Session 1
Video Transcript
All right, everybody. Welcome. We're starting a few minutes early just kind of to picture, and we have a beach ball. We're kicking it around before everybody is coming on in. And, um, wanted to, uh, get the crowd going. We've been, uh, getting a lot of requests over the year for best practices on vulnerability management, um, and a lot of the CyberCNS conversations. We've had, Dennis, getting some feedback on your side possibly. Um, but, um, just do quick. Dennis, Dennis. All right.
Test. Yeah, Dennis, I, I muted you. I don't know if you're logged in twice or something. I muted you for the time being. So can you just take a look at your settings? Possibly? Um, hey, Chris Sears. Hey everybody. Um, we are gonna get going very shortly, in under a minute. Um, I put up a poll and, uh, I'd love for you guys to let us know, uh, what you might be doing internally also. Um, if you have a question, send 'em in to ask a question.
And if you have anything you might, you know, be thinking about that you really wanna make sure that we talk about today, uh, please send that into the questions area as well. Um, so with that, let me just check. Hey, Tim Fornet, how are you? Good to see you. Um, it was great seeing a lot of you at Right of Boom. Adam, thanks for staying up late over in the UK. Dennis, I'm gonna take you off mute. See how that sounds? See if it's a little bit better. Is it better? I, I, Is it echo?
What happens is when I'm talking, I sometimes hear, but that's okay. I think it's a little bit better. It is better, a little bit better now. Whatever turned out the volume, um, I usually don't have a problem. Usually don't have problems with feedback. Alright, well, Carl, speaking of somebody that never has problems with feedback, welcome Carl Bickmore to the show. Um, wow, that was a transition. Like that one. Hey everybody. Um, everybody's coming on in here.
Andrew Morgan hosting this vulnerability management best practice session, um, with two awesome friends and colleagues of yours. Um, Dennis Hanick, CTO of Watsec, and Carl Bickmore, CEO of Snap Tech. Um, so as I shared, if you're just coming in, I have a poll. Um, please, uh, ask questions. We want this to be interactive, just kind of set the stage.
Um, after I, um, kind of just give a, a high level statement of the reason we're doing this, um, I'll let Carl and Dennis tell a little bit about themselves, their company, how they approach vulnerability management. And then from there, um, we're gonna go through some questions both from a sales and operational perspective. I have some, uh, URLs I'll share. Uh, one of them is just this fantastic, um, CISA, um, asset, uh, repository now for vulnerabilities.
And I don't know if you've seen it, but it's fantastic. I'll be sharing that shortly. And then Dennis is going to probably, uh, around 1:40, I'm sorry, 2:40 Eastern time area, give kind of a quick demo of how he approaches, uh, vulnerability management, um, today. Darn Ryan, I was trying to get you on stage. If you're just lurking, um, we would love to get you up here to get your input if you want, or if you just wanna lurk, you can do that too.
I'm sure it's probably nice to, uh, just chill out there with the friend sheet, probably making a bunch of noise. So with that, let's get on into it.
So, setting the stage, um, you know, I think historically, Carl, I'm gonna put this to you, but historically, right, over the course of the past umpteen years, maybe up until the really, almost the July 2K incident, as Robert xFi likes to call it, um, patch management was, and, and common third party patching was what most MSPs did and do still to date you on a, on a, on the margin, right? On whatever our RMMs could do is what we did traditionally.
That's really well said, really well said to, to that, that respect. Um, however, you know, we get the pandemic, workloads shift like crazy up to the cloud, distributed workforce. Um, we've done cyber calls and just looking internally at our own systems as MSPs, you know, Jason Slagel was on, and I think, I think, you know, something like north of almost 50 applications, 40 some odd API integrations. Um, we've got IoT and we could go on and on and on in terms of threat vectors out there.
Um, so the last thing I'll say is, you know, again, post July 2K, um, we've seen a wholesale shift in how cyber insurance is looking at not only SMBs, but certainly us as MSPs, and questionnaires that went from, you know, five years ago, you know, a few questions in a heartbeat, and here's $10 million of coverage, to a few years ago, there were a page or two, now seven pages. And what's showing up regularly in cadence with CIS IG1 is vulnerability management, internal and external scanning.
Are we seeing a change, Carl? And you know, what you think as an MSP, and as you answer that question, maybe tell us a little bit about yourself, your company, and how you approach the market and Yeah. Okay, great. Um, well, of the seven questions you asked there, I'll start with the first one, the introduction, which is the, hi, I'm Carl Bickmore, CEO of Snap Tech IT. Uh, I see a lot of friends on the list here. Chime in. Good to see you all.
Uh, as you know, I'm always a fan of sharing what we're working on, and I want to hear about what you guys have got going on, so I'm looking forward to some good questions too. Um, look, I think the thing is, for me, I got involved in CyberCNS very early, our organization did, because we just saw the hole and we were looking and trying to find the product that could, could hit our need.
Um, and so, you know, we've been providing, you know, guidance as far as like, you know, what features we would need from an MSP standpoint. And then very early on, um, this great idea came about to, to invite a whole bunch of MSPs to those conversations. And that's how I got to know great guys like Dennis and a whole bunch of other ones that have been joining us and working on the CyberCNS product with us for a couple years now. Uh, it's pretty exciting.
Um, but you know, from my perspective, I just felt that I couldn't see everything. In fact, I, I got really sick and tired, like we had this goal, this, this thing that we tried to get around tool penetration of just making sure our RMM agent is installed on every device it can be inside of a network. And it was like so rarely, a hundred percent, there was always something that came up or some issue.
And, and I just started to like, look, you know, if that's my only portal into running patch management or patching third party apps through whatever automation we have for that, or running scripts, how am I going to really get a handle on what's going on, let alone all the switches, firmwares, the vulnerabilities on IoT, the vulnerabilities on any network device out there, the firewalls. And so I just felt the huge hole.
