Our guest for this segment spends his days where others dare not tread: the deep dark web. Here he collects information on cybercriminal activity that could be a precursor to a major attack or evidence that one has already occurred. For companies that can't or won't conduct dark-web recon for themselves, outsourcing this threat intelligence service is a valuable option. Still, this kind of contracted services relationship works only if the provider keeps its intel reports relevant, customized and timely. This discussion will cover how to make the most out of such an arrangement, as well as some of the most prevalent threats swirling around the corners of the dark web today. Every MSSP customer is different in their own way. But they all deserve to remain secure from attacks. And so it's important that managed services providers don't play favorites to the point where certain clients eat up a disproportionate amount of time and resources. MSSPs must ensure that they are fairly and proportionally allocating their account reps, technicians, support specialists, consultants, security analysts, pentesters and a host of other employees across their entire customer base. This segment will examine recommendations on how to better accomplish this objective. Show Notes: https://securityweekly.com/cfh-28
[00:00:00] Patrolling the Dark Web, the Challenges and Opportunities of Outsourced Threat Intelligence, and Equal Time, ensuring each MSSP client gets their fair share of attention. That and the latest news and trends in the managed security space coming right up, on Cyber For Hire.
[00:00:20] Building bridges between managed security providers and their clients, it's the podcast where MSSPs, vCISOs and end users take a united stand against cybercrime. This is Cyber For Hire. All right, welcome friends to episode number 28 of Cyber For Hire.
[00:00:41] How's everybody doing today? I'm Bradley Barth with SC Media in New York. And joining me today just a four and a half hour drive away on I-95 is my guest co-host for the day. Bill Brenner, Senior Vice President of Audience Content Strategy at Cyber Risk Alliance.
[00:00:59] Bill, it's been a very busy summer so far this past weekend. I went to Saratoga Springs for the horse races. I'm pretty bad at picking horses overall. I don't really know what I'm doing for the most part.
[00:01:11] I had one big win in my lifetime and that's about it. But I do really enjoy the horse names. It reminds me very much of all the strange names that they give to APTs, vulnerabilities and malware like Thrainbury Cat or Lemon Duck, Cozy Bear.
[00:01:27] Some of my favorites from the races on the day I was there were things like fluffy socks, bomb digity and of course, Nade Jude. Nade Jude. Sometimes there's a temptation to bet on some of these horses even when the odds are bad.
[00:01:43] Just so if they win it's a good funny story. But I'm wondering what do you think would be a good cybersecurity inspired name for a racehorse? So when I saw this question, I said to myself, I have no idea and then I decided just for
[00:02:01] amusement to ask ChatGPT. So here's what ChatGPT says to that question. A good cybersecurity-inspired name for a racehorse could be Zero Day Blitz. This name, this is the best part. This name combines the concept of a zero day vulnerability, an unknown software flaw,
[00:02:24] with the agility and speed of a blitz attack, both of which are relevant in the cybersecurity domain. I like it. I like it a lot. It's getting really easy to tell when something is written by ChatGPT.
[00:02:43] Well, you know what though? I will say that like I think I could actually give ChatGPT a run for its money here because I did think of one. I was thinking Brute Force.
[00:02:54] You know, or it could be brute force attack but I just like plain old brute force. I think that would be a pretty good horse racing name as well. So I would say, you know, I will say I like that too.
[00:03:10] All right. Well, more banter later but first there's some news that just can't wait, which is why we want to share what's top of mind today. So here's your headline courtesy of SC Media. In last week's episode we noted how an APT group exfiltrated organizations' Exchange Online
[00:03:29] Outlook data by leveraging forged authentication tokens in order to access users' email via an acquired Microsoft account consumer signing key. Well, since that attack went public, Microsoft came under criticism because certain victims of the attack
[00:03:47] lacked the proper visibility to catch the malicious campaign in the first place, or even after the fact, as the logging tools needed to observe the activity were a premium Microsoft offering that not all companies have been willing to pay for.
[00:04:08] Senator Ron Wyden of Oregon even said in the statement that the extra costs were akin to selling a car and then charging extra for seat belts and airbags. So in response to this criticism Microsoft will now offer expanded logging services to everyone for free.
