-ISAC conference, also noting that K through 12, 'cause I had a special session for K through 12, K through 12, just like everybody else, are having a hard time getting insured. And they want to know how is it that they can get insured when they really can't fill out that questionnaire from cyber insurers and answer yes to all those questions. Like, MFA came up so many times.

I did also have a cloud service provider there, the one that I think is most prevalent in classrooms, which I guess you could guess. I asked Google to be there to say, how can we help these guys implement IG1 in the classroom? And the number one thing that came up was like, we can't say we can apply MFA across all our end users, because not everyone has a phone, right?

How are you gonna ask a kindergartner to use MFA to log into their Chromebook when kindergartners don't have phones? Or some parents don't want their kids to have phones and bring them to school, and it's expensive, and some kids can't afford phones. Like, it's a big issue. And so, just like everybody else, the K through 12, these school districts are like, we need cyber insurance. We're getting hit with ransomware.

How is it that we're gonna be able to do all this stuff? So RSA tokens and YubiKeys, someone mentioned that, and they're like, I have students who are losing Chromebooks. There's no way I can give out tokens for MFA. Maybe we have an implantable YubiKey in them, right? Like, inject each student with one, right? Regardless of age, kids are gonna lose their laptops, let alone a hardware token. So yeah, for sure.

And now you understand, not you, but those listening understand, this is why education as a whole is such a risky area. It's such a mess in so many regards. No wonder, from the insurance side of the house, they say, oh, you're in education, your rates are X percent, and a significant X percent, higher than other industries.

And there's certainly carve-outs and limits that exist around all of these things because it's a huge challenge. There were a bunch of questions that came in early. I wanna pull this back a little bit around when you had mentioned that MS-ISAC is available for municipalities, for example. A bunch of folks asked about, like, what about if it's a private municipality of sorts? Maybe it's some kind of electrical co-op.

Are those eligible as well for MS-ISAC? That's a good question. I'm not quite sure. I mean, if it is state-funded, then yes. Okay. If it's privately funded, I think we're walking a fine line. Okay. And there's another problem, because I think you have some of these, and I don't know enough about the structure of them, but some of these very rural electrical co-ops that have to be somehow supported, maybe at some local level.

And I know there's membership fees to join and things like that. It's the only way that some of these rural areas are able to get local electrical service. So I don't know how that works, but I thought I'd ask the question. Yeah. No, that's a good question. I would say let's go to the website. Like, the MS-ISAC website hopefully gives more details. Okay. Sounds good.

Another question I had for you: you mentioned ISAOs and ISACs, and there's a separation between the two. One of those key criteria is what's designated as critical industry. And we can maybe pop a link up in a second when I get a minute to Google for it on critical industry, or if someone in chat wants to do that for us. But I wanna come back to... I'm gonna put you on the spot again. John Strand made a comment that I thought was really insightful many months ago.

He said, I'm not even sure I like this idea of critical industry anymore. Like, where did that come from? What happened with that? Why is it not all industries are critical? Do you happen to share that opinion? And does that opinion have any kind of challenges or issues with that separation between ISACs and ISAOs? Like, are ISAOs truly at the little kids' table? Or is it just a name designation on critical industry?

And that's really all the difference is? I think it's a little bit of just a name difference, honestly. Like, I think everybody falls into a critical infrastructure, quite honestly. In the past, it kind of goes back to authority. So if you look historically, DHS has authority over critical infrastructure and key resources, meaning they're the ones who mandate the regulations.

They're the ones who can tell power, hey, you have to do things this way. Or they're the ones who can give funding. Oh, hey, Sonny. And so, yeah, I even messaged Mister... Slagel, but he's ignoring me. But yeah, I figured we'd get some MSPs and their perspective, 'cause they're the ones on the front lines. So, yeah.

So ISAO also now is a new construct, meaning that anyone could set up an ISAO. You're still a part of a critical infrastructure, probably, but perhaps a special interest group within the critical infrastructure. So I do believe almost everybody falls under critical infrastructure, right? I think even IT is one, so MSPs would fall under there, I think.

