Cybersecurity: Amplified And Intensified

Episode 20 - Understated or Overblown: A Kaseya saga.

July 12, 2021 Shiva Maharaj/Eric Taylor/Brian Weiss/Robert Nelson

On this episode Brian Weiss and Robert Nelson join us to discuss how the Kaseya incident has affected its MSP customers and their customers, the failings of most compliance regimes, Kaseya choosing FireEye over its own recent acquisition RocketCyber, and the effects of this incident on municipalities whose providers use Kaseya on CJIS-regulated systems and data.

Eric Taylor | LinkedIn 
Twitter: barricadecyber 
www.barricadecyber.com 

Shiva Maharaj | LinkedIn 
Twitter: kontinuummsp 
www.kontinuum.com   

Brian J. Weiss | LinkedIn
Twitter: bweiss805
www.itech-solutions.com 

Robert Nelson | LinkedIn
Twitter: techplanet4u
techplanetnow.com 


BARRICADE CYBER
Ransomware Remediation Services, Incident Response and Penetration Testing.

KONTINUUM
IT support that's actually supportive.

FASTMAIL
Your data is for you, no one else. That includes your email, calendars, contacts, notes, and files!

Transcript

Shiva Maharaj:

Thank you for joining us for another episode of Cybersecurity: Amplified and Intensified with Eric Taylor, myself Shiva Maharaj, our recurring guest Brian Weiss, and we'd also like to welcome Robert Nelson of TechPlanet. I know we are going to discuss the hot steaming pile of shit that is Kaseya. Where would you boys like to get started?

Eric Taylor:

We could pick up right there.

Robert Nelson:

Number one thing that I thought was kind of interesting was Kaseya is now giving FireEye, I guess, to people, or at least for a limited period of time, to work their way through this thing. But they have RocketCyber,

Shiva Maharaj:

the RocketCyber acquisition came on the heels of the Perch acquisition by ConnectWise. And RocketCyber, based on all of the press releases, is supposed to be the saviour of everything. I haven't heard anything about RocketCyber actually detecting or mitigating. Oh, wait, no, they don't mitigate, because RocketCyber is nothing more than a log collector with absolutely zero intelligence.

Robert Nelson:

So that'd be kind of like Sumo Logic. Commonly, they put it in a different form.

Shiva Maharaj:

Well, Sumo Logic collects and you have to supply the intelligence, whereas RocketCyber is supposed to be a managed SOC slash Kool-Aid, because we all know how much of a turd most of those guys are in the channel. For the most part, all but two of them have been quiet throughout this entire incident. But my question is why. Now, I love FireEye. I think Mandiant is a really good company, as far as great tech. Why is Kaseya using them and not using the golden bastard child that is RocketCyber,

Robert Nelson:

It seems like it would be a great way to show off their technology.

Eric Taylor:

I think two things. You know, you got one where you don't want to have everything from your internal systems, you know, being the front of it, I guess. But at the same time, you want them to be the front of it. You know, you've purchased this recommended SOC that's supposed to be the saviour, but yet you are going with a third party to do all of your analysis and, you know, logging, just doing everything from Mandiant. So is RocketCyber really not up to snuff like they say it is?

Robert Nelson:

Okay, I was sold RocketCyber as like having another set of eyes. Also, when I'm out delivering pizzas, if something were to happen, I could get flagged and know about it. I tried to rely on it. But I never could get a good, clear answer of anything that was an issue. I got a lot of noise, but nothing of any importance that I ever found. I really liked the Office 365 part that they were trying to roll out, but I was having some weird issues with it. And of course, every time I submitted a ticket, it's under development, or we're still trying to work the bugs out, or you really need to go buy another licence for this or another licence for that. So then when they rolled over into the minimum, I just walked away. I said, I'm not paying you one thing when you're working on it. You know, a really good price, what I thought was really good value, when you're working on it, I had the patience. But then when you want to charge me like you're real, then you need to be real. So I walked away from it. Plus, then Kaseya bought them out. And I'm not unlike some other guys. I'm not a fan of them.

Brian J. Weiss:

So here's my answer, Shiva, to that question. Number one, how did they know RocketCyber wasn't infiltrated?

Shiva Maharaj:

They said, well, it's completely separate and VSA is not being used on that steaming pile of shit? I mean, sorry, SOC.

Brian J. Weiss:

Yeah, I mean, they said that marketing-wise to try to keep people from freaking out. But until you know the depth of what actually happened, how do you know what type of lateral attacks did or

Shiva Maharaj:

didn't happen? Are you telling me that they may not be that truthful with what they say in public?

Brian J. Weiss:

100%. I mean, it's all PR. You know, you don't want people freaking out and jumping ship without knowing all the info. So you try to tell them things to calm them down until you do know the info. And then the other thing I would say is RocketCyber just isn't enterprise-level threat hunting. Bottom line, they're log aggregation. It's more compliance

Shiva Maharaj:

than it is security. But is there any real threat hunting there, other than canned commands or searches and queries that every other managed SOC might be using?

Eric Taylor:

So they're going to put in, just like Huntress, and you know, I may potentially inadvertently bash Huntress a little bit here, but they are just parsing what they know. But in the setup and configuration, at least when we were all part of it, you know, you would put in your AlienVault product key, you would put these other API keys in for your external threat feeds. And then it would parse all those API keys and external threats against your stack to see what was there. So they didn't have it all internally built by any means.

Shiva Maharaj:

But that's just using third-party threat intel, realistically. And going back to your comments about Huntress, I think Huntress demonstrated some extensibility of their agents and their capabilities by accident. I think they showed really how deep they, or any company with system-level access, can get into an endpoint.

Eric Taylor:

Yeah, that's really something we were kind of hinting around the other day, but we never really talked about. So Huntress said that they were able to re-inject a legacy .exe, the agent .exe, and some legacy DLL files, but I never got a straight answer. Did they do that from their platform itself? Or did they give it to the MSP to put it back on their servers?

Shiva Maharaj:

They did it pre-emptively for the MSP via their agent or their system-level access.

Eric Taylor:

Yeah, 'cause their agent is supposed to only be a one-directional thing, log collection and some middle.

Shiva Maharaj:

Once you're on the system, you can do whatever you want, right? It's on the company. Now in this case, I don't think Huntress did anything wrong by swapping out those files for files that would do nothing but benefit the MSP. I'm just waiting for the day, and I hope it's soon, that Kyle drops the "Hey, we're doing a managed SOC offering." Now, Robert, you use them? What's your experience been so far?

Robert Nelson:

So far, it's been good. I mean, I don't use them extensively. I'm slowly rolling them back out to some of what I consider my high-value targets. But so far, it's been good. I've noticed things like, so when Bitdefender does an update and some of those executables change, you see Huntress picks up on it, they flag it, they make sure they're the right thing. And then they clear them and whitelist them on through. And of course, once they're in their system as good, then they are everywhere as good. But I thought that was pretty interesting to watch some of those updates happen. But you know, it's a persistence checker. But here's the one thing that really bothers me about Kaseya, and we've had this discussion individually: this is the third time in three years they've been breached by REvil, and they are reaching out to another company that was breached by somebody less than a year ago, to help them as a RocketCyber replacement. It's a group of breached companies now offering services. And at what point in time do you finally say, look, I can't trust you anymore?

Shiva Maharaj:

Well, according to their CEO, only 50 MSPs were hit. And despite it being a life-changing event for those MSPs and their customers that got hit, according to the CEO, it's just being overblown. It's not the biggest incident in the history of ransomware.

Brian J. Weiss:

And they're just small businesses, right? So we don't care. You don't count. They don't count.

Robert Nelson:

Well, look on social media. Those people that are the members of The 20 that used Kaseya are just, they said, like, it ain't no big deal. We quit providing services to our clients for a week, it's no big deal.

Shiva Maharaj:

All these Kaseya users at The 20, which is a master MSSP, or loosely called a master, they all have the same talking point: it's an off-patch week, so we're not missing anything. Which means The 20 has invested in spin and marketing and legal to give them their talking points. But let's consider something here. Just before Kaseya got popped, what vulnerability were we all dealing with?

