🎙️ SPEAKER Zach Kromkowski
📍 WHERE TO FIND HIM LinkedIn: https://www.linkedin.com/in/securityzachkromkowski/ Website: https://senteon.co/index.html
📌WHAT IS THE MSP INITIATIVE? The MSP Initiative was developed with one goal in mind: education for the IT & MSP Channel. We are bringing together some of the best industry minds from all over the planet to help you learn relevant and helpful tips and tricks you need to take your business to the next level! Every Tuesday and Thursday at 1:00 PM ET, we will have great IT Channel members and experts discussing relevant topics to your business. We hope to have these great members from diverse backgrounds and areas of expertise help everyone through some new and changing times. Register once and join us every week! There will be time reserved at the end of each session for a Q&A, giving you the opportunity to ask real questions you need answers to for your business.
📝 VISIT THE WEBSITE BELOW TO REGISTER tinyurl.com/y749r79u
📱 WHERE TO FIND US Facebook: @mspInitiative LinkedIn: @mspinitiative Twitter: @mspinitiative Website: mspinitiative.com
[00:00:01] Hello ladies and gentlemen We're at the end of May and welcome to the MSP Initiative MSP talk. Well, you got like the rest of this week close it up close out the month
[00:00:15] Summertime at least for everybody on this side of the planet. Sorry for you guys down in, you know, Australia and Zealand I know it's reversed in the toilet flushes the other way and all that good stuff But cross folks on this side
[00:00:28] Summertime and you know what that means Lot of road trips lot of flights You know, like everybody's trying to go to Europe right now and you walk following social media like Cheap cheap cheap right get it in. Okay sounds good. Let's get into the goods
[00:00:43] Let's get into the housekeeping and then we'll get into the good stuff as usual. So mspinitiative.com, you know how to spell initiative, Google will fix it for you. When you get to this page you will see sessions, this session for example
[00:00:57] This is being recorded. We're gonna post it on our podcatchers and your YouTube page and the sessions tab here under mspinitiative.com. However you choose to consume: like, share, subscribe, forward
[00:01:10] Got some good stuff that we cut me up bring you twice a week. So please keep dialed in. Then at mspinitiative.com you have another tab called Community Minds. We did MSP Community Minds last year and again this year
[00:01:23] What yeah was in Nashville a completely educational event with MSP panels and workshops. What does that mean? We know we used to have this postable post the new ones, but effectively
[00:01:36] MSP panels we have MSPs from the trenches where you're probably coming from getting in and talking about real life world experiences I don't care how you learn my opinion
[00:01:48] That is the best possible way because like then it's real right? It's not conceptual like actually happening to someone you learn from other people that is Can't stress enough that I you know advocate for that to The workshops are designed to give you not just up
[00:02:06] Hey, let's talk about a topic and let me give you the reasons why you should care about the topic And by the way we're gonna cut it short unless you go to you know WWW dot and subscribe and buy right no no no no no no no
[00:02:19] We're gonna give you at least a two hour workshop And we're gonna actually show you how to get through the topic and how to actually functionally get to a Working part at the end of that so whether it's
[00:02:31] You know prospecting legal security and there were a bunch of other topics I mean it goes all over the place. That is the format of this So yes, we have vendors co-sponsoring this you can see there's a few already listed here
[00:02:45] None of them are pitching you anything in a session They're just you know, it's a community vibe. That's what we're trying to do and by the way Other than getting to this next one here in Denver between September 25th 26th
[00:03:01] We're not actually charging you as an MSP to come think about that There's no 999 conference registration fee. No like please come and learn. This is for you. I Don't know. I don't know what better offer I can make but I'd say that's a pretty good one
[00:03:17] Then we have our community block parties and this is probably what we're better well known for. Multiple between now and then the air, but the two that are coming literally next, like two weeks from now: we have the Pax8 Beyond
[00:03:32] Denver block party, that'll be on June 10th. So if you're going to Pax8 Beyond, I hope you are, it's gonna be pretty cool event. Pax8 Beyond comms. You don't know what it is. On the night of the 10th we're holding a block party
[00:03:48] Absolutely free if you're an MSP to come and join us check it out click on this button Register that we don't have to do it like standing at the door or This other event that's happening couple days like literally a couple days later in the same week, right?
[00:04:01] So on the 12th, if you're going to Dublin for DattoCon, or Kaseya DattoCon Dublin, we're doing a block party there as well. We did this last year, was awesome. We're doing again this year. Come out, join us again
[00:04:15] Doesn't cost you a dime. You drink it on you know some nice food and beverages Networking with the crowd. I mean, isn't that what you want from every conference? I think so So check those out make sure to click on these it takes you to landing pages
[00:04:29] you'll see details and Make sure you register ahead of time. It'll save you a bunch of time Lastly, if some community offers is just deals from some of the companies around the sandbox that you may or may not want to take advantage of
[00:04:42] Awesome, if you can and then lastly is the industry calendar where we're trying to keep track of I don't know all the hundreds of events that are happening You know every day every week every month for you so that you can figure out what's going on
[00:04:53] That is all at mspinitiative.com. That is the housekeeping, back into the closet, and here we go. So first time ever ever ever that we've had our guest who's gonna be on the show today come on, or anyone from his company
[00:05:12] So we're gonna be learning a lot today. So Zach go ahead Intro yourself and your company. Well George absolutely killer housekeeping you rolled right into that I mean, we didn't even really say hi before the show. You just zoom awesome. Well done
[00:05:27] So I'm Zach, co-founder at Senteon. Managed endpoint hardening, MEH, is what we're trying to get out there into the acronym world, a beautiful one, right? But I want to, I want to shout out a little bit of your housekeeping, right?
[00:05:42] So I was introduced to you guys, I remembered while you were giving the presentation, by probably our mutual friend CJ from CompTIA. So yeah, some head nods. He was actually, Chris Johnson was actually on a few weeks back on this very show
[00:06:00] He also, you know, works very closely with Matt Lee over at Pax8, and he did do two workshops at MSP Community Minds in Nashville. One of them he brought donuts, so that was always a hit. But man, he is a really smart guy and by the way
[00:06:15] Every time I'm gonna ask you this question to in a second every time somebody comes on here I always say like hey, how did you even like get here? Right? What was your past?