Of course, obviously DoD, the government, transportation, power, everybody, I do believe, falls into a critical infrastructure. That structure was set up really because of funding and to really delineate what DHS's authority is. The ISAO construct came later, to say, hey, we recognize that there's these other communities that want to share. And so DHS doesn't necessarily manage those ISAOs, but it does recognize them.

And when you create an ISAO, you do get some legal protections. You just have to apply to be one. You become one, and almost everyone gets to become one. And so it just depends on what community you want to have, and you can create that ISAO. Can I change subjects just a tiny, tiny bit? But it kind of goes... you're making me think of something, Phyllis. So you mentioned some of this idea of collaboration, federal government, all of this stuff.

And one of the things that we've done a good job of in the past, probably five years, is sharing actual threat intelligence data, right? Like, I'm seeing this IP address associated with this particular threat campaign, these IOCs. Like, we're getting good at sharing what we call IOCs with one another. And we've even developed technologies to do that, like STIX and TAXII, if you wanna look those up.

Those are basically just open source protocols, or like a taxonomy, to be able to express and share that information. We standardize all this, but something we're missing is the ability to share incident data.

And I think incident data is one of the huge gaps that we have, because you look at vendor threat report A, vendor threat report B, and we know that it's only the things they happen to see. There's a lot of stuff they're missing out on. We're not sharing cyber incident data at the top level. And I know that you have a lot of insurance carriers that have that.

You have the federal government that has some of that, like the FBI and those. You also have certain vendors, like incident response, that have it, but we do not unify that at all, and it's a huge problem. Do you think that ISACs can serve as some kind of middleware, as a broker of that kind of data, to where we can actually get better incident data? What do you think about that? I think that that's a great idea.

So I'll give you an example of an organization that was set up just for that, and it was for the DIB, the Defense Industrial Base. They created a voluntary program where organizations could share incident response data.

Now, one of the biggest barriers, in my opinion, to organizations sharing incident response data with an ISAC, which is recognized as a government entity many times, is that no one wants their company to be known as the one that got compromised. And so that is a big barrier for folks sharing. So there was, I forget the name of the program, for DIB partners, because of all the supply chain issues.

And we used to say the number one rule of DIB whatever is, you can't say who's a member of DIB, kind of like Fight Club, right? So they did set up a government entity where you fill out a form, they anonymized the form, and you could just submit your incidents, you could submit the malware for analysis. And then that organization's sole function was to turn that around and share it with all the members, right?

And so it would be like, okay, here, a company, a victim, saw this, and here's what their IOCs are, and here's the malware, and they would push out a report for the incident response. It took a while for that organization to actually kind of get off the ground. And then they started having conferences once or twice a year, and it was very well attended. And you really built this trust within that community.

And of course the bigger organizations shared more, but it was nice because they actually were sharing. Like, Bank of America would never share with Columbia Bank, my local Columbia Bank down here, right? That just is never gonna happen. And so it was nice that that was happening within that community. I would love to see organizations do that more. I would, and I think ISACs would be a great venue.

It's just that organizations have to see that as a way of not being held liable for the fact that they were compromised. Not getting an F on some report card somewhere, some big black eye. But I think that's a great idea, Wes. I happen to think we have a pathway to make that work, right? The same argument you used, of organizations saying, we're not sure we're gonna share.

Threat intelligence came from what you just mentioned, of legal coming back and saying, we're not sharing that. That puts a ton of burden on us. And then CISA came out, not CISA the organization, but CISA the Act, in 2015. And that sort of came in and said, hey, if you share with your ISAO, that cannot be subpoenaed. You have all of... I forget the term they use with that. That's rights... but you have the protections.

So I happen to think that if we could add onto this and say incident data is also something that can be shared with the ISAO or ISAC as an intermediary... we still need a mechanism to share it, right? And I'm gonna pop this in here. For those of you who haven't seen it, I reached out to the STIX and TAXII folks the other day and asked them, hey, are you guys building upgrades to STIX and TAXII to be able to share threat... I'm sorry, incident data? And they said, yes, we are.

