Skip to main content
Right of Boom
January 30, 2025

Threat Informed Defense & Why it Matters to MSP/MSSPs

In this video, Rich Struse and Aaron Chernin discuss the challenges and opportunities for MSPs in implementing a threat-informed defense strategy. They explore how the MITRE ATT&CK framework can be leveraged to prioritize cybersecurity defenses for small and medium-sized businesses. The discussion also touches on the importance of using standardized terminologies and frameworks to improve communication and effectiveness in cybersecurity practices.<ul><li>The importance of using standardized frameworks like MITRE ATT&CK to describe adversary behaviors and align security measures accordingly.</li><li>The need for MSPs to translate technical security measures into business impact language that end customers can understand.</li><li>Emphasis on the importance of prioritizing security measures based on threat intelligence and potential business impact rather than just focusing on vulnerabilities.</li></ul>

Guests

Andrew Morgan

Video Transcript

Hey everybody. Welcome. We are in session, I can't believe, 1 28 of the cyber call. And we have an awesome one for you today. Um, so good to see so many of you talking about write a boom. I can't wait to see you all. Um, it is, uh, one week from, uh, Wednesday, Wes one week Wild. Um, And we got the pre-day going on. Yes. And apparently Keith Bartold is gonna make me like ride in his plane till I puke. It's just gonna be wonderful leaving That. Yeah, yeah, yeah, yeah. No, no, no.

You are, you are the sacrificial lamb. Wes Told I require an injection seat with a parachute. I'm gonna use it early. All right. Um, well, uh, a Ann, wonderful to see you. Wonderful to see you all out there. Um, let me set the stage real quick and we'll get on into it 'cause we have a fantastic guest today and an awesome subject. Um, we saw Aaron Cherin, uh, former CEO and founder of Perch and now CEO of Roost in the audience.

So we figured we would just pull Aaron in 'cause he actually knows our guests very well, worked with him, uh, in the past life. So, um, if you potentially work with Rich, just raise your hand, we'll pull you up too. Um, so, alright, um, I'm gonna just, uh, call out. Um, there's a phenomenal webinar tomorrow that I'm privileged enough to do a fireside chat. We've had John Barrows on the cyber call before, but this is the original CRO of Thrive Networks.

They were one of the first, if not the first MSP to monetize in 2 0 6. They sold the Staples, um, and they've got pretty good legacy. They're now, um, a thousand plus employee, uh, MSP Global. And, uh, we're gonna be talking with jb. He goes by j jb and he became built his own sales org training organization and he teaches and coaches the biggest, the big SaaS companies in the globe. Salesforce, LinkedIn Box, Dropbox, you name it. Also many MSPs and MSPs.

And we're gonna be talking about trends and how to, uh, stay ahead of them and you know, what, how AI is making your traditional salesperson obsolete. So I encourage everybody to attend. It's gonna be awesome. Um, the other thing I'll just, I'll just stick this in chat since we're gonna be talking about the, um, center for Threatened Form Defense. Um, there's a company called Lumo, great people there. They did a great blog on it. So I put that into chat.

You can take a look at that, right, right up on it. Um, and I think that is it. Wes, am I missing anything? Phyllis? I think you got it. Yeah. Alright, cool. So lemme set the stage and we'll intro Rich. So I was thinking after last week's conversation with, um, the folks at Black Point, um, which I thought was a great one. It was great to have John, uh, and Dave on talking about the, you know, the new evolution or the, I shouldn't say evolution, the, just how phishing is evolving.

You know, Wes and Phyllis. I, I thought it was really fascinating how threat actors are just continuously evolving, you know, tried and true tactics, but in different ways in which they do them. And I thought, you know, how should we be looking at our defensive strategy, right? Should it just be, you know, framework driven, um, you know, should you know, which is obviously, you know, our friends at CIS or should there be more to it than just throwing in controls and policies?

Um, as luck would have it, Aaron reached out to me and he's like, you know, I was talking to Rich Stru the other day, and I think you should chat with him, Andrew. And, uh, rich, um, is like many of the great security people that we've had on Incredibly humble. So when you say that, you know, he was instrumental in the start of the Center for Threat informed defense. I've heard him on interviews, he's like, well, I didn't, I came up with the name.

That's all like, and Rich, we know it was more than that. So with that, um, I'm excited to talk to you about this, uh, concept and what you're doing at Title. 'cause you really have spun off really what the genesis of it was there now, um, and I'm bullish on hopefully you coming down market because we were talking about that as well. So with that Rich welcome, tell us a little about yourself, your background at that small agency called Mitre and, uh, what you're doing today.

Yeah, well first of all, thanks, uh, thanks for having me. It's, it is great to have this assembled, uh, group of, uh, of panelists. So, you know, it is old Home week and, uh, thanks to everyone in the audience. Uh, yeah, so Rich Truce, I'm CTO now of Title Cyber. Um, we started that in, uh, basically December of 2021, um, and talk more about that.

But for about four and a half years I was at Mitre, um, where I, uh, created and then co-founded and ran the Center for Threat and form defense with my colleague, uh, John Baker, who is now the current, uh, director of the center and doing a, a fantastic job. Um, the, the real insight there at Mitre was, you know, MITRE as a nonprofit works, uh, on behalf of, uh, for six federally funded research and development centers.

And when I got there, being mostly a private sector focused person, I said, why don't we do a privately funded research and development center? And I don't know, they, they said, okay, go do it. And um, so we, we stood that up, uh, in, uh, November of 2019 with I think 13 founding members.

And today the center is, uh, in the area of 30, uh, you know, either non both, uh, sophisticated enterprises, you know, the big banks and, uh, healthcare companies, a lot of the big security companies and then nonprofits, including folks like CIS. And I've had the pleasure of working with Kurt and Phyllis and Tony, uh, uh, over the years there as well.