And so I've been excited on working this and I'm really excited to talk about how we're using it. I mean, I think the biggest thing from the approach standpoint is we're using it in many ways.
The biggest things is we're using it in our assessment process, both for existing customers and for new customer opportunities, which we always start with an assessment, and we're using it to try to figure out what vulnerabilities our current customers have to look for the things that are critical and to allow us to prioritize the, the things that need to be done and in the order that we can do 'em.
And so I think that's probably the high level of what we're, what we're working on and, and how excited we are about getting a tool like this that's purpose built for MSPs, multi-tenant and, and affordable, you know? Yeah. Really, really well said, Carl. And I think it's interesting you mentioned, and John Merchants and, uh, at the Right of Boom did a cyber hygiene.
He started off the entire event with, you know, basically it cyber hygiene left of boom and what they see, you know, again, these living off the land, these common things. And you know, you know, there was, I think we all know that, like for example, let's just take the TZ 100 of SonicWall week after week after week, right? He's seeing compromises to this day. So we have to get visibility and, and, and I'm glad Ryan's on, but it comes back to inventory Carl and, and Dennis, right?
You know, we have to be able to see everything. Um, and you know, as you said, if an RMM agent isn't on a device, how do we see it? Right? So, Dennis, how about yourself? You guys are a little bit different. You are an MSSP. Give us a little sense of yourself, Dennis, and how you guys approach the market. Yeah, we don't manage any of our kind of equipment. We're not an MSP.
All of our environments are co-managed in one way or another, uh, either internal IT, uh, sometimes there's an MSP that's involved that we work with as well. Um, we do vulnerability scanning and vulnerability, vulnerability assessments for companies as small as 25 employees up to multinational publicly traded companies with thousands of, uh, uh, external, well actually more than a thousand external IP addresses and tens of thousands of internal IP addresses. So it's kind of a wide range.
Um, and we've been doing it since, uh, before it was something that came down to, to the mid-level. Small companies, large companies have have known about vulnerability management for a long time. But you're right, that the insurance, the insurance environment has really, is really driving a lot of changes and really forcing a lot of smaller companies to think about vulnerability management in a very different way. Yeah. So Carl, back to you.
You know, I, I, I see that there's, as an MSP, you need to ask three really important questions when it comes to vulnerability management. And, and again, we're gonna expand on this, but just kind of hear me out here. You know, are you scanning everything that needs to be scanned? Um, can you clearly identify your top risks? And do you have confidence in the accuracy of your vulnerability findings?
Now, all that said, again, I'm really happy Ryan is on the call because he always starts with your inventory. So Carl, you know, you're sitting in front of a prospect or customer, we have those three most important questions, but how do you even approach these days customers about their assets, all their, you know, their inventory data flow, which we're talking more about, you know, how do you kind of bring that together?
'cause you always, and I love how you do it with a new prospect, you won't touch that environment without an assessment, right? So let's talk about that. And you don't give those away. No, no, no. Uh, you know, the smaller ones are about 20 billable hours typically. Uh, and, and you know, like there's various things we do, some of which CyberCNS helps us with, some of which is physical observation and interviewing of the customers.
Uh, and we have a pretty decent sized, uh, checklist or assessment approach that we think we're generally following the categories of the NIST cybersecurity framework. But those are pretty universal in how we approach. And so we think about identify, and I feel, in fact, I feel like that's one of the best things to do when you're talking to a prospect first is refer back to a framework and help them understand how there's significant pieces they probably haven't even thought about.
Most assessments we do with net new customer opportunities have very little to nothing in the, in the detect category. And they have practically nothing to zero in the respond and recover. They just have never thought about it. They never thought about how that works or how they would work with a current provider or their current, uh, uh, um, uh, IT staff, whoever they may be. They're just, they just, they just keep hoping things will run and keep trying to protect, right?
Um, but pointing out the things that don't show up by that approach, the things you don't even know. And, and so I always, for years, well before I ever even got involved in, uh, CyberCNS, I mean, we're talking back in 2012, I used to say to customers all the time, first you have to identify, then you can apply best practices, then you can create a plan, then you can manage the plan. I used to say it is a four step process, uh, and it's a real simple idea.
If you can't first identify, how in the world are you going to actually do anything, and that's exactly how we sell our assessments too. It's like, look, I can't, um, I can't do, and, uh, anything with your IT without actually knowing what you have. If you want, I could give you some kind of generic idea, but be honest, it wouldn't be useful unless I, I've actually looked at it and we've actually analyzed it and gone to the ins and outs and know what it would take to protect you.
You know, that's what it would be. Uh, I'm seeing comments in the questions there about 20 hours for a small assessment. Look, if you're gonna spend, I don't know, a day on site, typically maybe four hours, if it's a shorter one, taking pictures, reviewing, interviewing, scanning, setting up a CyberCNS box, you know, we use a NUC for that. But you can do it lots of different ways.
Uh, and then you spend the time running the scans and checking and then verifying all the various cloud things, and then you run the reports, and then you have the, the engineering for the roadmap, and then you deliver the meeting. It comes out to about 20 hours on a smaller assessment. So It's really funny, somebody, and literally as you're saying, the roadmap call, because I know that's a big piece for you, literally what Felicia just wrote, right? You know? Yeah.
In other words, you're, you know, roadmap with budget is the deliverable, one of the deliverables. Yeah. Yeah. And, and Dennis, before we head over to you, you know, you talked about using a, a, a framework, and I love what Sounil Yu, you know, the keynote speaker from the Right of Boom, you, I mean, you pull that out, the simple five by five grid of, you know, the NIST cybersecurity framework and then, you know, data, networks, users, applications, et cetera.
And at least you can, again, this common language with a customer, right? Carl, like start to help them understand. And then couple that with how Brian Blakely, uh, who I think is masterful from Cosen of, you know, don't ask your customer, you know, where's your inventory? Where's your data? What's most important? Ask 'em how they make money. How do you make money? Okay, great. What systems support? Like if you, if what system was down, what could, how, how would that impact you making money?
