Cybersecurity: Amplified And Intensified

Episode 26 - Matthé Smit Director of Product Management, Datto RMM

August 23, 2021 Shiva M./Eric Taylor/Brian Weiss/Matthé Smit

As Director of Product Management for RMM, Matthé is responsible for driving the RMM product roadmap and managing the product management team. He plays a critical role in making Datto RMM one of the most scalable remote management platforms in the world.

Over the last 15 years, Matthé has exclusively worked in the managed services market working for leading software vendors. Having worked with countless MSPs across the world, Matthé has a deep understanding of the space and a strong focus on finding simple solutions to complex technical problems. Matthé is located in Amsterdam, Netherlands.

Matthé Smit
https://www.linkedin.com/in/matthe/
https://twitter.com/matthesmit
https://datto.com

Brian J. Weiss
https://www.linkedin.com/in/brianjweiss
https://twitter.com/bweiss805
www.itech-solutions.com

Eric Taylor
https://www.linkedin.com/in/ransomware/
https://twitter.com/barricadecyber
https://www.barricadecyber.com

Shiva Maharaj
https://www.linkedin.com/in/shivamaharaj
https://twitter.com/kontinuummsp
https://www.kontinuum.com/


BARRICADE CYBER
Ransomware Remediation Services, Incident Response and Penetration Testing.

KONTINUUM
IT support that's actually supportive.

FASTMAIL
Your data is for you, no one else. That includes your email, calendars, contacts, notes, and files!

Shiva Maharaj:

Good morning. Welcome to another episode of Cybersecurity: Amplified and Intensified. Usual hosts, Eric Taylor, myself and Brian Weiss of ITECH Solutions. Today we have Matthé Smit from Datto with us. MJ, how's it going?

Matthé Smit:

Hey, guys, it's going well.

Shiva Maharaj:

For those of us who don't have the benefit of knowing who you are, would you like to give us a little background on yourself and Datto? Absolutely.

Matthé Smit:

So I'll start with myself. I am working as the Director of Product Management for Datto RMM. So I'm responsible for roadmap and what we put out as a product. And I have been on the RMM journey for quite some time; I have been on this for over 15 years now, with a different RMM vendor, and then I joined CentraStage, the startup that eventually became Autotask Endpoint Management, and now Datto RMM. It's been a very interesting journey, where we've been able to grow the team, but most of the people that were there at the start, when it was CentraStage, are still with us: core developers and all of the founding people. And it's been an amazing journey. And Datto, of course, we do many different things. Most people know us for business continuity, the backup, but of course we have one of the leading PSA products, and the RMM product is doing fantastically well for us. So it's been really, really nice to be part of this journey. And we have ambitious goals; we are investing quite a bit more in product teams, we have an ambitious roadmap, but one of the things that we've been doing is just making the product better every single month. We have been on this rolling cadence of just shipping product every single month, with the goal to make it better. And that's what we're planning to do in the future as well. And as a product manager myself, one of the things that we like to do is stay externally focused. So talk to the MSP channel all the time to capture feedback; we do it in product, we do it everywhere, to make people tell us what we need to do to improve, because that's what it's all about. And yet,

Eric Taylor:

And before we get started, I mean, we want to just put out there, just as a disclosure, that myself, Shiva and Brian all use Datto in some way, shape or form. So we were talking a little bit before the show today that you had Dom Kirby, who works for Pax8, has put out recently the... pretty much, in a nutshell, where you really should start looking at getting rid of your RMM and going with some sort of various solutions, whether it's, you know, Shiva was taking the impression that this is more of a push for Microsoft workplace that they're pushing through; I tend to agree with him there. There's definitely some points in here that we'll definitely put in the show notes. But there was really one thing that really stuck out to me as I was skimming through this, which was, you know, when you are picking your vendor, and you are trying to determine, alright, are these folks going to be on your side? Or are they going to potentially not care about security so much, and become that RAT, or Remote Access Tool? Like, you know, what Kaseya has done, as some other RMM platforms in recent history have done, where you're essentially just weaponizing, a third-party malicious actor is able to leverage that system. What would you say about that, Matthé?

Matthé Smit:

