Listen to "All Things MSP" on Your IT Podcasts!
[00:00:00] Data migrations are complex and irritating, creating days of frustration from setup to cutover. Movebot was built from the ground up to fix that. Movebot is the simplest, fastest tool for moving files and emails that there is.
[00:00:21] Fully hosted with no infrastructure, no virtual machines, none of that craziness, sign up, connect, scan, and you'll be moving data in minutes. Move data like a pro at atmsp.link forward slash movebot. Why would Alan's pool catering want to join the All Things MSP Facebook group? Al-L-E-N? Yes.
[00:00:46] Swimming pool cleaners. Is it like a cactus doing this? They want to join because somebody is managing their social media and is searching for large groups to join so they can come in and blast their wares.
[00:01:01] Somehow or other I got on a list being like, hi, we see you're a dentist. Have you ever been an MSP for a dentist? Yeah, I have actually. They actually just closed up shop but the weird thing is they were on a very prominent
[00:01:16] block in Manhattan. I feel like they didn't care about HIPAA. I think I still have a dentist client that owes me money but after 11 years, I don't think I'm collecting. What's up, everybody? Welcome to the All Things MSP podcast. My name is Justin Oskar.
[00:01:38] With me always is my AI friend, robot Eric Anthony. Marmar. Beep boop. Shout out to our friends over the Command Control Power podcast. I was listening last night. I found out that they did an ACES recap episode which if you haven't gone is great
[00:01:55] because basically, because there's three hosts for that show and one of the guys that had come and basically the entire hour was them going, Jerry, stop trying to get us to give you the information that came at ACES for free. You didn't come. We're doing this great.
[00:02:13] And this week has been crazy. We're still doing our audits at Virtua. I know everybody really cares to see what we're up to. We've made some major headway and we have run into so many walls doing this which it's
[00:02:27] funny because when we originally created the list of audits, things that we needed to check on, there were like 15, 20 things that we had just top of head when we made our list. The director has made our list.
[00:02:40] And as we got through it, we're up to 50 or 60 items now because you dig into something and you realize that underneath that is more skeletons in the closet, kind of stuff where you just keep digging and digging and digging. One great example is we wanted to audit...
[00:03:05] What was it? It was like we wanted to audit something with what clients had Synologies. Right? Well, we did that based on a list that we had. But then someone was like, well, we have this other list over here.
[00:03:21] So we looked at that other list and we're like, how come these guys aren't on this list? We had to audit that. Then we had to get into each one of them and make sure we had an account with 2FA. So we had to audit that.
[00:03:29] Then we had to get into them again and make sure that we have notifications set up properly because depending on when that Synology was set up and those things are always set it and forget it, where it was set up along the history of Virtua, notifications were
[00:03:43] set up differently because they were set up differently at Virtua than they were at the company in Iowa that they acquired, than they were in the company in Missouri that we acquired. Right? So like that turned into another...
[00:03:52] So this one thing which was just put into Halo who has a Synology turned into a multi-day, multi-level project. And it's really... I'm finding this interesting because the skeptic in me is like you did something wrong by not doing this stuff as it came in.
[00:04:14] And I can't believe you let this go. But like I'm only human. I'm not like you, you're a robot. Beep, beep, burp. It's time for From the Group! All right, this week Tommy Cox writes, what's everybody's go to for reselling of an MFA solution that he post edited?
[00:04:40] Duo is not an option looking for other solutions. The answer is 1Password. Very good. Thanks Tommy. From the group. No, I'm kidding. Look, there's a lot of different ways you can do MFA. What we do at Virtua, we do 1Password.
[00:04:53] We try to sell our clients 1Password. 1Password has a great reseller program. They have a new MSP program, things like that. But if you really want to go top notch Tommy, and I think I have one in here, I just got to find it.
[00:05:03] Oh no, I hit my lights. Turn back on. I have... I don't have any... I just have the base. The YubiKeys, this is just the case for it. Get a YubiKey for two factor authentication.
[00:05:18] I apologize if you're watching on YouTube.com and I look weird because my lights just turned off when I was looking for my YubiKey. So the only problem with that though is that... And by the way, I'm a firm believer in YubiKeys. I use them myself.
[00:05:31] But that doesn't actually solve the SSO problem which I suspect has more to do with this question than just MFA. Sure. But that's something to ask about. So I'm going to go face level with this one.
