Last week we talked about playbooks and runbooks... This week we are back in the CIS Top 18 controls with #17, and while the timing might be coincidental, it is a perfect fit for what we have learned going through the first 16 controls to get here. Listen to Matt Lee of Pax8 unpack the safeguards and perhaps hear a bit of a tussle as we grapple with Yellow Brick Road or Wizard of Oz... you decide!
[00:00:06] Welcome to MSP 1337. I'm your host, Chris Johnson, a show dedicated to cybersecurity challenges, solutions, a journey together, not alone.
[00:00:23] Welcome everybody to another episode of MSP 1337. It's the third Tuesday of the month, which means I'm joined by Matt Lee of Pax8. Matt, welcome to the show.
[00:00:34] Matt Lee, Ph.D.: Man, I appreciate you. We're almost 18, which means after 18, nobody has to listen to me again, right? Is that essentially, or is it time to do the 8.1 refresh?
[00:00:46] Matt Lee, Ph.D.: We can do two things. So I think 8.1 refresh, at least part of it for me would be to really articulate the changes that have been made around assets, like understanding documentation as an asset.
[00:00:59] Matt Lee, Ph.D.: As an asset, you know that gets me going.
[00:01:00] Matt Lee, Ph.D.: Yeah, I got some stickers here that I should put on that I think Mark Vinzi's made me take home.
[00:01:05] Matt Lee, Ph.D.: The second one is we didn't capture the categories that come up with the trust mark that I think are important and I think they're important not just because I like to talk about the trust mark, not biased or anything, but along the lines of things around governance, physical and environmental, those are two categories in the trust mark that I don't know that very many frameworks have done a good job of articulating the value governance plays.
[00:01:30] Matt Lee, Ph.D.: And the role of adopting a framework.
[00:01:33] Matt Lee, Ph.D.: Just as an industry, though, I don't think we've done a good job.
[00:01:36] Matt Lee, Ph.D.: Oh, 100%.
[00:01:36] Matt Lee, Ph.D.: There's a reason NIST CSF just now has it. There's a reason that CIS 8.1 just now has it. It's really this recognition. And I like to talk about it this way, which you'd know if you'd been in the room, but instead you decided to go bolt for all important people like Mark
[00:02:00] Matt Lee, Ph.D.: You can hit me in two different places.
[00:02:02] Matt Lee, Ph.D.: Yeah, but still, it's true, actually. But no, the point is that when I talk about what is governance, we should definitely have a branch off of that. You can tell my mind thinks a branch off of that for us to discuss.
[00:02:17] Matt Lee, Ph.D.: But it was really just if you are a manager of an office and you say no smoking in the break room, what is governance? Governance is ensuring nobody's smoking in the break room. If you just let everybody keep smoking in the break room, you are not making a governance and enforcing the policies and things you've set forth as a company. And I like to call it the will of the company.
[00:02:38] Matt Lee, Ph.D.: And to be fair, I was in the room for that because you used AI to generate that picture.
[00:02:44] Matt Lee, Ph.D.: I withdraw my snarky stuff.
[00:02:46] Matt Lee, Ph.D.: Yes, that was awesome because it literally said no smoking and everybody in the room is like, it's not just smoking. We have an ashtray that's full of cigarettes. They're just getting warmed up.
[00:02:55] Matt Lee, Ph.D.: Yeah, thank you, AI teams.
[00:02:57] Matt Lee, Ph.D.: Anyways, I digress. Back to Control 17.
[00:03:00] Matt Lee, Ph.D.: So we are on Control 17. Control 17 is all about incident management, right? It's all about the incident response management.
[00:03:09] Matt Lee, Ph.D.: Yeah.
[00:03:10] Matt Lee, Ph.D.: And it's ironic that we're on this because this is the third Tuesday of the month.
[00:03:15] Matt Lee, Ph.D.: And last week I did an episode on runbooks and the difference between runbooks and playbooks and how they work together.
[00:03:23] Matt Lee, Ph.D.: But the reason we did this episode on runbooks was tied to two MSPs at their MSP Ignite peer group in person. And they got to talking about like what if, you know, Imja RMM were to just like go away.
[00:03:40] Matt Lee, Ph.D.: Sure.
[00:03:41] Matt Lee, Ph.D.: And they're like, oh, well, you know, products tend to go offline. It happens. We've seen it with, you know, NotSoSoft and other vendor products. They go offline and then they come back, right?
[00:03:51] Matt Lee, Ph.D.: And the response was, no, no, no. It went offline and it's never coming back.
[00:03:56] Matt Lee, Ph.D.: Let's talk through that. And it is the concept of vendor lock in and how you respond to that. Do you have redundancy and resiliency?
[00:04:03] Matt Lee, Ph.D.: Sure.
[00:04:03] Matt Lee, Ph.D.: But I think what's interesting about this is we can go back in time to things like what it means to do audit logs. Why audit logs are important. What do you do?
[00:04:11] Matt Lee, Ph.D.: Oh, wait, audit logging could actually be part of a runbook. It could be a runbook in and of itself. It doesn't say, Chris, you need to review the audit logs tomorrow. It could be like there's an auto log review process that happens. It might be automated. It could be handled by a third party.
[00:04:27] Matt Lee, Ph.D.: And I think the challenge here is, is that I think we're at a point now, a tipping point with MSPs recognizing the value of frameworks, the value of the trust mark, and they're starting to go, wait a second, I need to do things like risk management.
[00:04:40] Matt Lee, Ph.D.: I need to do things like business impact analysis. I need to understand what can I live without for how long? And if I know that it's not going to come back, how much time do I have to make a decision to move to something else?
[00:04:55] Matt Lee, Ph.D.: Yeah.
[00:04:55] Matt Lee, Ph.D.: And to what degree will it come online and be capable of enabling me to be successful?
[00:05:01] Matt Lee, Ph.D.: Well, and haven't you really identified how broad the reality of what is an incident actually is? Right now, granted, cybersecurity incident is predominantly the focus of Control 17. If you read the overview, and I'll start with that.
[00:05:17] Matt Lee, Ph.D.: Please do.
[00:05:18] Matt Lee, Ph.D.: Establish a program to develop and maintain an incident response capability, e.g., policies, plans, procedures, defined roles, training, communications, to your point, runbooks, playbooks, things that are in that extensible nature, to prepare, comma space, detect, comma space, and quickly respond to an attack. So we're in the DNR. We're now in that detect and respond world. 13 led us here.