Eric Taylor:

PrintNightmare,

Shiva Maharaj:

and there was a patch. Well, three patches now, but there was one on Wednesday, despite it being a piece of shit that doesn't work, which is okay, that happens. At least there was a patch, which is more than I can say for Kaseya putting anything out. How were the 20 MSPs, or the MSPs that are part of The 20, or any MSP using Kaseya, going to roll that out? Because I know they didn't have Intune configured. I know that 90% of them are just serving pizza. So the first major

Robert Nelson:

patch came out on Wednesday and The 20 couldn't roll it out. And then of course, the updates that have come out since, they haven't been able to roll out, because I don't think they're going to be live again till Sunday, if everything works right. Allegedly, you know, yeah, allegedly, because they had a cocytus deal. They were going to be live like last Monday or Tuesday; they started going live, then all of a sudden they pulled the plug. Nobody knows why, other than we can guess they found another hole in the Swiss cheese that they had to go back and plug. While you're on that topic, I don't know if you saw Fred Voccola's video from maybe Wednesday, or perhaps it was Thursday morning, where he stated all of the vulnerabilities that were exploited have now been patched.

Shiva Maharaj:

So how many vulnerabilities were used on this thing? Is that why they took him out and pinch-hit with the CTO, who said absolutely nothing of substance?

Eric Taylor:

Yeah, because all he did was reiterate what their CFO said. But I want to know, is that part of what was disclosed yesterday or the day before, of the portal that was left vulnerable since 2005, that they just recently talked about?

Robert Nelson:

It. You're talking about the article that came out from Krebs. So was that vulnerability exploited, and is it now patched, or did they just choose to continue to not patch it because it's only been 16 years

Eric Taylor:

to investigate? So from what I gather from that article, they disclosed it, it's never been patched, and it was part of the exploit. I don't know, y'all. Huntress put out a video not too long ago of kind of walking through how to use a wrapper around Mimikatz to exploit it, which is kind of creative, you know, from a pen testing standpoint. I was like, huh, I never thought of that shit. So I'm actually scribbling down notes on, like, alright, I know how to freaking go after this now. But even that is Huntress's best guess of what's happened, you know, how REvil got there, right? So I still see on Twitter unofficial reports that more and more people are coming out saying they have submitted vulnerabilities to Kaseya that they have never patched in over 13 years.

Shiva Maharaj:

Hey, Brian, you are a former Kaseya partner, despite not having any equity. How has their update cycle run on the platform in terms of vulnerabilities and potentially new features?

Brian J. Weiss:

So I mean, I haven't used their VSA product, which was on-prem when we were using it, since 2018. I felt like it was very poor communication back then anyway, as far as, hey, we've got a vulnerability, you need to patch your on-prem server ASAP. And it falls in line with this: hey, we added a WAF rule to our SaaS platform for this vulnerability, but didn't bother to inform any partners they should do the same thing for their on-prem servers until we get this patch. Right. But

Shiva Maharaj:

would you really want to put that out there and affect your valuation pre-IPO? That doesn't make any sense.

Brian J. Weiss:

Yeah, I mean, these are the types of concerns I have when, you know, companies like this go public: what's going to happen with leadership, and what direction are they going to be taken? The company is going to care more about PR than they do their partner base at some point in time. Right. One thing

Shiva Maharaj:

I wanted to discuss, I don't know if you guys heard Fred Voccola speak about this, is Kaseya Cares from 2020, which was Kaseya's money grab at federal funds. And let me expand on that, because maybe that's not what it was. But I think it was just bullshit wrapped in altruism. They hired attorneys, accountants and everyone else to help their partners get a piece of that CARES money pie, and I'm pretty sure it was for two things: to make sure the Kaseya bills kept getting paid by their partners, and to make sure those partners got through COVID to continue paying his bills. This isn't because they are helping anyone. This is because they are helping themselves. But as I said, wrapping it in altruism.

Robert Nelson:

Once a company goes public, yes, their priority does shift to the stockholder. I mean, it has to. That's just part of being a public company, does it not?

Shiva Maharaj:

But the shareholder doesn't get the golden parachutes that C-level gets.

Robert Nelson:

No, but look, they're looking for that value. They're looking for that stock growth and those dividends or whatever; that's why people invest in them. There becomes a focus on trying to raise that value. I mean, look at what SolarWinds is doing: they're spinning off their least profitable section into something else so that they can get their stock value back up for everybody. Well,

Brian J. Weiss:

I mean, when you're private, you know, partners like us have more leverage when it comes to voting with our dollars, right? We don't like a vendor, we don't use them. The minute they go public, our dollars have less leverage, because now it's all about public stock price, because private equity, who still likely owns the majority of the company even though it's public, now sees that public stock price as their driver for making more money, versus

Robert Nelson:

the marketer making money not on selling their services anymore. They're making money on trying to get that stock price up.

Shiva Maharaj:

I want to ask a question here. We keep talking about using your money to vote by which vendor you buy. When you consider the MSP channel as a whole, do you think that's even a possibility with the sheer number of fanboys for any particular vendor? I mean, you say something marginally not nice, not even bad, about certain vendors, you will get an entire Slack room ready to hang you.

Eric Taylor:

Just like when I had that same experience when I, you know, threw a little shade at Huntress because everybody was thinking that they are a managed SOC. I'm like, no, no, they're not.

Robert Nelson:

Huntress is like that. Pax8 is like that, even Kaseya themselves, and, Robert, other

Shiva Maharaj:

RMMs too. Have you ever had an incident where a salesperson sent you something in an email, and when push came to shove, they said no, despite it being in an email twice?

Robert Nelson:

And one of them was the head of Pax8, who finally just said, well, we can't honour what he said. I mean, it was a pricing issue. And I was in the middle. I'm using Syncro for the most part now, and I was working on the integration; it looked like it was really good. And I get all my CSP stuff through Synnex, who have been very, very good as far as easy to work with and everything, a little slow to respond with tickets, but overall, like the VSA incident now, they are not used for shit this weekend. So true. So the guy told me everything I needed to do to get my price, because they'd mentioned a better price to me a while back and said, here's everything you need to do to get a better price. I did it. He said, oh no. It was like, what are you talking about? I said, well, here's your email, dude. I don't understand. I mean, it was just like I was talking to an alien or something. So I reached out to Patterson, I think is his name. We had a couple of conversations, didn't really get anywhere. I've got one little thing left with Pax8 I'm trying to figure out what to do with, and then I'll be through with them. But it's just not as great as some people are getting. Some fantastic experiences, I guess. But it's not me.

Shiva Maharaj:

I think vendors are starting to get to the point where you get the treatment based on how much effort you put into them and building their social media profile. If they know you're going to be their cheerleader, they will pave the road in roses for you to walk on.

Eric Taylor:

though you buy seeds goes to a company,

Robert Nelson:

They need to pay me some attention, because my MSP group is ranked number 43 as one of the most influential

Shiva Maharaj:

Trolling group or the real group? Because I know you have two.

Robert Nelson:

That's the group I created to troll Ryan Christopher Smith. Gotcha.

Shiva Maharaj:

That list is bullshit.

Robert Nelson:

We rarely even post there, but it's number 43. Of all seven

Shiva Maharaj:

members of groups.

Robert Nelson:

It's got like 800 members in it.

Unknown:

Oh, wow.

Robert Nelson:

Okay, but I reject as many as I like. It's a quality versus quantity thing. I reject a lot of people.

Shiva Maharaj:

Are you guys coming across any MSPs that have been directly affected by this Kaseya incident? I see both Ryan, I'm sorry, Brian and Eric shaking their heads here, for those of you listening. Who wants to go first to tell us about what's going on there?

Eric Taylor:

I guess I'll jump in. I mean, we just kind of talked about last episode that, you know, some of these MSPs that we're talking to are scared. They don't know what to do. Now they're probably going to be having talks with Kaseya about how they're going to financially benefit them and make them whole again, as the CTO, or the CFO, said. So I don't know if they are actually going to end up paying the ransom for these affected companies, because Solutions Granted is in the mix doing the negotiation, which sucks, I really wanted to be part of that, that would have been great. But anyway, I don't know if they're just paying through those guys and trying to make some of these guys whole or, you know, if they're saying, okay, well, you had to pay, you know, $20,000, whatever the amount is, we'll give you a credit on your bills, you know, equal to that plus whatever. I don't know,

Brian J. Weiss:

Fred came right out and said that he's not going to pay any of the ransom Bitcoin, because America doesn't deal

Shiva Maharaj:

with veteran john way. Yeah.

Eric Taylor:

But he did say we're going to put financial backing to make these MSPs whole again. So explain to me what the fuck that means.

