Cybersecurity: Amplified And Intensified

Episode 30 - COVID-19 and its effect on cybersecurity with Scott Davis

September 20, 2021 Shiva Maharaj/Eric Taylor/ Scott R. Davis

Scott is an innovative senior technology professional with over twenty years in leading IT infrastructure and network security compliance for businesses of all sizes, including six years in managed services.

Scott has in-depth knowledge of multi-year business continuity planning, cybersecurity planning, technology documentation, workflow design, project management, and network design.

Scott’s background and knowledge of PCI-DSS, HIPAA, NIST, GDPR, CIS Controls, CCPA and other state breach notification laws allow him to quickly identify and develop a plan to bring organizations into compliance.

Scott is currently a Sales Engineer with Liongard and an Adjunct Professor with NuPaths, and he also produces and records a twice-a-week video podcast called The Morning Breach.

Scott Davis
https://www.linkedin.com/in/scottrdavispa/
https://twitter.com/scottrdavis
https://themorningbreach.com/

Eric Taylor
https://www.linkedin.com/in/ransomware/
https://twitter.com/barricadecyber
https://www.barricadecyber.com

Shiva Maharaj
https://www.linkedin.com/in/shivamaharaj
https://twitter.com/kontinuummsp
https://www.kontinuum.com/

Shiva Maharaj:

Good morning. Welcome to another episode of Cybersecurity: Amplified and Intensified with your host Eric Taylor, myself, Shiva Maharaj. Today we have Scott Davis of scottrdavis.com. And a little company named Liongard, but we'll get to them later. Scott and company around, aren't

Eric Taylor:

they? We? We need to dive into those guys a little bit. Haven't heard of them yet.

Shiva Maharaj:

So who is Scott and what the Scott do? Yeah. So

Scott R. Davis:

Scott is obviously I'm a sales engineer over at Liongard. Been with Liongard a little over a year and a half, before that six years in the MSP space. Before that, you know, enterprise IT, but all in all, 20 years of cybersecurity IT infrastructure knowledge background. I teach cybersecurity at Harrisburg University here in Central Pennsylvania. Well in tune with the community from different community calls, conversations with Eric back and forth. And really with Liongard I talked to MSPs every day around the globe. So constantly in the know of what's going on, and how does it help people out?

Shiva Maharaj:

So now that I know you're a 20 year expert, because I feel like we all started here in and around year 2000, giving us that 20 year chip? How is CMMC going to save us all when it's only for the DB,

Scott R. Davis:

um, it's not going to save us all, because let's be honest, you know, unless you're forced to do it, you're not going to do it. And even when you're forced to do it, you know, a lot of times you look for ways to get around things. I mean, you look at HIPAA, the amount of health care facilities that I've walked into that say, Oh, we were healthcare, oh, no, we don't follow HIPAA. Or you're missing this, you're missing that, you know, there's always so many pieces of the puzzle. And when you look at, you know, using that puzzle analogy, when you look at what CMMC is, it's that, you know, million piece puzzle compared to HIPAA is you know, is that 100,000 piece puzzle, and the more puzzle pieces you have, the more puzzle pieces that are just going to end up missing or just not fully compliant. And CMMC is still really new, there's a lot of energy around it, because we really do need some sort of a standard. And by saying a standard, it's not like the NIST recommendation standards, but really that standard that's forced upon us. Because at the end of the day, time and time again, we've seen it, it's been proven, businesses don't do it unless they're forced to do it, but

Shiva Maharaj:

we met and they don't do it. Look, HIPAA is a perfect example. Right, and CJIS, criminal justice information. So everyone wants to say they're HIPAA certified or HIPAA compliant, CJIS certified, HIPAA, CJIS compliant, or certified. And mon is you walk into any of these places, 10 ways till Sunday, they are not compliant, which brings us to documentation. So yeah, I have a feeling you might be pro documentation,

Scott R. Davis:

I am pro documentation, it actually all started, I worked a few months under contract job at an analytical lab that, you know, collect the ground samples, you know, did all that biological stuff, but documentation was crucial in that environment. And it all came from that chain of custody, you know, you go out to collect a sample, you know, what happens with that sample, how it was collected, date, time, everything had to be thoroughly documented. And it was ingrained in me there, even though it was a short contract, but how important documentation was to that business as a whole. But looking at it,

Shiva Maharaj:

finished transforming it, thank

Scott R. Davis:

you and transforming that into IT. It's crucial for us all, you know, we're gone way past the days where that one IT guy should be the keeper of all the knowledge in his hat. You know, the analogy of you may get hit by a bus isn't just reality, it's you now you may get stripped by COVID, you may be out for two weeks, you may get sick and not be allowed to go into the office. There's so many reasons why documentation is crucial. And the core aspect of that is information sharing. And that's one of the things Liongard does amazing is it automates so much of that documentation, and ultimately, why I decided to join Liongard,

Shiva Maharaj:

What kind of assets is Liongard collecting for, whether it's MSPs, internal IT or what have you?

Scott R. Davis:

Sorry, my kid got me some allergy. So I'm fighting some allergies home here, but naughty COVID. It's not coming. But I take a trigger test on a regular basis. Thanks. Now, I do take a test on a regular basis just because we have kids baseball or out in the community so much. And that's what my doctor wants me to do. And that's really who I trust when it comes to the matter. But to go back to your question, Liongard is, you know, it's more than just an automated documentation tool. It's really that best practice analyzer for everything in your stack. So we examine firewalls, switches, your cloud services, Microsoft 365, your servers, and we're collecting all this data, dropping it into a JSON format, running best practice analyzers on to that, telling you what's changed. You need change monitoring for, you know, a historical time period. And just putting all that right into your documentation tools, your vCIO tools, you know, it's that really making that gold standard of documentation because your n Tech's don't have to collect it.

