Listen to "All Things MSP" on Your IT Podcasts!
Eric Anthony:
Joker
Justin Esgar:
Venom. We're not going down that path again.
Eric Anthony:
No,
Justin Esgar:
No. Are we going to have something funny in the beginning of this one? Or is literally me saying, are we going to have something funny in the beginning of this one being the funny thing in the beginning? I think
Eric Anthony:
That'll be the fun. It works for me.
Justin Esgar:
Works for me. What's up everybody? Welcome to the All Things MSP podcast. I'm your host Justin Esgar, and with me always is my good friend and podcast host, extraordinaire, producer extraordinaire. Good friend and pirate. Eric, Anthony. Eric. What's up buddy?
Eric Anthony:
That's right. Pirates everywhere. That's why we call it the all Things MSP Crew, right? Is just because of my affinity for pirates. I'm doing well. Excited about this topic this week. It's been a hot minute since we had a guest. So if you're looking to be on a podcast, please look us up. Atsp link slash podcast. You fill out the form, we make you a guest. It's easy,
Justin Esgar:
Easy peasy, lemon, greasy. Yeah, we do have a guest coming up today. I'm very excited. Why don't we bring them up? Mr. Gene Reich from Traceless. What's up buddy?
Gene Reich:
Good to see you both.
Justin Esgar:
So real quick before we tell everybody why you're here, why don't we tell everybody who you are, Jean, give everybody a two minute rundown on who you are, what is Traceless, and also how many cups of coffee have you had yet today?
Gene Reich:
Okay, good question as I'm drinking one right now. So we've got some fractional cups in the equation. So yeah, so Justin, you and I know each other. We both have Apple focused MSPs. So that's where I started my career in this kind of industry in 2005, right? So own and operate an Apple focused MSP. And then in 2019, after getting completely freaked out about a vector in my MSP, I started Traceless with my wonderful co-founder Peter Segerstrom, who doesn't get a lot of podcast and webinar time, but is a wonderful, brilliant conversationalist and a good engineer. A great engineer. So that's me.
Eric Anthony:
Great
Justin Esgar:
Engineers
Eric Anthony:
Run the world.
Justin Esgar:
Yeah. Oh, that's true. Engineers do around the world. Tell everybody a little bit real quick in one sentence, what is traceless?
Gene Reich:
So traceless is advanced threat protection for modern communication
Justin Esgar:
And for those who want to speak English about it, what do they do? What's
Gene Reich:
It core function? So if you look at the way that we're changing our style of communication in the business world, it's really drastically moved away from email, fax and phone and moved towards more digital and new, not necessarily new, but people are using ticketing and chat a lot more than they used to carry on critical conversations pertaining to their business internally and pertaining to their relationships and collaboration with vendors that they might be engaging or supporting business with. And I brought up facts. It's actually pretty funny. I had to get a copy of a document and it was urgent and the guy at the I R S was like, yeah, I can fax it to you.
Justin Esgar:
I was
Gene Reich:
Like, okay, you have
Justin Esgar:
Email? Yeah, well no, but doctors still use faxes. It's HIPAA compliant. So real quick, the reason we wanted to bring you on Jean, and I'm going to let Eric explain this one better. He knows the details was the other week Eric and I were talking about the MG M breach and we had talked about security and I immediately was like, I need to call Jean, have him come on the show and talk about his product because I think he could have solved the M G M thing for them before it happened. So Eric, give us the rundown on the M G M breach.
Eric Anthony:
Well, from the stuff that I've read and collected, basically what the bad actors did is they impersonated an employee of M G M. They actually looked up the employee's information on LinkedIn and that's the information that they used to impersonate that individual. Then they called into MGMs IT help desk. And in a call that was only about 10 minutes long, they secured the necessary credentials to access enough of their systems to infect them and eventually end up with Okta credentials and I believe administrator access to their Azure tenant. And so with a 10 minute phone call, these people brought down a 33 billion company, basically it's a big deal. This is, yes, the dollar value is astronomical and the effect on M G M is huge just because they're a large company. But this same level of effect, I mean a complete blackout of somebody's systems could happen to a small business because of this exact same problem.
And because I was in MSP a long time ago, this is back when you knew who you were picking up the phone with, you didn't need to have these verifications. But now you don't know all your clients, you don't know all the employees at your clients personally. And so you have to have something in place now that we'll deal with something like this. So this is why we brought Jean on because I noticed some social media that you guys were posting about the M G M breach and some of the things that Traceless does to prevent those types of things. So Jean, can you give us a little more explanation of your understanding of how the M G M breach happened, and then let's talk about some of the things that your standard MSP can do to prevent that type of invasion.
