Dave Sobel engages in a thought-provoking conversation with Jon Murchison, CEO of BlackPoint Cyber, about the current state of cybersecurity policies and practices. They discuss the initiatives surrounding "secure by design" and "secure by default," emphasizing the challenges faced by managed IT service providers in implementing these ideals. Jon expresses skepticism about the immediate impact of these policies on the ground level, noting that while they are well-intentioned, they often fall short of practical application in real-world scenarios.
The discussion shifts to the dynamics of responsibility and liability within the cybersecurity landscape. Jon highlights the disparity between software vendors and service providers regarding accountability when security breaches occur. He argues that while security providers should be held liable for secure code design and regular penetration testing, the complexities of cybersecurity make it difficult to assign blame definitively. This nuanced perspective underscores the need for a balanced approach to liability that encourages innovation without stifling progress.
As the conversation progresses, Jon shares his insights on the Cybersecurity Maturity Model Certification (CMMC) and its potential as a broader standard. He acknowledges the foundational value of existing frameworks like NIST and ISO but critiques their lack of practical guidance for organizations. Jon advocates for a more prescriptive approach that focuses on actionable steps for hardening security measures, rather than vague compliance requirements that can lead to checkbox exercises.
Finally, Jon emphasizes the critical importance of identity management in cybersecurity. He explains how threat actors have evolved their tactics, often exploiting legitimate credentials to navigate networks undetected. The episode concludes with Jon discussing the future of posture management and the need for improved security measures around automation, highlighting the ongoing challenges and opportunities in the ever-evolving cybersecurity landscape.
[00:00:02] Dave Sobel here at IT Nation Connect. I'm sitting with Jon Murchison, CEO of BlackPoint Cyber. Jon, thanks for joining me.
[00:00:09] Yeah, thanks for the invite.
[00:00:10] You're a big leader in this space and I really value your insight on a couple of the pieces that you work on.
[00:00:15] And I'm going to start with some policy stuff because I think it's worth talking about.
[00:00:18] CISA has, of course, been leaning into their secure by design and secure by default initiatives.
[00:00:23] They've got the pledge, the initiative and a bunch of stuff they put forth.
[00:00:26] Give me your sense of how well that resonates and what a difference it will make.
[00:00:32] I think, first off, it's definitely kind of the right path and push for them.
[00:00:36] I think when you get on the ground level and see kind of how specifically managed IT service providers have to implement,
[00:00:42] you know, kind of zero trust authentication, network design, app control,
[00:00:46] I think this is where it starts veering off course a bit.
[00:00:49] Okay.
[00:00:50] You know, if you think about a company that has to manage 40, 50, 100 different networks,
[00:00:55] you have, I think a dentist's office is old school legacy software has to run on prem.
[00:01:00] A lot of this design stuff is very idealistic and not implementable in practice.
[00:01:05] And so I think it's good.
[00:01:08] I think it's well intentioned.
[00:01:09] I don't think it's having much of an impact just yet on the ground level.
[00:01:12] You know, if regulation comes in the future, maybe it will, not that I'm voting for or against it.
[00:01:17] Yeah.
[00:01:17] But I think it will have, right now I'm not seeing a big impact.
[00:01:22] I think an area our industry is probably not paying enough attention to is really the management of privileged identities
[00:01:30] and to be able to put what they're doing in context.
[00:01:32] I think that is, if you can do that, whether it's on prem, lateral movement or cloud attacks, which are really prevalent right now,
[00:01:41] I think you can kind of thread the needle and not creating a bad end user experience.
[00:01:46] I mean, specifically, I think sometimes when you get into sort of zero trust application control,
[00:01:50] the vast majority of all the things getting blocked are not threats and impact the productivity of your end user.
[00:01:57] Right.
[00:01:57] So I think in some cases this feels really good on paper, but I'm not sure a lot of it's been written by practitioners.
[00:02:04] Well, that's true.
[00:02:05] And I view it as more of a long-term investment in having a different conversation about software liability and responsibility.
[00:02:11] Yeah.
[00:02:12] I'm hopeful.
[00:02:12] I'm going to observe it.
[00:02:13] I'd love to get a little bit of your reaction to this.
[00:02:15] It's my observation, you know, as somebody who's not a cybersecurity practitioner, but more in general,
[00:02:20] is that cybersecurity is one of those spaces where we've got a lot of tools, we've got a lot of methodology,
[00:02:26] but we actually also have a lot of handing off of responsibility.
