1
00:00:09,040 --> 00:00:12,880
Anoop, welcome to the Evolved Radio podcast. Thank you,

2
00:00:12,880 --> 00:00:16,535
Todd. Glad to be here. Alright.

3
00:00:16,535 --> 00:00:20,295
So, we're gonna be talking about, everyone's favorite topic in

4
00:00:20,295 --> 00:00:23,895
the MSP industry, security. We're gonna take a a sort of

5
00:00:23,895 --> 00:00:27,515
interesting route on this as well. But, you and I chatted

6
00:00:27,575 --> 00:00:31,115
about this, an idea that you would frame that I really liked,

7
00:00:32,280 --> 00:00:35,800
and we're gonna talk a bit more about sort of left of the boom, versus

8
00:00:35,800 --> 00:00:39,399
sort of a lot of conversations in our industry tend to focus on right of

9
00:00:39,399 --> 00:00:42,300
the boom. And I'm a big fan of,

10
00:00:43,160 --> 00:00:46,875
the governance end of of security, which is, I think,

11
00:00:46,875 --> 00:00:49,754
something that doesn't get as much play as it probably should in our industry, and

12
00:00:49,754 --> 00:00:53,114
I know this is something I think you're passionate about as well. And you had

13
00:00:53,114 --> 00:00:56,875
this idea around security as a utility, which I really love as a

14
00:00:56,875 --> 00:01:00,335
framing on this. So you wanna expand on that idea for us?

15
00:01:01,090 --> 00:01:04,930
Wow. Security as utility. That's a high level concept, so we'll

16
00:01:04,930 --> 00:01:08,550
we'll start out on the hard stuff. So I think

17
00:01:08,930 --> 00:01:12,690
the idea is today, a lot of people think

18
00:01:12,690 --> 00:01:16,134
of security as an additional tool that

19
00:01:16,134 --> 00:01:19,814
you Right? Like, hey. It's discretionary. Let

20
00:01:19,814 --> 00:01:23,255
me look at all these different tools and

21
00:01:23,255 --> 00:01:26,854
choose what I like, which is fine. But I think the

22
00:01:26,854 --> 00:01:30,280
idea behind utility is you don't choose your,

23
00:01:31,140 --> 00:01:34,659
whether you want water this week, this month. You don't choose whether you want

24
00:01:34,659 --> 00:01:37,880
electricity this week, this month. It's just presumed

25
00:01:38,580 --> 00:01:42,360
you have it. And, obviously, for MSPs, they are providing

26
00:01:42,685 --> 00:01:46,525
utilities. They are providing core network infrastructure. And so the

27
00:01:46,525 --> 00:01:50,365
idea behind security as utility is it's just part of

28
00:01:50,365 --> 00:01:54,045
what you have to deliver as part of your service. And the

29
00:01:54,045 --> 00:01:57,650
only thing that's really, worth debating about there

30
00:01:57,790 --> 00:02:01,470
is what goes into that? What what is foundational? And I think

31
00:02:01,470 --> 00:02:05,149
that'll go towards the governance question. Yeah. And I think that that

32
00:02:05,149 --> 00:02:08,989
is a, I think, a very common question. Right? Because I often pose this to

33
00:02:08,989 --> 00:02:12,775
people of, yes. Security is required. We're much

34
00:02:12,775 --> 00:02:16,455
past the days of, you know, you've got firewall and AV. It gets a

35
00:02:16,455 --> 00:02:20,295
lot more complicated than that. But it does sort of get, a bit

36
00:02:20,295 --> 00:02:23,895
of an odd question of, like, what is the minimum that that people

37
00:02:23,895 --> 00:02:27,110
should instill and expect that their clients to consume?

38
00:02:27,329 --> 00:02:30,689
Right? So, yes, you need some type of

39
00:02:30,689 --> 00:02:34,530
XDR. You probably need some type of asset monitoring and

40
00:02:34,530 --> 00:02:38,370
event management. Does it actually go to having, like, a SIEM

41
00:02:38,370 --> 00:02:42,065
tool, or do you need a SOC? Should you enforce MFA? Like, those

42
00:02:42,065 --> 00:02:45,905
are a lot of the most more common sort of catchy questions that

43
00:02:45,905 --> 00:02:49,745
people have of, like, well, is there a uniform answer to this? Like, should you,

44
00:02:49,745 --> 00:02:53,504
as an MSP, take on a client that does not want to enable MFA? Or

45
00:02:53,504 --> 00:02:56,420
maybe that's sort of a good place to start as far as some of the fundamentals

46
00:02:56,560 --> 00:03:00,160
of that. Right? Yeah. Great question.

47
00:03:00,160 --> 00:03:03,860
And and this, in fact, this question is why

48
00:03:04,400 --> 00:03:07,700
I believe, NIST, US National

49
00:03:08,334 --> 00:03:12,015
Institutes for Standards and Technology, put out their first version of

50
00:03:12,015 --> 00:03:15,635
the cybersecurity framework because of the market confusion

51
00:03:15,694 --> 00:03:18,834
around what should go into a security

52
00:03:19,135 --> 00:03:22,940
program, what should go into a security stack. And,

53
00:03:23,239 --> 00:03:26,780
the second, version was released last year,

54
00:03:27,080 --> 00:03:30,379
and it calls out five pillars or we call them five pillars

55
00:03:30,760 --> 00:03:34,440
of cybersecurity framework. And, I'm not gonna go

56
00:03:34,440 --> 00:03:37,180
through them because they're better better left to Google.

57
00:03:38,735 --> 00:03:41,635
But it does answer the question, what are my foundational

58
00:03:42,735 --> 00:03:46,575
pillars of cybersecurity? The thing about the framework

59
00:03:46,575 --> 00:03:50,130
is it doesn't prescribe what you have to do.

60
00:03:50,370 --> 00:03:53,890
It just says, here's the five pillars. If you're not if you don't

61
00:03:53,890 --> 00:03:57,410
have a solution, in each of these five

62
00:03:57,410 --> 00:04:01,170
pillars, well, then you've got a gap. Right? I mean, that that's that's

63
00:04:01,170 --> 00:04:04,770
basically what it's saying. And each pillar itself has a number of

64
00:04:04,770 --> 00:04:08,265
sub categories and and you can delve into

65
00:04:08,504 --> 00:04:12,345
get as complex as you needed. Right? If you're dealing with an enterprise

66
00:04:12,345 --> 00:04:16,024
or financial services institution, you'll really want all the subcategories filled

67
00:04:16,024 --> 00:04:19,750
out, or you can get as basic as needed for depending on your

68
00:04:19,750 --> 00:04:23,270
client needs. So for, like, a

69
00:04:23,270 --> 00:04:26,650
typical SMB, like,

70
00:04:27,110 --> 00:04:30,789
and, again, like, this is a consulting answer as well. It depends. Right?