[00:05:48] I know a lot of people like Duo, but it was weird when he said Duo is not an option. I would like to figure out why Duo is not an option. But one password, keeper, things like that. The Microsoft Authenticator... I mean there's a lot of companies.
[00:06:07] There are a lot of companies who produce code generator TOTP systems. The Microsoft Authenticator, Google, Facebook has their own. You can get a third party one. The reason I like the 1Password one is that 1Password will auto fill in your username, password and your 2FA.
[00:06:25] Except for with alternative payments.io. So I'm going to call you guys out because I sign in with Google and it still forces a one-time password afterwards. 1Password can't handle that because it just goes signs in with Google.
[00:06:37] So there shouldn't be a TOTP for whatever reason there is. But 24 Commons is getting up there and this was just posted yesterday. But that's why I like 1Password. I think for the more secure stuff, a YubiKey with a touch, with a capacitive touch, that's
[00:06:59] where the trick is. Let us know in the Facebook group if you meant SSO or if you truly meant an MFA method because they are very different. Well, Tommy, thanks so much for participating in the group and you got a shout out good for you man.
[00:07:16] And that has been from the group in less than a minute. Or less than three but we're not counting. Listen mom. Elevate your IT managed service provider business with SuperOps, the all in one platform that integrates RMM and PSA.
[00:07:36] Powered by AI driven insights and automation, SuperOps helps you stay ahead, streamline operations and boost efficiency. Are you ready for operational excellence? Find out more at atmsp.link forward slash SuperOps. Oh it's been such a week. But dude, we have a guest today.
[00:07:53] I love it when we have a guest and yes I love saying that all the time also. Today we have Frank Ramundi, VP of channel Alliance and Partnerships over at IGI, owners of Nodeware. Frank, how are you? I'm doing great. Thanks Jason. Just whatever your name is.
[00:08:10] Yeah, true story. True story. I work for a summer camp for seven years. The old man who ran that place never called me by my proper name called me Josh, called me Jason. Last day I worked there.
[00:08:20] I went up to him and I said, you know, seven years. You know you, my name is Joseph Ryan. He goes, yes, but you never corrected me. And I was like, were you teaching me a lesson for the last seven years?
[00:08:30] Neither one of you though will ever understand having two first names for both your first and last names. Oh yeah, I pity the fool. I feel sorry for your parents. Yeah, and middle name by the way. You have three first names? Oh, yes.
[00:08:46] And actually, and two last names. All right, we're going to unpack it on a different episode because right now we have Frank. For those who don't know you and are still here, why did you give everybody like a two minute spiel? Who are you? What is IGI?
[00:09:01] What is Nodeware? And you know, look, I know you're a big golfer. What's your handicap? 19. So it's, you know, it's been as low as 17, but I don't play quite that enough to get it much lower than that. So tell everybody who you are and what's IGI and Nodeware.
[00:09:19] Yeah, great. Thanks. Thanks. And thanks for having me on guys. So Frank Ramondi, I work with IGI, also the owner of Nodeware, a couple security products. A very focused long term business. They've been in cybersecurity and lots of activities around it for the last 15, 20 years.
[00:09:40] So my role here is working primarily on distribution as well as sort of alliances and partnerships. And a lot of my passion and industry sort of experience and interest is on building, you know, good partnerships between, you know, the one company I might be working for
[00:09:58] and the others or kind of the whole community, the ecosystem. I worked many years, almost 20 years at Intel Corporation. And my biggest claim to fame there was building a whole channel alliance program from scratch
[00:10:12] where we were, you know, the microprocessor, but, you know, in the system builder days, if you recall that, if you're old enough to remember those, you know, there is, you had the CPU, but that was all we did. Right.
[00:10:23] So we needed the motherboards, we needed the chassis, we needed the software, we needed the storage, blah, blah, blah, blah. And so I built sort of a program and an alliance activity around that to bring
[00:10:36] all these guys together, kind of rise the tide if you will for all boats. And so that's kind of carried through to what I'm doing today with Nodeware and with IGI, which is our cybersecurity services world and kind of will lead into the topic today.