[00:06:24] What was your journey every time I learned all the different angles people make it into what I call the MSP sandbox? All right, it's like we're sub industry of the greater technology kind of bubble And like nobody hears from Facebook and Google and all those other cool companies
[00:06:37] But like you still do a pretty important, you know work downstairs at our level So what yeah, so number one will definitely send CJ message. Thanks for connecting the dots buddy But number two. Yeah, let's hear your journey man
[00:06:50] Let's hear how you like went from wherever you started from to this founder of a company and by the way I haven't heard your story yet, but that's hard. I know everybody out here who listens, right? Maybe started MSP IT company marketing company, whatever
[00:07:07] You know, it's always harder once you're in the chair, right? Because all the stuff that you never realized is like has to happen is now your job and like the 800 hats We all hear about every single day in small business. That's real
[00:07:20] Company handbooks have different laws per state and Yeah, I've learned a little bit more than I care to admit at this point about running a company It is Yeah, as much as you know in MSP land, you're like hey outsource your technology to us
[00:07:36] We'll take care of it like you need to realize what you can and cannot do and The quicker you come to that determination and you find a place to send that traffic to The better off you're gonna be because I agree company handbooks. That's not my job
[00:07:51] You do not want me even trying to write a company handbook at all. No, no none of it's interesting And funny bringing up Matt Lee in the workshops. I imagine were they talking about the
[00:08:01] CIS working group, how controls feed into other controls, is that by chance what it was? A little bit. If Matt didn't make it he's gonna make the next one I believe, but he's heavy into like the CIS control mapping as a whole project
[00:08:13] I think he just posted online on his website cyber Matt Lee but CJ touched on that and then he kind of like took a more practical approach to hey, how do you
[00:08:24] Along, you know, select the stack to align to what you're trying to accomplish, like, like the whole best. Yeah, I don't want to steal his message because he did it much better than I'll ever do. So go back and rewind on that sessions tab, mspinitiative.com
[00:08:37] But he's like hey listen the whole best in class thing. I know it's a little cliche. It's fine Just follow me for a second like that may not be what you're delivering and it may not be what you need right now
[00:08:49] Like good is also acceptable, right? And like as you your MSP IT services organization matures You you're gonna switch some of these things, right? You're gonna change like the cat the vendors in each category and the solutions in each category get a change but like I
[00:09:07] Guess you need to work backwards from your clientele, right? And like that's got to really dictate What you are going to have to do With them or for them and so that's gonna kind of change your direction. I think yeah
[00:09:21] I mean that, so I was part of that working group. That's why I asked. I didn't know if that was what the presentation was on, but that was absolutely wild. So a little bit more background on Senteon, and I'll get to the origin story here in a minute
[00:09:32] But we very much built our company a hundred percent on CIS standards, right? That that was the challenge we saw MSPs today not really today I should say a few years ago didn't really have a security framework
[00:09:45] You know, they didn't choose one to align with or they chose aspects of many there wasn't really this Just one golden answer and I'm not here to say CIS is the only golden answer I'm here to advocate that it should be and every MSP should follow it
[00:09:58] But um, that's where we built our company. So when Matt put that working group together I messaged him right away and and wanted to get involved because like you said and you hinted at this
[00:10:09] Having to work almost backwards with your client to know what they need where they need to align But you also said vendors Where does a vendor fit into these CIS controls and I can define CIS controls if you want me to go into that
[00:10:22] But um, like where do they fit? How do you keep up with vendor innovation? This new feature that this vendor releases maps back to this now I can get rid of this tool now
[00:10:31] I can add this tool. I mean y'all MSPs you have a lot to do across many clients and it's I Imagine it's fun. It's never the same day twice
[00:10:42] But it's a lot of work and hopefully some of us vendors better align and make it a little bit easier for you I I mean I would argue that
[00:10:51] It's pretty poorly done meaning yeah, bunch of people buy stuff they put stuff in and then they stop paying attention Things change until there's a break That's when they're paying attention again because like I know there's companies that popped up to like oh
[00:11:08] We're gonna track all your vendor alerts in one place. I don't even think that's working The MSPs like just a little bit too in the business not on the business probably the best way for me to come out line it like
[00:11:22] Really until you get to a certain size Once you get to a certain size a little bit different story because you have more resources and you can actually Pay attention and do something about it, right?
[00:11:33] Yeah, I mean you get around that usually around that size like they also have a better process of Evaluating vendors and testing. You know the criteria and all that jazz but yeah to your point
[00:11:45] I think a lot of MSPs out there when I've said it a million times Here's million one, you know credit card swiping fatigue, right? They'll go to a show. I think you said you're an MSP geek last week Yep, they'll say hey that looks really cool
[00:11:57] Six months later. It didn't even start mean dust that off and try and put it in place yet And so I think a lot of that stuff. Yeah, I definitely agree with that And I mean it's also hard to kind of peel through all the marketing noise
[00:12:12] So really just admiration for what Matt Lee is trying to do with mapping vendors to CIS And and hopefully that shift happens and you just said, you know It's easy for an MSP to be so close to the business, right?
[00:12:23] It's until you mature enough and have the resources to really branch out. I mean even as a vendor, right? MSPs vendor owners like we're also owners just like you it wasn't until I yeah I mean it very much is so easy to get close to the business
[00:12:38] I think either last, yeah, last week I talked to Joe Alapat at Liongard and I haven't given him enough praise. I've posted about a few times, but he helped me take a step back and realize the messaging of what Senteon does, because at this point
[00:12:52] You know, I was brought on for go-to-market sales marketing whatever that is right and I became so close to the tech I lost my rudimentary sales pitch I immediately just go straight to the technical now and and that's what happens right?
[00:13:08] You're a small team. You have to know every aspect just when you're an MSP owner with a small team You're not just an owner. You're the engineer your help desk sometimes you're definitely sales And that's that's this the line between early vendors and MSPs, right?
