Each of the items in the title is the title of a show episode dating back to the beginning of 2020. They have made the top 10 playbacks of all time. I sit down with Chad Holstead of the BKS Team to talk through current trends and challenges related to these five.
[00:00:06] [SPEAKER_00]: Welcome to MSP 1337. I'm your host Chris Johnson, a show dedicated to cybersecurity
[00:00:13] [SPEAKER_00]: challenges, solutions, a journey together, not alone.
[00:00:22] [SPEAKER_00]: Welcome everybody to another episode of MSP 1337. I'm joined this week by Chad Holstead
[00:00:29] [SPEAKER_00]: of BKS. Chad, welcome to the show.
[00:00:32] [SPEAKER_00]: Thanks, Chris. Appreciate it. I was your one.
[00:00:35] [SPEAKER_00]: The weekend was long. I noticed a weather change. I don't know about you, but like we went from
[00:00:42] [SPEAKER_00]: like it being scorchingly hot to the morning is if I literally had a sweatshirt on yesterday morning
[00:00:49] [SPEAKER_00]: because it was like 50 degrees instead of 80. Yeah, same here. So we've just rolled through episode 200 last
[00:00:58] [SPEAKER_00]: and I thought it'd be kind of cool to take a minute episode 211 and do kind of a look back
[00:01:06] [SPEAKER_00]: at some of the most popular episodes not so much from the recording itself, but the topic
[00:01:12] [SPEAKER_00]: that was used to potentially the titles themselves are what drove the listeners. Right? So
[00:01:21] [SPEAKER_00]: we'll reserve the highest ranking one to last, but we're kind of I'm going to cherry pick some
[00:01:27] [SPEAKER_00]: that made the top 10, which means they had somewhere between 125 and 150 playbacks or more. So just
[00:01:36] [SPEAKER_00]: I didn't put them in any sequence order, but then the highest grossing one that we'll tackle
[00:01:41] [SPEAKER_00]: last, I suspect by the end of the year we'll have gone well past 200 playbacks. So without further
[00:01:47] [SPEAKER_00]: ado, I'm going to start with this one and I believe I had Sarah Goughman on for this one. It was
[00:01:54] [SPEAKER_00]: too small for a firewall. Okay, so so take that one for just like I think of this through two lenses
[00:02:05] [SPEAKER_00]: and I'd love to get your perspective on it. We use frameworks like CIS Top 18, we see
[00:02:11] [SPEAKER_00]: SOC 2 we see so many other ones they all have some guidance around the necessity around firewall.
[00:02:17] [SPEAKER_00]: But in most cases it's tied to a legacy infrastructure right? So have a firewall in the
[00:02:24] [SPEAKER_00]: walls of your brick building because that's what you should do. The spirit of the control obviously
[00:02:30] [SPEAKER_00]: is to firewall the host firewall, the server, the built-in the blank firewall something add a layer
[00:02:37] [SPEAKER_00]: of protection. And so I can see how someone who has you know two or three employees they all work
[00:02:43] [SPEAKER_00]: from home and they just kind of say I'm too small for a firewall or they have the physical infrastructure
[00:02:49] [SPEAKER_00]: it's still only two or three people. They had the router installed by their service provider,
[00:02:55] [SPEAKER_00]: their internet service provider and so they've kind of said well isn't that enough? So curious
[00:03:00] [SPEAKER_00]: what your perspective is on that because I think this is a good one just in general.
[00:03:08] [SPEAKER_01]: So I will say that even us and we're not a small MSP we have a brick and mortar but we're still
[00:03:21] [SPEAKER_01]: internally a lot. All right because what is the you're right defined for me what I'm
[00:03:30] [SPEAKER_01]: securing that's than the biggest struggle because our data is not here.
[00:03:36] [SPEAKER_00]: Literally our data is not here anymore. Well I think that's kind of loosely defined because
[00:03:42] [SPEAKER_00]: your asset that you use when you're in the office has no data on it.
[00:03:49] [SPEAKER_00]: Shouldn't but I'm with you. Okay okay so that's that's fair so I think that comes back to the
[00:03:54] [SPEAKER_00]: point of it's not so much the asset being protected and I think we did a poor job over the years
[00:04:02] [SPEAKER_00]: of saying like we must protect the asset without really explaining to the client or even to ourselves
[00:04:08] [SPEAKER_00]: what exactly were trying to protect because it wasn't so much the device that itself it was
[00:04:14] [SPEAKER_00]: the contents of the device and I think we had a lot of tools that did a very poor job of identifying
[00:04:22] [SPEAKER_00]: the type of data that might reside on the device for us to make better decisions or even
[00:04:26] [SPEAKER_00]: provide good policy we just didn't do it to say hey that shall not store sensitive data on this
[00:04:33] [SPEAKER_00]: drive or this asset or in this you know on your desktop there was lots of places right
[00:04:39] [SPEAKER_00]: would that be fair like that's where we got ourselves in trouble? I think so too but I also
[00:04:43] [SPEAKER_01]: think that MSPs in general are struggling going from the macro to the micro. So let me take
[00:04:52] [SPEAKER_00]: this on the end point protection versus the container as multiple end points.