[00:05:43] Matt Lee, Ph.D.: I was just gonna say, we've already been here before, Matt.
[00:05:46] Matt Lee, Ph.D.: Well, we've kind of touched on it here. We got to find that stuff and make sure that stuff's valid. We got to that point in 13.
[00:05:53] Matt Lee, Ph.D.: Right.
[00:05:53] Matt Lee, Ph.D.: We haven't got what the hell to do with it yet. And that's where we are right now. And we've seen touches of this in the MSP land before, right? We've seen touches of this in the sense of the understanding of having a disaster recovery plan.
[00:06:07] Matt Lee, Ph.D.: We've seen it in the understanding of maybe extensibility into a COOP or a continuity of operations plan. We've seen those kind of things that start to, to your point, take a business impact analysis, hopefully, and define how long can I be down and how much data can I be resilient to losing?
[00:06:24] Matt Lee, Ph.D.: Like what is that return restore time objective? What is that restore point objective that I need to know? But sometimes when you think about it, there might be this definition of what happens if it is not ever viable again? Is there a play for me to do something about that? Back to your point of like, if this went away right now, do you already have a printout of all your clients somewhere?
[00:06:43] Matt Lee, Ph.D.: Right.
[00:06:43] Matt Lee, Ph.D.: Do you have some backup in some normalized format that's usable?
[00:06:46] Matt Lee, Ph.D.: And that's largely why I brought this up. I wasn't trying to say like, hey, I want you to go back and listen. I think you should. I think you should listen to all of them because if Matt's on it.
[00:06:54] Matt Lee, Ph.D.: Yeah.
[00:06:55] Matt Lee, Ph.D.: But what I'm, what I'm getting at here is like, because you have a runbook because you have playbooks because you've done control 13, you're not coming into this control and going, Hmm, I don't quite grasp what they're asking of me. All they've done is shift it to say now you have to apply.
[00:07:14] Matt Lee, Ph.D.: Yeah, because in 13, you've defined a couple of things that will help you there. Now we need to apply a process, a process. It doesn't say perfect. It doesn't say you'll be great at this. It just means,
[00:07:24] Matt Lee, Ph.D.: Start with a process. In fact, I'll tell them myself, myself, myself,
[00:07:29] Matt Lee, Ph.D.: And this is not a technical control, Matt. This is a, this is an emphasis on designating personnel. This gets into the, like, not to jump ahead on what safeguards are, but like, go ahead. I want you to tell the story. But like, I think this is really different for those listening of like, we've been talking about technical stuff.
[00:07:50] Matt Lee, Ph.D.: No, it's all process. In fact, I know now process. Yeah, yeah, yeah. Two points. So, okay. So the point of the story was when we were a larger MSP, we were 28 million. We had just gotten punched in the face really, really hard. And we decided, you know what? We're going to pay a company to come in here that does this type of consulting and help us figure out what our incident response plan should be. We paid $45,000 for someone to come in and do that work with us for a period of a weekend with all of our executives and their team to define out and print out.
[00:08:20] Matt Lee, Ph.D.: A few hundred page response, incident response playbook and run book and all of the things, right? Incident response plan. How much, Chris, do you think of that first perfect that we poked at was accurate when we went through incidents?
[00:08:36] I'm going to go with not very.
[00:08:38] It was not very.
[00:08:39] And I don't mean, let me rewind that. That was not an attack on the maturity of a company.
[00:08:44] I think the reality is in watching what's played out and what we saw last week at Channel Con or the week before or whatever week it was, was something really interesting.
[00:08:55] People were having conversations around things that I've not heard them talk about.
[00:08:59] Risk, business impact analysis, how to have playbooks and run books, how to do tabletop exercises.
[00:09:05] And fast forward to this control and it's like, we're now being forced to execute some things that actually take the screws and tighten them even more than this being just a conversation.
[00:09:16] Because now I'm saying, hey, if you haven't already, who are you going to designate to be responsible?
[00:09:21] Yeah, let's get right into it, right?
[00:09:22] I mean, obviously we beat around the bush on this, but the first safeguard is designate personnel.
[00:09:28] That's it.
[00:09:28] Just genuinely like pick the idiot.
[00:09:31] In most cases, I was the idiot.
[00:09:33] Right, Chris?
[00:09:34] I don't know if that was your case.
[00:09:34] Yeah, you didn't step back when everybody else did.
[00:09:37] So thanks for volunteering.
[00:09:38] Slow not backing up.
[00:09:39] That's all it really is.
[00:09:40] Right, right.
[00:09:41] To your point.
[00:09:42] But the point I'm making is like designate personnel to manage incident handling.
[00:09:46] Now it goes into a lot more than that.
[00:09:48] Says at least one key person, one backup.
[00:09:51] All this really is, is a codification of what Sounil Yu has put forth from the very beginning,
[00:09:56] which is things that are right of boom are significantly more people and process oriented.
[00:10:03] And in lieu of process, great people will eat process for lunch every day initially, right?
[00:10:09] That's kind of like a Drucker statement too.
[00:10:12] Okay, fair, fair.
[00:10:13] Yeah, fair.
[00:10:13] But I think we should rewind a second because you said this and you're better at comma space than I am,
[00:10:19] but you missed one.
[00:10:20] I think that's important here.
[00:10:21] It literally says designate one person, one key person.
[00:10:28] Then it says, I don't care how many backups you have, but first part is designate one key person.
[00:10:34] And I bring that up because when we talk about the trust mark, people get off in the weeds like,
[00:10:38] well, I'm the business owner, so I should probably be the...
[00:10:40] And I'm like, no, no, no, that may be true in your company.
[00:10:43] It may be true, but like, no, this isn't about like putting someone in this like leadership authoritarian role.
[00:10:51] This is about saying, I have someone that's keeping this organization accountable to being successful with our incident response plan.
[00:10:59] Yeah.
[00:11:00] And I will talk about this a little bit.
[00:11:02] You know, mine shifted depending on where the incident was coming from.
[00:11:05] We might have different people identified based on different scenario as those owners.
[00:11:09] But as we go forward, we'll chat about that maybe.
[00:11:12] Management personnel are responsible for the coordination and documentation of the incident response.
[00:11:17] So when we're talking about this, we're saying, what are they responsible for?
[00:11:20] This key person.
[00:11:21] I've now assigned CJ is now responsible for our incident response.
[00:11:24] And some other sucker named Matt is responsible as a failover.
[00:11:27] Well, what are they responsible for?
