Listen to "All Things MSP" on Your IT Podcasts!
[00:00:09] We got an interesting ticket like this morning. It came in from, you know, person at domain.com, which is a client who we take care of. However, they must have typed their own email address wrong because in Halo it auto pulls up what client they're supposed to be a part of, like what parent organization and it didn't.
[00:00:34] They typed in, because they're a nonprofit, they typed in dot, dot, dot, instead of O-R-G, zero R-G. They wrote in third person and they left it with please text to help third person. So like, let's say it was like, like, so let's say it was you sending in the ticket and it was like, Eric's computer keeps freezing up. Please text Eric to help me.
[00:01:03] And every bell and whistle went off.
[00:01:05] Oh, of course.
[00:01:06] Hold on.
[00:01:08] Wait, wait, wait a second.
[00:01:12] So I had my team reach out to the point of contact at the client. And yes, this person is real. And yes, they don't know how to use a computer. And yes, they wrote in third person because that's how they write. And I was like, okay, we'll reach out to them.
[00:01:25] Um, but like my tier one tech was like, is this real? And I was like, looks weird. And so like, I had like three other people on my team look at it and we all like notice little things. And then I was like, you know what? Just call the champion over the client and be like, is this real? And see what they say. And if they say it's okay to go. Yep. As they say, see ya.
[00:02:22] And I'm like, I don't know.
[00:02:23] I don't know.
[00:02:49] Sorry. Sorry. If you're driving a Miata. Um, these things are great. Uh, uh, I have a client we're doing an install on Monday. Um, and we ordered them for them, but I guarantee you they're not making that we ordered and shipped everything to our old office and they're moving to a new office.
[00:03:06] We guarantee that this is not making to the new office because they also sent me paperwork from the building that have like, I had to fill in like a COI for like installation thing. I'm like, we're not installing anything. We're not doing anything that the building should care about or even know about. Um, and these things are great. Cause like it's a 1U. We bought, these are the Rex, the duos. They're 1U, this squeezy part just clips right into the square.
[00:03:29] And then you have the two bars that stick out and you have these little, these little caps that screw on and these things are great and they're amazing. And they save so many fingertips and issues when it comes to, uh, is it an M5 screws and an M6 screw? Is it a whatever? Um, I love those things. I have them. The only reason I want to talk about them because they're on my desk. So I remember to bring them on my day. Hey, I've heard a lot of people say really good things about them. It speeds things up. Just makes it easier. Again, you don't have to worry about the
[00:03:59] screw thread or size, you know, all that stuff. I don't like, I have their singles, right? The regular rack screw, uh, studs. And I don't really like the singles as much because they're a little bit more of a pain in the butt to get in because you have to get this like red one, like through in a certain way. And the problem is that they have multiple sizes of this one, which is weird. Did they get this through? And then you have to get this yellow cap, which you can't really see on camera, like on it.
[00:04:29] To clip it in. And then you put the screw cap on. But like, I like the duos. The only problem with the duos is that they're only 1U. I would love to see racks. Let's make a 2U unit. Um, which I understand would be scientifically speaking complex. Um, you know, because it's plastic, but I would love to see like a two unit come out of them for things, especially because like we do so much UniFi.
[00:04:56] The, the power distribution unit is a 2U unit. Everything else is 1U, right? Switch, firewall, 1U. NVR, 1U. Whatever. But the, uh, the PDU is a two unit unit. So I would love, I would love to see them come out with some sort of two unit device. Um, that's all I got. Okay.
[00:05:20] If you're struggling with the complexity of Microsoft 365 deployment management and automation, it's time to check out CoreView, created by MSPs for MSPs.
[00:05:31] And, uh, they, they help you with the end to end Microsoft 365 administration from the moment you set up a new tenant. Packed with things like unified visibility and control of all your tenants from a single UI to powerful, no code automation engine, baseline tenant configurations, drift remediation, and much more.
[00:05:50] You can supercharge your productivity and do even the most time consuming tasks with just one click. Work effortlessly and deliver best practices to your customers today with CoreView.
[00:06:03] To learn more, visit atmsp.link forward slash core view.
[00:06:08] What's up everybody.
[00:06:09] Welcome to the all things MSP podcast.
[00:06:11] I'm your host, Justin Esgar. With me always is my good friend, podcast producer extraordinaire, man with a plan, pirate, Mr. Eric Anthony.
[00:06:20] What's up dude.
[00:06:21] I'll just, uh, getting ready for a weekend.
[00:06:25] Yeah.
[00:06:26] Uh, any plans?
[00:06:28] Yeah.
[00:06:29] We're going to a, uh, a wedding reception.
[00:06:32] Not just not the wedding, just the reception.
[00:06:35] Well, so the wedding already happened.
[00:06:37] It was in Scotland a couple of weeks ago.
[00:06:39] Oh, okay.
[00:06:41] And then, uh, there, they came back cause they're, one of them is from here, you know, from the U S one of them is from Scotland.
[00:06:49] And they got married.
[00:06:51] And so in order to have a party for their friends over here, they decided to have a reception.
[00:06:58] So we're, uh, actually, as soon as this recording is done, uh, we are hopping in the car and heading to Virginia.
[00:07:04] Oh, nice.
[00:07:06] Um, I, uh, my weekend is going to be video games with Roman.
[00:07:12] That's it.
[00:07:13] Sounds like fun.
[00:07:14] Sometimes you just need that.
[00:07:15] You know, you need a day.
[00:07:16] Like you got to take time off yourself, little mental, little mental readjustment.
[00:07:21] Uh, it's tough when there's, um, it's tough when, you know, being the owner of the company, right?
[00:07:27] Like the weakest is, uh, it spends you out, right?
[00:07:31] A little bit.
[00:07:32] Um, and, uh, as everybody knows, we record this on Fridays.