[00:04:56] [SPEAKER_01]: For pre-COVID it was you put a firewall in, Cisco Meraki, I don't care, wrap it around your four
[00:05:02] [SPEAKER_01]: walls throw a VPN on it and bing bang boom you're done. Now we have to drive from the macro
[00:05:10] [SPEAKER_01]: look at the building to look at what we're protecting are we protecting the end point are we protecting
[00:05:17] [SPEAKER_01]: the the building the infrastructure of the building are we protecting an access access a
[00:05:22] [SPEAKER_01]: an access list or us we've decided to virtualize our firewall and went with a SASE solution
[00:05:30] [SPEAKER_01]: because we wanted the bigger security that says hey I want it also locked down that you can't get
[00:05:36] [SPEAKER_01]: to my RMM agent unless you're gone side inside my approved network which is now a virtual network
[00:05:42] [SPEAKER_00]: effectively. Is that a song? I'm SASE and I know don't ask me what it stands for I just know
[00:05:49] [SPEAKER_00]: that's what we do. So that's it's really interesting that you say that because I think we could
[00:05:56] [SPEAKER_00]: probably go down a path with regards to firewall that kind of goes what is a firewall anymore so I
[00:06:04] [SPEAKER_00]: think about vendor products like Huntress and CrowdStrike and you know SentinelOne and the
[00:06:10] [SPEAKER_00]: list is really in we could go on all day just listing off vendors that are kind of in this space
[00:06:16] [SPEAKER_00]: you know another one would be like Cisco Umbrella like it is containerizing my traffic to your point
[00:06:23] [SPEAKER_00]: your firewall in the cloud if you will it's containerizing your traffic right so like previously
[00:06:30] [SPEAKER_00]: your exposure was immediately as soon as you hit the internet right and now you're you're
[00:06:36] [SPEAKER_00]: containing that traffic which further out in fact you're probably going so far as to say these things
[00:06:40] [SPEAKER_00]: that are external to my asset or my organization are actually still containerized behind
[00:06:46] [SPEAKER_00]: said firewall we're getting into this elastic world of it doesn't matter where my device has moved
[00:06:51] [SPEAKER_00]: into I'm still firewalling it even if it's not at the end point I'm putting up perimeter
[00:06:58] [SPEAKER_00]: densely relatively big sphere around the asset this is as long as it stays inside this circle
[00:07:03] [SPEAKER_01]: it's being protected by the firewall and that's exactly it and we couldn't get there personally
[00:07:12] [SPEAKER_01]: until we went down to the service and device level sure what service are we trying to protect
[00:07:20] [SPEAKER_01]: Office 365, OneDrive yeah data waterman what service are we trying to protect and how is the
[00:07:27] [SPEAKER_01]: endpoint secure getting to that and you know that you start out with conditional access
[00:07:33] [SPEAKER_01]: okay great how might an approved conditional access when I'm sitting in Colorado one vacation
[00:07:39] [SPEAKER_01]: right can okay so if I'm going to be if I have to use the word VPN I have to have something on
[00:07:47] [SPEAKER_01]: you're going to be painting too right now I have the firewall am I putting a SonicWall
[00:07:54] [SPEAKER_01]: in my building here or am I putting up some type of SASE environment but you bring up a good
[00:07:59] [SPEAKER_00]: point with VPN I was actually going to bring VPN up so so I think everybody knows what of
[00:08:05] [SPEAKER_00]: VPN virtual private tunnel or virtual private network because it's tunneled right you're
[00:08:12] [SPEAKER_00]: calling to it but you know something that came to mind with me when I was thinking about that is
[00:08:17] [SPEAKER_00]: once upon a time we did a lot of VPNing where the goal of the VPN was to get to said destination
[00:08:25] [SPEAKER_00]: securely but only for what was at that destination right so we we definitely did things where
[00:08:31] [SPEAKER_00]: we did split tunneling was very common we didn't want to route all of our traffic through that one tunnel
[00:08:35] [SPEAKER_00]: because it would obviously bog way down and you know no one would be able to get any work done
[00:08:40] [SPEAKER_00]: but I think the world has shifted to where we don't want any split tunneling anymore of
[00:08:46] [SPEAKER_00]: we're encapsulating traffic through a VPN of some kind we want all of that traffic so that we can
[00:08:52] [SPEAKER_00]: you know log it report on it make decisions based on you know why it's doing what it's doing
[00:08:59] [SPEAKER_00]: do you think that we still have a challenge with recognizing you know the use or the necessity
[00:09:06] [SPEAKER_00]: I'll just call it VPN I think there are other ways to solve that model that VPN goal but
[00:09:12] [SPEAKER_00]: are we still seeing challenges with that where people or organizations are just not recognizing
[00:09:16] [SPEAKER_01]: the importance of that. I personally believe that organizations aren't doing a good job
[00:09:25] [SPEAKER_01]: of recognizing their risk of the services that they access so are specifically applications.
[00:09:33] [SPEAKER_01]: Correct the RMM's our biggest tool right by far any MSP out there there are RMM is probably
[00:09:39] [SPEAKER_01]: their biggest risky end of base tool. Sure how are you accessing it and how are you protecting it
[00:09:47] [SPEAKER_01]: and if you're not answering that question how are you proving it I mean in the to your point okay
[00:09:56] [SPEAKER_01]: and my doing split tunneling if I'm doing split tunneling am I really securing my access to the RMM
[00:10:02] [SPEAKER_01]: what is my risk if I have two clients on RMM maybe my risk isn't as big but you know the
[00:10:09] [SPEAKER_00]: BKS manages 3000 endpoints in RMM right so I think so just to clarify here because I think what
[00:10:16] [SPEAKER_00]: this this could actually button this this episode up is that firewall on VPN in the context of an MSP
[00:10:25] [SPEAKER_00]: is looking at what is my overall organizational exposure on my critical apps that are
[00:10:32] [SPEAKER_00]: essentially the whole premise of behind me being able to deliver services to my clients.