Um, and really, you know, your story about, you know, came up with the name, uh, you know, when, when we were talking about building this privately funded research and development center, which was all about how do you take the great work that the Mitre attack team was how done and was doing when I got there? Uh, how do we describe all of what people are using attack for? You know, what is, you know, because I saw, you know, red Teamers using it to describe their engagements.

So Blue teamers using it to figure out what detections they're writing. I saw vendors starting to talk about it from the perspective of mapping their capabilities. And we saw CTI people, you know, first and foremost using attack as a common language. And so I said, well, people are doing all this good work, but there's no good name for this discipline. And that's when I, one day walking down the halls of Mitre three said, threat informed.

And, and we had the name for the center, but it's actually, I've been really gratified to see it's also taken on as sort of this, this extra life as the name of, of kind of this discipline. Yeah. It's very, very cool, rich. And then before we get into like, some questions, talk to us about title. 'cause you've kind of taken what you've built and, um, are helping organizations. You have a, a freemium version, but I, I thought it was really cool when you shared it with me.

Um, and then I'm going to continually hound you with, along with Phyllis to see if we can bring that down market or at least work on, you know, maybe the top five attacks, um, that are in the community defense model. So we can bring it down market to help so many down here. But talk to us about title real quick. Yeah, so, you know, my, my two co co-founders, uh, Rick Gordon and Frank Duff were also, uh, at Mitre.

Uh, and what, what, I think the thing that I took outta my experience in, in running the center, and it's, uh, it was a, it was a great, it was a great run. Um, loved the people we were working with, loved the work we did, super proud of it. And again, I'm thrilled to see where John and his team have taken it to the next level, uh, to places I probably would never have been able to do. Um, 'cause they're a lot smarter than me. Uh, I'm just, I'm just a little crazier probably.

Um, but what, what we saw there was, you know, dealing with some of the most sophisticated and well-resourced cybersecurity teams in the private sector from, and probably anywhere from around the world we still saw. And I kept hearing the, Hey, this is great love. I love the fact that we've just created this data set, or I love the fact that we've just funded the development of this open source software, but it's not really very usable for us because now we gotta go integrate it.

And we have a maintenance tail. We have all the, and and ultimately what I heard people saying without necessarily saying it in, in this, in so many words, was they were looking for a platform. They were looking for a platform that would make their implementation of a threat informed defense as systematic, repeatable, scalable, and cost effective as possible. And we looked around, there wasn't anything out there. Mitre wasn't gonna be in a position to build such a thing 'cause it's a nonprofit.

So, um, my two co-founders and I set out to, to build, to build title. And, uh, so that's what we do. We're a SaaS platform that we've developed, um, that is designed to, to be that foundational place where you manage all of your view of the attack knowledge base. And, and that's, I think, a key point attack. And I love the attack team, love the work that Mitre does. I think they'd be the first to say it's a starting point.

So what Attack does, it's a great starting point for understanding adversaries and their behaviors and groups and software and campaigns and all of that. It's necessary but not sufficient. We need, you know, you're in a, the aviation sector, so there are threats that are specific to that sector. There's knowledge that you have in your environment based on past incidents or TTPs. What do you do with that? How do you integrate that in?

So our platform is designed to allow you to take attack, make it your own, expand it, enrich it, um, and then answer the fundamental question, are my defenses that I have deployed in my environment good enough to protect me against these threats? And that's, and that's where I think what we do is provide that focus.

Um, and that, and threat form defense is really about using an understanding of adversaries in their technical trade craft to help us organize, assess, and sort of prioritize our defenses. So it, it works in combination with, you know, the sort of more traditional asset and vulnerability management approach. It, it's completely consistent with, um, you know, control, uh, frameworks.

Um, but it just helps us really sort of focus on if these are the threats that I, I need to worry about most, what are the, what are the defenses I need to have in place? Yeah, I love that. I love that. And really excited for you what you're doing, rich. And with that Mr. Spencer, let's get dig on into this a little bit more. Yeah, that Sounds good. Aaron, I am gonna ask you a question first. How do you like that? Tell me your favorite rich story. Uh, let's see.

Uh, I wasn't ready for this, but I think my favorite rich story, man, well, there was that one time we competed against each other, uh, at Mitre. Um, and then, um, hmm. And then the, uh, I would say the time that was the most intense, uh, rich time was, uh, when he was moving sticks and taxi from Mitre to Oasis. Um, that was some of the most, uh, intense times. What do you think, rich? I I, you know, that was, that was up there, that was up there.

Going from DHS and Mitre to a true international standards organization was a hard fought battle. But it, in the end was worth it. And thank, you know, people don't know. I, I don't, I don't know if people know that, you know, um, sticks and taxi, there were legions of people who, and when, you know, I, I was the catalyst for creating it, but it was created by other people. It was really, you know, it was really shaped by so many members of the community.

But Aaron early on in particular was a critical advocate. And I, and I think if Aaron, for whatever reason, hadn't been part of that, I don't think, I don't think sticks and taxi ever would've gotten off the ground. 'cause he was a passionate believer in the power of automation to improve cyber security. He saw the value of it and, and he was just relentless in, in helping, you know, uh, us at DHS, uh, actually move it forward, especially in the financial sector.

So, um, is that good enough, Aaron? And, and when do you pay me? But this was about, this was supposed to be about you. Yeah. It's all got you So tough. Did either of you ever believe that fast forward, you know, half a decade, maybe more than that, you'd be sitting on the cyber call, of which it's primarily MSPs, almost 6,000 people that listen to this. And you're both here talking, uh, to MSPs about cybersecurity. Do either of you like fathom that would be a thing? NN absolutely not.