[00:13:25] We as much as vendors will probably tell you they get it Only the ones who are at this stage truly get it because we are stretched just as thin as you Funny I Was going through the Instagram feed over the weekend and one of them
[00:13:40] I'm not even a huge Mark Cuban fan other than, you know, he's on Shark Tank and everybody knows about Shark Tank, but show Yeah, it was like a small clip and he's like I don't care what size business you are
[00:13:51] I don't care for just starting out on care for your you know mega corporation like Sales solves a lot of things right and I guess let me revert that to another industry in any sports league winning
[00:14:02] Solves a lot of things right anybody who tells you oh, let's build something and like we'll figure out sales later No, no, no, no, no, no, no flip that around you need to figure out how to sell how this is gonna sell
[00:14:14] And like we'll work on this as well, but like that is just as important So I agree with that. There's yeah, I don't know if I agree with everything Mark Cuban puts out there
[00:14:24] But that was absolutely on point. I think we feel the same about good old Mark from your insinuations. I mean he's successful. There's no question about it. I mean I was funny I
[00:14:40] Took my very young children out for a Mother's Day shopping and we ended up, you know, because it was a smiley face, they picked the Scrub Daddy as one of the things that threw in the car. I was like, I remember this Shark Tank
[00:14:51] Yep, very very much and and this aspect of winning and sales first like that's honestly advice that I Think is so hard for an entrepreneur who doesn't have a product yet to hear like that just doesn't make sense
[00:15:04] How am I gonna sell something if I don't have something to sell yet? Right, and that was one of the challenges that we really had over at Senteon, because when I tell you more about
[00:15:14] What we do right changing configurations and hardening and baselining assets like That all of those buzzwords or words that I said aren't really talked about They're not things that are highly prioritized at least the MSP level, you know
[00:15:29] I don't really work with enterprise, but even at the enterprise level I've heard from my either MSP partners or VARs that they have the same challenges. So as this company who is building something and
[00:15:42] Wasn't selling before there was a product, I'm realizing I had the opportunity of a lifetime to just full-on hone in on my pitch, create marketing material, create lead demand gen
[00:15:54] And I didn't do any of that. I'm just now starting to do that now that we actually have you know, you know For the last year or so like revenue generating proper mature
[00:16:03] Platform at this point, but now I'm trying to do actual sales and demand Gen when realistically that engine should have been built before the product I and by the way this topic Now we're talking on vendor side of train tracks here, but MSP, right?
[00:16:21] Same challenge same issue. I mean, how many times will last I don't know 20 years have we been saying sales and marketing or like top three still in Issues that MSPs are digging into here's the reality, right? I'm not quite saying fake it till you make it because
[00:16:36] There's a fine line there too. Don't misrepresent what you can do. But sure Brad Gross is somewhere out in the ether listening. Like you do need to, like, technology such a wide landscape, right? It's a big word and like when I was going back to school
[00:16:52] They're like, oh, there's eight disciplines of technology that are tracks that get you to a diploma, and I'm like, eight? I'm sure there's way more now, right, in 2024. That being said, as an MSP, like what are you doing? Everything for everybody is not the answer
[00:17:07] Because that's not scalable right so you need to hone in on what you do or you plan to offer and then like fine-tune your messaging that being said the better you Define it and
[00:17:21] Actually shrink it, right? I think sometimes you like oh, I want to do oh, I heard so-and-so is doing that I want to do that. It's like dude Outsource it that like maybe that's not something you do internally, but I digress that being said fine tune your message
[00:17:35] Can't stress that enough which is why and I'm going a little bit off track here, but I'm gonna finish with this thought Outsourcing the message creation for you to a third party usually doesn't work
[00:17:49] I'm not saying there's not a lot of good sales marketing PR people out there. There are but You can't tell your message. Why are you expecting somebody else to create it for you?
[00:18:00] Like you need to define what your message is and if they can fine-tune it that that's where they should come in Shouldn't be the opposite way around so if you don't control your story somebody else is gonna control for you and I promise you
[00:18:12] Somebody else control your story You can be very unhappy with the results and then you're gonna be another person that comes and says I dropped tens of thousands of dollars You know whatever year later 15 18 24 months later, and you're like I spent 60 80 hundred thousand dollars and like
[00:18:27] Nothing came from it. It's like who created your your story. Oh they said they were gonna do it all for me I was like But what if that's just a template for everybody?
[00:18:40] That I think is not good anyway back to Zach story go for well template for everybody is actually exactly what we're against Oh funny saying you mentioned that and hang on one Sorry phone was ringing on the soft phone ringing in my ear so fix that
[00:19:01] Template not the template for everyone so that's actually exactly what we as a company said is the issue with configuring and Baselining and hardening is everyone just wants. Oh here's a template. I'm gonna roll it out over group policy
[00:19:18] Here's the CIS template. Yeah, they need CIS roll it out the issues with templates you said it I'll say it again. They're not for everyone everyone has their own exceptions
[00:19:29] Everyone has their own unique needs and there needed to be an innovation to this, which is exactly what we developed, to say: Hey, here's a hundred percent of best practice standards. In a perfect world, yes, apply all
[00:19:42] Reality is is this middle ground you need tier three engineers? Extremely seasoned people who understand individual settings on whether an OS or a browser or whatever Application to know all of these settings and then determine which ones within the template you can or can't handle well
[00:20:01] Who what MSP has an engineer who only wants to look at configurations and learn thousands of settings inside and out? I can't imagine there's a single MSP out there with an engineer who wants to do that
[00:20:13] So what our whole innovation is is the fact that we have a learning mode to say hey These are the settings that you should put but here's the ones that Won't break anything. Here's the ones that probably will break something and now your engineers have a much
[00:20:31] smaller in scope list of the settings to review either to leave it the way it is to maintain operational or Change it anyway, but at least now you know the setting that might break something Hmm. So let me rewind Templates
[00:20:50] What are you solving for you're saying hardening right? Yeah, I to me that's Said earlier and I said again. That's usually a problem you tackle after you've had a problem Sure There is an incident there is an issue. There is a vulnerability
[00:21:10] That was you know, you know the door for somebody walk in create a problem Like every time everybody's ever you know wired money because they got an email, you know saying oh We've changed your account and then realized that somebody stole that
[00:21:24] That's when they're like, oh well, that wasn't good. How do we prevent this from happening again? So that's what I'm thinking in my head, right, hardening, so we can flip this around: proactive versus reactive, long, long tale
[00:21:35] That's been told for many years. So your your position is hey You probably don't have it you're probably not doing a great job of hardening Endpoints right so we're not talking about the 1800 security products. You can put on a computer to catch something
[00:21:51] You're talking about so configure those but that is not the scope. I'm talking about here Okay, all right just wanted to find this so it makes perfect sense
[00:21:58] That is still hardening though those applications and setting those settings that is very much still hardening as that's part of it Mm-hmm, but there's a bigger picture of here are the known areas that if you know
[00:22:10] You're just leaving your front door open your window open somebody just walks through well Like you didn't stop them right you didn't make it any difficult any harder for them to just
[00:22:19] Walk right in and do whatever they're gonna do right so like the alarm system in first kind of thing before you know Somebody tries to steal your stuff from your house, right?