[00:10:38] [SPEAKER_01]: Correct and well how am I going to protect it you need to answer that question for yourself as an MSP
[00:10:44] [SPEAKER_00]: and we're not advocating that it has to be done through quote firewall we're just saying that
[00:10:48] [SPEAKER_00]: you should be thinking about whether it's firewall in VPN or combination there in or some other
[00:10:53] [SPEAKER_00]: model that allows you to achieve that obviously there's things like zero trust and you know
[00:10:58] [SPEAKER_00]: geo-fencing and of course there's flaws in some if not all of those but yeah the premise here is
[00:11:03] [SPEAKER_00]: that no one's too small for firewall no one is too small for putting me proper protections in place
[00:11:10] [SPEAKER_00]: so that brings me to the second one that was in the top five and that was I did a fireside chat
[00:11:18] [SPEAKER_00]: obviously we do every third Tuesday of the month as fireside chat with Matt Lee where we explore
[00:11:24] [SPEAKER_00]: CIS Top 18 and CIS control one asset inventory is at the top of that stack and it got me thinking
[00:11:34] [SPEAKER_00]: well we're right back you know I almost could have done it in a different order we could have
[00:11:38] [SPEAKER_00]: talked about asset inventory first but you know this one perhaps is the most difficult
[00:11:47] [SPEAKER_00]: control to as an MSP that engineering mindset I can't move on until I get this 100%
[00:11:54] [SPEAKER_00]: what does that look like for you I know you've gone through CIS Top 18 several times over with me
[00:11:59] [SPEAKER_00]: you're pursuing the Trustmark and I think largely with your engagement with your client
[00:12:06] [SPEAKER_00]: base you've gone through more than one framework at least for your clients
[00:12:10] [SPEAKER_00]: how are you seeing asset inventory as an impact both from a managing it yourself and as well as
[00:12:18] [SPEAKER_01]: the conversation you have with your clients I will say that at BKS we are probably going to be
[00:12:26] [SPEAKER_01]: much more granular about our asset inventory than even our own customers demand
[00:12:35] [SPEAKER_01]: because you know to go back to the conversation about access to RMM I take access to
[00:12:42] [SPEAKER_01]: my customer systems to be my highest level of security so if I'm going to have an RMM
[00:12:52] [SPEAKER_01]: I've got to make sure that every device connecting to that RMM is secure
[00:12:56] [SPEAKER_01]: and in order to do that I mean the in my opinion the
[00:13:03] [SPEAKER_01]: reason for control one is you cannot secure something you don't know you have what
[00:13:11] [SPEAKER_00]: right maybe we should talk about pen testing I mean I feel like that's I don't know how many times
[00:13:15] [SPEAKER_00]: I've done a survey asking the priorities for CIS Top 18 and pen testing comes up as the number one
[00:13:22] [SPEAKER_00]: thing that they want to do and I'm like that seems like I understand the logic
[00:13:28] [SPEAKER_00]: but it's flawed in the sense that the importance of a pen test is only going to be as good as
[00:13:33] [SPEAKER_01]: the assets you include include in the pen test. Correct but to get back to like the control one
[00:13:43] [SPEAKER_01]: I see so many MSP struggle with it because they take kind of go back against what
[00:13:50] [SPEAKER_01]: they get so far into the weeds what about my voice over IP phone what do I do because
[00:13:56] [SPEAKER_01]: you take you can answer you can probably sit there and by the time you're done with control one
[00:14:01] [SPEAKER_01]: have touched something in all 18 BYOD pen testing right vulnerability scanning okay great you
[00:14:08] [SPEAKER_01]: now got some type of system as monitoring for new devices that also could be doing vulnerability
[00:14:13] [SPEAKER_01]: management however you're doing for BYOD you've touched a lot of things by just doing control one
[00:14:20] [SPEAKER_01]: but to get back to even the firewall conversation take your come devices that you want to be allowed
[00:14:28] [SPEAKER_01]: access to things and then put them in a network that you control manager, mount monitor and manage
[00:14:36] [SPEAKER_01]: yep you know we made a conscious effort here that we don't want to really monitor and maintain
[00:14:43] [SPEAKER_01]: our VoIP phones right we'll get to our freedom so we throw them in a secure VLAN
[00:14:49] [SPEAKER_00]: they're out there they're all right yeah if they're compromised outside of someone's voice
[00:14:54] [SPEAKER_00]: me on getting hacked much and theory doesn't have any messages in it so let me ask you a
[00:15:00] [SPEAKER_00]: question because I think I think this is an interesting one with regards to you know the
[00:15:05] [SPEAKER_00]: know your assets and how exhaustive that needs to be because we see a lot of MSPs you know I've
[00:15:10] [SPEAKER_00]: had this conversation before where they just get hung up on well I'm at 65% or 75% you know when to move on
[00:15:17] [SPEAKER_00]: I had this thought you know I've been doing this risk management workshop for the Trustmark
[00:15:22] [SPEAKER_00]: and one of the things that it has you do is it takes your asset inventory and says okay
[00:15:28] [SPEAKER_00]: you know what your assets are where are you storing extensive data is it on all of those assets
[00:15:34] [SPEAKER_00]: is it on some of those assets is it on other those assets because if it is somewhere in the
[00:15:40] [SPEAKER_00]: middle which is the reality then it's not necessarily about making sure that you've got all of
[00:15:45] [SPEAKER_00]: assets dialed in and you're in your inventory sheet but really it's about the inventory of those
[00:15:51] [SPEAKER_00]: assets containing sensitive data well through all of the things we've talked about in CIS
[00:15:57] [SPEAKER_00]: Top 18 and others you can mitigate just like you described with the phones I can reduce the