Shiva Maharaj:

I know it's PR. No, I think what he's going to do, because there are so many affected, despite him saying it's just an overblown incident that, you know, the White House and intelligence agencies have to get involved in, they don't have better things to do. I think he is looking for MSPs to go and negotiate their ransom, and then come to Kaseya and say, hey, to get back on our feet, we need $100. And whether or not that $100 includes the $50 for the ransom, not that it's going to be 50, Kaseya is going to dole it out and have plausible deniability to say we didn't pay any ransom. So we gave the MSPs what they asked to get back up and running,

Robert Nelson:

That's gonna be given back to them in credits. There's no way they're going to give that back in cash. Because what would prevent somebody, you give them the cash, and then they cancel, you have no chance of ever recovering? So you're going to give it back to them in credit.

Shiva Maharaj:

No, it can't be credits. Because when you consider what the ransoms are for some of these companies, they don't have that kind of cash laying around. I think what it's going to be is some kind of agreement that the MSP has to sign saying, if you take money from us for helping you with our fuckup, you can't sue us,

Brian J. Weiss:

and you have to honour all

Shiva Maharaj:

contract terms, or extend your contract by 5 million years.

Robert Nelson:

Well, it's got to make sense. It's gotta make sense if they were in fact in a pre-IPO stage or preparation. It's got to make sense because they've got to account for it moving forward through this, so they can continue on to that stage. And then their thoughts could be, if we get through it, we go IPO, we can raise enough money to help overcome whatever ended up happening,

Brian J. Weiss:

What MSSP in their right mind would stay with Kaseya if this event affected them? That's my first question. There are many

Eric Taylor:

Probably all of them. They're all scared, you guys. Think about it. Let's go back into the flashbacks of your situation, you got hit with ransomware before. What if you were sitting on a pot now for a week, not knowing what the hell's going on, your clients are up your ass because you can't do anything. You know, you're sitting there holding the bag in the middle, you're not getting any support from your vendor, possibly any support from your partner vendors. You're getting reamed out by your customers. You're probably losing customers right now. Like, that's some of the conversations we're having with clients or prospects. They're like, look, I don't care what's going on. I need my business back up. I don't care what the hell Kaseya or the MSP is doing. I need my crap back up.

Brian J. Weiss:

Well, so here's the thing. I mean, the two people that I know, one of them's in an MSP group and the other one's in a partner advisory board. The one in the partner advisory board had 5000 endpoints, and literally Saturday was moving to Datto RMM, basically saying, I'm done, I need an RMM now. And he's literally doing truck rolls where needed to get it installed, or hopefully GPO or Intune, if he's

Shiva Maharaj:

got that set up. Was he able to restore the computers? Or is this someone who has a down server but not crypted?

Brian J. Weiss:

Correct. Yeah, down server but not crypted. So I guess there's two different boats you could be in, right? I mean, down server, whether you're SaaS or on-prem. Again, why are you waiting around to use an RMM that may cause you more damage? Why not just jump ship to another one right now?

Robert Nelson:

Well, how many days do you wait before you finally just say, okay, y'all told me Monday or Tuesday, and now you've all of a sudden changed it? So you go and make promises to your clients that, hey, we're going to be fully back up again on Wednesday or Thursday. And then, okay, now you're telling me Sunday. What happens if Sunday comes and you say, well, we had another little glitch, it's gonna be a couple more days? So I could see, especially somebody that's larger, depending on the client, that yeah, you may even end up in a split situation. I would have jumped on that Friday.

Shiva Maharaj:

As soon as I heard Kaseya got popped, I would be calling another vendor saying take my money.

Brian J. Weiss:

And there's two issues there, Robert, right. There's, did your client get popped? Are they actually down? Right, which, you know, let's face it, I'm not going to wait for Kaseya RMM to come back up to address my client being down. So that's a moot point. You know what I mean? So I immediately need a different RMM and a different tool as I get them back up and running, to take control over things. Again, let's make

Shiva Maharaj:

this a learning experience here. Let's actually teach something for once in our lives. You went through a ransomware event because of Kaseya's bullshit, Brian. How long did it take you to get onto a new RMM?

Brian J. Weiss:

So luckily, we were already halfway through migrating to a new RMM, which is why only half our clients got hit. And we already had it installed, just not configured, ready to disable Kaseya. Immediately after, you know, obviously, we immediately disconnected the server from the internet. But we had to do some discovery on it. So after we pulled the SQL query logs identifying what systems got touched, we downed that server and never booted it back up. In fact, I think I might have physically destroyed it, like in Office Space. But yeah, I mean, we were lucky in that sense. In my opinion, RMM is one of the easier things to migrate, definitely a lot easier than, say, a PSA. It's just a matter of how do you get the agent on the machine?

Shiva Maharaj:

I mean, let's unpack that. One of the biggest things that all vendors hope for is it's gonna take you too much time or it's too complicated to move. I know that myself, Eric, and three or four other MSPs jumped ship from ConnectWise in June, July of last year, and within three or four days, we were fully rolled out, each on Datto RMM. There's no real issue in being able to migrate, I think,

Eric Taylor:

No, there's not. And just like what Brian was saying, it's all about getting the agent. You know, you can get at least a baseline configuration put together on the RMM and get that thing rolled out. And, you know, then work on the configuration of the patching and other, you know, alerts and monitors and all that other garbage that you need to build out over the course of days, weeks, months, whatever, you know, your stack looks like. But it also talks a little bit to what we have started out before about the barrier of entry into the industry, right? $50 for Datto. You have $50 and a freaking credit card and you have a number of agents that is as easy to instal as Adobe

Shiva Maharaj:

Reader. Even Adobe Reader's harder, man,

Eric Taylor:

Maybe trying to find the right version online, maybe.

Shiva Maharaj:

Just use the cracked version that everyone seems to want to instal on their system. Please don't do that. That was

Robert Nelson:

You need to make sure you got two agents on your system, your Datto, your Kaseya, whatever, and then just go buy a single Syncro or Atera account, set up a policy that's nothing but information, doesn't actually do anything, and then instal it on everything so you have a second way into everything.

Shiva Maharaj:

Okay, David mode

Brian J. Weiss:

Threat actors would love to see us do that.

Shiva Maharaj:

Oh my god, increase the surface area for attack. I mean, that makes perfect sense now.

Eric Taylor:

So I mean, with that said, I wouldn't say you would have to do two RMM agents. Definitely doing an RMM agent and doing some sort of remote session platform, whether it's, God forbid, ScreenConnect, or it's Splashtop or TeamViewer, or something. So if your RMM goes down, you're not dependent on that RMM for your remote access; you depend on a third-party application to get you back in. Let's go through that.

Shiva Maharaj:

If you're using Intune, you shouldn't need to do that, because you wrap an .exe or just load an MSI and boom, you're off to the races. Okay, fine. If you're on-prem, maybe you roll a truck

Eric Taylor:

or GPO, but most of us don't even need to do that. You just do the SOS or Quick Assist or whatever the variant is for that particular screenshare, and you're good to go.

Brian J. Weiss:

What we do is we rely on Intune or GPO for workstation stuff, if it comes down to that. On-prem servers is where I think that would make sense, where you're going to have maybe another way to connect remotely pre-installed, because especially if you're relying on GPO configuration, right, that's how we currently do it. And what we did recently is any on-prem servers we could easily roll a truck to and get to, we even ripped off the secondary access,

Shiva Maharaj:

There's an easier way to do this. I know all of us in here are using some type of EDR platform. You can launch a shell through all these EDR platforms now and just roll out a new programme.

Brian J. Weiss:

Yeah, and even take some of your monitoring you do in the RMM and move that over to EDR.

Shiva Maharaj:

Here's a question for Eric. This is something you and I have been considering: scaling back the use of a seminar SOC on the endpoint, because we're using a different vendor that has managed threat hunting. Then Brian, you're using a separate vendor that also does the same thing. So I guess, maybe Robert and Brian, since you guys are smarter, do you think every client should have a managed threat response platform?

Eric Taylor:

You're not building it out internally? Yes. Okay. How about you, Robert? Yeah.

Shiva Maharaj:

Is that something you guys are going to do, or in the process of doing? Go, Brian,

Brian J. Weiss:

I just sent an email to my clients in response to this: hey, we weren't affected, that we can tell. But we have no idea how serious this threat actually is. So we're rolling out our MDR service to everyone right now for the next 30 days at no cost, and sending them quotes for what it's going to cost after the 30 days,

Shiva Maharaj:

Are you going to do the typical vendor douchebag move and say, hey, if you don't cancel within 30 days, we're gonna ding your arm for it? And we're not auto-charging clients, if that's what you're asking. That's good.