[00:07:37] So this is what is funny is that we record this on a Friday afternoon and they still get
[00:07:42] like this version of me.
[00:07:44] Like, I'm wondering if we ever moved a question to the listeners.
[00:07:47] Can you tell when we record not on Fridays other than the times that we've said it's not
[00:07:50] a Friday, just based on this stuff I talk about.
[00:07:53] It's possible.
[00:07:57] Justin sounds smarter today.
[00:07:58] Must be Tuesday.
[00:07:59] Um, speaking of smart people, we have a lot of smart people in our Facebook group, facebook.com
[00:08:05] slash group slash all things MSP, which means it's time for from the group this week.
[00:08:18] Trey Ward.
[00:08:19] Hey, Trey.
[00:08:19] Right.
[00:08:20] I'm an IT specialist and videographer starting a video production company to help MSPs build
[00:08:24] trust and credibility with their clients.
[00:08:27] What problems do you think videos can help solve in your business?
[00:08:30] I like this question a lot because I think a lot of people have talked about this.
[00:08:33] Uh, Gary Vaynerchuk has talked about video for the last, I don't know, insert amount of
[00:08:38] years.
[00:08:38] Gary Vaynerchuk's been in business just on different platforms.
[00:08:42] And I think not enough people take advantage of this.
[00:08:47] I would say that, uh, a lot of people have attempted YouTube channels, including Virtua and have
[00:08:59] failed at it just because of the amount of time it takes.
[00:09:02] And a lot of people don't want to pay someone else to do the work.
[00:09:06] So their niece, like I have yet to find the balance point between the two, but I can tell
[00:09:11] you that the number one video we have has like 70,000 views.
[00:09:16] And like the number two video has like 500 views.
[00:09:19] It's because of what the content is more than anything else.
[00:09:23] And the number one video we have wasn't even content we wrote.
[00:09:27] It was syndicated content that I just turned into a video.
[00:09:29] Like I literally read the syndicated content and my video at the time, make a really awesome
[00:09:34] video.
[00:09:34] And the funny thing is I have friends who have the same syndicated content, have the same
[00:09:38] video and ours beats theirs.
[00:09:41] Well, it just goes to show you that execution matters.
[00:09:44] Right.
[00:09:45] And you know, video is one of those things that some people like it.
[00:09:48] Some people don't.
[00:09:49] Yeah.
[00:09:49] And I do think that video has a place in every marketing arena in this particular question,
[00:09:58] though, in terms of how videos can help specifically in the MSP business.
[00:10:03] I think there's a lot of knowledge share that needs to happen between the MSP and the clients
[00:10:10] or prospective clients.
[00:10:12] And video gives you the opportunity to do that.
[00:10:15] And more specifically, I think because a lot of us, you know, have lived the last four
[00:10:22] or five years on Zoom, right?
[00:10:24] We, and even longer for people who work remotely, that it's an easy format to do a podcast like
[00:10:33] we're doing.
[00:10:34] Yeah.
[00:10:34] Right.
[00:10:35] And so you can do a podcast, you have plenty of topics, and you could just do a half hour
[00:10:41] podcast a month.
[00:10:42] You don't have to torture yourselves like Justin and I do.
[00:10:45] It's by trying to do one every single week.
[00:10:47] But here's my point.
[00:10:50] You do one podcast a month, 30 minutes long.
[00:10:55] You can use a program like Opus Clips to get a whole bunch of little Facebook reels,
[00:11:03] YouTube shorts, whatever you want to call it.
[00:11:06] And now you've got extra video content based on the original recording.
[00:11:10] But now you've got other little pieces of content to post across social media for the rest of
[00:11:16] the month.
[00:11:17] You can also take, because a lot of these software applications like StreamYard, which is what
[00:11:22] we use, will actually do a transcript for you of the podcast or whatever the video recording
[00:11:31] is you're doing.
[00:11:32] And then you can take that transcript, run it through something like ChatGPT and have it create
[00:11:39] a blog article for you or create short form posts on social media.
[00:11:45] So from one piece of work, you can create a whole bunch of derivative works by which you
[00:11:52] can inform your client base, inform your prospect base, get you more well known in those communities
[00:11:59] like Chamber of Commerce, Facebook groups, LinkedIn groups, stuff like that.
[00:12:04] And so I think it's very useful in terms of doing that kind of thing.
[00:12:09] What's funny is, as you were talking about this, it reminded me about something going
[00:12:12] back to Vaynerchuk for just for a second.
[00:12:14] He, I looked at it, this is from 2019.
[00:12:17] So this is even before the pandemic.
[00:12:19] It's actually November of 2019.
[00:12:20] So weirdly right around the time.
[00:12:22] How to make 64 pieces of content in a day.
[00:12:25] And literally he wrote a 270 page deck with how to take one big piece of content and break
[00:12:33] it up into 64 things or how to buy and making some things screenshot your Twitter interactions,
[00:12:41] post it on Instagram, screenshot, you know, the notes app when you write instructions, put
[00:12:47] all these things together.
[00:12:48] And, and, and basically it's like his, I think he has another one called the $1.80 strategy.
[00:12:52] Yep.
[00:12:53] It's the same thing, right?
[00:12:54] You could do a podcast like this where you're interviewing other people.
[00:12:59] You could be just interviewing your staff.
[00:13:01] You can do podcast style.
[00:13:02] And the number one rule is video isn't for everybody.
[00:13:06] Audio isn't for everybody.
[00:13:07] Text isn't for everybody.
[00:13:08] So you just take one video and you output the audio, you output the text, and now you've
[00:13:14] created a much bigger thing.
[00:13:15] So to, I want to, let's bring this back around here, right?
[00:13:18] Because the original question was like, what problems do you think videos can help solve?
[00:13:22] The answer is all of them.