[00:16:03] [SPEAKER_00]: probability that there's an asset storing sensitive data therefore the criticality of me including
[00:16:08] [SPEAKER_00]: that in my brewed asset list starts to go down very quickly and now my asset inventory is approaching
[00:16:17] [SPEAKER_00]: a hundred percent of where sensitive data stored as opposed to I think that device is ours
[00:16:23] [SPEAKER_01]: and I'm pretty sure I know what's on it. I will agree with you a hundred percent if we weren't an MSP
[00:16:32] [SPEAKER_01]: because as an MSP it's not just where we store data it's what sensitive systems do we have access to
[00:16:41] [SPEAKER_00]: because you mean you're asset having access to sensitive data on another essentially being a jumpbox
[00:16:47] [SPEAKER_01]: to sensitive data and our sensitive systems right you know my my box gets corrupted and can jump
[00:16:54] [SPEAKER_01]: over through RMM to another client right I know I'm playing worst case because we've got two
[00:17:02] [SPEAKER_01]: effect we got all kinds of other controls in place right but you cannot can yes where the sensitive
[00:17:09] [SPEAKER_01]: data's at hundred percent but also where it what can or can't access right so so taking it
[00:17:18] [SPEAKER_00]: to step further is to say an asset whether it stores processes or has access to is the premise of
[00:17:25] [SPEAKER_00]: control one but to your point this gets into where I so so the the point I was trying to make is
[00:17:32] [SPEAKER_00]: to say like no one's gonna have a perfect inventory and I think if you focus on the sensitive data
[00:17:39] [SPEAKER_00]: component rather than this is an asset that can store data have access to data or process data
[00:17:44] [SPEAKER_00]: well now you're getting into let's let's solve that as part of this in goal but not wait until I
[00:17:52] [SPEAKER_00]: have a hundred percent to keep moving through this exercise no you are I do agree with that hundred
[00:17:58] [SPEAKER_01]: percent I mean at some point you gotta go okay I have 12 employees I got 12 devices okay
[00:18:04] [SPEAKER_01]: those numbers match up yeah fine right kind of thing all right so moving on to the next one
[00:18:13] [SPEAKER_00]: this one's kind of fun this one isn't laughable but it's somewhat laughable password manager or
[00:18:18] [SPEAKER_00]: nothing I'll throw this out there because I just saw this in a recent framework release SMB1001 for
[00:18:28] [SPEAKER_00]: the Australia small-to-medium business space I want to say it's in the first 10 safe guards
[00:18:35] [SPEAKER_00]: it has one that says have a password manager and then the more advanced or higher or the more
[00:18:44] [SPEAKER_00]: heavy lift or that your IG2 if you will was to have it centrally managed so not just have a password
[00:18:50] [SPEAKER_00]: manager make sure that it's centrally managed so at least Australia thinks that it's important
[00:18:58] [SPEAKER_00]: to have a password manager what are your thoughts and where does one go from password manager to
[00:19:04] [SPEAKER_00]: nothing how can there be nothing from like can you remember all of your passwords?
[00:19:10] [SPEAKER_01]: still is so cringe because I'll ask my wife on something and she's like oh you know that password
[00:19:17] [SPEAKER_01]: I'm like babe you know what I do for a living right can you put a password manager in place please
[00:19:22] [SPEAKER_01]: because I've I've already believed in it I even forget my password manager password once in a while
[00:19:28] [SPEAKER_00]: yep fair that's where SSO comes into play right like so instead of having a password manager
[00:19:34] [SPEAKER_00]: password and your SSO password you just have one you have to worry about so I'm a big believer in
[00:19:42] [SPEAKER_01]: password managers I know that a lot of my team isn't mostly because there were big fans of SSO
[00:19:57] [SPEAKER_01]: passkeys and you know passwordless and I think that's where we're going eventually
[00:20:00] [SPEAKER_00]: and that's not to say that you're not managing passwords you're using a tool this is not you
[00:20:05] [SPEAKER_00]: don't have a passphrase or a pass key sorry not passphrase you don't have a pass key in your
[00:20:11] [SPEAKER_00]: right like there's some sort of token app or otherwise it's allowing you to authenticate
[00:20:17] [SPEAKER_01]: without using your traditional credentials what we're struggling heavily the width is
[00:20:23] [SPEAKER_01]: both internally and even at our customer level is the BYOD portion of passwords
[00:20:30] [SPEAKER_01]: so with 2FA you need to have some type of authenticator on your laptop on your device right
[00:20:36] [SPEAKER_01]: so oh a BYOD app for password yes so you still have like I use Keeper right so I still need to
[00:20:45] [SPEAKER_01]: use Keeper for 2FA you know even on my mobile device if we're gonna go with passkeys or
[00:20:52] [SPEAKER_01]: passwordless or SSO we still need to use mobile devices and employees are like no no no no no no
[00:20:58] [SPEAKER_01]: my device you can't put more stuff on my device unless you're gonna pay for my bill and I tell my
[00:21:05] [SPEAKER_01]: boy I at because said yes I will pay your bill or I'll get you a second phone you choose
[00:21:13] [SPEAKER_01]: yeah the but we're getting a lot of pushback on having to put applications on people's mobile
[00:21:21] [SPEAKER_01]: devices to help manage in monitoring passwords into a way so you have to ask this question how many
[00:21:28] [SPEAKER_00]: of those same employees say no to putting their work mail on their phone so that's actually
[00:21:35] [SPEAKER_01]: where this all started as part of our job description of requirement is that you must have access
[00:21:40] [SPEAKER_01]: to teams in email I know we're we could be a little bubble over the top on this but
[00:21:47] [SPEAKER_01]: you have to access email and teams when you're not in the office okay that's a requirement