Right. So I think you touched on a few topics, I believe, and I think many MSPs still believe that a managed device is better than an unmanaged device. Right. So if you don't have visibility of what you are responsible for, cloud security, and you can't compare the response to immediate things that you need to do, let's take PrintNightmare recently; as an MSP, you need to know where your servers are, which ones are vulnerable, and you'd like to respond to that immediate threat, perhaps make a configuration change at scale. For businesses to do that, they need something that helps them do that. And I believe that the RMM products that MSPs buy today are designed to help them do that: that visibility, that scalability of their best practices and their responses. That is something that I believe is going to perhaps be even more important today than it's ever been. Like, it's important to understand your patch level of everything that's out there. It's incredibly hard to do without proper tooling, but as you pointed out, it is essential to be really smart about that, and what I mean is you want to indeed pick a vendor and a product you trust. Like, you want to make sure that your vendor is someone that you can rely on, and they do all the right things, and they have the right process in place, and they invest in building a product that is really secure. That is very hard to do. Like, we all know how complicated software is, how complicated security is. It's almost impossible to do that yourself, I believe. So even though you need that kind of technology, you have to ask yourself the question: is this something that... like, I still know MSPs that like to build their own management technology, but it's very similar to deciding to host your own technology and publishing it on the web. Like, is that something that you really want to spend your time on, and securing it that way?
There are many, many other things that come into play here. But, like, for one, and of course I'm an RMM guy, but clearly you need an RMM to keep your customers secure. And you need to make some really good decisions on what vendor, where do I put it, how do I configure it, how do I secure it, because there is still a responsibility that you have as an MSP. It is a very powerful tool set whenever put into production use. So you need to be smart about security, like how do you configure it, how do you get access to one level. And then, like, you touched on a few other things, but I believe that you are going to be more secure with an RMM in play.

Shiva Maharaj:

You know, this brings up an interesting point here. Let's say you and I met about a year ago, just a little over a year ago. I was using another RMM, and my client went through a pen test; pen testers were able to get into that RMM, which was not Datto RMM, to be clear. My sales guy got yourself and your counterpart, Ian, on a call within a couple of days, and the level of comfort I had with your security mindset and your security posture had me purchase Datto RMM sight unseen. With that said, can you talk to us a little bit about how Datto is investing in the security of Datto RMM, through your eyes as part of the team? And also, I don't know if this is something you can get into, but highlight the difference of being an RMM platform versus an RMM instance, like some of the other players out there?

Matthé Smit:

Sure. Sure. Um, I think it starts with the organization, right, before even talking about the product. I think Datto is a security company. A few years ago we appointed a CISO, as the first one in the space, Ryan Weeks; I think everybody knows him by now. But our CEO said, "Hey, Ryan, you build a mature, secure company," like you run your own security group, because we saw how important that was for our partners. And that is a massive group that we have right now. So we have our own people that know about process, about really good security practices; we have our own pen testers, and they help us across the board with all our products to elevate our game, and to keep every single team focused on security. So on a global level, on the company level, I think we have some incredible people that help us stay on top of what matters here. But then within each product, like Datto RMM, we have security people embedded into all the teams, and security processes around how we develop our products. So when you look at how we produce our products, in our software development lifecycle security is a part of that, like our design and engineering it and testing it. It is part of just everything that we do; there are multiple processes that we have implemented where, for example, a developer can't just make a change to your product. There is a multi-layer approach here, where someone can check in code, someone else approves it, sometimes it's more people, and then someone else deploys it, and someone else can touch production environments. So it's a very mature way of thinking about how we deal with code. But I think, and this is one of the things you touched on, this product that we're talking about is not like, "Hey, we have this on-prem product with an IIS front end and a SQL back end,"
and that's hosted somewhere in the cloud, and let's call it a cloud solution. No, this is something that was designed to be a cloud platform from day one. This is all kinds of microservices that all have their own area of work or tasks that they need to do, talking to other microservices. And that's what the platform is. And if some area, like the monitoring engine where we process the alerts, is busy, we can scale that up. We have load balancers in front of them. And if the UI needs more resources, we'll add more UI servers. And if a single area is down, if let's say one of our PSA integrations is down, there's no impact to other parts of the product. Like, this is truly a scalable SaaS solution, as how I think you're supposed to design it today. And that means that, from an architecture perspective, we contain, I'd say, the blast radius of problems within certain compartments of the box. And then, of course, we have multiple regions. But the way it works is, mostly there is no platform ready to take over; there's no place where you can really insert, like VSA, like a Trojan or something, because it doesn't work. And then, on top of all the things that we do, we have continuous monitoring, continuous security monitoring, we have almost continuous penetration testing going on, to just make sure we provide a reliable, trustworthy, secure platform to our partners. And, like, certainly Datto has the resources to invest in those people, those processes and penetration tests, et cetera. It's much harder to do that when you're a startup and you need to cut corners to get features out. For us, there is no bigger feature than security; right now, it's the one feature that matters. And everything else should be tier two, or tier three; security is tier one.
But it's not a feature that you can build, to say, okay, like, this is the release where we're going to add security. No, you have to take it into account in everything. So hopefully that answered your question, actually.

Shiva Maharaj:

Oh, it did. Thank you.