Brian J. Weiss:

But what that tells us then, so if they say they don't want it, the question is, okay, when it's not here, sign this form that you're not getting it. It's, alright, you need to tell us when you're going to pay for this then. And then if they say never, then that's a whole different discussion, right? It's like, alright, listen, we're gonna have to look at either putting security in place sooner than later or finding you a new IT company.

Shiva Maharaj:

Now, I'm happy you started talking about that, because in our private Slack, where we make fun of each other, you mentioned that insurance renewals are coming around for you and some of your clients, and it's becoming a stack of encyclopaedias you have to go through. What are the new applications looking like for you and your clients? And I can only imagine, because we are still not asked, but the industry is still in the Kaseya incident, some of those applications are going to be adjusted before being finalised.

Brian J. Weiss:

Yeah, I mean, the applications I've seen are a complete shit show, because the questions they ask and the answers they allow you to give don't make sense. There's one I saw the other day: do you have MFA configured? And it asked me, router? To answer this, and the answer is endpoint, and I'm thinking, yeah, go ahead.

Shiva Maharaj:

You have to have MFA in front of a SQL injection. Yes, that would have stopped it, because half of our industry thinks if you had MFA, any code injection or command injection would not have been able to get to Kaseya, or, as Robert likes to say, Kaseya.

Eric Taylor:

I'm just gonna sit here and eat my head

Robert Nelson:

Keyboard. Your questions are being written by people that don't understand it, because they are in there expecting certain answers, and they haven't engaged anybody to say, this is how you do that.

Eric Taylor:

I don't know how you did it. I do want to be fair and cut off Brian, because I love doing that. A lot of these guys are, like I've said before, scared shitless. They're looking for a way to give them an answer they can fucking believe at this moment. So whether it's, hey, if you had our service, we would have stopped it, aka threat hunter, thanks

Robert Nelson:

through, like, Danny at ThreatLocker.

Eric Taylor:

Yeah, ThreatLocker,

Shiva Maharaj:

but they are zero trust,

Eric Taylor:

but not zero knowledge.

Robert Nelson:

There is zero trust but not zero knowledge, so to speak. Now, if you want to shift over to that discussion: do you want zero trust and zero knowledge, or... zero trust? I'm like you, I want zero trust and zero knowledge. I don't want you to know nothing about my clients, period. I really don't even want you to know their names. You know, I'm your customer. You sell me... for a true SOC,

Brian J. Weiss:

If you have a true SOC backing you, it's not going to be a zero-knowledge relationship.

Shiva Maharaj:

But that's a different today.

Robert Nelson:

I'm not talking about a SOC. I'm talking about something like ThreatLocker. Yeah. When you start asking those questions, it's a whole dance around. They are, in essence, the same thing. I got in a discussion yesterday about how does The 20 do zero trust, because my understanding is their Kaseya instance doesn't even make use of the multi-tenant solution that they have. So it's not possible for them to do zero trust; you can never implement it under that solution.

Eric Taylor:

Yeah, because of the way their architecture is built. So you get a bunch of MSPs as part of The 20, and in their head office they have a bunch of network admins or whatever that are, you know, taking care of all of the members. So they gotta be able to see all of those tenants at any given time and do what they got to do. And you know, I'm not gonna throw anybody under the bus by any means, but I've been told that if you are a member of The 20 and you start reading scripts, you can start seeing scripts from other members of The 20. You can use scripts

Shiva Maharaj:

from... it's a community, it's crowdsourced support.

Robert Nelson:

Yeah, it's more like a community than individual MSPs,

Eric Taylor:

That makes me want to put in some sort of ransomware payload: do not run me.

Shiva Maharaj:

Oh, that just means everyone's gonna run it, because

Robert Nelson:

that would be funny.

Brian J. Weiss:

So I do want to give a plug, though, to Tech Rug. They've been helping me to cut through all the crap with insurance. And the underlying issue is that the insurance brokers that you deal with, that hand you the forms to fill out, all they do is pass that information off to the carrier, who then has their own underwriting team that analyses everything. And so you've got this separation between you and the person that's actually classifying your risk. And so there's naturally a breakdown of communication there, especially when the questions they ask don't even make sense in some cases. Whereas a company like Tech Rug, who's specialising in this, actually built out their own underwriting team in-house and has developed relationships with carriers where the carriers trust their scoring system, and the questions on their application actually make sense. You're like, oh, this is what I'm used to seeing, like, you know,

Shiva Maharaj:

Isn't that what Jon Murchison is doing over at Blackpoint as well?

Brian J. Weiss:

He is, but from what I understand he can't get me E&O insurance. And I

Shiva Maharaj:

mean, cyber, I don't think he's touching

Brian J. Weiss:

And it's a big no-no to have E&O and cyber with two different carriers. You want them with the same carrier, so they don't point the finger when it comes down to a

Shiva Maharaj:

claim. An insurance company would never do that. Why would they ever make you jump through hoops so they don't have to pay out on your claim? Come

Robert Nelson:

on, just get your cyber liability from breach security. They just ask you, do you want 25,000? You want 50,000 a year? They don't ask no questions.

Shiva Maharaj:

That isn't gonna pay for Eric's lunch while he's remediating your shit.

Brian J. Weiss:

One last thing here on the insurance front: the two carriers that are kind of ahead of the curve right now are Beazley and Lloyd's. So those are the two we're looking at. We're with CNA now, that I'm trying to get off of.

Shiva Maharaj:

CNA got popped in February. Yeah, they did. Yep. Yeah.

Eric Taylor:

Oh, and they just released it. They've got another data breach from... outta the ransomware? Yeah, from the ransomware. It's all part of the buzz after the ransomware incident.

Shiva Maharaj:

They announced that this morning.

Eric Taylor:

Yep. So it's great, guys. It's just freakin great. I mean, you know, whatever.

Shiva Maharaj:

So I want to do a little round robin here. I don't want to talk about Robin Robins. But let's start with you, Robert, since it's your first time joining the Cabal: what are you doing differently now for your clients that you weren't doing a year ago?

Robert Nelson:

I think, you know, first of all, we're in an extremely rural area here, and trying to get people to understand the security issues out there is proving to be a big deal. So basically, we're still on an education campaign and trying to get people to upsell their posture, you know, roll out more enhanced tools that would better protect them, and starting to do more to try to verify that things are working as they should, but probably not doing near as much as what I should be doing.

Shiva Maharaj:

How about you, Brian? What are you doing today that maybe you weren't doing a year ago for your clients?

Brian J. Weiss:

I mean, this recent event gave me a lot of time to kind of reflect and have flashbacks to what I went through three years ago. I'm at the point now where it's like... it feels bad to say this, because I feel like I'm leaving a part of the small business community in the dust. But like, if a client doesn't care about security, I don't have the time to give them the time of day, or however that saying goes,

Shiva Maharaj:

I mean, why should you, if they don't care about themselves? Right,

Brian J. Weiss:

It's just too much of a risk to take them on and then have to deal with, you know, not only worrying about my own house, which I'm constantly revisiting, looking for gaps, but then have this client that I just know has gaps because they don't care about security. And so, you know, I'm looking obviously in the co-managed space, dealing with IT departments that are struggling, that need help getting into the cloud and getting a better security posture, because they talk our language, and they care about security, and they have a

Shiva Maharaj:

budget. I hear there's a really good book out there on co-managed; maybe you should check it out. I'm not gonna say who it is. Maybe I should check it out, because I know you guys see eye to eye on co-managed,

Brian J. Weiss:

We see a little differently, you know. Co-managed with one IT person working at the client seems like a nightmare to me.

Shiva Maharaj:

I try to absorb them. And by absorb, I mean tell the client to fire their one person in-house and just hire us.

Brian J. Weiss:

Yeah. Or if that person is really good, hire that person and do fully managed.

Shiva Maharaj:

Good... they wouldn't be looking to you.

Brian J. Weiss:

Fair point. Co-managed, there's like four different models, right? The model I like the best is actually the VAR model, where I'm going in and I'm maybe just selling a tool to build that initial relationship, time and material, man,

Shiva Maharaj:

It works. How about you, Eric? What are you doing for your clients today that you weren't doing a year ago? And for you, I think this takes two viewpoints, right: incident response, and then post-incident response, where maybe you're picking up some managed services or managed something or the other.

