MSP Cyber Capability & The Cyber Resilience Gap
In this video, Ryan Weeks and Wes Spencer discuss the intricacies of cyber resilience for MSPs, focusing on building an assume-breach mentality and integrating business continuity. They explore frameworks such as the Cyber Defense Matrix and the Cyber Kill Chain to highlight the importance of transitioning from a technology-centric to a people-centric approach in cybersecurity strategies. The session emphasizes the critical need for MSPs to adopt a proactive mindset to effectively detect, respond to, and recover from cyber incidents, ensuring a resilient cybersecurity program.

- Cyber resilience is an operational state combining cybersecurity, business continuity, and organizational resilience, requiring continuous improvement to maintain.
- The concept of 'left of boom' and 'right of boom' is crucial, with 'left' focusing on prevention and 'right' on detection and response after an incident occurs.
- Effective cybersecurity involves people, process, and technology, with a focus on integrating these elements to enhance detection, response, and recovery capabilities.
Video Transcript
All right, welcome. We are live for the Cyber Resilience Workshop. Joining me, my co-host and hosts on the cyber call here, Gary Pica, Wes Spencer, and Ryan Weeks. Welcome everybody. Hello. We don't have any video on you, Andrew. We don't, no. That might not be a bad thing. I'm not sure why we don't have video on me for real. No, no. I got your smiling face. I see you. Oh, do you? Oh, okay. Okay. Maybe must be. It must be Gary. It could be that new fancy set you got there, Gary.
All right, here, you're, thanks. Okay, so let me just set the stage real quick 'cause I want to jump right into Wes' and Ryan's session. It's, it's fantastic. I got to see the preview of it. I got to, we're gonna be hanging out with these guys. Um, but first I want to thank everybody for joining. We got a huge, uh, turnout and, and so I really appreciate everybody, uh, investing their time, energy, and talents, and spending it with us. Few housekeeping things. Common question, is it recorded?
The answer is yes, it is in the upper left. If you look at the Crowdcast window, you'll see a schedule right now. It should say one of six. Each session will end and takes, I don't know, 10 minutes or so, and that recording will be there. Second thing, when this session ends, um, we'll end the session. Please stay right where you're at if you're staying for the next session. So it'll seem like everything's ended. And then it'll, we'll pull you into the next session.
So it'll be a delay of maybe 15 seconds or something like that. Questions. Um, I hope we get to all the questions, Ryan and Wes, and each, each speaking, each, each of that session is packed. Um, I'll keep an eye out. Gary and I, we'll keep an eye out the speakers. I know we will keep an eye out on answering all the questions. If for some reason we can't get to your question, um, I'll put my email in andrew@thecybernation.com. Email me.
Um, and we will, I'll get those questions to each group that's presenting. Last, there's the cyber resilience agenda. The windows always look different from if you're, if you're presenting, but Wes and Ryan are below, but below them, whoever's below, you'll see a green Cyber Resilience agenda down below. It'll frame out what each session is. Um, today, real quick, we're starting off with Ryan and Wes, um, doing cyber resilience for MSPs.
Um, we're gonna transition into building your incident response plan. And lastly, today we're gonna have a technical session on vulnerability management and vulnerability exploitation. Gary, any words you'd like to share before we kick it over here to Ryan and Wes? Uh, no. Just wanna mention if you are a TruMethods member, that all of these videos will go into a security track in the training portal. So they'll be available, you know, going forward.
And we're, we're adding a bunch of other content, uh, as well around that, that you can look for in the next four to six weeks. So, and then the last thing I just wanna say is I want, I want to thank everybody, uh, today, Ryan and Wes and you, Andrew, not just for these couple days and the work that went into it, but for just everything that you, you have been doing, you know, for the industry. Um, we've tried to pick up this flag and move people forward, uh, as best we can.
So, uh, I, I want to, I wanna just, you're all really busy people, and so I want to just commend everybody for, for their efforts. Me, busy? Come now. I spend most of my time on Snap filters. Alright, so with that, let me introduce, uh, the CISO of Datto, Ryan Weeks, and the CISO of Perch, Wes Spencer. Uh, let me let you guys kick off with your slides. Um, we'll, we'll give a quick intro into it. Ryan, do you wanna see if you can drive those up there and, and we'll get things rolling?
Cool. All right. So the MSP Cyber Resilience workshop, we, we talked about who's here already. Alright. And, um, let's talk about this session in particular. Um, so, man, you know what's really interesting, the three things that we were talking about when we were, you know, getting behind the scenes doing this that we really wanted to convey to, to you all, is that, you know, gone are the days of just thinking about preventative and detective controls. Um, oops, we can go previous. Oh, sorry.
That's okay. Um, and that, you know, if you, you know, listen to, you know, some of the best of the best out there, and you, and we've got him here, right? It's, it's today we have to assume that we're compromised, period. And so Ryan's gonna introduce, um, a, you know, a bunch of different concepts, but they're all gonna come together.
And the, the, one of the concepts he's gonna be talking about is something called left of boom and right of boom, which is really the actual incident when it happens, why it's important, and what we can take away from building an assumed breach mentality, uh, into and cyber resilience into our practice. Second thing, Wes, you know, we've been talking about frameworks quite a bit, um, on the, um, cyber call, right? And, um, you know, how do those, um, apply to building cyber resilience?
Uh, a lot of frameworks, you know, if we just take CSF, Wes, you know, we're talking about things that happen prior to, uh, the incident, right? Or the actual event, preventative identify, protect, detect controls. The event is happening between prevent and detect. And, um, you know, so we will notice that, you know, we move very much from a technology-centric approach to a people-centric approach. So you're gonna be talking about that.
And lastly, Gary, tomorrow, you, Matt and Mike Ard are gonna pull all of these concepts together that we're gonna talk about in this session and bring it into a go to market strategy. Yeah, man. And that one, uh, we went, uh, went over it and, uh, no slides. We're just gonna go straight at it, take questions. We'll role play. We're gonna talk about lead gen, leveraging the message, taking all the technical stuff.