[00:04:23] This is the latest chapter in the pay to play security debate. There was also the recent case of Twitter and meta charging for user authentication or verification services respectively. So perhaps this is a warning to MSSP's with various tiered service levels to be mindful about
[00:04:42] charging their own clients for some basic services. So Bill, why should this be top of mind for our audience? Well, you know, because their customers aren't going to stand for it, really. The economy's in a tricky place, budgets are under strain
[00:05:04] and yeah, companies that charge for basic security in this fashion, they're going to get shredded in the cybersecurity court of public opinion. I'm actually surprised. You know, Microsoft has suffered a lot of painful lessons at the hands of the security community in
[00:05:22] the last 20 years and I'm surprised that they didn't see this reaction coming. I think they've done the right thing in response but you know it's not a good look there they're going to be
[00:05:40] taking a ribbing for a while. If you're offering additional, more complex security solutions on top of the basics, by all means, I mean, it's your business, you charge for that, but the very basics, which
[00:05:57] I think this covers you know that should be a given at this point in our history. Yeah absolutely it's one of those things where you know you really have to get basic level cybersecurity protections should be a benefit to all and not something that
[00:06:21] you have to pay for. So it's something to just keep in mind in terms of some of our audience that might be listening out there today in terms of just understanding what really should be considered
[00:06:33] part of the package and what would really truly be a premium service. All right, well that's going to be our top of mind headline for the day, but now it's time to move on to our
[00:06:44] infosec topic of the week, presenting our big idea in security: patrolling the dark web, the challenges and opportunities of outsourced threat intel. Our guest for the segment spends his days where others dare not tread, the deep dark web. Here he collects information on cyber criminal activity that
[00:07:06] could be a precursor to a major attack or evidence that one has already occurred for companies that can't or won't conduct dark web recon for themselves outsourcing this threat intelligence service is a valuable option. Still this kind of contracted services relationship works only
[00:07:25] if the provider keeps its intel reports relevant, customized and timely. So this discussion will cover how to make the most out of such an arrangement as well as some of the more prevalent threats
[00:07:38] swirling around the corners of the dark web today. So leading us through this discussion is our special guest Alex Holden, founder and chief information security officer at infosec and threat intelligence services firm Hold Security LLC. Under Alex's leadership Hold Security has played
[00:07:57] a pivotal role in information security and threat intelligence, becoming one of the most recognizable names in the field. Alex researches the minds and techniques of cyber criminals and helps society to build better defenses against their attacks. Alex, thank you so very much for joining us, always
[00:08:15] great to speak with you and as always you're going to jump right into the heart of the matter. So first question for you I would imagine that one of the biggest challenges and one of the the biggest
[00:08:28] prerequisites to being able to conduct cyber threat intelligence for any kind of a managed services client is really understanding who your client is, and that could be anything from understanding what types of data they regularly deal in, what types of sensitive information, what sector
[00:08:49] they operate within because the threat intelligence that you're providing may be you want to make sure it's as relevant as possible based on what the biggest risks are to the particular organizations
[00:09:01] Well, Brad, thank you for having me here. Understanding who you're dealing with on a corporate side, who you're trying to defend, is the key in threat intelligence and dark web monitoring. The
[00:09:13] idea of finding information that has been stolen from a company is not as simple as it would sound. The bad guys don't go out on the dark web saying hey we stole this data from this company
[00:09:26] or we are going to attack something like this. They are obfuscating information in many other ways, and also the vectors of attacks are always unknown. So if we don't understand who we're trying to defend, we're going to be not doing a great job and providing
[00:09:45] a valuable service it can be generic and sometimes it will hit and get results but if we are able to contextualize information that the company holds have an idea how to identify that information
[00:10:00] not only within the company but also within the supply chain which is a key term right now as we are seeing that data is being breached everywhere not only within your perimeter but within the partner
[00:10:12] networks as well. If you have all that information including the tactical data including the know how to identify this data in the hands of bad guys not only directly but also by inference
[00:10:25] this is where we have the highest chances of success and ability not only to identify this data once it's already stolen but also get an idea of precursors, which is the big component of
[00:10:38] dark web monitoring to prevent a breach from happening in the first place. Is that something in terms of being able to customize your reports and the intelligence you provide to your customers? Is that something you want to sit down in advance with your various customers clients to discuss
[00:10:59] what's important to them? What you think should be important to them? What's some of the communication that goes on between provider and client to make sure that you're on the same page
[00:11:11] with threat intel? It happens at every single level, from our analysts going out and learning from a client, maybe about the product, about the service, not only reading the website but also getting a user experience, not only asking the client what are your brand names or
[00:11:28] domain names but understanding every single IP address, naming conventions, internal configuration components that would be indicative of the client's stolen data. We even were able to identify certain components on such low level as MAC address, so the more we know, the more likely we can connect
[00:11:49] these two components, and in many cases when the incident happens and everybody asks how did we miss this, it gets down to a simple couple pieces of information that we didn't
[00:12:01] know about. Not only that, it's also important to understand what the bad guys may know about the company. The bad guys are not going to read through your public reports or anything like that. They
[00:12:14] go going to go on internet on the certain services that would have descriptions about the company and they go to grab information from there before posting some of their statements. So we are
[00:12:26] learning from the company what we know need to know about them but we also learn from the internet what the internet would tell somebody who just inquiry what the company is, how would they be