Bring it to their level, and there's where the success starts to come from. Is that, is that a fair approach, Carl? Yeah, that's exactly right. I mean, look, the thing is, is most of the folks that we're talking to don't know how to manage it. They don't know how to measure it, and they've actually never thought about it.
So if you keep it simple and in terms that they understand to help them understand the impact and that they have no idea what they would do, it then produces the action of the desire to want the assessment. Whether they do something with us or somebody else, or take it right back to their own team, it's, it is none of our business. It's a so assessment, but it does give us the opportunity to give them the right quote.
And it's amazing how often we'll get, uh, successful, uh, managed it deal out of an assessment simply because now that they've seen how we approach it, they understand, and now they know they can make better decisions. And so look, keeping it simple to what they understand and helping them realize the risk that's involved by just helping them understand what wouldn't work if there was an issue, um, some of 'em already know this, some have already had the bad experience.
Now you help to remember, because that's so much more common. It used to be back in the day, I remember like, no, you really need to buy back antivirus, you know, back. And they'd be like, oh, I don't know. I never have problems. You know, it's like, that's a lot of money. And then as soon as they have a problem, you, you get it. Uh, you get that budget, no problem. So, right. It's, it's a very similar thing, just helping 'em understand what risk they're really taking.
I like to have a risk conversation and help them understand the risk. Yeah. Dennis, over you.
Um, and, and I think this is like one of those, you know, especially if there's an incumbent in there and you, you know, you, you were, we're down going down this path of the conversation we've had so far at Dennis, and you look at 'em and you go, okay, so talk to me about how you work with your current MSP and talk to us about your patch policy, your vulnerability management policy, and you gotta, you know, one of those, you know, so how do you approach that piece?
Because again, we don't wanna make it so technical, but it's really important to identify what is, what is the policy for this company? You know, in other words, what's most critical in, in terms of systems, in terms of does it impact, you know, like we can't, we can't patch every vulnerability. So what are the most critical systems? Is it a CVSS of a certain score? Talk to us about how you, you approach that policy conversation. Yeah.
Well, first of all, we'd also do assessments and, uh, actually at a similar price point to what Carl had discussed. Uh, and it does take about 20 hours to really, even, even with a small company, to go through that, that process. Um, for us, sometimes it's driven by the insurance provider. We have some insurance companies we work with that won't write or renew a policy until we've done a, a risk assessment, um, for them. And a lot of times it's driven by management.
You know, they, they, we work with a lot of small pro, uh, nonprofits and, uh, governments, and they come to us, uh, for the, for the assessments. And it's a similar process. Um, the key thing I think is you have to know your environment. You have to know where things are, what's important. And because you said you, you cannot patch everything. Uh, you run a vulnerability scanner, you're gonna come back with thousands or tens of thousands of vulnerabilities.
You have to know where the important stuff is. So that goes back to really what Brian talks about all the time, which is inventory. Inventory. You've got to know what things are. You gotta know, um, where they are. And, and you have to, who has access to them. Um, you know, when, when a vulnerability is published, you know, the first question is, is, am I affected? Is this, is this something people can get to from the external side? Um, because that those are the highest priority.
And then, you know, is, you know, is it, is it something that affects a, a device that's important to me, you know, if it's an Exchange vulnerability, well, from an MSP perspective, how many of my clients have, uh, Exchange servers and how well are they isolated from the rest of the environment? So you really have to know kind of the context of things to be able to prioritize what's most important for you to, uh, to patch. Yeah.
And as, as, uh, if you haven't heard the Sounil Yu, um, keynote, it is out on my YouTube, I'll post it if you guys would like it, but he talks about pets and cattle, and he talks about get rid of your pets, uh, Exchange. He calls it a pet. Um, get 'em to 365, Carl. Um, you know, so, you know, I was talking to Steve Carter and we'll have Steve on again, on the cyber call. I think you know him. Um, he's the CEO of a company called Nucleus Security. Guy is brilliant.
Um, he started his company probably three years ago. Um, he did VM, vulnerability management, for a big sector of the DOD. And, um, but one of the things he talks about is you gotta come up with, you know, your trifecta, if you will, as an example. He is like, you know, and I'm just reading, you know, kind of what he was talking to you about. He goes, you know, when you are looking at that VMware policy, is it, Hey, you got a CVSS of a nine. It's being exploited in the wild.
Um, you know, it has to do with one of the mission critical applications, you know, in, in your business. So, Carl, like how do you, when you're speaking to a prospect or customer, how do you get them to say, okay, this is it. Yes, Carl, I agree with you. I see what you're saying. Let's make sure we have a policy. Do you, so two part question. Are you helping them with that piece? How important is that?
Because for you, you know, again, I know you don't, I know nothing's for free, which I love about you. You know, you value your time and your company highly. There's no free lunch or freeze, but it drives a lot of potential project revenue if they aren't signing up for vulnerability management in their managed service. So talk to us about that piece of the equation. Yeah, okay. Well, I think the first thing was, you know, thinking about like, how do you decide what to take action on?
And Dennis talked about it, like, you know, it's very rare a vulnerability scan of any kind, be it from any product, isn't gonna come up with so many vulnerabilities that it's at an unending level. There's really no way to close every, every loop that might be there. But I think sometimes you have to recognize that, like, okay, well that vulnerability actually couldn't be exploited without some other vulnerability being exploited first. Then it's also a pretty esoteric thing.
There are important ones, and then there are less important ones, if that makes sense. And, and, you know, look, it's like going on a journey with the customer, because at first they didn't know any of these existed. They thought everything was taken care of. My IT provider patches me, you know, they're using their RMM, they're, they're applying operating system patches, you know, mostly diligently through automation typically. And then some common third parties get patched.