And now how do we do those important things, which is we gotta figure out how our customers will, will fund it, and how to bring on new customers. Excellent. All right. So Ryan, let me kick it over to you and enjoy the show, everybody. I'll be keeping an eye on Q&A and, uh, like I said, enjoy and thanks again for being here. Alright, cool. Awesome. Yeah, let's get to it.
So, cyber resilience is quickly becoming my favorite, uh, topic to, to talk about, but I think first, let's norm on what it is and what it isn't. Um, it is the measure of your business's ability to operate despite adverse conditions, stresses, attacks, or compromises. Basically, it's the ability of your business to continue to operate no matter what cyber, uh, situation might be thrown at it.
It might be operating in a degraded state, or it might be operating, um, in a, uh, you know, in a state where, um, you know, there's, you know, significant degradation. Uh, but the ability to recover quickly and get back to operations, it exists when you have information security, business continuity, and organizational resilience together jointly. And it is an operational state of a business that requires continuous improvement processes, both to attain and to maintain.
Cyber resilience is not a buzzword. This is a really critical concept for people in information security, and it really needs to be internalized so that you can figure out how to take this idea and achieve it for, to become a truly resilient organization. Right?
So I, I know that the, you know, the word has been getting kicked around quite a bit recently, but I think it's getting kicked around because it's a really important concept, not because it's the latest and greatest word that re you know, gets people to take dollars out of their wallet, right? So really, really important concept that we're, we've been defining here. Uh, you know, we've been discussing quite a bit on the cyber call.
And when we talk about cyber resilience, we start talking about a lot of frameworks. And we've covered, um, you know, on the cyber call, the cyber defense matrix, we've covered, um, you know, the NIST cybersecurity framework, which really is made up of these five functional areas where each functional area has a set of capabilities, right? And when I say capability, I don't mean a tool.
I mean, the combination of technology, people and process that are necessary in order to fulfill the objectives of that functional area. Some of them may be technology based, some of them may be process based, but whether they're process or technology based, you always need people to operate them. So people is usually the first thing that we talk about, right?
And so, as I said, cyber resilience is this combination of cybersecurity, business continuity, and incident response kind of jammed together. You can kind of see roughly how they overlay there on the top where cybersecurity's traditional focus has been on identify, protect, and detect. Some would argue it might also have just been solely focused on identify and protect.
Um, but certainly in terms of business continuity and incident response, you are really heavy on the, um, now that you know, something bad has happened, responding to and recovering to it quick. The combination of those things makes you cyber resilient and it requires people, process and technology to get there. Um, and then we've talked about left and right of boom, right? As a, as a concept.
And, um, you know, in the assume breach era, we, we assume that we are already operating right of boom, which means you must have people, process and technology oriented around the functional areas of detect, respond, and recover. If you're not, if you don't have those, then you don't have a cyber resilient organization. You have a cybersecurity program, but you don't have a cyber resilient cybersecurity program. And so we really need to, you know, again, focus on left and right of boom there.
And then let's introduce one more framework, because in security, we love our frameworks. Um, the kill chain, the cyber kill chain, um, and this is basically the seven stages that an attacker will go through. And within each stage, there's an opportunity for us to identify, protect, detect, disrupt, respond, uh, to the activities in each of those stages. Generally, when boom occurs, we're operating in the exploitation phase of the attackers, uh, you know, attack chain.
So take for example, let's talk about an RMM compromise, because that's like, ev you know what, everybody's kind of afraid of these days, right? So attacker determines that they wanna attack an MSP, they want to get access to an RMM, they go to the dark web, they say, Hey, can I get access to, uh, anybody have credentials for any RMMs for MSPs? Someone says, sure, I'll sell you one for 10, 10 grand worth of Bitcoin. Cool. Now I have that access.
I'm gonna go log into the RMM that is effectively working through that reconnaissance to exploitation phase. I log into RMM, boom, I have access to that RMM. Now, the interesting thing is the attack chain starts all over again. Well, now I have access to the RMM, but what am I gonna do with that access? Now I gotta do more reconnaissance. I gotta figure out how am I gonna weaponize this access? What am I gonna use this access to deliver?
Uh, or, or do within the environment: scripts, droppers, ransomware, payloads, et cetera. Ultimately, I'm gonna use that access to exploit, then ultimately install that threat, have some sort of command and control over that threat, and ultimately act on objectives, steal your data, ransomware your systems. So as you can see, when we combine all of these concepts together, they're all really complementary, but they are all foundational in people, process and technology.
You cannot do any of this without people, process and technology. And technology is the last thing in people, process and technology. Um, so let's talk about people, process and technology from a really deep perspective, right? From a kind of a drive home. And the, the kind of three areas where I've seen the, kind of the biggest issues with, um, with, with MSPs and, and kind of driving their programs towards maturity, uh, not even cyber, it's just the core cybersecurity program.
Number one is shelfware. Um, the conversation in 2017 and 2018 was, Ryan, what do I buy next? What's the next security control that you recommend that I buy to protect my MSP? And it was all technology and we were buying technology and deploying it largely with its defaults without any real process in place for ongoing caring and feeding and managing of that technology and not really, not really kind of devoting the people time to that technology to really make it effective.
And that leads to technology largely becoming shelfware, which means it's something that might make you feel better, but it doesn't actually make you safer. It might check a box from a compliance perspective. 'cause you can claim you have a capability, but it, to have a capability, you have to have a combination of people, process, and technology. So if you have technology right now in your program, the question you should be asking yourself is, do I have the right people managing it?
Are they devoting the right time to it? Do I have the right policies surrounding it? And do I have the right processes to maintain that technology and to maintain the information coming out of that technology and how it might feed into other phases of the, um, cybersecurity framework, like the response and recovery phases. Right? Hey, hey, Ryan. Yeah, go ahead. So, um, two things. One, you know, historically as MSPs, we like problems that technology can solve. Yeah. Right? Number one.
So that's the default. That's how in all the years I've been doing this, that's how we're trained, right? And then the second piece of it is we also know how to price tools. 'cause we know what we pay for 'em, and we can figure out how to price 'em, pricing the people and process, right? That's probably why it, it ends up in that shelfware type thing. So this is really awesome the way you're showing it. Yeah. Hey, hey, Professor Weeks. Yes, sir. This is good stuff, man. Uh, really like it.