Eric Taylor:

So is Liongard, just getting my ignorance here, but does Liongard have agents that are deployed, or is it like, you know, some of your competitors where it's just web based and the technician has to upload, you know, that data for your analysis?

Scott R. Davis:

So if it's behind the firewall, we do recommend an agent. So you know that agent's there to collect it, run the script, encrypt the data, send it to the Liongard portal. But typically behind the firewall, you're going to have an agent installed. We only need one. Gotcha.

Eric Taylor:

So when you when you're looking at that, and we're talking about cybersecurity, you know, we always want to talk about, you know, zero trust and zero knowledge and things of that nature. So like, if we're sending our data to Liongard for analysis, can we trust that data?

Shiva Maharaj:

I mean, can we trust you, but Liongard?

Scott R. Davis:

Well, you can trust me, I think I'm a pretty honest guy. I like saying that the truth is always going to come out. So you can either tell me the truth today, or I'll find out about it in a year or two years, whatever. But at the end of the day, you know, your requirements of what you need your vendors to do, is different than what mine are, what Eric's would be and do a vendor assessment. It doesn't matter if it's Liongard, if it's XYZ, if it's, you know, QuickBooks, do your vendor assessments and know where and how you're storing the data. Outside of an NDA, I can't really get into Liongard's security practices. But I do know, does Liongard have security practices? We do. And what I was just going to say is, when I was at the MSP space, we used Liongard, and I did a vendor assessment on them, and they passed my falsifications.

Shiva Maharaj:

Okay, how would you rate your DevSecOps for Liongard across the MSP space, vendor wise, because I see a lot of new vendors coming out. And security is not one of the focal points of what they do. It's about pushing out the bells and whistles, and especially with you guys, where you're getting near unfettered access to systems with your collectors, I would hope that, you know, better DevSecOps in most of the channel,

Scott R. Davis:

I would say security is ingrained in the culture at Liongard. You know, it starts with day one. You know, we're constantly pushing cybersecurity, looking at the best practices, looking at NIST, looking at what's required across the globe. Again, outside of NDA is it stuff I can't get into. But I will say that it's ingrained into us from the phishing campaigns to X, Y and Z.

Eric Taylor:

Gotcha. So I guess, let's circle back just a moment there, just because I don't want to get too far off that track. But the, when we're talking about zero trust, and we're talking about, I'm losing my train of thought, so you mentioned a minute ago, where unless somebody or a company is being forced to do something, and we made mention of the whole CMMC and you know, the, the whole joke around all that the of course to my screen, we'll have to have some fun editing, sorry, shows. Um, but let me bring this up, come on to your screen, the owners of right, there we go. So we we were bringing up unless a business is required to make a change. And I've made this statement many times, even in our grid, a business is going to do everything as cheaply and as long as possible until they're forced to do so we see those who are on this on the YouTube and there'll be a link down, of course, and the audio version of it where federal agencies are required to do zero trust cybersecurity requirements. We've seen a lot of the stuff with Biden coming out with an executive order, even as executive order, like you said, CMMC is still very, very new. We talked about HIPAA a little bit, where even though we have these compliances put forward, but all of us can walk into any of these type of locations. And, you know, it's a gamut. When when What do you think, either from a Scott Davis personality or a Liongard personality, this going to make people actually adhere to some sort of compliancy

Shiva Maharaj:

or security? Because we know they're mutually they can be mutually exclusive?

Scott R. Davis:

You know, I think I think that's a challenge. You know, I've worked with people that came to me as an MSP after a breach after a security incident. And their nature was still I don't want to spend any money on this. And I mean, the one example that comes to mind is he was using the Comcast modem as his firewall. And even after a security incident, he refused to put a you know, an actual router firewall, whoa, whoa,

Shiva Maharaj:

whoa, oh, we got it. We're not supposed to use Comcast firewalls. Please don't Holy shit.

Scott R. Davis:

I gotta go functionality, but it is not a secure firewall device. But no, I mean, for what you need to do, you know. And I think the messaging, it's it really comes down to the fundamental of education. And it's going to get to a point that if you are an MSSP, if you are an MSP and you're providing services to someone that refuses to take that baseline guideline of, you know, this is the minimum you have to do to stay secure, or I'm not going to support you as long as someone's going to be there to back them up to support them to keep lifting them up. And also, when the insurance side, you know, he had a cyber insurance policy. And you know, they're paying that out. But I see cyber insurance policies are getting stricter, I see MSPs across the globe that are setting their foundations. And if you don't follow those foundations,

Shiva Maharaj:

it's just

Scott R. Davis:

setting that threshold, making sure you're educating the, you know, that end user, that business owner, why cybersecurity is important. When the business owner understand cybersecurity and why it's critical to their business. They put the money into it that needs to go into it, when they don't see it. It's constantly a fight. It's constantly an argument over Why do you need this? Why do you need that. And, you know, at the end of the day, I'm not in it just to sell you a whole bunch of shiny new tools, because it's not about that. It's about putting the right tools in in the right places that that business needs. And that's the core requirement, we all have to think about from the MSP the MSSP, even the IT department side, don't just put the shiny tools and make sure it's fitting little hole, it's patching what you needed to patch. And you know, it's closing one of those gaps,

Shiva Maharaj:

You know, I would throw the vendors under that bus. Because there's absolutely zero barrier to entry. We talk about MSPs enforcing security, we talk about customers having to abide by and enforce security. What about vendors? They are they seem to have cut themselves out of this chain here. And there. You can go to virtually any vendor in any space, whether it's MSP whatever, as long as you hit their minimum, if they even have a minimum, you are now a partner reseller, or what have you. The only vendor, I think that has a security requirement is Microsoft for their partners who enforce mandatory MFA. And that is it. Yeah, I

Scott R. Davis:

mean, cybersecurity is everyone's responsibility. It doesn't stop at the end user. It doesn't stop with the IT department, it doesn't stop at the vendors that you're using. You know, and you're right. I think each each vendor has to set forth minimum requirements that they're going through, you know, what those are what those turn out to look like? I don't have the answer for that. Because every vendor is different. Every MSP is different, every business is different. And that's why cybersecurity can be so intricate, because what matters to me is completely different than what matters to Eric and you know, what rules are in play?