[00:10:51] So the interesting thing, two interesting things. One, I speak Norwegian, if anybody cares, I speak Norwegian fluently, we can go into that at the end if we need to. And two, I bet, you know, from Intel, prior to that, I worked at Apple Computer, I've worked at Cinex.
[00:11:10] In all my times, most of my career has been around hardware business and sort of the system builder slash reseller bar. And so the last four or five years kind of getting more and more engaged on the software and the MSP world.
[00:11:24] So it kind of, you know, the old dog can learn some new tricks on the on the hands. What was your Apple employee number? Oh, God. I'll make it easier for you. Was it a three-digit number or a four-digit number? It was a four-digit one.
[00:11:41] I was there from 88 to 93. So the Nodewa years. They call it the dark times. It was good for a while and then it not so much. Do you want to sell, what did Jobs say to Scully?
[00:11:55] Do you want to just sell sugar water the rest of your life or do you want to make it? Yeah. He's like, I'll make a difference and then he fired him. Well, thanks so much for being here, Frank. So let's get into this little bit.
[00:12:08] You know, Eric was giving me some cliff notes before the show and stuff like that. And we started talking a little bit about vulnerability assessment versus pen testing. And I have funny stories about pen testing.
[00:12:19] I have a friend who works securities for the government and I will not tell those stories on air. I'll tell you those after. But like for me, I always thought the two were the same. Right?
[00:12:29] I think a lot of people, especially those who are not well versed enough in the security arena. And yes, that is a, you know, the security arena is hotness right now, especially for MSPs. So like what's the, let's start with some basics, right? What's the breakdown?
[00:12:48] What's the difference between a pen test, which I always thought was just physical, but I guess I'm wrong, like a pen test versus a vulnerability assessment. Yeah. No, it's, it is a lot of, there is a lot of confusion still.
[00:13:02] And you know, if you was, whether it was a compliance issue in the past or just as, you know, an insurance of some sort, right? There was always just to check, you know, I need to do a vulnerability assessment, right?
[00:13:13] It was a once a year thing, which kind of parallels to what most pen tests usually are, right? A once a year thing that means, as it said, sort of the difference today really is, is that if you think of a vulnerability assessment or vulnerability management,
[00:13:27] it's again, proactively looking internally, right? You're controlling what you're seeing, how you're looking at it, how often it looks at it in the case of Nodeware, right? We look on a daily basis, every device, every asset is re-scanned for known vulnerabilities that come down the line.
[00:13:42] So you're always looking, you're always able to proactively look and improve, you know, you find a vulnerability on the Windows server, right? You don't want to wait six months, right? You want to do that now. And so that's really what is the need, that's what vulnerability management is,
[00:13:56] is looking ahead, looking at the environment, looking at everything that can have an attack surface and minimize any open ports, if you will, or other vulnerabilities that are discovered. So, so again, looking at it, you know, what do I got here? What am I, what are my situations?
[00:14:13] What do I need to improve? Penetration test on the other hand is a, you know, it's an attack, right? It's an authorized attack, right? It's our pen testers coming in and they work with the end user, so they know that this is
[00:14:27] going to happen and they have to provide some level of access and liability release. That little thing. But they have to, you know, they come in and they're simulating the bad guys, right? They are physically, sometimes physically, right, there are physical penetration tests,
[00:14:46] you know, the access code coming in, right? You know, we've gone on site and, you know, broken into a location because they've simulated little of the cards, right? And you kind of can make it work and fool the system and get in, right? That's a physical penetration test.
[00:15:03] So think of that physical play in the same way from an electronic way or from somebody coming in from Russia, China, you know, Illinois, right? Wherever they may be coming in from. So it's kind of the, if you think about it, it's a little bit from the internal,
[00:15:19] is it vulnerability assessment and management? And the external is the penetration test, right? And you can do one or the other and ideally in a really good environment, you should be doing both and we can talk about timing and sequence and all that.
[00:15:33] But that's kind of the basic definitions. So Frank, would it be safe to say that the pen testing is kind of offensive and the vulnerability management is defensive? Yeah, that's a good way to put it.
[00:15:50] The other model we kind of look at is, let's go into the military, right? So when you're building up military or you're building up your troops, you're putting, you know, you're simulating what things are going to go where.
[00:16:05] You know, I got 100 troops here, I got this technical expertise over there, I've got these people here. Okay, let's assess that. Let's look at where we are. What do we, you know, if we were to get hit from that side, we would need 150 people, not 100.
