Host James Kernan sits down with Jason Miller, founder and CEO of BitLyft Cybersecurity, for an exclusive interview.
As the founder, Jason has dedicated his 20-year IT career, including co-founding SaaS pioneer Reviora, to removing cybersecurity barriers for mid-sized enterprises. Establishing BitLyft in 2016, Jason set out to unburden security teams with innovative, approachable, and affordable solutions, a vision which has made BitLyft a respected managed detection and response provider.
Established in 2016, BitLyft is a leading managed security service provider, dedicated to delivering high-touch, personalized cybersecurity solutions to mid-sized organizations. Our prioritization of service and security excellence creates a holistic defense approach that allows our clients to navigate the digital world with unwavering confidence. With BitLyft by your side, cybersecurity challenges evolve into robust protection, ensuring resilience in the ever-changing digital landscape.
Check them out: https://www.bitlyft.com
[00:00:00] Welcome to the SMB Community Podcast with hosts Amy Babinchak, James Kernan and Karl Palachuk. Produced by Kernan Consulting and for the international SMB community. We are dedicated to making every IT professional a successful IT professional. Hey everybody, welcome back to the SMB Community Podcast.
[00:00:27] Yes, this is James Kernan with Kernan Consulting and I am here with an industry veteran, security guru Mr. Jason Miller, the founder and CEO of BitLyft Security. Hey Jason, welcome to the program. Hey, thanks a lot James. Always good to join you on the program.
[00:00:46] Yeah, you got it. You got it. Good to see you again. I've known Jason for a few years now and really excited to get him back on to talk a little bit more about BitLyft and how you guys have really grown as an organization
[00:01:00] and what you're doing. So I wanted to get a little bit more into the specifics but just at a high level for those of you who haven't heard of BitLyft yet, could you give us a little background on the company and what exactly do you do? Yeah, absolutely.
[00:01:16] So I founded the company in 2016. We're a managed detection and response company performing log management, 24-7 SOC services and really making sure that the environment that we are taking care of and looking after is safe and secure.
[00:01:39] Not a small project but a lot of fun and in a lot of ways we build a ton of software at the same time to help make our SOC services automated. Yeah, yeah. So you mentioned a couple things that I see as big challenges for MSPs today.
[00:01:58] I guess the first one that you said that I took note of was log management. Could you elaborate a little bit on that because that's an area of weakness I think a lot of MSPs have of dealing with the enormous amount of logs and just tracking that.
[00:02:17] Yeah, so log management today is becoming pretty much a staple. You have to have good log management practices inside of not only you as an MSP because you're part of the supply chain now but also your customers' environments. Whether they're regulated environments or they're non-regulated environments.
[00:02:38] What I say is the proof is in the pudding and that the pudding happens to be the logs in this case. Everything that happens inside of the environment from firewalls to cloud to Azure to AD, everything that's going on on the endpoint servers and the infrastructure is producing
[00:02:57] logs. That is the fingerprint of what is taking place in the environment. Through that fingerprint, we can do threat detection and we can do response really well. I remember going back some days when people were turning off the logs. Things weren't very secure.
[00:03:23] Moving forward now, everybody is super focused on log management or should be. It should be considered a critical component of your security strategy and your execution inside of your environment. You brought up managed detection and managed response.
[00:03:45] Elaborate a little bit more on the managed response because again that's an area of weakness that most MSPs have. Don't take this the wrong way but there's a gazillion security tools out there.
[00:04:00] I talk to MSPs every single day and it's kind of like, oh all these tools are a dime a dozen. I know you're not but elaborate a little bit on the response part because I see a
[00:04:11] lot of people they have a bad customer service experience with a tool. They'll just move on to the next vendor. I know that it's not a problem for you guys but could you elaborate on that? This is a lot like I'd say, I'm not a mechanic.
[00:04:30] I would go drop my car off at the mechanic shop and they are delivering a managed service. I don't care what necessarily tools they use. I just care about the end result. The end result is that the problem is taken care of and cleaned up and I can
[00:04:42] drive the car down the road. That is a lot like how I look at the managed response portion of what we do. We use a plethora of tools that our security team has deemed good and useful and valuable
[00:04:56] and it delivers the outcomes and results that our customers want and demand from us. How we come up with the end result isn't really necessarily always the focus but yet that we do come up with a good end result that meets the customer's needs.
[00:05:14] The response oftentimes is the most important when you're dealing with an incident because it is going to deliver the information that you need to know who was in your environment, what they were doing, what they were after.
[00:05:28] Were they able to exfiltrate any data out of your environment and then what are the behaviors and things that you should do after the incident, the postmortem? What are we going to secure? How are we going to secure it differently? Where did we maybe fail?