Eric Taylor:

So when you're talking about security, and we're talking about RMM, you know, I'm not sure if you're able to elaborate on this. But, you know, Conti just had one of their operatives, you know, kind of go rogue and just completely publish their entire playbook of, you know, this is how we do things, and that's how we get past Sophos, that's how we get past this and that and everything else, you know, here's all the tools and stuff like that. Has Datto... what does, I guess, what is the timeline for Datto to take on some of these ransomware or threat actor playbooks that may get put out there, and, you know, maybe put something out there on a partner portal, you know, behind a wall or a publicly facing page, to say, hey, we've analyzed this, these are just steps that we're going through of, you know, possibly mitigating, monitoring and mitigating for these types of threats, things of that nature.

Matthé Smit:

So our security team does analyze this, like the moment we see this, right. And there have been examples of this in the past, where we've learned about something, a certain threat or vulnerability, and with our security team we have decided, okay, let's help our partners and respond to this. And sometimes that is by deploying something in our RMM. Like, we have written multiple scanners: for the Exchange ProxyLogon vulnerability we had one; when the big FireEye set of tools was stolen, with the SolarWinds breach, we put out responses, and that was either a component in our RMM, a script, but also something we, for example, published: the scanner for that one on GitHub. So we've done that multiple times now, where our security team learns about something, we have a dialogue internally, and we say, okay, what do we need to do. And we have this RMM product; the capabilities are infinite, if you take into account our own store and our components, I'd say the engine for automation, but also the way we publish it to our partners. And what we've done on a very regular basis, we publish things there every week, is just make these best practices available, so you can just download it to your system. So I think what you're asking is, is there something you can do with this as far as documentation is concerned? Well, yes, but we'd like to generally take it one step further, which is we will help you get the solution in place, so you don't have to script it yourself. And we have dedicated thinking about that. There are other security documents that we put out there, a lot of FAQs and other things that we do; we make them available on our documentation site, for one. But generally, we like to take it to the next step.

Shiva Maharaj:

You brought up the app catalog and the ComStore. And for those that are unaware what those are, that's, in essence, a repository of scripts and applications you can use, you can deploy with Datto RMM. And about a year ago, you and I had a conversation about requiring MFA for risky actions. It was more of a suggestion than a feature request or a promise to deliver. In light of the Kaseya breach last month, has anyone revisited that, where if I wanted to upload a new component, I would need to be challenged with another MFA push notification, say with Duo, because you guys are highly integrated with them, or some kind of additional authentication? And the same thing for deploying across, you know, multiple devices, anything that we can deem risky?

Matthé Smit:

Yeah, yeah, of course, like, we have had many conversations about this, also recently, of course, like how do we protect MSPs from either making mistakes, or someone gaining access to their RMM, or, like, I'm using the RMM and the automation engine scripts are the most powerful thing to abuse. Like, with MFA, I've made it mandatory for everyone; we think it didn't stop everybody to get in, but if you have a rogue employee, or someone getting access to the system through a stolen phone or something like that, they can still abuse the RMM. So how do you minimize that blast radius? And one of the thoughts there is an additional layer of authentication, like 2FA doesn't really make it more secure. I mean, most would probably do that, but more to prevent mistakes, or big changes, to tell people, hey, you're making a really big change here, like, here's another 2FA challenge. But the assumption is, if someone can get in, they can probably also deal with the initial step-up authentication. The initial 2FA is not really easy to step up, because you're already at that double-authenticated level. So one of the things that we've been working on, and we will release... this is a bit of a spoiler, but we're announcing this at DattoCon later this year, is this additional workflow, the approvals, where we're going to make it much harder, or actually, we're going to make it so that if you are making a risky change in RMM, you're going to need someone else to approve that. And that includes, hey, I'm building a new component; before you can actually use it on all your devices, someone else needs to approve it. And that limits someone from doing something really scary, which is abuse the RMM. So that's just one of the many things that we were working on; we are definitely doing something in that area, and that's not too far out.

Brian J. Weiss:

One of the things that we recently did is we actually did a combination... we kind of focused on least privilege, in that manner, where we created a dev role in RMM that has a separate login for any of our devs. And we gave that dev role... it's the only one with permissions to add components, and it can only see our test site. So if you log into a role where you can add a component, you can't even see all of our client machines; you can only see a test site, to be able to test the component out. And that helps me sleep better at night, knowing that I've got least privilege, and where the accounts that my guys use on a day-to-day basis can't do this. But I do believe there definitely needs to be a level of change control added, where when certain changes are happening that could be detrimental, whether it's a threat actor or, you know, willful misconduct with an employee, a rogue employee, you've got some sort of secondary approval to keep eyes on that. So yeah, the re-auth, you know, first thought is like, yeah, I want a re-auth, but you're right. I mean, anytime you get past certain layers of security, and part of that is the initial auth, especially with MFA, doing a re-auth is assuming that they're not going to be able to re-auth, but how did they get in in the first place? Right? Maybe they gained access to the desktop; maybe it's an employee who does have access granted. So it's always nice to have a second pair of eyes verifying that something's legit.