So let's do a thought exercise real quick on this one. Yeah. Uh, in chat, those of you that are watching, man, 529, Gary Pica, you know how to run an event, my friend. That is insane. That is awesome. Okay, so you 529 people watching, pick those capacity outcomes. Don't think about everything in your MSP. Think about like cybersecurity alone. I'm just gonna leave it generic for a minute because I'm very curious.
Pick your number one challenge. Is it, don't look at the people, process, technology part. Look at the capacity outcomes. Where are you most challenged: poor adoption, burden to scale, wasted effort? Pick one. And I want to, I just, I wanna see it all roll through chat. And I want to know where your capacity outcome challenges are for a minute. All right. Couple wasted effort and adoption. Come on. 529 people. Gary, is this like a bot farm? That, okay, there we go. It is real people. There you go.
There's a, there's a little delay in it. Wes, look at this, Gary. A lot of adoption. Ryan. Yeah. Is this surprising you? No, not at all. Right? One, because they, we default to technology. We try to put some process in place, but if we don't have the people, right, it doesn't, as you said Ryan, it doesn't get the, uh, it doesn't get the care and feeding. Yeah. And that's the part, and especially as, as you showed as you move, right, of boom, right?
It gets really heavily dependent on the people part. Yeah. I mean, you've all heard me say, right? Uh, tell stories about MSPs will come to me and say what to buy next. And I, and I tell them, don't buy anything. Go back and make sure that the things you already have are actually providing you the outcomes that you want.
And this is a great framework to go through those capabilities you already have and saying, am I getting the most out of my RMM? Am I instrumenting it for cybersecurity with the right set of people, processes, and technology capabilities to achieve the best possible outcome of what the RMM is already capable of? There's a lot of things you can do with an RMM before you should ever go buy something else.
So make sure that you're investing in the capabilities, the controls, the tools you already have before you go buy something else. Unless, and here's perfect, you know, I'll give you the, the exception to the rule unless that technology is going to specifically help you solve a people and process problem, right? And so that's, that's a very key thing, right?
You can bring technology in if it's going to help you scale, scale your people and your process, but don't bring it in just because you need another capability in your program. You need to be very deliberate about why you're bringing that technology into your organization. And I love seeing things scroll.
I was kind of surprised by the burden to scales of, uh, to, to, you know, if I'm being honest, but poor adoption, inconsistent operation and shelfware are the three most common issues that I see, uh, with MSPs. And so I think, you know, if you're looking at yourself through the lens, what we've kind of learned in this little section, you know, session right here was that shelfware to poor adoption. Most MSPs seem to be following in that slice of this graph. So, um, steal this slide, right?
Uh, take a screenshot, go and use it to analyze your program and your capabilities. You know, what I see in real life, you know, I know a few MSPs, um, uh, is that when you tool stack, TruMethods, we call that centralized services, right? It's everything in your tool stack. Uh, we see that many times people are more defensive than offensive with the tools, and because they don't have the people and process around them, they can actually create more risk than they reduce.
And it's very, very common across the MSPs that we meet. Yeah, I think that's a great point. Especially with like remote access technologies and firewalls, right? People having firewalls, not caring and feeding for them, and them ultimately being compromised as a means of access into an organization is a great example of that. Andrew, you were gonna say something?
I was just gonna say, well, it's interesting about, you know, shelfware and, and what you were just saying, Ryan, if you listen to Sounil Yu and his presentation, um, at the enterprise level, he talks about the same thing, the same challenge at the enterprise. And it's typically around, Wes, I'm gonna kind of ask you to verify. But he talks about, it's the same thing around SIEM and, uh, as a result becomes shelfware. Um, and because it's so people and process head, um, driven.
Does that make sense to you, Wes? Um, IT nerds like me are notorious and I mean notorious for jumping right into the cool technology with complete reckless abandon for people and process and how something scales. And I almost, I honestly feel like I became a CIO at a bank only because I would ask those questions of like, how are we gonna run this? Who is going to run it? In what ways are they going to run it? I'm like, does no one else ask these questions?
And I know you guys on the call, you think about this as well because you run, you know, you, you had that managed IT approach too. But you know, most IT people, we just wanna jump right to the tool. It's, it's the fact, it's a problem. And I did wanna ask one more follow-up question because this is so good. And, and also partially because I wanna see if we can denial-of-service, uh, Crowdcast. So in chat, again, pick one of three: people, process or technology, which one is the hardest for you?
Pick only one. Wes, you want me to create a quick poll on that? I mean, you can, yeah, that's fine too. I also just wanted to see a bajillion chats go through again, just because again, I, I'm pretty sure if we keep this up, we can, uh, break Crowdcast. People and process. Man, man, it's going crazy. But man, I should have asked that question before I let in. 'cause they're like, well, I don't want to agree or disagree with Wes, so I better not put technology there.
But it is okay to put technology. I think most of you guys would've picked that ahead of it anyway. Now that does, Gary and, and Ryan, that doesn't surprise us at all, does it? No, not at all. No, I think there's a, there's another complementary model to this. And again, you know, if you've been listening to me on a cyber call, you know, like I love frameworks and mental models for, for dissecting problems, the plan, build, operate model, right?
You, you plan a technology, you, you plan to build it. You need to plan to operate it. Planning to operate something means planning the people and the process steps that are gonna go into the technology. It's not just about buying it and deploying it and getting, you know, blinky lights. It's about actually planning to be able to operate that technology over the long term.
I think that's where we fall down a lot when we purchase technology is we think we're gonna put it in, it's gonna make us safe and we don't have to do much with it. A lot of security technologies unfortunately require care and feeding. So we're, we've talked about capabilities in terms of people, process and technology. So I want to hand it over to Professor Wes and I want him to do a deep dive into capabilities.