Um, so I remember being in some of these, uh, I think NIST used to have, uh, security content automation protocol meetings and meetups, uh, in very large conference rooms to talk about cybersecurity standards. And I was pretty much the only one from the private sector, um, in the room. So I didn't expect to be doing cybersecurity for MSPs or enterprise based on how the early days, um, of these standards started. They were very federal government focused.

They were very academic, they were very research center. Um, they were rarely ever applied. Yeah. And what I, so yeah, I I, I certainly wouldn't have foreseen this, but I, I'm really glad that we're, we are here and, and we are, you know, know sort of as a community, uh, where we are today.

Because the reality is if we are not, you know, if we're just talking about cybersecurity or just helping the, you know, the companies and the organizations at the tippy top of the pyramid, um, you know, we're losing the battle and we're missing the point. So I think it's, it's really critically important that we're always sort of saying, are we, are we helping, are we actually advancing the state of cybersecurity writ large? Or are we just, you know, help?

You know, when I, when I was, when I was looking, uh, to, for my next thing after, after Mitre, you know, people say, oh, you come work for this bank. It's like, oh, well that's interesting, you know, to help one bank be incrementally more secure. I'd much rather try to try to, you know, take a swing for the fences and, and do our part for making it fundamentally easier for people to apply things like the Mitre Attack framework.

Because my goal and my metric for success is a year or two down, or however many years down the road, there are people and companies all around the world that are being protected by, or, or, uh, where Mitre attack is helpful to their defense that they have absolutely no awareness of it whatsoever. It's, uh, it's, you know, it's kinda like tick sticks and taxi. It's plumbing beneath the, beneath the, uh, the hood.

Um, and so from, from my standpoint, this is exactly the kind of community we need to be successful with, because that's how we're gonna have impact at scale. I mean, it's the only way we're gonna have impact at scale. Well said. And that's, I remember in the early days when we were talking to John Strand, he said the same thing. If I could just put words in his mouth of like, how he is like, oh, MSPs, like, they're all the same. They're terrible.

And the more he got to know 'em, he is like, there's a whole community of them that are growing and really doing better and, and, and deeply care. And how else do you reach the common good? And now John is passionate about, you know, helping out. He is gonna be it right, of boom. And he's just an amazing person. And I think that's well said. You know, like the common good, how can we do the most? And so I, I think what you said, rich, that comment brings up a question.

Most MSPs today might be aware of what Mitre is, or Mitre attack. Maybe they went to Mitre attack and looked at all the techniques and like, Ooh, that's scary. I don't even know what to do with it. Is that a problem that MSPs are there today? Like, what does, what does that mean? Does that mean that more needs to happen? Is it okay that they're just loosely aware and they're not doing anything with it? Just open-ended comments. What are your, what's your reaction to that? Yeah.

Well, I, I think that's true. And I think it's, I, I think it is, um, uh, a byproduct in part, and there's no, this is no one's fault, But I think for a long time, you know, you've had the, the threat intelligence community talking to itself. And people, uh, you know, admiring the problem.

And I mean, I, when, when we were doing in, in the heyday of sticks and taxi development, you know, I, I was thinking, oh, wow, these threat intelligence and these threat intelligence platforms are, you know, that's going to be where it's all at. And, and you know what, what I think what we finally realized is people, unless, you know, for, for the vast majority of humanity, threat intelligence is a means to an end.

And I think we were very much in that, in that tiny rarefied group where threat intelligence was the end. Um, and so I, I think as we, as we transit, I don't wanna say down market, I, but we, as we transit to where we need to be, uh, 'cause my, my local doc, my doctor, my internist doesn't have a security team. They don't have a soc, they don't have a cyber threat analysis cell. They, I, I, I, I pray they have an MSP or an MSSP that's providing their security.

If I want my data to be safe, they need to be enabled. Um, so I, I think the reality is it's been, um, you know, while all the, you know, MITRE has made everything as a nonprofit operating in the public interest has made everything freely available. Um, you know, that's, that's the first step, right? But, you know, what do you do with it? And there's, so there's been this great community of people, and MIT's done some work with Mitre Attack Defender.

That's, I think, really laudable, um, to sort of build up the training, uh, with, uh, and, and education component. And lots of other people have done that, other vendors in particular. Um, but I think what, and this is, this is, comes back to, you know, somewhat of a self-serving statement. They need more, you know, they, they need something that's gonna help them. Okay.

So they understand the notion of adversary, understanding adversaries, TTPs, they're, you know, I think that's like a big, that's a huge step. Oh. So if I understand something that, that, that maps adversary behaviors, and then I can map that to defenses and actions we take and use that to start informing my, uh, understanding of our security posture or my customer security posture. That's huge.

But if we expect every service provider out there to sort of build something on their own and do that from scratch, you know, again, doomed. And, and why would, and why would they? So, um, I think, I think having the knowledge enough of it, just enough of it is a great starting point. So that's why I'm super excited to be down at, at, uh, write a boom, um, just to learn what people's pain points are. Um, 'cause I, you know, I don't come from an, uh, from an MSP or MSSP background.

Um, so I'm sure I'm gonna hear lots of things I didn't expect to hear. Um, and lots of, you know, it, it'll be interesting to hear, you know, what, what do people really care about? Um, but I just having that knowledge or that, Hey, there's something there that's half the battle. Yeah, that's well said. Aaron. I want you to follow up on that a little bit.

You know, you've talked a lot about standards and, um, you know, how enterprise and large government use standards to drive, you know, processes behind what they do that doesn't scale down market. I mean, you even created perch in the earliest of days to really be that like, let me ingest my intel from sticks and taxi and actually do something with it. 'cause that's what down market, that's what they need. They just need to do something with it. They're not gonna do threat actor attribution.