Eric Taylor:

Yeah. So we're doing a little bit more these days of the MSSP model, I guess, where we go post-incident and we get people cleaned up. You know, they want us to stay around, naturally, which we're honoured to do. You know, we're putting together services and things of that nature to keep them going forward. The existing clients that we do have, we're actually doing what's called atomic red teaming. We will actually go through the MITRE ATT&CK framework, we'll pick a certain topic, you know, email phishing. Let's say you got an email phish, just like the ones that I talked to you about early this morning, where Microsoft Office has a vulnerability. I will call it a vulnerability, maybe it's just a configuration: the threat actors are able to bypass the notifications of our macro warnings. You can actually execute macros inside of an Office document and start doing what you want to do without being forced to enable stuff. So you're going through those types of threat vectors. You know, this kind of goes back a little bit to Kaseya, and some of the people that were beating up on Zoom calls and everything. It's, okay, because they got popped, your workstation got a vulnerability or some sort of malicious payload, what is the next stop on your chain? What's the next place that you could stop that chain? Typically your EDR, typically your firewall, typically whatever, right? It's like, I'm gonna take this big old freakin' generation one, which I call lovingly the anal probe of Amazon, because it's kind of what it looks like, almost, and I'm gonna go throw this thing through your window. Now how are you going to stop me from further getting inside of your house? It's the same concept. Yes. So really doing that atomic red teaming, and CSS put up their version of atomic red teaming now, which we're starting to study and learn with. I've actually got a class on that next week, around that and breaching the cloud infrastructures and things of that nature.
So the cloud is secure, what are you talking about? Yeah, just pop up on it. Improperly configured,

Shiva Maharaj:

was born because you have IT practitioners who didn't know how to configure DNS. That's all it is. I did want to go through something you just said about what would be the next step to blocking after they got through Kaseya, or any RMM. What do you think? Because we've seen many antivirus platforms say they stopped it or they could have stopped it. We've seen the ThreatLockers of the world saying they would have stopped it. But as far as I can tell, no one stopped it short of Kaseya, who put a WAF in front of their SaaS platform.

Eric Taylor:

So the web is the point of vulnerability; you're breaching the web app. That's that stopgap. The other stopgap is certain permissions and configurations in the Kaseya web app itself, you know, not being able to manipulate the KUpload and the DLL files and being able to inject and remotely execute code would have been another stop. That's another poor coding problem. But once you're able to do that and get in and then start deploying everything that you're doing now, there's several layers that could have stopped this before the K agent, or agent ESC, that's on all the devices running the system would have ever got compromised. Boom, you're there. You've already hurdled yourself over five fences. Now what's the next fence or trench that you have? And it really is your EDR. It really is those next levels of, you know, maybe autobill elevate might have been able to do it, you know, running a chain

Shiva Maharaj:

Talk about Huntress, because in the incident, while things were potentially still going down, they were swapping out that setup data, in that case setup.exe. So I got a quick

Brian J. Weiss:

funny quick story on that. The guy that had the 5000 endpoints whose server was shut down, and that didn't get affected, all of a sudden freaked out. Why? Because he got a notification that Huntress deployed this file, and he thought it was the threat actors, when really it was Huntress. So he had a heart attack for a second until he figured out, oh, this was Huntress trying to protect me. So who got

Eric Taylor:

that notification? Firewall? EDR? What's his EDR, if you're able to say?

Brian J. Weiss:

I didn't ask him that. I will have to ask him that though.

Eric Taylor:

Because I haven't heard. I have heard that there are reports, that are unconfirmed, that Bitdefender's EDR did stop it on some networks. Now I'm not sure if that's early in the chain or toward the later chain as things were getting developed, or after IOCs were made public. I don't know. That's the same thing I'm talking about. I don't know.

Brian J. Weiss:

But I agree 100% with Eric. It's really EDR, an actionable SOC, that's going to stop this. Because there's no way to know how to build the mousetrap ahead of time.

Shiva Maharaj:

What are the top three SOCs you guys would choose? Go for it, Brian.

Brian J. Weiss:

Oh, I'm in the Blackpoint camp, Blackpoint Cyber. Okay, Eric,

Eric Taylor:

We're a little bit of a hybrid, so I'm out. You know, we're doing our own. So we're using Sumo Logic and we're using CrowdStrike. You know, we're building it out.

Shiva Maharaj:

How about you, Robert?

Robert Nelson:

I'm still trying to decide.

Shiva Maharaj:

Go to Blackpoint. I like what Jon's doing over there. The only thing is you're going to need an AV engine. And you could probably just use your current vendor and get rid of the EDR portion, because that's what you get with the Blackpoint side as well.

Eric Taylor:

Yeah, I would highly recommend Blackpoint. If you can't do it yourself, do Blackpoint, and do Dark Cubed for your firewall. You know, if you've got an EDR, or if you got a managed SOC/SIEM that's doing your endpoint, and you got one that's doing your firewall, you're doing pretty damn good. So definitely build it out. That's what I've been recommending: you go to those two guys. The cost isn't that bad. You know, most MSPs should be able to absorb most of those costs. Most

Shiva Maharaj:

good MSPs.

Brian J. Weiss:

Yeah. Well, to tell you the truth, I mean, really, the client should be the one paying for it, not the MSP. No, the

Eric Taylor:

MSP should get on, you know... we're about to go, because I beat up Matt Lee on this. The MSP is providing, or buying a service from the MSP is... it's the MSP's fucking job to make sure that they have the proper security stack. Don't be like, oh, well, if you don't want to do this, X, Y and Z, that's part of my stack, okay, but we'll still service you. You know, it's kind of like what you said, Brian: either you are on board, or get the hell out of my way. Shit or get off the pot?

Shiva Maharaj:

Well, I think if you're gonna take that viewpoint, you have to have two sides of your business. You have to be a VAR, and you have to be a managed services provider. No, to me,

Eric Taylor:

I'm a consultant. That's all I am.

Shiva Maharaj:

Well, to me, I think a managed services provider is a company that has a package that you get sold, and you have to absorb all the parts of that package. If you don't want everything and you don't want to pay for it, then yes, I'm a consultant, I'm a VAR, I'll sell you what you want. You want me to do anything? It's T&M. And that's it. But my SLA for my managed services is a lot better than my SLA for T&M, quite honestly.

Eric Taylor:

But does that, because you still run an MSP while still having the VAR side of stuff, does that not still put you at risk?

Shiva Maharaj:

No, I don't believe I have risk on either side, because I am not sharing risk with clients, and I make it incredibly clear they are responsible for their data. The risk is all theirs, so I'm just there to help. My plan, or the subscription that I sell them, is meant to help mitigate the downside. Ultimately, it's their risk. I'm not one of these MSPs that comes out and says we're just like your internal IT, or it's like having us in-house. We're not doing that bullshit.

Brian J. Weiss:

Yeah, I think the average MSP, generally speaking, is gonna have more assumed liability or risk with a fully managed client versus a VAR relationship, because the fully managed tend to think, you know, in God we trust, in iTech we trust, in Barricade Cyber we trust, that you're just gonna have their back. And so if you're not having the conversations with them, identifying where their security gaps are, they're just assuming they don't have any. I have a question for you, Brian, how

Shiva Maharaj:

many MSPs, how many IT providers, no matter what they want to call themselves, can even understand risk, much less identify it, whether it's for themselves or their clients?

Brian J. Weiss:

I mean, I feel like... I think back to my days, you know, before I got into security. It was all about grow, grow, grow. I cared more about getting more clients and more income than I did about evaluating the risk that came along with that. So it took an emotional event for me to look at things differently. And I would imagine that's the same for a lot of MSPs out there, they just haven't

Shiva Maharaj:

Really, like for you, it took a catastrophic event. That, let's be honest, you're probably just overblowing, if you were to ask Kaseya's CEO.

Eric Taylor:

Robert, if you don't mind, Robert's knee-deep in this thing, especially with his rural area, you know. So Robert, you know, as an MSP, you do some VAR stuff, you do some MSP stuff, but except for education, what would you say is some of the biggest pushback about getting businesses on board, especially in your area, or anywhere else?

Robert Nelson:

It's money, man. They just don't... they're not going to spend it.