Um, and, and we'll go back to, uh, one of our, one of the previous models that we discussed that we love here on the cyber call. Right. Before you do, I'm gonna still let you handle the slides for me. Ryan, if you don't mind, while we're still on this, I have a third question that just popped into my mind. Okay. I'm gonna call you guys out on the carpet for a minute or maybe, maybe I'm not gonna call. So, okay. So I asked you to pick people, process or technology. You picked one.
I also asked you to pick capacity outcomes. Now give me a yes or a no in chat. Did the challenge, the capacity outcome that you picked, does it reflect what the biggest challenge that you picked from people, process or technology? In other words, if you, you said poor adoption, then I hope that you chose people as your gap. So tell me yes or no, did they match or did they not match? That's great. That's awesome. And it's okay to say no. It is super okay to say no.
Yeah, no, I think it's, I, I love your final exam for this sheet. For this slide. Yeah. Got a lot of yeses. So that means, uh, okay, Ryan, you were successful. Good. Yeah. And again, steal this slide. I'll give credit to Optiv. I actually hijacked, uh, this slide and some of its contents from Optiv. Um, I loved it. The first time I saw it, I got so excited. Um, it just, it just puts something in such clear terms for me that I've been wrestling with.
And so now I, I love just looking at everything kind of through this lens. Um, but anyway, like I said, we, we want to deep dive even further into capabilities and bring it back to some of the other frameworks we've been talking about. Wes, why don't we, Yeah, let's do that. Do that. So we've covered people, process and technology. Let's go to our old friend, the cyber. Yeah, here we go. Our old, our old friend. Yes.
And, and by the way, Adam, I see you in chat sort of mostly doesn't seem that black and white. You're right. It, it's definitely not that black and white. I love models for the same reason Ryan loves models. It's just a good way to get us thinking about something. But it is always okay for us to sort of, you know, go out of that bell curve or that, that, uh, skew of where the model goes. But, but you're exactly right. It's not always that black and white.
It's just a good way to get us thinking. Okay, so how many of you guys give me a, uh, no. 'cause I think most of you guys would be a yes, but gimme a no if you've never seen what you're looking at here. This is, while I'm waiting for those to come in because of that delay, um, this is what we call the Cyber Defense Matrix. This is developed by one of our friends, Sounil Yu. Um, Sounil is, hey, Jason Gel, I see you checking in there.
Hey, uh, um, this is, uh, a, this is a fantastic, again, model to think about. And so if you're taking a look at this, good. So nos are coming in. Thank you guys for the no. So let me explain what you're looking at here. And by the way, you can just go to cyberdefensematrix.com, I think. I think it is. I'll look it up in a minute to make sure, but okay. So you can check this out and read all about it. This is not mine. This is Sounil's.
Um, I met Sounil many years ago at an FS-ISAC conference. And you know, Sounil is a technologist. He's a guy that just likes to think big picture. And what you see here at the very top, you guys should recognize the identify, detect, protect, respond, recover. That is the cybersecurity framework. Then on the left, we've got some domains that he picked. And interestingly, these domains are used in other frameworks. Um, one framework that this is used in is the, the, um, CIS critical controls.
Those are actual prescribed domains that we use. And so this is really interesting. This is a model that, uh, Sounil has kind of developed to help us, um, demystify and clarify how, where, where we may have gaps in our strategy, things that we may need to address, and just an understanding of what we have that goes where. And, uh, Kyle Hanslovan and my, myself, Kyle from, from s most of you probably know him.
We did a, a talk on this, um, at V Cyber Con a year ago on demystifying cybersecurity. We got so much good feedback on this. I'm like, man, this is such a great slide. So what you see right here, the idea is you can take this and you can kind of map through what things do I have in place, where do they exist and what does it cover for me?
And one of the things that's really important is if you look down here at the bottom, this degree of dependency, notice that traditionally, and this is not always prescribed like this way every way, but most of the time, identify and protect based tools or, or things that we do to cover this gap are usually technology focused. Lemme give you an example. Protection on networks is a firewall. That's pretty technology, right?
I mean, yes, there's some setting up and getting it up and running, but it's pretty fire and forget, right? But then go way over to like, recover on, you know, data or users or responding. Typically, those are very people dependent processes. Not that technology doesn't augment, but people are very traditionally very driven in participating in all of that. And so this is a really interesting framework just because it's a great way to start thinking through this.
Don't just slap vendor logos in here. You can slap processes in here. You can slap, um, things that you do. Like maybe you look through your incident response processes and you begin to understand how do I recover to an incident that affects an application? You know, you might think through that and what, what, maybe there are some vendors that you have in place to help with this. Yeah. And the other thing you can do here is, right, we said people, process and technology.
You can have three versions of this. One for people, one for process, and one for technology. And use that to figure out where you're deficient in one of the three areas in each of those buckets. Absolutely. This is great. Uh, we're with our peer members right now. We're doing a special project that lines up pretty good, uh, with this. But one interesting thing I wanted to say here was think about what's changed.
Like look down those domains, Wes, and this whole business has been built on devices and networks, right? And now what we see is applications, data, users is, you know, every day it's moving more and more in that direction. Yeah. So that's one of the reasons, right? Um, that we see, you know, some struggles around MSPs. It's, it's a different way of thinking, right? About security than two or three years ago. Yes, uh, very much agreed and great comments coming in. Jason's right?
It's, it's a friendly, the, the CIS model's very friendly and it's approachable. Implementation groups to get started is a great pathway. I agree. Um, I like Justin's comment of like, ask your vendors where they fit in the grid. And come on now, Tim Fornet, uh, Perch fits every single one. 'cause we do all the, uh, blockchain, AI, thready threat, you know, stop the threat before it's found kind of thing. I'm just teasing guys. Uh, but no, I think, think that's a, it's fine to do that. Okay.
So let's continue down this journey. Uh, let's take this a step further. So, uh, the next thing that Sounil shows is where he, he kind of took this and he, he began and notice that he shared this in 2016. This is the kind of futurist that, uh, that Sounil is, right? This, this is like, if you watch this live with him, your mind would be like blowing right now. Be like, I can't believe he's thinking about it like this. So he takes this idea of like, okay, when does the boom happen?