[00:13:24] And I think Trey, if you're going to try to produce a solution for MSP owners, you can probably
[00:13:32] standardize a little bit of their things.
[00:13:33] Here's how you onboard with MSP.
[00:13:37] How do we get, how do we get started with you?
[00:13:39] Here's what a normal bill looks like.
[00:13:42] Here's the kind of tools that we use for protection as of 2024, right?
[00:13:46] Because you're going to update that one every year.
[00:13:48] Here's what it means to, when we say send a ticket, what does that mean?
[00:13:52] You know, you can do a pretty generic concept that every MSP is going to need to have, record
[00:14:00] those stylings with every MSP and let those MSPs break them up and do so.
[00:14:03] So there's a lot to be said the way that that works.
[00:14:07] Yeah.
[00:14:07] And along that vein, training is a great way to use video, right?
[00:14:12] It's obviously video you're not going to release to anybody.
[00:14:14] You're still going to use it internally.
[00:14:16] But there's a book, and I forget the author, called Buy Back Your Time.
[00:14:20] And one of his hacks is when he's doing something, he records it on video so that he can give that
[00:14:28] video to somebody to train them on how to do what he just did.
[00:14:33] And as you evolve, you can actually do that where you hand it over to somebody who's in
[00:14:38] charge of the processes in your business, and then they take that video, edit it, you
[00:14:43] know, get all the fluff out.
[00:14:45] So it's just the pieces that need to be in there.
[00:14:48] And it's a great way to make sure that you're capturing exactly how you do something when
[00:14:54] you do it, whether it's a business process or a technical process, and be able to communicate
[00:14:59] it to other people.
[00:15:00] Yeah.
[00:15:00] So videos are great, but also don't leave out other methods.
[00:15:04] Trey, that's a great question.
[00:15:06] Thanks for asking.
[00:15:07] If you want to be from the group or have us read your question on this amazing show, both
[00:15:11] video and podcast form, and I think Eric makes these into text, and uses Opus AI and cut
[00:15:16] this up.
[00:15:16] See, it's all about experience, folks.
[00:15:18] Go to facebook.com slash group slash all things MSP, ask your question, and one day
[00:15:23] Eric and I will be doing our research for the next episode and go, hey, that's a pretty
[00:15:26] good question, and we're going to do that from the group.
[00:15:51] You know, we always talk about this.
[00:15:57] It's like, it's Friday, and it's Friday afternoon.
[00:16:00] We don't want to say in the cold open, right?
[00:16:01] That like, it's Friday afternoon, and I'm not always there.
[00:16:04] And you know what really helps?
[00:16:07] It really helps in situations like that?
[00:16:09] When I don't have to do all the talking, because we have a guest, and I love it when we have
[00:16:12] a guest.
[00:16:12] And even better than that, we have two guests.
[00:16:14] Let's bring them up.
[00:16:15] We have Adam Bennett, CEO of Crosshair Cyber, and Eric Weiss, CEO of ECW Cloud Solutions,
[00:16:22] not to be confused with ECW Wrestling.
[00:16:25] Welcome, gentlemen.
[00:16:26] Thanks for being here.
[00:16:27] Adam, why don't you go first?
[00:16:28] Why don't you just give everybody a quick minute?
[00:16:30] Who are you, and what is Crosshair Cyber?
[00:16:34] And then Eric will come to you.
[00:16:35] Great.
[00:16:36] Thanks, Justin.
[00:16:37] Great to be here.
[00:16:38] So I'm Adam Bennett, Crosshair Cyber CEO.
[00:16:41] And we do cybersecurity professional services.
[00:16:45] So everything from VCSO to pen testing, incident response, forensics, compliance work.
[00:16:53] I've been in the industry 20 plus years.
[00:16:56] I ran another cybersecurity services company for about 13 years and exited that.
[00:17:01] That was mostly government, whereas Crosshair is the opposite, mostly commercial, a little
[00:17:06] bit of government.
[00:17:07] That's awesome.
[00:17:09] And Eric, go ahead, introduce yourself and tell everybody who's your favorite ECW wrestler.
[00:17:14] It's me.
[00:17:16] You know, we're always kind of wrestling.
[00:17:19] You know, we're kind of the firefighters, you know, that are out there, kind of blue team,
[00:17:25] you know, side of the house in terms of cybersecurity.
[00:17:29] So, you know, we develop kind of more of the, you know, the defensive solutions and strategies.
[00:17:36] You know, so we're a managed security provider or not a managed, managed services provider,
[00:17:42] rather.
[00:17:44] And, you know, we kind of, you know, our mantra is basically cloud first, security first.
[00:17:53] And, you know, we, you know, we are good enough at the defensive solutions.
[00:18:01] But we're, you know, we don't like to kind of falsely advertise that we're like experts
[00:18:06] in cybersecurity.
[00:18:09] So that's kind of where we partner up and leverage the experts like Adam and Steve.
[00:18:14] Awesome.
[00:18:15] Well, thank you both for being here.
[00:18:17] So let's just jump right into some stuff here, right?
[00:18:19] Because obviously, as always, cyber is a hot button topic in our industry.
[00:18:24] And it will be until the day the industry goes away and we're all replaced with robots.
[00:18:30] Adam, for you, what do you see is one of the biggest things that MSPs who don't do full boat
[00:18:40] cyber themselves, I'm talking about like the smaller MSPs, can't afford that expertise or
[00:18:44] can't afford to have that, or at least internally.
[00:18:47] What do you see as one of the biggest components that an MSP should be leveraging out of Crosshair?
[00:18:54] Yeah, it's a good question.
[00:18:56] And first of all, I'd just like to say, even, you know, I think there obviously there are
[00:19:03] MSPs and, you know, they got all kinds of names for themselves today.
[00:19:07] And you have MSPs.
[00:19:10] I do, I've always been a believer in separation of duties.