Eric Taylor:

How are you overcoming that hurdle, though, sometimes?

Robert Nelson:

I keep a very vibrant, bright, break-fix business going. I've always got something to do.

Eric Taylor:

And I think that's the way to

Shiva Maharaj:

go. When they don't choose your managed programme, which is, let's call it, for lack of a better word, your all-encompassing platform for them, you just serve them as break-fix. And for those of you listening, break-fix is just another term for time and material,

Robert Nelson:

Put some tools on there, sell them block time and say, here's my recommendations, what do you want to do? It's basically, hey, do you want to stay at this? It's gonna cost you this much a month, you must add that. I mean, I give proposals out, all uncompensated, but I don't have any that would just let me do what I want to do. I've got a couple that are starting to get that way. They're starting to realise, it's like, oh my god, there's so much to this stuff, and we're not doing half of what we need to be doing. And you know, they're starting to realise it costs money. It's almost like having another employee,

Brian J. Weiss:

I've got an interesting outlook that I thought about over the weekend too, as I was thinking about quitting my job. And it had to do with doing residential services. I'm like... I mean, I don't really enjoy working on computers anymore and fixing them. But if that's what you enjoy doing, there's almost less risk in just doing residential. Like

Robert Nelson:

there's literally less. I think there's considerably less risk in residential. They're just more of a pain.

Brian J. Weiss:

Yeah. I mean, you got to deal with more personalities, right? You got to be a people person, I guess. But you know, in all fairness, it's like, so what, you can't access your Facebook or your photos, you got ransomed, that's not my problem. I mean, it's kind of a sad way to look at it. But I mean, when it comes down to it, if you like fixing computers, and you don't want to have the stress of getting hit with some big ransomware event across all your clients overnight, do residential.

Shiva Maharaj:

Have any of you guys seen this article here? It's about a town in Maryland that got shut down because of the Kaseya VSA hit.

Eric Taylor:

I heard about the grocery store, but I have not seen this one.

Robert Nelson:

And that's in the Washington Post?

Shiva Maharaj:

The Post, and I can share the link in the description of the video and the podcast later for you guys. And Robert, I can share this in our Slack where we all congregate. But an MSP was hit and a town is down. How many towns across the country do you think this has happened to? I get that we're just, you know, perpetuating an overblown situation.

Robert Nelson:

Two years ago, our sheriff's office was hit. They were down for four days.

Brian J. Weiss:

But this is only a small, you know, small 50 MSPs. There's nothing to see here. Exactly.

Shiva Maharaj:

Move along. You're talking about 60 customers. Yes, a few days ago it was 50. So that number keeps going up. Surprisingly, I mean, how is that even possible? Isn't Kaseya giving us exactly what we need? Truthfully, according to REvil, they've got over a million endpoints now. The reason I bring this up is municipalities love dealing in CJIS, because they have to access federal systems.

Eric Taylor:

Here we go. Brian. What the fuck?

Brian J. Weiss:

So are you talking about the fact that Kaseya isn't FedRAMP and CJIS

Shiva Maharaj:

No, that was last week's. That was last week's soapbox for me to get up on.

Eric Taylor:

But that's what I brought up in the conversation that me and Brian were on with some other folks yesterday, and me and some other folks were rolling rounds and rounds like a donkey show.

Shiva Maharaj:

No, what I'm talking about is, part of CJIS, and part of any business (and a municipality is a business), is having an incident response plan. And if you read through this article, they're dead in the water.

Robert Nelson:

It is hard to get anybody to understand exactly what they need to be doing and what they need to be planning for.

Eric Taylor:

I've talked about this a couple of times. This is the best way that I've done it. You walk into their frickin' network and be like, alright, I'm going to pull this cord out of the wall. I'm bringing all this stuff down. Now what?

Shiva Maharaj:

Let's take it one step further. When you're dealing with CJIS, you're getting federal funds to get in line with CJIS requirements. What was that money spent on, if it didn't give you an incident response plan? That is almost pocketed, I'm sure. Well, I know that's the answer, but I wanted to stretch it out.

Brian J. Weiss:

Are you saying that government misappropriates funds?

Shiva Maharaj:

I didn't say that.

Robert Nelson:

Oh, well, just go like, in my area, CARES money flowed freely from the federal government down, you know, for the pandemic, and they were supposed to be working on responses and stuff like that. What did they do? They upgraded hardware, they bought a bunch of Zoom, you know, set up Zoom and a whole bunch of meetings. They're talking now that they're not going to use Zoom anymore. And somebody said, well, what are y'all going to do with all those special cameras you bought and everything else? They said, ah, I don't know, we'll try to figure something out here one day. Yeah. And that was just six months ago, all that. So federal monies are like Christmas presents to them. It's just free money. It's not in the budget, like all around, hey, what do you think you'd like to make your job easier? Or what toy do you want? So it's a joke.

Shiva Maharaj:

I want to get a little political here, because I think we have a nice cross-section of viewpoints. And whoever wants to abstain, we won't let you. I read an article yesterday that some politicians and some advisors are telling President Biden he needs to give Putin an ultimatum to get involved and start dismantling the ransomware groups in Russia, or they need to make cryptocurrency illegal so these guys can't get paid. Now, is it me, or is that absolute bullshit that'll just, you know, keep the federal hog spinning and spending, when all they really need to do is put something in place that forces companies to secure themselves?

Robert Nelson:

They need to put a standard in place. The minimum: here's what you got to have. And then they've got

Brian J. Weiss:

the safe harbour laws that they're rolling out in some states, right? Where if you can prove that you meet certain criteria, there's no civil... just like with

Robert Nelson:

HIPAA, if you can prove that laptop was encrypted, then we won't fine you for losing it.

Shiva Maharaj:

But HIPAA is such a steaming pile of shit. I think HIPAA is worse for what it was intended than Kaseya is for what it was intended.

Robert Nelson:

But it gives you that safe harbour, and that's what you're looking for.

Shiva Maharaj:

I don't want a safe harbour. I want to have a system, or a standard, where people actually have to do something, and not just in front of a code execution.

Robert Nelson:

Here's where that comes in. Okay, if you put the rules in and create a safe harbour, then the insurance companies are going to say... they'll fall into those rules too, because it helps protect what they have to pay.

Shiva Maharaj:

Well, the insurance companies are the ones that are gonna drive all this. Exactly. If they can take it to a point where you're not allowed to pay a ransom, it's great for them. It reduces their exposure exponentially.

Brian J. Weiss:

The double-edged sword that I see with going the route you're talking about, Shiva, and that's essentially what they're doing with CMMC, right, is you start having people create regulations who probably aren't the right people to be doing it in the first place. Maybe they're breaking laws somehow, and there's some news article that comes out about them.

Shiva Maharaj:

Are you talking about the C3PAO that got hit by the DOJ for money laundering, and one of the people already pled guilty to getting killed jobs? Because I don't know what you're talking about.

Brian J. Weiss:

Touching on that. But if you think about, you know, America, one of the great things is being able to start a small business and make something for yourself. Well, if, out of the gate, your costs are so high to meet those requirements, you know what I mean, it's gonna be harder to afford to be a small business, or all the small businesses that are in the government supply chain get squeezed out because they can't afford that now. Right.

Shiva Maharaj:

So let me ask you a question, Shiv.

Robert Nelson:

I will have to drop off this call, because I got another call coming. Okay.

Shiva Maharaj:

No problem. Thanks, Robert. For those who want to get in touch with Robert, it's techplanetnow.com, and his name is Robert Nelson. And he loves using SEO

Robert Nelson:

because the SEO messiah, like Mr. Taylor, is yet

Eric Taylor:

to get... Robert, thanks for joining. Thanks,

Shiva Maharaj:

Brian, what side of 40 are you on? Cuz I don't want you to give out too much detail. Older, younger? Younger. Oh, you're a baby. Okay, you, Eric, I know which side you're on, so I'm gonna have to ask you this question. Wait, wait, which

Brian J. Weiss:

side of 40? I'm 42. So that puts me... so much for... oh, since

Shiva Maharaj:

you said younger. Well, I

Brian J. Weiss:

understand now what you're asking. Okay,

Shiva Maharaj:

so we're all over 40. Do you remember a time when, to open a business, you needed a real plan and money to do so, and you just didn't have to pay $264 to the IRS to get an EIN?