[00:21:52] [SPEAKER_01]: we're a 24-7 shop now we're getting to the point where if you want access to Teams and email
[00:21:59] [SPEAKER_01]: we need your device to have Intune and you need to have all of these password management solutions
[00:22:05] [SPEAKER_01]: in there too the Intune one is what all of a sudden flipped the trigger because now we're monitoring
[00:22:11] [SPEAKER_00]: right well surprise if they put outlook on their phone you can they authenticate it's already doing
[00:22:18] [SPEAKER_00]: that which is kind of ironic that now you add the next layer and now they get squeamish about
[00:22:24] [SPEAKER_01]: some of you already said yes to but the the we're getting a lot of pushback across the board
[00:22:30] [SPEAKER_01]: from both internally and even customers I don't want anything on my personal phone
[00:22:35] [SPEAKER_01]: and one of our customers had fun then we are completely putting they went out of
[00:22:42] [SPEAKER_01]: the wrong with a full VPN solution they they're buying you they bought 180 new phones for
[00:22:47] [SPEAKER_01]: their employees and gave everybody a phone said you know what here you go I would love to have been
[00:22:53] [SPEAKER_01]: responsible for that commission check yeah okay but at the end of the day
[00:23:01] [SPEAKER_01]: I'm a firm believer in password managers the implementation of them takes a little time
[00:23:07] [SPEAKER_00]: well and I think that's you know that's what I liked about the SMB1001 is it articulates
[00:23:13] [SPEAKER_00]: that you're probably not going to do this well without engaging an MSP or some sort of IT
[00:23:20] [SPEAKER_00]: person that has some understanding and how to implement things like SSO and you know obviously
[00:23:26] [SPEAKER_00]: this sort of gets into dictating whether or not you're using the consumer grade password manager
[00:23:32] [SPEAKER_00]: versus one that supports more of a centralized management the ability to watch for things like
[00:23:37] [SPEAKER_00]: no you've got repeat passwords you're still so the you know the point of password manager isn't
[00:23:41] [SPEAKER_00]: that you have all of your sites in there with the same password it's a two four and I saw
[00:23:49] [SPEAKER_00]: a vendor product the other day they're still in beta but they do auto password rotation
[00:23:55] [SPEAKER_00]: you can set the cadence for how often it rotates passwords with the sites that it's been connected
[00:24:02] [SPEAKER_00]: so that's a big change right from what we get today which is click on the link go to the site
[00:24:07] [SPEAKER_00]: log-in change the password this is an automated changes the password you don't have to worry about it anymore
[00:24:13] [SPEAKER_00]: so I think that evolution is one of the areas where password managers are still largely lacking
[00:24:18] [SPEAKER_00]: but yeah I agree I don't think even browsers that have the capability to manage passwords have
[00:24:24] [SPEAKER_00]: come a long way from you know when the browser is opened assuming you just opened it you can
[00:24:30] [SPEAKER_00]: actually set some rules and there says the access to those passwords is also encrypted versus
[00:24:37] [SPEAKER_00]: it's just a plain text file that's been properly structured to make it easy to find in the password
[00:24:43] [SPEAKER_00]: so all right password managers cross that bridge all right this one's close to the top of the list
[00:24:51] [SPEAKER_00]: this one was business continuity and disaster recovery so obviously we'd get at in things like
[00:24:56] [SPEAKER_00]: no we talked about on that episode instead of response and and since that episode which I think it was
[00:25:02] [SPEAKER_00]: recorded all the way back in 2021 so it's been out for a while one of the things that we've started
[00:25:09] [SPEAKER_00]: talking about since then which you know three years is business disruption planning and you know what
[00:25:15] [SPEAKER_00]: happens if we saw this with CrowdStrike what happens if I now have to go sit in front of every
[00:25:22] [SPEAKER_00]: endpoint under management what does that do to my organization and how do you plan for that
[00:25:27] [SPEAKER_00]: going forward you know we talked about work from home and remote employees like this just
[00:25:33] [SPEAKER_00]: amplifies that right if you had to go sit in front of the blue screen and not at every office
[00:25:39] [SPEAKER_00]: with say 35 work stations that you can wander around and get well you know done and say the
[00:25:44] [SPEAKER_00]: course of a day this is going to every single employees location to get access to the asset to do that
[00:25:51] [SPEAKER_00]: you know recent so I just curious what your the thoughts are I know you've gone through this quite
[00:25:56] [SPEAKER_00]: extensively I can see why this one's so high on the ranking you know business continuity is a
[00:26:02] [SPEAKER_00]: tough one and we often lose sight that disaster recovery of incident response don't work very
[00:26:08] [SPEAKER_00]: well if you haven't planned for business disruption and business continuity. I agree with that but
[00:26:15] [SPEAKER_01]: I will also say that I think people overthink this one absolutely like for a great example here
[00:26:25] [SPEAKER_01]: we don't have a server in our office okay all of our data is either in SharePoint or
[00:26:33] [SPEAKER_01]: in IT effectively few more other places but not sure of it and at the end of the day
[00:26:43] [SPEAKER_01]: we've planned for and we've tested our SharePoint backups
[00:26:47] [SPEAKER_01]: and our other systems backups to make sure that we can restore from them. Our biggest worry on a disaster in our scenario is
[00:27:00] [SPEAKER_01]: is usually going to be environmental. Internet's out. Power is a storm that kind of stuff
[00:27:07] [SPEAKER_01]: our our initial disaster recovery is everybody has to leave with your laptop every night.