[00:22:27] So like what are the other than CIS which I think people are aware that CIS is a thing But maybe haven't really investigated much time into it What are the main areas of this hardening that you're solving? So
[00:22:43] Specifically what we're doing is the hardening of the OS, so the operating system, and then the browser. So this could be the workstation OS, the server OS or, you know, mobile devices OS, right? And it's funny, the age-old tale, reactive versus proactive
[00:22:57] I actually stay away from that battle because these settings when we talk about hardening Let me let me put it this way so everyone knows about vulnerability management everyone knows about patch management Hardening is kind of this middle ground hardening management. It doesn't even sound good
[00:23:14] But um, it sits in this middle ground because these settings that I'm talking about with you today is is settings that are Available on every single workstation every single browser there they're there and they're not secure by default Why are they not not secure by default?
[00:23:31] Windows said so they prioritize usability. Maybe there could be some arguments But even the chrome browser, right? There's a lot of settings that you could change to increase security that are not in place by default because it's an extra Layer of friction but between adoption, right? So
[00:23:49] Vulnerabilities can be new, come zero day, whatever that is. Patches come as software advances. Hardening are settings that are there that you can do that we just choose not to. So why I was saying we kind of stay away from the proactive reactive argument
[00:24:05] Yes, you're proactively changing settings, but these are all preventative security measures So I think even further left. You're not proactively reacting to something you are All of these exist all of these are there today on all the listeners devices on my device right all these settings exist
[00:24:22] You have to take the proactive step to become preventative. What, why have this fancy EDR? Why have this fancy ring fence, all these extremely incredible and fancy solutions, built on top of something that isn't configured? That's the piece that confuses me the most
[00:24:42] Hmm. Well number one to your point even enterprises do a really bad job at this That everybody just buys more and more products That's true. Yes to the point where these products overlap and then we get into the whole problem of well
[00:24:57] administering these products on a regular starting become cumbersome I digress um Even companies have popped up. We've had some on this very show who are like, hey We have all 14 things right one platform you have to buy separate products and separate vendors
[00:25:10] I'm like wow, okay, um, I don't know if I agree with that single point of failure methodology, but alright Hey That being said Yeah, the same apply like let me let me just use an example because I know it just happened
[00:25:26] I saw last week Microsoft is finally getting enforced MFA to log into Azure control pen. Sure, and I'm like dude, it's 2024 we've been talking about MFA for at least five years and I think Microsoft hasn't been really enforcing MFA
[00:25:42] On standard office 365 accounts until like the last year ago, I think it was a year. Yeah, it wasn't that long ago So like that's an example of like hey the default is off
[00:25:54] Right, like they're like hey you have to configure this to fit your customer your environment and like 400 checkboxes later. It could be a thousand different permutations that being said Give me an example of how
[00:26:09] The MSP you said there's like how does this get deployed right? So you said there's listener mode. That's really cool because You know, I can't tell how many times you were like, well, I didn't know that or they didn't tell me that or we didn't spend enough time
[00:26:21] Investigating their environment every time I've heard that every single time but that being said like People looking at your solution would say how does this look end-to-end? I have a prospect that I want to try this on to the running their functioning
[00:26:33] I'm managing it, walk us through that journey. Sure. So talking about Senteon specific, not the traditional way of manually doing this. Yeah, okay. So you have a new prospect you're looking at. Typically today
[00:26:45] You might show them, you know, whether it's a scan which scan vulnerability scans extremely valuable show the broader picture Right with hardening you can do the same type of thing You may already have a scanning tool within your stack that gives you a scan of the configurations
[00:27:00] Where Senteon takes it a little bit further, and as a note, this is kind of our gift to the MSP space, any podcast I go on to, your viewers are welcome to get free assessments, internal and external. So there's the little plug for you guys, completely free
[00:27:15] deploy the reports, get your assessments. So for perspective on Senteon, so the first piece is to actually run this assessment. This will show you all the existing configurations versus security best practices, whether these are from CIS, NIST or Microsoft standards, whatever that is, and this will
[00:27:36] Basically present to you something interesting that a lot of scanning tools don't show you. So because we're the, because we're not leveraging group policy, we're not leveraging Intune, we're looking directly at the reg keys, secpol, auditpol, we're looking at where these individual settings live
[00:27:56] Sometimes our results may differ from the traditional scanning tools That's because we're looking at the source of truth as opposed to just trusting Microsoft. I mean I Would ask the audience in George I don't know your background if you've been an engineer
[00:28:08] But you ever change an Intune policy or deploy a PowerShell script and just trust without doubt it was successful? I can tell you a lot of people do. I mean at the end of the day
[00:28:19] Here's what it maybe was successful on nine out of ten and you didn't realize number ten was a problem until you're too late, right? That's right. It happens all the time and quite frankly I Think that most RMMs like If you're not coding for the chat
[00:28:34] Yes, they the script ran successfully cool Well, I'm on you know that it actually the fact the script ran was great But did it complete and did it return it okay?
[00:28:45] It did get completed on this machine this machine like that you have to actually go a step further to get there And and take it even even further than that step. What about ten minutes later? Did it stay so that change state or did it change right?