Mm-Hmm. They're not gonna do, they're not gonna get into producing Intel themselves. They don't even know how to like, detect it. Right? So I guess my question for you, Aaron, is from what Rich said, is that okay, that that's sort of down market is, uh, should, should it be doing more? Um, or, or just what are your lessons learned from all these years of, of serving MSPs and where they're at compared to where enterprise is at? Is it a huge gap? Is it a problem?

I don't think, um, the vast majority of folks, whether they're an MSP or not, um, need to learn, um, how these standards work. Um, or the guts or internals, uh, like the JSOM format for the newer ones or the XML for the older ones, um, um, maybe only 5% need to understand. Um, what I do think though is the masses need to, um, demand it, um, and make sure that the products they buy, so speak with their wallet, have it, even if they don't know, um, how to build it by hand.

I'll give you an example. Like, who's gonna, who's gonna buy a network card that, um, doesn't know how to do TCP ip? No one. Uh, now how many people can build a TCP IP packet by hand? Almost no one. Um, but we demand that we have access, uh, to the standards. And the same thing goes with your web browser. It's using, you know, dozens of standards, um, that, that a lot of people can't do by hand. Um, with, with that in in mind, um, on the IT side of the world down market really understands it.

Like, imagine if you bought a processor and when you got back to the office and you opened a box, it was actually a hard drive. Um, like the IT industry would that, that company would be Oliver Reddit for years to come with a ton of memes. Um, now on the security world, when we go and buy a security tool and we get into the office and we install it when we're done, um, who knows if it's what we actually buy? Who knows?

Uh, because a lot of the words that we use to even talk about our security controls have not been standardized. Um, so we need to speak with our wallets and get excited whenever there's a standard. Um, I wouldn't even necessarily try to pick a winner. In most cases in the security space. There's not competing standards, it's just one. Um, so find the standard in the space and speak with your wallet.

Wes, what's interesting is even Sunil and the Cyber Defense Matrix talks about even Mitre, their terms are actually counter to what they, uh, mean in cyber. In, um, CSF, they'll talk about, uh, you know, identifying threat, uh, threats and vulnerabilities versus detecting, and they interchange the two throughout the nomenclature of CSF. So it's really interesting, Aaron, that you point that out.

Yeah, I would, uh, um, a sneak preview to my right of boom presentation, but I did some, uh, CVSS version three. Um, uh, I was a part of that group for a bit and did some dabbling in there. And the first thing I did was remove any, uh, terms for the, of the word risk. Uh, 'cause CVSS doesn't measure risk. And there was something like 30 or 40 occurrences of that term, um, in earlier versions of it. Yeah. All right.

Last question, rich, before I flip over to Phyllis and let her, uh, grill you NSA style. Um, let's go back to the Center for Threat informed defense for a minute. I know you're not there anymore, um, but I know you've clearly illustrated you, you understand the plight of small business and MSPs at, at large, where MSPs are serving anywhere from 20 to, you know, 80 clients. They have huge sprawl, but they themselves are also still small business. What is the center for threat informed defense?

Does it have any application towards small and midsize business? Because I know there's a lot of like public private partnership they've gotten into. Is there any opportunity there in your opinion, just, just asking Rich, the person with Rich, the Rich's experience, not asking you to give a formal response? I'm just curious given all we've discussed already.

Yeah, I mean, I think the, the most honest answer is that the, the center is trying to, we, you know, we always said we, we advance the state of the art and the state of the practice. So, you know, in the areas where the center has, uh, worked to advance the state of the art, like in modeling out sequences of adversary behaviors and attack flows, unlikely that, you know, the s and b market is gonna be a direct consumer of that r and d anytime soon.

But, you know, if you look at the work the center has done with things like the, um, uh, top threat calculator that they, uh, put out, uh, you know, and if you go to the Center's website, you can, you can easily find that, you know, it's something that pretty much anyone, anyone can use. Um, so, uh, yeah, I, I think there is applicability. I think it's important to understand, you know, sort of what their, what their target universe is.

Uh, you know, so you're gonna see a lot of code up on GitHub. Um, but, uh, I, I think, you know, they, they continue to strive and they continue to do a great job to, uh, be relevant. You know, they did a, they did some work that started when I was there, uh, released after I left just identifying, uh, TTPs commonly used by insiders. And, you know, it is, it is just really interesting.

So for those organizations who are thinking about how do I, I even begin to identify, uh, you know, the technical behavior of, of insiders, um, you can, you can go to that and, and it's, it's, it's, uh, freely available. There's no, there's no gatekeeping, and you can just sort of get a perspective. And, you know, like so much of what Mitre does it, it, you know, they're just trying to make the world a better place and, and do it for everyone. Yeah. Awesome. Awesome.

See, speaking of, uh, internal threats, I see, uh, Aaron's cat has joined the chat your street cat, Phyllis, you're up. Okay.

So Rich, um, you know, he talked about, um, the small medium businesses of which many MSPs are, and as you know, um, many of the small medium businesses really don't have the resources to look at the different verticals, look at, you know, specific threat actors and their behaviors, et cetera, or even, you know, run adversarial emulation, which, you know, many folks think, um, is effective. So, um, what can a small organization do who doesn't have those kinds of resources?

Yeah, I mean, I think, you know, the, just to be clear, the, uh, you know, if we start thinking that your typical SMB or your typical, uh, small, uh, MSP is gonna start, uh, building dossiers of different nation state adversary groups, uh, you know, again, we're, we're we, we've lost the game. So I think it's incumbent upon the community to figure out ways to make it easier for people to identify, you know, alright. Uh, you don't need to necessarily know much about the, the groups.

And that's actually a really interesting point, maybe to take a bit of a detour, you know, attribution is, uh, something people love to talk about and people love to attribute stuff to particular adversary groups. But the reality is that information is, is not that as useful, I think is a lot of people think it is.