They don't think about whether there other things are getting patched or firmware updates that are probably even more critical, but that there's not a lot of RMMs out there meaningfully telling you your firewall's pretty behind in your firmware, which is actually a pretty significant actual vulnerability when a firewall has known exploits, right? Because that's the pathway in that all the other exploits become one of the pathways anyway. So it's like taking them on this journey.
'cause at first they don't understand and believe you that there's all those vulnerabilities, and then you have to teach them how to settle down and not want all 10,000 done in the next three weeks, right? Because you, you do that in a, which is impossible, but even if you did another month for now, there'll be another bajillion of them, right? And so it's about understanding how to sort out the signal from the noise.
And in my opinion, they need us for that, and that's what we're here for, right? Yeah. It's all about sorting that out and helping them understand the approach you're taking and using the tools to provide you meaningful information you can then put into your vulnerability management program. Uh, it, it is not about patching every single vulnerability ever found. Yeah.
And, and spot on with that, Carl, I'm gonna put something in for everybody in chat right now, if you haven't seen this resource, like, again, this is credit to Steve Carter. Steve is like, look, historically you had to pay for threat intel and, you know, vulnerability information about, you know, doing something in a certain period of time. And, and, and let me explain what I mean by that, Carl.
You know, a vendor might come out and say, we have a critical vulnerability, but to your point, it may not be critical in this particular situation for this particular client, this asset, I just put up, um, this new one and, and I'm, I'm, I'm sure Ryan Weeks, if he's out there, maybe he could comment on this, but Steve is a big fan of this.
If you're not paying for some type of threat, you know, like, uh, you know, he was mentioning things like, you know, whether it happens to be, um, you know, uh, something from FireEye or, you know, Mandiant, and you know, and, and you know, their threat intel, vulnerability intel information. He's like, this is fantastic.
Because once you define really what the, that trifecta is in that customer and see if any of those show up in CISA's information, um, it gives you a patch timeline, like, get this done by this period of time. And then there's some kind of third party, Carl, that we've talked about often, right? In all of our peer groups together, that it's beyond us, right? There's some third party with some authority here saying, this isn't just us saying patch this in a certain period of time, right?
This is the US cyber command saying, patch this in a certain period of time. So, um, anyway, Yeah, it's to take, it's good to take some of that, uh, subjectivity out of it where you can, and it's all about what actually applies to them and knowing their environment. Like Dennis said earlier, I think there was a really good question, Mike Travis said, what would you do about vulnerabilities that are not fixed by automation? I, I wanted to address that real quick if I could.
Um, the, the first thing is, is that, um, I think the first thing you have to think about, this is something Aaron Churnin did a great job at Right of Boom talking about, vulnerabilities are yes, patching, but it's also configuration.
This is one of my favorite things about CyberCNS is it does check a significant number of configuration vulnerabilities around protocols in use, around registry settings that lead to things that get you to some of the hardening things that, that CIS teaches us about. And so I think, uh, you know, look, there's configuration vulnerabilities, there's patching vulnerabilities. There's more than what CyberCNS finds, but CyberCNS has been great for finding a lot of them for us.
But the, um, the real key is, is, you know, when you bring these up and you want to do them, these should be paid for projects or some type of add-on to your managed service, you know, on a monthly basis to your MSP deal, to pay for the work to do this, because this is above and beyond; they have to get there. Yeah, CIS-CAT Pro is an example. Good hard check, great tools.
There, there are many tools you could use in this, but the key thing is, is you, you can't just now bring this out and start doing this work, you'll work yourself into unprofitability if you don't find a way to either turn it into regular projects or additional monthly billing. Yeah. So, Dennis, I'm, I'm gonna put one other, uh, asset in here, and this one is first.org, we're gonna, again, I'm, I'm assuming Ryan Weeks knows about this one too, but this is really cool.
This is actually every single day they update this, and you can download all of this data, um, of all of the, so, so think about an enrichment beyond the NVD, the National Vulnerability Database, of information that, that we're kind of giving you here, uh, to again, scan quickly. Maybe your customer has some esoteric applications, maybe they have OT. Um, and again, Dennis, as I come over to you, you know, we've talked policy a little bit.
What about SLA, you know, how do you, you know, you're working with a co-managed customer.
You're scanning, you're providing the detail, you know, you know, when should it be patched by, when does it need to be remediated by, you know, um, how do you reconcile to make sure that, you know, if we have a thousand assets that we're not finding 917, you know, how, how does that play out for you and how, and what do you Well, in a lot of ways it goes back to a kind of a management principle of there are two kinds of tasks.
There are urgent tasks and important tasks, and we all tend to focus on the urgent tasks. And that applies to vulnerabilities. There are urgent vulnerabilities, and there are important vulnerabilities. And the important ones a lot of times are ones, and I mean, I'm saying vulnerabilities in a broader sense. Um, these are the things your vulnerability scanner won't tell you. And, uh, I know some of us got to enjoy John Strand's rant on, uh, legacy protocols in, uh, Windows.
And I tell you, one of the, the best sources of information if you have access, is talk to the penetration testers. Ask them, you know, this vulnerability over here has a high CVE, do you think you'd ever, ever use that to, to exploit? And they'll say, nah, that's too, too noisy, too difficult. And so, well, how do you, how do you exploit the network? And they'll point to things that, that are technically not vulnerabilities.
They're basically things that are within Windows that are there because they wanna be backward compatible with things that may not break them. So things like LLMNR and some of the old SMB stuff, um, again, you know, those are important. They're not critical, they're not urgent, but they're important because sooner or later there will be someone inside of your environment, and those are the tools that they're gonna use to basically do that lateral movement.
So I look at it from kind of two perspectives. What are the urgent vulnerabilities and what are the important vulnerabilities? Yeah, yeah. Yeah. So, um, and, you know, when do you work with those co-managed customers on the quote unquote success of the program? Dennis, are they, you know, you guys are doing the scanning, they're coming into a lot of them, coming into CyberCNS. You have a remediation plan.