[00:11:29] They're responsible for initially the coordination, documentation of incident response and recovery efforts.
[00:11:35] Meaning like, what did I do and when and how?
[00:11:38] That's what I'm responsible for initially.
[00:11:40] And should I do this or not?
[00:11:42] Hey, CJ, can we reboot this machine?
[00:11:44] It's the one with that ransomware screen up.
[00:11:46] Do you mind if I reboot this real quick so we can get it back?
[00:11:47] Hey, you know what?
[00:11:48] I'm just going to reload it.
[00:11:49] Do you mind if we reload it?
[00:11:50] I think you should just unplug it.
[00:11:51] Jesus.
[00:11:52] That's terrifying, right?
[00:11:53] So the point is, is that we have to have someone coordinating and being responsible for it and documenting what happened.
[00:11:58] So at the very beginning, everybody that I ask out there in the crowd when I ask this, and I've asked it for hundreds and hundreds of people so far, and said, how many of you have an incident response plan?
[00:12:08] Right?
[00:12:08] And nobody raises their hand.
[00:12:10] It can be just as simple initially as saying, our plan is that we're going to let CJ make executive decisions, document, and manage recovery incidents as we go through, recovery efforts as we go through this incident.
[00:12:21] That could be the initial version of it.
[00:12:22] Now it says, and can consist of employees internal to the enterprise, third-party vendors, or a hybrid approach where one has both.
[00:12:32] Right?
[00:12:32] And so if you're using a third-party vendor, designate at least one person internal to the enterprise to oversee?
[00:12:37] So the point is, even still to your point, CJ, you are still not off the hook.
[00:12:41] Even if you have some third-party incident response company, you have to own this as an executive of the company, of management of the company, and or under the auspices of that management authority and governance.
[00:12:52] Right?
[00:12:53] Like to your point of having somebody designate this.
[00:12:55] And I think that's the challenge, right?
[00:12:56] If we look at what we've done up until this point, assuming they've designated things like, I know when it is classified as the B word.
[00:13:06] We're going to get to that later.
[00:13:08] And really, in some ways, that's not for you to ever determine.
[00:13:10] In fact, this is a great talk about this.
[00:13:12] No, but the point is that this is about having an understanding of the work that you've done up until this point to help you make better decisions now that you're here.
[00:13:20] Well, I've been on several calls with MSPs that have been through this that have said to me, no, Matt, we did nothing destructive to the environment.
[00:13:28] And I send them out to an external third-party incident response team that comes back and goes, no, you actually did cause this or did destroy evidence or did blank.
[00:13:36] And so there's just, I would say right now in just 17.1, the biggest gap is having someone that is that note taker that is going to be the executive and manage the incident and document it fully as it starts.
[00:13:48] To your point, as you get more mature, you'll define in later safeguards what's an incident versus an event.
[00:13:53] What is something that goes into that classification of the B word, which does take me to this point of you are not qualified to say the B word.
[00:14:01] Right.
[00:14:01] Right?
[00:14:02] I am not qualified to say the B word.
[00:14:04] You would only be able to say the B word if you have an esquire after your name and are willing to back it up in court.
[00:14:10] That is what this plays out to in my mind.
[00:14:12] I think the other thing that happens here, too, is you say that you've used the phrases of the authority or the, you know, you know, I'm calling the shot.
[00:14:22] And I think this is a perfect control to say if ever there was a set of controls that decided to incorporate humility, it's this one.
[00:14:31] Because this is saying leave the egos and the I'm in charge mentality at the door and saying, no, no, no.
[00:14:40] I don't care how low or high on this totem pole you are.
[00:14:43] When you talk about this control, everybody should be listening because this means that something is happening.
[00:14:49] And then we all better pause and start taking notes.
[00:14:52] Yeah, we absolutely.
[00:14:54] This is a kinetic.
[00:14:56] And that's the point.
[00:14:56] After detection, it means, you know, something's going on.
[00:14:59] There's been something kinetic.
[00:15:00] Right.
[00:15:01] And talk about this.
[00:15:02] What is a threat?
[00:15:03] Well, I like to say a vulnerability is something that you are vulnerable to.
[00:15:08] For example, being a bag of flesh, I am quite ill resilient to bullets.
[00:15:13] I don't do well with bullets.
[00:15:15] When I'm shot with them, I have a real problem.
[00:15:17] I thought you were going to say candy, but that's.
[00:15:19] Maybe candy, too.
[00:15:20] I don't know.
[00:15:21] Some of those.
[00:15:21] I'm actually a fat on steak guy.
[00:15:23] But no, the point is, is that it's not a threat that I'm vulnerable to bullets.
[00:15:29] It's a threat when someone shoots me with a gun.
[00:15:32] Right.
[00:15:32] And so threats are kinetic.
[00:15:34] They're actual actions captured by a threat actor taking advantage of a vulnerability to elicit a malicious outcome.
[00:15:41] And so when you think about what is a threat?
[00:15:42] Well, a threat is now becoming an incident.
[00:15:44] Once I have an incident, I'm trying to determine how far that threat got.
[00:15:48] Was there a threat that was actually kinetic that actually did some damage?
[00:15:51] I'm trying to determine, ultimately, what's the extent?
[00:15:54] Is there a breach?
[00:15:55] What are those things?
[00:15:56] And to your point, that's the B word, right?
[00:15:58] So, okay.
[00:15:59] So back to the point.
[00:16:01] What 17.1 says, have someone that's going to be that executive that represents the will of the company and the interest of shareholders or interest of your individual stakeholders inside the organization.
[00:16:11] And interest of the incident response and legal obligations and regulatory obligations, all of those things.
[00:16:16] All right.
[00:16:17] The next piece in 17.2, which is also an IG1.
[00:16:19] So our IG1s right now are 17.1, 17.2, and 17.3.
[00:16:24] So 17.2 says, have a way.
[00:16:27] Establish and maintain contact information for reporting security incidents.
[00:16:32] Right.
[00:16:32] Which means you should have IC3.
[00:16:34] You should have whatever your insurance companies are.
[00:16:37] You should have those regulatory requirements that you have signed off that you are required to.
[00:16:42] For example, if you are in-
[00:16:43] This is your runbook.
[00:16:44] Yeah.
[00:16:44] This is where we're getting down to.
[00:16:46] This comes down to building that.
[00:16:48] And if you think, I mean, 17.3 is going to be the process for reporting incidents.
[00:16:53] We're now going to have to have this information to do so.
[00:16:56] Right.