71
00:04:30,949 --> 00:04:34,125
But, like, what are some of the basics that I think people should be expecting

72
00:04:34,365 --> 00:04:38,205
around sort of, like, beyond, some of the things that we tend to

73
00:04:38,205 --> 00:04:42,045
see as as just sort of a norm. Right? So you probably have some

74
00:04:42,045 --> 00:04:45,645
asset management. I've seen some people confused around, like, what this actually

75
00:04:45,645 --> 00:04:48,845
means. But if you have an RMM deployed and it's collecting,

76
00:04:49,880 --> 00:04:53,180
you know, at least asset information and maybe some SNMP

77
00:04:53,720 --> 00:04:57,400
information around sort of non agent deployed assets, then, you

78
00:04:57,400 --> 00:05:01,160
know, you basically got inventory collection. Whether or not it's formalized in

79
00:05:01,160 --> 00:05:04,455
any way, like, yeah, you can probably check that box. And I I see some

80
00:05:04,455 --> 00:05:08,215
people get a little confused around that. But, like, I I I think there's some

81
00:05:08,215 --> 00:05:11,895
confusion about how to actually go about and what qualifies as

82
00:05:11,895 --> 00:05:15,735
checking the box on these things without some independent verification from

83
00:05:15,735 --> 00:05:19,289
a third party provider with some expertise around this, I suppose. Right?

84
00:05:20,630 --> 00:05:24,310
Yeah. I mean, what on the asset side, the the core

85
00:05:24,310 --> 00:05:27,849
idea there is if you don't have inventory

86
00:05:28,389 --> 00:05:32,205
of what's on the network, then how can you how can you protect them? Right.

87
00:05:32,205 --> 00:05:35,645
Right? So that is, really the first pillar of the NIST

88
00:05:35,645 --> 00:05:39,425
cybersecurity framework. It's called identify, and it's identifying

89
00:05:39,965 --> 00:05:43,565
what are the assets on the network. And what's important about

90
00:05:43,565 --> 00:05:47,300
that, at least to me, is it's not just the

91
00:05:47,300 --> 00:05:50,280
laptops and servers. Right? It's every,

92
00:05:51,379 --> 00:05:55,220
device with an IP address on the network. You want to know what's

93
00:05:55,220 --> 00:05:58,740
there. Right? And so discovery of what's on the

94
00:05:58,740 --> 00:06:02,395
network is a key part of identify. Right? And that's

95
00:06:02,395 --> 00:06:05,514
that's that starts with the basics. What do you have on the network? Yep. Once

96
00:06:05,514 --> 00:06:09,134
you know what's there, then you can begin to look at the second pillar,

97
00:06:09,435 --> 00:06:13,115
which is protect. Right? Protect is all the stuff

98
00:06:13,115 --> 00:06:16,095
you do left of boom to prevent

99
00:06:17,050 --> 00:06:20,830
an intrusion on that network. Yep.

100
00:06:21,530 --> 00:06:25,290
So NIST gets a lot of airtime. Lot most people, I think, are

101
00:06:25,290 --> 00:06:28,730
probably familiar with that. Whether or not they've sort of looked deeply at it and

102
00:06:28,730 --> 00:06:32,575
then have have established some policy and procedure around that framework or

103
00:06:32,575 --> 00:06:36,255
other, I tend to be a fan of, more of the CIS

104
00:06:36,255 --> 00:06:39,935
framework. I I feel it's more consumable. And maybe this is different. I haven't looked

105
00:06:39,935 --> 00:06:43,770
at the sort of the updated, NIST framework, but, I found, like,

106
00:06:43,770 --> 00:06:47,290
a CIS feels a little more, modular. Right?

107
00:06:47,450 --> 00:06:50,570
Where you you you you can kinda look at it, and you're like, okay. You

108
00:06:50,570 --> 00:06:54,410
know, how how intense do we wanna get around security? We won't don't wanna do

109
00:06:54,410 --> 00:06:57,985
sort of, this giant spreadsheet of NIST. We're gonna start with

110
00:06:57,985 --> 00:07:01,825
just sort of phase one and maybe phase two, and then we'll look at some

111
00:07:01,825 --> 00:07:05,585
situations where maybe phase three makes some sense. And then there's other systems

112
00:07:05,585 --> 00:07:09,265
like ISO, seeing a lot of other organizations now looking

113
00:07:09,265 --> 00:07:12,970
towards getting SOC 2 certified. How would you

114
00:07:12,970 --> 00:07:16,650
sort of if someone asks you, like like, what should I use? Like, NIST is

115
00:07:16,650 --> 00:07:20,490
is pretty industry standard. But is there sort of a place for CIS

116
00:07:20,490 --> 00:07:24,270
or ISO, outside of a client just requesting those in your mind?

117
00:07:25,384 --> 00:07:29,005
Yeah. Absolutely. I mean, each of them have their place. So

118
00:07:29,544 --> 00:07:33,065
NIST cybersecurity framework, we think, is a good

119
00:07:33,065 --> 00:07:36,585
place to start to take stock of your

120
00:07:36,585 --> 00:07:40,389
security program. Right? Again, like, what do

121
00:07:40,389 --> 00:07:44,090
you have in place as far as your security program? What are you missing?

122
00:07:44,389 --> 00:07:47,830
And, you know, you've got a lot of solutions. So the first part about that

123
00:07:47,830 --> 00:07:51,555
is just understanding where do your solutions fit in. If you

124
00:07:51,555 --> 00:07:54,995
have, like, Huntress or ThreatLocker or

125
00:07:54,995 --> 00:07:58,835
Blackpoint, etcetera, do you understand where that fits in the

126
00:07:58,835 --> 00:08:02,294
NIST cybersecurity framework? Right? And and that's typically

127
00:08:03,474 --> 00:08:07,270
detect, respond, recover. To your point around,

128
00:08:07,910 --> 00:08:11,690
CIS, so CIS is prescriptive. Right? So NIST,

129
00:08:11,830 --> 00:08:15,290
CSF is a way of understanding what you have and, therefore,

130
00:08:15,590 --> 00:08:19,030
what's missing. CIS is prescriptive, which is good.

131
00:08:19,030 --> 00:08:22,705
Right? And if you just want to, say, look.

132
00:08:22,705 --> 00:08:26,245
We want our our clients' networks hardened

133
00:08:26,945 --> 00:08:30,785
to the best practices available. I think CIS checks

134
00:08:30,785 --> 00:08:34,544
that box. Right? Because it says, hey. If you've got

135
00:08:34,544 --> 00:08:37,670
Windows 11, desktops,

136
00:08:37,970 --> 00:08:41,809
laptops, we've got a standard that you can follow to

137
00:08:41,809 --> 00:08:45,410
secure those devices and also for Linux and

138
00:08:45,410 --> 00:08:49,250
also for macOS. Great. So now I can go to a

139
00:08:49,250 --> 00:08:53,095
client and say, hey. I'm going to we're going to do an

140
00:08:53,095 --> 00:08:56,774
analysis, understand what you have on on

141
00:08:56,774 --> 00:09:00,074
those endpoints, where there are potential

142
00:09:00,615 --> 00:09:04,154
risks, involved, and then do some remediations

143
00:09:04,694 --> 00:09:08,320
to harden them. And if you do that much and this is why not

144
00:09:08,320 --> 00:09:12,080
not just you, Todd. I I think there's people in in our space that are

145
00:09:12,080 --> 00:09:15,760
now talking about getting to CIS compliance because it

146
00:09:15,760 --> 00:09:19,520
is prescriptive. It tells you what to do. It gives you something you can point

147
00:09:19,520 --> 00:09:22,935
at and say, we are meeting, you know, best practices

148
00:09:23,154 --> 00:09:26,675
in at least hardening our our endpoints against

149
00:09:26,675 --> 00:09:30,515
attack. Right. And and I think one of the things that I I feel

150
00:09:30,515 --> 00:09:34,355
often gets overlooked in some weird way is more sort of,

151
00:09:34,835 --> 00:09:38,610
you know, the shoemaker's kids go without without shoes. And and not that

152
00:09:38,610 --> 00:09:42,310
people are being, sort of absent about

153
00:09:42,370 --> 00:09:45,889
protecting their own house, but I feel like it doesn't get the same level of

154
00:09:45,889 --> 00:09:49,250
approach and rigor, certainly around sort of policy

155
00:09:49,250 --> 00:09:52,264
management. And I I feel like it's a really good place to start because, like,

156
00:09:52,264 --> 00:09:55,865
if you're gonna protect your clients, if there's anything you should be

157
00:09:55,865 --> 00:09:59,704
doing is is really hardening your own environment because Yeah.