Eric Taylor:

So is there a framework that's out there today, that's able that you think will check 95% of the boxes from a cybersecurity standpoint framework to implement

Scott R. Davis:

I think there's a number of great starting points. I mean, if you look at CIS Controls, if you look at you know, the NIST based practices know, NIST has, you know, a giant book to read. So it's recommending a small business or someone that's not doing anything with cybersecurity to start reading this, that's almost impossible, but CIS Controls in Australia has the Essential Eight, which I think is actually a really good fundamental starting point. Now it's down in Australia and it's required down in Australia. But you know, there's a lot of great resources, there's a lot of amazing people out there that are talking cybersecurity on a regular basis that know the main talking points, you know, make sure you have good security in place, make sure your infrastructure is updated and patched, make sure your software is patched. Make sure you do cybersecurity training because at the end of the day, the weakest link is probably one of your employees that's going to click that link in an email and open up the doors to the hacker

Eric Taylor:

Yeah, I didn't even know about the I'm actually looking at the the website now here. And this is actually pretty interesting. So you know what, from an IR standpoint, when we're going through and looking at stuff we've been starting to actually recommend the SANS Top 20 or the CIS 20, you know, because that it does a lot of stuff in it over the latest versions, especially the one that's out right now, version eight, it touches basis with a lot of security frameworks that I, I agree with and it gets companies introduced into actually making things actually happen. So not only are you applying it, you're creating an SOP. You're educating them and it's a it's like a baby step into Well, I mean, I hate the whole crawl, walk, run type of scenario, but if you can do it in some small chunk at least getting them into it, because dammit something is better than nothing. And you know, me and Shiva talk about this a lot. I just wish something would be done. Hey,

Shiva Maharaj:

I got a question for you. Since you had to bring up the crawl, walk run bullshit. How's that CMMC thing you're doing overpack say, you guys still crawling you walk in? Are you running yet?

Eric Taylor:

I'm not sure what I'm able to talk about.

Shiva Maharaj:

Because I guarantee you I started that thing. And I left that thing just as quick.

Eric Taylor:

I mean there. There's movement going on. I think with all the disasters that's been going on, and the everything that's going around CMMC it's definitely come to a halt. You know there. There are people that are going through the C3PAOs, right? I always think of Star Wars, Star Wars and freakin I'm looking for R2-D2 to start talking about this, but they like, um, it's not as far as I wanted to be in any stretch of the imagination, but even businesses, you know, MSPs and everything, at least being in that facet, it just least makes me feel good that people actually give a shit.

Shiva Maharaj:

Yeah. Okay, but let's take what you just mentioned, and take that out to clients, there's always a reason not to go get finished your compliance here security, just as you said, major incidents are happening. How do we get around that excuse? How do we get people to stop making those excuses and do what they say they're going to do?

Eric Taylor:

I think it goes back to what we've said before, and I think Scott's even been on this. And, you know, we really hammered it. This is really why I wanted him on here. Because I'm with COVID. Everybody's kind of pushed security off to the side. I think from a business standpoint, you and I have talked about this many times, Shiva, that we thought maybe insurance would be the driving force to some of these things. But as your as companies keep getting popped,

Shiva Maharaj:

you know, they're the most secure. What are you talking about?

Eric Taylor:

Yeah, that's why I have two of them in my pipeline today from LockBit 2.0. Because they have RDP enabled.

Shiva Maharaj:

Yeah, but anyway, ransomware deployment protocol, it works. 100% of the time,

Scott R. Davis:

I was gonna say they're using for 3390. That makes insecure. Yeah,

Eric Taylor:

they just wouldn't want it pass all scanners that they don't know what that means at all. Um, but yeah, it's, I think when you go to get a business license, or renew your business license, there's gonna be some sort of framework put together. So you can actually say, Okay, I am adhering to certain standards, I'm adhering to certain things. So I can that I can operate a business. I mean, I know there's some countries out there that are doing that garbage. Because

Shiva Maharaj:

for it, that's difficult, though, because tech changes so quickly. vectors change so quickly, it's really hard. I've always been vocal about making it like the America like the medical boards, you specialize, you get a certification, you're good, you're good to go. But then the more I dug into it, the threats we face today are vastly different from what we faced a year ago, or even six months ago. And how do you wrap a security framework around all that? Yes, there are a few certain basic things you can do that would decrease your surface area for attack. But I think what we need is a rating system, like CMMC, with the levels, whether you call it whatever the hell you want to call it, and let that rate you, you rate your risk based on that. And that's how you get your cyber insurance. And I think if you can't get cyber insurance, you should probably should not be able to be an IT person. MSSP or what have

Eric Taylor:

you. So what is going to be the driving force to mandate that implement gait and mobilization? So what milestone is going to say, okay, have you got to here yet?

Scott R. Davis:

So I think I think there's two pieces to here, I think you're going in between, you know, a government setting a standard for all businesses to, you know, do business, and I think that can be accomplished, you know, with make sure you're patching, make sure you're doing X, Y and Z Make sure your cybersecurity training is so we're a part of your stat, then the other part of the conversation is we're almost going more towards, you know, to become an MSP or to become an MSSP. And what certification process or a reading system or process that's tied into that? Is that kind of, you know, or which track are we kind of going down?