[00:16:56] And this is becoming more poignant.
[00:16:57] Think about the FTC safeguards.
[00:17:01] Think about extensibility of SEC reporting and 8-K regulation requirements.
[00:17:06] I think we should talk about that for a second, Matt.
[00:17:09] So I've had firsthand experience with MSPs that have gone through this.
[00:17:12] They've done a tabletop exercise.
[00:17:14] We're going to execute an exercise that says, an incident has occurred.
[00:17:18] We're going to call our insurance.
[00:17:20] This 17.2 says something that's really important at the end.
[00:17:23] It says, verify contacts annually to ensure the information is up to date.
[00:17:28] I would argue that if it's critical infrastructure, I would probably consider checking more frequently than once a year.
[00:17:34] But to the point, if there's-
[00:17:36] Yeah, agreed.
[00:17:37] But to the point of annually, why annually?
[00:17:38] That's when you're going to renew your insurance.
[00:17:40] Make sure you-
[00:17:40] When you change the insurance-
[00:17:42] So you should be checking on contacts, right?
[00:17:44] Like it's-
[00:17:45] Does your Rolodex have that card in there?
[00:17:47] What is interesting not to get pedantic is this is an example of the syntactical delineations between safeguards.
[00:17:54] Like instead of it saying annually, comma space, or more frequently, this is an interesting space where it just says annually, even though there might not be a reason it's not or more frequently when business changes occur.
[00:18:04] So you see it in other safeguards, but not in this one.
[00:18:06] Well, and let's be honest, when you're getting near the end of your framework and you're like, okay, so we need to do that thing.
[00:18:15] And like, yeah, I just wrote that down.
[00:18:16] Cool.
[00:18:17] Let's move on to the next control.
[00:18:18] It was trying to get done that bad.
[00:18:20] That's right.
[00:18:20] That's right.
[00:18:21] No, I agree.
[00:18:22] I don't think that's true, but yeah.
[00:18:24] Anyways.
[00:18:25] All right.
[00:18:25] So establish-
[00:18:26] 17.3.
[00:18:27] And this is talking, and they get really specific.
[00:18:29] They're like, hey, your cyber insurance provider, your internal staff that you might want to call, like, has that changed?
[00:18:35] Do you have the same people in the same places or same roles?
[00:18:38] Third-party vendors, law enforcement, ISAC, if you're part of information sharing and analysis, right?
[00:18:45] Relevant government agencies, if you happen to be under any type of DIB reporting requirements or critical infrastructure reporting requirements like CIRCIA, things like that, and other stakeholders as necessary.
[00:18:54] So just understand that when they're talking about this reporting, try to be ahead of time of what you need to report for.
[00:18:59] And then if you're an MSP or a practitioner, holy for God's sakes, what about how your client's data and who all they have to contact?
[00:19:06] What contractual options do they have?
[00:19:08] Like, ah.
[00:19:09] And I think this gets into, like, the importance of how the policy is written because I think this is an area where you can have frequency of change that's different than a lot of other policies because of all of the other factors that work here.
[00:19:21] And so this would be an area where I would potentially consider highlighting roles and responsibilities in third parties where I'm clear about the agencies that we know we have to communicate with rather than getting into, well, I'm going to call Barney Fife because I know Barney Fife is going to pick up the phone.
[00:19:35] He's going to be dope.
[00:19:36] Yeah.
[00:19:36] He comes up going, whoosh, whoosh, whoosh, whoosh, whoosh, or something.
[00:19:40] And that's how you know that he's listening.
[00:19:41] That's how you know Barney.
[00:19:42] That's like his signature authentication.
[00:19:44] That's a AAA authentication.
[00:19:47] It's very much biometric.
[00:19:48] Whistle now.
[00:19:49] He's like, I lost my front teeth.
[00:19:51] Okay, anyways.
[00:19:52] All right.
[00:19:53] So, right.
[00:19:55] Establish and maintain an enterprise process for reporting incidents.
[00:19:58] That's 17.3.
[00:20:05] Like, how long do you have?
[00:20:06] Well, if you're following SEC, you must meet it in this timeframe.
[00:20:09] If you're following SEC, you have this timeframe.
[00:20:11] If you have insurance, it might have its own timeframe.
[00:20:13] Personnel to report to.
[00:20:15] Like, who am I going to call?
[00:20:16] If I find out, it's not Ghostbusters.
[00:20:18] It might be.
[00:20:19] But if I'm going to find out, hey, I found an incident or something happened and I want to report it, what's that mechanism?
[00:20:24] The mechanism for reporting.
[00:20:26] The minimum information to report that one must report.
[00:20:30] It also says-
[00:20:30] You call my attorney and ask.
[00:20:32] Right?
[00:20:32] Not at the time.
[00:20:34] Ensure the process is publicly available to all of the workforce.
[00:20:37] And what's great is in 18.1, they actually do define workforce, which means all employees, but also potentially third parties that provide services inside your organization.
[00:20:48] For sure.
[00:20:49] It says, review annually, comma space.
[00:20:51] Again, here, now they decided to, like, Bill woke back up.
[00:20:54] Right.
[00:20:54] When significant enterprise changes occur, it can impact the safeguard does rear its head in 17.3, while it didn't in 17.2, which I disagree with.
[00:21:01] But the point being-
[00:21:01] Well, we talk about this a lot.
[00:21:03] We talk a lot about review annually.
[00:21:06] That's how frequently we do it.
[00:21:08] And it's like, yeah, but don't forget when something significant changes.
[00:21:11] Yeah.
[00:21:12] Like maybe hiring or firing Fred.
[00:21:14] Or you switched RMM tools.
[00:21:16] Or you did something major in your organization that is a significant change.
[00:21:19] What's interesting is we are one, two, and three, which is establish somebody who's responsible.
[00:21:25] Chris, it's you.
[00:21:26] Yeah.
[00:21:26] Number two, establish a contact list of who Chris needs to call if we have a problem.
[00:21:32] Number three, establish a way for people to report to Chris when they have a problem.
[00:21:37] Right.
[00:21:37] That's three.
[00:21:37] You have not heard anything about incident response process yet.
[00:21:41] You haven't heard anything else other than assign a general.
[00:21:44] That's it.
[00:21:45] And beyond this, we now move into we're no longer in IG1.
[00:21:48] We are at IG2.
[00:21:50] And IG2 is the beginning with 17.4 of establish and maintain an incident response process.
[00:21:54] Here and only here, in this set of safeguards, do you find the process coming in control four or in safeguard four?