[00:19:14] And so I know that there are some MSPs that are on the larger side that are doing some cyber
[00:19:20] work.
[00:19:21] But I think from what I've seen, it's a little better to separate those things out, or at
[00:19:25] least have clear delineation.
[00:19:27] So for, I think the biggest thing, you know, in working with the small to midsize MSPs, what
[00:19:35] they could work with a provider like Crosshair for would be penetration testing, vulnerability
[00:19:42] management and scanning of their own infrastructure.
[00:19:45] And, you know, they're protecting all these different customers, but they got to make sure their own
[00:19:50] house is in order as well.
[00:19:52] So also, you know, some compliance frameworks like maybe Trustmark.
[00:19:57] We can help with those things.
[00:20:00] And as Eric knows, when the you know what hits the fan, having a provider that's really very
[00:20:08] well qualified to do incident response and to help you out.
[00:20:12] I mean, Eric knows he can call me in the middle of the night.
[00:20:14] I'm not going to charge him anything.
[00:20:16] We've worked forever together.
[00:20:18] And we'll get into that stuff later, how we work together.
[00:20:21] But I think those are the big areas.
[00:20:23] IR, pen testing, some compliance and certifications.
[00:20:29] And for their own things as well as their customers.
[00:20:31] You say something, it's an interesting point, because a couple of episodes ago, we had Wayne
[00:20:36] Silk from the community, I can never get the full title, right?
[00:20:43] It's CompTIA Securities Community.
[00:20:47] I'm sorry, Wayne.
[00:20:48] We all know where you're from.
[00:20:50] Anyway, but he said something then, which Adam, you're repeating, which is a very interesting
[00:20:54] point, which is like, get your own house in order first, right?
[00:20:58] Which a lot of MSPs, I think, don't in any way, shape or form, right?
[00:21:04] Even, you know, Wayne tried to rip me on getting SOC2 compliant.
[00:21:07] The fact of the matter is like, even doing something like that to get my own building set up in
[00:21:12] such a way to be able to sell it to other people.
[00:21:13] All right.
[00:21:14] So now this is going to be confusing with two Erics.
[00:21:16] So we'll just pretend that Eric Anthony isn't here tonight.
[00:21:19] All right.
[00:21:19] So now, I'm just kidding, kidding, kidding.
[00:21:22] All right.
[00:21:22] So we'll have a wrestling match to see who's the best.
[00:21:26] This episode is now called All Things MSP, Hell in a Cell, Eric on Eric.
[00:21:33] By the way, just during our cold open, we were talking about what we're doing this weekend,
[00:21:36] and I said that I'm going to play video games with my son, Roman.
[00:21:38] We got the WWE 2K24 video game.
[00:21:42] So that's why this is all top of mind to me right in this decade.
[00:21:45] So I apologize.
[00:21:46] All right.
[00:21:47] You can just call me Producer Eric for this show, Justin.
[00:21:49] All right.
[00:21:49] Okay.
[00:21:49] So non-producer Eric, just to make it a word.
[00:21:54] What have you been doing with Crosshair internally?
[00:22:00] And let's get into a little more specifics here.
[00:22:02] Like, what are you doing internally and why?
[00:22:06] Well, so, you know, when we started hearing, you know, five, you know, four or five years
[00:22:14] ago that, like, you know, MSPs themselves were being targeted, you know, not just the
[00:22:20] customers, you know, we really kind of like, you know, kind of had an eye opener that, hey,
[00:22:26] you know, we need to, you know, recalibrate and, you know, kind of, you know, get our
[00:22:32] house in order.
[00:22:34] Not that it was in disarray or anything, but, you know, really kind of adopt more of the,
[00:22:40] you know, kind of the enterprise grade, you know, solutions that we recommend, you know,
[00:22:45] to our customers.
[00:22:46] And, you know, it's not, you know, we've always had, you know, an EDR and everybody can, you
[00:22:51] know, feel good about that, you know, maybe six or seven years ago, you know, that was
[00:22:55] an accomplishment.
[00:22:56] But, you know, things really kind of got complicated when we started getting targeted.
[00:23:01] And, you know, we kind of took a serious look at that.
[00:23:07] And, you know, we were concerned, you know, some of these things were like extinction level
[00:23:13] events for MSPs, you know, where you'd see kind of like, you know, those stories of like
[00:23:19] the Kaseya, you know, hack and all that stuff.
[00:23:22] But there were, you know, there were, you know, basically, I think it was like, you know,
[00:23:26] something like 80 MSPs that were kind of in the mix of that.
[00:23:30] And so we'd start adding that up.
[00:23:32] That's, you know, tens of thousands of people who were impacted by this.
[00:23:38] So what we kind of did on our journey with this is, you know, we had a lot of these security
[00:23:44] tools already, you know, but we didn't really, we didn't really know how to really navigate,
[00:23:51] you know, the process.
[00:23:52] You know, so we're kind of faced at a crossroads in that direction, at that situation.
[00:23:57] It's like, do we, you know, do we develop this stuff fully in house or, you know, and
[00:24:04] invent our own wheel, you know, or do we partner up with an expert who's going to, you know,
[00:24:10] kind of get our maturity level higher, you know, and that's, you know, that's largely
[00:24:15] to do with, you know, these testing, you know, the testing, the auditing, you know, and,
[00:24:22] you know, when you kind of think about it, like, you know, a lot of people are trying to
[00:24:27] kind of bring this in house and there's automated, like pen testing solutions and all that stuff.
[00:24:32] But like, I really wouldn't be able to say with a straight face that we pen tested ourselves
[00:24:38] and everything's great, you know?