And so there's a link to it if you guys wanna look at it. It's open, so I can send it. But I think this is cool stuff. I mean, imagine, Andrew, I know you wanna talk, but I'll be super quick on this. Imagine the future where we're now sharing between ISACs and the federal government actual incident data, so we can actually see, we know for a fact this threat actor is doing these TTPs, is going after these industries, with this much damage. And we know this for a fact.

Like, that's powerful stuff that we don't have visibility into right now. But we have some of that stuff right now. I mean, if you look at the aggregation that Duo is doing, and the aggregation that OpenDNS is doing, and aggregation of those types of things, we're getting some of the external threats unified. And I don't think they're sharing a lot with the world. They're using that to protect the world proactively in a lot of ways. Yeah, fair point.

The data's there. Yeah. I have a question for you, Wes. So there are also, built into the system, I'll say, penalties. Like, so when Target was breached, the SEC came down and they're like, we're gonna give you all these fines and we're gonna do all this stuff to you because you didn't do what you were supposed to do, so you got breached. There could be a lot of fear like that.

And you coming from a highly regulated financial sector, what are your thoughts on that? Well, one of the things... it's a real-deal thing. You can Google for this: search "FDIC enforcement orders". These are public orders that the FDIC has enforced against individuals and organizations, where they've said, you have egregiously broken X, Y, Z, and they explain what's happened.

There can be fines, there can be cease-and-desist orders where you're never able to work in the finance industry ever again. There can even be, in theory, prosecution. That's crazy stuff to me. And we would, for sure, look that stuff up. We were very well aware, Phyllis, of those kinds of things. And this is where I think regulators, in industries where they have the ability to carry out enforcement actions, have a lot of teeth, for sure.

That's enough drive. Are you guys pilots? I'm a pilot. So am I. And never ask a pilot if he is a pilot, 'cause if he is, he'll tell you, and if he's not, there's no reason to embarrass him. Right? But the key thing of that is that they have a concept in the FAA called a NASA report.

And in the FAA, when you make a mistake and you cause a near air collision, or you bust certain kinds of airspace or something like that, you can file a NASA report and tell in the report what you did, what happened, what caused it, what mitigations you've put in place, and what learning you're doing around that so you don't do that again, and they cannot fine you for that event. Hey, Sonny, can I make a quick comment about that real quick? Sure.

I was speaking with a lady, and we'll have her on at some point. John Strand introduced me to her. Her name's Tarah Wheeler, brilliant, brilliant lady, who works in more of the GRC area. And she's developing a third-party vendor risk assessment platform as we speak. And she's a pilot, and she's actually using the processes and procedures of aviation and trying to bring them into cyber. And I guess maybe you can comment on this.

She's like, have you ever noticed that in aviation... you know, she starts pulling out these pamphlets. Every single, I think she said monthly, something is coming out. You have to review it, you have to do this. And over a period of time, there are processes, and if you're in that field, you have to abide, you have to do these things. There's no ifs, there's no "should I's". And you review them every single time you fly.

And she's like, why aren't we applying what we've learned in aviation in cyber? Can you comment, and maybe you can do a better job than me? Sure. And aviation didn't learn that on its own. It came from other industries like medicine and places like that, where they implemented checklists and they implemented things of that nature. Counting sponges in and out. And as pilots, we have built a culture of examining what went wrong.

We have podcasts on every crash that ever happens, what the FAA got right, what the FAA got wrong, YouTube channels all based on this. Everybody's doing continuous learning.

A checklist of a checklist over checklist in the cockpit, cockpit resource management, things that we have to manage so that we can use our tools, decision-making matrices, and even five different emotional attitudes that we have that can harm us as a pilot, such as hubris, "this could never happen to me", or invulnerability, and different mental attitudes that we bring to the thing.

And, and I don't think we've yet, we're, we're such an immature industry that we really haven't come to the place of saying there's even a regulation framework, let alone, um, the, uh, a disciplined methodology of improving the number of breaches per X every year. So we're, we're a long way from that. But it's a, it's a, it's a great way to bring a, a, a technology that's working in another field into our field. That, that's kinda what she was saying, Sonny. And she was really out.