[00:22:02] Let me pause for a second.
[00:22:03] I think this is one of the things that's brilliant about the way CIS has written controls.
[00:22:08] These build on each other.
[00:22:10] Like you can't do four before you do three.
[00:22:14] Sounds like you're preaching almost if one was to listen back to the beginning of this set of series, 18 or so series ago.
[00:22:21] So it's almost like you're preaching the yellow brick road methodology of applying the safeguards, Chris.
[00:22:27] I don't want to call it that guy.
[00:22:28] I'm not going to disagree with that.
[00:22:30] I would argue, though, that it's going to be problematic if you went off into the, you know, what is it, the poppies.
[00:22:37] And you end up falling asleep.
[00:22:38] And when you wake up, you think you can just keep going.
[00:22:40] No problem.
[00:22:41] Ask me how I am.
[00:22:42] That's called Chutes and Ladders.
[00:22:43] Yeah, true story.
[00:22:44] So fair enough.
[00:22:45] Fair enough.
[00:22:45] We'll play it your way.
[00:22:47] All right.
[00:22:47] That was to maintain a process.
[00:22:48] It really goes on to say that addresses roles.
[00:22:51] Comma space responsibilities.
[00:22:53] Comma space compliance requirements.
[00:22:55] Right?
[00:22:56] Comma space and a communication plan.
[00:22:58] So they tell you to review it annually or when you have big changes like different systems, different stakeholders, different functions, different business lines, things of that nature.
[00:23:06] It's actually to the safeguard, though, right?
[00:23:07] Like this isn't saying just because.
[00:23:09] Yeah, true story.
[00:23:10] But as they impact.
[00:23:11] That's right.
[00:23:12] On the incident response process, that could be major systems that are really critical or different BIA changes, things of that nature.
[00:23:18] Right.
[00:23:18] But that said, it really just says to have the ability to deal with whatever compliance or contractual requirements you've got.
[00:23:25] That's what we talked about earlier with that person being assigned to manage that in the contact list.
[00:23:30] So you now have a reason to make a contact list.
[00:23:34] You have a communication plan.
[00:24:02] So to get clarity when we go into 17.5, and I think it's important, we rewind back to 17.2 when it's talking about the contact list.
[00:24:16] Or even the first one where it talks about the personnel, it says have a primary and a secondary.
[00:24:21] And now we're saying, okay, that's not enough.
[00:24:23] Now we're saying delineate roles and responsibilities for this.
[00:24:28] And how they might change.
[00:24:29] I'll give you a great example.
[00:24:31] So in our case, we used to be in orgs of state as a major org, right?
[00:24:36] And then in that would be a parent company.
[00:24:39] So if we had a belief that our company caused an incident, then our CEO was going to be the incident owner or incident commander.
[00:24:48] Our VP of sales was going to be the comms leader.
[00:24:51] Our technology lead and director was going to be myself as director of technology.
[00:24:56] Our operations lead was going to be the incident lead for the actual on-ground incident response.
[00:25:01] That was our team.
[00:25:02] Our, we had that, but if it turned out it was going to be one client that caused it themselves or some other ancillary aspect not caused, you know, believably caused by us.
[00:25:10] And that Occam's razor statement, then we would have that be the general manager was the incident lead.
[00:25:16] And the service manager was the technical lead that owned that.
[00:25:19] And I didn't have near as complex of a construct of somebody representing company interest versus operational interest.
[00:25:24] It was going to be-
[00:25:25] So let's take assumptions out.
[00:25:26] We take assumptions out, I think about 17.5 and 6.
[00:25:29] And it's like, this is the premise around how you navigate a tabletop exercise.
[00:25:35] Yeah.
[00:25:35] These two areas are critical to having a tabletop actually work.
[00:25:41] Well, especially if you're going after, and we're going to get to this, actually.
[00:25:44] We'll just, we'll define it when we get there.
[00:25:46] Let's tap our elbow right before we jump in the ring.
[00:25:48] Okay.
[00:25:48] All right.
[00:25:49] Okay.
[00:25:49] So we got to have the process that covers-
[00:25:51] Thanks, Randy Dog Savage.
[00:25:52] You're welcome, buddy.
[00:25:53] I knew you'd get it.
[00:25:55] Now we have those roles defined in 17.4, which is your incident response process.
[00:26:01] Right.
[00:26:01] But one of the things you'll notice if you're following my visuals is that 17.5 builds on 17.4.
[00:26:06] 17.6 builds on 17.4.
[00:26:08] 17.7 builds on 17.4.
[00:26:11] 17.8 builds on 17.4.
[00:26:12] 17.9 builds on 17.4.
[00:26:13] So all of these things build upon your process and further shape it.
[00:26:16] You see this thematically throughout all of the items, if you haven't noticed all the way playing along.
[00:26:21] I say that to say 17.5 says assign key roles and responsibilities.
[00:26:26] Well, but the plan told me to have roles.
[00:26:28] Well, guess what, bro?
[00:26:29] This helps you define it.
[00:26:31] Yeah.
[00:26:31] It says, including staff from legal.
[00:26:34] Why?
[00:26:34] Because I want legal privilege over the things we're doing.
[00:26:37] If we're going to say a word, we need to have them articulate that yes, it's okay.
[00:26:41] And we want them on the call so they can actually be establishing that legal privilege and protection.
[00:26:46] That's right.
[00:26:46] That's right.
[00:26:46] No question.
[00:26:47] Information security.
[00:26:49] Right?
[00:26:49] We want our IS teams involved.
[00:26:51] Now it could be in-house or outsourced.
[00:26:52] Why would we do that?
[00:26:53] Because we're going to have it on our contact list.
[00:26:55] Right.
[00:26:55] It's going to be those ones we talked about earlier in 17.2.
[00:26:59] All right.
[00:27:00] Facilities.
[00:27:01] Public relations.
[00:27:02] Why might we want facilities?
[00:27:03] Because maybe a certain company named Macebook might have gotten locked out of their facility because their ADFS was under some kind of DDoS, if I remember, and they couldn't badge into the doors.
[00:27:12] Anyways.
[00:27:12] I think this is what I'm going to say to that.
[00:27:15] That's a great example.
[00:27:16] But I've seen it in the K-12 space and elsewhere.
[00:27:19] Don't assume that you can get away with not having all parties present at the table.
[00:27:25] Yeah.
[00:27:25] So facilities.
[00:27:27] Public relations where people are going to speak towards that extensible messaging externally.