[00:05:45] Where did we have gaps and then how are we closing that gap and preventing it from happening again in the future? All of that being managed means our team comes alongside of the MSP and the customer and helps them through the entire process as a subject matter expert.
[00:06:03] This way here, you're never left alone, turning wrenches all on your own. Yeah. I know you've got your 24 by 7 SOC so that response is available all the time. You're exactly right, Jason. I think the response is the most critical part and I tell you it's lonely when you're
[00:06:20] in the trenches and you're in the foxhole and you're in the middle of dealing with issues. You want experts on your side. You started elaborating on this but I think also, correct me if I'm wrong, you guys
[00:06:33] can actually help determine how the issue happened in the first place because that's half the time we're responding on security issues. You don't even know how it happened. You're just guessing, right? Yeah. You guys can determine how it happened and more importantly, are they out of there?
[00:06:49] Are they gone? Exactly. We can determine through the investigation process, again looking at the logs and making sure that we understand who got in, where they came from, what they were doing, what data did they touch, what data did they not touch, write it all up
[00:07:08] and provide that. That is the forensic investigation to ensure do we have a big problem or a small problem and then how are we going to address it? All of that information can be found utilizing log management and collection of logs, searching
[00:07:28] through logs and making sure that that information is collected and held. This is the other biggest thing when you're doing log management. You really need to hold your logs for at least 365 days. If you're only holding your logs for 30 days or 60 days, the problem is a lot of
[00:07:46] the attacks that we have seen, the initial trigger or the initial dropper was done 30, 60, 90 days ago. Criminals are patient because they know at the end of it there's a big payout potentially. They're becoming more and more sophisticated.
[00:08:05] The bad guys are using more and more of technology against us like AI tools. I think you've seen that as well on your side. How are you guys trying to remedy that of the criminals, the bad guys using AI for bad? That's a good point.
[00:08:26] Just two weeks ago we saw one of our own customers experience an account that was compromised. It was improperly configured. We notified the customer of this, but we saw the account compromised and the automated tooling running on the criminal's activity. I'm just trying to be perfectly clear here.
[00:08:50] The criminal got into the environment, got control over an account, and then immediately they had their tools ready to go. They started running automated PowerShell and Python scripts in the environment collecting information from the other servers in Active Directory.
[00:09:08] They were able to do some data exfiltration, and then we were able to tell them what data was exfilled. We were on the phone working with a customer within minutes of seeing this activity and it killed the account.
[00:09:24] Then we were able to explain everything that just took place. I want people to know that AI and automation is being used by the criminals right now today, more now than ever. You don't have to think of are they possibly using AI or automation? They absolutely are.
[00:09:46] We saw this just two weeks ago. Are you seeing the end users that are being attacked, are you seeing more and more smaller ones being attacked, or is it just the big sexy logos that we all hear about on social media or in the newspaper? Yeah.
[00:10:06] We're seeing a lot smaller companies these days. We're seeing companies of 10 people, 15 people, 20 people in size because they know that they can't defend themselves. They don't have an IT person typically full time on staff. They don't have the budget. And so they're ripe for the picking.
[00:10:26] And so the thought is, if I can ransom them or a criminal can ransom them, they're much more likely to pay. And if I can expel their data out of the environment, then they're even more likely to pay that. It's called double exfiltration or double extortion.
[00:10:52] Meaning that if you don't pay, I'm going to post your data online. And if you don't pay, I'm still going to ransom your environment. And we are seeing these threats because ultimately the criminal wants to get paid. Yeah. We're seeing the same thing.
[00:11:12] The smaller companies are just easier targets. They're easier targets. Completely. And frequently we, as I'm just talking on behalf of the MSPs, a lot of our smaller customers are like, oh, we're too small to get hacked. You hear that all the time.
[00:11:29] And that's not the case anymore. You know, the bad actors out there, you know, the single hacker in a third world country, their average salary per year is five grand, maybe 10 grand if they're lucky. You know, the average ransom for these small accounts are 50 grand, 100 grand.
[00:11:48] You know, it might sound like chump change compared to some of the things you read in the newspaper today here in the States, but that's a game changer for someone who's making five grand a year. They get 50 grand or 100 grand. That's a life changing event for them.
[00:12:02] They just get one hack and they're in business. So everybody needs to protect themselves, right? 100%. Yeah, absolutely. Awesome. So any other, without maybe naming names, I know you work with small companies because your tool scales and your service scales, which is awesome.