I know you're gonna show it shortly, but do you work with them on what success and how you define success? Yeah. And, and that success is focused around what I call the important vulnerabilities. If there's something urgent, yes, then, then the metric is, okay, how quickly can you get this remediated on your really critical devices? Um, but we do a, we do quarterly calls with, uh, with the IT team, and we bring up the, uh, the dashboard and we look at the vulnerabilities.
And, you know, from, from quarter to quarter, we highlight, okay, these are the things that, that you should be looking at, you know, as important because they're in the background, um, but these things will be, um, potentially used by an attacker to move laterally through your environment. So our primary, most important metric is those important vulnerabilities. Are you remediating those over time? Are you getting better?
Are you getting closer to the goal, which is to close off these, these doors that the, the penetration test will tell you they use most often? Yeah. So, so Dennis, I'll let you kind of start to set up. I know you're gonna show maybe like 10, 15 minutes or so of how you approach, you know, vulnerability management so people can have a show and tell.
But Carl, as he's doing that, I know maybe in a traditional sense this isn't vulnerability management, but can we talk about how and why you are a big advocate for AD hygiene and O365 and checking, you know, like checking again, tool penetration, like why does that all come into this for your, for your view, if you will, of the overarching equation of, you know, this security assessment?
It, it's, you know, it's just about being comprehensive in pointing out all the areas that something could be a risk. You know, we've all seen the, the reports where, you know, somebody's got 30 accounts that, um, are, you know, inactive but enabled so they could be logged in and who knows what's going on against them, that, that's a little bit about that. But honestly, we're just trying to paint a comprehensive picture.
I mean, we just did an assessment for a company this last month that we delivered that had 25 employees and around 110 paid Office 365 accounts, let alone all the security things. It's like sometimes there's risk involved to just blowing, you know, 900 bucks a month on Office 365 they didn't need to, right? And so that's a risk too, to an organization, of just being inefficient.
And so to me, it's about being comprehensive and understanding that risk of bounds in all the areas in your authentication, in your hygiene, in your practices, in your policies, in the applications in the clouds use. So we get very comprehensive with an intent to try to get to the most important risk management. And we typically, one of the big deliverable in our executive summary is, here's your top 10 risks. These are the things we think you should hit first, as an example. Got it.
It could be any of those things. Right, right. Good. Dennis, you were gonna say. Yeah, and I would say that, you know, the way I look at it, patch management is part of vulnerability management, and vulnerability management is part of risk management. And you have to look at the organization from that holistic view. One of the things we look at is financial transactions.
That's never gonna show up on a vulnerability report, but what kind of financial transactions do you do, you know, what kind of controls do you have around that? So you have to look at it in terms of, you know, the broader question of risk, and understanding what those risks are, and vulnerability management is just a part of that. Yeah. Well, and Dennis, maybe as you share your screen, I'll segue to that whole thing again with cloud workloads.
And, you know, a very dear friend of mine has the largest, you know, it used to be like the Great Plains and the Navision and all, but it's called Dynamic Communities, and they have about 300 members. And, maybe you wouldn't be shocked, but I talked to a lot of their consultants over the years, and I'm like, okay, so you know, this is pre-Azure, but now even during Azure, these consultants have unfettered access to their accounting systems.
They might have multiple VPN sessions going, and, you know, you ask about what their hygiene might look like. And so, you know, Carl, is that true or false? Like that alone, you know, we talked about third-party risk. You know, I mean, that's the thing on our annual SOC audits. I think it was about three years ago, our auditors started saying, hey, what are you doing around supply chain? What are you doing around your third-party vendors?
They started asking us to do more, or started pointing that out, and look, we've seen nothing but that in the CMMC process. It's all about supply chain. But it's so true. How often do we get in and find various vendor accounts, not limited based on time, not restricted on their administrative abilities? They could just get kind of free run of things. It's pretty risky stuff.
And the fact that it's running off of somebody's network that you have no control over, what they're doing and who's in their network and what's going on, it's gotta be as concerning, if not more concerning, than the things that you've got within the network. In fact, probably more is a better answer, because it's unknown to you, and it's a big, big pathway into your driveway, you know? Yeah, don't forget, that's a big one there.
And I think I get a thumbs up from Ryan Weeks on this. Your vendors are inventory. That is an inventory category, and it's a big one, especially when there is some type of vulnerability or exploit for that vendor. You need to be able to ask, or not even for that vendor, like the SolarWinds, you need to be able to ask all your vendors, are you running this? And if you are, what steps have you taken? Were you vulnerable? All right, Mr. Dennis, we can see you.
Well, take us through how you approach things. Okay, so the first thing, just as a reminder, this is a multi-tenant dashboard for MSPs. We're gonna look at one demo company here, but you have the ability to choose the company that you wanna look at, and you can look at all your clients' companies within this dashboard. This is not gonna be a full demo, because that would take far more than an hour just in itself. I'm just gonna try to hit a few highlights.
This is the screen that you come to by default. And I've talked to a few people using CyberCNS who don't fully appreciate this, but this is the overview dashboard. There are actually many other dashboard views that are available, and you can create your own dashboard views. We created a view for ourselves that basically has all the widgets that we need.
Basically we do sort of a quarterly snapshot of the dashboard, and we just created a dashboard view that shows all of the widgets that we go into for that. So it makes it much, much easier for us to create those reports. Let's start with what I think we all wanna agree is kind of the baseline, which is assets, on the asset screen. And this is a little slow because I'm streaming the audio as well as the video.
Okay, so this is an asset view. You can click on any one of these assets and get a tremendous amount of information. I'll let this finish just to show you the amount of information that you get from this one. In this particular instance, this is a MacBook. But you get applications, of course, there's some compliance information, you get a view of the interfaces.