I, I gotta put you two together as pilots. And then I don't know if, uh, Steve Pollock's on, but another, I'm sure there's a lot of, oh, oh, they're all saying they are in the comments. It's, oh, it's funny how many MSP owners are pilots, right? Yeah. Like Keith Bartol, if he's on, is a pilot. Um, yeah, there's a lot of them. I, my, I didn't realize my, my chat was not scrolling. Wes, over to you. Sorry. I, Jennifer Lynn Walker's a pilot. They're just throwing it in there, you know. Yeah.

The pilots, uh, we, we, we, we, we're, we're the most awesome people in the world. Everybody looks up to us, right? Well, I did stay at a Holiday Inn last night, Sonny. Does that qualify me? Well, I was meaning 'cause we're up in the air. That's the only reason they're looking up to us. That's awesome. Sonny, I'm just curious what your comments and thoughts are on all this whole conversation.

Just, uh, just open, open question to you from the education side of the house to, um, ISACs and ISAOs and sharing incidents, all this kind of stuff. What, what are your thoughts here? Um, I think the, I think the sharing matrix is a terrifying idea to a person whose livelihood is bent on, on keeping that sharing stuff. And we've got to have a framework. That's why I was talking about the NASA reports.

I think we need to have a framework for information sharing that, that, um, eliminates threats to the person that's sharing. Mm-hmm. Um, and, and if you had, uh, if you, if you had a, if you had an issue, if you reported it and then no one could come after you with litigation or something, that would be huge. You know, then people wouldn't be afraid of doing it. We'd become more and more and more strong. But the, the, the threats to coming after people are multivariate.

I mean, they're not just getting fired, it's also getting sued. Um, we, we're, one of the really interesting things I was in, CMMC, that's going on this last week was we, we're sitting around at, um, Evolve, ConnectWise Evolve, and talking in a CMMC group. And one of the things that came across is, you know, no one's really failed these CMMC audits yet.

And when they do and they've got a million dollar contract riding on passing that audit, what do you think that company that fails the audit's gonna do to the auditor? They're gonna sue 'em and they're gonna sue them and the C3PAO, uh, for, for doing that. And it's, so the auditor's now under threat of suing to, to not pass. This is a huge threat to the auditor. What's the odds that the auditor's gonna fail him? So, so Sonny, not tell them how to pass.

So do you think there, there might be some hold harmless regulation, knowing that, to, to mitigate that and let the audits be? The people that are running CMMC are not doing it at a regulation level. They're doing it at a DoD, um, uh, uh, DFARS level. Um, it's sort of how do you do the regulations rather than actual regulations? And, and so they, I don't think they have the ability to hold harmless. Has anyone even gone through a CMMC evaluation? I didn't think anyone.

There have been about a dozen so far, and they're all provisional at this stage. They, the, the laws, uh, it's October before the final, uh, rule is in place, right? But, um, all the provisional ones are expected to be just grandfathered in at that point. Um, and, and these audits are, are like a hundred thousand dollars right now because they're having to bring the DoD people into them and stuff like that, because the DoD is verifying that the, uh, level two guys are actually doing it.

It's, it's a whole nother burden. I really don't want to hijack this, this conversation. The really interesting thing to, to me is how do you, how do you keep the children safe? I mean, you have children that literally cannot learn cybersecurity yet. I mean, they're, they're, they're, they, a lot of 'em can't even type yet when they're getting into school. And, um, keeping them safe and, and keeping the, keeping the school safe from them is, is an amazing task.

So I saw, you know, some folks said they do support K through 12. Some MSPs do support K through 12. Um, it's usually a very specialized group of MSPs that do that, I think. Oh, really? A lot. I think there's a lot, there's a ton that deal with E-Rate.

I don't know about on this call, but I did put up a poll. If, if you haven't hit yes or no, could you, could you hit the poll to just maybe give us some more meaningful data, because we have hundreds. And E-Rate no longer supports it, or security, the IT support or security. Interesting. Interesting. I'm gonna try and see if Lisa Mitchell will join us too, 'cause she has a great question for you, um, uh, uh, Phyllis, in terms of, uh, the ISACs and cyber insurance.