Like, when does the incident actually begin? When, when does a threat become a threat, right? Not just a, you know, a port scan and a discovery that you have an unpatched VPN that did not get addressed and a bad, you know, not just that, but when the exploitation actually happens. And so this is what Sounil calls this, like left and right of boom. And you guys hear us say this on the cyber call all the time. Like, detection picks up where prevention leaves off.
The idea behind prevention is let's stop the known bad things. That's a wonderful thing. But we also know, and Gary, you, you say this over and over, this assumed breach mentality is about this idea of eventually it's gonna happen. So when it happens, there's a couple questions that should go through our mind. One, how does it happen? And like, where in all of this does it happen? And what do we do once it happens?
And so I love that Sounil kind of takes this, you know, pre and post boom, the left of boom before things happen. It's all about what he calls pre-event, structural awareness. What's going on in the world around me? What do I know? What do I see? What am I aware of? What things should be addressed and tackled? But the right after something happens becomes situational awareness. In other words, after the event happens, how do I know that my situation has changed?
How do I know that things have happened in my organization that requires me to do something about it? Because now everything has changed. And so let's again overlay something new on this. So hit the button again for me, uh, Professor Weeks, if you would. And let's kind of take this and keep it in the background. 'cause I wanna show you the overlay. But now what I'm doing is I'm taking the cyber kill chain from our friends over at, um, oh shoot, who are they from? Uh, MITRE? Lockheed, right?
Lockheed Lockheed, yeah. Yeah. So now what I'm doing is I'm overlaying this, and this is just my like, really bad PowerPoint. Best I can do word art overlay. So bear with me right here. Um, in fact, I think it should have been, no, this, this is correct. Okay, so if we take the kill chain, the kill chain is a fun way to kind of think through the, how the process of an attack happens.
You know, how bad guys, I'm not gonna give you a lecture through the whole thing, but how reconnaissance happens for them to be aware of what's out there, how we weaponize something to understand like, what is it that I found that's weak and how can I do something against it? Um, like how do I build an exploit to go after that? How do I deliver it? Has the actual exploitation happened? And then how, what happens after the installation command and control and actions on objectives?
In other words, ransomware is typically the big threat we're concerned with, right? So if we overlay this on top of the cyber defense matrix, look what we see, that exploitation phase in the kill chain is kind of, it kind of straddles the fence, doesn't it? There's an idea of exploitation where we say, I would love to stop it. And in some cases we might, you may have a solid EDR that sees it and stops it.
You may have a firewall that sees shell code passing and kills out that piece of the stream. You may, whatever it may be, you may have prevention tools that stop it, and that is awesome, and I sure hope you do. But the reality is we don't always have that, right? And so now we have exploitation that kind of maps over into the detection phase. And now it becomes this question of if the boom happens, these are the things that I really want to spend my time detecting.
Exploitation, installation, command and control actions on objectives. Does that make sense so far? Comments from my esteemed panelists? Yeah. The one thing I'll note right now is, you know, there's an assumption here, the way this is laid out, that boom happens, exploitation happens, and then you go all the way through the kill chain to act on objectives, and then that's when you recover.
The real idea of cyber resilience is to shrink the detect to recovery capability as early as close to that exploitation as possible to minimize the damage. So don't assume recovery happens after actions on objectives. Recovery can happen at the point you detect exploitation or detect installation or detect command and control, right? Or, or prevent even, right?
So don't, you know, realize that the goal of cyber resilience is to shrink that as close as possible, as close to that boom event as reasonable as you can. Wes, before you move on, also, can you talk to us about, you know, when we think about an incident, oftentimes we haven't set things up correctly, and I'll talk about things in a second, but this is where I want you to expand correctly.
I.e., logs. We talk, you know, we talk to Chris Loehr a lot and we're trying to understand what has occurred. And yet, because we haven't been able to set up things properly in the environment, we have nothing to go back from a reconnaissance perspective from our side and try to figure out, um, you know, how to, how to, how to, uh, actually demystify, for lack of a better word, demystify what's, what's occurred in the attack. Can you talk a little bit about that?
Because this, you can't go on, you can't undo this after it's occurred. You go, oh, I wish I had taken care of that. I, maybe I'm not totally following Andrew, I'm so sorry. You mean kind of like how, at what points of like the kill chain themselves, are we talking about like, uh, where we wish we had the ability to go back and see where those things happened? Is that kinda what you mean? What I'm saying is a lot of times people don't have logging, let's just take something simple. Okay.
They don't have logging set up. Yeah. Yeah. And we're like, Hey, we know something's happened, but we can't figure out what's happened. Yeah. Okay. I'm with you. So if you could talk a little bit about that, that this again takes people and process for us to shrink that correct, Ryan? Yeah.
What, what do you think, and this might be a hard question, but on average, what do you think, uh, once you hit boom, the timeframe, uh, before how long before it gets to that next, that next around exploitation? I mean, obviously we saw with SolarWinds it was from March to December, but Yeah, you know, in general, I will say one, it depends on the type of attack, right? So, and I hate the depends answer, but it really does. Yeah.
But more and more we're seeing that the attackers are becoming patient. It's, it's really gone from days to weeks to months now that the, like from the point they've exploited, uh, an entity to the point where they actually act on the objectives, they can be in there for half a year before they actually do anything. And they're getting to learn your business in some instance, better than you know it because they're trying to figure out how to cripple it.
And you, I Think that means you're saying all the major vendors are already breached. Well, everyone should assume they're breached. Yeah, Exactly. Yeah. And Exactly. And there are so many reasons. Now I'm on rabbit trail, and I'll say it quickly so we get back on topic, but there's so many reasons for it, and believe it or not, sometimes it's because they're insidious and they're watching and they're learning.
Sometimes it's because they're stupid and they literally have so much access to so many things and they, they can't prioritize you over everybody else. And it's just, it's almost like ticket taking. Like, I'm serious about that. They have so many, they have access to so many different orgs, uh, and then sometimes they just don't really know the value of what they have. Um, it's unbelievable. But, but these things are all can be true. Uh, very much so.