If we go down here, we see the disks, physical and virtual disks, and whether they're encrypted; green means that the disk is encrypted. We have a security report card that gives us information about whether the antivirus is up to date, the local firewall. There's compliance information. And then, you know, this is just a lot of information about this particular device.
There's also a dashboard view that is a grid view. Dennis, are you having a little internet issue? Do you want me to show my screen or something? Or, are you seeing the screen okay? Yeah, it's just rendering pretty slow, so I didn't know if you... or not. It's slow. Let me just log in and see if that would work better. We can do your screen and just kind of walk through it.
I do think we have some issues today, and I'm not sure why. Anyway, go ahead. Continue. Okay. Yeah, so this is the view, and if I drop this down and show all the assets... it has really been slow today. I apologize for that.
All right, well, look, I mean, we don't need to, if it's too slow, you know, just maybe hit some high-level things, and yeah, whether it's remediation reports or whatever. Yeah, this is not a demo of the full product. As I said, that would take a very long time to do.
But I've got to go down to the remediation plan, which is, to me, probably the single most important piece of this product. If you run vulnerability scanners, you know, when you get the report back, it'll tell you, you know, you have these 400 vulnerabilities related to, say, Firefox or Chrome. One of the great things about CyberCNS is that it rolls that up into: here's the remediation plan.
Yes, you have vulnerabilities in, let's just say, you know, Cisco WebEx; four devices are affected by that. And if I click on this, it'll show me what those four devices are. So it's a really easy way to zero in and focus on the devices and what the patches are. And one of the things I think is important too, Dennis, that we get asked commonly is, you know, is it integrated with my tool stack, right?
And so if you're running, you know, as an example, you're running Autotask. Ryan, they would only be running Autotask, right, Ryan? And, you know, do I want tickets created? Do I want tickets created for each machine? Do I want tickets created for each, you know, the same device, you know, homogeneous devices per company, or do I want 'em globally?
Like, give me all devices on one ticket that have this particular vulnerability. And those are choices you can make. Is that fair, Dennis? Yeah. And, you know, one of the things that I like is there are a lot of things that you will get from this tool that you don't get from, and I've used probably every enterprise vulnerability scanner in the market at some time or another, Qualys and all of those.
And, you know, those are great tools. They cost a lot of money, but there are a lot of things that this tool will tell you that those tools won't. I'm not gonna go through all of these, because obviously my screen's not refreshing very quickly, but compliance information, you can get that from some of those tools, but it's all a separate module that you pay for separately. Active Directory integration, you get a lot of detailed information about Active Directory.
One of the reports that I like to pull is how many enabled users there are that have not logged into Active Directory for more than 30 days. And I'm always surprised at the number when I do initial assessments with clients. I'm like, you've got 40 people that haven't logged into Active Directory since 2021.
You really need to go in and clean it up, because every one of those accounts is a potential target for an attack inside your network. Firewall information, you mentioned that earlier, firewall. Dennis, this will plug directly into Microsoft Secure Score. It will get you the information you could pull down from Microsoft regarding your Secure Score. Not gonna... Dennis. Yeah, I think probably, hold on. Your bandwidth is a little bit challenging, to say the least. So, okay.
We are voice and, you know, the app, so I'm sorry about that, guys. We can stop sharing. Let's just talk more about actually the plan and everything. But, you know, thank you to CyberCNS, as well as Pax8, that were kind of behind us doing this. They really wanted us to, you know, get some good information out. You can just stop sharing your screen. Just click that.
I think the key thing, though, is looking into some of the major features there, Andrew, around the remediation plans, the asset views that you get, and some of the configuration stuff is powerful. The firewall module is very unexpected for a lot of people. The Active Directory and Azure Active Directory modules are all very strong for some quick looks at what's going on. And that's some of the major features we like.
There's been some great chat I've been working on too about ways to deploy it out there, using either NUCs and how you might put in the switching config. Don't forget, there's agents that you deploy out for this as well, that bring a lot of information no matter where the device is, which is helpful too. Yeah, our Tim Fornet, who's out there talking, who now is doing some amazing stuff over at Rewst and automation, he built an entire GitHub repository and a bunch of scripts.
So whatever RMM you use, I shouldn't say every one, but he has the vast majority of them in a GitHub repository. Carl, I'm gonna ask to see if people can push some questions. And also, I'm really intrigued that people are saying, you know, this is, I'm honestly shocked, and I would love to hear this, like, we've got almost 80% of respondents saying vulnerability management is now part of their core offer.
So I'm pleasantly surprised that, you know, I would've guessed that it would've been the opposite. Well, this is an elite crowd that listens to Andrew. Come on now. My next question is, so 80% of you have now put this in your core offering. I'm curious, you know, are you uplifting? Are you charging more for it?
How, maybe some comments, and Carl, as we get some feedback from folks in here, in chat, how they're doing that. Talk to us about packaging and pricing, because not everybody's gonna say yes, right? So how do you approach that with, you know, new customers? It's probably like, you know, again, the days of when Perch was just coming out and, you know, the SOC/SIEM, new customers, it's a lot easier, right? You know, right.
So how do you approach it when... Well, yeah, new customers, you can bake it all into the user price and cruise along. And yes, your user price may be more expensive, but you got some good points as to why. Getting back to the existing customer base that you didn't have this offering for, I think the best thing I could say is it's been a bit of a mixed bag. You know, there's some that we've been able to simply raise their per-user price.
There's some that we've actually added a security services add-on to, that's a fixed-cost service. We kind of centered it around the concept of an audit process and then remediation. And so we'll say, hey, on an annual basis, you know, this quarter, this quarter, this quarter, this quarter, we're gonna do these various scans. We're gonna do these various activities.