But, um, but Sonny, are you, you know, seeing the need or, I mean, you, you deal with regulated clients, right? Um, are like, do you have healthcare as an example? Or, and, and are they ever mentioning like the H-ISAC? Um, which is the second biggest. The, the doctors are barely really doing HIPAA and HITECH. Mm-hmm. I mean the, the, the hospitals are pretty good at it, but, but the doctors are stumbling forward into, into compliance. Right? Right. Interesting.

So Phyllis, like, almost 40% of MSPs so far that have answered are in fact dealing with K-12 and SLED. So, um, that's awesome. I'm curious, I, I put a question on the chat, like, you know, are the K through 12 asking for cybersecurity help? Are they asking for compliance with privacy laws? Are they asking for help with getting cybersecurity insurance?

But, and Phyllis, to your, just real quick to you, don't most, when you're talking to MS-ISAC members, don't most of 'em say they are working in some capacity with an MSP? Yes. Yes. I was just saying to Wes before the call, we have to get more MSPs at the MS-ISAC annual meeting next week to brief, you know, um, many organizations, SLTTs, don't know what to ask of their MSP, you know, how is it that you can ask for cybersecurity, or how is it that MSPs can help these SLTTs, or even come to the table with, hey, he, here are the things that you're needing, um, or that you probably need, and this is how we can help you? Um, many, um, well pretty much every SLTT, um, you know, has the opportunity to fill out the NCSR, National Cybersecurity Review, which is a self-assessment, um, that maps to NIST CSF as well as, um, CIS Controls, given out by the MS-ISAC.

And many of those SLTTs don't fill it out 'cause they don't know how to, they don't know how to self-assess. Right. And, you know, it would be great if they could work with their MSPs, or MSPs could say, well, you're already, these are your responses for the NCSR. And that in turn is how those SLTTs can get funding. Right, yeah. And then also show improvement over time.

One K through 12 school district said they were able to show improvement over time with their NCSR scores, which helped them, um, get their cybersecurity insurance again, and with like little to no, um, increase in rate, just by showing that they were improving with their cybersecurity program. Andrew, I'm trying to page Will Brooks, if he's on. Will knows all of the answers on this stuff. He actually deals with a lot of schools and insurance. I don't know. Will, are you on chat?

Can you DM here so Andrew can see and you add you in?

Yeah, it's, and by the way, Phyllis, you ask a really interesting question, and I, I encourage anybody to go back a few weeks when, um, Eric Till and David Bennett were our guests, Eric being, um, one of the, uh, like he provides fractional legal to many MSPs, uh, in our audience, and was an MSP owner himself, and was talking about the potential liability, though, if it, if helping with questionnaires, whether they're cyber insurance questionnaires, Phyllis, or the type of assessments you are, you're mentioning.

So it'd be interesting to get his take on that as well. Right. Um, because if it's not aligned, you know, in your scope of work and your MSA, he was suggesting that, you know, there could be liability in those areas. So, um, anyway, um, Will, is Will on? Usually he's here. Yeah, if you scroll up. Um, he's right there in chat. Um, it's just, his name's just Will, that's why I couldn't find him. Oh, let me try to find him. I might suggest, Will, you add your last name, my friend?

Uh, Will's an actual, be bad against security rules there. Fair point, Sonny. Uh, I'm trying to find him real quick, quick here. Uh, and by the way, I didn't, I didn't know if you just click on his name from chat, Adam. Yeah, I can. Oh, there he is. Okay. Hey, Will, there you are. I'm gonna try and get you on here. Hopefully the, all the technology works well too, right? We're, it's usually, we're going YOLO mode here. I like it. Um, I like a relaxed cyber call though. This is fun.

We're just kind of shooting it. Well, I'm glad you are relaxed. I was freaking out and trying to get Garrett on initially. I had enough F-bombs, I think, to put myself in jail. Um, Phil, uh, yeah. But, um, uh, put taking, uh, Phyllis back to our NSA days. Um, but did you guys mention the new reporting requirements that came out in the new, um, act that was just signed by Congress? Are, are you talking, Sonny, about the new, um, omnibus rollup that had the cyber incident reporting stuff?