[00:24:41] And so there's, you know, to some degree, like separating this stuff, there's, you know,
[00:24:45] there's, you know, you're kind of like following a good code of ethics here, you know, and really
[00:24:51] kind of like, you know, presenting yourself with, you know, the clients with kind of the
[00:24:56] honest truth, you know, because while, you know, I can call Adam in the middle of the
[00:25:01] night, you know, I mean, sometimes by, you know, when we're doing a pen test, our security
[00:25:07] companies call us in the middle of the night, because, you know, they're rattling around,
[00:25:11] you know, and, and, and, you know, doing things.
[00:25:15] And, you know, they, you know, even though, you know, even though we're, you know, we're
[00:25:21] friends and we've been working together for a while, they don't take it easy on us, you
[00:25:26] know?
[00:25:26] And so, you know, we, we kind of both have the ethics that, you know, the truth is the
[00:25:31] truth, you know, and if it's on the report, you know, don't try to cover it up.
[00:25:37] And, you know, hide it, like just address the problem.
[00:25:40] And then, you know, if you do that, you're going to have, you know, much better trust
[00:25:45] level with your customer, you know, where, you know, you're actually going to like, you
[00:25:50] know, like if we just made our own report and whatever, just so somebody can file it in a
[00:25:57] drawer, it's meaningless.
[00:25:58] And having kind of that separation of duties, it helps keep us honest in our practice.
[00:26:04] And I think that, you know, kind of by doing that, we're also building trust with our clients.
[00:26:11] So let me, I'm going to go a little deeper on this one.
[00:26:14] So before you started working with Adam, you were in a situation, right?
[00:26:19] You had your business.
[00:26:20] You started working with Adam.
[00:26:21] He's starting to find stuff out about you.
[00:26:22] What do you think was like the number one face palm-ish thing that like Adam was like,
[00:26:30] Eric, this is, this is, you have this major gaping hole that you need to fix.
[00:26:34] Like what were some of those things that you, when you went through the process of doing
[00:26:38] it internally?
[00:26:39] Because, you know, for clients, it's one thing, right?
[00:26:41] Like if we're going to go pen test a graphic design firm, like they're going to be a mess
[00:26:45] because they're a graphic design firm.
[00:26:46] But like us internally, we all think we're impermeable.
[00:26:49] So what was something that like you did?
[00:26:51] Because you're using Adam for internally, for internal processes, sorry.
[00:26:55] What is something that like popped up on the radar that you were like, oh man, really?
[00:27:01] Yeah.
[00:27:03] So, you know, there's, you know, first of all, there's been a number of those things.
[00:27:09] And, you know, that's also because we, you know, we don't stop the process.
[00:27:15] And so every pen test is, you know, and every kind of testing of our technology controls
[00:27:23] is kind of different, you know, year over year, you know.
[00:27:26] And, you know, I'd say that one of the biggest, you know, kind of like eye openers for us was,
[00:27:35] you know, we had an, you know, an on-premise file server.
[00:27:41] Well, it wasn't on-premise.
[00:27:42] It was hosted in Azure, but it was sort of like a stateful file server.
[00:27:48] And, you know, there's different types of pen tests that you can do, right?
[00:27:52] You can do an external pen test and feel great about yourself because everything shows up
[00:27:59] green if you pass, you know, a few vulnerabilities.
[00:28:01] But external pen tests, you know, by themselves are kind of meaningless.
[00:28:07] You know, it's basically the equivalent of like, you know, doing, you know, a vulnerability scan,
[00:28:13] you know, and, you know, running, you know, some password sprays or exploiting a vulnerability
[00:28:19] that exists.
[00:28:20] But, like, if you don't have external vulnerabilities, like a test like that is not going to be a true test,
[00:28:28] you know, once you've kind of passed that mark, right?
[00:28:31] And, I mean, if people have external vulnerabilities, yeah, you know, they're getting in, you know,
[00:28:36] but we kind of got to a point where, you know, we're, you know, we're pretty comfortable and confident
[00:28:42] in saying like, hey, our, you know, our external vulnerabilities are, you know, are green,
[00:28:48] you know, and we also kind of reduce, you know, the external attack surface area, you know,
[00:28:54] open as little ports as possible, you know.
[00:28:57] So once you kind of like reach that level, you know, then you go with, you know, kind of
[00:29:02] the black box, you know, pen testing where, you know, they'll park like an appliance, you know,
[00:29:10] kind of at your location or you can spin up a virtual appliance in the cloud like AWS or Azure.
[00:29:17] And that's, you know, that's something that, you know, that was kind of eye-opening for us
[00:29:22] once we kind of reached that milestone is we, you know, we didn't really realize that all of the broadcast
[00:29:30] protocols that we had, you know, kind of open, you know, you have NetBIOS, LLMNR,
[00:29:38] you know, basically any, anything that broadcasts is vulnerable.
[00:29:43] And, you know, especially if you're not like doing like, you know, digital file signing,
[00:29:49] you know, with your file servers, you know, because that's not enabled by default, but that,
[00:29:53] you know, that one was eye-opening, you know, for us is, you know, what can be done, you know,
[00:29:59] to, you know, to basically capture credentials and stuff with man in the middle attacks.
[00:30:04] You know, the bottom line is like, if you're not kind of like encrypting, you know,
[00:30:09] the traffic, you know, basically anybody can, you know, anybody with a black box can kind of hijack
[00:30:17] anything on the network and you'd be surprised at what they can get, like domain admin passwords,
[00:30:22] you know, just the replay type of attacks.
[00:30:28] But the real eye-opener for us was, you know, when we started kind of, you know,
[00:30:34] we graduated that level and then we started doing authenticated pen tests with Crosshair.
[00:30:40] And that's, you know, that's truly kind of where, you know, the bodies are buried basically,
[00:30:47] you know, that'll tell you about, you know, your, your actual, you know, real risk, you know,
[00:30:54] and, you know, everybody talks about insider risk, like, you know, hey, it's, you know,
[00:31:00] the North Korean that KnowBe4 hires, right. But real insider risk is actually when an endpoint
[00:31:07] itself gets compromised. And, you know, that's basically, you know, that's also what the
[00:31:15] authenticated attacks demonstrate is that you have your, your employees, you know, behind the computer.