Gene Reich:
To go back to an earlier question's just shy of five cups of coffee today, I guess it's not helping. I forgot to answer that question, but yeah. And Eric, I don't know if you specified this, but it was an MSP who was doing help desk that,
Eric Anthony:
Oh, I did not see that in my research
Gene Reich:
As far as I understand. I mean it's probably not going to get a hundred percent who and whatever, but it's really tough. I mean this is when one of us as a company type gets hit, it's bad for all of us.
And this is actually the impetus for starting Traceless was hearing about vectors that MSPs were experiencing in very sophisticated attacks. And I think all of the attacks that cause great amounts of damage are a real combination of simple walking in open doors or knocking the right door for it to be open and then piecing together complex information. And we as MSPs hold a very fundamental and important part of these keys to castles for all of our customers. And so that was in 2019 we started TRACELESS to have an easy way to send or receive sensitive information without leaving it at rest. Another huge breach this year was the move it breach. I dunno, have you guys talked about that at all?
Eric Anthony:
No, but I did hear about it.
Gene Reich:
It's a total cluster. I mean it's bad, it's bad. It's hundreds of really big enterprise customers, some government customers and their paradigm is securely storing sensitive information. And our paradigm is not storing sensitive information. It's kind of like we're at this place of zero trust everything. Hearing zero trust at an IT conference is almost like hearing generative AI at a developer conference. It's kind annoying to that extent. So we're going to take it there today and say top desk and zero trust sensitive information.
Justin Esgar:
We,
I find it funny, I suffer for this as an MSP when I need to share a password with somebody and there's so many tools there out there we have IT glue, we have one password, and I sometimes have just resorted to texting somebody and I realize that if I've never texted them before, I will cue them up to be like, you're going to get a text message from a phone number with this area code. And then I text them and I say, hi, it's Justin. And they say, hi, it's Eric. And I say, for security purposes, what company do you work for? That's not a security question in any way, shape or form, but part of me is like that's good enough for me to recognize that I'm at least texting the right person and I didn't mistype their phone number and therefore I know it's them and I can give them the password, but it's not the most secure thing in any way, shape or form. And I know there's a lot of people who, a lot of MSPs, what's that website? One-time secret, but in order to access one-time secret, you're sending them a link with a password to the link to the one time secret. So it's just like a catalyst on top of one another. You're not actually protecting any data that's all smoke and mirrors.
The MSPs aren't doing anything actually to help. And I kind of feel like what your product is doing is fixing that problem.
Gene Reich:
We're trying to offer an easy way for people working to make better security decisions. So at the same time, a lot of security is annoying. It's expensive and annoying selling to MSPs is the same as an MSP selling to their customer, right?
Not everyone wants to do the hard work. It's costly. Humans are really tough to manage. If you're a person listening to this, you are in this boat of people are hard to manage. So we try to make it easy for people to make the right decision and give them a tool that also provides a very seamless customer experience. And I think that even when you start talking about deeper forthcoming breaches, a lot of verification is being handled on static information. Read me your badge number, tell me the phone number, tell me your cell phone number, tell me your birthday, whatever it is. And I don't think that that's good enough. I mean the craziest one that we heard of was probably, it's a decent sized mid-market company, three to 5,000 employees are, and they were having people email their driver's license in to verify the identity before being able to do stuff. And the IT department was kind of laughing when we were telling 'em about our paradigms around leaving sensitive information at rest and we're like, gee, this is bad people trying. So shout out to them for trying something, right? But there are better ways.
Eric Anthony:
That's the thing that makes Traceless really interesting to me because I was talking to a chief governance officer probably about three or four months ago, and we were having this conversation about how important it is not to hold on to data that you don't need. And that's exactly from what it sounds like. What you guys are doing is the data only exists for as long as it needs to fulfill its purpose
Gene Reich:
And then it's removed from the internet permanently.
Eric Anthony:
See, I like that part.
Gene Reich:
It's counter to the way that we think about architecture from where we are today. Redundancy everywhere. You want email on 20 servers so that in case five of them go down, you could still email people stuff, but that means your data is replicated to that level and that's a problem for some classifications of data.
Eric Anthony:
Exactly. Exactly. So how does the MSP use traceless? Are you integrating with certain PSAs? Is it a standalone thing? How do we get to that level of better protecting ourselves?