Um, okay, so going back to chat here, I see some good things. Yes, the sudo make me a sandwich with the kiddos did work. I finally got some food in front of me. Uh, so, uh, I, I think that's pretty awesome. And yes, I will take Bitcoin for slides. Um, Ian, uh, I am very good with that. Okay, so let's move on. Let's hit a button again and I wanna talk about some paradigm shifts that exist in all this.
So if we draw this line right through the middle, in between exploitation is that straddling the fence between protection and detection. There are some interesting things that come up out of this, and I wanna walk you through some thoughts.
So you probably often said these things yourself, and you're not wrong when you say any of these, we often say things like, well, the attackers have all the advantage, you know, they only have to be right one time, and here I am having to be right every single time. Right? That that's, you ever said that before I say that? I still say that that's true. Very, very, very true. They only have to be right one single time. They can try and try and try. It's like the whole make a light bulb.
I only have to find one way to make it correctly is what the dude said, right? Um, also things like there's no risk to them. Trial and error. Like no risk at all. What's the worst that's gonna happen? They get caught on, you know, port scanning your infrastructure and, you know, um, maybe they tried something and your prevention defenses failed it. Dude, they live in Ukraine, they don't care. Like there's no extradition around here. Like, have fun with that. No big deal, right?
Also, you know, this, this idea like pre-boom, identification and protection always take the center stage for countermeasure as well. They should. In other words, if I can do a great job knowing what's in my network and knowing what's in my client networks, then I can do a great, a better job preventing all the things. In other words, again, just to go back to scenarios.
If I know what's in my network and I patch the weak stuff in my network, it's going to definitely reduce my attack surface in many ways. Not to say I'm not gonna get hit by something, but it's gonna make it much more difficult. Evidence? Talk to Chris Loehr from, uh, Solis and, and ask him how many of the incidents that you deal with are things that should have and could have been prevented.
Lack of two factor, not patching your VPN stuff, you know, credential, you know, misuse and theft, uh, phishing attacks on and on and on, right? It's not zero day stuff, it's normal hygiene. And so this is where pre-boom, it's important to spend time on that, right? And then also here, this is interesting. I saw this at my banking days. If you try to do detection at the reconnaissance phase, we call this noise for the most part.
How many times does your auditor come in and say, well, I show me all the port scans you're looking at. And I say, back to that auditor, I don't care about the port scans. And they're like, well, what do you mean? I'm like, I get port scanned all day every day. Let me just open you up real quick. Let me just put CTA on my public network just for a second. And you can see all the port scanning and they're like, holy crap, that happens all day every day. I'm like, yep, that is called noise.
Could I go back in time and look at that and use it in some certain ways? Well, sure, but right now it's just noise. Okay. So now that we have all that, let's talk about after an incident occurs. So now let's look at the, how the paradigm really shifts. And Professor Weeks, I'll let you smack that button for me again. Um, and, uh, look at, so after, after the, after the boom, look at this, all of a sudden the defender has the advantage. And that may shock you, but it's true.
In other words, we now only have to be right once. Go look up again at the kill chain, see that we can detect the exploit, we can detect installation, we can detect lateral movement, we can detect persistence, we can detect command and control. We can detect potentially some kind of action on objectives, like them actually beginning to just, uh, deploy the ransomware. All of a sudden this entire mindset shifts.
And all of a sudden now I'm like, wait a second, I only have to find one piece of all of it to know that something happened and begin to take action, going back into this idea of resilience. And all of a sudden the risks change because for the bad guy, if he screws up or she screws up, I don't wanna assume gender's here, they screw up whatever, all of a sudden we've detected them. So they have to be careful and quiet and sneaky in what they do.
Look at protection, it's not nearly as important because they've already gotten through our defenses and they're going to continue to get through our defenses through things like, uh, lateral movement, privilege escalation, things like that. Look at how detection becomes critical stage. And then response and recovery is, is really, really of importance here. Does this make sense?
I I I, this is to me guys like overlaying the cybersecurity framework, parts of CIS, which I'll get into in a minute, the kill chain on top of all of this, on the, uh, the defense matrix, like all of a sudden, so much of this kind of hits home doesn't, it really begins to help us understand. Yeah. And what's interesting here is that if you think traditionally where MSPs where we've come from, right?
Really, it, it is all been where we have the disadvantage rather than where we have the advantage. And that's the change in thinking. Now that has to happen. We want to be able to have things that, you know, when it happens on our turf, but most of what we've deployed historically has been on their turf. Yeah. Does that make sense? Right? Yeah. Based on what you're explaining. Yeah.
I think, you know, when you think about the kind of mentality in the IT channel, since attackers really took focus in 2018, there's been a bit of a victim thread, right? Like, we're not ready, this, this isn't fair. How do we protect against these things?
Well, you actually like the, the problem is you haven't set yourself up with the right defenses, with the right kind of resilient capabilities to really combat the threat because you've been focused on identify and protect capabilities, not so much on detect, respond, and recover capabilities. And now is the time to complete that full spectrum of capabilities in order to really be resilient to this type of threat. Bingo.
Does that post boom give credence to, you know, honeypots, which we brought up before on the cyber call. You know that? What are your thoughts there? Yeah, I mean, that's a detection, uh, that, that's an area of detection that largely MSPs have ignored. Not because they don't think it's important, just how do I deploy it in a channel friendly fashion. Um, but yes, that's a mechanism of detection. Um, that then grants me the ability to respond and recover.
If I place that somewhere, I put it on the network. Um, there are other honeypot style things you can do, like in Active Directory or like files like canaries, like our friends at Huntress do and some others. It's a lot of ways to do honeypots and yeah, it, this idea of deception, we, we brought Chris Sanders on a while back, if you're interested, um, go hunt through the cyber call on our discussion with Chris Sanders. He is a, a leader, uh, on, on deception. Okay? So this is good, by the way.
Jason Slagle, I see he says that I'm stealing his slides. That's because I stole your email, Jason Slagle, and I'm now reading everything you've got going on, my friend, and you got way too much Skyline orders in your email. Uh, you need to stop eating all that Skyline. Uh, okay, let's move on. So let's push, let's punch that button again and, uh, but wait, there's more.