Shiva Maharaj:

I'd go with, I don't want government telling us what to do. I agree, because it works, it works really well with it, that works really well with CJIS so much. So they're worth looking. Yep. Right? I want us to be a self regulate habit, I want us to create a self regulating organization that we all buy into. And we have a group of idiots that come up with our framework of how we operate. But at the same time, if you have, you know, controls one through 20 in place, you're level one, 21 through 40, you're level two, and based on your level, that's your risk profile. And based on that, that could set how much you pay for tools, how much you pay for your insurance, how much you pay for this, how would you pay for that? And also what you can do and what you cannot do. All too often MSPs in this space, they'll go get a Liongard subscription, they'll get a purchase subscription, Blackpoint Cyber, Huntress or any one of those guys, and now they go from being an MSP to an MSSP. Oh God,

Scott R. Davis:

or even worse. I mean, there's some that just come out and just say they're an MSSP because hey, I did cybersecurity for a couple years.

Shiva Maharaj:

Now screw that. It's because they bought Webroot.

Scott R. Davis:

Yeah, so I get that and almost like a cybersecurity scorecard or almost like a credit score for a business but on cybersecurity aspect, um, you know, I think getting something adopted I think is the real challenge with that, um, and then even the by I mean, you look at the state of Louisiana has one of the harshest things because they're making MSPs registered with the state. And that opens up the doors to regulations and things like that.

Shiva Maharaj:

But that's just registered, you're already. here's, here's my heart on for that, right? You're already registered with the state, right? When you incorporate a company, you're either a general purpose business or you're some form of tech company. It's nothing new. It's lipstick on a pig.

Eric Taylor:

But best, but see, like, even in my state of South Carolina, you have Yo, I'm registered as a tech company, but there's no granularity. I could be a software company. You know, I could be freakin doing IoT devices

Shiva Maharaj:

to take a dog that's China, or that's China. And to you, they have a monopoly on that. Let's not try to get their market share here. I think we need to come together as an industry and break down the walls between MSPs and regular VAR consultants. Anyone who fixes computers, for lack of better words, should fall under this and get a self regulated certification by us. And the only way I see buying with this is if you get enough critical mass to start doing this to raise the bar, some would say, where clients start asking, Hey, are you willing to go way back in the day since we're all in this for about 20 years? Are you MCSE certified? Or some version of that shit? Yep.

Eric Taylor:

Is that what pal? Chuck is doing out there? California right now?

Shiva Maharaj:

Do you think I have no idea, I don't know what he's doing.

Eric Taylor:

I know, he's out there doing like Biden and meet with some of the big waves trying to do some sort of policy or something like that. So I haven't really heard a whole lot coming out. Have you, Scott,

Scott R. Davis:

um, I think each state is kind of separate on its own. Because right now, you're not getting that direction. You're not getting that leadership, from the national organizations. And it may be that they don't know how to, you know, start the conversation, or whatnot. I know they're in that model right now of there, there is an issue that's just dump a whole lot of money into it. And, you know, try to secure everyone by dumping all this money into it. And, you know, like I said earlier, that doesn't solve anything, because you can throw you know, a million dollars and be less secure than the guy that's spending $10,000 on security. I do know, I've had conversations here in the state in the state of PA, Pennsylvania, on cybersecurity. Pennsylvania has one of the oldest Breach Notification laws in the nation, not a fact that I am proud of. How do they define breach very, very loosely, and it doesn't require you to report it anywhere.

Shiva Maharaj:

And that in of itself is one of the main problems that's endemic across the entire country,

Scott R. Davis:

I think. But states like California, New York with the New York SHIELD Act, CCPA have really an it's not enforced,

Shiva Maharaj:

but it's not enforced. Eric and I know someone Yeah.

Scott R. Davis:

Chris Henry's certainly be placed on businesses that aren't reporting and aren't doing that I find more about breaches coming out of California that impact Pennsylvania than I do from the news or anything else that your VA because businesses are starting to say, hey, so we don't really do it. But there is now penalties are associated with not disclosing breaches.

Shiva Maharaj:

Are they like, are they like HIPAA penalties where you can just appeal them? And they go away? Probably. Right. And that's, that's the problem, right? Like, everyone wants to talk to talk and say, we're doing this, we're doing that. But no one's actually following up on any of this stuff. You know, New York has basically unauthorized access is what constitutes a breach here in New York City, which is great. But every major company that I've seen not incorporated in New York, because they're all probably Delaware, LLC, or what have you, anyway, there's no indication that data has been exfiltrated. So therefore, it's not a breach. And then you have the narrative. Let's start calling things incidents. Let's not say hacked yet. First. First, it was Let's not say hack, let's say breach. Let's, let's not say breach, let's say incident. What's next unicorns and rainbows?

Scott R. Davis:

Well, I mean, that's just for the media aspect of that, you know, the conversation of you know, hacked became the negative connotation of don't do business with this company, because they're not protecting, then it became breach, your data has been breached. Honestly, I think all three are still usable terms. And I think it's just really about how it's being defined by, you know, the mass, you know, an incident is, you know, that situation that something came up, but we're not really sure the full outcome of it, then you get into that breach where information or data actually was exfiltrated from the network. That's how I classify a breach. And hacked would be that, you know, your entire network was taken down, data was breached, everything you know, is that, you know, epitome of everything has happened here, type situation,

Shiva Maharaj:

Where, Eric, how would you define a breach, incident or whatever?

Eric Taylor:

any sort of unauthorized access to any corporate owned equipment?