[00:31:23] And, you know, we have EDR and all these things that kind of like prevent, you know, the malware
[00:31:29] and stuff. But if they get like token phished or something like that, you know, that's basically
[00:31:37] your insider threat at that point. And that, you know, that not a person with bad intentions,
[00:31:42] you know, it's just, you know, they accidentally blew up the network by, you know, clicking the wrong
[00:31:49] link or answering the wrong phone call or something. Yeah. And so the real eye opener for us is like
[00:31:55] kind of when we graduated to like, third level, and you know, this was something that, you know,
[00:32:00] Crosshair suggested was that, you know, we do an authenticated pen test. And kind of the real eye
[00:32:10] opener was like, what they could do to the actual, you know, by kind of sniffing the actual contents
[00:32:16] of like, you know, supposedly protected file shares and, and those types of things, you know,
[00:32:22] when, you know, a lot of the time, like, you know, you can find the unencrypted information at rest,
[00:32:29] you know, by having an authenticated account. You can also, you know, you can also use an old piece
[00:32:39] of software, you know, not be an admin at all, use an old piece of software, and then make yourself a
[00:32:47] domain admin through a vulnerable file service path. That was kind of like, the real eye opener is that,
[00:32:54] oh, my God, like, you know, we really have to be paying attention to the internal vulnerabilities too.
[00:33:02] And, you know, we would just kind of, you know, I guess everybody knows, like, hey, you should patch
[00:33:08] vulnerable software. But we really kind of like, found out at that point, that we really need to
[00:33:16] patch, you know, vulnerable software. So that was, you know, those two things is like, you know,
[00:33:22] examining, you know, they go deeper and examine, you know, kind of the contents of the file server,
[00:33:28] you know, see what files are kind of lingering out there on the network, if anybody's storing passwords
[00:33:34] in plain text, those types of things. And then, you know, vulnerable file service paths are a real
[00:33:41] thing, you know, so if you have like, you know, a version of QuickBooks from, you know, 2013 or
[00:33:47] something that the owner doesn't want to upgrade, right? Like, ordinarily, you know, most MSPs would be
[00:33:53] like, oh, that guy's just cheap, right? Not going to upgrade. But if you can demonstrate to them that,
[00:34:01] like, if you don't keep up with this stuff, and not just like Windows and SQL versions and stuff like
[00:34:09] that, but if you don't keep up with like, your line of business applications, you know, and those types
[00:34:15] of things, like, you're really putting yourself at risk, like, I've really, really seen them elevate
[00:34:20] that to domain admin, you know, so those are kind of the, you know, there's several eye openers,
[00:34:26] basically, like, there's not one eureka moment. Well, I mean, on all of that, it seems like your
[00:34:32] eyes have been so wide open at this point, that if you if you even try to sleep, it's unkind of.
[00:34:37] So Adam found all of this. I can't. I can't. I can't sleep. That's right. All right. So Adam,
[00:34:43] let's go to you, right? Like, you found all of these problems, right? Eric? Yeah, we found,
[00:34:47] we found a number. And so just to be clear, we're not just pen testing their stuff, we're pen testing
[00:34:52] their customer stuff as well. Right. So yeah, yeah. So we definitely recommended the doing that
[00:34:58] we call it assumed breach, right? So because it all it takes is one user to click something.
[00:35:03] And so yeah, we found all these things we and he referenced one, sometimes it sometimes it's over
[00:35:09] real quick. Right? It's like sometimes, sometimes we find something like an old piece of software,
[00:35:14] software, and we see a batch script. Oh, I wonder if this actually could be something that would
[00:35:20] elevate me reset the admin password. Oh, it is game over in like, less than an hour. But it's not in
[00:35:26] it. But I think I really want to hit on something Eric's Eric we said, it's nothing to be ashamed of.
[00:35:32] They are first of all, let me just say, they are very security conscious MSP, because I've talked
[00:35:37] with a lot of MSPs. And I go around to conferences and speaking engagements and have other we have other
[00:35:43] partners. They're very conscious of security, but they it just, they have the job of keeping
[00:35:51] the systems running, and then doing all these upgrades and doing, you know, just keeping up
[00:35:58] with technology. So it's just very, very, very hard to keep on top of all these things. But the other
[00:36:03] thing that really is really important here is that all of these things that we found,
[00:36:09] um, are lessons learned, and they then up their game, right? So then when our testers go in next
[00:36:16] time, it's like, all right, well, they, they caught us doing this. And now we got to figure
[00:36:19] it's a cat and mouse game, just like it is with, you know, the bad guys. Um, and so it's just that
[00:36:25] we're not gonna harm, we're helping rather than harming. And so by doing these tests, that elevates the
[00:36:30] game of all of the, all of their customers. Yeah. So let's, let's talk about this then from
[00:36:36] a customer's perspective, right? Uh, Adam, you've helped Eric get to this next level,
[00:36:44] but what do you do? Like, how are you presenting this to customers? Because like,
[00:36:50] granted Eric and I don't play in the same sandbox when it comes to customers, but Eric can go to a
[00:36:54] customer and say, like, we're really secure. And I can go to a customer and say, we're really secure.
[00:36:58] What are you, what are some ways that an MSP who would be benefiting from working with a cyber
[00:37:03] company like, like Crosshair, how are you, how do you present that to a customer? How do you present
[00:37:08] to the customer? I can take care of your stuff because I can prove that I take care of mine.
[00:37:13] Like, where's that proof that you're taking care of yours? You mean Crosshair or, or the MSP?