[00:27:14] [SPEAKER_01]: If I have a storm you can work from home kind of thing right?
[00:27:18] [SPEAKER_00]: No and I think that's really interesting that you say that because
[00:27:23] [SPEAKER_00]: infrastructure is going to go down it might not be your infrastructure but someone's infrastructure is
[00:27:27] [SPEAKER_00]: going to go down we've seen this with regional outages with Microsoft we've seen it with data centers
[00:27:31] [SPEAKER_00]: getting hit by natural disaster I actually was part of one going way back where the data center we were in
[00:27:40] [SPEAKER_00]: the redundancy was okay but what we ran into is they couldn't get the fuel trucks to load the
[00:27:46] [SPEAKER_00]: generators and eventually the generators went down so even though we had all the redundancies we
[00:27:52] [SPEAKER_00]: needed no one had ever planned for well what if they can't get down the highway because it's missing
[00:27:59] [SPEAKER_00]: so yeah and then I think you know you got to be careful with planning for every scenario too
[00:28:04] [SPEAKER_00]: right so if you have a scenario there should be like that fill in the blank scenario but largely
[00:28:10] [SPEAKER_00]: your processes are going to be very similar if not the same first check see if all of our employees
[00:28:16] [SPEAKER_00]: are okay you know second you know fill in the blank as you go however I think when we get to things like
[00:28:24] [SPEAKER_00]: the incident response side of this we immediately go down a terrible rabbit hole where we
[00:28:32] [SPEAKER_00]: start talking about the worst case scenario rather than a how do we minimize this what's the
[00:28:38] [SPEAKER_00]: responsibility matrix look like or we get carried away with like that employees gone too it's like
[00:28:44] [SPEAKER_00]: well let's work through one scenario at a time before we get to you know all of C sweet's gone
[00:28:50] [SPEAKER_00]: and we're just left with department head or whatever it is right like I think we we've turned
[00:28:56] [SPEAKER_00]: we've turned disaster recovery are sorry incident response tabletop exercises in the like
[00:29:02] [SPEAKER_00]: the most hardcore D&D game where we just added a third die into the equation because we want to
[00:29:09] [SPEAKER_00]: make some complexities with regards to who can do spells and how much points it takes off that are
[00:29:14] [SPEAKER_00]: not real not real world probable scenarios to ever take place no and I think an MSP should
[00:29:22] [SPEAKER_01]: be looking at once again I mean this all of these conversations go right back to have you looked at
[00:29:29] [SPEAKER_01]: your risks where is the biggest risk well okay so for BKS all of our data is in SharePoint
[00:29:37] [SPEAKER_01]: yeah God forbid somehow our SharePoint data gets ransomed yep all right
[00:29:44] [SPEAKER_01]: now we kick in our incident response plan right and we start following through the checklist
[00:29:51] [SPEAKER_01]: and the first checklist pieces get the locks right then you go I don't know I know my guys
[00:29:58] [SPEAKER_01]: table top to cross-track here they have to do a pretty good job of table topping the cross-track
[00:30:03] [SPEAKER_01]: and what would happen from the first pieces is communication for that one yeah right it's that
[00:30:11] [SPEAKER_01]: aware of it you're moving forward um you can't plan for every scenario but you can throw a couple
[00:30:19] [SPEAKER_01]: plans out there so that your team knows how to respond to them and well that's it this is just
[00:30:25] [SPEAKER_00]: a great way to say if your team knows how to respond then the fear factor goes away right now
[00:30:32] [SPEAKER_00]: we know what to do we're not knee-jerk panic attack making decisions that are counter-intuitive
[00:30:39] [SPEAKER_01]: destructive to anything that's going to come next I think the bigger piece of this and this is my own
[00:30:44] [SPEAKER_01]: personal feeling too and I have this it's the anxiety of something happening sure you know
[00:30:52] [SPEAKER_01]: is it my fault did we let this in did we do our job are the customers going to be pissed at us
[00:30:59] [SPEAKER_01]: our reference mad at us right but that's an anxiety that every human is going to feel um
[00:31:05] [SPEAKER_00]: have you concerned if you didn't have that feeling right so your clients should be having those
[00:31:11] [SPEAKER_00]: feelings too not because you are going to fail them or their employees you're going to fail them but just
[00:31:15] [SPEAKER_00]: the reality of the fact that every element to this equation involves people correct but the bigger
[00:31:22] [SPEAKER_01]: that we the more we work with our own team the more we have conversations with clients the more you
[00:31:28] [SPEAKER_01]: build up relationships when something is hitting the fan people are working to resolve it I had
[00:31:36] [SPEAKER_01]: a friend of mine who was actually kind of interesting we had a client that was having a lot of
[00:31:42] [SPEAKER_01]: problems with servers and it was presenting as a some type of attack we just could not figure it out
[00:31:52] [SPEAKER_01]: and we just happen to have a friend of mine that is a pretty intelligent person as far as
[00:31:58] [SPEAKER_01]: it comes to cybersecurity and IT infrastructure and he was in our office working on a project with