Eric Taylor:

Well, let's also not overlook that possibility of being able to steal, you know, the 2FA cookie tokens with a man-in-the-middle attack [unintelligible], where we are able to steal that 2FA when you try to log into Microsoft 365, and as long as we're able, if we're watching those API calls, we can log in. So being able to steal that original 2FA code is not that big of a deal. The other side of the equation is, some of the other threat actors now are essentially asking for insider threats to compromise a network. So being able to enforce a second layer of protection, authorization to get something done, is more of a mission-critical thing. I'm not sure how some of the smaller groups will do it, unless, you know, the owner of the company is the only authentication method, and the general technicians, if you will, will be the person who will invoke the change request to add from the ComStore or whatever. But if you have, like, a one-man band, that may be a little hard; they just need to be a little bit more careful of what they're doing. But it's going to be interesting to see how some of that stuff really does play out.

Shiva Maharaj:

You know, speaking of insider threats, we can't talk about that without discussing ransomware. And one of the newer features that I think was launched by Datto RMM was the ransomware monitor. Is that something you want to get into a little bit better?

Matthé Smit:

Absolutely. Yeah, that's... I think it's a very exciting feature, and it's also an important one. And we see it as an important line of detecting when something is not right. So a lot of effort gets spent on preventing issues, by, like, you do patching, you have antivirus, you get third-party patching, configure the system in a correct way, but still, you know, this stuff gets in, stuff gets through, and then the inevitable outcome is ransomware. And what we built with one of our teams is an engine that detects the outcome of ransomware, which is files getting encrypted. And we do this in real time, and we are able to say with certainty, like 100% is always a scary number to name, but it's very close to 100% certainty, that you have ransomware. And what the RMM agent is able to do is detect it and tell you, first of all, like throw tickets in Autotask, or some other means, that your customer has ransomware, so you're not waiting for them to tell you, give you a phone call. So it starts with that, so you can respond quicker; you can potentially limit the exposure to other devices or other things. But of course, we also have automated actions. So you can automatically isolate the device from the network, which is really, really cool. We make it so that the device can't access any other resource on the network other than our RMM. So you can still remote control into it. But a potential attacker that has gained access to the device is now locked out; their command and control servers don't work anymore. So you can't use it as a foothold into the network. It's a very powerful feature. And then also we do kill the ransomware while it is trying to encrypt, which mostly saves a ton of files, right? Like, we still need certain files to be encrypted to detect the ransomware, but we will help you save a ton of files and lock out the potential attacker.
So yeah, that's that feature.

Eric Taylor:

So the one thing I want to push back on, and this is kind of where, you know, the friendly asshole in me kind of comes out to some degree, is that, you know, the report that was put out, probably about, what, two months ago, where a quote unquote security firm went through and did some testing of the ransomware module and, you know, gave it glorious reviews. And, you know, as a pen tester, I got a hold of it, and I can say from my experience, it's not so great. You know, even the report said that there were 30 variants of ransomware that it was able to detect. I was able to throw four or five different ones on there, created support tickets and everything, and though it doesn't seem like it's... I think it's still a work in progress. The main thing that really rubs me the wrong way with the Datto RMM is the inability to have any sort of tamper prevention turned on on the agent itself. So, you know, if you take the Conti playbook and some of the tools, they're talking about how to kill system-level applications that don't have tamper resistance on; Datto is not going to stop you by any means. So is there something in your pipeline? Have you evaluated that? And is there something in your pipeline where you're going to actually start looking at trying to implement those safeguards on this RMM platform?

Matthé Smit:

Let me... Yeah, good, all good points. So let me touch on the first few things that you said. We had one of the most respected security tool testing companies out there, MRG Effitas, run analysis on this product before we actually launched it. We actually said, okay, let's determine if this is any good before we decide to push it out to the market. And the conclusion was, yeah, it actually works, it's great. It's not perfect, but, like, clearly we could use that. And we had that information, and we made that available before we launched it. But then in the last couple of months, we deployed it to over a million devices. And that gives us a ton of fantastic data; each week, we are seeing ransomware activity across the world. And we also get reports where we missed something. So when I say it's 100% accurate, that is, when we tell you you have ransomware, you have certainly ransomware. We look at certain activity on the device, and we analyze, like, hey, is this ransomware? Like, there's automated stuff that you do on a device, or, I don't know, let's say you encrypt, or you automatically change images from one size to another, right? Or you use Photoshop to automate that. In many ways, that is very similar to how ransomware behaves on an endpoint, but we make sure that we don't flag that as ransomware activity and isolate your device or kill Photoshop, right. So we mentioned that there are no false positives like that. But then, on the other end, we have taken the most common ransomware versions out there and said, okay, what happens, and let's make sure it works against them. But also, this is a never-ending cycle; ransomware changes all the time, and we're learning and we are changing our engine as we detect new ways of how people mess up your system. We've made a number of tweaks in the last couple of months.
And I'm sure there are new strains out there that we're going to add, but the way it works is we're not looking at a certain signature to say this is ransomware strain X and then have to keep up with them like an antivirus engine. No, we look at the outcome. So anyway, it's not like a pre-release or in-progress version; it is ongoing learning and ongoing development. We have people on this product, we have a team working on things like this; this is ongoing for us, and it's important. The other thing that you touched on is tamper protection. And this isn't specific to ransomware detection, because before, with admin rights, you were able to remove an RMM agent from an endpoint. We'll get that right; they go into the Control Panel and remove their RMM agent. You can hide it from there, but people with admin credentials have a way of uninstalling applications; it's trivial to do that, especially if you really don't want that RMM agent on your PC. So we have been working on a number of things to make it harder to remove an RMM agent or to kill it. There are ways, like how it works today already: if you try to kill the RMM component that does ransomware detection, it will relaunch automatically, but then there are also ways around that. It is, of course, almost impossible to stop someone that has full system privileges on your endpoints from killing this, and that's what we see with anything, but we see this as another layer of protection. Fortunately, this is still early days for this ransomware detection technology, and most attackers are not even considering that, oh, the RMM has ransomware detection, so they are not killing it. But rest assured, we are taking steps to make it harder for people to do that.