What really is more important is what are the technical behaviors that, you know, if I'm, uh, if, if I'm concerned about a, a given nation state adversary, the vast majority of humanity just wants to focus on, okay, so then what are my technical, what are the technical, um, uh, things that adversary is gonna try to do in my environment?

Not necessarily what they're even gonna try to accomplish, but, you know, oh, they're gonna try to bypass user account control and they're gonna try to escalate privilege this way. They're gonna try to move laterally that way. Um, whether a particular nation state group does that, or, you know, the ransomware operator, uh, does that, does it really matter? If it works, you're still owned? Maybe the impact will be somewhat different, but it's still a, it's still a, a really bad day.

So, um, I think we need to get to a place and, and, you know, we're, we're doing some work with this in our community edition and others have, uh, are doing some work, um, to try to make it so that you can identify a general threat area Mm-Hmm, ransomware, uh, data exfiltration, financial fraud, and, and have that turn into a threat profile, uh, behind the scenes that you can then use to sort of rack and stack your defenses.

I mean, ultimately everything to, to, to our mind, and this is sort of what animates us at title has to come back to, and what do you do about it? Mm-Hmm. You know, mm-hmm. To talk about, oh, and then this adversary does, then they use the super laser and they shoot the, you know, it's like, and what can you do about it? Because if there's nothing you can do about it, you can't give someone useful, practical advice for what they can do about it.

Uh, other than like, well, and then buy my shiny laser reflector for 1995. Um, you know, we're not doing, we're not, we're doing a disservice. I think, you know, people need to know, here's a problem, here are the potential solutions, um, in a way that, uh, I think is independent of the given solution provider. That's where I think control frameworks can be really helpful to talk in about the problem in, in terms that are independent of any given particular product or service.

Um, but can serve as a useful guidance for kind of categories, which is also, I think, you know, where Sunil work and the cyber defense matrix, uh, is really helpful. Rich, can I add No To, uh, that's what I figured, but I'm going to anyway. Hey, uh, 'cause uh, some of what you're talking about plays into some of the chat that I'm reading here.

Um, if, if attack ma, when as MA attack matures and as more use cases for attack gets built into products, um, you shouldn't have to make the decision, um, whether or not you're going to use attack. Just like you didn't make a decision to use CVE or not in vulnerability management, right? Like CVE is how you vulnerability management and attack, um, is how we're gonna look at the ways in which people, uh, attack us.

And so imagine if you had an incident, um, escalated to you by your SOX sim provider and it included the attack, you could then use that attack information to go figure out what kind of security controls you can go back to your client that they're missing, uh, that they need to go get now, uh, because of that incident and without the attack. Um, it would just be a bunch of guessing. Yeah. And that's, I think that's a critical thing.

We're seeing more and more vendors of security products, more and more threat intelligence providers. We see CISA doing it here in the US is, is doing that mapping to a, to attack just because it's such a huge efficiency win. Because now we're using a common nomenclature, you know? Right. If someone tells you, Hey, go to the store and get a donut, they can say, they can use the word donut and you know what to get.

You don't say, well, you take some flour and you take some, so when you take something and you put it and you put it in a OID shape and then you deep fry it, get one of those, you know, uh, so that common language, it's a simple idea, but it's really, really important. So, you know, threat intelligence being mapped to attack, but Aaron, you're absolutely right, it has to work behind the scenes. It has to be working on behalf of people.

This technology, security technology should serve people in organizations, not the other way around. Right? Mm-Hmm. You know, we're, that, that's the goal is to keep people in organization secure our data, secure our, our our data private. Not that we will become experts in, in every live security tool or standard. The other thing I'd say is, uh, you said is attack matures.

I think it's also really important, um, if, if you can't describe something in attack that shouldn't be your problem, right? That should be, you know, attack shouldn't be a box you stay in. You know, I think attack is more of a way of thinking and a way of organizing, and that's sort of our philosophy. It's a great starting point.

But if you've identified adversary behavior that doesn't, that doesn't, you know, that isn't in MIT's knowledge base, you go put it in, you know, using that same mechanism. It, it goes in, it goes in your matrix, um, and it's helping you because you don't wanna tell people, oh, well, you know, they're, they're, that group isn't in the knowledge base, so you can't defend against them. Uh, that's, that would be crazy. So, Right. You know me, I'm always about defense rich, so I agree with that.

And you know, like you're saying, Erin, what attack provides is that standard way to describe the steps, the steps in an attack, right? So the nice thing about having a standard way of describing the steps in an attack is that hopefully you can have a standard way of describing what you really need to defend against. So when we all say we need to defend against ransomware X and we can, we can, we can agree upon the defenses because we've agreed upon those steps in that attack.

And so, um, you know, that's the power of something like a Mitre attack framework. That's the power of the standard. Exactly what Aaron was saying earlier is like, you don't need to know the nuances of attack CTI has broken the attack surface up into a bazillion different parts of which we don't need to. What we need are the results of that where you actually understand how to mitigate against whatever, right? Whether it's cloud, whether it's enterprise, whether it's mobile.

However, those different attack types are described. We just wanna know at the end of the day, did we do what we needed to do to defend against all those different attacks? Um, and so I think, you know, it's been a great conversation.

And Rich, I think you were trying to say that as well as, um, as Aaron, so, um, and I, you know, I also liked it when you say it's not necessarily, um, who actually implemented the tack, who the attacker is, but what really are the steps in that tack and how you defend against it, right? Like, is it ransomware? Are these the steps versus is it some hacker group or whatever? Um, we'll leave that to, in my opinion, US government and other people who care.

Those of us, we just, we just want, we just don't wanna be, um, get, get notified of being a victim or be a victim. Um, so I, So someone made a great observation in, in, in the chat, you know, tools that start off as, as, you know, nation state tools for, you know, get, get distributed, get used by, you know, the, the attacker tools become democratized.