Eric Taylor:

No. Even when I was younger, that's all you needed. You know, the mindset was always there to actually get a... also, you could self-fund yourself. Like I've done my business, and every business I've ever had is self-funded. You don't need a business plan, you don't need all that crap. You're using a roadmap, say this is where I'm going, here's all the steps I need to take to get there. But that's, yeah, it's just not elegant. It's not typed out,

Shiva Maharaj:

You don't need a business plan, per se, unless you're going to a major bank to get funding. My point is you need to know where you're going, right? You need to have a direction. You also need to have a way to either fund that yourself or get funding, or, you know, couch surf till you make it like Mark Cuban did. It's not like nowadays, where everyone and their mother can open a company and just let it languish, and whatever. Like, owning a company in the 80s meant something, as compared to now, where everyone and their mother owns a company because they think they can write shit off. That's a whole different podcast, by the way. My point about having a standard is, let's say, mandate MFA as mandatory. Let's say you have to have a logging service. Let's say you have to have a next-gen AV, or whatever they want to call that Kool-Aid bullshit, which is just an antivirus product. Like, that's what I'm talking about, Brian. Let's have some minimum baseline practices that we have to follow if we're going to sell a service to a company and manage it. Let's have an incident response plan if something goes sideways. Yeah, right. That's what I'm talking about. I'm not talking about getting level one with CMMC, or whatever, it's 150,000 to 300,000 that you're paying some C3PAO, God, jerk-off, for lack of better words. And when it comes to CMMC, I firmly believe, and I've said this many times, it should be: for God's sake, charge 150,000, charge $300,000 to go through the audit. If you pass, you get the money back. If you don't pass, they keep the money. And that's your penalty for being full of shit and saying you already

Eric Taylor:

Yeah, I like that, or at least allow, or at least one revision or one revisit to the, to the thing. So in case you

Shiva Maharaj:

like, but you know, there's a difference between messing something up, making an honest mistake, and saying, hey, I have all my controls squared away, and you got one loose-leaf paper saying I accept this risk. Sometimes. I mean, come on

Eric Taylor:

now, because we don't know anything. Compliance is doing that at all.

Brian J. Weiss:

But I mean, you, you touched on something, I mean, it's incident response related, but really around business continuity, because let's throw Kaseya out, let's just say, please, please, no matter what, no matter what the threat is, if something happens and you can't operate anymore, like this grocery store chain that didn't have any POS machines anymore, it's not a question of how does the threat happen? How do we protect it? It's okay, like Eric said, I'm walking into your business, I'm going to tell you right now, all your POS machines just went down. What's your business continuity plan to continue business? How are you going to continue business, right,

Shiva Maharaj:

you know who the winner is going to be in this entire situation? Microsoft. Maybe many companies, many enterprise companies run on 365 to some degree, some may use G Suite for their email, but they're still using the Azure AD identity. And I know that the road that's being explored by myself and many other MSPs is to have Intune do everything. And you keep, you know, instead of having X thousand number of RMM agents, you keep three, four or five hundred as an emergency case, and that's it. They're not, they're not deployed, you just have them, you need to onboard, offboard or do something like a major project, you use them and you pull them off. I see Microsoft really winning with Endpoint Manager.

Brian J. Weiss:

Oh, yeah, for sure. I mean, they're gonna bring enough items that the RMM currently handles for us. I mean, major issue, major thing there they have a gap with right now is network devices, right? How do you manage and keep a list of all your network devices in one place if they're not already cloud managed? So, but it's getting there. And then kind of the, the other thing I'm thinking about is, okay, let's take all the pieces of an RMM and say, okay, if these pieces are going to eventually go over to Intune, what's left? I mean, maybe some sophisticated modern monitoring and alerting, but can we move that to EDR? You know, especially if it's security related. I would 100% agree with that, that they're going to be, I feel like they're already winning. To tell you the truth, Teams is the future essentially.

Eric Taylor:

Yeah, I mean, I think some of it is going to go back to a little bit what we talked about before, you know, having an EDR on your endpoint and an EDR on your network infrastructure. So a shameless plug, but not sponsored by Dark Cubed, but you know, if you want to sponsor, Dark Cubed, you can. Oh, would love that, but I take Bitcoin, my wallet address is, you know. There are... taking your firewall logs and parsing all that traffic, it probably is not going to be much harder for them to start spinning up than pulling sys, syslogs of your network gear, you know, so you have your backbone infrastructure, if you will, going through an external auditing log like Dark Cubed, and you've got your endpoint monitoring and logging going through Blackpoint, then that may help get you rounded out, you know, and then you have Microsoft for your entire identity stack. And that may help round out the entire picture, you know, with your, your AV, EDR, or whatever. I don't know, it's an interesting discussion to try to figure out. But I think that they'll be in a position to do it soon.

Shiva Maharaj:

That brings something to mind. In the last year, I think I've reduced the number of vendors I have deployed on my clients. I have tried to simplify it as best as I can with overlap, like the onion, because I know that Eric loves that analogy, but I don't see the point anymore to having two to three dozen vendors on a single client. Because to me, that's just two or three dozen access vectors.

Eric Taylor:

Hmm, yeah, I

Shiva Maharaj:

mean, I really love this. Blackpoint could really get to a point where they don't need an agent, they can pull API from, from our RMM tool. The problem you're gonna have there is if the, the RMM tools have a myopic view of the market, they don't want to help build other vendors, even though it will give them more extensibility. Now, because then what's to stop the Blackpoints, or any one of these guys, have a system agent on that, right? What's stopping them from doing the same thing that an RMM can do? Not much. And I would rather take a network tap from Blackpoint and pair it with Intune than any other combination out there right now, in terms of network protection, without, without me having to build it from the ground up.

Brian J. Weiss:

If your SOC doesn't have some sort of agent it can use, how is it really going to stop threats? It's gonna have to depend on a third-party tool, right?

Shiva Maharaj:

Well, take a look at a SOAR platform, they're gonna be SOAR platforms, just... I'm drawing a blank here. But a SOAR platform is just going to use API access to your endpoint to do whatever they need to do, because it's running. And SentinelOne, CrowdStrike, all the big guys out there, they can handle the remediation for you. Which is what, in essence, Blackpoint is doing, right? They're not doing the EAP. But they're doing the EDR. And they're actually doing real threat hunting. I'm not sitting here wondering if they are real.

Brian J. Weiss:

Yeah, yeah, I guess I just question if the SOC is going to be hindered if they don't have their own EDR tool that they can use and even modify over time as the threat landscape changes, and they realise they want their tool to have some new feature or be able to look at data differently. That was points for Blackpoint with me, is they brought up the fact that, yeah, we use our own EDR tool that we've developed and continue to develop to ensure we can have the shortest amount of time, you know, to stop a threat, versus relying on a third-party EDR tool, where they're at the mercy of the roadmap and development of the vendor for that tool. And so they're, they're limited in, you know, flexibility there.

Shiva Maharaj:

Let's take Perch Security, and let's take Blackpoint and put them up against each other. Both are managed SOCs, but I think, would you say Blackpoint's a managed SOC or is it an MDR? MTR?

Brian J. Weiss:

Aren't those the same thing?

Shiva Maharaj:

Yeah. Oh, Eric, can I say it good triggered sugar?

Brian J. Weiss:

I don't, I don't know what to believe anymore with, you know, because apparently Rocket Cyber's rocket divers and hot seven Polish shit,

Shiva Maharaj:

right? Rocket Cyber is really good Kool-Aid. And it does a really good job of collecting useless information. Well, collecting all your information, keeping it in a nice shiny place that you pay a lot of money for. Nothing

Eric Taylor:

will save me. Brian's gonna go down this rabbit hole, I'm sure, because, you know, me and him had many, many discussions in other forums, and he was like, Rocket Cyber's a SOC. And I'm like, no, the fuck they're not. He's like, no, it's not. Like, look at this. I'm asking these questions. He's like, crap, it's not.