158
00:09:59,944 --> 00:10:03,545
You know, MSPs are a very valuable target because you hold the

159
00:10:03,545 --> 00:10:07,210
keys to hundreds of other companies. So why hack one

160
00:10:07,210 --> 00:10:10,890
company when you can hack another and get access to a hundred other companies as

161
00:10:10,890 --> 00:10:14,650
a result of that? And And we've seen that. Right? Yeah. Some very scary

162
00:10:14,650 --> 00:10:18,330
events around this. But I still feel like so many MSPs that I

163
00:10:18,330 --> 00:10:21,845
see are really very distinctly focused on client

164
00:10:21,845 --> 00:10:25,285
management and client security. And if you ask them about their internal

165
00:10:25,285 --> 00:10:28,725
policy, like, they'll often tell you, you know, here are the things that we have

166
00:10:28,725 --> 00:10:32,180
deployed. Here are a couple of things that that we do. But they're

167
00:10:32,180 --> 00:10:35,720
pretty loose on the formalization and the policy

168
00:10:35,860 --> 00:10:38,980
around the management of this. And I I think that's why this this whole idea

169
00:10:38,980 --> 00:10:42,180
of sort of this left of the boom appeals to me is what better place

170
00:10:42,180 --> 00:10:45,860
to start than Mhmm. Formalizing and understanding your own

171
00:10:45,860 --> 00:10:49,235
security so that you can then take that and consult to your

172
00:10:49,235 --> 00:10:52,915
customers around, here's what we do. Here are the basics that are required. This is

173
00:10:52,915 --> 00:10:56,215
the things that that we're gonna implement for you. Any thoughts on that?

174
00:10:57,315 --> 00:11:00,995
I think you're absolutely right. I mean, you should get your own house in

175
00:11:00,995 --> 00:11:04,550
order, and you should be able to present that to your

176
00:11:04,550 --> 00:11:08,310
clients and prospects that, hey. This stuff,

177
00:11:08,310 --> 00:11:12,070
we're we're recommending that, you use. We use

178
00:11:12,070 --> 00:11:15,510
it ourselves. To give you a tangible example from this

179
00:11:15,510 --> 00:11:18,634
morning, I was talking to a partner of ours

180
00:11:18,935 --> 00:11:22,394
who said, hey. Before I run this pen test

181
00:11:22,855 --> 00:11:26,214
on, you know, this client, I'd like to be able to show

182
00:11:26,214 --> 00:11:29,894
them, you know, what we did on our own network. And

183
00:11:29,894 --> 00:11:33,510
so we went in and and take a look, at at the

184
00:11:33,510 --> 00:11:37,110
results from the pentest we ran on on their network, and it had some

185
00:11:37,110 --> 00:11:40,870
criticals. And I said, I I'm not quite sure you wanna you wanna share

186
00:11:40,870 --> 00:11:44,550
this. And he was like, no. No. I really do because we

187
00:11:44,550 --> 00:11:48,064
believe in that transparency with our clients. And more importantly,

188
00:11:48,204 --> 00:11:51,964
it shows that even we will have issues. And better yet,

189
00:11:51,964 --> 00:11:55,404
when I show them in, you know, the next report a month, we'll show them

190
00:11:55,404 --> 00:11:58,845
how we how we resolve this issue. So that's that's almost

191
00:11:58,845 --> 00:12:02,330
radical transparency if you think about it. But the fact that he was

192
00:12:02,330 --> 00:12:06,029
willing to show his own report from his own

193
00:12:07,769 --> 00:12:10,250
network to a to a client, I mean

194
00:12:12,170 --> 00:12:16,005
Yeah. Maybe that kinda gets to some of the the sales tactics that I I'd

195
00:12:16,005 --> 00:12:19,765
like to talk about here as well. Mhmm. And, you know, interestingly, I've had some

196
00:12:19,765 --> 00:12:23,525
some sales, or some, security and sales experts on the past.

197
00:12:23,525 --> 00:12:26,885
And I said, you know, okay. A lot of lot of FUD is used in

198
00:12:26,885 --> 00:12:30,699
in the sale of cybersecurity. Like, is is that is there a better way

199
00:12:30,699 --> 00:12:34,220
to do this? And surprisingly, I've had a few people say no. Like, FUD's great

200
00:12:34,220 --> 00:12:37,519
because it works. Right? What's your sense of,

201
00:12:38,300 --> 00:12:42,060
like, the the story that you shared there almost goes in a different direction in

202
00:12:42,060 --> 00:12:45,765
my mind is is just sort of stating the obviousness of, like,

203
00:12:46,065 --> 00:12:49,845
everything is imperfect. We have to understand sort of how security gets applied

204
00:12:49,904 --> 00:12:53,745
and, you know, what good enough looks like. Obviously, we need

205
00:12:53,745 --> 00:12:57,490
to cover some of the criticals, but, you know, again, more more sort of

206
00:12:57,490 --> 00:13:00,850
like a policy angle of, like, you just need to do these things. Right? Like,

207
00:13:00,850 --> 00:13:03,970
there's a certain way you build a house. You have standards. There's a certain way

208
00:13:03,970 --> 00:13:07,490
you implement security. There's standards. Right? Like, more of a just sort of

209
00:13:07,490 --> 00:13:11,105
a a a transparent and and very kind of

210
00:13:11,105 --> 00:13:14,944
vanilla conversation about that. But maybe that doesn't sell as well to someone who is

211
00:13:14,944 --> 00:13:18,785
not concerned or paranoid about security. What's your feeling on sort

212
00:13:18,785 --> 00:13:22,545
of utilizing FUD as a sales vehicle for security? I I

213
00:13:22,545 --> 00:13:26,060
don't like it. And I don't think security

214
00:13:26,280 --> 00:13:29,500
vendors or our partners need to use it either.

215
00:13:30,200 --> 00:13:33,800
If you look on the news, there's enough, you know,

216
00:13:33,800 --> 00:13:37,480
screaming headlines on security incidents

217
00:13:37,480 --> 00:13:41,024
that you don't need to add more gasoline on that fire. What the

218
00:13:41,024 --> 00:13:44,565
way I like to approach it from a sales point of view

219
00:13:44,945 --> 00:13:48,704
is solving business problems. And let's face it. The

220
00:13:48,704 --> 00:13:52,385
the clients we're talking about, their primary concern

221
00:13:52,385 --> 00:13:55,830
is not cybersecurity. It it really isn't.