[00:16:19] So let's load that up now, right? Think of it that way. That's the assessment and the management, right? You're continually looking for things and where there might be shortages and they simulate in a sort of modeled way.
[00:16:31] Penetration test is we're going to do a joint exercise with France, you know, trying to attack, you know, or redo the, any kind of attack, right? Just a simulation of a penetration or trying to get onto the beach. That's good. Right?
[00:16:48] So you're going to go in and, you know, we're going to roll up with our boats and they're going to roll up, oh shoot, we've got too many here. We can't get through. There's a clog here, right? But on the other sides, shoot, we're open.
[00:16:58] We're, you know, somebody could come in and attack us from the side. So that's, I mean, very sort of, you know, militaristic way to think about it, but that's a pretty straightforward way. Yeah, I know. I like that.
[00:17:08] And it does clear things up a lot because like we're talking about the difference between a practice move where you're actually doing something versus like the management of it. So let me ask you a question and this is going to sound super dumb,
[00:17:21] but everybody who listens to the show knows I don't know what I'm talking about. For vulnerability assessment, right? Your goal with that is to look for open issues. You're looking for the vulnerabilities within the software that's on the computer somewhere.
[00:17:36] But if you're a good MSP and you're running patches like you're supposed to do, and you have all of your computers in RMM and MDM and all those other TLAs we love, and those computers are up to date and, you know, Chrome, I mean,
[00:17:51] Chrome updates every other day at this point, but like, where is the, where's the break line there? Right? Is it that like, hey, you need to know about this, even though your computer is up to date, you need to know about this new vulnerability that was found,
[00:18:06] even though you can't do anything about it? Or is it more like a slap in the face like, hey, you haven't actually run your patches in seven years on that Windows 2012 R2 server. Like get your butt, get moving on it. Like where's that, where does that bring people?
[00:18:22] It's kind of a bit of both, right? Right? You could be doing the best patching on your Windows systems, but you forgot about your printers and you forgot about, you know, your firewalls and everything else, right?
[00:18:35] I mean, that's one of the beauties of Nodeware, I got to go to commercial, right? We capture every device, every IP address on an enterprise. If it's on-prem, off-prem or cloud, right? So we're, you know, a patching isn't going to help,
[00:18:50] you know, to check on that printer. Maybe it does, but that's, you know, you got to go to HP and do their stuff, right? Or go to whoever. So if you're really looking at it holistically, it's, it's, it's, it's, you got to look holistically, right?
[00:19:06] You can't just look at what one tool might do. And that's where, you know, a lot of, to your point though, right, a lot of patching does take care of known vulnerabilities, but how often are you doing them, right?
[00:19:18] Are you dealing with, you know, Patch Tuesday from Microsoft? And we just, you know, beautifully, we just added three weeks ago a new patching function within, within Nodeware. So even if you're not, if you're out of mate and you're doing all the things
[00:19:35] you need to be doing as much as you can, as regular as you can, you can still also use Nodeware to, to just check your work, if nothing else, right? Just make sure and just say, oh, you know, we, yeah, we've got the June release is available,
[00:19:48] but we're on May right now. Let's wait on that. Okay, good. We're good. You know, so you're kind of doing a little validation of your, I like that Microsoft has patch Tuesday and Google Chrome has patch Monday, Tuesday, Wednesday, Thursday, Friday.
[00:20:00] So seriously, because we put up a prompt on our, our clients computers with like, Hey, Chrome, these are we updated, please quick quit. And the panel of people are like again, we're like, yeah, it's not our fault, man. But I like that idea of like being,
[00:20:18] because I do think that there's, there's not enough tools that checks our work, right? As an MSP owner. I think, I think there's a lot of tools out there that help us do our job.
[00:20:29] But I do like the idea of yourself, we're helping us check to because like, I'll be honest, we're not the greatest at patching. We're pushing everybody up as far as we can. We're stuck against some physical limitations. Maybe a computer can't get any further in terms of the,
[00:20:44] because that's one of the things, at least on the Mac side, on Windows it's not so much, but on the Mac side, like Apple turns off the ability for like an iMac 2017 to get the latest OS. Well, if you're on two OSes back as an example, right?