So me being the nerd, I thought, you know, I wonder if there's some overlap and overlay into the critical controls and we could pop them in here independent of vendors, us dirty vendors that always wanted our logos in here. Let's get rid of vendors and let's just get into processes, people, technology and where that would map in. And so, you know what I did, my friends, I spent a couple grueling hours very, uh, like my eyes went crossed. I think I gotta get new glasses, prescriptions.
So I'm gonna take donations for my fund of doing this nerd work from you guys. Uh, but notice here we see some really interesting things. These are all from IG one, this is from the critical security controls implementation group one, IG one is like the beginners stage. How do I begin this journey?
Now, interestingly, when you get past control like 16, there's a bunch that are in there that are all people based and they actually don't align anywhere into, um, the, the cybersecurity framework, which is a real shame, I think. So anyway, if you were to take these look at, look at just where we see implementation group one fill in. Do you notice anything? Lemme just pause and chat. What observations do you make from IG one alone? And I'm not hating on IG one.
I'm gonna make some really good points about CIS and how it maps in. But what, what, tell me in chat, what are your observations here? I'm playing professor with the all day today. I It is coming. We, I promise you. I sure hope so either that or, uh, we're, uh, limiting Gary's chatbots weak on detect. Okay. Yeah, we weakness on detection. Yep. Uh, Keenan says all technology. Yes, very true. Uh, Justin, most things seem left of boom. Yes, very much so.
I'm just curious what all you guys see here. Uh, yeah, lots of left of booms. Okay, good. So I'm gonna keep watching in case anything else comes up that like strikes me. But, um, a few things I'll say about this, keep in mind there's about, uh, 10 or 15 controls that I did not put in here because they don't actually map to one of the left domains of this, of the cybersecurity framework or on the top either.
And so I, we probably need some point need to, to think through how all this kind of goes through. But yes, very tool driven, not much on detection, let alone response recovery. You guys are exactly right. And so if you were to continue down the journey of IG two and IG three, um, if there's ever a motivation to do so to say, Hey, look, IG one is a great starting place and it's my lighthouse. It's where I'm going to begin the journey, just know that it doesn't end there.
If you just, only ma and again, don't hear me saying hating on CIS. I freaking love CIS. It is awesome. The controls are so good. Just know that when we're designing, we, we intentionally have gaps and some of these gaps are filled by you. It's not necessarily filled by some technology that I put in place. And I just wanted to illustrate this.
I just, I, I don't think I've ever seen anyone do something like this and take these controls and overlay them on top of the defense matrix and see where things line up. So at some point when I have more time, or maybe if ConnectWise ever gets me, like an intern or something, um, I'm gonna make 'em go through IG two, IG three, and we're gonna see what this thing looks like, uh, in, in its entirety because very, very curious to see how it all stacks up.
But I hope this has been helpful for you guys. Um, Gary, Andrew, uh, Ryan, anything else that you guys see in this? Wes, the only thing I'll say is Sounil's observation that, you know, he originally did this because at Bank of America, he had thousands of vendors calling on him. That was his whole impetus for this. And then as years went on, he started to, you know, it was obvious that to him that again, there's no technology or very little technology in respond and recover.
And as we've entered the age of recovery, um, what do we do? And he goes into, we're not gonna go into it now, but I highly encourage you to look his stuff up because he goes into Ryan, you might want to even just, if you could conject on this a little bit, but leaving the CIA triad to something called the DIE triad. And then can you, can you give some context on that of why, why people CISOs like you are shifting mentality, you know, from a CIA to a DIE? Yeah.
So the whole methodology there is that like in order to provide better protection, like CIA really relied on things being relatively static and like persistent, which makes them attackable and allows attackers to gain presence and maintain presence. The DIE triad actually talks about making your systems, making your applications more distributed.
So we're talking about like applications that go from like, um, you know, like monoliths to highly decentralized using containerized, uh, you know, um, kind of methodologies. Um, making a lot of your components of your infrastructures immutable, which is the I in distributed, immutable, making them harder to modify, um, harder to delete, harder to, you know, change in any way.
Um, which, you know, speaks to the kind of integrity component, um, but also to some extent the availability component, um, of the CIA triad. And then this idea of ephemeral where things aren't long lived anymore. So like, great, something gets popped, it's only going to exist for a couple minutes. So that attacker better be really quick with what they're doing.
And that we need to really start, stop thinking about, you know, the CIA triad, which, you know, if you're familiar with like the DevOps model, we talk about the difference between like pets and cattle, right? And the CIA triad, we're incentivizing pets, right? You give them names, you care for them, you feed them, they get sick, you take 'em to the vet, you spend lots of money, you know, that type of thing. With the DIE model, you really start talking about things as cattle, right?
If, if one gets sick, um, okay, it'll recover or won't. And if it doesn't, I'll replace it with a number one. I give it a name, I give it a number, I give it, you know, like just more methodologies that really kind of drive this ability to, to, to, to really protect your infrastructure more, um, is really what that DIE triad is all about. And, and certainly we're seeing a lot more technology moving in that direction, um, over time.
The one thing I'll say on, on Wes' slide here is you might be enticed to say, okay, well if I don't have a security program at all, like if, if I'm just starting out on my cybersecurity journey, right? Remember, which I said is kind of that identify and protect area, and you're gonna start with IG one, and now you're looking at this and you're going, well, do I need to do IG one plus something else? You should still do IG one. You need, everything builds on each other in, in this model.
And so don't completely abandon the kind of IG one methodology. Just have an idea of how you're gonna augment it with detective capability, respond to recovery capability or how might, while I'm focusing on building the left of boom capability, how might I augment my existing program to do, detect, respond, recover?
Well, is that partnering with an MSSP, partnering with a service provider that does co-management, um, contracting some of those services out, like, you know, think, think outside the box in terms of those things, but don't, don't abandon IG one, you know, entirely because you need those capabilities to continue to move to, to being, you know, kind of ready for that right of boom, uh, moment. Ryan, just, you know, I'm just gonna say a couple things that come to mind here.