Shiva Maharaj:

That's, that's where I'd like to see it, because that takes out a lot of the interpretation, which is what lawyers are paid to do, right, is to thread that needle. There's no

Eric Taylor:

you don't, I mean, just from an IR standpoint, and you know, a pen tester nerd like that. Yeah, I mean, if somebody gets access to a firewall, that's unauthorized access. If you for some

Shiva Maharaj:

reason for that, it's not like something like a Fortinet firewall has a VPN RC that allows people to pull username and passwords. I mean, that shit just doesn't happen. Come on in now, especially when it's three years old and people aren't updating their shit or that will never happen. But hey, Scott, does Liongard tell me that? Do you guys have any type of integration with firewalls in general, and if you don't, and you put this in, I expect that 30% royalty, whereby you guys are pulling the firmware version, and comparing it against the up to date version that's released by the platform, say, hey, you're way behind, or Hey, idiot, you are behind.

Scott R. Davis:

So Liongard pulls data of what is currently out on that device. So we will give you the firmware version, will give you the user names, will tell you have to have phase enabled, you know, depending on the device, there's different metrics. Devices like your SonicWall, your Cisco ASAs, we're actually pulling complete backups of those files and the running config, the startup config. So really, every time Liongard runs an inspection, you're getting a full backup and everything that's going on with that device. What we currently do not do is we're not comparing that to what the current firmware is now, or you should already royalty. If you're a smart vCIO, if you're a smart sales guy, you know what that firmware is? You are not smart. We're MSSP. So I feel like I wasn't MSSP and I did this with DOD smart,

Shiva Maharaj:

are the dumbest of the dumb fact,

Scott R. Davis:

I would look I say, Okay, here's where your firmwares are, okay, here's where you should be exchange guarantee, if you have an exchange server in house nine times out of 10, that's out of date. And that was a homerun, for me to secure that deal. Switches nine times out of 10, I can go to the website, I can pull the firmware version. And I can tell you that that's out of date. You know, the entry point that I had for sales was so easy because I focused on what the current vendor or hurt it person wasn't doing. And it was the simple stuff.

Shiva Maharaj:

Well, that goes back to my premise of IT providers, right, there are a bunch of basic things you have to do really well over and over and your you and your clients will be in a better position. There's a question back Liongard, when you pull that firmware version on there. Are you also telling the client or the MSP when it was installed? Or is it purely a version number? Depending on the device, some devices, we will show the install date? Yes. Okay. Because I mean, that's a nice, quick way to say, hey, this was installed in 2018. I'm pretty sure there was an update now that we're in 2021.

Scott R. Davis:

There's been conversations. The problem is there's not one universal API out there that says this is the latest API everything. Right? So you're going to, you know, in Liongard's case, we have 67, in production inspectors and more in the pipeline. You know, it's going through 67 systems, almost saying, okay, what's the latest firmware on this? What's the latest firmware on this and, you know, to maintain that list, you know, sometimes is out of scope and out of reach. But being able to have that information, being able to quickly generate a report for all of your customers, and saying, Okay, this is the firmware version of all of my SonicWall devices, being able to do that can quickly tell me, Hey, this is what's going what, or setting an alert to say, hey, if a new administrative account was set up on this random server, or this firewall or this switch, I want a notification,

Shiva Maharaj:

You guys are pulling that? We are. Okay. And are you integrating with any SIEMs? Seems as not.

Scott R. Davis:

But we do have an open API. So realistically, a conversation with them into us. We've seen a couple of vCIO tools, Narmada and, what is it, it's, um, Lifecycle Insights, are now pulling data from us into their platforms. So you know, when you have the right data coming in, and you have almost that good standard, or that gold standard of data, and an API to fall into, it's a home run for so many aspects in place,

Shiva Maharaj:

How often is the data updated?

Scott R. Davis:

By default, we pull inspections once a day, the vast majority of inspectors were on once every eight hours.

Shiva Maharaj:

Okay, and where are you dumping those data? That sits in Amazon data centers across the globe. Oh, sorry, not you guys. So you pull the data because, correct me if I'm wrong here, you guys are an intermediary collector. So you'll collect it from the endpoint, the web or wherever it sits and you're dumping it into IT Glue or Hudu or whatever documentation platform, is that correct? Well, we

Scott R. Davis:

pull it into our platform, our platform, obviously liongard.com, but from there, you know, with integrations that can go into IT Glue, Hudu, Lifecycle Insights, Narmada, BrightGauge, Power BI. Okay,

Eric Taylor:

So you guys are not a replacement for IT Glue or Hudu, is that right?

Scott R. Davis:

No, I mean IT Glue has a lot of purpose. I loved IT Glue when I was at the MSP. We're not a documentation tool. We're an automated data collector. And you know, we have the power of taking your configurations or taking your flexible assets and making sure those are constantly current and constantly up to date with, like, Active Directory information, server information, etc.

Shiva Maharaj:

So how are you enriching the data that's already taken by an RMM agent into IT Glue, or a PSA integration inside IT Glue?

Scott R. Davis:

So I think the best way that I describe it when comparing an RMM to what Liongard does is that RMM is almost like a heartbeat monitor, you know, it's constantly checking in, it's, you know, every couple of minutes, it's saying, yes, you're still alive. Now, let's pull in some, some insights and things like that. Liongard really is an MRI machine where it's going through and it's doing a deep diagnostic deep dive. I'm going to tell you, not just how much data store you have, but what shares you have, who has access to those shares, what permissions are associated with them, or the firewall and for that entire configuration down,

Shiva Maharaj:

And you're dumping that into IT Glue? And the reason I ask it, well, it's, it's what I use. So it's all I care about. We can switch it right over in IT Glue, or another tool. Or any plans to bring that into the Autotask PSA documentation platform?