[00:20:59] And I say to you, hey, listen, that computer needs to be replaced. It's on Mac OS 12 or on 14. That may not be good enough to convince the owner of the company, because like that's money. But if we do something with Nodeware, Nodeware can spit out all the vulnerabilities
[00:21:11] that have come out since that computer can't get updated. Now I have hardline data to give to that owner to get them to swap it out, right? Well, and the beauty kind of back to the one two punch, right? Of penetration test or vulnerability.
[00:21:25] It's like, no, it's not one or the other. The way that it works best together is, I mean, ideally in an ideal world, you would start with your vulnerability management, kind of get an idea of how bad it is, right?
[00:21:37] Because you don't want to do a pen test in an unknown environment, right? I mean, at least if you're not the MSP, you want to get it fixed so that the report shows good. So run your vulnerability management,
[00:21:49] get some improvements to track your work, check things out. If you don't do that, but let's say you do start with a pen test first, right? Or the requirement for the company needing a new cyber policy insurance policy or their HIPAA compliance,
[00:22:02] or name your three or four letter acronym compliance framework. If you do the pen test first, right? Pen test does its work, right? It spits out a report, right? In our case, it's a very human fact of the report.
[00:22:15] So if not just an automated, here's 100 pages of things that we found, right? It kind of prioritizes and does some analysis of it. But that report, that pen test output is going to give you, again, maybe it's five priorities, 10 secondary priorities.
[00:22:31] That's your worksheet, your list of things to do. And so, but again, if you're doing it once a year, okay, that's a long list of things to do and what you work on. So you need to be making progress.
[00:22:43] Oh, but in the meantime, as you said, new vulnerabilities are coming down every day, right? I mean, they're literally from whether it's Microsoft, Cisco, Adobe, you know, name your vendor. Google Chrome. Yeah, Google Chrome. You know, all those are coming all the time.
[00:23:03] So if you're just working on the pen test list. You're missing out. Okay, great. One, you need to check that work that you did, that those vulnerabilities that the pen test report said are there are being taken care of and aren't showing up anymore.
[00:23:16] But again, then new things are coming down the line. So you can't let up on one or two. I do find it funny because I have a client who, their insurance, they're a nonprofit, and their insurance provider gives them a vulnerability
[00:23:34] scan, you know, every quarter or something like that because they're using it to weigh their insurance requirements and something like that. Are they weighing it for the future policy or are they maintaining their I think they're maintaining their insurability, which they're fine. Don't get me wrong.
[00:23:55] Like this stuff that we're getting is a no, but I remember on one of the times because we have to fight with them all the time about some BS because one of the times they got a report back and the ones that were marked as critical were CVEs,
[00:24:09] which is a common vulnerability exploit, something like that, right? CVEs for autodiscover.domain.com, link.discover.com, and msoffice.discover. I'm like, and we went back to them. We're like, we don't actually maintain those. Those are owned by Microsoft. What do you want us to do about it?
[00:24:32] And then we're like, well, you have to fix it. We're like, you don't seem to understand what we're saying to you right now. I don't have whoever was in charge of Microsoft anymore. I don't have CDM is a phone number to get that fixed.
[00:24:47] This needs to come off of our bill. But like it was really interesting that like their vulnerability test, and I'm assuming yours does the same thing, right? It reads all of it, which is, I think, a big piece too many MSPs.
[00:25:01] This goes back to an argument Eric and I were having earlier about being an MSP versus an IT MSP versus break fix, right? An MSP, like if you ask any generic MSP, like I take care of anything that's on the network.
[00:25:15] What about the stuff that's not on the network that's also part of the organization, right? The website, the VoIP system, all the third party stuff. Because like, if you do have a client that has to have some sort of compliance regulatory, right?
[00:25:31] And their VoIP system, which is tapped into their, which is tied into their Microsoft Teams, just tied into their address book with all of their patients in it or whatever, has a leak or has a couple of exploits. You need to go through and deal with that.
[00:25:46] Maybe that Yealink phone on your desk needs a firmware update. Maybe that piece of networking needs something. Like there's so much here that I don't even think about. My head is spinning right now, Frank. Because I'm like, I mean, like I make a joke.