[00:12:38] describing? And this is not always factual, but this is what the bad guys may be talking about because of their frame of knowledge. Yeah, for sure. In terms of a value proposition for customers
[00:12:52] that use CTI services you know a lot of times when we talk about managed services we talk about a lot of smaller to medium-sized companies that don't necessarily have the budget to be able to perform certain types of cybersecurity functions themselves they don't have the internal technology
[00:13:12] or resources they don't have the talent necessarily to do so. Threat intelligence is certainly one of the categories of technology services that's most frequently outsourced to another organization is it hard sometimes to make a business case to some of the smaller companies even though
[00:13:34] they may not have the resources to do with themselves they might say something like, well we're not a primary target because we're so small and what kind of intel you really going to find on us in
[00:13:44] the dark web they're probably going after you know really the big boys here and you know we're one of the small fries so you know how much relevant intel you really going to collect on as
[00:13:55] it's going to be truly useful or relevant to us. What's your reply if they say something like that, to demonstrate the value for a smaller or medium-sized business of outsourcing some threat intel? Absolutely every company of any size may benefit from threat intelligence, and the bigger
[00:14:17] companies if they experience an event breach they're more likely to walk away from a relatively landscape over the minimum losses compared to their bottom line but if we are going to be talking about smaller companies or midsize companies their entire reputation may be hinged on their ability
[00:14:38] to provide certain services and if they experience a breach they can lose their key customers they can experience this critical component where they can no longer can operate within their market or within the trust that was given to them. So this is the most important component to say
[00:14:59] that we want to protect our reputation, we want to protect our cybersecurity and we want to prevent these situations from happening in the first place, because to go through an attack like a data breach or ransomware attack, we are looking at major company-changing events, in
[00:15:16] some cases even sunset events, because they lead to companies ceasing to operate, and there are a number of examples like that. But on an average basis we are looking at feasible approaches for companies of all sizes, knowing that larger companies would experience breaches or
[00:15:38] incidents much more frequently than small companies, so small companies would have a much smaller footprint on the internet and therefore on the dark web, so fewer incidents would be happening, but these incidents perhaps would be more impactful. If you have a company of over 100 people and
[00:15:55] one person gets compromised, this is most likely to lead to compromise of the entire network. However, in a multinational company, when one individual gets compromised, most likely the bad guys will have a hard time getting around your defenses, safeguards, segmentation and other
[00:16:18] components that would trigger alerts way before a major incident would happen, so that's also something one needs to take under consideration. The bottom line is that threat intelligence becomes not only the insurance policy but a preventative measure that would stop attacks from happening in the
[00:16:38] first place, and if there is an incident there is still perhaps time to do remediation. The bad guys are no longer going after your top 10 in your industry; they are going to go after every single
[00:16:53] company or individual who had the labs in their cybersecurity, and when they do so they have different angles, they have different approaches. Also the amount of ransom being asked would be really difficult to pay or sustain for a small company because it's going to be taking
[00:17:17] a big chunk off of their profitability or even their lifelines. Yeah Alex we talked in a couple of minutes ago about just the idea of really truly knowing who your clients are so that you can better assess the threats that are most of risk to them.
[00:17:39] I would imagine that one of the big challenges these days I know you had mentioned this to me briefly in a previous discussion that we had is the increased focus on supply chain threats. As you look
[00:17:53] further upstream at all the various third party partners and third party software that your clients may be using that also makes them vulnerable to potential threats and so you not only really need to
[00:18:08] know the ins and outs of your client, but you need to know as much as you can about their expanded ecosystem if you're really going to try to curtail supply chain threats associated with these
[00:18:24] individual clients and feed them intel directly related to what goes on what's in their particular supply chain. So how do you handle that particular topic? We're talking in the virtual companies kind of from cybersecurity perspective long time ago. I started talking about supply chain issues
[00:18:41] back in 2002, when the CISOs around the table where I was talking turned to me and said, we're having problems securing our own infrastructure while you're talking about somebody else's infrastructure. But as these issues become more prevalent, we are an ecosystem, we are an expanded network,
[00:19:00] we expanded into cloud, we virtualized a lot of things now we spreading our data across not only enterprises but our ecosystem with our partner networks and our supply chain becoming very, very important to us. We need to look at supply chain as extension of our infrastructure. For some
[00:19:22] of us we are part of somebody else's supply chain for others we are taking supply chain into account for where we are placing data. We do have the responsibility across the board to safeguard our data
[00:19:36] across the data wherever we put it or wherever our customers choose to place their data within our control. So this responsibility does not go away; there are more and more regulations, more contractual responsibilities, responsibilities that are coming down the pipe,
[00:19:55] and for us to know that a supply chain component has been breached is a critical component for remediation. This happens across the board and it's more and more impactful because companies start caring about their supply chain as much as they care about their own infrastructure, because at the end
[00:20:18] of the day it's their data. You've told me before Alex that you can divide a lot of your dark web investigations really into two categories. There are two categories of locations that you
[00:20:37] visit and investigate. You can go upstream to the upstream part of the attacker's supply chain to see where various cyber criminals are looking for additional tools that can help them carry out their exploits. They might be looking for an initial access broker they might be looking for a
[00:21:01] post-exploitation tool, and from seeing what it is that these various cyber criminals might be trying to purchase or buy, you might be able to be clued in on an attack that hasn't happened yet.