Shiva Maharaj:

You know, one of the things, and correct me if I'm wrong here, that I'd like to see this Datto RMM ransomware detector do is really monitor the Datto RMM folder, because when Eric, when we, and by we I mean Eric, tested a strain of ransomware against the monitor, that strain encrypted the Datto RMM process files, and that effectively stopped it in its tracks. And based on my conversations with Ian, one of your colleagues, and this was a few months ago, well, that folder was not being monitored. And there's also a certain number of files, that we don't need to get into publicly, that need to be changed to trigger the monitor. Has there been any change to the monitor to look after that folder? And I think...

Matthé Smit:

That is 100% correct. So let me... the monitor does check every single bit of the hard drive, unless you exclude it; it is possible to say, I don't want you to check this disk or that folder. However, I think the problem that you're pointing at is, if we corrupt the RMM agent, and ransomware encrypts all the files that it needs, yes, that will effectively be the same as killing the agent, and it will be able to trigger the next step. What we also see is that, even though some ransomware out there tries to encrypt every file on the disk, that's mostly not their intent, like what they want to do, because that doesn't allow the user to see the ransomware note and operate their machine and do the payment. Right. So, but it's true, if you have corrupted the RMM folder, like everything that we need, it will, right now, be able to kill it. That is true. One other thing that I wanted to touch on is, with RMM, we really don't want any exclusions, right? Like, this was a competitive threat some time ago, after the Kaseya breach: certain products out there require exclusions in your antivirus, like, don't scan me, and just trust me. That's not what we need with Datto RMM. You can scan it with antivirus; you don't need any exclusions. And it's actually the case that if you ever decide to deploy ransomware with an RMM component, the scripts, and we see that, the ransomware detection detects that it is causing encryption to happen, it will actually kill the RMM agent. So it's almost like protecting against the RMM agent itself doing something.

Shiva Maharaj:

or that is pretty cool. I guess one question that I have for you. It's more of a feature request that I'm putting you out in the public. So hopefully you can get it rolled out by later today.

Matthé Smit:

Sure, yeah.

Shiva Maharaj:

When you guys isolate, you only allow the agent to call home to the Datto RMM ecosystem. One thing I would like is for me to set a couple URLs that can access the computer and use case would be let's say you are post ransomware incident and you need to do some IR maybe I want CrowdStrike or the CrowdStrike agent to get into the machine or communicate with the endpoint. I know SentinelOne does that they allow you to choose a few services that can connect to an isolated device. Is that something you guys have assessed? Or plan on, including later on?

Matthé Smit:

It's the first time that I've heard about it, but perhaps someone in the team has. It's not it's it's it's a great idea. And I'll definitely bring it to the team. I can't promise on delivery later today. But it's fine tomorrow. Yeah. Now it's something simple. It's a good idea that the question is, like, do you have hold the IPS URLs that you want to allow? Or like, do we want? Like, do you want it to be simpler and like, allow CrowdStrike? or allow this or how that's

Shiva Maharaj:

like, it's simple. Because if you give me too many options, I promise you, I'll mess it up. So maybe you guys work with the popular AV vendors and say, Hey, what do we need to allow us to or what have you, so that post incident, he can communicate with your servers or what have you. And speaking of whitelisting since I've been on Datto, I have not had to whitelist anything, but I'm going to trigger Eric here because I know when he you, he's moving from the Defender to CrowdStrike and Bitdefender EDR loves bringing up alerts that Datto RMM is using the command prompt to launch PowerShell and he wants signed PowerShell. So I'll let him take over there.