[00:02:31] Right.
[00:02:31] If I was very simplistic in an analysis, trying not to be, but let's use it for a point,
[00:02:37] the cybersecurity vendors themselves that are delivering software have a pretty strong liability shield
[00:02:42] from actual responsibility when something goes wrong.
[00:02:45] For sure.
[00:02:45] Right.
[00:02:46] That doesn't actually put them invested in the same way as say a service provider who ends up
[00:02:51] sued their pants off.
[00:02:52] Right.
[00:02:52] Right.
[00:02:53] For a violation, they're not invested in the same way.
[00:02:55] Right.
[00:02:55] Give me a little bit of a sense of like the where you think about that dynamic because it's probably off right now.
[00:03:02] Yeah.
[00:03:02] It's in your favor as a vendor, but that's probably not the best thing for all clients.
[00:03:06] Give me a sense of how you think about that balance.
[00:03:08] Yeah.
[00:03:08] I mean, the way I think about it is first off, there's no silver bullet in security.
[00:03:12] You can look at warfare over hundreds of years and realize, imagine if you're holding each unit liable for failing to detect or respond to some attack perfectly.
[00:03:20] Right.
[00:03:20] I mean, this is a hard target.
[00:03:22] It's a moving game.
[00:03:23] It's more akin to a battle or a skirmish.
[00:03:25] Right?
[00:03:25] Yep.
[00:03:26] And I think if you start putting the liability so hard on the security providers, so first off, I think the liability should be there for secure code design.
[00:03:36] Okay.
[00:03:37] Cool.
[00:03:37] I think there should be mandates to do application penetration testing on a regular basis.
[00:03:41] I don't think the vast majority of this market is actually doing it.
[00:03:44] Okay.
[00:03:44] I think a lot of the security providers are, but I don't think a lot of the other vendors
[00:03:47] are.
[00:03:48] But when it comes to actually, I think we have the best track record in the world at what
[00:03:52] we do.
[00:03:52] But when it actually comes to, you know, first off, there's a lot of gray areas on like someone
[00:03:58] gets in a network, they're moving around, they haven't stole data yet, they haven't encrypted.
[00:04:02] Am I liable?
[00:04:03] Right.
[00:04:03] I don't know.
[00:04:05] Yeah.
[00:04:05] I don't think there's enough experience.
[00:04:07] I don't think there's enough legal precedent to know where to draw the line.
[00:04:11] You know, if you can just look at maybe outcomes where IR and breach insurance has to get involved,
[00:04:16] you know, maybe that's a line.
[00:04:18] I just think it will be, listen, we have to innovate.
[00:04:22] We have to try new techniques.
[00:04:24] You know, you try and lock it down.
[00:04:25] Everyone's going to play it safe, which means you're going to get smashed.
[00:04:27] Well, you've highlighted something that I think is really important there because in a way the
[00:04:31] customers don't know, you know, I'm going to pick on them because it's an incredibly easy,
[00:04:36] not involving a criminal example.
[00:04:39] We'll talk about cyber, CrowdStrike for a moment, right?
[00:04:41] CrowdStrike had a failure.
[00:04:42] Right.
[00:04:42] We have a sense of that it was a quality control failure because we know it wasn't cyber criminals.
[00:04:47] Correct.
[00:04:47] Which actually means it's a unique ability to talk about a cybersecurity product, not in the context of a bad actor.
[00:04:53] No.
[00:04:54] Because by the way, well, it's actually useful to talk about because we want to start with the blame starts with the criminals.
[00:05:01] Right.
[00:05:01] We have to start with that.
[00:05:03] Sure.
[00:05:03] Right?
[00:05:03] So we need to fund law enforcement.
[00:05:05] We need to go after them.
[00:05:07] Now in with our own house, we actually have to have some responsibility over doing it right.
[00:05:11] Correct.
[00:05:11] Right.
[00:05:12] And my example here is when CrowdStrike has sort of zero responsibility to the clients.
[00:05:16] Now this may shake out in the cases.
[00:05:19] We'll see.
[00:05:20] I'm skeptical based on precedent.
[00:05:22] But I appreciate your perspective because it gives me a little bit of a sense of the balance there.
[00:05:27] I think that's the right word.