[00:28:59] So anyway, what I'm getting at here is is our reports look at the source of truth Which might differ from a group policy report because we're looking at this source What the most interesting thing we found is when we onboard
[00:29:11] partners who maybe have a completely Intune environment, Intune-joined environment, I go, hey, give me ten endpoints, deploy Senteon on ten machines, and believe it or not, we find differences. So part of this free offering that we have is
[00:29:28] Basically a sales presentation. So yes, you get your your grade you get your configuration score against CIS or regulatory frameworks PCI What whatever you want right you get that score But the second panel of the sales report shows you how many different
[00:29:42] Combinations of settings there are across your entire client. So if it's a hundred percent Intune-joined it should only be one, only one configuration set. But if you want to put it to the test, you know, give me ten machines
[00:29:55] I would be inclined to believe there's at least three different combinations And I'd be even further to believe your engineer doesn't know why each machine is different. That's that's just what we've seen Yeah
[00:30:07] I'm not I wouldn't even make that bet. I'm gonna say it's gonna be absolutely gonna happen like you know On a different context The content, you know the comment is made one
[00:30:22] Put all your eggs in the Microsoft basket what happens with Microsoft doesn't do what it's supposed to do that happens That's happened. You don't want to get many vendors including myself have companies because of that And number two
[00:30:34] How many times have you heard well Microsoft keeps us all in business so that is a fact, okay? MSP vendor or like whatever That being said I probably believe what you're saying right combination things the software the role of the person using the computer
[00:30:49] The manufacturer, when it was purchased, like all of these things differ on many, right, why these settings would be slightly different, and you would think with Intune, which is like based in group policy, right, and its history, you would think there'd be like a
[00:31:05] Standards enforcement, right, and like that's how it's designed to work. But yeah, so the interesting thing about group policy, and we actually, when we were building our tool, we kind of learned this just from getting this deep into the internals,
[00:31:18] is that group policy and Intune can only push. Yeah, there's no verification. There's no pull. So when Senteon's making these changes, we actually have to notify, like, hey guys, woo-hoo, we did some things down here. You guys want to know about it? Change management. Yeah.
[00:31:34] Yeah, so we had to build that additional piece. Um, but yeah, talking about like MSP to prospect and how Senteon fits, so it's that sales report first. It's educating, um, not only the end client but the MSP that their existing configurations are not standardized.
[00:31:48] So that's the first piece of value add, again completely free. We map that then back to the MITRE ATT&CK chain, and we show a very beautiful heat map on which MITRE ATT&CK piece of that chain you're most vulnerable to depending on your configuration state. So all of that
[00:32:05] you can show the client, educate them a little bit more, and start to bridge that higher, elevated conversation, because I hear MSPs all the time: my client doesn't want to understand this. They don't care about this, right?
[00:32:17] I I push back a little bit. There's definitely those clients out there, but if you show them a report That's truly unique of their environment I've heard feedback from my partners that they actually care and they want to understand a little bit more
[00:32:31] Maybe that's a one-off. Maybe my my my user base is uh Is working with a subset of people, but I do believe with the right report. They'll start to care more I mean bottom line is
[00:32:42] Things are always changing in technology land actually that's part of the reason why I kind of think it's fun, but I digress um If I have a known set of things and i'm testing your environment against and it's like hey, look here all the things that need help
[00:32:56] Again, you know if I don't know I can't do anything about it, right? It's the knowledge part That's the first part. So that's cool. By the way, where do people go and get this free
[00:33:04] Analysis testing tool? Well, I will need, so on our website, um, senteon.co, I believe it's slash contact. There will be a form and there's a message box. Um, if you just toss in MSP Initiative,
[00:33:16] I'll be happy to include that as you guys so anything where I come and talk I'm always happy to give some type of free perk like that. So Well, Jen keep a note. We're at 137 That's the that's what'll go out with this message that that offer so um
[00:33:34] All right, so you run this analysis your report comes back with the heat map. You're like, all right guys We're green green green yellow yellow yellow red red red, right? I mean we got problems. We need to fix this now
[00:33:46] So now this step two so you effectively at this point you've ran the learning mode You've gained your assessment now you need to set your goals So we've worked with tens of thousands of machines and we've ultimately identified for you out of these thousands of settings um
[00:34:01] A select subset that, one, we can't gather enough telemetry on, but two, they are known to the end client. Noticeable. So this is an example, like a message logon text, you know, warning, private device, um, xyz, right, you have to click OK on that message, or
[00:34:22] Control alt delete right so we've broken up. Um a small section to say hey these are company decisions You need to tell us what you want and what you can handle So you set your goals that's step three once you set your goals
[00:34:36] And we already have the telemetry. You set your goals, now you say, Senteon, take all that telemetry and compare it to this. This is your golden image. And now in finalization you can actually see, before changing any setting,
[00:34:52] what Senteon thinks will break, and that's the meat of our solution. We show you what we think will break something before changing it, and you can go through that entire piece, um, as an engineer to learn about risk you've been accepting without necessarily realizing it. Um,
[00:35:11] some very interesting ones is when, um, certain applications, we'll call it video editing software, will create its own, um, user rights assignment to lock pages in memory, right? So that can DoS your device. Um,
[00:35:22] there's certain findings like SMB1 where people don't even know that's still there and we'll say, hey, this was used last week, right? There's, um, I mean user rights assignments are probably the funniest findings. Um, I say funny. That's a rude way to put it, but um
[00:35:38] Apps and updates just put things in places without notifying you. Um, and that's not funny. Um, it's just unfortunate that there's no Easy way to find it until we built this thing
[00:35:49] So um, that's where you get to review everything and you can either make the decisions you say Um, you know, I I as a company. I don't know why this is here but I I can't
[00:36:03] Figure out if I can change it or not because I don't want to cause disruption. So you say, Senteon, for now leave it the way you found it, and then you can actually document why you accepted that risk. So then it generates in your follow-up reports.
[00:36:16] Alternatively, Senteon says, hey, this is risky because of this finding to change to your operational workflow. You can say, well, I now know which device this is risky on.
[00:36:26] Again, this may only be one of those 10 machines because this one machine had something unique the rest in it. Um, and then they call that individual, right? Hey, do you need a Linux subsystem on your endpoint, on your Windows workstation?
[00:36:39] Right. Do you use this? And if they say no, then you can disable it straight from our software, right? So now you get more contextual awareness behind GPOs, behind group policy, all the same thing. Anyway, you get more contextual awareness as to
[00:36:55] why Senteon thinks something is safe versus not safe, and the engineer can make the decision based on those findings. So that's really the big meat of the solution. Okay, so we run the assessment, get the answers,
[00:37:10] Then we we figure out what the organizational answers are comes out with the matching, right? This is what you have before this is what did you look after oh and by the way
[00:37:19] Nobody has enough time to do any damn testing because, you know, Patch Tuesday's on automatic anyway. But let's just understand what's gonna actually break. By the way, awesome. Make somebody look absolutely, you know, like rock star rather than the guy who broke something. Happens all the time.