And I think, you know, so one of the, one of the things that's really important that in the defender community, we sort of take a page from their book and democratize the defenses. Yeah. Um, you know, that's one of the reasons we started out so early with the, the, the freely available community edition of our platform is, you know, we saw there was, you know, an opportunity to help defenders who have too many things to worry about. Too many, you know, too, too much on their plate already.

Uh, you know, we need to make things simpler for them, and we need to, and we need to obscure a lot of complexity. Yep. Um, Yeah. I agree. That's awesome. And, And, and I think it's, it, it does such a good job of neuter, neutering, all of the marketing talk that we get from the vendors, you know, and that, that also goes back to a lot of what Sunil talks about, right?

Because it's so confusing, it's so frustrating trying to understand what a vendor does, and you force them into a common vernacular here. That's that's a, that's what we need, a big part of what we need. Yeah. And, you know, people love to hate on vendors, right? And they love to say, oh, you know, vendors, but, you know, vendors are a huge part of the, of the landscape and a, a critical element. And we need them to be successful. We need our security vendors to be successful.

We want them to be investing in new and improved capabilities. Um, I think, you know, like the efforts we're doing in ma in, in working with vendors to map their product capabilities to specific attack techniques, um, I, I like to think of it as providing an opportunity for vendors to be as clear as possible about what they do and by, you know, and by extension what they don't.

And I think we as a user community, to the extent we put that hat on, we need then need to be adults and, and deal with it appropriately. When a vendor does that and says, here's what I do and everything else, I don't, do not hold that against them, just, you know, that's a fact. They do that they, you know, hopefully they do that well.

Um, but that we understand that, you know, security is gonna be a, is a, is a team sport, and we have to assemble our overall security, um, uh, security infrastructure based probably on a composite of different vendor solutions. Um, but I, I think it's important to really sort of try to be on the same side of the table as the vendor. We're trying to help them be clear and articulate about speci. But, but it gets, you have to make it be specific. 'cause if you ask a vendor, Hey, what do you do?

You protect against phishing. Why? Yes, we protect against phishing, you know, well, what does that mean? Well, let's break it down into really speci into specific things. Then you'll probably have a much more productive conversation.

You know, I, I try to assume good faith on, on the, on, on, you know, on the part of people other than the Aaron, of course, uh, you know, but I, but I, I really do believe, and, and I, I think the vendors are, are trying to do the best they can in the sort of market conditions that they exist in. So let's just make it easier for vendors to be clear about their capabilities in a, in an honest and transparent way. Uh, and then, you know, not punish them for doing that. Yeah. I mean, I, I agree.

I think, you know, we need to, we need to help the vendors about what, what we want. Um, I think also we also need to hold them accountable though. Mm-Hmm. Um, you know, where we, where we use our purchasing power to hold them accountable, like Aaron says, to, to use standards. So they are interoperable. I mean, you know, you will, you know, as well as anybody rich that a lot of organiz, big, bigger vendors, um, they work in the standards bodies.

They work, um, you know, in those bodies to make sure that, um, they are, that the, that the standard has enough wiggle room so that they can put their proprietary stuff in there to lock you into their model, right? And so, um, yes, many times when we talk about vendors, we're talking about those bigger vendors, um, that, that do that kind of thing, that lock us into their model.

But, um, yes, we do need to be clear about what our requirements are and hopefully hold them accountable with our pocketbooks. Um, so, you know, um, you talk but much of security and you know, this, you've been around forever, has been around, um, vulnerability management, management, asset management, and, um, you actually said that in one of your interviews that it's a problem of scale. Um, so how is it in your opinion, that threat informed defense helps in this area?

Uh, I, I wrote a, a blog post when we launched title, and I, it was, I think it was called A Tale of Two Graphs. And I, I had, and I showed a, a graph, I think it started 20 15, 20 17, and it was just plotting the num each year, the number of CVEs issued. And then, so each year, uh, and, and then the other line on the graph was the, the cumulative number of technique adversary techniques listed in attack.

And, you know, the number of attack techniques, you know, went from probably two, you know, maybe 400 up to 600, oh, in that timeframe. And each year there were, um, you know, 20,000 CVEs issued, you know, conservatively. And so like just the scale trying to, you know, just trying to manage all of the potentially exploitable vulnerabilities and exposures, right? A CVE and, and trying to do that across all of your assets, just, you know, do the math.

You know, you have 10, you know, a thousand endpoints, 10,000 endpoints. You have all of these potential vulnerabilities or you, you window it down through CVSS or EPSS or some other mechanism, you're still left with a boatload of things. You have to figure out, you know, uh, patching priority, your patching schedule impact to operations. None of that goes away.

But I think threat, an understanding of threat then helps you prioritize, uh, further and say, okay, what are the things we really care about? You know, and, and this is, you know, even I think independent of attack, you know, what are the parts of, of what are the asset groups in our organization that are most, uh, most attractive targets for adversaries? Uh, what are they trying to accomplish?

I mean, I think there's a lot of reasoning you can do at a higher level and then use that to paint a picture, which will help you prioritize. I prioritization to my mind, is the single biggest thing people in the SEC in the security community need, because there's just not enough time in the day and not enough resources. So, so I, I think, um, you know, that's really the big, it, it's a way of helping you focus. So you can say, alright, I don't have to boil the ocean.

Uh, I, I, I, you know, there are 600 and something techniques and sub techniques in attack. We don't advocate people trying to reason about all of those. You know, we we're really focused on helping people build threat profiles, which is, what is that subset of that attack matrix? Is it 20 techniques? Is it 50 techniques? Is it a hundred techniques that are really critical for where you are today to focus your, uh, and, and understand your security posture?

So I, I really think that's where it comes down to. But I, I do want to just repeat something. There's nothing about threat and form defense that is a get outta jail free card and, or, you know, a, a note from your, your parents saying you don't have to have good enterprise, you don't have to good have good cyber hygiene, right? You need to have good cyber hygiene, you need to have multifactor authentication where it's needed.