222
00:13:55,830 --> 00:13:59,270
Right? It is if you're a dentist, it's making

223
00:13:59,270 --> 00:14:02,970
sure that the, dentist, application

224
00:14:03,110 --> 00:14:06,645
network is running. Right? If it's

225
00:14:07,605 --> 00:14:11,445
manufacturing floor, making sure that all connect through the network, there's no

226
00:14:11,445 --> 00:14:15,205
problem there. So what they're trying to do is they're trying to

227
00:14:15,205 --> 00:14:18,965
do their business, and they're counting on you, the MSP

228
00:14:18,965 --> 00:14:22,530
partner, to do your job and make sure the network

229
00:14:22,530 --> 00:14:26,330
stays up. Right? So from a cyber cybersecurity point of view,

230
00:14:26,330 --> 00:14:29,810
it goes back to that utility, which is in order for us

231
00:14:29,810 --> 00:14:33,404
to make sure that you can continue to

232
00:14:33,404 --> 00:14:37,245
run smoothly, we need to secure this network. We need to follow the

233
00:14:37,245 --> 00:14:40,785
CIS standard. We need to do vulnerability discovery,

234
00:14:41,565 --> 00:14:45,005
and and patch management on those. Right? Those are all left of booms

235
00:14:45,245 --> 00:14:49,060
boom stuff. I I something

236
00:14:49,060 --> 00:14:52,760
that really cuts through the noise on this one, though, is insurance.

237
00:14:53,220 --> 00:14:56,680
Right? So and that tends to be the driver,

238
00:14:57,220 --> 00:15:00,915
to the business discussion, which is when your

239
00:15:00,915 --> 00:15:04,675
clients are selling to their clients, and their and

240
00:15:04,675 --> 00:15:08,214
their clients are asking them for the the cyber insurance

241
00:15:08,275 --> 00:15:12,120
policy, that drives the business discussion. Right? And the and the

242
00:15:12,120 --> 00:15:15,899
cyber insurance questionnaires are quite rigorous these days, and they do require

243
00:15:16,920 --> 00:15:20,600
most of the stuff that you'll find in NIST CSF. Right? And so they

244
00:15:20,600 --> 00:15:24,345
come to you as as a managed service, provider and say, hey. Can

245
00:15:24,425 --> 00:15:27,225
you help me fill this out? Like, yeah. Well, if you're on our tech stack,

246
00:15:27,225 --> 00:15:31,064
you're you're good, hopefully. And then you just you basically

247
00:15:31,064 --> 00:15:34,665
identify all the stuff you're doing, and now you're solving a business

248
00:15:34,665 --> 00:15:38,045
problem. Right? And if you have a gap, like, you don't have cybersecurity

249
00:15:38,185 --> 00:15:41,870
awareness training, which is required in NIST CSF, it's

250
00:15:41,870 --> 00:15:45,710
also required for for cyber insurance, then

251
00:15:45,710 --> 00:15:49,550
you fill it. Right? It's just a business discussion. It's not a, hey. Did you

252
00:15:49,550 --> 00:15:53,090
know business email compromise you can lose your payroll?

253
00:15:54,065 --> 00:15:57,505
Which is real, but that's that's the FUD part. Right? Right.

254
00:15:57,505 --> 00:16:01,025
Versus you have to do this in order to get cyber insurance. You need cyber

255
00:16:01,025 --> 00:16:04,705
insurance in order for you to continue to win business. Yeah. And

256
00:16:04,705 --> 00:16:07,685
I I mean, I've certainly seen a number of organizations

257
00:16:08,065 --> 00:16:11,750
getting denied cyber insurance. And, you know, if you're not

258
00:16:11,750 --> 00:16:15,110
stringent about these things, like, there are situations where

259
00:16:15,110 --> 00:16:18,490
companies are being denied, policy claims because,

260
00:16:19,110 --> 00:16:22,885
either, like, they they weren't diligent about, you know,

261
00:16:22,885 --> 00:16:26,645
being accurate around the those those, questionnaires they

262
00:16:26,645 --> 00:16:29,365
have to fill out. Right? So Well you know, you need to be on top

263
00:16:29,365 --> 00:16:33,145
of these things. That brings up another good point, which is,

264
00:16:34,050 --> 00:16:37,650
hey. You you did the right thing in

265
00:16:37,650 --> 00:16:41,410
filling out the survey, but maybe you weren't precise

266
00:16:41,410 --> 00:16:45,250
enough or truthful enough. And you have to be careful about

267
00:16:45,250 --> 00:16:48,985
that, for the point that you're making. So give you a tangible

268
00:16:48,985 --> 00:16:52,605
example you brought up earlier, MFA. Right?

269
00:16:53,065 --> 00:16:56,904
Oh, do you have MFA, you know, deployed? And you

270
00:16:56,904 --> 00:17:00,480
check the boxes. Yep. We've got MFA. Right? And

271
00:17:00,560 --> 00:17:04,179
and by the way, these questions are written like yes, no, binary.

272
00:17:04,559 --> 00:17:08,319
They're not. Right? You could use the blank sheet of

273
00:17:08,319 --> 00:17:11,460
pay all the details. Right? So if you have accounts

274
00:17:12,400 --> 00:17:16,194
in your Microsoft 365 that are not

275
00:17:16,194 --> 00:17:19,494
protected by MFA, particularly a global admin,

276
00:17:20,194 --> 00:17:23,954
and you have account takeover on one of those accounts

277
00:17:23,954 --> 00:17:27,794
without MFA, even if you all the rest did and you file

278
00:17:27,794 --> 00:17:31,460
that claim, they they will likely deny it because that account was

279
00:17:31,460 --> 00:17:35,299
not protected by MFA. And in your application, you

280
00:17:35,299 --> 00:17:38,820
said it was. Right? So that's super important to to get

281
00:17:38,820 --> 00:17:42,659
right. Yeah. That's exactly the situation that I heard about is, like, there was

282
00:17:42,659 --> 00:17:46,365
some account that they that was just overlooked that wasn't covered. And I don't

283
00:17:46,365 --> 00:17:49,645
think it was even the one that got compromised. It was just evidence that they're

284
00:17:49,805 --> 00:17:53,565
like, they they, the the they weren't accurate about

285
00:17:53,565 --> 00:17:57,405
the the management of the policy. Right? Which I think, again, gets to the sort

286
00:17:57,405 --> 00:18:00,210
of this whole point of kinda left of the boom. Like,

287
00:18:01,730 --> 00:18:04,210
the reason that I think there's a few reasons why I think this is so

288
00:18:04,210 --> 00:18:07,970
important to focus on is is, again, like, right of the

289
00:18:07,970 --> 00:18:11,809
boom and management of those things is incredibly important. And I think, like,

290
00:18:11,809 --> 00:18:15,284
doing tabletops, doing scenario planning, and being really

291
00:18:15,284 --> 00:18:18,825
diligent about what is the response to the the Holy Hell scenario.

292
00:18:19,284 --> 00:18:23,044
But, you know, hopefully, in some cases, you don't actually have to get there. And

293
00:18:23,044 --> 00:18:26,340
quite frankly, there's a great consulting opportunity in the governance and

294
00:18:29,539 --> 00:18:33,159
customer. So I see this as it's not sexy work,

295
00:18:33,220 --> 00:18:36,020
but, you know, there's a lot of money to be made and a whole lot

296
00:18:36,020 --> 00:18:39,640
of heartache to be avoided in just spending a lot of time on it. Right?