[00:32:03] [SPEAKER_01]: us and he lifted me goes to him this is a problem until it's not right because it's not a data breach
[00:32:10] [SPEAKER_01]: it's not an incident it's a it's a technical problem until it's not kind of thing right this
[00:32:17] [SPEAKER_00]: is getting into like to say the B word is out of line with if you don't understand what's causing
[00:32:24] [SPEAKER_00]: the problem that means you've got to do some work until you tell you solve that like what's the
[00:32:29] [SPEAKER_01]: source of what's the root of the problem it was kind of funny because he basically told me because
[00:32:33] [SPEAKER_01]: I was causing anxiety because this was a big customer at the time he's like just go sit in your office
[00:32:39] [SPEAKER_01]: he goes I don't care if you're playing your phone I'll help you guys out here just go sit in your office
[00:32:42] [SPEAKER_00]: you're causing more problems right did you figure not to figure it out yeah I think that's where
[00:32:51] [SPEAKER_01]: when at the end of the day the more practice that we do the more education we make around
[00:32:55] [SPEAKER_01]: checklist and in response the better off we're all going to be kind of thing it's like no one
[00:33:00] [SPEAKER_00]: becomes a detective just because they asked for a badge right like there was a lot of work that went
[00:33:06] [SPEAKER_00]: into the learning how to the psychology of what does it mean to try and figure out and solve
[00:33:13] [SPEAKER_00]: problems that you don't just get me good detectives and bad detectives both exist you know hopefully
[00:33:18] [SPEAKER_00]: whoever's on your case is a good detective and I think the goal with any of your engineers is that
[00:33:23] [SPEAKER_00]: they're essentially becoming good detectives or at least know where their limitations with their skill
[00:33:28] [SPEAKER_00]: set is to bring in someone who is more detective than they are rather than like you said
[00:33:34] [SPEAKER_00]: allow the anxiety to creep in and go well I didn't find it my first Google search so that means
[00:33:39] [SPEAKER_00]: that the solution must be broader than it's a technical problem and now must involve in
[00:33:44] [SPEAKER_00]: now they're spiraling right yeah BCDR incident response business continuity business disruption all
[00:33:52] [SPEAKER_00]: important obviously at twice was in the top five last one and I think people probably listening
[00:33:59] [SPEAKER_00]: would be able to figure this one out zero trust that was the highest grossing will likely hit
[00:34:05] [SPEAKER_00]: 200 plus in between now and the end of the year and probably because we're talking about it right
[00:34:10] [SPEAKER_00]: now be able to go searching for zero trust because they might not have listened to it that one has been
[00:34:15] [SPEAKER_00]: out for actually it's been out quite a while it was actually done in the first year so this was
[00:34:22] [SPEAKER_00]: done in July of 2021 and it's still getting playback which means that there's something to that title
[00:34:27] [SPEAKER_00]: so zero trust where you at with zero trust within BCDRs so good not great that's a good starting
[00:34:38] [SPEAKER_01]: boy okay is better than none we are I think we're doing pretty good zero trust on our network
[00:34:44] [SPEAKER_01]: because of a SASE solution that we've implemented we do not have the a true zero trust
[00:34:53] [SPEAKER_01]: a PAM solution in place but we got one that is better than having none yeah as far as data
[00:35:04] [SPEAKER_01]: access goes that's where we're starting to we don't have a good enough one too much of our data
[00:35:12] [SPEAKER_01]: is wide open and that being said it's mostly rated as non confidential data anyways
[00:35:22] [SPEAKER_00]: but too much of it is wide open so this comes up a lot PAM solutions you know and I know a lot
[00:35:29] [SPEAKER_00]: of MSPs that have implemented one of the handful that we talked about on regular basis
[00:35:33] [SPEAKER_00]: and I think what's interesting is that in many cases even though the zero trust has been
[00:35:38] [SPEAKER_00]: implemented anytime someone asks for the just in time access to install or they've got an
[00:35:44] [SPEAKER_00]: application that they're not quite sure why it's in the environment but they haven't removed it
[00:35:50] [SPEAKER_00]: is that like oh well I needed that for this if it even gets questioned right like so
[00:35:55] [SPEAKER_00]: oh my guys they they only so the just in time is yes approved yes approved yes approved
[00:36:01] [SPEAKER_00]: that's what we're getting back yeah yep you know there are some solutions out there and we
[00:36:08] [SPEAKER_00]: seen this from like PC Matic and ThreatLocker and some of the others is like when you put it
[00:36:13] [SPEAKER_00]: listen only mode and look at what's being used and then narrowed down from there I think you can get
[00:36:19] [SPEAKER_00]: to a true zero trust a whole lot quicker it also identifies the things that you probably have
[00:36:24] [SPEAKER_00]: needed for a long time to remove from the equation and just haven't done it yet and I think
[00:36:29] [SPEAKER_00]: it also puts into motion the opportunity for employees to actually articulate the value of the
[00:36:36] [SPEAKER_00]: things that they're using that other employees don't know about you know I love it when someone says