[00:37:34] So that happens in The beginning yep, how do you what happens after that? Is there any continuous thing that keeps going so perfect question So after you finish all that you document your risk you change settings. There's a single button that says activate
[00:37:48] Activate will actually remediate thousands of settings, right? That's the thing, right? We're not necessarily a scanning tool. Of course we scan, but that's a feature. What we do is we take your scanning reports, whether that's, you know, Nessus, Tenable, Qualys, all those,
[00:38:03] without integration we make those green, right? If you actually want to fix your vulnerability scans with automation, that's what we do. Um, so what's after activation? So this is interesting because we built a lot more of these features a little bit
[00:38:20] sooner than we thought we would have needed to. So applying settings is awesome. Um, unfortunately, there's a lot of compliance and reporting that MSPs want after the fix. So that's what we prioritized, um, earlier than we anticipated. So the biggest thing is
[00:38:38] remediation feedback. So there are times where Senteon will say, hey, this setting failed to apply. Imagine if group policy told you that, right? And I will guarantee you
[00:38:50] group policy will also fail to apply. They just won't tell you. So we'll actually tell you when a setting, on which device, was not successful. Further than that, if it's unsuccessful it will try again, about I think three to five times.
[00:39:04] But at some point it will say, hey, it failed, and if applicable it'll say it failed because of this application, it failed because of the domain level, it failed because of xyz, right? So now your engineers know which settings are not applying, and they know what's
[00:39:19] not allowing Senteon to do its job. So that's probably the coolest piece of it. Um, on top of that, the compliance aspect. So we do take every single configuration. We leveraged CIS and then we crosswalk it to regulatory frameworks. So I said PCI, like HIPAA, FFIEC, right?
[00:39:36] So we have tailored reporting just against regulations. And regulations like CMMC and FFIEC have auditors that say, be able to, um, show the change history to your baseline, right? Verbatim. That's what they say.
[00:39:51] Today, without Senteon, I don't know how you're doing this. Um, I've heard multiple point-in-time vulnerability scans is change tracking. But, um, what happens in between each monthly scan? Is that really change tracking? Point in time
[00:40:11] comparison, I guess, right? Point-in-time comparison. So in our view as a company, that's not change tracking. That's not exactly what change tracking is. So our solution, on top of, after activation, will show you who's making changes, what's making changes,
[00:40:24] what's the timestamp it changed out of compliance, how long until Senteon put it back, right? So this entire change log is automatically, um, saved and done. So then when you have your audit,
[00:40:35] single click, Excel export, boom, or you can do PDF or whatever you want, right? At all. I'm talking everything I've said is all exportable to Excel. That's probably one of the most underappreciated features that we have. Every single table can be exported.
[00:40:50] Yeah, I mean listen that is awesome because What why like you know again age old msp it services industry problems like hey, why did it break? I don't know. I can just fix it all right, I mean
[00:41:04] That's common it's common that's sentence right like yeah who made the check no But we know how to go back and fix it now or I cannot help you get back to running
[00:41:14] Okay, I actually just gave, um, a presentation at MSP Geek Con last week. In my very first slide, I found it funny, but I said, guys, I don't want to give the rest of my presentation if we all can't agree on this one line.
[00:41:27] And then I had a slide and said, operational does not mean secure. No, yeah, 100. So no one disagreed, but in reality the majority of MSPs are living that way because this aspect we're talking about, changing settings and configuring assets,
[00:41:45] I've onboarded tens of thousands of machines and I haven't found, I have found one MSP that had more than 50 percent of the settings aligned to CIS. So that was about like 220 settings out of the 500 they recommend. Only one.
[00:41:59] No one's proven me, in the MSP space or enterprise space, in my limited expertise, but primarily MSP, has had more than half of this done. No, I believe you. I mean, at the end of the day, here's what it comes down to: nobody's forced them to. Yep.
[00:42:18] Again the end customer verticals got to dictate a lot of things if there are generalists Right and let's their hand is forced why? Well because it's more secure now, but we haven't had a problem until now until we have a problem, right?
[00:42:32] But like at the end of the day The next step is they don't have the knowledge internal to their company To actually get to the end. Yes. Yes. That's that's the gap. Yes. Hold on. There's another part to it They don't have the time
[00:42:47] To get to the end of that project Right, so they're too busy on the day-to-day help desk ticketing and projects right and like by the way Let's say they didn't have your tool and they wanted to go evaluate a customer's environment
[00:43:00] How long is that going to take them? RK studies have shown quickest eight months. Um, but I've heard time periods up to 15 months to do what we do But who has eight months? No one No, so like
[00:43:12] That's why that that's the main two reasons on the answer of why Do they need it? It would definitely show That they were well way more prepared And doing the and this comes back to mr. Gross over here
[00:43:28] It's like hey the marketing of what your services are and the delivery of it Especially if somebody else wrote the marketing message for you Don't align right so now they come back and they're like but your marketing said this and 24 by 7 and proactive
[00:43:45] And this that any other they're all of a sudden it's like But none of this was done So like very easy for maybe not the smartest attorney in the world to show up and say I don't think these guys knew what they were doing
[00:43:58] I mean we can talk about cyber insurance, which I don't want to go through on that rabbit hole, but there is a checkbox today that says, do you have a hardened baseline? I believe I've had partners send me that. They don't ask for proof.
[00:44:09] They don't ask you to attest to it, but they say, checkmark this box, yes or no. Now... Bake, yeah. Now, you know, a breach happens and they go, hey, you checkmarked this box. Can you show me your baselines? I would argue to say
[00:44:22] 99 percent of MSPs will have, if a Windows default baseline is 15 percent, which it is, I would argue that no MSP, majority of MSPs will be less than 20, because there's so many, right, there's so many. So this goes back to your challenges of time and resources.