You need to have, you know, all of the things that, uh, we've been saying for years, you don't get to not do those things, but it's when you're ready to advance, I think threat informed defense can make it make your security program much more effective. Yeah. Yeah. And I, and I like what you said, like even outside of whether or not you're gonna use a tech or whatever tool, you kind of need to do that risk assessment of. And we always use that example like where are the keys to the kingdom?

Isn't it this file server or wherever? And then do that prioritization, right? Like, where is your critical, where are your critical assets? Where's your critical data? And then, you know, perhaps that's where, that's where you prioritize high for your patching plan, et cetera. Um, and so I think in the interest of time, Wes, I pass it back over to you. Why Thank you. So kind of you. That's good. Really good discussions. Um, okay, so a big question.

I think we've touched on this, but I wanna dive in a little deeper. And Aaron, I want your input as well. Um, the number one question that comes up on Reddit on RMSP is tell me what's in your security stack, or I'm evaluating eds, who's the best. And I always joke about, you know, like the buzz lightyear meme, like anecdotes, anecdotes everywhere, right? Everyone has a story which is valid and means something, but they're just stories.

I think we all deeply want to be able to assess, uh, and understand not necessarily the question of who's the best vendor. 'cause there is no answer there, right? That's not a, that's not a thing. But the real question is how do I know I have the right coverage and how do I identify my gaps? And there's been a lot of research that's done and gone into this, especially IL's work, right? We keep mentioning him today. But I just wanna ask you that question, like what goes into that in your mind?

I know you've given some talks on that. I'd love for you just to share from Rich's mindset how you might answer that question to an MSP listening today that just wants to know, you know, how does this stack up and how do I identify those gaps and how do I assess my coverage? Uh, uh, first off, if someone said, what is the best EDR, my first question would be, what is an EDR? Um, because every vendor that's got an agent on an endpoint can claim they're an EDR, and no one can prove them wrong.

Um, and I saw in here, you know, defining MSP, like, we need to define what an MSP is. It's not about creating marketing terms, um, like EDR, um, it's about simply having a reasonable defined terminology of what we're gonna call things, um, that we all agree upon. Um, one of the best ways to simply know where you've got gaps in your defenses is to stop calling your products by the vendor name. Just call the products by what they are.

Um, like if you've got, um, some endpoint protection, um, that is the product you have. It doesn't matter who the vendor is. Um, at the end of the day, most of the endpoint solutions stop what they're gonna stop. If a threat wants to get in there, a threat's gonna get in there. Um, also there's this an extreme, I'm gonna be all over the place. There's this extreme focus in the industry on software vulnerabilities, um, and not as much focus on configuration vulnerabilities.

Um, and that was my talk at the last rite of boom, um, that you could have a completely patched device that's not configured securely and it's just as vulnerable. And, um, one of the things that you never hear about in the industry or folks saying, Hey, look, um, I can measure the, uh, vulnerable surface area of a device by software vulnerability, but I can't measure the vulnerable surface area of the device based on its configuration. Um, which is just as big of a deal.

Um, and I'm gonna trade since I answered a question. Can I get a poll, Andrew? Uh, I'm working on my, uh, uh, write a boom presentation still. Uh, can I get a, um, a feeling of how many of you folks are using CIA when it comes to your asset management? Um, if you don't know what that means, have that be an option, um, as well. Thank you. You nothing about DIE. So Rich, curious your comments and thoughts on that same question?

Yeah, uh, first of all, just piggybacking on something Aaron just said, you know, one of the things that sometimes people find counterintuitive, or it may be at least surprising, is when I say that the vast majority of the adversary techniques, the TTPs in attack, do not require an exploitable vulnerability. So you could have a fully patched environment if an adversary can gain a foothold, get into the system through, you know, exploiting the wetware.

Um, the, um, the reality is they're gonna move around, um, and use the same exact, they're gonna live off the land Exactly like an administrator or a user in your environment. And so, uh, you know, just saying, Hey, we're a hundred percent patched and no one is generally, um, you know, isn't enough. Yeah, I, I think I, I think, you know, the, the, the whole question, I mean, fundamentally people wanna know, are our defenses good enough against the threats we care about?

So, you know, uh, the title Community Edition tries to give people some really simple tools and, you know, I've seen some people in chat, you know, being, you know, putting up, hey, I was able to, you know, look at some threats and then I was able to add a vendor in. And that list of vendors is constantly evolving and growing. And those are just the vendors that have agreed to be publicly available.

We also have vendors who we have mappings for who are not, um, who, who don't allow us to make them, uh, publicly available. By the way we work with any vendor. There's no cost for a vendor to be part of the platform. We think it's really important to have as many different independent, you know, sort of neutral mapping or be, be that neutral arbiter and provide those mappings.

But then what our, what our paid platform does is actually do that coverage computation using attack as a common language. And whether we do it or someone else does it, it's that ability to say, I care about this threat. So this ransomware group, you know, their malware uses these three techniques to, to do whatever.

Are these defenses, you know, as Aaron said, don't talk about the vendor, don't talk about their their brand name, but alright, their endpoint protection, does it actually stop this behavior? Does it, does it actually remove the preconditions for the behavior to even work in the first place? Does it detect that behavior? Does it just save some telemetry off someplace? Those are really important distinctions. Those are so that, you know, that's how we think about the problem.

But whether, you know, it's us or someone, or, or, or you doing it the yourself, that's the value of attack. It's that common language. And if you can do that and then not expose that to your user in the SMB, you win because you're making them more secure. You're giving them a sense of their posture based on real data. You know, this is like, you know, evidence-based security. So we have real data on what adversaries do, and and we get more and more of that all the time.