[00:27:32] Human resources.
[00:27:33] Like, you know, we talk about this in our incident response plan.
[00:27:35] Maybe there's things where there's an internal threat or insider actor, and you may have to deal with those things as well.
[00:27:41] Incident responders.
[00:27:41] Like, people to actually respond, you know.
[00:27:44] Right.
[00:27:45] Internal.
[00:27:46] Right.
[00:27:47] And analysts, right?
[00:27:47] People are going to do the D for the digital forensics and incident response side of the digital forensics part.
[00:27:53] As applicable.
[00:27:55] Meaning depending on the nature of the incident.
[00:27:56] And that's why if it's not a physical incident in my building, it may not involve the facilities person, right?
[00:28:01] But to your point, you have to be careful of how you decide who's in or who out.
[00:28:05] Sure.
[00:28:06] Review annually or significantly when significant enterprise changes occur.
[00:28:09] So 17.5 says assign roles and responsibilities.
[00:28:12] This is where I had multiple role delineation that would happen based on the incident type, which we need a minute.
[00:28:18] But it does give you the categories of who needs to be there, and it's a great starting point.
[00:28:22] Now, 17.6, another IG2 goes on to say define mechanisms for communicating during an incident response.
[00:28:30] Right?
[00:28:30] Like, how are we going to talk?
[00:28:32] I want to think about a primary and a secondary.
[00:28:34] I want to be able to communicate and report.
[00:28:36] I need phone calls or emails or letters.
[00:28:38] Like, how are we going to use those?
[00:28:39] And I'll tell you ours.
[00:28:40] Our primary, at the time, we were using Teams as our primary phone system.
[00:28:45] So Teams was our primary phone system.
[00:28:47] We were going to use that as both Teams for internal and Teams on the – or the –
[00:28:52] How does that work when you're encrypted?
[00:28:55] PSTN side.
[00:28:56] So we were going to use Teams – use PSTN extensibility.
[00:28:59] Got it.
[00:28:59] Yeah, but the point is, is that we were going to use that.
[00:29:02] The second method was going to be taking Zoom at X number of days, to my brilliant friend CJ's point, and carving off the SSO infrastructure to allow us to have an out-of-band set of communications tied to another domain.
[00:29:16] Yeah.
[00:29:16] That allowed us to bring that out.
[00:29:17] So that was second point that allowed us to give that kind of comms a secondary point.
[00:29:21] But as a tertiary comms method, each major geo happened to have a ham radio operator that worked there.
[00:29:26] And so we defined, already ahead of time, a procedure in which we might enact ham radio.
[00:29:31] Think hurricane.
[00:29:32] Times when something's down, and we just need easy power transmission of something.
[00:29:36] Very easy transmission of data.
[00:29:37] I mean, there's so many examples.
[00:29:38] I think of, like, do you have aerial fiber or burial fiber?
[00:29:41] What does it take to have both?
[00:29:42] Like, so that they're not the same thing coming into the same demarc.
[00:29:46] Different buildings.
[00:29:47] Like, we're thinking about resilient things or different sides of buildings.
[00:29:49] Or as an MSP, this would be a perfect example of I might not use the same technology that we implement for our clients.
[00:29:57] Because what happens if the vendor we use of choice?
[00:30:01] And we didn't.
[00:30:01] Right?
[00:30:02] We didn't put our RMM agents on our endpoints.
[00:30:05] We didn't use an RMM.
[00:30:06] Sure.
[00:30:06] And there's plenty of ways to justify, and I think this is one of the things I've heard many times where my clients are like, well, why aren't you using what you want to put in our environment?
[00:30:13] It's like, hey, we use the exact same thing we put in your environment.
[00:30:17] Just say, like, we're the same as you because we're not.
[00:30:19] But, like, for completely different reasons.
[00:30:21] Yeah, it's different to protect both of us.
[00:30:23] Different accounts or different methods or different whatever it may be.
[00:30:26] For sure.
[00:30:26] But the point is, is that this control basically just says have ways that you're going to communicate.
[00:30:31] But when you think and dig into it, it also could mean a lot of times you don't always want to assume that the communication channel you're on is not compromised.
[00:30:39] Right?
[00:30:43] I would.
[00:30:44] I'd be like, listen, just don't worry about it.
[00:30:46] Can you make everything green?
[00:30:48] Yes.
[00:30:49] But the communication isn't always free of threat actors.
[00:30:53] In fact, there's many examples where threat actors are making fun of incident responders during an incident with their own comms channels going, I don't know how to get in.
[00:31:00] Neither do we, bro.
[00:31:01] We just took a picture of your shot or your screenshot.
[00:31:03] Yeah.
[00:31:04] So the point is, is that you want to be maybe cognizant that as you do mature in this, you have external means of communication.
[00:31:11] Like at ERT, we use Exigence, right?
[00:31:13] Is our methodology.
[00:31:15] Yes.
[00:31:15] It establishes communications paths and ephemeral Zoom meetings that are not tied to an account and things of that nature that allow us to function.
[00:31:23] Anyways, but the point being, easy way to just have a method of communication.
[00:31:26] So we're running out of time a little bit.
[00:31:29] We've got three safeguards left.
[00:31:30] And I think there's a little bit of a tipping point here with regards to Control 17.
[00:31:35] You know, so the statement here is like up until this point, we're communicating that we've got a problem and it's impacting potentially a lot of our organization or even everybody.
[00:31:46] But now we're moving into what does it mean to recover from said incident?
[00:31:51] Well, kind of.
[00:31:52] We're at least setting up a process for how one's going to do that, how we're going to speak.
[00:31:57] And then as we get into 17.7, we're actually saying, go practice, bro.
[00:32:01] Yeah.
[00:32:01] If you've never played Dragon's, go actually let yourself pretend like you're an orc or whatever the hell it may be.
[00:32:08] Tabletop exercise the heck out of this.
[00:32:10] Yeah.
[00:32:11] I may have totally bastardized D&D there, but that's okay.
[00:32:13] A little bit.
[00:32:15] We'll put a disclaimer out there that says, sorry, we weren't trying to say you can't use it.
[00:32:19] Yeah, yeah, yeah.
[00:32:21] Oh, I lost you.
[00:32:26] Can you hear me?
[00:32:30] I had an audio malfunction.
[00:32:31] You did.
[00:32:32] All right, cool.
[00:32:33] But the point is 17.7 says go practice.
[00:32:35] And it doesn't mean you have to be perfect.