297
00:18:40,174 --> 00:18:43,535
Yeah. And and to build on that, so right of

298
00:18:43,535 --> 00:18:47,375
boom and maybe we should define these terms because we've been using them.

299
00:18:47,375 --> 00:18:51,215
So boom is when the compromise happens. The compromise can either

300
00:18:51,215 --> 00:18:54,590
be an adversary on network or it can be a malware

301
00:18:54,590 --> 00:18:58,270
detonation on network. Right? Left of boom is a

302
00:18:58,270 --> 00:19:02,050
timeline thing. So left of boom is on the timeline. Everything

303
00:19:02,590 --> 00:19:06,350
you could have done to prevent that boom, and right of boom

304
00:19:06,350 --> 00:19:09,855
is all the activities or

305
00:19:09,855 --> 00:19:13,475
technology are there to detect, respond,

306
00:19:13,695 --> 00:19:17,535
recover, etcetera. Right? So let's talk about managed

307
00:19:17,535 --> 00:19:20,990
service providers. I would argue the remit

308
00:19:21,130 --> 00:19:24,510
for a managed service provider is left of boom, meaning

309
00:19:25,050 --> 00:19:28,490
your clients, whether they tell you or not, are

310
00:19:28,490 --> 00:19:31,930
expecting you're doing everything with the

311
00:19:31,930 --> 00:19:35,475
configuration management of that network to secure the

312
00:19:35,475 --> 00:19:39,315
network as best as possible, which goes back to the standards question. Like,

313
00:19:39,315 --> 00:19:43,015
what is best as possible? Will the standards define that for you? Right?

314
00:19:43,955 --> 00:19:47,735
Right of boom is all the stuff that requires a lot of security

315
00:19:47,795 --> 00:19:51,610
expertise. Right? Is there an adversary in the network? Guess what? That that

316
00:19:51,610 --> 00:19:55,450
takes some security expertise. And a lot of managed

317
00:19:55,450 --> 00:19:58,890
service providers aren't trained in that or don't have a

318
00:19:58,890 --> 00:20:02,650
cybersecurity expert, so they will tend to outsource the right of boom stuff

319
00:20:02,650 --> 00:20:06,455
to the Huntresses and Blackpoints of the world. Right? And then if you

320
00:20:06,755 --> 00:20:10,515
have a recovery scenario, that's, you know,

321
00:20:10,515 --> 00:20:13,815
again, that's a whole another, you know,

322
00:20:13,955 --> 00:20:17,794
talent in in doing the forensics and doing the insurance filing

323
00:20:17,794 --> 00:20:21,509
and doing the recovery of those devices. So back to your point,

324
00:20:21,509 --> 00:20:25,190
Todd, is left of boom is where, as a

325
00:20:25,190 --> 00:20:28,630
managed service provider, you can go in and say, hey. I

326
00:20:28,630 --> 00:20:31,690
will follow I will make sure you're up to standards.

327
00:20:32,149 --> 00:20:35,955
NIST CSF, I think, is very good from a board governance point of

328
00:20:35,955 --> 00:20:39,495
view where you can say, here's where we stand across the board.

329
00:20:39,554 --> 00:20:43,075
Here's how well deployed we are with these various technologies. We got a gap

330
00:20:43,075 --> 00:20:46,820
here around MFA. We're gonna correct that gap. Right? We have

331
00:20:46,820 --> 00:20:50,580
cybersecurity awareness training. We're only 80% of the way there. You know, we need

332
00:20:50,580 --> 00:20:54,360
your help client to get to a 100% with all with all the folks.

333
00:20:54,420 --> 00:20:57,940
Right? CIS, we've got a few endpoints that need some

334
00:20:57,940 --> 00:21:01,305
work. We'll take care of that. To your point, I think that's really

335
00:21:01,785 --> 00:21:05,625
expected from a managed service provider. And as long as you're you're

336
00:21:05,625 --> 00:21:09,465
following best practices, you're you're in good shape and your client's in

337
00:21:09,465 --> 00:21:13,085
good shape. Yeah. I like this idea of more engagement

338
00:21:13,145 --> 00:21:16,900
with the customer and drawing them into some of the decision making because, you know,

339
00:21:16,900 --> 00:21:20,420
it's never perfect. Right? Like, hopefully, you're getting kinda 90%

340
00:21:20,420 --> 00:21:23,940
coverage, but it's certainly never gonna be a 100%. And I sort of describe this

341
00:21:23,940 --> 00:21:27,640
as a security version of, uptime. Like, I I'm an old,

342
00:21:28,100 --> 00:21:31,335
Citrix administrator. So, you know, uptime and and,

343
00:21:32,055 --> 00:21:35,895
the presentation layer being blamed was always a big problem for me. That's right. But

344
00:21:35,895 --> 00:21:39,275
I always describe to executives like, look. We can do five nines,

345
00:21:39,815 --> 00:21:42,615
but, you know, here's the price tag for it. You go to Austin sort of

346
00:21:42,615 --> 00:21:46,029
whistle and be like, oh, like, maybe three nines is good enough for us. Right?

347
00:21:46,029 --> 00:21:49,549
So that that type of discussion has to happen at a security level is,

348
00:21:49,549 --> 00:21:53,149
like, here are all the necessary controls that are con

349
00:21:53,230 --> 00:21:57,075
kinda nonnegotiable, and here are some of the controls that, you know,

350
00:21:57,315 --> 00:22:00,835
some of our clients have and some of our clients don't. And, like, I I

351
00:22:00,835 --> 00:22:04,534
will if you have some questions about this and understand how it fits your organization,

352
00:22:04,674 --> 00:22:08,355
let's talk about that. But maybe it doesn't apply to you, and maybe we could

353
00:22:08,355 --> 00:22:11,894
save a few bucks here. But recognizing here are the risks that that presents.

354
00:22:12,070 --> 00:22:14,710
And I think, like, we tend to get this wrong in a lot of ways

355
00:22:14,710 --> 00:22:18,390
in the industry of, like, this is the prescriptive approach. It has to be

356
00:22:18,390 --> 00:22:22,230
blanketed. Every customer needs these things. And there are certain providers where that

357
00:22:22,230 --> 00:22:25,350
makes a lot of sense, and there are cert certainly certain customers where that makes

358
00:22:25,350 --> 00:22:29,155
a lot of sense. But that's not necessarily a broad brush that everyone can get

359
00:22:29,155 --> 00:22:32,835
painted with, so it requires some level of discussion. And I think this is

360
00:22:32,835 --> 00:22:36,135
helpful to have those those, those consultative

361
00:22:36,515 --> 00:22:40,215
discussions with clients so that they kind of understand the risks and the the

362
00:22:40,275 --> 00:22:43,929
the costs associated with how much is enough and how do we make

363
00:22:43,929 --> 00:22:47,289
that decision. Right? And I and I think you

364
00:22:47,289 --> 00:22:50,730
you you want to have that discussion, and then you want to have

365
00:22:50,730 --> 00:22:54,510
those decisions documented. Right? So

366
00:22:54,890 --> 00:22:58,065
if you present I know you mentioned SIEM and

367
00:22:58,865 --> 00:23:02,705
XDR as an example, and I would consider those higher

368
00:23:02,705 --> 00:23:06,465
end offerings. And it it you know, what's

369
00:23:06,465 --> 00:23:10,225
oftentimes not spoken about that is the human labor that

370
00:23:10,225 --> 00:23:13,920
goes into monitoring those logs and alerting us. That's where your real cost

371
00:23:13,920 --> 00:23:17,440
is. Right? Mhmm. And I agree not

372
00:23:17,440 --> 00:23:21,280
everyone needs 24 by seven monitoring just depending

373
00:23:21,280 --> 00:23:24,180
on what kind of network it is and what's at risk. Right?