[00:05:28] Yeah.
[00:05:29] There has to be a balance.
[00:05:30] And if you go too hard, I worry what comes out the other side.
[00:05:34] I think we can agree that the balance isn't there yet.
[00:05:35] Yeah.
[00:05:36] So we have to experiment with some other balances to find the right one.
[00:05:39] I want to move on a little bit from that to some of the stuff we're seeing with CMMC.
[00:05:43] Right.
[00:05:44] I think nothing's a silver bullet.
[00:05:46] Right.
[00:05:46] But I'd like to get your take on a premise that has been offered to me and I think you'd
[00:05:51] have some really good insights to it.
[00:05:52] CMMC, particularly the 2.0 version, pretty reasonably well thought out.
[00:05:57] Right.
[00:05:57] Has levels that allow for some auditing and some actual investigation to it.
[00:06:03] We're going to see how it rolls out.
[00:06:05] This is going to be a slow, painful process.
[00:06:07] Right.
[00:06:07] But if we're talking about this kind of directionally, how do you think about like a certification like CMMC as a more broad standard that might be able to be applied in more places?
[00:06:18] So this is where I'm going to be controversial.
[00:06:20] Cool.
[00:06:20] Which you'll probably like.
[00:06:21] But you can have an opinion.
[00:06:23] Yeah.
[00:06:24] Listen, I've read the NIST frameworks, ISO, SOC2, CMMC.
[00:06:32] Here's the challenge.
[00:06:33] By the time you're done writing a lot of these frameworks, and don't get me wrong, I think a lot of the foundations in there, if you follow that as a company, it's raising awareness, it's raising the bar, you're becoming a more mature organization.
[00:06:47] But there's not a threat actor in the world who cares if you're CMMC, ISO compliant, they care if you've missed a patch on your firewall, if you have creds leaking everywhere.
[00:06:57] And so I think for me, I would like to see these frameworks look more like CIS.
[00:07:03] Okay.
[00:07:03] That are prescriptive, that tell you how to harden, not just say you have to have the ability to detect malware and you have to have logs for X amount of time.
[00:07:10] Because here's the reality, every major company you've seen breached has run a SIEM-based platform for threat detection.
[00:07:17] The track record over the past 10 years is abysmal.
[00:07:20] It's expensive, it takes forever to roll out.
[00:07:23] You have this huge integration tax of data.
[00:07:26] And then, oh, by the way, when you're trying to sort things out right in the middle of a fire, you may have to jump to other platforms to take a response.
[00:07:34] They're too slow.
[00:07:35] I think we saw this with MGM.
[00:07:37] And I think for me, what I'd like to see from CMMC is them to catch up a little bit on what the state of the art of threat detection really looks like today.
[00:07:47] Okay.
[00:07:47] Being able to put identity in context, having integrated and orchestrated anti-malware detection, being able to actually enrich and determine malicious cloud logins and follow on activity.
[00:07:59] I think it's still written using that old school traditional stack and they're still looking for an old school kind of log dumpster for everything to be put into.
[00:08:06] And I just don't think it's that effective.
[00:08:08] And at the end of the day, CMMC was built to protect our defense industrial base.
[00:08:12] Right.
[00:08:13] That has to be built on hardcore practitioner.
[00:08:16] And what I see is you tend to, it's all well-intentioned.
[00:08:20] I want to be clear.
[00:08:21] Yeah.
[00:08:21] And I like a lot of it.
[00:08:23] But I think the problem is it's missing that last 15% of nuance that it's a difference between you getting hacked or not.
[00:08:29] So would it be fair to assess sort of like you think good start, we've got more work to go beyond that?
[00:08:34] Good, great start.
[00:08:35] Let's get practical guidelines and hardening into it instead of all this kind of in theory hand wavy stuff that I see.
[00:08:42] I think all the different, I don't know, modules probably not the right term, but I think all the different sections to focus on for hardening, whether it's identity or anti-malware stuff or secure network design, I think it's great.
[00:08:53] Okay.
[00:08:54] But what people on the ground level struggle with is like what settings do I have to configure in conditional access?
[00:09:00] Right.
[00:09:00] That's what we need as an industry.
[00:09:02] At the end of the day, security is all the devils in the details and it's about rolling around those details and understanding them.
[00:09:08] And when it's too high level and broad, it's hard to implement and it turns very quickly into a checkbox exercise.