We had talked about that, I think, Andrew, when it first came out, but we haven't really discussed it much since then. You wanna, uh, yeah, I guess you got some thoughts on it, Sonny. Uh, I was just very blown away by the number of people, including MSPs and IT providers, that are, they took the, a list of, of what they called those, uh, critical industries, and they said all these people have to report all their cyber events within two weeks.

And if you have a, a, if you pay a ransom, you've gotta report it. I, I, I may have the times wrong on these, two weeks or 24 hours, but I think if you pay a cyber ransom, you have to report it like incredibly quickly. And if you don't, there are serious fines and, and, and stuff like that for doing it. And I don't think the people in our community know that that's changed. Huh. That's really, that's really interesting, Sonny. And even, even things like manufacturing have to report.

I mean, that's considered a critical industry. Everybody, I think, falls in one. I, I just actually saw, I'm looking in my multiple tabs on my, on my browser, that Uber got fined for that particular, for reporting. Yeah. So pretty much, and they're a transportation company, which is one of the critical industries. So there is no not reporting anymore.

And if you guys have clients that are, that are being breached and/or paying ransom and you're not reporting that, you're putting them in serious risk of going outta business just from the fines. But it, Sonny, is it the MSP's responsibility to report or is it the client's? Sorry. Well, it depends, I guess, on who got breached, isn't it?

Well, of course, I'm just suggesting, if it wasn't just for clarification, if you're the MSP, Sonny, and your client got breached. If I'm the MSP, I'm more than likely advising my client to, uh, report. That I, that's all I wanted to make sure, that you're not, you're not reporting for your client if you aren't the vector of, you know, there's, there's a certain point in the future at which you may get liable, since you're the outsourced IT for them, doing that.

So I can't, I don't know where that line is actually drawn. Right. But I would probably give them a little time to report and say, should I report for you? And then, and, and ask them if they want me to report. Right. Interesting. And I, I shared it. You guys check this out. CISA made this as simple as possible in terms of like a one-pager. I, I, I shared that one-pager there. It gives you all the stuff you need to know about, even like what types of activity you should report.

Unauthorized access to, denial of service longer than 12 hours, malicious code on your systems, targeted repeated scans. That's a serious, that's a crazy one. Targeted repeated scans against services on your systems. That's like all day every day. Right? That's what I'm thinking. Yeah. Repeated attempts to gain author, unauthorized access, email or mobile messages associated with phishing attempts or successes.

There's a double asterisk on that one, um, about that one going to the Anti-Phishing Working Group, ransomware against critical infrastructure. Uh, wow. So, so Wes, I'm gonna see if I can get Eric, I'm trying to get Will up, but I'm gonna try and get Eric Till up to just really quickly, um, comment if he could about, um, the legality of, you know, the reporting piece here. Um, hey Will. Hey guys, what's going on? Can you hear me? Yep. Gotcha. Can you hear us?

So Will, in the interest of time, I know we got 10 minutes left and we're getting Eric up as well. Give us your thoughts around, we were talking about, around education, what a mess that whole space is, MFA, for example, often not being everywhere. How the heck does insurance handle that stuff? And, and you are a licensed agent, so I guess you can legally say. Yeah.

Um, I mean, we're starting to see that insurance companies are pretty much declining schools, schools along with all the other ones, municipalities, hospitals, all that kind of stuff, if there's no, if there's no MFA in place. But then what we have is the schools asking us questions. What does MFA everywhere mean for a school? Like, can you exp, expect, right?

I think it was, uh, Sonny, you were saying you can't expect a, a, a second grader who doesn't even know how to, you know, type yet to use MFA. So it's kind of like, there's no official answer from insurance companies, but at the same time, what you run into is that, uh, thanks. Am I frozen? No, we got you. Good. Okay. I'm frozen on my screen and I look really weird. Um, but anyway, wouldn't say anything about that.