[00:21:14] Then there's also the places you can go like maybe a cyber criminal forum that's selling exfiltrated information that is indicative of an attack that has already happened and perhaps one of your clients has had data stolen that's now on the black market. In a situation where you
[00:21:33] have discovered an attack that has taken place or perhaps one that is very imminent. There's a lot of urgency in a situation like that. In those special urgent scenarios, how do you make sure that you are able to deliver that very timely critical intel
[00:21:57] to the right person in some kind of an efficient way so that it gets acted upon? So, tell us a little bit. It's one thing when it's more of a threat intelligence report of here's something to keep an eye out for, and another when it's a threat intelligence report where you're basically
[00:22:11] saying the damage has already started, you need to act very quickly. What do you do in those imminent scenarios to make sure that that message gets across quickly and is acted upon quickly? You don't always rely on technology to deliver the critical message. If they deliver
[00:22:30] through API, if they deliver through an email notification, if it's delivered through a portal, that was a way to get information, but we don't always know how closely some clients
[00:22:44] monitor some things. If there is a red flag in a panel, you're hoping that the SOC will catch it and contextualize it, stuff like that. But even with all that information you're not sure, 100%, that there can be an action taken. I find myself every week in a situation where
[00:23:04] our key folks on customer projects are picking up a phone and calling a customer through escalation procedures that are previously defined, through connections, and even connecting with business folks saying that we need to talk to somebody within this group. There are such situations
[00:23:25] that have given us minutes to react, not even hours or days, and in these cases we are contextualizing intelligence much better human to human rather than through technology. Technology sometimes would raise a flag, sometimes it will make a key decision to
[00:23:47] a certain technology, as a collection of passwords or securing a port. But in many cases when there is context, when you say the bad guys are inside of your infrastructure, here is a proof, but we don't know
[00:24:01] where they are. We know that steps they taken. This is where you need to rally folks on the client side to make the necessary steps. And if we just spoke about supply chain, when this
[00:24:17] breach happens on supply chain side, our clients now need to find the right folks within their vendor environment to make that notification. We've been extremely successful in certain cases and in other cases unfortunately we saw that even a couple hours of indecision can lead the client
[00:24:40] to lose that window of opportunity, and from the notification about an impending breach we are dealing with data exploitation or full scale. That's already commenced into the blackmail part. Yeah. All right Alex, can you give us a little bit of a current snapshot of some of the biggest,
[00:25:06] most prominent threats that you are repeatedly encountering through your dark web investigations right now? There's a number of different things that have been emerging over the past couple years. Ransomware is still the number one bane of our existence and really the flag of the modern times in the
[00:25:27] cyberspace. The bad guys are trying to not only encrypt the data but now exfiltrate and blackmail companies over this data. And the blackmail is not only limited to an entire network; sometimes it's a single server, sometimes it's a set of data. Sometimes it's a cloud
[00:25:47] application such as CRM client list or additional information that sits in different repositories. We've seen blackmail attempts over a contents of email or anything else that would be viable. And the bad guys are getting very inventive into tightening screws to get the victims to pay by embarrassing
[00:26:12] by contacting lies. By even suggesting that the company is engaged in illegal activities, that way the victim is more likely to negotiate. With all this said and done we are seeing that being escalated. How other things are happening? Well there is a huge market of
[00:26:33] botnet data, for example, over compromised credentials and additional information around it, allowing bad guys to disguise themselves behind the real identities of individuals who've had their accounts compromised, and they're not only accounts from our employees, for example in the United
[00:26:54] States, but they can be contractors, can be foreign employees who are currently less likely to have better defenses. With remote access we are seeing also this disparity between folks within your infrastructure that are better defended and remote folks. And the last thing that we are
[00:27:19] seeing is more or less in this criminal detective's attacks from APTs, from nation-state groups, and also activist collectives that are coming out from Russia, for example, that are trying to inflict damage by any means necessary, in many cases without financial motivation and with a high
[00:27:45] level of malevolence and intent to harm. So Alex, thank you for that snapshot, and we've got a couple of minutes left. Now that we've talked about some of the most prevalent threats
[00:28:01] that you've been seeing recently on the dark web and you've also talked about some of the just various challenges associated with delivering timely and relevant threat intelligence to diverse array of different clients. Can we end this discussion with maybe an example of one
[00:28:20] of your favorite recent success stories where you were able to really do just that? Identify a relevant threat to a specific client and perhaps nip some kind of an attack in the bud, demonstrating some of the various you know points and recommendations that we just talked about
[00:28:45] over the course of the last one. From all perspectives, because we are defending not a single company but a number of clients in different industries, we have visibility to a great many events. In recent
[00:29:00] memory in 2023 we had one threat actor suggesting that he had access to very valuable resource. He was extremely vague and he was very paranoid about threat intelligence professionals, researchers approaching him. So as researchers we approach him and we obviously need to play a different role.