[00:09:13] Makes sense.
[00:09:14] Now I want to pivot a little bit in that because you brought it up twice now in what you've said and I'm curious your take on it.
[00:09:19] Identity.
[00:09:19] Yeah.
[00:09:20] And it's a conversation I'm feeling I'm having increasingly with people in the security space and I'm wrestling with it a little bit because I'm trying to define exactly what we mean about what we're solving.
[00:09:30] And I also want to put that in the context of we haven't actually caught like a national privacy law.
[00:09:36] So we're then talking about capturing identity without a framework of understanding what the protections are.
[00:09:40] So give me a little bit of your sense about like what the problem we're trying to solve with identity is and how the best way to approach it.
[00:09:47] Yeah, I'll lay out real simply and I'll use some real world examples.
[00:09:50] Please.
[00:09:51] So you think about the BlackCat ransomware group.
[00:09:54] What did they do different?
[00:09:55] So about three years ago, I think I did or two years ago presentation on them.
[00:09:58] I read a boom.
[00:10:00] It used to be all malware malware malware malware malware malware.
[00:10:03] They get in however they get in and then these custom tool sets that can evade EDRs or sometimes get caught.
[00:10:08] They realized, you know what, it's a lot easier to hide in plain sight.
[00:10:11] So what I'd like to do is like to exploit a firewall.
[00:10:14] All right.
[00:10:14] There's a seen all the patches on them.
[00:10:16] It's pretty obvious.
[00:10:17] Then what am I doing?
[00:10:18] We point that to Active Directory.
[00:10:20] Right.
[00:10:21] Right.
[00:10:21] So now we grab a privileged credential.
[00:10:23] That's what we're talking about.
[00:10:24] I don't think there's a big privacy issue here.
[00:10:26] We're talking about a username and a password.
[00:10:28] Okay.
[00:10:29] And a way to auth.
[00:10:30] You VPN in, and now you're putting MSP tools down in the network.
[00:10:33] Okay.
[00:10:34] Right?
[00:10:35] You know, Splashtop, Atera, you know, you name it.
[00:10:38] Total Software Deployment.
[00:10:39] Those are signed.
[00:10:40] They're legitimate.
[00:10:41] They're not malware, but they allow you to move around, hook the boxes and execute your ransomware
[00:10:45] and steal data very easily without being detected.
[00:10:48] So if you can't as a cybersecurity practitioner see when a privileged, high consequence identity is used from one machine to another
[00:10:55] and put in context what they're doing, you're missing most of the observables in the attack.
[00:11:00] And because the decision tree becomes very simple.
[00:11:02] It's a threat actor, or it's legit IT.
[00:11:05] Period.
[00:11:06] There's really nothing in the middle.
[00:11:07] Okay.
[00:11:08] And so now you take a look at our trends.
[00:11:10] Automation.
[00:11:11] I love it.
[00:11:11] I think every MSP should have an automation person or team.
[00:11:15] Right?
[00:11:15] Leveraging AI, Copilot, being AI ready.
[00:11:18] So you start getting all these efficiencies in your cloud infrastructure.
[00:11:22] Well, guess where identity authorization and authentication has moved to?
[00:11:26] The cloud.
[00:11:27] Okay.
[00:11:27] Right?
[00:11:27] For a lot of places.
[00:11:29] You breach that identity.
[00:11:31] Now you can take down every MSP product.
[00:11:34] Cool.
[00:11:34] This is what we're talking about identity.
[00:11:36] You have to be able to put in context identity to know if it's legit IT or not.
[00:11:40] Okay.
[00:11:40] And there's too much focus on exploits and malware because that's sexy and it feels like hacking.
[00:11:45] But the reality is, you know, I spent 12 years as an offensive cyber guy.
[00:11:49] Trust me.
[00:11:49] Identity is the most important thing to steal.
[00:11:52] Right.
[00:11:53] Well, I say this as a bit of a quip.
[00:11:55] Yeah.
[00:11:56] The interesting stuff is oftentimes not sexy.
[00:11:58] Yeah.
[00:11:58] Like the boring execution bit is where it actually matters and sometimes it's not really sexy.
[00:12:03] I'm going to completely switch gears here.
[00:12:06] Okay.
[00:12:06] So, we can use it in the context of security but I'm actually asking this intentionally
[00:12:10] to be larger.