And based on the results of that, we'll propose projects that you would need to pay for to do, as an example. So, as an enhanced security or additional auditing, which works well for compliance and security things. And then, you know, there are a few customers that we've even rolled the product out to that we didn't specifically charge for the product, but we're using it for our benefit because it makes us more efficient in knowing things.
It's like, we run our external scans for every customer through it, whether we've got a specific thing for that or not, just because it makes it way easier for us to report and know if there's an issue that's popped up that we're gonna need to know about. So it is a journey to get there. You don't turn all your customers all in one day if you've been in business for a while, but you can take a couple of strong strategies that really do work.
And I like taking as systematic and as wide an approach as possible. Think annual budgets, not monthly budgets, when you're talking to the customers, is kind of how I look at it. The other piece is, like, this is very easy to monetize in the assessment sale, because look, all I have to do is sell one assessment and I've paid for CyberCNS for the year. It's not expensive relative to how you can monetize it.
And then after that, it's really what makes sense, you know, but I'm all about finding the opportunities to point out to the customer, hey, there's this new level of vulnerability management we can do, there's this new level of visibility, and we all have to decide what the plan is on how we're gonna attack this. I saw a really great question in the chat too about how we handle this in the MSA, and, in fact, a similar kind of question.
Recently, I had a longstanding customer of ours that's a financial management company say, hey, can I put you down on our insurance application as responsible for our security? I'm like, well, that's not our agreement. And I think that's kind of a good answer. Like, we don't claim or indemnify the risk of a vulnerability.
We'll go as far as errors and omissions that can be identified, like a traditional E&O policy, because we can't own our customer's security unless they're going to give us unlimited budget and take every piece of advice we ever give, which I wouldn't if I was them. We're there to help 'em. Our MSA is not going to guarantee that there won't be a vulnerability that will hit them.
In fact, we specifically state they're responsible for their security, they're responsible for their backup, but we're here to help and to consult for it, if that makes sense. Yeah. And when we write a statement of work for security services or a statement of work for backup, we'll line-item exactly what we will or won't do. And yes, home network is not something included. They'd have to pay additional for that. Just saw that in the chat there.
I hope that answers some of the questions about how we look at it. But the packaging things, look, it's all about fixed cost where you can, it's all about bigger packages rather than feeling like you're nickel-and-diming. I had a customer call me Two-Buck Carl, 'cause it seemed like every time they met me, I had this new $2 a month thing for every user they had to get. And there was a timeframe that's how we were building it.
But we've taken a much more packaged approach to trying to get it to this. But there is still a lot of ad hoc project work that comes out of this security and vulnerability stuff, you know, and don't be afraid to charge for it. You just have to, you know? Right, right, right.
Yeah, I mean, and especially, Carl, I would imagine, you know, you have a number of regulated customers. A lot of times, you know, especially if it's CMMC and things like that, you guys put certain process in place where, you know, whether something's air-gapped or whatever, you're going to do vulnerabilities at a certain given period of time and/or testing. Is that a fair statement? Yeah, yeah.
We put it on a schedule, and a schedule that gets to be part of their system security plan. I mean, this is part of their policy, right? Everything should start with the policy first, of what it is you're gonna try to do, what ground are you gonna try to cover? What systems do you have, and what's your priority of attack? Right?
You know, protecting the ability to print labels is not the same as protecting controlled and classified information in a critical database, with drawings and plans around some missile, you know? Right. And so there's just differences of things, and prioritize how you approach them, you know? Yeah.
I love the fact of talking policy with them, because, you know, if they can't answer that, if we first, again, come back to how do they make money and what's most important, what systems support how they make money. And if we can't get into, okay, so what kind of policy do we want to come up with first here? Yeah.
You know, we're kind of sitting there at a crossroads with them and saying, you know, okay, so you're telling me these are your most critical systems, but you're unwilling to do any type of stake in the ground of governance on what and when we do this. So is it just gonna be, you know, and again, I don't wanna extrapolate, Carl, but have you run into those situations? Yeah. If so, what do you do there?
I mean, the reality of it is, a lot of our customers don't operate their business thinking about risks. They don't, not formally. They don't really think about policies. They're not good at it. They're a lot like us, at least how we've been as an organization. I started this thing just like, you know, out of a room in my house, and I was just walking in and helping people. I didn't have any tools. I was just an IT guy who'd come and help.
And through the years I've matured, right? And so sometimes it's about finding a customer willing to mature and get into that policy and risk mindset, because that's exactly what the problem is. Most of them, if they're rejecting this, they simply are not mature. And maybe they aren't a good customer is an answer. But the other piece is, can you take them on that journey?
And I found that you can, as long as you're speaking their language and you're pointing it out and bringing it back to really simple principles of risk and identification, and giving us directions. It's like, how on earth would you expect me to handle your IT if you can't tell me what is important to you? I should just make up what's important to you? You know, that's kind of the conversation, not so flippantly, but that's kind of how you have to have the conversation.
It's like, really, you should probably tell us what it is, and what's a great way to tell us? We'll write it down. Well, that's a policy, right? So let's figure this out. Right? Yeah. Excellent. Dennis, last question for today.
And again, I'd love it if we get some questions being asked, but great chat, as always, everybody. Great stuff going on in chat. Then, as I was thinking as Carl was saying about, you know, getting the customer to understand, I thought about Gary Pica, because ultimately, if we can't, it's on us. It's not on them. We're not doing an effective job from a sales perspective. So that's on us. But Gary also talks about people, roles, and process, right?
So if we are introducing, you know, vulnerability management, or if we do have it, talk to us about roles and process, how you might wanna look at that within an organization. Well, one of the things we do with CyberCNS is we make the tool available to the internal IT team. And then we ask, you know, how much do you want us to participate in the management of this? And we layer consulting hours on top of that.
So, if they wanna have the role so that the internal team is managing the tool and doing the vulnerability management, then we'll provide advice and consultation. If they want us to take a more active role in that, we also will do it that way. But from an MSP's perspective, Dennis, could you give me, and Carl, feel free to chime in too. MSPs have gotta think about, is this gonna sit in, you know, reactive support?