[00:44:40] MSPs can only do the top 10 most important configuration changes. Top 10 determined by who? I don't know the answer to that. Internal knowledge, right? SMB1 needs to be disabled. Machine inactivity timeout needs to be in place. So they'll do those 10 or the top 20 most important, but there's
[00:44:58] 450 settings on a workstation, 400 on a server, and another 120-ish on a browser. Who has time for all that? Nobody. Back to... So let me ask you this: when you guys decided to get into business,
[00:45:18] When you went and evaluated the market space to figure out why this was the current condition and state of affairs like There's a lot of tools out there that kind of like a tool like, you know, like touch the border of what you're talking about right? so like
[00:45:34] Why has this not been a focal point then like why did it stop where it is and like now your company exists and effectively in a gap Yeah, I know. I mean it's 100 of gap
[00:45:46] So it's funny. I was actually solely responsible for market research at Senteon, and this started at the beginning of COVID. And it was like before
[00:46:00] a lot of these like huge online communities and networking things really started taking off. Like MSP Geek is huge now. It was still big then, but it wasn't what it is today. Um, and I was able to talk to
[00:46:11] Someone like the key people who gave me input was matley for example, um chris lair west spencer like all these people who are very much Day-to-day in it and they were like, oh, this is the best thing ever. This is what msp's need. Yes. Yes. Yes
[00:46:26] But it was very hard for me getting market research with, um, more traditional MSPs, and being naive and not familiar with the MSP space, I didn't know these guys were mature. I just thought every MSP was like them.
[00:46:41] I'm not that west as an msp is a vendor but um, you know, you get what i'm saying with that aspect Um, dustin bolander was another great great friend to help me out
[00:46:50] But all of these people who I thought was just the norm and they were like, yes. Yes. Yes. What you do we need? turned out not to be the norm so
[00:46:58] What did I really find in the market research? Um, I talked to a very high subset of maturity of MSPs who told me this was needed. And what I learned after actually building the thing they told me to build
[00:47:11] is reporting, creating better sales presentations and proving, and the change tracking and everything else, is more what the generalist MSP was looking for. So it wasn't until we added
[00:47:23] Um, the more compliance focused features that we didn't really hit our I guess hockey stick as people talk say right so um It's like made it easier for them to position it. That's what it made it easier to position it and you know, why are these
[00:47:38] They couldn't explain it going into their customer So they're like well if I can't sell it easy that i'm gonna go constrain on something else Yes, and then you came back and basically said here you go. This is
[00:47:47] Take this in your customer now. I've come back and see me and they were like, oh my god This is great Yep, and and one thing you're talking about vendors like coming close to this but not really doing it
[00:47:56] I do believe it's the same thing, the same story of Windows, right? Vendors don't want to be disruptive, and a lot of times these settings will make changes, right? If you don't base your entire company motto and just mission around not disruptive configuration changes,
[00:48:14] you can't do this. It takes so much work. We have to develop a whole learning mode around it. So to take this a little bit of example, there's a very notable MSP vendor out there, won't say them by name, but
[00:48:25] they do configure, say, the Windows firewall, right? They make sure it's on, the inbound rules, xyz, right? Those are CIS benchmarks. And when we onboarded this, again, very mature MSP, I think about 8,000 endpoints, his internal environment, he's like, hey, why does this one machine say it's off?
[00:48:44] Why why don't you have your firewall on and he's like that's not right? Of course it's on he went to that third party solution which is not a configuration management
[00:48:53] It was just doing it as a side value add just kind of something on top of their main core product And that third party solution said it was on like yep did a fresh scan. Yep all good. Okay, guys
[00:49:06] Here's the reg key, or here's what the setting is. Let's check the source of truth on the device itself. It was off. We were right. So why do other vendors not go down this path? Microsoft is really, really, really, really hard to work with.
[00:49:21] And if you trust group policy and you trust Intune, you're no better than that. So the only way to do this correctly is to build an entire system at the registry level and check the sources of truth, which is so much work.
[00:49:36] Not to say they'll never do it, because I do see larger players trying to get to this space. But that's one of the fortunate things we have as our moat, is this learning mode, because people just, it's way more complicated than people realize.
[00:49:49] This is not this is a many this is everybody's problem really If you have a computer you should you should configure the asset. I mean
[00:50:00] Listen to different people, like, oh, Windows Defender is pretty good. I was like, but can you, you know, it's great until somebody shuts it off. Yeah, and then can you get feedback when it turns off with traditional group policy?
[00:50:11] You don't even know if that attacker changes a config. You will never know unless you have a solution like ours that can tell you in real time and change it back. The functionality just didn't exist.
[00:50:24] So no shame to any MSP out there. This area just lacked innovation, and it still lacks innovation. We could probably use some more competitors to get the message out there and that would benefit us, but um
[00:50:34] right now, I mean, it's really just us as far as I know on the landscape. Wow. All right, so you built this company to live in MSP land. Yes. Yes, 100 MSP. We do have VARs and distributors.
[00:50:47] So I do present enterprise on that respect, but, um, Senteon as a company, 100 percent that direction. So how does the program work? How does the program work? Can you define that question a little bit more? Right, as a partner,
[00:51:02] I sign up. Is there a minimum? Is it per endpoint? Is it per customer like is there a Yeah, so we're um, I've been told very flexible which always makes me feel good We're happy to do a bill on usage model. So
[00:51:15] Our pricing does begin it is scaling pricing right so pricing does begin at the premium of two dollars per endpoint per month Minimum on that is 50 endpoints, right? So you got to buy in at 100 bucks, right? but we have decided as a company that
[00:51:30] this is too hard to, um, give every MSP special pricing, because turns out MSPs love to negotiate, and it became something that made me not want to go to work anymore. I was so sick of it.
[00:51:42] MSPs out there, I know, I know you got to do your job. I respect your job, but I, we as a company, I got so tired of, I said, at 250 endpoints you get it for a dollar. There's no more down than that.
[00:51:53] I mean if you do have this massive endpoint size and you really need to push me that's fine But as a company, it was too hard to track. It was too hard to manage relationships. So at 250 endpoints It's it's a dollar What what comes with that as well?
[00:52:08] Is our entire resource hub. So I, man, this is probably one of the most underappreciated things that I've worked on in the MSP space, but the VARs told me I have one of the best ones, which is so kind of them.
[00:52:20] But, um, MSPs, I have an entire resource hub dedicated to sales material that you can download into Canva, toss your own branding. And I know your clients don't know what hardening is.
[00:52:31] So my favorite piece of this is I related hardening to about a dozen different topics, like insider threats, phishing, right, and I created a seven-point story of how hardening mitigates the risk of that activity.