[00:26:01] All my clients just want to smoke weed and draw pictures, right? Because they're Mac users. They don't care. But I'm thinking to myself, like if I really sat down and thought about the things that even at my company,
[00:26:13] we're not checking on the regular, that a tool like yours would. Yep. Mine, Bob. No, it's actually fascinating in the range of things. I'm kind of going back to the patching tool. If MSP is doing a good job of patching, that's patching the OS.
[00:26:33] But one of the things that we do with a credential scan or an agent-based scan is that we look at the applications on that device as well. So we can look at Microsoft Word vulnerability if there is one.
[00:26:45] Or Adobe tends to be the one that has a lot of things. And you think about it, right? That connection from my system, well, I've updated, I'm on June that patch already. Well, okay, what about your applications? What about the applications that are connected to a third party?
[00:27:06] What about the fourth party, if you will, right between the data connection and the flow and the tie-in? So if you can get into one, then you can get to the other. And oh, by the way, now I can see that data that you produced that report on.
[00:27:18] I mean, it's scary. It's scary. Yes, I wish you'd have a less. Especially because you bring up Adobe, and I was thinking about this because I was talking to somebody yesterday. As an MSP, we can't manage Adobe for our clients, right?
[00:27:34] Because we can install the Adobe Creative Cloud tool, but the apps that they install, we have no... Without having... Adobe has their own built-in thing that we don't have access to. They're like, keep those things updated. And our client doesn't have the keep my software updated.
[00:27:45] They could be running Adobe CC from three years ago that's vulnerable. Now, the question always comes down to, like, what's your comfortability with risk? And if your data does leak, is it going to cause irreparable damage or whatever, which everybody would always say yes
[00:28:04] because that play that I've been working on for the last 10 years, if that got out there, it wouldn't ruin me. But those kinds of things... All right, so there's obviously a hole here for the need that you guys are feeling with this need.
[00:28:18] What I'm really thinking about now also is, like... Especially for myself, because as everyone knows from the listens, I only care about me. Implementation. How would... I don't mean how an MSP can implement it. That part's easy, right? You sign up for your software, install it, done. Cool.
[00:28:38] Yeah. How does an MSP sell it on a customer, especially if that customer is not held to any sort of, like, compliance regulatory? Like, regulatory. Yeah. No, great question. And it comes up a lot in my colleague Matthew Konev,
[00:28:57] who was on the show some few weeks ago, I think. Always talks about that if an MSP can sell Nodeware just on its own or sell vulnerability management just on its own, they're doing a disservice, right, to themselves and to their customer
[00:29:12] because it's really part of a stack, right? It shouldn't be an isolated piece. If they've already got MFA and they've got a great email security and they've got security awareness training, okay, good. Then add it on to that, right? But to kind of just lead with vulnerability management
[00:29:29] is a little bit harder in the case. That said, the real play here is... I think then the most thing that most people can understand is to go back to hygiene, right? It's cyber hygiene practice, right? You know, what's your daily routine?
[00:29:48] You shower, you brush your teeth, you wash your hair. Well, if those I have here... You want to see me getting upset by this? Go to youtube.com.com. I'm sorry, I can tell you. But there are things that you have to do, right?
[00:30:04] Or that most people do. And it's kind of... So if you think about it, right, from a proactive and the MSP positioning this to their end user, it says, yeah, you've got lots of systems. Do you want to keep healthy?
[00:30:19] Right, do you want to keep your systems healthy? And you can only really do that by looking... Well, there's different ways, but a primary way that I think that it can be done is through vulnerability management. Right, you have to know...
[00:30:31] First off, you have to know what's in the environment. That's actually one of the biggest surprises that the customer and or the MSP gets. We've got 50 employees, we've got 75 devices. You know, all told, no, you're going to have 100 to 150, right?
[00:30:46] Because we're looking at all the different IP addresses and things that have connections up. So that's going to dispel the first myth and sort of get the corrections. Oh, I didn't realize I had that many. Are those... Oh, we saw a score here of 200 when it,
[00:30:58] you know, below 850 is danger zone. Right, so okay, we got devices on this that need to be looked at and fixed. So that continuous process and that level of improvement identified, right? You can go to the doctor and they tell you, you know what, eat less, exercise more.