[00:12:23] It's an enterprise tool at affordable small business prices, but I know you work with large and small entities, but maybe like a bigger entity without naming names. Is there any other incident that you could share or a case study that you
[00:12:37] guys have helped maybe walk through an example of that? Yeah, I mean, a prime example is a large company. They have, I think, about 2500, 2600 employees. They're both a seasonal and non-seasonal company. And, you know, they had a VPN appliance in their environment.
[00:13:07] They were migrating to a new one, decommissioning the old one. They had actually turned off logging of the old one to us and started logging the new VPN appliance to us. And they also quit updating the old VPN appliance because they thought
[00:13:26] we're going to migrate, we're going to get this moving. Right. And so what ended up happening was, you know, life happened. They had all the projects come up. They had other things come on their plate, the IT team.
[00:13:37] And so the migration ended up taking like more than six months from this old VPN appliance to a new one. And all while that happened, you introduce six months of time, you forget things that you did five months ago.
[00:13:53] So the VPN appliance had a vulnerability and they quit patching it. The vulnerability ended up getting exploited and the whole VPN appliance ended up being taken over by the criminal. And the criminal was actually able to use the VPN appliance to eventually
[00:14:14] get usernames, passwords and access to the rest of the network. It eventually led to taking over more admin accounts in the environment. So it's one of the biggest things that we see is sometimes more users in the environment have admin credentials or admin permissions
[00:14:33] than what they need to. Big, big, big no-no. But in this case, their account, their environment was taken over by this criminal because he literally had all of the access that he needed. He had multiple accounts ready to go and not just one account.
[00:14:52] And so we were able to quickly move and we were playing automated whack-a-mole with this guy, this guy or girl, because they were able to move fast as well. We were eventually able to get them out of the environment.
[00:15:09] But the biggest takeaway that I can tell people is that when you launch a project and you know that you're going to be replacing something like a VPN appliance or something else, it's going to be a project, you want to do it methodically and quickly.
[00:15:24] And you also don't want to take your eyes off of, you don't want to take your eyes off the road. You want to make sure that you never stop updating it, that you keep it secure until it is completely unplugged and decommissioned out of the environment.
[00:15:44] In owning and operating BitLyft and everything since 2016, I have seen this multiple times where the IT team gets distracted and they had a project and they got moved off of it. And it is that thing that got popped by a criminal in that very
[00:16:05] moment when they were vulnerable. And it could have been prevented. The IT people always say, I wish I would have done this differently. And then that wouldn't have caused me this pain that I'm in right now. Yeah, no, that's a good point.
[00:16:23] You know those migrations always take longer than expected. And the second you let your guard down is when you're vulnerable and that's when the attack happens. So that's a shame. Well, good for you guys for figuring that out and saving the bacon for that large client.
[00:16:42] So I know you have a promotion going on. We're all interested in getting a good deal. We do. And let's talk about the good deal of the summer. So right now in Q3, we are running a 30% off of our partner pricing to the partners.
[00:17:04] It is to help them out so that they can win more deals. They can be more cost competitive in the marketplace, but they can also create more healthy margins inside of their own business as well if they choose to. So that 30% off is good here in Q3 of 2024.
[00:17:24] And who knows? I'm sure we'll run some sort of promotion again in Q4, but we've had success with running this promotion in the past. And so we thought we'd bring it back. And it allows us to bring cybersecurity to some of those
[00:17:41] businesses that couldn't otherwise afford to get it. Yep, yep. All right, well good stuff, good stuff. Well, so for those of you that are analyzing your cybersecurity stack like all of you should be, make sure you take a look at BitLyft. These guys offer some unique services and
[00:18:01] we're talking about the best of the best. When an incident happens, you want to be working with the best. You don't want to be working with the worst because it just takes one bad issue and then you're done. So work with the best, check these guys out.
[00:18:14] Jason, how can people get in touch with you? What's the best way for them to reach out? You can reach out to me over email, jason.miller at bitlyft.com. You can also go to our website, www.bitlyft.com. And then it's spelled with an L-Y-F-T.
[00:18:33] And yeah, we'd love to chat with you. We're very non-salesy. How can we help you? What kind of pain are you experiencing? What are your concerns? And we always just love to give information that we have
[00:18:49] that helps other people out, even if it doesn't yield us a sale at this point. Yeah, good for you. That's one of the things I appreciate about you guys is you're out for the greater good for all. You guys are out there marketing yourselves,
[00:19:05] sharing best practices and sharing information. And helping them regardless if they're a customer or not. So I appreciate that. Thank you. All right, that's all the time we have for today. Until next time, sayonara. And Jason, thanks again for being on the program. We'll see you soon.