[00:37:22] Either like, how can Crosshair help the MSP prove their security to get more
[00:37:27] customers? So one, one, as you mentioned the, the, and I mentioned it earlier, the trust mark. So
[00:37:32] we're helping ECW get their trust mark, basically prepare for that audit. And I think they're
[00:37:38] about there. Um, because we, we do, we do a lot of compliance work as well. So I don't know if I
[00:37:44] want to call that compliance because I, I view that as proof, right? It's a certification that,
[00:37:50] um, and you, you know, that shows you have a, you meet a minimum bar from a security perspective. And
[00:37:55] from everything I've seen and our team has seen, uh, that particular certification is pretty decent.
[00:38:02] There are others you can go for like ISO 27001 and, you know, SOC 2, I think for MSPs,
[00:38:08] it doesn't make a ton of sense, but could, could be. Um, so I think we can help the MSP prepare.
[00:38:16] So like we just call it audit readiness support, basically. Um, we can help them get ready for that.
[00:38:21] And some of that includes, you know, some, not just like looking at documentation,
[00:38:26] but also some testing as, as well. Um, so getting them ready for, for that kind of a thing.
[00:38:32] And you were talking about the CompTIA, uh, cybersecurity trust mark, right?
[00:38:37] That's one. Yeah. Yeah. There's others. Again, some may want ISO, some may want SOC 2 or other things.
[00:38:45] So if I'm looking at this from the outside, right. And obviously I don't own an MSP anymore. Uh, but
[00:38:52] you know, I, I do a lot in this space and I'm kind of looking at Crosshair as somebody,
[00:39:00] a, who's going to come in and validate my defensibility, right? That's kind of what the
[00:39:07] pen testing and the crawling around, um, somebody's environment is going to do for an MSP.
[00:39:12] And obviously that translates down to the clients as well. Then you're also providing the expertise
[00:39:21] on how they should do things, how their processes should be set up to manage the cybersecurity stack
[00:39:29] that they're managing for their clients. So that's the second kind of, I'm going to say legs to a
[00:39:34] stool, right? Because that expertise is something that's very hard. We know we have a lack of employees
[00:39:42] who can do this available employees to do this. And they're also very expensive. And so for the average
[00:39:49] MSP, that's probably pretty hard. And then the third leg of the stool that I would call it is the, um,
[00:39:58] I just lost it. Uh, so we went through defensibility, the expertise. Oh, and again, it's kind of
[00:40:04] expertise, but it's, there's things that happen very rarely for an individual MSP like incident response.
[00:40:12] You know, most MSPs are only going to have a very few handful of incident response situations
[00:40:19] in their lifetime. And I also think in my mind, and Adam, if you could confirm this,
[00:40:24] does it work better to have a third party incident response rather than having the MSP who's managing
[00:40:32] the day-to-day cyber be involved? Does that make sense?
[00:40:37] Yes. And it's not, and I would say, um, not just an MSP. Um, we've also been called into other
[00:40:44] organizations, um, to do IR where they didn't, they didn't have an MSP. They had some internal
[00:40:50] IT. Um, and yes, it does because, you know, honestly, we've been through dozens and dozens of them.
[00:40:56] Um, we have the technical experience and the, you know, the, the mindset to do it. Um, and we,
[00:41:06] we do a lot of, um, preparatory work with our clients, especially our vCISO clients where we'll
[00:41:12] do, uh, IR tabletops and DR tabletops. And those things really help because, um, we've had cases where
[00:41:20] we literally just did a tabletop and like a month later that, that actual scenario happened.
[00:41:26] And you know, hurricane, right? Yeah. No, no, it wasn't a hurricane. No, it was, it was a cyber.
[00:41:30] No, it was two hurricanes. It was the, no one ever, no one ever expected it.
[00:41:36] Well, we, we, you know, we don't say clients' names or anything, but we did a tabletop with Crosshair
[00:41:42] about how their operation would work in a hurricane. And then like literally two weeks later,
[00:41:48] they were shut down by a hurricane and they, but they were ready to deal with that. So they
[00:41:55] like had, they had that fresh in their mind. Like this is the playbook on how to respond.
[00:42:01] Yeah. And there's another one, it's just kind of ironic. It's like, you know,
[00:42:04] as soon as you talk about something, you know, you knock on wood, right?
[00:42:08] Yeah. And there was another one with another customer. It was a cyber incident. And that
[00:42:11] thing we shut down, like everybody's like, okay, we know what to do. Um, so yeah, those,
[00:42:17] those things, I think you, you hit it right. Uh, Eric Anthony, um, there's, you know, maybe even
[00:42:21] three or four legs there. Yeah. Well, hopefully it's four legs. If three legged stool fall, um,
[00:42:28] it's extra. I don't know. Eric, you got anything? Uh, yeah, no. So I mean, you know,
[00:42:36] what Crosshair kind of does, or I'm sorry, which Eric? Not you. That's fine. Okay. I won the
[00:42:42] wrestling match this time. Well, I didn't take producer Eric. So, okay. All right. Just making
[00:42:47] sure I've been practicing. Um, so like, um, you know, it's really kind of about the lessons learned
[00:42:55] and kind of year, year over year, you know, um, kind of learning new lessons, you know? And so like,
[00:43:02] I kind of view it like it's a partnership, right? It's Adam's job to open my eyes, right? It's my
[00:43:09] job to make his life more difficult every single year, every time he does a pen test. Um, because
[00:43:18] what we do is when we learn these lessons, we do legitimately replicate them everywhere. Right? So,
[00:43:26] you know, we've made kind of like, uh, various hardening, you know, uh, policies and those types
[00:43:34] of things. And so like where we learn something, you know, we kind of have like, you know, we call
[00:43:39] it the repository, you know? And so like, where we kind of learn one thing from one pen test, we're like,
[00:43:44] hey, let's just add it to the repository. That script runs every day and hardens our workstations.