[00:31:17] But if you do it, great, you're going to see some progress. If you don't... Yeah, thanks for the advice. I'm not going to listen to you. Yeah, I'm not listening to you like that. Yeah. But again, when an MSP is trying to relay this
[00:31:30] to their customer that, you know, catch, it's another tool. I'm going to have to pay another, you know, $2, $3, whatever they want to charge per user per month. Why is that worth it? Well, because we want to get you healthy one.
[00:31:43] We want to keep you healthy once we get you there, right? If you're not doing... If you're only doing this check once a year or once every quarter, you know, you're out of luck. Now related to that, though,
[00:31:54] you kind of were mentioning something that I wanted to bring up. A lot of our MSPs that have started with vulnerability management, right? They might start because one of their customers has to do it, right? It's their HIPAA requirement or it's their, you know,
[00:32:05] whatever they need to do from a compliance standpoint. And they roll out the Nodeware and it's easy to roll out and they get all this data and they're like, oh my gosh, there's so much here, right? There's... We found so much.
[00:32:17] Why am I finding all these things? I've been taking care of this account for so long. And so one of the things that sort of is a bit overwhelming to them, I guess, is that there is a lot of data, right? We find maybe there's 10 critical vulnerabilities
[00:32:33] in their environment, right? And there may be 30 high priority, high level vulnerabilities. And that's a lot of stuff, right? That's a lot of work they got to get through. And so what we tried to say, okay, take a breath, right? You know more than you did yesterday.
[00:32:49] So let's go with that. Let's prioritize, right? Let's get these first, you know, okay, look at those 10 top 10 high critical vulnerabilities. Let's get the first five and figure out, okay? Now we've learned that. Let's go to the next five and sort of chunk away at it, right?
[00:33:03] Because one of the things kind of coming back to insurance and compliance and sort of showing that you're doing something, right? Rather than just sticking your head in the sand and hoping that things improve. Is that if you show, here's where we started. Here's our plan.
[00:33:20] Here's our progress, right? And whether it's to the end user themselves or God forbid something happens and they need to show that you were doing some work and progress along the way, you're doing that work. So it's kind of like, yeah,
[00:33:32] you're gonna get a lot of data, right? But it's the data you need and it's the data your customers need. So don't be afraid of it. Just plan for it. And if you can't do it all yourself, then we've got a new resource coming on
[00:33:44] that will help a third party that can help you address those things. But patching is gonna resolve a great number of those vulnerabilities. Not all of them, right? Clearly, but a good number of them can be, if you're keeping up on your patching windows particular,
[00:34:00] then you're making great progress. So it's kind of, if that makes sense, right? It's kind of, you're not gonna tackle all on the day one, but you need to start tackling. You don't know me well enough, Frank. I'm gonna install it on 250 endpoints.
[00:34:12] I'm gonna have it all done 24 hours. Let me know how that goes. We're out of case study so that you can show them. Imagine this like a Truman Show style, like just a video. I like the idea that you're right.
[00:34:26] And this is a big piece, which is like, we talk about a lot of different products. We talk about a lot of different methodologies on this show. No one product should be sold on its own. You as the MSP should not be selling vulnerability
[00:34:43] assessment and pen testing as its own thing. It should be part of this menu of offerings that you give to your client. For us at Virtua, and I'm thinking, I'm gonna talk to you guys as a show. I'm thinking about maybe including this.
[00:34:58] We were thinking about our five point compliance where we're including like NIST management for the computers and we're thinking about doing Abenon for email and we're gonna do Ignite for Protect for anyone who has or secure governance for whoever has that. And then in our list,
[00:35:12] we have some sort of vulnerability and pen testing for the network and the computers. And so that is our package. We're selling that as our, you're buying the bundle, right? You're getting the Disney Hulu ESPN whether you want it or not.
[00:35:28] And it's one, it's a little bit of an easier pill for your clients to swallow because you're like, I'm taking care of your computers, your email, your network, your website, your patching and your file share all in one move.
[00:35:46] And I'm gonna sell it to you for X price, $30 a month or whatever per device or whatever it is. It makes it a lot easier. It also makes you as the MSP look like you're on top of the game across the board
[00:35:59] because I do really, I do feel like the MSPs who sell it in piecemeal are always just like, oh, so this is vulnerability assessments, the new Chronaut, like people want it today and they're gonna move on with it. You know what I mean?