Gene Reich:
Yeah, so on a base level, Traceless has a standalone application anyone can use to send or receive sensitive information. You can get it with a two-factor method with SS M Ss as well. I think one of the nice things about that is maintaining your ability to communicate with people the way that you want to. So if you want send a link through SS M Ss, if you want email them a link, it's fine. Your risk exposure is pretty low. But for MSPs, typically they engage with our integrated product. So like I was saying before, in trying to make it easy for people to make better decisions, the application integrates into ticketing systems. So current integrations are ConnectWise, manage Autotask and ServiceNow. Halo is going to be coming at the end of this year, Justin. So I know we've talked about that. And it takes about 10 minutes to set up integrate, and then you're off to the races.
So from my perspective, that's how most MSPs are using the tool. That's how somebody listening could go and start protecting their help desk and their overall ticketing system. We are very excited for a Slack integration that's coming any day. We're just kind of kitting the last bit of bugs out. It's a really good thing because we're getting into a chat ecosystem, which is a little bit different than the paradigms and ticketing, but we're also really proud of our sensitive data detection application that is coming with that. So very soon, anybody who's Traceless can reduce their exposure to sensitive information being left at rest in these communication platforms, slack teams, ticketing, things like that. So it's pretty fun. We've got a lot of really exciting stuff that we're on the cusp of.
Justin Esgar:
We've talked a little bit the why and stuff like that. So let's walk through this, right? What's going to be the way, I want to send you a piece of sensitive information. I got this really hot ticket item I want to send you. How does TRACELESS differ in the respect? How am I still protecting myself to know that it's you? I understand what your system is doing, I understand it's getting rid of the data when it's done, but even at that, where is the authentication from your side as the recipient of the data? Without going too much into the secret sauce, but how do I know I'm still actually talking to you? What does Traceless require from the end user in this case to prove that they are who they say they are?
Gene Reich:
So we're just doing it. We started in a very simple format with predefined cell phone numbers and SS m s messages. We're moving to deeper authentication application integrations. So we're also very close to launching duo. So if you gate your entire identity ecosystem behind duo, you'll be able to use traceless to send a duo push to verify that person's identity. So that's how it's today. Something to be said though that we haven't even talked about is the future use of voice AI phishing. This is going to be another, all the signs are pointing in MSPs needing to do this work, right? It's annoying, but your access to data for all of your customers, I would argue is as or more valuable than a banking login. So if banks do this, why aren't we?
Eric Anthony:
Right? Because MSPs have access to the banking and then some, yeah, everything you could
Gene Reich:
Ruin a business real quick. Encrypting all devices going in and changing domains email, it is everything. It's the same value that we're selling to our customers. Hey, you use technology every day to run your business. There's not a more critical thing that you could invest in than having that be protected and running smoothly. Hire my MSP. This is the sales pitch, right?
Eric Anthony:
Well, and the interesting thing is, because I've been doing this a long time, I've been doing this so long that back when I started, computers were still a nice to have in the business. They were not a have to have. And so everything didn't revolve around the technology back then. And so it wasn't the risk to the business if the technology suddenly disappeared or was unusable. Today in less than 30 years, that has completely flipped upside down and now a business literally cannot exist without its technology.
Justin Esgar:
I've been thinking as we've been talking about the Smishing, right? SS MSPhishing, smishing, which I've talked about this before. I think we should ban Google Play gift cards from the entire planet. But the amount of people who have gotten that, like hey, they get an email that says, Hey, give me your cell phone number. You give 'em the cell phone number and you're giving your cell phone number to the bad actor. And the bad actor isn't go like, Hey, I'm the C E O, you don't have my number, my secret phone number in your phone book. That's why you don't know this number. I need $1,500 worth of Google Play gift cards. I, I'm thinking about how that whole thing plays out where some person, again, kind of similar to the MGM thing, where they went on LinkedIn, they found out who the people are there, were able to pull names or whatever, but that person who's receiving that text message is blatantly unaware of everyone else in the organization and in some way to authenticate themselves.
Do you see that as the catalyst or do you see that as a place where tracers can stop that from happening? I mean, obviously you can't stop smashing. That's not what the product does. But that whole, the authentication against who, even the C E O is beyond the MSP authenticating for private information. How do we get there and is traceless, I dunno, maybe you are, maybe you're not, I don't know. But how do we get to that point also in terms of providing internal security for clients other than just going over to the intern and being like, no, that's not their phone number.