Is this gonna sit in tools and, you know, centralized services? That's what I meant. And Carl, you want to chime in? You're welcome to, too. I'm trying to decide if Dennis is gonna go or if I'm gonna go here. Okay, so I'm sorry. The question is, where does CyberCNS or vulnerability management fit in our offering? No, what roles? Who's in your company? Who takes care of it? Let's talk roles. Let's talk roles and process, because... Yes. Yeah. Okay.
So in our organization, the folks that do it, it is kind of a combination. Because we have a role that kind of acts like what some people might call a technical account manager, a TAM, or we call 'em IT managers. They're highly technical.
They tend to look after our client documentation, and they tend to look after the systems, and they tend to, like when a client has a bad experience, they'll tend to write a new SOP or make a proposal for a change that can change a system. They're the same folks that are gonna do our compliance reviews, which we do with a client whether they have, quote unquote, compliancy or not.
It's just us checking our best practices, or checking them against CMMC or PCI, whatever their thing is, right? And so they have these checklists that they go through where they validate, and that's one of the ways that we'll identify vulnerabilities and prioritize 'em and create tickets.
But we also have a couple of people on our team now that we've actually taken out of what was traditionally our NOC team and made them now SOC, not SOC in the traditional sense, but just people that have titles like security analyst, in an MSP, even though we're not an MSSP. But they think about things like application control. They think about firewall vulnerabilities, they think about our security tools, and they look at the CyberCNS scans. They do those setups.
But also our project people have a big piece in this too, because once something gets identified or scoped, those change projects are almost always implemented by our professional services team. So it could be through automation, for our NOC team building a script or running a tool that we do. It could be our project team executing on a paid-for project.
And it's a lot of times identified either through an assessment that we're doing for new or existing customers, or through our IT management team. So the answer is, it's kind of, a lot of places do vulnerability management things, and it all depends on which motion, at what time. It really is kind of a full team effort, is a way of putting it. Yeah. And I think probably over time, probably similar to the way, you know, maybe a bad analogy, but I'll use it, how RMM was early on, right?
We were trying to figure out what roles, what process, who did what. And, you know, early on we were trying to, quote unquote, sell RMM. I'm talking back in the 2004 or 2005, 2006 days. I foresee, probably in the next few years, that again, vulnerability scanning, vulnerability management is going to just be part of our stack.
I don't see any way around it based on, you know, where cyber insurance is going, where compliance is going. Anyway, so we'll stay tuned and see, but I would be highly shocked to not see that play out. Well, for us and our customers, it's certainly table stakes, you know, and I think that, I can't see how it wouldn't become that way. Yeah, yeah. I'm with you. Yeah. Yeah. From an MSP perspective, whether it's in there or not, they assume you're doing it.
Yeah, that's always a good point. But one, because they don't know the difference, and two, because they don't know the difference between one IT person and another and their skillset, right? So everybody's the same, right? They definitely think of you as doing it. That's true. Yeah. Dennis, really well said.
And if we had Justin Reinmuth from Tech Rug on here, I know he would have an immediate rant about being defensible, because, and he's right, he's been in enough courtrooms where you have the defense attorney railing on an MSP, saying, you know, who's the expert, and how is my client supposed to know what, you know, vulnerabilities should be taken care of? Isn't that your job?
So again, I think part of it is probably being defensible in this whole thing as well, that we have to take a look at. So quick ask, as I wrap things up here, in chat, maybe just a Y or N. Y is yes, this was helpful, yes, this was useful. Should we do more things like this?
Should we bring on, you know, the Ryan Weekses of the world, should we bring on the Steve Carters of the world, and get some of the, you know, people that truly understand, you know, vulnerability management at a very, very high level? We could bring some of those guys in as well. So, well, good. I'm glad people said yes to that. Thank you. Dennis, any closing thoughts? Thank you for coming on. Really, really not wrong.
It's funny, Michael. Closing thoughts from you, Dennis? Vulnerability management is hard. Anybody who has tried to do it knows it's hard. Having the right tools won't make it easy, but it will make it less painful. And, you know, take the time to understand the environment, because you can't do it all. You just have to figure out, what's the most important thing I have to do today?
And then look at that in terms of, this is what's urgent, but this is what's important. The background tasks and the underlying vulnerabilities that are always there, those are important to also take some time to fix. Yeah. Well, really well said. Carl, thank you as always for your selflessness and always helping the community. Any closing thoughts from you, my friend? Yeah. I mean, for me, it's been a journey.
Like, I feel like Dennis has been miles ahead of me all along. You know, I've learned a lot from talking to him over the last couple of years, and he's really pointed me in a few good directions. I feel like I probably make all the mistakes MSPs are making. Maybe I'm just sometimes six months ahead of the others, and there's plenty behind it. But I think the key things for me is figuring out how it's kind of across the board.
How you can't approach everything you ever find as a vulnerability that must be solved no matter what. And figuring out how to sort out what's practical and important is a big deal. And I think the other thing is, don't forget, vulnerability is not just patching and running scans. It's configuration, and it's policy, and it's assessment, and it's auditing. You know, these are the things you need to have in your motions for really, actually taking care of the customer's vulnerabilities.
It's about all risks. You can fix every vulnerability in the network, but if your password policy has a minimum of six characters, it's not gonna matter, because somebody's gonna capture a password hash, just take 'em offline and crack them. And whether you fix every vulnerability is irrelevant. So you have to look at it. I like to have very complex six-character passwords.
So, how about we close it with this, as Ryan Weeks would say: know yourself, know your enemy, know your battlefield. You're gonna need to know it all to be successful. So with that, thank you, everybody. We look forward to doing more of these. And so stay tuned. We'll see everybody on the cyber call Monday. Take care. Have a great day. Thank you.