Scott R. Davis:

I believe there's conversations about it. I'm not on the dev side. You have ideas.liongard.com, which is really what I'd say is where dev gets all the brilliant ideas,

Shiva Maharaj:

Is it as, as forward moving as IT Glue's must

Scott R. Davis:

be, no. Liongard is actively in development. Every month, we have new inspectors coming out, we have security improvements, we have enhancements coming, we are constantly building and expanding what Liongard delivers. I can speak, you know, on the ideas portal with Liongard, that I see movement on the ideas that I upload and the ideas that, you know, I place into the portal itself to get movement.

Shiva Maharaj:

How do you, well, how's Liongard been able to quantify the impact it's made on its partners?

Scott R. Davis:

Oh, absolutely. We have a number of use cases, testimonials. There's a whole series of how Liongard can help you actually 10x your team. You know, personally speaking, Liongard was the one tool that I deployed at MSP that actually gave me time back in the day, you know, metric and way. So what I say is, you know, I was going through regularly and trying to do, you know, my analyzing checks, it's like, okay, is intrusion prevention still turned on on my Meraki firewall, is this still here, is this still here? What Liongard was able to do is come in and really be a, what's the, configuration drift manager and tell me when one of those configurations changed. Because Liongard is bringing all this data in, dropping into a JSON format, we use JMESPath queries to pull certain metrics out of it. So you can write your own JMESPath query and say this is the metrics that matter to me, these are the best practices that matter to me. And then from there, you can now create alerts for it, you can do change management going back over a year in history. And that's, I think, is the real power of what Liongard can do.

Eric Taylor:

Well, this conversation has taken a complete left turn than what I've ever anticipated to go today. I was not expecting that. Like I feel we're

Shiva Maharaj:

a little eclectic here from Nashville for add, because we just hopped the fuck around.

Eric Taylor:

We do. But what I mean, it's definitely interesting conversation. So you get a partner, take Liongard and match it to a framework that we've been talking about today. So like, if we're going down CMMC, if we're going down the CIS Top 20, or anything like that, and we say, Hey, we need to map to this, does Liongard help that?

Scott R. Davis:

It does, with the sheer fact that we have the data means that we can do a lot of things with that data. We do have the power of creating reports. I've gone through and I've created a report for Australia's Essential Eight, for example. Now does it capture every aspect of everything that, you know, Essential Eight is looking for? No, because Liongard's not designed to do everything. You know,

Shiva Maharaj:

it doesn't capture everything that Liongard would do for that essentially? Yes. Okay. So I mean, that's where the benefit is, right? That's the benefit, because we help them a lot of the boxes. And compliance is more than just IT. Compliance is more than just IT. Right? And are these reports readily available on the platform? Or is this something everyone has to build out? Or hit you up and say, Hey, Scott, can you send me that good report ship,

Scott R. Davis:

They are super easy to build. It's really, it's just going through, selecting what metrics you want to see in the report and dropping it in. There's also multiple ways to view the data inside of Liongard. And with the API, and integration into Power BI and BrightGauge, you can get that data right into other reporting tools that you're using to that,

Shiva Maharaj:

Can you give us a sample report for the Australian eight that we can add to the show notes so people can see what we're talking about? Doesn't have to be now because we're on a demo thing, but just we can share it out with them so you guys can see what Liongard and Scott can do for you guys. Should be able to put something together for you. Cool. Now circling back to COVID. How do you think COVID has affected cybersecurity? Because I know that's something Eric is very much interested in and so am I

Scott R. Davis:

Yeah, I mean COVID, I think, awoke a giant in cybersecurity and technology as a whole. I mean, we've gone through, you know, hundreds of years of, you know, business as normal, as you go to the office, you work your eight hours a day, you take a lunch in there. So you're there for nine hours, and you turn around and go home. And, you know, COVID, when it first happened, and there was this massive shutdown of going into the office, and you know, no longer, you know, you know, being in that office space, you know, IT departments were forced to quickly adapt or really shutter their business. We saw many, many MSPs that had tremendous growth during COVID, because IT departments that were small IT departments couldn't handle that transition in a secure fashion. So I think the beginning stages of COVID, you know, I think it was great for IT. Then you have, okay, COVID now, and, you know, COVID was such in the news that it was easy for the cybercriminals to create phishing campaigns around COVID information, because everyone was so desperate and had to know what the latest counts were, what this was, what that was. It was super successful to create a Fox News headline and put out latest numbers based on your state link. And people were clicking on it at record paces, because the need to know what was going on outweighed the risk of cybersecurity. And you saw phishing campaigns, ransomware, you know, these techniques that weren't new when COVID started, but really took a new height in measure. It was, you know, 2019 that the first ransomware variant actually started extorting information and saying, hey, if you don't pay the ransom, we're going to share your information. You know, that wasn't new with COVID, it was already there.
But the success of it grew dramatically, simply due to the fact that now IT people were coming together for their meetings, they weren't coming together in an office space, they were sometimes so busy adapting teams to departments that, you know, didn't have the capacity to do it. Or pushing out all these new IT policies or just collecting laptops and getting them out to people that all they had was desktops. Cybersecurity fell down to a second measure, but then really started picking up after, you know, things started settling down on that front. So I think COVID is always going to be remembered as, you know, both good and bad in the IT industry for those two things. One, this year breach of breaches of information that have occurred since it has happened, but also in how technology has advanced to what is becoming really this modern workforce, because many businesses are never going to go back to 100% in the office. Yeah, so

Shiva Maharaj:

me, good. So speaking of that, Microsoft just, I don't want to say released or announced, apparently Microsoft has decided to stop forecasting when COVID is going to be done to the point where they can send their workers back into the office, and they're just taking it as a month-to-month basis, which I think is all you can do because we've had these cyclical waves for the last 16, 17 months. How do you see that impacting security? And the reason, and the reason I ask this is because when COVID started, every IT practitioner started talking about, forget securing the perimeter, we have to secure the identity. Then in the last few months, we had a few CVEs that are remote code execution that led to privilege escalation. So now it's no longer, now I just don't think it's secure the identity, now I think it's secure everything, which is what it should have been all the time. What are your takes on the not knowing where we're going? Or when we're going back to the office?