[00:29:22] We played the role correctly. We referred them to another person and then from that person to another person, but he really lost count and thought process about good guys versus bad guys. He was at the
[00:29:37] end asking us for advice and when he was asking us for advice we asked him well what he worked with and he was willing to completely disclose the information that he obtained. He lost
[00:29:52] that safeguard that was in front of his mind and he was talking about others who approached him in a different way. He shared everything with us which allowed us to go into our client and contextualize
[00:30:09] the threat was actually not to our client only but to entire supply chain of that particular resource that was compromised. This was a given ability to work with Rowan the Isaac to give the notification as well as safeguard all the hundreds of clients from that particular solution
[00:30:34] provider that we were able to identify. So this really fits in the preventative side, because at the end of the day, understanding what the threat is, contextualizing it and making sure that we are not creating a marketplace for it but rather discouraging the bad guys from doing this again
[00:30:54] is a part of the dark web monitoring and threat intelligence services. Yeah absolutely yeah that's great Alex. I think that perfectly encapsulates and illustrates what we've been talking about today so really appreciate that example and with that as we are
[00:31:12] down to just the last minute or two of this half of the program we want to transition to the spooky little segment that we do on a semi-weekly basis that we like to call what scares you.
[00:31:30] Now as we've mentioned on the show before, the cyber security world is full of Chicken Littles out there who are constantly warning us that the sky is falling, when in reality some threats
[00:31:43] are over exaggerated but then there are times where the danger is very real. So this bit is an opportunity for us to gather around the virtual campfire Alex and hear from experts like you on
[00:31:57] what keeps them up at night what gets their spidey senses tingling. You tell us you know what what is something to be concerned about versus you know maybe something that's that's not
[00:32:09] such a big deal and obviously with with your finger on the pulse of threat intelligence I'm sure you're going to have a great answer for us on this one Alex so I ask you what scares you.
[00:32:19] This is a tough one to give because I've seen a lot of different things in my career and over time we've seen a lot of things change. I think the scariest thing for me is apathy. We are exhausted from hearing about breaches and different expectations.
[00:32:39] And we actually go into waves from being highly aware based on certain events and then kind of going and sitting back to say well breaches happen it's just a matter of time of us for us
[00:32:52] have a breach. It's like driving a car and seeing a near accident and then driving around and saying hey, you know, I'm gonna get in an accident someday, you know, kind of I give up. But what scares me is that
[00:33:07] apathy or helplessness, feeling of helplessness, that's coming from certain individuals, companies or overall the community. I'm extremely optimistic and hopeful that we are getting better, and even though threats are scaling up we are scaling up in our defenses. If we start giving up
[00:33:29] on our defenses saying that hey, we're going to be breached anyways, I think that would stop us from striving forward, being better, and unfortunately I see this happening a lot with individuals being burned out, companies or even the whole industry saying hey, these things happen.
[00:33:48] So that scares me but I'm an optimist by nature. Well I'm glad to hear that you're optimistic about these things is there a good technique for kind of restoring hope to some of these organizations that make them feel like you know that it's still worth fighting for that
[00:34:10] you may not be able to stop everything but you can still potentially save yourself a lot of damage a lot of trouble a lot of cost finances reputation loss by putting in an effort and certainly not
[00:34:23] being apathetic so how do you do that? Do you do that through successful case study examples through statistics through ROI? How do you get the message across? Great many different techniques.