But you can't really expect, uh, or we can't really ask these insurance companies to give us specific information, because half the time they don't even know what good security controls are and are using it for data collection. They're, place. But from what I've gotten in kind of pinging different insurance carriers, what they mean for MFA when it comes to schools, or just security controls in general. Keep going. I think we definitely, this time. Now he's, now he's, now he's frozen. Now he's frozen.

Okay. Well, I think the schools are gonna have to become more creative than, than YubiKey and, and, uh, Duo. I think they're gonna have to use a lot of Windows Hello and the equivalent in the Google world, and let the kids' face do it, or let the kids' fingerprint do it, or stuff like that. Because if they, if they can get their, their device open, uh, that's two-factor authentication. I mean, but, but, um, oh, Gary's here. Sonny, just curious. Yeah. Jerry Junior.

Just Sonny, just curious, could, do you think if, if segmentation, you know, or, or a separate. Sure. Well, segmentation is a big piece of any level of security. I mean, for years schools have segmented stu, student, um, uh, networks from, from the, the administration networks, and I, I don't know that they've successfully really, really isolated 'em, because they, they're really smart, school kids are always hacking into the, into the things.

But the truth is isolation to, uh, lower level depreciated networks is gonna be one of your biggest tools for keeping the school safe. Well, e, exactly. And that's, that's what I'm wondering, that cloud-based tools that the kids, that kids are accessing. Yeah. Yeah. That's what I was curious. I think you're right, Sonny, like Windows Hello is a fanta, I mean it's, I think that's a potentially fantastic solution.

Uh, but again, we're gonna have to get through the, the parents, my, my biometric data, my student's gonna be, you know, uh, we gotta figure something out here. Yep. Yeah. Um, hey, so I know we have about seven minutes to the top of the hour. Just wanted to say a few things. Number one, um, you guys, most everybody hung in there. I just want to, to thank Wes, um, and Phyllis for just ad hoc, um, very grateful to you guys.

Um, I will get Garrett back on the following week, and again, I'm sorry to all of you all that were expecting the, uh, no big, the, uh, dark utilities. It's gonna be a great, um, session. So we'll do that next week, assuming we'll, um, Garrett can join us. Um, so don't, don't unsubscribe me or hit spam. I'll, I'll re, I'll repost it all and, and everything. Hey Andrew, can I just say this on your behalf, just for those listening, I don't think you guys know what efforts Andrew goes in.

He makes life easy for me and Phyllis and, and Gary and others. Like, yes, he's the one that finds the guests. He's the one that does the interviews. He's the one that peels out the content. He's the one that writes like all the things to talk about. So, uh, Andrew, I think you're okay, my friend. I, I, if anyone unsubs from this, they're gonna get a helicopter flying over their house pretty soon. Yeah, I mean, and also it was a, I mean, it was a great fun conversation, so it was great.

It was, it was, I feel bad for Garrett though, um, that I did that. Um, but the other thing, um, I just wanted to let everybody know, um, we are working diligently for, uh, Right of Boom two. It's gonna be in February of next year. Um, it's not gonna be too far from your house, Sonny. I'll just throw out that hint. So, um, it's gonna be in, in the Texas region. Um, we're finalizing everything.

I put the highlight video in the call to action, the green little thing underneath the Hollywood Squares. Um, Wes is gonna, um, Wes is gonna be our MC again, so, uh, Phyllis will be there. Um, uh, hun, uh, Sonny, I literally put it in near you so that you couldn't tell me no this time. So, um, so, but, uh, any thoughts on, on, uh, Right of Boom two, uh, last from you?

Well, I mean, I, I was at Impact, it's, um, event last week, and I ran into a bunch of Impact folks that were there, and like, hey, it's so funny how this happened. They're like, hey, have you heard anything from Andrew about Right of Boom? Like, are we gonna do this again? I'm like, it's funny you mentioned this. I literally got off the phone with him like 10 minutes ago and we're talking about it. So yes, it's going on. And Andrew, I just hear back from everybody.