Gene Reich:
Yeah, I mean, think that again, when we think about protecting communication, it's a pretty deep thought. The opportunity is great, and there are a lot of exchanges that happen that should be underprivileged privileged access to that person, whether it's a personal identifier or a peer-to-peer thing. I mean, I think it's definitely is, sorry, I'm kind of ranting, but it's like we say, and not everyone agrees with this. That identity today is not a hundred percent solved. And I think we're seeing the evolution of identity on the internet and that has a lot of different meanings, but identity and access and the application of that in systems and society is in its early days. So I think that there's a lot to explore in what you're talking about. I wouldn't say it's probably our top thing, but complex methods for identity verification that involve more than just a push or it's definitely on our roadmap and I think it's, we're going to get there. It's going to get annoying for people. It's unfortunate, but this is how it is, I guess.
Justin Esgar:
I mean security, that's where the worst part of security is, right? Because annoying for people and nobody wants to deal with it, and nobody wants to have to put up with it in order to protect themselves from being secure. All I think about is that intro from the original Get smart TV show where he walked through the 45 doors. Nobody wants to do that to be able to go Google what the meaning of eat your own dog food is. Well, the best intros to a TV show ever, by the way. No, no, honey. P Honey, P Jean. Where can people find out more about traceless Online and sign off for your product?
Gene Reich:
So we are going to be moving fully over to traceless.com. So previously in all the existence, it's been traceless.io, but you can find us today@traceless.com and get in touch. Hit me up on LinkedIn. I mean, this was, again, going back to where we started this conversation is an MSP got hit, one of ours got taken down. This is a problem. We are passionate about the MSP space and helping protect MSPs. That is why I started Traceless with Peter. So if something jived with you, reach out. Let's talk and no one's perfect. Also, I mean, one of the things I didn't add is that when I started Traceless, we were emailing passwords. So I'm happy to admit that a practice that we had started 10 years before that never got evaluated. But the second I realized how dumb that was, I was petrified. And that was coincided with how do you know who's calling? Because this was starting to happen in 2019, right? So everyone's on their own evolution, and so I'd just like to encourage people to do their best. It's hard owning a business. It's hard owning an MSP. There's support in the community, so reach out and we could work together to improve the overall posture for us as MSPs.
Justin Esgar:
That's awesome. And maybe we can do an additional office hours episode where you could actually take people through a demo of Traceless. That sounds fun. Sometime in the next couple of weeks.
Gene Reich:
Yeah, it's a warm circle here between the two of you. So I just appreciate you having myself and letting me talk a little bit about Traceless and some of the challenges that we're all facing as MSPs, especially after this breach. I mean, again, this was one of the top breaches of 2023. It's not over yet, but it's at the top, so it'll probably be top five. So we all need to think about what that means.
Justin Esgar:
Yeah. Well that's awesome. Thanks so much, man, for being here, and I'm excited to see what comes with Traceless in the future. I mean, Eric, real quick, between just you and me, I've seen the modality here. Something happens and someone comes up with a product that solves it, which is amazing. I mean, trace, this was around before the M G M breach, but it was based on those kinds of processes. I've seen things, I dunno if you remember, Richard Branson had an island, Necker Island. There was a fire there, and he lost all of his data. And a friend of, actually Jean and I guy, had a backup company and went and then sold him on all of his backup and took care of Virgin Group. These are the things that we got to do, and this is what you could do as an MSS P.
Also, I know as an mssp, all of us think that our wheelhouse is fixing things, but there's ways to go beyond that, and that's what the All Things MSSP group is all about. So find us more facebook.com/groups/all things msp. Go to our YouTubes, it's youtube.com/at all things ssp, follow us on all your favorite podcasting apps, even though you're probably using that to listen to this one unless you're on YouTube, and then you can follow us on podcasts. It's very recursion. That's it for us this week. I'm Justin, that's Eric. That was our guest Gene. Thanks for listening. Bye. What's up everybody? Welcome to the All Things MSP podcast. I'm your host Justin Esker. With me always is my good friend. Podcast pod. Sorry, I usually don't, I'm nervous. I like Gene too much and I'm nervous. I'm getting antsy about him. Alright,
Eric Anthony:
From your host, Justin Esgar and myself, thank you for listening to the All Things MSP podcast. Join the All Things MSP Facebook group or follow us on LinkedIn, Instagram, and YouTube. The All Things MSP podcast is a biz POW L L C production. And even though we drink a lot of it, this podcast is still not sponsored by Liquid Debt.