Eric Taylor:

Thanks. I'll take it from here. But yeah, this is definitely something that I've been harping on because any EDR with its salt, men even deal with CrowdStrike we're getting a lot of pushback because the EDR will actually block RMM from executing the the Datto agent will invoke command prompt that then invokes PowerShell, through a command lit for a randomly generated ps1 file set is self signed or whatever. So flag go in and say, Alright, nobody is allowed to run unsigned PowerShell at all, it completely breaks RMM. No, like nothing works. Um, so I don't know what the, the fix would be. Because if I, if I go then start adding my certificate, my wildcard certificate to PowerShell, it's only going to work for the ones that I generate in those who are in the Datto ecosystem will know that when you're running RMM, and you're on a pull site, or account variables or anything like that, you're not gonna be able to pass that when you are deploying a ps1 or a module, because there's nothing to pass through. Um, so is there anything on the roadmap of Datto, creating, maybe even their own scripting engine, kind of like, you know, as much as I want to throw up in my mouth when I say this, but like LabTech, Automate has their own native scripting engine, things like that the guild get around some of these things. Is that anything that you guys have been taking to heart that I've been beating the drum on for about a year now?

Matthé Smit:

So let me let me start with the last thing, you said, No, we're not building our own scripting language, which I think is not a great use of resource for us. And it creates like a new attack vector, right? Because you're effectively building something that like, like any interpreter has, like, a lot of weaknesses. So and we know that most of the people that use Datto RMM, most of us these days, they have our, like, smart, smart power users that know PowerShell, they prefer to use PowerShell. Versus like, like a graphical script that doesn't doesn't really make them more more productive. And, of course, we try to cater to the people that don't have that knowledge by including the ComStore and a lot of the fantastic scripts for free. On your in your previous point is, do we consider and consider adding some form of additional protection there where you can essentially sign your own scripts in our Madden or and we sign our own own scripts? Yes, absolutely. That is, that is what we're planning to do. So you like the end goal here is that you would be able to configure your endpoints in a certain way that you only allow signed scripts to run, and Datto RMM will still work. We, we don't want to automatically blanket, like, sign everything. Because we don't think that that makes it necessarily better from a security perspective. And it like, but it's definitely something we're planning to do. There. I mean, there are ways around it clearly, like we've we've seen this in the, in the field where even endpoints that like have like this, this Aussie journal, like on the announced transcripts, run, attackers can go around it, but it's still another thing, like a good like hygiene thing to do. It's just another like, lock to put on your your bicycle, right? It's another another good thing to do. And it's it's, it's definitely out there with with some of the other security things that Ray

Eric Taylor:

so I'll just push back on that. Because there Yes, if you just go in and say, okay, only run encrypted or signed certificates unless you are removing the backward compatibility of PowerShell 2.0. And you're not enforcing only signed, like you can't do but you know, execution bypass command lit where it will, you know, tank, your, your script from running, then yes, you've got to get around. And it's not just, hey, let me just set up this thing. And then, you know, we're good to go. The there's more steps to do. It's just like with anything with Windows, right? So, you know, just because you have PowerShell doesn't mean PowerShell logging is turned on. Right? And just because you have PowerShell logging turned on doesn't mean it's very verbose. So there's always those extra layers you got to put in place to make it work the way it's supposed to work. Yeah,

Matthé Smit:

yeah. It's, it's an ongoing conversation. And perhaps we want to set some time aside in the future to dive into edit a bit more. It's ultimately something that's going to need to happen.

Brian J. Weiss:

One of the challenges I see in our industry is in this kind of gets back to the ransomware detection and even some of the stuff Eric just drilled into the average MSSP out there isn't caring about the things that Eric cares about. Right, they just want to support their clients. I mean, if you look historically, at the MSP industry, we've chosen convenience over security. And so, you know, you take, you take that mentality, along with being told by vendors that, hey, we're going to protect you against ransomware, or our product's safe. And, and they take it. I mean, they don't even add a grain of salt to it, there's like, Alright, I'm secure in the end, then. And then what they don't realize, you know, they don't know what they don't know. And then something happens. And now all of a sudden, you know, the vendor is a supply chain attack vector, right, like we recently saw earlier this year. And so I think it's imperative that, you know, we're careful on, you know, anything to do with security, that we're not over promising and under delivering, because it's very easy to make that sale when you're doing that, and then not making people aware of, hey, there's also best practices that go along with this product, right. And I think, you know, believe it or not, Microsoft, even though they're enterprise focused, is doing a good job, where they've got a security center, and it's telling you, hey, you're using our product, it's got all this security in it. But if you don't set it up the best practice, it's, you know, it's actually more of a threat vector than it is security yourself. So, you know, I'd really love to see vendors like Datto, you know, and I know you guys are already working on this, but but come more to the forefront of understanding that, hey, your tools, while they offer a lot of convenience and make our lives easier. They also it's a double edged sword.
And if they're not configured correctly, or if you've, you know, the push for the MFA was a big, big one that Datto was one of the first to do. But again, it doesn't just stop with MFA people shouldn't be just sleeping at night. Okay, now that I have MFA enabled. So that's a battle I've seen is that, you know, it takes an MSP who's been through an emotional event to understand the importance of security. And so some of them aren't even listening out there or even following best practices. So it's, it's a challenge for the vendor. But at the same time, the, you know, I cringe when I see vendors over promising and giving MSPs that that feel good sleep at night feeling, when really they don't have it. Right. So what does Datto plan to, to kind of implement kind of what Microsoft has across all their products? Where you log into your portal? You know, let's say it's Datto Cirrus? Right, and, and it's flagging you saying, hey, these devices have local logging enabled? Right? You should disable this. Are there any plans for something like that?