Scott R. Davis:

Let's be honest, you know, none of us are fortune tellers. None of us can tell you what tomorrow brings,

Shiva Maharaj:

Fred McCall has to say is,

Scott R. Davis:

Okay, well, that's awesome for him. I think it comes down to having great, you didn't buy procedures, I did not play. I think it's great to have, you know, great policies and procedures. And it's not about COVID. It's not about the flu. It's not about this. The one thing that I talked to people about right when it was happening is they're like, this is a great opportunity for you to update your infectious disease policy. What happens if an infection breaks out, and it could be the flu, it could be 10 years from now, and it's something completely new, but having that policy and what thresholds set for when you put a mask on? Or when you say, Okay, guys, everyone's working remotely for two weeks. And what are the feedbacks? Or what are the metrics that determine when you go back to that normal state when everyone's coming back? I think the big issue is right now is the lack of communication of what that endpoint looks like. You're not getting it from government. You're not getting it from the States. You're not getting it from businesses because no one really knows what the answer is. I think an infectious disease policy should be one that's when everyone in a in business continuity plan, you know, having those baseline policies that we talked about so many times there, you know, if you don't document it, you don't know how you're going to react if it happens, but you know, COVID is not going away. And I think it's tough to say that but the reality is, you know, I'm hearing about the new Mu variant, or this variant, or that variant, like COVID itself is not going away. I remember looking at the spray cans of Lysol when COVID-19 first hit, and it said right on there that it can prevent against COVID. But it wasn't that it can prevent against COVID-19, it could prevent against, for the older strains of COVID. It is almost like the flu, but it is more severe and more damaging, you know, potentially to some classifications of human beings. So there are differences.
I'm not saying it's not a serious threat, because it is. Anything that can kill people en masse is a serious threat to, you know, the population, but we can't think of it as, Oh, COVID is going to be over in 2021 or COVID is going to be over in 2022. Or by November 14, you know, everything is going to be better in the world. There is no return to normalcy, you know, it's live your life the way you want to live it. You know, if you want to live your life in fear of, you know, something you can't see, live your life in fear of something you can't see. If you're afraid of driving, don't drive a car. If you're afraid of flying, don't fly an airplane. You know, there's so many fears in the world, you know, pick and choose the ones that matter to you. But at the same token, don't give up living your life to, you know, be run by that. And, you know, I'm not trying to turn into a COVID conversation. It's just the same thing of cybersecurity, you know, find what fears matter to you. And you can do it either by guessing or having good data to back up what you're putting your money into.

Eric Taylor:

Yeah, that's always what like one of the freshmen I'm not doing an incident response case, and I'm coming in and, you know, they want to talk about cybersecurity. My one of my first questions are is, what is it about your network that scares the hell out of you? You just told friggin No, um, and I think COVID really escalated people's lack of policy creation and putting things together. So you know, it really was, you know, that we didn't have a certain policy to do X, Y, or Z. So we just did it all over the place, you know, and massive numbers now. And it really, I think, made us more insecure, as a company, because now you have a deal. Let's just say, you know, Apple, for instance, I don't know what they're doing over there. But you I know, for a fact, they probably have at least half of their workforce coming home. But are they using company devices? Are they? You know, are those endpoints protected? Are they managed by Apple Inc. itself? You know, he damages us as a brand example, he'll insert company name years that of Apple, you know, if that one employee gets popped, you're potentially able to go right across the VPN. Some users are even storing their VPN credentials, because it's not LDAP integrated or MFA'd. So I think this really makes us more insecure, and really needs more of a security framework to be implemented going forward. Cuz, you know, they, again, we're not trying to get massive vo COVID. But I think it's getting there a little bit, and we'll definitely stay politically out of that. Um, because, you know, Eric, we can all have different opinions. Right. So, you know, the whole two weeks to flatten the curve was never really two weeks, you know, clearly we're this far into it. Yeah. There, we're clearly going to be with COVID for quite some time.
And it clearly seems now that we're getting closer to fall, if history shows us anything over previous infections that, you know, come out, you know, with, you know, SARS, and smallpox and everything, you know, the colder weather definitely makes it more rapid. So, are we about to go potentially into more of a remote workforce again? Absolutely. You know, whether we do lockdowns, or whatever, is a different discussion. We're not getting into that. But, you know, he booked more and more in a remote workforce situation, I think is going to be a lot more prevalent in this time moving forward. So what do you think is going to help businesses that take MSPs out of the equation, but if you're Jo mama plumbing company, you know, what is, what would you say will make businesses more secure, so you know, they feel a little bit better protected because you every day literally love I shouldn't say every day, but every time I get in, it's a response. I feel bad. I do. Because it is they feel as a business owner, they are under attack. They have personally been violated and I get it. So what would you think businesses should do as a minimum to start having these conversations with MSPs, with their, quote unquote, technology

Scott R. Davis:

Well, when I would say if your provider that you trust to secure your network is having conversations with you about security, then it's probably time to shop around and look for someone that will have that conversation with you. And it may not be removing them from the picture, it may be adding an MSSP just to handle the security stack, and leaving the MSP, that you may really like to handle that day to day stuff that they're doing well for you. Um, it's, you know, making sure that you're having those conversations, at the end of the day, you're the business owner. And at the end of the day, your business hinges on the decisions you make to keep it afloat. If you choose to do nothing with cybersecurity and you're attacked, then you're attacked. And that's 100%. The choices that you make, it'd be the same thing, if you choose not to get insurance on your car, and you're in a car accident, you have to, you know, cover all that expenses of you and whatever damage caused to others out there, it's making sure that you understand the risk that you're under, at the end of the day, you're already under attack, you know, it's not you haven't been attacked yet, it's that an attacker either hasn't gotten through, or you just don't know that an attacker has already gotten through, because at the end of the day, most of the times, it can be months, until a small business understands the fact that they were under an attack ransomware made that almost instantaneous, because hey, my goal was to put this ransomware on you and get a payday. So it kind of highlighted that, hey, it happened sooner. But even more ransomware variants are taking more time. And when they put that ransom script in play, they're sitting on your network, they're collecting information, they're building the puzzle of who you are oftentimes unnoticed. 
So I think the core pieces, I think you need cybersecurity education for all of your staff, from the janitor that has the username to track his time the whole way up to the CEO. If not everyone is on board, understanding cybersecurity is important, then your policy is going to fall apart and fail. Especially if you don't have buy in from the management team on why they need to do cybersecurity, you're going to have issues getting this team and the staff members to follow suit. You need to make sure you're patching your Windows systems, the software in place, firmware versions, you know, across the line. If it's a piece of hardware, IoT device, whatever on the network, you need to make sure that it's being patched and updated. Next, you need strong policies. When you see people coming back into the office, you're going to see an influx of new devices appearing on your network, people that comfortable working from home with their electronic photos, you know, that photo frame, that IoT device, they may try to bring in their Amazon Echo or their Amazon device, you're gonna see smartwatches, you're gonna see phones. You know, I remember when I got into tech, one IP address was really one person, because that's what they had. That's what money could afford you to add. Today that average user is probably using between four and six IP addresses. When I look at just my office space here, I have three computers, my Apple Watch, my phone, my iPad, you know, I'm up to seven IP addresses. And that's not even counting the IoT devices that are VLAN'd out that are doing my home automation. So it's looking at security in a different way. But making sure you have policies and procedures in place and the end users know that, don't bring in your personal photograph, your picture frames, your electronic picture frame, like no IoT devices on the corporate network, or set up a VLAN network that's just an internet connection, slower speed, for those IoT devices.
So we have cybersecurity training, policies and procedures updated, making sure that you're patching, updating your devices. I would say, I think that last point that, you know, I would probably hint on is just making sure everyone understands that cybersecurity is their responsibility. And it's not just company information that you're protecting, but it's also that HR drive has their information in it, so if the company's breached, their data is breached with it. And I have found in messaging that to end users, sometimes that resonates, because now it's not all you're doing is protecting the company, it's protecting yourself too.

Eric Taylor:

The biggest thing I can always stress out is if you don't know, ask questions. If you're not getting the answers that make you feel all warm and fuzzy and happy like a Care Bear, start talking to somebody else. Yeah, right. Because I mean, you are trusting people with your business, your livelihood, you know, even so if you're a business owner, you lay awake making sure you can make payroll. What if your network is taking off so you can't make payroll process? You've got so many lives dependent on you. While you're, you know, just leaving the back door open.

Shiva Maharaj:

I think that's because a lot of business owners don't know what to ask. They don't know what to look for. That's why they're hiring outsourced IT, so they don't know what they don't know. And usually it's too late when they find out

Eric Taylor:

Yeah, you got anything else Mr. Shiva?

Shiva Maharaj:

Yeah, that's it for me. Scott, I hear you have a podcast. What is it and how do we get to it? Wow, I

Scott R. Davis:

have a, I have a whole sorts of things. So obviously check out liongard.com if you're an MSP, if you're struggling with documentation, if you're looking for a way to really analyze those best practices across your entire stack, check out liongard.com. Definitely reach out to me, Scott Davis at liongard.com, if you have questions as well. But outside of that I do, when time permits, I do have a vlog, it's called The Morning Breach, themorningbreach.com. I'm also founding the Cybersecurity Association of Pennsylvania. So a lot of my time has been going into that nonprofit. And, you know, doing that kind of up in conversations with what's going on in the industry with lobbyists and legislators here in the state of Pennsylvania. I also teach, so I'm actively teaching. Again, that's at Harrisburg University.

Unknown:

You know,

Scott R. Davis:

the end of the day, I'm involved in the cyber security community from the moment I wake up to, you know, the middle of the night as I'm dreaming about it. You know, my wife and kids, they're great. They're tremendous supporters of everything I do everything I promote. They do so much with me and you know, I wouldn't be able to do what I do in the community, if not for their support. So, as I'm sure you both can attest to this, just another

Eric Taylor:

prime example. If you don't love your work and cybersecurity, you don't wake up dreaming about this and wanting to do it please for the love of God. Don't get into it.

Shiva Maharaj:

Ted, everyone's a cybersecurity expert. Just go on to Clubhouse and you will see how many of them there are a week we went down that whole rabbit hole that was a man that's what started this thing. So

Eric Taylor:

he's not lying either.

Shiva Maharaj:

We started up VSA sarb rooms and Clubhouse, record them, throw them on here and hey, we got a podcast, because you know we want to be the next Joe Rogan though we all know that guy can dream What can I say? secure

Unknown:

yeah

Eric Taylor:

All right. Well, ladies and gentlemen, thanks so much for tuning in. Thanks again, Scott, for joining us. It's been an interesting conversation. You know, we have, like I said, we had a topic that was going to go and like normal we go ADHD, you know, this show goes on. If you enjoyed it, please share it out, please. If you go to amplifiedandintensified.com, subscribe to the audio version, go to youtube.barricadecyber.com for the YouTube version. And if you have any questions or anything you want to talk about, please email us at info@amplifiedandintensified.com and until next time, take care buddy