[00:32:37] In fact, if you read 17.7, it says conduct incident, routine incident response, exercises and scenarios.
[00:32:42] Like come up with, hey, your server's down, your ScreenConnect instance down, and so is your RMM.
[00:32:47] Let's talk about what we're going to do.
[00:32:48] Why is it?
[00:32:49] Let's investigate.
[00:32:49] What are our next steps?
[00:32:50] How are we going to move forward?
[00:32:56] 17.4, 17.3.
[00:32:59] Follow the sequence.
[00:33:00] Those people follow the sequence.
[00:33:02] Right?
[00:33:02] To prepare for responding to real-world incidents.
[00:33:05] It doesn't mean that those preparations always have to be, I'm going to test to see if Matt knows this next.
[00:33:10] There are people that will argue that.
[00:33:11] It's not an attempt to fail somebody.
[00:33:14] Yeah.
[00:33:14] There is definitely an argument, though, that my point is it's not necessarily just we're going to test exactly what we're going to do in an incident.
[00:33:20] There are other ways that this helps you.
[00:33:21] You could do like what we've done in the game where it's very preparatory and helping people at least think and getting them in a pressure situation.
[00:33:28] You can do things like what Sarah walked people through of actually prepping and walking through a scenario, making decisions on what you're going to do, and using that as a decision-making.
[00:33:36] And what was that game that you played?
[00:33:37] Because I've gotten a lot of feedback about it that was very insightful.
[00:33:40] And the thing that kept coming up is you can play games where you roll dice and you get cards that flip over.
[00:33:47] But when you add the elements like you did of the time is ticking, there's only two minutes, and you have to make a decision, what I took away from that is it's teaching me how to not panic and make knee-jerk reaction decisions under pressure.
[00:34:01] That's the goal.
[00:34:02] Yeah.
[00:34:02] And that's what I mean is there's different things you're teaching.
[00:34:04] Yeah.
[00:34:05] And we did.
[00:34:05] We made two-minute rounds very rapidly.
[00:34:07] I intentionally cut people off.
[00:34:09] I intentionally distracted people.
[00:34:10] Yes.
[00:34:11] And intentionally made them hate me about the way the game mechanics sucked just to make them feel pressure.
[00:34:15] In fact, one of the people that I trust a lot, Alex, said to me, Matt, my ring was going off that I was stressed for two and a half hours.
[00:34:22] I'm like, success.
[00:34:23] Right?
[00:34:24] That was the intention.
[00:34:25] It's funny you say that because I had feedback from some other people along the same lines.
[00:34:28] They're like, I really didn't like it.
[00:34:30] And I'm like, well, why not?
[00:34:30] They're like, well, I felt like I was being rushed to make decisions.
[00:34:33] I go, do you know what happens when there's ransomware on your assets?
[00:34:37] I go, you're going to have to make some decisions.
[00:34:40] I don't know.
[00:34:41] Like, knee-jerk reaction seems like a bad idea.
[00:34:43] And they're like, well, in that case, that was a really cool game to play.
[00:34:47] Yeah, that's the intention.
[00:34:48] And it's kind of a slow play for some people.
[00:34:51] Definitely.
[00:34:51] Definitely well done from what I heard.
[00:34:53] Thank you, man.
[00:34:54] And decision-making and workflows.
[00:34:56] So the intention is to try to do things that help you test that.
[00:34:58] It doesn't mean you have to be perfect.
[00:34:59] In fact, don't let perfect be the enemy of good.
[00:35:01] Because when you can't.
[00:35:02] Okay is often the best thing you can do.
[00:35:04] Yeah.
[00:35:05] Like, come up with a scenario, walk through it, and then go, I don't know.
[00:35:07] Well, damn, we need to learn.
[00:35:07] We didn't know.
[00:35:08] I didn't know how to communicate.
[00:35:09] I didn't know the next communication channel.
[00:35:11] We didn't talk about that ham radio backup.
[00:35:13] We didn't.
[00:35:13] Everybody wasn't aware of those things.
[00:35:15] Like, that's what you're testing.
[00:35:16] Right.
[00:35:16] Next, conduct 17.8 IG2.
[00:35:19] Conduct post-incident reviews.
[00:35:20] Why?
[00:35:21] Because if you're not looking after the incident to see what you sucked at, you're never going
[00:35:23] to get better.
[00:35:24] You know, and Sarah brought this up.
[00:35:26] Damn fox keep eating chickens.
[00:35:27] Well, maybe close off the chicken coop.
[00:35:29] Right.
[00:35:30] Well, and Sarah talked about this a lot.
[00:35:32] And this is something that I think is important to bring up.
[00:35:34] One of the things she talks about is it doesn't – you've got all the people that are
[00:35:36] participating in a tabletop exercise.
[00:35:38] What about your observers?
[00:35:40] And I think this is really important to highlight is that when you're done with an exercise,
[00:35:44] one of the most important things you can do is highlight, like, hey, we observed this.
[00:35:49] We observed the challenges that you were – or the stress that you were under.
[00:35:53] Like, you needed to take a break.
[00:35:55] All those things.
[00:35:56] That's what helps you be successful at this going forward is that you've learned from
[00:36:00] it, even if it was someone observing that's making the notes that says, hey, take away.
[00:36:05] Plug this in.
[00:36:06] And in this case, I think it applies what you're saying of a post-incident tabletop review.
[00:36:12] But in this case, it's also saying do a post-incident review of real incidents.
[00:36:16] Absolutely.
[00:36:17] And what we used to do at Iconic was we would do our incidents recording, and we would record
[00:36:22] them by quarter, and then we would deal with having a meeting at each different site,
[00:36:27] so one each org, to review the incidents that happened over the whole org, the major corporate
[00:36:35] org.
[00:36:36] We would do that once every month.
[00:36:37] We'd go through and review those quarterlies and try to say, for a site, what could we
[00:36:41] have done better?
[00:36:42] What did we miss?
[00:36:43] How could we have detected faster?
[00:36:45] How could we have responded better?
[00:36:46] How could we have recovered better?
[00:36:47] Which allows you to get into, did I protect well enough?
[00:36:50] Did I identify?
[00:36:51] You're looking at the same things, and that's how I would do it.
[00:36:53] Identify, protect, detect, respond, recover.
[00:36:55] Like, what did I not do while identifying?
[00:36:57] Oh, man, I didn't know that was an asset that somebody was running Plex on.
[00:37:00] I didn't do, you know, protecting.