Matthé Smit:

Yeah, I mean, there are a couple of areas where this is really important, right? And I think what you're touching on is MSP hygiene. Like is my RMM authored correctly, perhaps I have more admins than I need. And like everybody's a full admin, we see that perhaps we have five people with API access enabled, perhaps that's not working. Perhaps there are no other like restrictions, perhaps you don't have agent sandbox internal, there are a couple of things that we have in feet in the system, that are just really good to turn off. Perhaps they make like to edit an additional step, like perhaps you need to approve something right now. And then as part of our our security best practices and the documentation that we put out, and we say, hey, you need to do this. It's part of the implementation process, but still people like sometimes need being encouraged or reminded because everybody has more stuff on their plates than just managing an RMM. Right? No, nobody's thinking about RMM 24, seven abs, people like myself, well here, but so we like the RMM hygiene is one part. But also, the second part is endpoints configuration, right be the the endpoints is in a certain state, where it is perhaps not in the most secure state. might might happen, like patching is a good example. Like you have a patch or blind state, perhaps not to go blind. But there are a lot of things that you could be doing more perhaps should be doing that are best practice. And I think, in both of those areas, RMM has a role to play, we need to make it easier for you to do the right thing, and to help you do the right thing for your customers and, and it shouldn't necessarily in that case, have to the like, like trade off between security and convenience. You can you can make applying best practices more convenient. And

Eric Taylor:

so you you made a mention a while back that I'll kind of loop into our current conversation where you know, your ransomware module is sending some telemetry back for your team to analyze, is it Datto's plan and I'm hoping you're saying yes, where you are starting to pull telemetry does have some degree around your partners and partner endpoints that will show hey, these are our 10 riskiest partners and starting to really sit down with them like, Look, you need to clean up your house, like immediately, or something needs to happen. Right? So that's going to be a risk to you guys as well. Yeah, if you have, you know, partners or not taken the due diligence assay of securing their own house, you know, one partner gets hit with ransomware, because they weren't secure, you know, Datto's got a bad reputation on the market. So

Matthé Smit:

Well, I mean, if an MSP gets hacked, because of not using to evade this was a few years ago, it makes makes us look bad, right? So the same thing is like with that, like password for like hygiene, right? Like we we have, we are checking credentials against known, like password lists, for example. Um, that's, that's something because we like we take responsibility for the platform. But to your point, like, if the MSP has like an attack like that, it's it's our problem as well, like, and then both the MSP looks at us to also mess up the market. So we can't wait, like we're doing everything in our power to prevent things like that.

Eric Taylor:

Are you getting to a point where you may eventually terminate a partnership because of potential malice from an existing partner?

Matthé Smit:

We might? Yeah, damn, I

Eric Taylor:

love you guys.

Shiva Maharaj:

Question here. One of the things you and I had a conversation about Matthé, when I, when you were kind enough to listen to me babble, before I moved over, you said, or maybe it was even that Datto RMM only allows level zero or level one type data to be read by Datto employees, or that's the only thing that you guys can see. Everything else is relatively zero knowledge. Is that a fair recollection of that conversation?

Matthé Smit:

We have a lot of rules around what people can do. Internally absent listener, like we look at this all the time, what can people see when it's it starts with, I think support access, which is a key part of of the story. Our support, people can log into anyone's account, unless use Galactus. or

Shiva Maharaj:

know where I'm going with this is there's a you have a level a classification level of what type of data can be seen without that support access? And I think it's either level zero type or level one, is that correct?

Matthé Smit:

It could be I'm like, I'm not 100% clear on,

Shiva Maharaj:

there's one one level type of data that you guys can see without support access. Is that a fair assessment?

Matthé Smit:

Well, none of our support people can all they can look up, look you up in the CRM system, but just

Shiva Maharaj:

the data that you collect, because your competitors, they data mine everything you guys don't to a degree now, right? And the reason I asked this is because a little while ago, you said that you're seeing telemetry data from the ransomware monitor. So is that telemetry data outside of that limited access you once had to the type of data you can collect?