[00:43:51] So it also hardens Adam's life, right? And his pen testers. And it's, you know, it's, um, but it is
[00:44:01] kind of like a, it is a unique, you know, kind of partnership for us because year over year, we're
[00:44:06] kind of like challenging each other. Um, and so it's, you know, it's like a good, you know, it's a
[00:44:12] good game, but it's, it's challenging and, you know, kind of aspects where like, you know, it's
[00:44:17] constructive, you know, challenging, you know? And so it, it legitimately helps us to be challenged,
[00:44:24] you know, and, um, you know, by doing this, you know, we've definitely reduced, you know,
[00:44:32] everybody's getting risk assessed or vulnerability scanned or pen tested, you know, whether, you know,
[00:44:39] whether it's somebody who, you know, we work with Adam or let's say the, the parent company,
[00:44:44] right. Of our client says, Hey, this is our mandated pen tester. And, um, you know, we're able
[00:44:53] to, you know, by, by learning these lessons, adding that stuff to the, the repository and continually
[00:44:59] hardening systems, we're making those vulnerability and remediation efforts a lot shorter where,
[00:45:07] you know, we get pen tests back from clients now, you know, kind of after, you know, year five,
[00:45:13] like the it director, like they don't believe us. They're like, the list is too short, you know,
[00:45:19] but it's actually, you know, they're like, I was expecting us to be working on this for six months,
[00:45:25] but we're able to like, you know, use the lessons that we learned here to really shorten,
[00:45:29] you know, our remediation cycles, not just for the pen tests that we're involved with, but all of our
[00:45:35] clients as a whole. It's good to be able to take that, that knowledge and disseminate it across the
[00:45:41] board, which, you know, that, that's something we should all be doing in general. It's like,
[00:45:46] if you get a piece of info, like anytime a client tells me something that I'm like,
[00:45:50] Oh, I didn't know that piece of information. I'm immediately telling every other client about
[00:45:53] that information. That's one of the games of how we stay on top of stuff, because we just want to
[00:45:57] keep clients and Googling the answer. That's what they pay us for. They pay us for the answers.
[00:46:01] No way they don't have to Google it. Um, well, look, this guy, we're getting a little close in time.
[00:46:07] Um, this all sounds wonderful. Uh, Eric, not producer Eric, regular Eric, uh, where can people
[00:46:14] find you online? And then Adam comes to you with one last piece, but Eric, where can people find
[00:46:18] you online and find out more about you and ECW? Yeah. Yeah. So, um, they can, you know, our,
[00:46:24] our website, you know, we, we've been around for about 21 years, you know, so our, our website domain
[00:46:30] is ECW computers.com. Um, but it, you know, in that time we're, you know, we're looking to,
[00:46:37] you know, to kind of evolve like our, our branding to be a bit more modern book right now. Uh, we have
[00:46:42] two different, you know, kind of points of presence, um, in terms of our business verticals. So we have
[00:46:49] ECW computers.com. Um, and then we also have rxcloud.org. So that's rx, like the prescription
[00:46:58] cloud.org. And, um, the ECW computers side of the house is, you know, basically our managed services,
[00:47:07] infrastructure, cloud solution, you know, the, the, the security services that we offer. Um,
[00:47:13] and then rxcloud is kind of a more, uh, specialty unique, um, niche that we've launched. Uh, we're,
[00:47:20] we're hosting a lot of, um, healthcare, uh, providers, um, and pharmacies, you know, in, uh,
[00:47:27] in Microsoft Azure and kind of, you know, leveraging, uh, Azure virtual desktop and those types of things.
[00:47:34] So those are kind of the two places, you know, um, to find us. Awesome. And then Adam,
[00:47:40] where can people find out about Crosshair Cyber?
[00:47:42] Yeah. So our website's crosshaircyber.com. We're also on LinkedIn. You can find, we have a company
[00:47:49] page and my pages out there as well. So yeah. Uh, producer Eric, any final words?
[00:47:55] Yeah. You know, I think this is a different model than a lot of MSPs use to approach cyber security,
[00:48:02] but I think it is definitely one that will work for specific MSPs who a want to kind of up their game
[00:48:09] and get that third party validation from a trusted cyber security vendor and be able to have their,
[00:48:18] their systems tested on a regular basis. And again, also make use of that expertise,
[00:48:25] especially, you know, incident response again, is just one of those things that
[00:48:29] is very tricky. And if you don't do them all the time, it's really easy to mess up.
[00:48:34] Yeah. Leverage the leverage the expertise out there in the market. That's what that,
[00:48:38] that, that, that's what makes us better entrepreneurs and better business owners
[00:48:42] is by realizing what we can't do ourselves and getting someone in who can do it for us,
[00:48:48] whether that's marketing sales or in this case, even cyber. Uh, well, thanks Eric and Adam for being
[00:48:54] here. Follow us along at facebook.com slash group slash all things MSP. See all of this in high
[00:48:59] depth glory over at youtube.com slash at all things MSP. Follow us on all of your favorite
[00:49:04] podcasting tools, which you're using to listen to this episode anyway. And don't forget to leave
[00:49:09] us a review. That's producer Eric. I am not producer Justin. Bye. Thanks for listening.
[00:49:15] And don't forget to subscribe to us on your favorite podcast platform. You can also follow
[00:49:21] us on Facebook, but better yet, go ahead and join the Facebook group. You can also follow us on
[00:49:26] Instagram if that's your thing and make sure you subscribe to our YouTube channel at all things MSP
[00:49:33] to catch us in all of our video glory. And last, but certainly not least, if LinkedIn is your thing,
[00:49:39] you can follow us there as well. And a special thank you to our premier sponsors,
[00:49:44] super ops, move bot, goes into easy d mark and contact.
[00:49:51] And we also want to thank our vendor sponsors. The all things MSP podcast is a biz pow LLC production.