374
00:23:24,800 --> 00:23:27,220
But being able to say, hey. We did an assessment.

375
00:23:28,675 --> 00:23:32,515
You know, we we think, XDR is an option, but you

376
00:23:32,515 --> 00:23:36,035
may not need it for for for what you're trying to protect. But

377
00:23:36,035 --> 00:23:39,795
maybe, Microsoft 365

378
00:23:39,795 --> 00:23:43,440
MDR is is a good idea

379
00:23:43,440 --> 00:23:47,060
because most of your attack surface is on Microsoft.

380
00:23:47,360 --> 00:23:51,200
Right? Yep. And so if if we're looking at the Azure logs and

381
00:23:51,200 --> 00:23:54,865
we're looking for, say, impossible travel scenario where you've got a log

382
00:23:54,865 --> 00:23:58,625
in from Eastern Europe and you have a log in in New York at the

383
00:23:58,625 --> 00:24:02,305
same time, that might be something where we

384
00:24:02,305 --> 00:24:05,905
we do actually wanna say, hey. Let let's let's stop this

385
00:24:05,905 --> 00:24:09,700
login. Yep. Because we know that can't be the case. Example where you're

386
00:24:09,700 --> 00:24:13,540
you're making a risk based decision based on what's at risk and

387
00:24:13,540 --> 00:24:17,300
what the threat environment is like. Yeah. And I think that goes to the point

388
00:24:17,300 --> 00:24:20,924
of, like, what the manageable situation is in a lot of these scenarios is

389
00:24:20,924 --> 00:24:24,605
isolation is in in a lot of cases good enough. Right? Because then we can

390
00:24:24,605 --> 00:24:27,725
deal with this later. Like, do do we need to wake some someone up at

391
00:24:27,725 --> 00:24:31,325
three in the morning in order to verify some security event, or do we

392
00:24:31,325 --> 00:24:34,213
isolate the event or the user and then someone at six in the morning can

393
00:24:34,213 --> 00:24:37,840
be like, oh, that's a false alarm. Okay. Click. Right? Right. So, you know,

394
00:24:37,840 --> 00:24:41,679
the the timeliness of these of these events and what their response

395
00:24:41,679 --> 00:24:45,120
to them is is is sometimes pretty variable from client to client.

396
00:24:45,120 --> 00:24:48,885
Yeah. Yeah. One of the other things,

397
00:24:49,325 --> 00:24:52,365
I I wanna get sort of your perspective on a few things. You mentioned,

398
00:24:53,005 --> 00:24:56,684
pen testing, and, got a couple couple of

399
00:24:56,684 --> 00:25:00,284
things here. I guess, like, the the fact that your your like, your

400
00:25:00,284 --> 00:25:02,610
company, has a fairly heavy,

401
00:25:03,870 --> 00:25:07,630
focus on this, and, like, this is a fairly crowded space. And I'm curious

402
00:25:07,630 --> 00:25:11,309
sort of the thought process of of, how you guys approach the

403
00:25:11,309 --> 00:25:14,830
market and what the offering was and and what your thoughts are around sort of,

404
00:25:15,434 --> 00:25:19,195
the competitive landscape in in that area of the security security

405
00:25:19,195 --> 00:25:21,375
awareness and security event management.

406
00:25:23,195 --> 00:25:26,634
Yeah. And I I it it's an interesting time to be in the

407
00:25:26,634 --> 00:25:30,410
cybersecurity space, just because there are

408
00:25:30,630 --> 00:25:33,990
so many vendors and so many tool options, which

409
00:25:33,990 --> 00:25:37,830
frankly increases market confusion around what do I need

410
00:25:37,830 --> 00:25:41,205
to buy, which is kinda what we're talking about. We we took the approach

411
00:25:42,325 --> 00:25:45,544
of how can we simplify

412
00:25:46,325 --> 00:25:50,085
all of that for for our clientele, which are managed service

413
00:25:50,085 --> 00:25:53,684
providers. And so we have what we call a unified attack

414
00:25:53,684 --> 00:25:57,049
surface management platform. What makes it unified

415
00:25:57,350 --> 00:26:01,110
is we we say, look. You have a a set

416
00:26:01,110 --> 00:26:04,890
of attack surfaces. Right? And if you go back to the CSF

417
00:26:05,909 --> 00:26:09,510
asset identification, that's the first we do. We look at

418
00:26:09,510 --> 00:26:13,245
every attack surface, external, cloud, and behind the

419
00:26:13,245 --> 00:26:16,845
firewall. And the first thing is identify what all

420
00:26:16,845 --> 00:26:20,065
those devices are, and then we'll scan them to identify

421
00:26:20,764 --> 00:26:24,524
what the attack surface looks like from an adversarial point

422
00:26:24,524 --> 00:26:27,890
of view. Right? So that's vulnerability discover it's asset

423
00:26:27,890 --> 00:26:31,570
identification, vulnerability discovery. Right? And we don't just

424
00:26:31,570 --> 00:26:35,090
stick to software vulnerabilities. So we look

425
00:26:35,090 --> 00:26:38,550
at all exposures. So things like, do you have an SSL

426
00:26:38,690 --> 00:26:42,325
certificate expiring? Because that matters.

427
00:26:42,865 --> 00:26:45,685
Have you not set up your DMARC and SPF,

428
00:26:46,545 --> 00:26:50,225
correctly for that client? Because if it's incorrectly set up, they can they can be

429
00:26:50,225 --> 00:26:53,680
subject to spoofing attacks. Right? And and and

430
00:26:53,680 --> 00:26:57,060
then other business challenges with email as well.

431
00:26:57,840 --> 00:27:01,600
Do you have insecure services like you have FTP running on

432
00:27:01,600 --> 00:27:05,280
this website? That's not a CVE, but it's an it it's an

433
00:27:05,280 --> 00:27:09,045
insecure configurate. Yep. Right? So those users that we

434
00:27:09,045 --> 00:27:12,725
look at, MFA is another one. We'll look at M365

435
00:27:12,725 --> 00:27:16,185
and Google Workspace because that's a significant attack surface.

436
00:27:16,485 --> 00:27:19,705
And if your if your user accounts aren't properly secured,

437
00:27:20,830 --> 00:27:24,429
an adversary will take that before they use an exploit of a

438
00:27:24,429 --> 00:27:28,269
CVE. So the reason for unifying it

439
00:27:28,269 --> 00:27:31,330
is we look at all of these security exposures.