[00:34:34] I'm a big student of history, and looking at where we were and how far we came is an important reminder that we are able to succeed, and the other component is also monitoring our successes. In
[00:34:48] many cases your lack of breaches is not an indicator of success, but we can build a case for those who are in charge of companies or in charge of our budget, saying that our investments
[00:35:03] in cybersecurity and threat intelligence and other components have been successful, so we stopped that many attacks. We stopped these incidents, and even when incidents occurred in the past they were disastrous, not only within our infrastructure but in the news, saying hey, when it happened
[00:35:21] two years ago it caused that much; when it happened today we were able to remediate this without resulting in major losses. If we look at history and how far we came, it gives us a lot of
[00:35:33] optimism, because this is where we are striving to be better, not be perfect, because you know perfection is unachievable today, but getting better is part of success and the integration. Yeah, absolutely, I think that's a great attitude and we certainly need more people like you
[00:35:55] in this cybersecurity space so that we can certainly keep hope alive against what sometimes feels like this overwhelming dark cloud of cyber crime. But I appreciate you spending some time with
[00:36:08] us today, Alex, and talking to us. Really, always a pleasure speaking with you, so thanks for being here. That's going to wrap up the first half of our show, but please return, everyone, to the second
[00:36:19] half of our episode featuring our big idea in business, which is ensuring each MSSP client gets their fair share of attention. That and more coming right up, so we will see you in a moment
[00:36:32] on the other side. Struggling to monitor the growing threat landscape, pressure to reduce costs, security skill gaps, facing compliance issues? These issues can translate to operational, financial, regulatory and reputational risks to your business. Check Point can help. Check Point combines an MSSP
[00:36:56] enablement program, cloud-delivered multi-tenant management, SOC platform and superior threat intelligence capabilities to give MSSPs the confidence to grow profitably out of reduced risk. Check Point is 100% channel driven; we partner to deliver the best security everywhere.
[00:37:16] Visit MSSPAlert.com/checkpoint. All right, welcome back to Cyber For Hire, the managed security podcast. Once again, I'm Bradley Barth with SC Media. In the first half of our show we talked with Alex Holden at Hold Security about dark web threat intelligence. Right now I'd
[00:37:37] like to welcome back my co-host for the day, Bill Brenner, because it's time for us to examine our MSSP industry strategy topic of the week, presenting our big idea in business: Equal Time, ensuring each
[00:37:53] MSSP client gets their fair share of attention. Every MSSP customer is different in its own way, but they all deserve to remain secure from attacks. And so it's important that managed services providers
[00:38:08] don't play favorites to the point where certain clients eat up a disproportionate amount of time and resources. MSSPs must ensure that they are fairly and proportionally allocating their account reps, technicians, support specialists, consultants, security analysts, pen testers and a host of other employees
[00:38:27] across their entire customer base. This segment will examine recommendations on how to better accomplish this objective. Now, Bill, there could be a couple of reasons why certain clients take up more resources and attention than others. It could be that they're a troubled organization
[00:38:47] that needs extra help. It could be that they are a deep-pocketed organization that an MSSP wants to show extra love and attention to. Either way, explain to our listeners, our viewers, why in the long term
[00:39:00] this can be problematic. Well, I mean, you certainly want to prioritize your biggest customers. I don't think there's anything befuddling about that. You know, those customers who have the
[00:39:15] most at stake, where, um, you know, if you failed them as an MSSP and you lose them as a result, it can be a financial body blow. You know, you have to make sure you're getting them what they need.
[00:39:33] It's true in the end that you get what you pay for, right? I mean, we see it every day, even outside security, that how big you are as a customer, how much you've bought, is really
[00:39:52] going to factor in to what comes back to you. That said, and this is hard, you know, if you're an MSSP a lot of your clients are these smaller folks who have come to you because they have no internal
[00:40:10] resources. And so I feel like you need to have, if you're an MSSP, you need to have very well-defined rules of engagement in place and specific team members dedicated to: here are the folks who deal
[00:40:34] with the bigger customers with the bigger infrastructures, here are the folks who at the same time keep things running and secure for the smaller folks. So, um, you know, the smaller clients
[00:40:51] have a lot at stake. MSSPs have the basic responsibility to provide protection, and, um, you know, you really, if you're an MSSP, have to be prepared to give everybody the right amount of time
[00:41:09] based on what they are asking of you and what they're paying for from you. Now, Bill, that absolutely makes sense, what you're saying. You have to find a way to properly allocate your resources
[00:41:23] amongst multiple clients, because, not that it necessarily has to be 100% equal, but like I said, it does have to be at least proportional, so that if you have a client that maybe has been expecting,
[00:41:36] for example, like an on-site visit, there isn't a scenario where they just can't get anything on the calendar because all of your best people, your best staff as an MSSP,