[00:36:15] Any things that would be, all right. So before we finish up. Now, just a comment on that point, right? You know, it's almost, it's simplistically, it's somewhat of the good, better, best model, right? So have that good package. That's what you talked about.
[00:36:28] And one of our larger national partners does that. They have a kind of architecture structure. And then, you know, this is what we're gonna do. If you want to add vulnerability management and, you know, MDR, then, you know, here's the better model
[00:36:41] and here's, you know, PEN test included is the best model, right? So that it's all wrapped together. So it's really, yeah, because if you line list too many things, that's just easy to cross out a lot. Yeah, yeah. Right? And then you're, pertain yourself
[00:36:54] and you're potentially hurting the customer by not really giving them what they need. What should be written on your invoice is a whole other topic. Um, so before we go, Fred, I want to ask you a question, right? So the software sounds great. It does what it was...
[00:37:04] What does it work on? Windows and Mac, yes? Yep, across, but it's, um, we have virtual sensors so you can deploy for the network. Again, the broad fishing net. We have a Windows sensor and then a VM where in vSphere, so whatever kind of environment
[00:37:19] you want to run. Then it doesn't require dedicated equipment. It can run on existing infrastructure. What about like, I know a lot of Mac people like Synology still. What about Synologies? Uh, I'm not sure about Synology, but it'll pick it up.
[00:37:35] I mean, we don't have a specific sensor for that, right? So you could... I was waiting for you to tell me no. No, I'm going to... Or you can always put a physical little Windows box on the... That's what gets me.
[00:37:45] And we're going to fight about this after the show is that the amount of... Like, this is the... And we do Mac thing that I get mad about. I said, we don't prefer that. That's just an option. There's your competitors.
[00:37:54] I know some of your competitors in the like, in order to run our stuff where you need to put a Windows computer on the network. And I'm like, that alone is the vulnerability on an all-Mac network. All right, friends, where can people find out
[00:38:05] more about you and Nodeware online? So start with LinkedIn. Got my name there. You can find me. I'm thinking about the only one there. Nodeware.com, N-O-D-E-W-A-R-E.com covers all the products there or the product there. And again, we just announced the patching
[00:38:23] which I wanted to kind of call out a little bit. If you're interested in the penetration tests and we have other services around that like a new third party risk manager, right? Which is another probably a whole different topic for you guys to bring on.
[00:38:36] But we've got a new service there to manage that and CISO team is a service. So those are all customized. So it's really based on volume there and size of the engagement, custom statement of work each time. But for that, you can look at igicybersecurity.com
[00:38:55] as the easiest player. Again, F-R-A-I-M and winDI at igius.com is probably the easiest way. Feel free to reach out. We'd love to have a discussion and go from there. Awesome. Frank, thanks so much for being here on the All Things MSP Podcast.
[00:39:11] Eric, any final words before we say goodbye to our avid listeners and my mom? No, I just think this was a great podcast because the whole pen testing versus vulnerability assessment versus vulnerability management causes a lot of confusion out there.
[00:39:26] And I think, Frank, you did an excellent job of clarifying that for our listeners today and I really do appreciate it. That's been my pleasure. Awesome. Well, that's Eric. I'm Justin. Follow us on all of your favorite podcasting platforms. Head over to our Facebook group, facebook.com,
[00:39:42] slash group slash all things MSP. Join the group. Get a welcome, welcome, welcome for me if you do. And then post in there because maybe you'll be from the group. Thanks to Tommy Cox for posting about the... The MFA thing.
[00:39:54] I was going to say duo, but it's not duo. The MFA question that he posted earlier. YouTube.com slash add all things MSP. Check out our Patreon. All those things. Listen, you've heard this before. You know what I'm talking about. That's it. I'm done. Bye. Thanks for listening.
[00:40:08] And don't forget to subscribe to us on your favorite podcast platform. You can also follow us on Facebook, but better yet, go ahead and join the Facebook group. You can also follow us on Instagram if that's your thing. And make sure you subscribe to our YouTube channel
[00:40:24] at all things MSP to catch us in all of our video glory. And last, but certainly not least, if LinkedIn is your thing, you can follow us there as well. And a special thank you to our premier sponsors, Super Ops, MoveBot, Gozinta, EasyDMark and Comtech.
[00:40:44] And we also want to thank our vendor sponsors. The All Things MSP Podcast is a BizPow LLC production.