Shiva Maharaj:

So here's, here's my, my take on what a SOC is. A SOC is parsing the logs in a SIEM and generating alerts for you, at the very basic understanding. For me, at least, I think a managed threat response or managed detection and response is a SOC that generates those alerts and then escalates into a team or moves it over to an analyst or someone who can take action to mitigate, et cetera, and I think that's what a Blackpoint is. I think that's what Huntress is, or is going to be. I can't see Huntress staying as a persistence-only type of platform. The guys there are too smart, too talented just to do that. I think they're seeding the market really well the way they are. But I don't see that as

Eric Taylor:

their end-all deal. So my definition really of a SOC is a little bit more so. My idea of Huntress and of Rocket Cyber is a syslog aggregator, I don't think of them any more, they give you a pretty GUI, they don't take in a whole bunch of queries and put it out there. A real SOC is a software that you can create and manipulate your own queries in to generate more information that you want. So a SOC is something that you will be able to build out your own. MTR, MDR, whatever means threat and detection and response platform. SOC is when you get into having a Sumo Logic, you get into having an ELK stack or whatever, and you're building that out, you have database access to the queries. So that's really where SOC, I

Shiva Maharaj:

don't disagree. I do think you're right. I think mine was just an overly simplistic view of it, in that a SOC is not built to really react in, in the managed SOC area of the MSP

Eric Taylor:

is to alert you because you're trying to be the initial person, because you're

Shiva Maharaj:

here, right? All these MSPs using a managed SOC have 35 people at their beck and call in house waiting to do shit. You know, they're one-man shops. But anyway, that's a different story. Now, you take a look at Perch, there is a log shipper from the ELK stack that you can put on, it'll do some FIM, file integrity monitoring, but I don't think they're built for any type of response. And based on what my pricing was when I was there, and what the pricing over at Blackpoint is, Blackpoint is more advantageous. I would say Blackpoint's a little bit cheaper, isn't it, and you're getting a little bit better results out of Blackpoint than you ever were, more cost effective. And you know what we can do, Eric, we can go old school, you can bang on the door and see if they figure it out this time. I'll do that. Not this time. Not this time, because we've never done it with Blackpoint. We did it with Perch. And our listeners have heard us mention this all the time. I'm game. Oh, yeah. Or let's switch it up. Brian, let Eric bang on one of your clients' doors,

Brian J. Weiss:

the MDR, MTR, SOC has been so over-marketed and under-delivered, I just call it, you've got a SOC or an actionable SOC. And how do you know the difference? Like, like Eric did, like you guys did with Perch, throws up Matt at them. See if they catch it?

Shiva Maharaj:

Is it in your practice? Not for you? Because I think as, as IT providers, it's more do as we say, not as we do kind of thing. But are you restricting USB access on all your clients by default? And then they ask you to turn it on? Or is it the other way

Brian J. Weiss:

All new clients on our new baseline, it's set up that

Shiva Maharaj:

way? But I suppose

Brian J. Weiss:

I'm not sure, I'll have to check that. I don't, I don't set those policies. We did have internally set to BitLocker all USB devices. But I had to turn that off because I got too many complaints about that. I said, why don't you use Datto Workplace? Why do you have to use a thumb drive? Oh, we need access to stuff offline in computers that aren't going to have our

Shiva Maharaj:

BitLocker encryption key. There's certain people in the channel call themselves the dictator, or with my clients I'm the dictator, and I have banned USB devices and drives. Well, not device drives. We are probably a month away from getting to a point where all USB devices need to be approved and allowlisted, because that's the new terminology for platforms. We're not allowing, even webcams need to be allowlisted. And we're not, we're not even allowing off-branded and off-labelled webcams. Nice, because I don't know what the hell those things are calling home to, true highway. They're taking the highway to highway. But anyway, so you were, you were talking about your actionable SOC versus a non-actionable SOC.

Brian J. Weiss:

It's, that's really just how I look at it now.

Shiva Maharaj:

That's the way to look at it, quite honestly,

Brian J. Weiss:

it's the MTR, MDR, 24/7 SOC, like they've all been over-marketed and under-delivered on. So it's hard to, you got to take things with a grain of salt, since true

Eric Taylor:

lime, tequila,

Brian J. Weiss:

and you got to test it like Eric wants to do with Blackpoint Cyber now. I mean, really, that's how you know, right? Well,

Shiva Maharaj:

I think we should do that. I think you know, it's a moral imperative.

Eric Taylor:

It goes back to what I said earlier, this is the Atomic Red Teaming that I got to put my clients there. Yeah, we put a stack in or we spin up a trial of stuff and we put it through its paces.

Brian J. Weiss:

Well, it's no different than putting in a backup system, and you don't put a backup system in and just assume it works until the day you need to use it. A minority will do that.

Shiva Maharaj:

What are you talking about

Brian J. Weiss:

Willis? You want to like actually see it working so that you know it's gonna work when you actually do need it. People do that.

Eric Taylor:

And let me actually put this as a shameless plug, is I mean we all use Datto. So again, you know, plug but not sponsored. But on the cyber call, or one of the calls that Ryan Weeks, CISO of Datto, was on, I didn't even know Datto did this and I'm a partner, you guys may, but if you're a Datto partner, and you're using their backup solution, did you know you could spin up a war, not a war room, but a mock simulation of every last one of your recoveries, and at one time for all your clients, and just do that and say, okay, this week, I want to restore all of my clients. And let's see how crap this looks, or what this looks like, if it's crap or not. And I didn't know you could simulate that from those guys. That's pretty cool. I wonder how many other vendors are really doing that. So I mean, huge shout out to Datto for doing it. And I'd love to know if

Shiva Maharaj:

there's other ones doing it. I think Datto is just leaps and bounds ahead in terms of business and security process as a vendor in our space. And I don't compliment vendors easily, or usually, but they're, I think they're doing a good job.

Brian J. Weiss:

So I just found out about that about four months ago, dealing with a co-managed client that we put in a huge device for with a bunch of servers. And what we're doing is we're actually developing out business continuity playbooks based on which servers are having which issues, and detailing ahead of time, what, you know, if, you know, here's Plan A, right, if XYZ happens, what does the network need to look like, like what servers need to automatically come up in the cloud, and then you can define all that ahead of time, give it to Datto. So that when one of those events happens, you just tell them execute Plan A, and then they do it all on the back end, scripted, without having to jump through the GUI if you're going to do it yourself. And so that's along the lines of kind of what Eric's talking about, is how they have the ability to automate these tests of, hey, I want to get my failover environment up and running and see that it works ahead of time. The other thing that's crazy about them that I know other vendors aren't doing is they don't charge you for the virtual resources that you use on the failover environment. So if you're out in Azure land and do Azure backups, and you need to spin up a failover environment in Azure, you got to pay for all of those resources as you're on that failover environment, whereas Datto,

Eric Taylor:

eagerness de gras all that, yeah.

Shiva Maharaj:

Again, I hate giving vendors that altruistic easy out. Datto has exabytes of capacity for this data centre they built, I think after they moved off of AWS, and whether they want to admit it or not, they are losing BCDR business because not as many businesses need the SIRIS line anymore with cloud, with SaaS workflows, and OneDrive, this, that, what have you. So they have the extra capacity. What I am happy about is that they seem to be leveraging it and making it available to us as partners and our customers at no added cost. I get that it's a sunk cost. They probably depreciated it from the financial side. But I know Kaseya, as Robert would say, since he's not here, or ConnectWise, they would tag you with a price for that. I don't think they would be as nice about it. So maybe they, they get one star for altruism.

Eric Taylor:

Anything else anybody wants to talk about today before

Shiva Maharaj:

we wrap this thing up? Eric just wants to wrap this up so we can go, go put on the Traeger and start smoking some meats.

Eric Taylor:

I do have to figure that out for my next meal.

Brian J. Weiss:

You got to plan ahead when you're smoking for six hours.

Eric Taylor:

Yeah, that's, I got a big smoke coming up this weekend because my wife and kids are coming back up.

Shiva Maharaj:

Is there anything else you guys want to talk about before we close this one out? No, I'm good.

Brian J. Weiss:

No, I say let's see what happens with these deadlines that Kaseya has given.

Shiva Maharaj:

Cybersecurity Amplified and Intensified, please check us out, like, share, subscribe, download, listen, learn, ask questions,

Eric Taylor:

comments, comments,

Shiva Maharaj:

comments, and I will also be linking the YouTube channel that's run by Eric over at Barricade Cyber for this. To get in touch with Eric is barricadecyber.com, Brian is itech-solutions.com, I am kontinuum.com with a K. If you guys have time for this, did you see that SYNNEX was attacked to try to get access into the Microsoft tenants that they sell and invest in? But keep in mind, maybe we should talk about that on the next go around.

Eric Taylor:

Sounds good.

Shiva Maharaj:

Thank you for your time. We will see you guys shortly. Take care, buddy.