[00:52:47] So now I'm trying, and it hasn't been, I don't think, really utilized, but I'm trying to bridge that conversation to help MSPs elevate their client conversations. So that's something I'm really passionate about, because again, during market research
[00:53:00] I kept hearing, my clients don't care. They don't want to do this. I'm like, I don't know, man. I'm a business owner and I do care, and if they're anything like me, they should also care. They mustn't have the right pieces in front of them to care.
[00:53:13] And that's what I'm really trying to elevate MSPs to do, is to bring the technical stuff to them to an extent. Not, hey, like I said, you can't make it simple enough for the guys at the bottom of the food chain.
[00:53:25] They'll never adopt which sounds like you already, you know kind of went back and did that being said It's a pretty affordable price point. I mean we've all spent way more money on way less effective things
[00:53:35] I know I have less than a quarter of a penny per setting if you want to put it in that respect Um That being said, uh, so is there a term or like how does this work? Is it like yeah annual agreements? Yeah
[00:53:52] And we are very flexible to the point where once you hit that 250 minimum We work with you on either a deployment methodology Or if you're just in this special situation and you just need bill on usage
[00:54:04] We do that as well, right? We do try to push for us to do the onboarding for you. For example, one of our engineers, um, will literally go set up Senteon, do the learning mode, and give you a literal report of what he found and say, hey,
[00:54:19] here's what we found, here's the decisions I think you should make. If you green-light this report, I'll click the button for you. Like literally pay the dollar and you don't even have to sign into Senteon. Wow. So very much, um, really aggressive, just trying to, yeah.
[00:54:35] I mean, we want as little barriers as possible. Just like Microsoft doesn't want barriers to disruption, we don't want barriers to adoption. So if there's anything we can remove to make this easier, I present to MSP clients all the time.
[00:54:48] If there's anything we can do to eliminate barriers, like, that's what we're here for. We're here to really bring hardening top of mind and make it done. I mean, this was a funny story from MSP Geek. Um, I was talking to
[00:55:03] A good friend now. I had just met him into some networking groups with the tech degenerate organization and Um, I asked him, you know, what's the first thing you do when a client comes to you and wants a new application
[00:55:14] And he said, I reach out to that vendor or whatever software owner that is, and I learn about it, see if there's MFA, and I configure said asset. I go, okay, great. And you get a new client and you inherit their existing assets or OSes or browsers,
[00:55:31] Why don't you do it then? It wasn't really a good answer Fair point Fair point. I mean again time Time Time so it's always at the base of a lot of this Didn't do didn't think about didn't know time. Yeah for sure for sure so
[00:55:53] Just in case, for the people especially who are listening in audio format, Senteon is spelled S-E-N-T-E-O-N, so that way you didn't come up with some weird spelling. So now that we know the spelling,
[00:56:07] Zach, where do they go to learn more information, and then remind everybody about the offer for the assessment tool. Yep. So senteon.co, I believe it's slash contact, fill out the form, but if you go to senteon.co you can easily find that.
[00:56:22] You can also actually sign up. We do have a freemium. I didn't mention this, but we do take all these settings, crosswalk them again to the regulated frameworks, whether it's PCI, HIPAA, NIST, whatever you want to look at, or MITRE.
[00:56:34] And that database of all these crosswalks with the pathway, what is this setting, x y z, completely free forever. That's just one of our things, right? No remediation, no reporting, but you get this database of answers, right? So that's completely free.
[00:56:48] So you can go there and reach out. The other thing I want to note, if you do look up Senteon on our YouTube channel, we are partnered and sponsors with Center for Internet Security, CIS, and one of the challenges was
[00:57:01] MSPs didn't know what risk was being mitigated by changing a single setting, so I actually rewrote, I think so far, about 600 settings, and I hold a weekly webinar series with CIS and a special guest, which, George, maybe you should come on.
[00:57:15] And we talk about the setting, why it's important, and if applicable, how to talk to your client about it. So do that every single week. We've done almost 50 episodes. The next season starts June 19th on browser hardening. We'll go over all the settings to harden a Chrome browser.
[00:57:30] Um, and then that free offering again. I love coming on these shows. Thank you for having me. So I always want to leave a gift. Um, these assessments that I talked about, the sales presentation or just the simple
[00:57:43] Excel export of your configuration stats for your internal environment or external clients, um, happy to do this completely free for you guys. Um, just toss in MSP Initiative or George is great
[00:57:54] into the comment section when you fill out that form, and I'd be happy to extend that offer to you guys. Um, so very, very much look forward to it and hope you guys do reach out.
[00:58:04] So this was really cool. We recorded this whole thing go back rewind this there's a lot of cool nuggets in here But generally speaking
[00:58:12] It's a gap and we all have like I don't know 50 vendors that you bought stuff from but like nobody seems to like actually solve this
[00:58:20] Outcomes a company which by the way is why I love this space because like every like you go out you find you try and find the answer
[00:58:26] And when the answer doesn't exist, it's like, let's build something. I think that's what's so cool about the sandbox that we live in. Um, so you find this session shortly under mspinitiative.com under Sessions, or on our YouTube page, or on our podcatcher.
[00:58:38] However you consume this, it is there. Look up Zach. Uh, we didn't even spell Zach's last name for people who are listening, but just Senteon, Zach, boom, you'll find him. I think there's only one guy there that's very active on LinkedIn, and that webinar series
[00:58:51] I talked about is LinkedIn Live, you know, free registration. You don't even have to, you know, give me your email to see our content, you know. It's no
[00:58:58] Buy the money and then you get the full access. It's it's all free education. So I think I said that exactly That's why I said it I'm
[00:59:08] Very happy to meet you finally virtually at least I'm sure I'll run into you out on the road somewhere between now and the end of the year Uh, I'll drop a note to cj. Tom. You know, we yeah, we connected and matley for that matter. Um
[00:59:20] For everyone else, please keep tuning back into these we do these twice a week You know again, these are totally for you, right? Like this wasn't some buy now infomercial
[00:59:29] This was like, hey, let's educate you, and if this is something that you think you want to learn more about, then go research it. All right. I mean, that's the cool part about these. So Zach, thank you. Thank you. Thank you for your time.
[00:59:38] Everyone else. Thanks for listening and we'll catch on the next one. Thank you. Appreciate it