440
00:27:32,235 --> 00:27:36,015
We correlate it with threat intelligence, current threat intelligence,

441
00:27:36,555 --> 00:27:39,695
and we just focus you on the exposures

442
00:27:39,995 --> 00:27:43,755
that bring actual risk to that network. So for

443
00:27:43,755 --> 00:27:47,259
example, if I scan a network, I will find typically thousands

444
00:27:47,399 --> 00:27:50,919
of CVEs. But if I look at just the ones that have an

445
00:27:50,919 --> 00:27:54,440
associated exploit, it winnows it down by about

446
00:27:54,440 --> 00:27:58,200
90%. And that's really significant because

447
00:27:58,200 --> 00:28:01,654
now to address risk, you only you

448
00:28:01,654 --> 00:28:04,554
focus on the ones that have an associated exploit,

449
00:28:05,095 --> 00:28:08,534
address those, and that will in

450
00:28:08,534 --> 00:28:12,215
turn raise we we publish the security score, and it

451
00:28:12,294 --> 00:28:16,090
it's highly efficient. So instead of just doing patch

452
00:28:16,090 --> 00:28:19,310
management, you're actually addressing risk posed

453
00:28:19,930 --> 00:28:23,610
by an adversary. And that applies across all these different attack

454
00:28:23,610 --> 00:28:27,450
surfaces. Right? So unifying it allows me to reason about where

455
00:28:27,450 --> 00:28:30,985
do I need to focus my efforts today? And that's why we do cover a

456
00:28:30,985 --> 00:28:34,825
number of different attack surfaces. Okay. Cool. And I think that that covers

457
00:28:34,825 --> 00:28:38,025
sort of the other question I was gonna ask. And I feel like I kinda

458
00:28:38,025 --> 00:28:40,905
know where you'll head with this based on some previous answers, but I I'm kinda

459
00:28:40,905 --> 00:28:44,590
curious to get get your take on this is, a lot of MSPs, they're

460
00:28:44,590 --> 00:28:48,350
sometimes concerned about, especially vulnerability assessments and

461
00:28:48,350 --> 00:28:51,870
any type of, sort of threat assessment, of an

462
00:28:51,870 --> 00:28:55,310
environment, whether or not that should come from a third party with some

463
00:28:55,310 --> 00:28:59,145
independence. And they they have some concern of, like, well, you know, if I'm

464
00:28:59,145 --> 00:29:02,845
the one sort of checking all the locks that I installed, you know,

465
00:29:03,225 --> 00:29:06,905
does the customer trust that? I get it from, like, a

466
00:29:06,905 --> 00:29:10,445
unified view. Right? But what what's your feeling on sort of the independence

467
00:29:10,745 --> 00:29:14,090
of who secures the environment versus who verifies the security?

468
00:29:15,029 --> 00:29:18,330
I I think that's more of a compliance issue. So Mhmm.

469
00:29:18,870 --> 00:29:22,710
Let's look at it this way. As a managed service provider, you're

470
00:29:22,710 --> 00:29:26,309
responsible for the daily. Right? The day to day like, you're that daily

471
00:29:26,309 --> 00:29:29,665
driver. You're there to make sure that if a new

472
00:29:30,045 --> 00:29:33,665
port opens, you know, someone opens up an FTP

473
00:29:33,805 --> 00:29:37,405
because they want to download a file or they're talking to

474
00:29:37,405 --> 00:29:40,900
someone. You you need immediate visibility that this

475
00:29:40,900 --> 00:29:44,500
FTP port opened. Now we we need to do something about it.

476
00:29:44,500 --> 00:29:48,200
Right? From a compliance standpoint, it is true

477
00:29:48,740 --> 00:29:52,520
that certain industries will require a third party,

478
00:29:53,125 --> 00:29:56,184
sometimes certified provider to

479
00:29:56,565 --> 00:30:00,105
validate slash audit that you're you're doing the right stuff.

480
00:30:00,405 --> 00:30:04,164
And you'll know because, basically, that client will tell you that

481
00:30:04,164 --> 00:30:07,940
they need a third party. But I would say, should you

482
00:30:07,940 --> 00:30:11,620
be doing investments every day? Absolutely. You should do that every

483
00:30:11,620 --> 00:30:15,160
day. And that's that's what our platform does.

484
00:30:15,540 --> 00:30:18,680
And it will tell you which ones of these you need to actually act on.

485
00:30:18,740 --> 00:30:22,565
From a pen test point of view, I think there's still some debate

486
00:30:22,565 --> 00:30:26,404
on how often you need to do that. And by the way, I I

487
00:30:26,404 --> 00:30:30,105
know sometimes people get confused. What's the difference between a pen test

488
00:30:30,164 --> 00:30:33,144
and a vulnerability scan? There's

489
00:30:33,529 --> 00:30:37,149
there's ample reason to do both. The vulnerability scan

490
00:30:37,289 --> 00:30:41,130
will show you all the exposures you have on your network. The

491
00:30:41,130 --> 00:30:44,190
pen test will then validate which of those,

492
00:30:45,289 --> 00:30:48,895
they can actually exploit. Right? So a pen

493
00:30:48,895 --> 00:30:52,735
test typically, when it succeeds, you have grabbed data that you shouldn't

494
00:30:52,735 --> 00:30:56,495
have access to. You've created an account that you shouldn't have on

495
00:30:56,495 --> 00:30:59,555
a on a given asset, as an example. You've logged in

496
00:31:00,255 --> 00:31:04,070
with an admin credential. So running a pen

497
00:31:04,070 --> 00:31:06,490
test, we would say, you know, quarterly

498
00:31:07,910 --> 00:31:10,970
at a minimum. Many compliance regimes require annual.

499
00:31:11,750 --> 00:31:15,530
So so I think it's, you know, we we basically

500
00:31:15,590 --> 00:31:19,245
support any interval, but I I would think at least quarterly, you

501
00:31:19,245 --> 00:31:22,925
wanna do a pen test on your on your clients. And by the

502
00:31:22,925 --> 00:31:26,765
way, very useful from a revenue and sales point of view is

503
00:31:26,765 --> 00:31:30,605
to run that run that discovery, so you understand what's on the

504
00:31:30,605 --> 00:31:34,090
network, run the discovery, vulnerabilities,

505
00:31:34,710 --> 00:31:38,470
and also run a pen test, and you'll have a really nice cybersecurity risk

506
00:31:38,470 --> 00:31:42,070
assessment for that prospect. Yeah. Kinda goes again back to

507
00:31:42,070 --> 00:31:45,910
this, the policy and governance of more data, faster data, more

508
00:31:45,910 --> 00:31:49,735
frequent, that keeps you on the left of the boom. Right? Right. The

509
00:31:49,735 --> 00:31:53,575
better job you do left of boom, the fewer incidents

510
00:31:53,575 --> 00:31:57,195
you have to deal with right of boom, which, by the way, only,

511
00:31:57,255 --> 00:32:00,840
like, forensics in IR teams actually like that.

512
00:32:00,840 --> 00:32:04,600
Right? No one else wants to be in an incident response scenario. Yeah.

513
00:32:04,600 --> 00:32:07,500
Even the guys doing the work, I'm sure it's, you know,

514
00:32:08,600 --> 00:32:12,225
it's still stressful regardless of Yeah. Of of sort of the scenario for sure.

515
00:32:12,945 --> 00:32:16,164
The other part, I guess, like, kinda relates to this as well is,

516
00:32:16,705 --> 00:32:19,905
the this can be a lot of work. And I think that's partly what scares

517
00:32:19,905 --> 00:32:23,605
people away from the governance aspect of this is is it's not an expertise.