[00:12:11] You're a leader of a larger organization up and growing.
[00:12:14] I like to really get a sense of how you put your organization together to particularly
[00:12:19] the people that surround you so that you can get good insights and information.
[00:12:24] Like I want to sort of get a sense of that first.
[00:12:26] Like kind of how we run like the operating system for our business?
[00:12:29] In a way.
[00:12:30] In a way.
[00:12:31] I actually think about it like how do you surround yourself with good information in your organization?
[00:12:36] Oh, yeah.
[00:12:37] Okay.
[00:12:37] Several ways.
[00:12:38] So, first off we implemented something we call an operating system.
[00:12:42] Okay.
[00:12:43] This is a structured reporting format when we're doing updates from different leadership
[00:12:49] groups because as you get larger you can't talk to everyone on the ground.
[00:12:52] Right.
[00:12:53] So, that's one thing.
[00:12:54] So, we have a structured formatted thing that we can actually do analytics on.
[00:12:59] We leverage Copilot heavily so that we can summarize meetings.
[00:13:03] You can even ask Copilot like tell me if there are disagreements in this meeting I couldn't
[00:13:07] make.
[00:13:07] Right?
[00:13:07] Right.
[00:13:08] So, we have a structured kind of reporting template and format there.
[00:13:11] Second, we have a very structured set of meetings.
[00:13:14] We have weekly executive leadership team meetings.
[00:13:16] We have intentional skip level meetings where we bring several people from different orgs
[00:13:21] for a meeting with me or other C-suite executives to bring one good thing we're doing really
[00:13:26] well that we should do more of and things that are blocking them that they think would
[00:13:29] be in the interest of the company.
[00:13:30] So, that's a source of intelligence, ground level intelligence to kind of feel like the
[00:13:35] good things and the pain for our ground level folks.
[00:13:38] We run surveys in the organization.
[00:13:41] And then we're putting in a much increased focus on regular in-person meetings and team
[00:13:48] building and some social kind of activities after that to make sure everyone's communicating
[00:13:53] because I think even we got too stuck in not evolving out of the COVID era.
[00:13:58] Right.
[00:13:58] Fast enough where we're too remote.
[00:14:00] That's why we opened a new headquarters in Denver and a new office in Maryland.
[00:14:03] Gotcha.
[00:14:04] Okay, now you open it up and I'm dying to hear a little bit more.
[00:14:06] Tell me a little bit about how you've implemented Copilot in the organization and like what
[00:14:10] it's doing for you and where you're finding it's effective.
[00:14:12] Yeah, I think we're at the early stages of Copilot to be clear.
[00:14:16] Fair, but you're the first person to bring it up to me in this context.
[00:14:19] I'd like to hear a little more.
[00:14:20] Yeah, so step one, I think in July I was home two weeks, two contiguous weeks, first
[00:14:27] ones in two and a half years.
[00:14:28] Okay.
[00:14:28] Right, so the pace on the road that we've been running has been almost too much, which
[00:14:33] means you can't always be back in every single meeting.
[00:14:37] But, you know, we have a lot of experience.
[00:14:39] We built this company, we know this MSP space, and we've hired so many people, a lot of which
[00:14:45] need to be trained up and learn the customer base where we're going to.
[00:14:48] I find Copilot great for, one for me personally, summarize my most important emails for the
[00:14:56] last week and summarize any action items I have on it to make sure I don't drop the ball.
[00:15:00] Okay.
[00:15:00] The second one, when I'm missing meetings, I find it incredibly important that I can ask
[00:15:07] questions of the meeting because I don't have 60 minutes to go back through the whole meeting.
[00:15:12] Right.
[00:15:12] And so the transcripting, the summarization, the key outcomes, the action items, and this
[00:15:18] allows me to be a lot more efficient.
[00:15:20] Now, I think Copilot's kind of interesting because if you rolled it out everywhere and
[00:15:25] every meeting was recorded, it'd probably be too big brother and people need freedom to,
[00:15:29] you know, they need freedom to air their grievances about their boss or whatever without punishment
[00:15:34] or something like that.
[00:15:35] So, I don't know, we're trying to find the balance on it, but so far I absolutely love
[00:15:41] it.
[00:15:41] Okay.
[00:15:41] I am addicted to it.
[00:15:42] So, very small short question.