Um, you know, one is like, I feel like, you know, not with all this detail, but just kind of looking across the, the, the top at the, at the framework and then overlaying that at the bottom with, you know, how people or technology intensive it is, these are the kind of conversations that every VCIO should be having with every customer.
And this is also a way to talk to prospects in a way that you can ask questions to uncover more paint, uncover more risk, um, to be able to put a, you know, use all the work that you've done in getting command over this, you know, as a wedge in the sales process. We're gonna talk about that tomorrow, but this really lines up. You have to have a way, uh, 'cause with your customers, they just don't want to hear that, Hey, there's more threats. We're charging you more.
They wanna understand, you know, this journey. And a lot of times they come back and say, okay, well you're gonna come back to me again. Yeah, absolutely. Yeah, I am here. Here's where, here's where we are. Right? So, really good stuff, Gary, I'm just going to pick up on what you said. By the way, for those of you, I don't wanna assume that you, you know, hey, we all, we all know about CIS, the Center for Internet Security, we've all done implementation group one. Wes, Ryan, phenomenal job.
I put the URL in chat. They have CSAT, which is free, and it's a phenomenal tool that you can assess yourself against. And I think Wes, you know, it really points out, you know, some things here, we're looking at the tool side of things pretty heavily right now, but you know, what about policy, which we're gonna pick up on next with Mike Ard and, and Chris Loehr. You know, do we even have an incident response plan and policy in place, Ryan from Datto?
Do we have, you know, a, um, business continuity and plan in place and, and a policy around that? Uh, and so I, let me just ask you guys, and then we'll kind of close up here, q and a and, and, and conclusion. But isn't that a, a big part of what this can help point out in the sales process? Yeah. A, a, a absolutely. You, you have to have some way of communicating this, right? To, and again, I look at it this same with customers and prospects.
We angle, and we're gonna talk about both tomorrow, but in, in principle, Andrew, um, it is the same in both ways. We have to take people without getting too techy on them, and we have to be able to explain the world, the environment, um, what needs to be dealt with by us or somebody else and, and what those potential risks are.
And if you don't have a concept and a framework to do it within, um, it's just like everybody sounds exactly the same and, and customers don't get it and they don't wanna make the investments. Yeah, absolutely. Okay. Well, can we, can we kind of, Ryan, can I have you drive forward here on the go to market?
Gary, can I talk, I'm gonna talk with you through this because this is really, you know, we talk about, hey, and this is all awesome, we all should be doing it internally, and I think that's gonna be one of my points, but we still have to have the cash registering, right? Gary, at the end of the day. So if you hit the, hit a hit a hit it, like it'll, I'll have each one come up, Ryan. Right?
And so again, you know, at, at this point, you know, we, it we have to be communicating a different message, uh, Gary to the prospects and customers. If we're not, you know, having the conversation about using the SolarWinds as a backdrop doesn't have to be that one, but if the best of the best that can spend millions and millions can get breached, right? And we don't communicate that we live in this era, you know, shame on us. Gary. Quick thought on that. Yeah, A ab absolutely.
We we're gonna talk about how to use this with customers and prospects, uh, in the Go-to market session tomorrow. But, um, and listen, if you're not doing this, you're not even setting the right expectations. Mm-Hmm. Like if their vendor is not doing this, then one of two things, they either don't understand or they're lying. Yeah. And like if you said Gary Ryan, you can hit the next one. As you said, Gary, your competitor's gonna be doing it for you. Fair? Yeah.
Andrew, do you know what the difference is between a car salesman and a cybersecurity salesman? No, but I have a feeling you're gonna tell me. Uh, the car salesman knows when he is lying. All right. Um, you know, thi this is the hard work that, you know, MSPs themselves have to be doing this. This is the first time, Gary, you and I have been on this journey since 2004, right? Yeah. First time where I think MSPs have had to do, and don't take this the wrong way, a lot of hard work internally.
We could get by and be the cobbler's kids. But if you gotta be put this in place internally to have command externally, what are your, what are your thoughts there, Gary? Yeah, A abs Andrew, a hundred percent. And this is something, listen, before there was cybersecurity frameworks, you know, I, we've been using standards as the center of our wedge with customers and you know, I made my career on that's how we were able to sell so much recurring, uh, so much recurring revenue.
But until you do it, you're not able to to, um, you're not able to get in front of a customer. And every word you say, they're understanding it more and more because you have that belief. No one's gonna tell you that it can be done cheaper or better if you've done the work, Andrew. Yep, absolutely.
Alright, so the last few things, Ryan, if you just hit through 'em and then we'll wrap up here and we'll, so yeah, I mean, again, do the work Gary, um, maybe the last point I'll have you, you know, hit here at 1:59 Eastern, is talk to everybody that isn't on the cyber call about you can't get $4,000 support for 3000. 'cause that's really, I think if you wanna kind of bring this all together, bring That. Yeah.
And look, if you go back to what Ryan and Wes have taught us today, uh, you can look across to see what is involved right across the matrix and tools process and people, it just doesn't work that way. The math doesn't work because at 3000 bucks, every dollar is going to answer support tickets, pay for the basic tools, and then the rest of your people, they need to go out and do billable projects. So you can stay above break even. That's the reality of the average MSP model.
But once you understand this and you start to build this, the, the cost and the people part, the hard part into your costing, you can weaponize a competitor's low price. Excellent. So just a few things in closing, right at the top of the hour. Wes Ryan, fantastic job bud. That, that, thank you so much for, for doing this. I thought it was fantastic. Um, what we'll do from here, folks again, 'cause we wanna make sure that you can go back and watch these, just listen up.
I'm going to end this session, stay right where you are. I'm going to then start the next session and pull everybody in. Just stay right where you're at. I'm gonna sign off and we'll be right back. Stay where you are again. Gary, Wes, Ryan. Thank you. Thank you everybody. We'll see it very shortly and we'll be back and we'll be back at three, right, two right now from Michael Guard. And we're kicking off, uh, incident response.
Uh, I'm sorry, we're kicking off building your response plan right now. Okay. So hang in there.