[00:37:02] I didn't patch it.
[00:37:03] I didn't know that was there.
[00:37:04] I didn't, oh, that might be a real incident.
[00:37:06] Have you ever done a maturity assessment against what you just said?
[00:37:09] So using the NIST model, do the maturity assessment, and you find out they're like,
[00:37:12] oh, they're really good at responding to the assets they know about.
[00:37:16] Yeah, exactly.
[00:37:17] Exactly.
[00:37:17] Yeah.
[00:37:18] They're really good at this response of the six out of 1,000 assets that are up on
[00:37:22] the ground.
[00:37:23] Oh, gosh, that's a real problem.
[00:37:24] And you know, what's funny is I see this a lot more with the clients of MSPs, where
[00:37:28] the client grows really, really fast, and they're not keeping up with, you know,
[00:37:32] RMM deployment and MDR deployment, right?
[00:37:35] Oh, 100%.
[00:37:35] Yeah, this is a great example.
[00:37:37] Or they have an AD deployment and everybody was remote, and they didn't know they weren't
[00:37:39] getting those hardware calls.
[00:37:40] They're not checking it anymore since like 1999.
[00:37:43] They're fine.
[00:37:43] They're fine.
[00:37:44] They get the patches.
[00:37:45] All right.
[00:37:45] Last safeguard.
[00:37:46] This is the only IG3.
[00:37:47] This is it.
[00:37:48] After we've gone through and said, what did I not do well?
[00:37:50] What could I have done better, right?
[00:37:52] The effective morbidity and mortality clinics of our response tables.
[00:37:56] We now need to get into what actually sounds like the easiest, but is probably the hardest,
[00:38:01] which is when is it an incident?
[00:38:04] Like, what is that threshold?
[00:38:05] Like, the definition is establish and maintain security incident thresholds.
[00:38:09] And it says, including at a minimum, differencing between incident and event.
[00:38:13] Wait, wait, Matt, what?
[00:38:15] This is the first time you're saying to me event.
[00:38:17] What the hell are you even talking about, bro?
[00:38:20] Yeah.
[00:38:20] Yes, there are things that might just be an event, an abnormal activity, security vulnerability,
[00:38:26] a weakness, a data breach is going to be on a different classification.
[00:38:30] A privacy incident might be a different classification.
[00:38:34] And the safeguard goes on to say review annually or when significant changes occur.
[00:38:37] The point is, is that what this is really saying is just like in 13, in the last safeguard
[00:38:42] in 13, here we find ourselves now establishing a clipping level for when do we mobilize the war
[00:38:47] room and when do we not?
[00:38:49] When is it just something we want to track and document so we have information about this
[00:38:53] and maybe something we can review to go, you know what?
[00:38:56] The reason that vulnerability was there because our patch system didn't work or client didn't
[00:38:59] give us a patching window or blank.
[00:39:02] And this often gets glazed over.
[00:39:04] How many times have we said like, hey, you know what?
[00:39:06] That's those three servers didn't patch on this patch cycle.
[00:39:09] It's fine.
[00:39:10] They'll catch it on the next one.
[00:39:11] Yeah.
[00:39:11] And then you're like, hey, so.
[00:39:13] Or an incident.
[00:39:14] Or you realize there's something corrupt on the system.
[00:39:18] I mean, heaven forbid natural things happen with technology.
[00:39:20] I mean, I'm pretty sure that one something strike company was not a malicious attack on,
[00:39:26] you know, Melta Airlines, right?
[00:39:29] Like there's some things here that people are not.
[00:39:32] We in the MSP space, I think we often glaze over some of the little things because like,
[00:39:37] oh, our tools work great.
[00:39:38] They'll catch this next time.
[00:39:40] And I think to your point, some of these areas of like, no, no, no.
[00:39:43] If every employee has an understanding of how we approach some of this, those are less
[00:39:49] likely to happen going forward.
[00:39:51] But for this, it specifically is talking about, in my opinion, like making sure that we know
[00:39:57] what those levels are where we take a response.
[00:40:00] But if you don't educate the staff on those things, you end up with the, oh yeah,
[00:40:05] it's just a patch problem.
[00:40:06] Oh, how do you know that?
[00:40:06] What was the determining factor that you used on your own?
[00:40:10] Once they have to file an event report and then it becomes part of that incident review.
[00:40:15] And you're like, why do we have this five patches in a way?
[00:40:18] And again, it goes back to knowing yourself well enough to know what is atypical, right?
[00:40:22] That is the point of what is an event.
[00:40:24] You have to teach that, right?
[00:40:25] I don't think employees just know these things because you hired them and they're good
[00:40:30] at, you know, Azure AD deployments.
[00:40:32] Yeah.
[00:40:33] But I will say this is where I will also make a comparison to the DIKW pyramid, right?
[00:40:38] DIKW pyramid is data, information, knowledge, wisdom, wisdom at the top, data at the very
[00:40:43] bottom.
[00:40:43] And to bring people back to that focus, data would be like Matt's heart rate is 98.
[00:40:48] Yeah.
[00:40:48] Information is 98 is fairly hard.
[00:40:51] It's fairly high, right?
[00:40:52] Wisdom says, or knowledge says, if you stay that high, you're going to die.
[00:40:56] Wisdom says Matt needs to get in shape.
[00:40:58] So this heart rate will drop, right?
[00:41:00] Matt just needs to cut out the Monster Energy drinks.
[00:41:02] It might be like in a four hour period.
[00:41:04] I get those coffees, bro.
[00:41:06] But anyways, but the point being is that is the way this works where when you think about
[00:41:11] an event, an incident, an event might be something lower, no impact, less correlation in context
[00:41:18] where an incident is, oh shit, I've got three things happening or kinetic now and I know something's
[00:41:23] actually happened.
[00:41:24] So just the point is that you can use those earlier events to track incidents and show
[00:41:28] that smoke before the fire that should have been caught so that you can back in 17.6,
[00:41:34] look at the incident afterwards and go, man, I should have caught it when it was just an
[00:41:37] event.
[00:41:38] Right, right.
[00:41:39] To your point.
[00:41:40] Well, I think on that, I think we should just kill this episode.
[00:41:43] This is episode 199, which means next week's episode will be the big tipping point for
[00:41:51] the podcast to say we made it four years in.
[00:41:55] Episode 200 will be the last Tuesday of August.
[00:41:59] So for those of you listening, this has been an episode of MSP 1337.
[00:42:03] Thanks and have a great week.