Matthé Smit:

No, I think this is different kind of data. So this is it's like, by the way, it's still all anonymized. But we look at the alerts that we're seeing. And we look for certain patterns, like and and that that is telemetry that those like few engineers can access to to improve the detection engine. Are we in situations where someone tells us, hey, you've missed something, we make our MSP send all the data that we need to add something if that's the case, because our engineers don't have access to that level of data. So it's only only the specific under adds some metadata around it.

Shiva Maharaj:

And is that specific to the ransomware monitor, or all monitors

Matthé Smit:

does only ransomware.

Shiva Maharaj:

I just wanted some clarification on that. Because one of the things that I would like to evangelize is a more of a zero knowledge posture with my vendors where they know as little as possible. And that was one of the things I really appreciate about Datto RMM was the fact that it was very minimal data that you guys collected. But I also do want to be mindful of your time. So is there anything you'd like to close out with?

Matthé Smit:

I mean, this has been a great conversation and like it is fard. Like over conversation that we're having on a daily basis. Like it's all about security. I think you guys are winning at all the important parts already. One of the things that you touched on is not everybody's thinking like you do like as an MSP security should be top of mind. It's the one thing you should be thinking about more than anything else. So like, like really listen to like some of the questions that Eric, Shiva and Brian have asked here because ask yourself, hey, are we doing everything? We can our Like are all the things that we're running on these endpoints necessary are we what is our posture towards vendor management? Look, look at the little this stuff. And and outsource if like, if you don't want to do it yourself, because one of the problems that we see is that MSPs, they assume certain responsibility for certain things, and they actually never put in the effort to make something more secure. And it's not like you don't have to be a pen tester yourself, but at least if you implement to take the responsibility of configuring properly and maintaining it, anyway, it's, it's it's top of mind for everyone, I believe in the industry. And this is not about one vendor versus the others, because this is all about the MSP space in general. Like if, if if, say, MSPs get hacked, it makes for the MSPs look bad, right?

Shiva Maharaj:

Trust me, because they as bad, it just makes them look good. I have no, say I say this with peace and love

Brian J. Weiss:

him, it's a want to get back to kind of one of the earlier things I was touching on and that I feel like the biggest challenge in our industry is just, you know, lack of focus on security. And and I think part of it is the fact that small businesses desperately need our services. And if we aren't telling them, hey, we're not going to sell you our services, unless you have a certain level of security, we're enabling those small businesses to go without the security they need. And we're focusing more on convenience and making money, right, versus reducing risk, which takes away convenience and costs more money. So what what I'm really hoping to see vendors do you know, I agree, it shouldn't be a competition of security, particularly between vendors. But I do think that yeah, I mean, if I'm an MSP who's spending the time caring about security, doing the right thing, I want to be able to stand out against my competitors. And I'd really like to see vendors like Datto even go to the point of offering, you know, you mentioned earlier, hey, if you've got a MSP, that's just doing it the wrong way. And as a potential huge threat vector that could make Datto look bad, we might consider firing them, right. But what about promoting elevation? by you know, almost don't know if you want to certify or give some sort of badge, but it's like, hey, this MSP uses our products. They're following all the best practices, we've verified, we've confirmed this, obviously, it's a revisit thing, right? You're doing it maybe yearly, because you could be great one day, one year and not the other, but a way for me to say, Yeah, I worked with Datto. And guess what they consider me their top 10% of MSPs doing it the right way, you know, and it kind of goes along with your Academy, your training, too. It's kind of that whole piece, right? Has Datto thought about anything like that?
Because I think until you help differentiate your partners, from you know, the good actors from the lazy actors, it this problem's gonna continue to happen, right? Or, you know, it's going to continue to happen no matter what, but maybe we can help mitigate some of it.

Eric Taylor:

Yeah, well, look, I cut that one off on Brian, just because we are like Shiva said, we do want to be respectful for today's time. But we'll definitely bring this up. Because we, you know, we did kind of touch on this that, you know, Matthé and the team are looking at, you know, some of the telemetry coming back and starting to have some of the conversations that are next visit our next conversation, we can definitely have Matthé go a lot deeper into that. But again, I know Matthé has been very generous with his time, I definitely want to let him go and say thank you so much for coming on today. It's been a real pleasure and being able to build talk with you and really have a real open and frank conversation that we have a really hard time with vendors now. Mostly coming on and you know, Allah willing to take our criticism, and you know, being able to willing to answer this stuff. So thank you for that. I'd love it. With that. Thank you so much for tuning in to another episode of Cybersecurity Amplified and Intensified. Please, if you have not good to intense, amplified and intensified.com please subscribe to our podcast and give us a review. Let us know how we're doing or how poor we're doing. If you're on the social media, please share this with somebody that you think will benefit, and we'll see you on the next one. Thank you so much.