518
00:32:23,825 --> 00:32:27,299
I think that that's easily remedied by some training and some experience in

519
00:32:27,299 --> 00:32:31,059
getting involved in these things and spending time on it. But, you know, it's

520
00:32:31,460 --> 00:32:34,580
it it feels like a lot of work to do this on on any regular

521
00:32:34,580 --> 00:32:38,100
cadence, and that's where I think the tools can be helpful around this automation of

522
00:32:38,100 --> 00:32:41,794
collection. Right? And Correct. Like, tools like yours where you just sort of

523
00:32:41,794 --> 00:32:45,554
says, here are the parameters. This is this frequency. These are the networks. This is

524
00:32:45,554 --> 00:32:49,395
the assets I wanna check. It just kinda does those things. And instead of

525
00:32:49,395 --> 00:32:52,355
kinda having to have events where you're like, oh, okay. You know, it's third of

526
00:32:52,355 --> 00:32:54,929
the month. I guess we need to do all of these, execute on all these

527
00:32:54,929 --> 00:32:58,049
things. Like, you have a tool that just spits back reports for you, and we'll

528
00:32:58,049 --> 00:33:01,809
know you'll know when there's an exception rather than kinda have to comb

529
00:33:01,809 --> 00:33:05,090
through and find things. Does that makes is that am I kinda understanding that right

530
00:33:05,090 --> 00:33:08,924
from a private from an automation perspective? That's

531
00:33:08,924 --> 00:33:12,365
exactly right. It, the automation part is built into the

532
00:33:12,365 --> 00:33:16,205
platform where it'll automatically, not only

533
00:33:16,205 --> 00:33:20,045
do the scans, but also do the analysis. That's a big deal because it

534
00:33:20,045 --> 00:33:23,830
used to take a vulnerability, you know, management expertise

535
00:33:23,970 --> 00:33:26,790
to figure out what this is and what to do about it.

536
00:33:27,730 --> 00:33:31,490
And we do that all, we we do that analysis using machine

537
00:33:31,490 --> 00:33:34,850
learning. And then we use generative AI to build out the

538
00:33:34,850 --> 00:33:38,455
solution and tell you. And then, it's

539
00:33:38,455 --> 00:33:42,295
risk ordered. Right? So for today or this week, here are

540
00:33:42,295 --> 00:33:46,055
the key things you need to work on, and remedy, and

541
00:33:46,055 --> 00:33:49,735
here's the solution. Because if you do this, that's where most of your

542
00:33:49,735 --> 00:33:53,179
risk is. Right? So I think that automation is super

543
00:33:53,179 --> 00:33:57,020
important. The other thing it gives you is reporting back to your

544
00:33:57,020 --> 00:34:00,380
client, which we know is super important. Right?

545
00:34:00,380 --> 00:34:04,220
Because when you meet with your client monthly, or quarterly,

546
00:34:04,220 --> 00:34:08,025
you wanna be able to show progress. Right. And this is a great

547
00:34:08,105 --> 00:34:11,645
which you could say, here were the vulnerabilities we found.

548
00:34:11,864 --> 00:34:15,385
These were the ones we remediated. Here's what your score was

549
00:34:15,385 --> 00:34:18,665
before we did it, and here's where it went up to. And I think that

550
00:34:18,665 --> 00:34:22,429
being able to show what you're doing for your client to secure them,

551
00:34:22,889 --> 00:34:26,489
they don't need to know all the details of all the CVEs and what are

552
00:34:26,489 --> 00:34:30,250
criticals and what are mediums and whatnot. But they do wanna know that

553
00:34:30,250 --> 00:34:33,824
you have their back and that you are, in fact, managing the

554
00:34:33,824 --> 00:34:37,505
risk of their network. And being able to show that in a report is a

555
00:34:37,505 --> 00:34:41,344
really good way to communicate that. Yeah. I like that idea of of

556
00:34:41,344 --> 00:34:45,025
the progression. Right? Like, I think there's reporting that isn't as

557
00:34:45,025 --> 00:34:48,830
valuable, but if you're able to demonstrate progression or at least the the

558
00:34:48,830 --> 00:34:52,590
the maintenance of that. Right? It's for some period, it may be,

559
00:34:52,590 --> 00:34:55,949
you know, we were at 70. Now we're at 88. Now we're at 95. And

560
00:34:55,949 --> 00:34:59,710
then at that point, distributors are like, we're we're maintaining between 95 and a hundred.

561
00:34:59,710 --> 00:35:03,434
We're doing our best, and that becomes a just a quick update rather than

562
00:35:03,434 --> 00:35:06,815
sort of that progression that you move through. Right? And by the way, that is

563
00:35:07,275 --> 00:35:11,115
one of the differences to right of boom. Right? So if I'm paying someone

564
00:35:11,115 --> 00:35:14,815
24 by seven to monitor my network for threats

565
00:35:15,720 --> 00:35:19,480
and they never find anything. That's actually good news if you think about it.

566
00:35:19,480 --> 00:35:23,080
Yeah. Right? But then you ask the question, are they

567
00:35:23,080 --> 00:35:26,520
looking hard enough? Right? Are they seeing everything? How do I

568
00:35:26,520 --> 00:35:30,244
know? Right? Yeah. Left of boom is actually the blocking and

569
00:35:30,244 --> 00:35:34,085
tackling that MSPs do. And to be able to quantify

570
00:35:34,085 --> 00:35:37,924
that with KPIs and say, here's all the stuff we did for you,

571
00:35:37,924 --> 00:35:41,684
and here's how we've improved the security. It's like managing other

572
00:35:41,684 --> 00:35:45,500
parts of the business. Right? You just wanna be able to show, here's

573
00:35:45,580 --> 00:35:48,780
here are the issues we found. It's like you said, code. Code on the house.

574
00:35:48,780 --> 00:35:52,620
Right? We're building the code, and here's the proof points of all

575
00:35:52,620 --> 00:35:56,325
of that. Yep. Fantastic. Well, I appreciate your

576
00:35:56,325 --> 00:36:00,085
time, Manu, and, thanks for for sharing a bit of insights and

577
00:36:00,085 --> 00:36:03,385
keeping us, safe on on the left side of the boom. Any

578
00:36:03,925 --> 00:36:07,145
last, bits to share or anything we haven't covered?

579
00:36:08,725 --> 00:36:12,550
Well, I think, you know, keep looking at

580
00:36:12,550 --> 00:36:16,070
the compliance side of this and the governance side of this, the

581
00:36:16,070 --> 00:36:19,910
cyber insurance side of it. It is driving the right kinds

582
00:36:19,910 --> 00:36:22,490
of decisions, I believe, that,

583
00:36:23,510 --> 00:36:27,145
MSPs will make. And and and that's because there's money at

584
00:36:27,145 --> 00:36:30,905
risk. Right? So anytime you have money at risk, smart people get

585
00:36:30,905 --> 00:36:34,585
together and they say, how do we reduce that risk? So I think it's super

586
00:36:34,585 --> 00:36:38,185
valuable to to continue to look at the NIST CSF, look

587
00:36:38,185 --> 00:36:41,720
at, CS compliance. It will guide you

588
00:36:41,720 --> 00:36:45,420
down the right path for what you need to do for your clients. And, obviously,

589
00:36:45,640 --> 00:36:49,400
at ThreatMate, we're glad to help on the left of Boom side. But thank you

590
00:36:49,400 --> 00:36:53,160
for your time. This has been, very helpful, and I hopefully enlightening for

591
00:36:53,160 --> 00:36:56,727
for the audience. Great. Thanks for your time. Take care, Anoop.

592
00:36:57,266 --> 00:36:58,007
Thank you.