Um, it's such a unique event, right? Because, um, again, the the content is highly tailored and you, you spend a lot of time really organizing as you go through, what are the elements that we're gonna talk about? And let's bring the best of the best that we can find from John Strand, from Phyllis Lee, you name it, we got the best. And so, uh, I, you know, I nothing but stellar comments about it.

So I, I think that's why everyone's so excited about Right of Boom two, because just you, you're gonna come away just jam-packed with great stuff. Yeah, we're working on. Thank you for that. We're working on the journey right now, and that's one of the great, you know, I, I've the best behind-the-scenes people, which we'll have up on the website this time. But, um, uh, the, we, we take you all, if you haven't been, you, we're gonna take you through a journey.

There's no, um, we love our vendors, they support it and they're gonna be there in force, all the best cyber vendors and others. Um, but, um, no one, and there will be some of the best vendors like speaking, like a John Hammond and, and a John Sson, the guys that really have the technical chops. But it's gonna be not about product. It's literally about our, it's a thematic. Um, last year was around the Cyber Defense Matrix framework, um, moving right to left of boom, Sounil. Um, yes.

And Sounil will be back. And this year, um, we're actually, Wes, we're gonna be, and Phyllis and Sonny, we're gonna be looking at, um, how threat actors attack SMBs and MSPs, um, the TTPs they use, um, looking at MITRE ATT&CK, the risk to revenue associated. I promise you, I'm buried in this, in this culture too. And I'm gonna have to have a dictionary for all these acronyms that we're throwing around today. Yeah. But, but it's gonna be great. And, and, uh, we're really excited about it.

Um, so, um, in closing again, I'll, um, I'll, uh, apologize profusely to Garrett. Hope he can join us. Um, Sonny, always great to have you on. You are so awesome. Um, and, you know, um, I'm really grateful for our friendship and all you do for MSPs out there. You're, you are so giving of your time and your, and your staff's. Um, so really, really cool. Um, Wes, any closing comments on today's topic? Any thoughts? N, no. I mean, we're in a tumultuous world right now, that's for sure.

And we clearly don't have all the problems solved, but I think that's good. That means that there's room for all of us to continue to join the, um, join, join the communication, right? Join, add in your, your insights, your thoughts, your questions. You know, we don't have the answers. Um, and that's okay. We're all figuring this out together and I think that's what's so great about our journey, especially here in the channel as well.

So Andrew, thanks for building a platform here where we can all get together and talk. It's, uh, such a great thing every week. Yeah. Well thank, thank you for all you guys do. Uh, Phyllis, closing thoughts from you? Um, no, I mean, I would say again, you know, I wanna reiterate what, what Wes says, and thanks to you for holding this, um, webcast every week. It is a lot of work, and thanks to everyone who hung in there and really provided, um, a lot of comments.

And so I'm gonna go back and have to read them. But yeah, so, and thanks to all of you who are supporting those K through 12 and SLTTs, they really do need your help. And, um, I would say the feedback that I got from Right of Boom last year, um, a lot of people are like, you know, this is the only conference that I've been to that focuses on the threat to MSPs and, and how to help us, you know, counter that threat.

I mean, literally everyone was like, this is the only conference that's ever done that. So, um, you know, come to Right of Boom two, um, more of the same, but, uh, even better. And, and it's in Texas, so it could be better than that. Everything's big there, Sonny. Everything is very there. That's right. Being from Texas, kinda like being a pilot, you know, if you have to ask a man if he is from Texas, he, he, he'll tell you, don't worry. Yeah.

Well, and the big, by the way, the, one of the big feedbacks, I'll just close everybody with this, the big, 'cause I, you know, we had it in Tampa last year, and if, for a lot of people that's a tough flight. And so now it's gonna be pretty much a direct, central for, for anybody, um, because of the hub of American. So one flight and, and get everybody there. So. Alright, well everybody, make it a great week. We look forward to seeing you back here next week.

I've already heard from Garrett that he is, um, free. He, he emailed me. So we will be back and we'll do this again, uh, next time. So till then, everybody, um, wishing you a great one, and, uh, take care. See you soon. Take care, everyone. Thanks. Bye now.