[00:36:41] [SPEAKER_00]: you know we don't I don't use that remote management or that remote access tool going back to the
[00:36:48] [SPEAKER_00]: the ScreenConnect debacle of like yeah we don't use that and then it's like you scan the
[00:36:53] [SPEAKER_00]: environment it's like hey we only found it on 35 of 75 machines so yeah not bad not bad at all
[00:36:59] [SPEAKER_00]: but that's part of what we deal with all the time and I think that's one of the areas that we're
[00:37:03] [SPEAKER_00]: good at ignoring or or I don't say ignore is probably not the right word but we post
[00:37:10] [SPEAKER_00]: post procrastinate addressing because we don't want to set somebody because they do use it or
[00:37:16] [SPEAKER_00]: they should be using one they're using the other and no one's ever had a conversation as to why
[00:37:20] [SPEAKER_00]: one is of value it needs to be used and not the other I don't know maybe that's no you're
[00:37:26] [SPEAKER_01]: you're exactly right and I think it also boils down to once again asset management yeah so
[00:37:33] [SPEAKER_01]: neutral too yep one of my guys had a request for some virtualization software that he wanted to run
[00:37:42] [SPEAKER_01]: on his laptop right so we approved it without he talked exactly I'm scared you guys it got
[00:37:50] [SPEAKER_01]: approved yeah but more to the point is we never circle back to him and go okay are you done with it
[00:37:59] [SPEAKER_01]: can we remove it right why is it still there do we still trust it do we still trust you
[00:38:08] [SPEAKER_01]: and we don't do a good job because once we approve it it automatically gets added to the
[00:38:13] [SPEAKER_01]: white list and now we just assume it's good we need to go back through that white list
[00:38:17] [SPEAKER_01]: on a regular basis and make sure something didn't get put on that white list that shouldn't be there
[00:38:24] [SPEAKER_01]: right and that's the biggest thing about all this process is you're never done no it's always
[00:38:34] [SPEAKER_00]: constantly improving right yeah I think I think zero trust is is a term that is interpreted
[00:38:42] [SPEAKER_00]: differently by a lot of different organizations but I think the reality the reality is you have to
[00:38:49] [SPEAKER_00]: know what you have to know what you need and once you figure those two things out then I think it's
[00:38:56] [SPEAKER_00]: about how do you reduce your threat surface and that is narrowing like I don't need
[00:39:01] [SPEAKER_00]: four apps that do the same thing I might need two I might need a secondary so in the event
[00:39:07] [SPEAKER_00]: that's something fails I have another path to get there but even that might be a risk not worth
[00:39:14] [SPEAKER_00]: taking like hey if this connect tool allows me to remotely manage that device goes down
[00:39:20] [SPEAKER_00]: maybe that's something we just accept because the reality is of having that secondary tool
[00:39:24] [SPEAKER_00]: is too risky for the organization or I mean yep I mean two different remote moderates software
[00:39:33] [SPEAKER_00]: yeah it was a lot of times the first one will break or they don't see the same things for the
[00:39:40] [SPEAKER_00]: same you know perspective is everything with a lot of these tools right they were built by
[00:39:44] [SPEAKER_00]: different teams if they were built by the same teams that had the same checklist for what
[00:39:47] [SPEAKER_00]: did it go into the tool then we would all use the same one right we're very likely we would
[00:39:51] [SPEAKER_00]: all use close to the same one so with that said we've gone through the five so firewall
[00:40:01] [SPEAKER_00]: we talked about asset inventory we started digging into software safe our software asset inventory
[00:40:05] [SPEAKER_00]: which I think we probably talked about a lot on that call or on that episode anyways we did
[00:40:11] [SPEAKER_00]: password management and the change that we're seeing in the in the space right if we were to do
[00:40:16] [SPEAKER_00]: hyper hygiene we'd probably highlight things like make sure you do SSO and 2FA have a password
[00:40:21] [SPEAKER_00]: manager and and well actually that would be pretty substantially three big things that someone
[00:40:26] [SPEAKER_00]: could do in the organization to reduce the threat surface then we talked about BCDR obviously this
[00:40:33] [SPEAKER_00]: is a one that you brought up a good point of it's over analyzed we tried too hard to do a perfect
[00:40:39] [SPEAKER_00]: scenario and we never actually get a plan in place because we're still working on you know what
[00:40:45] [SPEAKER_00]: to do if Chad's not there and then the final the big one zero trust I think there's a commonality
[00:40:52] [SPEAKER_00]: across all of five of these and I think at the end of the day it all comes down to that
[00:40:58] [SPEAKER_00]: monitoring and in communication that has to happen both internally with your staff and
[00:41:04] [SPEAKER_00]: client facing for any of these to actually truly get enforced. Any last things to share
[00:41:11] [SPEAKER_00]: with the audience as we tackled only five of the many popular episodes my biggest thing is
[00:41:19] [SPEAKER_00]: don't go overwhelmed just get started there you go one step forward is still good progress right
[00:41:26] [SPEAKER_00]: correct all right well for those of you listening this has been an episode of MSP 1337 thanks and have a great week