[00:41:48] is constantly off dealing with other clients that are higher up on the totem pole. And so if you're gonna be one of these companies that are not getting proper attention, they ultimately
[00:42:01] may seek out a different solution, somebody, a service provider who's going to show them a little more time and respect. So it is a little bit of a balancing act. So with that said, Bill, let's
[00:42:13] establish where some of the biggest inequities are that can crop up among clients. You know, it's probably not gonna happen quite as much with things like the processing of SOC data and alerts,
[00:42:24] but in terms of actual face time, site visits like I mentioned, consultations, check-ins, troubleshooting, that might be some of the things where certain client organizations end up taking up more time than others. I'd be curious to hear your thoughts about that. Yeah, you know, again, I think
[00:42:45] it's about, you have here a list of, you have here your entire client base, you need a system to prioritize them. Um, you know, there has to be very specific rules of engagement in place for, you know, who gets
[00:43:03] site visits, who gets X amount of phone calls, you know. So to me there's not a whole lot to add to that. It's really, if you're an MSSP, your responsibility is to meet the needs of all
[00:43:23] of your clients. And sure, you know, it's, um, it's true that if you have a big client with a lot of needs you have to spend that time with them, but you need to find ways to keep making sure
[00:43:40] everybody else is getting what they need. And if you can't do that, then I think, um, you know, my suggestion would be to look at your entire, um, strategy for how you service customers of different sizes
[00:44:01] and what the incident response programming is. And, you know, maybe you need to redeploy people, maybe you need to make some hires. That's not something MSSPs always want to hear,
[00:44:17] um, but it's, I mean, it's just the simple, you know, as John Adams once said, facts are stubborn things. No, very true. And, uh, no, I mean, that's what it may come down to. It may come down to,
[00:44:34] even as an MSSP, you know, you're gonna have to, you know, you always talk about the clients struggling with the number of resources that they have; you as the MSSP may need to potentially
[00:44:49] bolster your resources, um, if you're maybe taking on, you know, more than you can chew. That is a decision at some point, or a reality that you may have to face, that there might be a reason,
[00:45:01] if some of your clients are lower priority and they feel like you're not giving them the time at all, maybe that is an indicator of the fact that, uh, you are a little bit overburdened. And, you know,
[00:45:15] maybe that's a sign that, you know, you don't have the capacity at this point to take on additional clients also. And I think that's, you know, an important point to keep in mind, that, you know, there's
[00:45:25] always this desire to grow, and of course taking on more clients and taking in more revenue, but if you're already struggling then, you know, it might be good to just take a step back and recognize you're
[00:45:36] already struggling with the current number of clients that you have now. So it's certainly a challenge, like we said, it's a balancing act, but hopefully, just from this discussion that we had on today,
[00:45:50] this will certainly inspire some of our audience with some ideas about how to manage some of these trickier aspects of the MSSP client relationship. So that's gonna do it for our big idea in business,
[00:46:04] Bill, but, uh, next up is a segment that we like to call Dear Cyber For Hire, and this is an advice column segment where we get to play marriage counselor between MSSPs and their clients to help
[00:46:17] mend fences when their relationship goes awry. The following letter has been dramatized and anonymized to protect the innocent, but the conflict represented here is a very real problem that companies face. So, Bill, it's time to immerse ourselves in some juicy MSSP melodrama,
[00:46:37] and this complaint comes from the client side of the relationship. So, fellas, cue the music. Dear Cyber For Hire, I'm all for a little healthy competition in a relationship, but lately my partner
[00:46:52] seems to be, well, a really bad sport, antagonistic even. They need to win at everything and I need to lose, and I am, I'm losing my mind, my patience and maybe even my reasons for being in this
[00:47:09] partnership. You see, my company entered into a contracted relationship with an offensive security firm specializing in red teaming. Their job's to find the gaps in our defenses laid out by my security team, and they're doing a good job, too good. My internal security team has become frustrated,
[00:47:31] dispirited and embarrassed. They claim the red team is going out of scope and that they're not communicating their findings in a way that's helping the defense truly get better. Are we just being
[00:47:44] bad sports here, and is it possible to get an external red team and an internal blue team to put their heads together and purple team? Sincerely, Disgustedly Displeased with Degrading Defensive Defeats in Dayton. So, Bill, you know, other than bringing your red team in-house as well
[00:48:06] so that your blue team and your red team are internal, which may not be possible for everyone, you know, that's why we have these managed services in the first place, what can the client do
[00:48:17] to improve this red team, blue team clash of egos right now? Yeah, I think, um, on the one hand this is a good topic because it is a problem, this clash between red team and blue team, but at the same
[00:48:35] time, you know, the clash is by design. The problem is, when there's the clash, what you do with that, and that's, you know, I think the part that needs working on. To me what matters is bringing all
[00:48:49] the stakeholders into the security process and making them own pieces of, you know, what all of these teams are doing. So, you know, HR has a stake, legal has a stake, finance has a stake.