We have real data about the capabilities of products. Let's put that together. We don't have to show people an attack matrix to communicate that. Um, and so, you know, we, we we're passionate about that, trying to make it simpler. I know Andrew's going to be mad at me if I don't continue to try to make it simpler. Um, and, and honestly, uh, you know, that's why I'm so excited to be down at write a boom to, to hear what people are looking for.

'cause you know, there's, we have this idea of what we're doing, uh, today, but I'd love to see what people really want. Rich, I, I'd love if I could just say something, I'd love your thoughts and I'd love everybody's in the audience thoughts. It's like, okay, we understand these are the attacks, here are my controls. Am I able to stop it? Yes. No, here's, here's the gaps. But what I think a lot of what's missing is the translation to the end customer and even to the MSPs.

Like, if you have this mission critical asset that supports 80% of the revenue in your business, as we talk about with Brian Blakely all the time, Wes, right? What's the risk to the revenue? Because if we can get it down to, like, I'll take the community defense model, Phyllis, we have all these attacks and ransomware being a top attack, but imagine if we actually had, what were the stories or business impacts? Well, this, as this ERP system got this, this happened.

The, you know, it was shut down. The company was shut down for this period of time, and they lost this amount of business, this reputation rich, like I'd love, again, everybody's thoughts out there, but if we could somehow translate down to the customer, it doesn't have to be 50,000 examples, right? It just has to be a few, right? And unless there's a lot of the work you're doing at empath, like how do you tell that story down market? Um, d does that make sense, rich, from your perspective?

And then I'd love, you know, your thoughts, anybody's thoughts as well. Yeah. I, you know, at the end of the day, we're gonna be, we're gonna be remembered or, or revile based on, you know, whether we actually made things better. And, and we can't. And we shouldn't expect everyone to be a cybersecurity expert at, or even even cybersecurity literate. We have to translate it to them in terms they can understand in terms that are relevant.

I think your example is great, you know, what's the business impact? What's the, what's the impact to mission? What's, however you wanna frame it. Um, and the more we do that, then it doesn't matter if we have the greatest solution in the world, if people don't use it, if they don't understand it, if they can't apply it, what, what, what difference has it made? So it's, it's really about putting things into, into action and empowering people to defend them to, to be defended.

Well, Well, and I go to Wes, Wes because, I mean, you, you know, you, you joked around years ago, I think in the early cyber calls and some of the things, you know, what's the best way to get budget, right? To have a, have an incident, have a breach? Because then it wasn't about the incident and the breach, it was about, wow, this actually happened to the business. This was the impact to the organization. This is the reputational harm we got. This is the customers we lost. This is the downtime.

The fact we couldn't pay our people you know what I mean? Yeah. That's what all of a sudden it's the eyes open and go, holy crap. That's why we needed to do this. Yep. Because the knee jerk, and, and we just mentioned this in the, the bootcamp we did last week, is if you go pull, if you're listening to, if you go pull, most of your business owners who have not, if you haven't had these conversations with their knee jerk, is what's the cost of a security incident?

I don't know, 10 k, a hundred k, maybe at the most things really go bad. Like, that'd be pretty terrible, but we're fine. You know, no big deal. We'll recover. That's what they think. So of course they're gonna align all of their concerns according to their perceived outcome of an incident. Not recognizing that it's gonna be a million or more.

In most cases, when you compound all of the things that happen, uh, you know, regulation challenges and disclosures and forensics and legal and lost business and impact and all these things, right? They don't get it because no one's ever taken the time to describe exactly what the outcome is gonna look like for them. Yeah, yeah, yeah.

I mean, it was like having, and I know Robert Chaffey's there, like having and Eric having them on stage last year, write a boom, and Gary kind of closed as, as they went through that visceral experience both of them had for themselves, for their customers. And you know, Gary said, if any, you know, is there anybody here after hearing this that feels like couldn't, you know, a a wanna do more in their own business or, or B, have that conviction to their customers of how important this is.

Right. Um, anyway, I, I really well said Robert. I, sorry, Smith, Wes, Whoever that guy is. Whoever. Okay. That guy with the glasses. You can call me Robert. That's a compliment. Have you seen the guy's hair? It is, it is amazing hair. Um, but Rich, um, you know, I know we're at the top of the hour here and just want to thank you so much for coming on and sharing your wisdom.

And I'm really excited, like I said, for you to come to write a boom and here from so many MSPs, 570 MSPs and MSPs, and, and ask them, you know, again, how do we, what is it that we need to do to translate it to our customers? Because that's where we get stuck. Mm-Hmm. And that's why, you know, there we have this amazing gap, right, of the companies that are doing it well and seeing, but our job is to help get everybody there to the finish line.

So, Yeah, no, I, I'm, I'll be down there with my laptop, taking people through the platform, asking lots of questions. I, this has been, uh, a great, you know, I, I, I do a bunch of these. This is definitely one of the, one of the more memorable and fun and informative, uh, ones I've done in a very, very long time. So, um, really thank you so much for the opportunity. It's great to see all of you. Great to talk to all of you, and I hope to see you all next week in Texas. Texas. Yeah.

And Aaron, thanks so much for coming on. It was really great to have you on and all the awesome stuff you're doing at ru. Thank you for that. And, uh, thanks for having me. Yeah, of course. Phyllis West, thank you as always my friends. Yeah, can't wait to see you guys live next week. Uh, until then, we'll see everybody for one more show.

Monday, this time next week we're gonna have, uh, Steve Carter on from, uh, nucleus talking about ai it's great and how threat actors are using it to, you know, to, to search for vulnerabilities and code. And it's gonna be a really good one. So until then, everybody have an awesome one. Take care. Thanks everyone. Thanks Aaron. Bye.

Related Videos

Threat Informed Defense & Why it Matters to MSP/MSSPs | Right of Boom