[00:15:45] Yes.
[00:15:45] Are you paying for it yet?
[00:15:46] Yes.
[00:15:47] Okay, cool.
[00:15:47] That's important because some people are piloting some people.
[00:15:50] So that's great.
[00:15:50] We're absolutely paying for it.
[00:15:51] Awesome.
[00:15:52] Cool.
[00:15:52] Yeah.
[00:15:52] Now, so, sort of last question and I think it'll help me get it because you're a guy
[00:15:56] who has to make a bunch of decisions on a rapid basis.
[00:15:58] And a lot of them are critical, right?
[00:16:01] In terms of like, you know, involvement in product or involvement in vision.
[00:16:04] Give me a little bit of your framework for decisions.
[00:16:06] Like how do you think about how you make decisions?
[00:16:10] Yeah.
[00:16:10] I mean, at the end of the day, our decisions, you know, people is first, right?
[00:16:16] I think we've even run through challenges in the org, hiring too fast.
[00:16:21] We have an elite chief people officer now, which has really, really helped.
[00:16:25] His name's Andy Burnett.
[00:16:26] I think for us, we look at it this way.
[00:16:29] What can we spend money on that makes our customer experience better?
[00:16:32] Right.
[00:16:33] And any sort of friction less whether it's a billing or anything else.
[00:16:36] Two, what can we spend money on that keeps us a multi-step lead against our competition
[00:16:42] from a technology standpoint?
[00:16:44] Three, it's strategic sort of initiatives.
[00:16:47] I can tell you the one, I've mentioned it lightly, but we've kind of secretly for the past year
[00:16:52] had a massive investment in AI internally under our innovation office.
[00:16:56] It's kind of like a little skunk works office.
[00:16:58] These are things where we're making a few moves on the chess board knowing we think we know where the market's going
[00:17:05] to the point where we have a complete AI powered tech ops platform.
[00:17:09] If you look in the market, that is driving a lot of interest, valuations, you name it.
[00:17:15] And then the last part is really the nuts and bolts of the go-to-market machine that's kind of marketing and sales
[00:17:20] and events like IT Nation that we're at here.
[00:17:23] So to me, we kind of break it down like people investments, product investments to clean up tech debt and come out with new features,
[00:17:33] strategic product investments, customer success type investments.
[00:17:37] And then finally, we're still not known enough in this space.
[00:17:41] I don't think Blackpoint's brand is as known as other brands.
[00:17:45] And that's an area we have to invest more in.
[00:17:47] Gotcha. So, so last question to wrap it up here.
[00:17:50] We're rounding out 2024 here.
[00:17:52] We've all got that eye to 2025.
[00:17:54] What's like the one thing you're looking for?
[00:17:57] Like, is it a tipping point, something to happen?
[00:18:01] Like what's that thing that you're keeping an eye on most as we go into 2025?
[00:18:05] I'm keeping an eye a lot on the evolution of posture management.
[00:18:11] Okay.
[00:18:11] All right. So I think we, listen, the hacks on on-prem are still probably more costly, right?
[00:18:16] The ransomware.
[00:18:18] Right.
[00:18:18] Huge focus has moved to the cloud.
[00:18:20] There's a lot of things you can take advantage of in the cloud infrastructure that I think even a lot of the threat actors don't know about yet.
[00:18:29] And so what we need as an industry, we don't have an easy way to interrogate, say, our 365 and Azure settings,
[00:18:36] get a baseline next to best practices automatically, deploy hardening templates, alert on drift.
[00:18:41] I think this is going to be a really hot space.
[00:18:44] So that's one area.
[00:18:45] And I know you asked for one, but the second area is, is really how is the security around automation going to evolve?
[00:18:53] Okay.
[00:18:54] I think this is an area that we all need the automation.
[00:18:57] We all need the efficiencies.
[00:18:58] We got to, we got to protect the hell out of it because you know, once you connect something to everything,
[00:19:03] it's going to be a natural targeting point for threat actors.
[00:19:06] Well, I always leave these conversations slightly scared, but always a little comforting that guys like you are working on it.
[00:19:10] Jon, thanks for joining me today.
[00:19:12] Thank you very much.
[00:20:04] The Business of Tech is written and produced by me, Dave Sobel, under ethics guidelines posted at businessof.tech.
[00:20:51] Part of the MSP radio network.