[00:49:09] This is why I'm a big fan, by the way, of purple teaming, because, you know, with purple teaming you have both teams collaborating instead of this, you know, there's the competition, sure, but
[00:49:23] it goes beyond that, and how you work together to fix the issues that come up. So with purple teaming you have both teams collaborating closely, sharing information and insights. The blue team learns from the red team's attack techniques, uses that knowledge to improve
[00:49:47] their defense strategies and incident response capabilities, and then, you know, conversely, the red team benefits from understanding the defensive measures and the organization's strengths, which, you know, they can use to refine their attack methods. So it's really, I think, the
[00:50:08] heart of the problem is it can't just be blue team fighting red team; it has to be about what you do with the results of that work. Yeah, absolutely. It always sounds like, from, you know, various
[00:50:24] experts that I've talked to on this particular topic related to offensive security, the best red team, blue team exercises are ones that ultimately are collaborative in nature, where both sides can ultimately learn from each other. If it's just a game of gotcha, then it ultimately sometimes
[00:50:46] just results in some hard feelings, and there may be some lessons learned, but you're not really getting the true collaboration that can, you know, benefit your organization if the red and the blue
[00:50:59] were truly becoming this united purple front. So that's what you hopefully should be trying to shoot for as an organization, even if the red team might be coming from an external source. So great advice there, Bill, another relationship saved. Hopefully our listeners have learned from
[00:51:20] this and don't make the same mistake. And remember, if you've been struggling with your managed security services relationship, whether you're the user or the provider, we want to hear from you, so please write to us at cyberforhire@cyberriskalliance.com and we might use your letter
[00:51:36] in a future episode. All right, well, it's almost time to wrap things up, but before we go it's time for us to get a little random as we share with you, drum roll please, our Irrelevant News of the Week.
[00:51:50] This is a real news pitch that I've received in my inbox for reasons that are entirely inexplicable to me. So are you ready to get random, Bill? I suppose so. Okay, well then let's do it.
[00:52:07] For upcoming stories, please consider Arcade Beverages, shaking up the liquor market and revolutionizing the way we drink by inventing the first alcohol-free formula that smells and tastes like liquor but without the hangover. After seeing his son come home drunk one night, creator runalt video
[00:52:28] gratogliano spent the next three years researching the concoction. After discovering the molecule that carries the alcohol profile without the actual spirit, his team of scientists in a Swiss lab created an entirely new molecule with zero percent alcohol that sends stimuli to the brain
[00:52:47] where the mucus membranes of smell and taste saturate and make the consumer believe that he or she is drinking alcohol. Bill, I think they're still missing the point as to why most people, including the creator's son, probably were drinking the booze in the first place.
[00:53:06] You know, I honestly don't know what to say about this. I mean, people are drinking what? I mean, when I look at all the problems in the world that we have to solve, when I look at all the
[00:53:23] problems in the security world that need to be dealt with, and I see something like this, I'm just like, you know, how did we get to this place? Well, I think there are probably some
[00:53:39] people after a hard day at the cyber security office who need a good drink, and they're probably not looking for something that tastes like alcohol but doesn't actually have any of the effects
[00:53:51] of alcohol. Yeah, people need to unwind, yeah. But that said, as the commercials always say, drink responsibly. Absolutely, well, that is for sure. I mean, it certainly, you know, maybe this
[00:54:09] is a good, you know, you've had like one or two real drinks and then, you know, maybe if, you know, you just kind of want to still stay in the spirit of that but without actually, you know,
[00:54:22] feeling the physical effects anymore, I don't know, then, like, you know, maybe you switch over to this other beverage instead. But from my perspective, as somebody who really particularly
[00:54:34] doesn't enjoy most alcohols and most of the time at a function I'm the guy that's ordering the Coke, I don't personally see the immense pleasure in drinking something
[00:54:48] that tastes like some kind of a, you know, fiery, acidic alcohol if it's not going to actually, you know, make you feel good in any way. So I'm not quite sure, but, you know, there's probably
[00:55:02] a market out there, for who knows. Anyway, that's our randomness for the week, Bill. You never quite know, right, what's going to pop up in your inbox, and this was
[00:55:17] certainly a curious one. So with that, though, we're going to end it there because we're out of time, but fret not, because we will be back again next week with episode number 29. So one last thank you to
[00:55:33] Bill Brenner for filling in again as a guest co-host, much appreciated as always. Thanks for having me, yeah, yeah. Meanwhile, feel free to check out even more cybersecurity podcast content on the
[00:55:47] SC Media, MSSP Alert and ChannelE2E websites. Until next time, I'm Bradley Barth. Please reach out to us via our show page with your comments, questions and insights about the business of cybersecurity.
[00:56:00] We'll keep the conversation going on the next episode of Cyber For Hire, your inside source for cyber outsourcing.