M&A Integration Challenges & Alert Fatigue: MSSP Strategies for Client Escalation - Jim Broome - CFH #26
Cyber For Hire (Audio) | July 04, 2023 | 01:02:00 | 141.89 MB

Last year, ChannelE2E listed more than 1,000 merger and acquisition deals involving MSPs, MSSPs and other similar service provider organizations. Typically when any M&A deal occurs, there are bound to be redundancies and overlaps in services, tools and personnel. For MSSPs that find themselves in this situation, it's important to consolidate and integrate the best of their assets across multiple entities, while maintaining operational consistency. This is no small task, but this segment will offer examples and tips to help move in the right direction. MSSP SOC analysts are often barraged with security alerts that pop up as anomalous activity is detected on clients' networks. Not all of these notifications are worth reporting and acting upon, but it takes only one overlooked incident to result in a full-fledged attack on the customer. This segment will look at the perennially challenging question of when it's the right time to let your clients know that something may be amiss, without inundating them with unnecessary reports. Also, we'll examine how automation can help reduce the burden on strained SOC analysts.

Show Notes: https://securityweekly.com/cfh-26

[00:00:00] M&A Madness, overcoming MSSP integration challenges following an acquisition, and avoiding security monitoring alert fatigue: when do you escalate to your client? That, and the latest news and trends in the managed security space, coming right up on Cyber For Hire.

[00:00:21] Building bridges between managed security providers and their clients, it's the podcast where MSSPs, vCISOs and end users take a united stand against cybercrime. This is Cyber For Hire. Alright, welcome friends to episode number 26 of Cyber For Hire.

[00:00:40] How's everybody doing today? I'm Bradley Barth with SC Media in New York. Joining me today, just a 4.5 hour drive away on I-95, is my guest co-host for the day, Bill Brenner, with a brand new title since the last time he appeared.

[00:00:54] Senior Vice President of Audience Content Strategy at CyberRisk Alliance, congratulations to you on that, Bill. Yeah, absolutely. Now when this episode airs on Tuesday it will be the 4th of July, so also happy birthday to the USA.

[00:01:12] Any fun plans, Bill, or you a barbecue and fireworks kind of guy on the 4th of July? I will be blowing stuff up with my kids, and we're having a good time doing it. Awesome. That sounds good.

[00:01:31] I don't personally too much mess with fireworks because I always have these memories as a kid of having that uncle who did in the backyard and then resulting in people's clothes basically being, you know, singed. I am that uncle. You are that uncle. Okay. I'm that uncle.

[00:01:54] There you go. Yeah, I just think of you remember a time seeing like rockets call basically go like flying towards people into the seats and narrowly missing them.

[00:02:04] So I've lived those days and at this point I'm just happy to sit back and watch one of those, you know, Grucci fireworks displays from afar.

[00:02:15] But alright, more banter on that later. But first, some news just can't wait, which is why we want to share what's top of mind today. So here's your headline courtesy of SC Media and its parent company CyberRisk Alliance. In conjunction with SC Media's June 2023 Vulnerability Management

[00:02:35] Summit virtual conference, the CRA released the results of an online survey of security and IT professionals on the topic of vulnerability management. Among the chief obstacles impeding effective vulnerability management are old legacy systems, the inability to automate and lack of complete visibility of all IT assets.

[00:02:58] Only 51% of respondents approved of the way that their organization has decommissioned legacy IT in order to ensure proper patch management. That was based on a rating scale of 1-7, where only the numbers 5-7 are considered positive scores.

[00:03:14] Bill, why in your mind is this report top of mind and can you relay a couple of best practices or key takeaways that came out of the research? Yeah, I think vulnerability management is as old as cybersecurity itself.

[00:03:32] So people who are in the profession are dealing with the same challenges that they've always dealt with. So around prioritizing around automation, automation is this holy grail that nobody ever quite seems to be able to get their hands on despite what's on the market.

[00:04:07] We look at the last three years where companies dramatically increased the business that they do in the cloud. That has just created a threat landscape that's just so much bigger. And so the question is how do you improve your vulnerability management game to keep up?

[00:04:37] And that's the big challenge. We had respondents who said that they continue to have trouble getting budgetary buy-in from the top to do what they need to do.

[00:04:54] Visibility has become so much harder because companies that are doing business in the cloud are carrying around so many third party applications. So there's just so much out there.

[00:05:13] In terms of what to do about that, we actually did interview a series of CISOs and other respondents about the path forward. And some of the lessons learned that respondents talked to us about was for starters tying vulnerability management to the business.

[00:05:44] You know, stressing visibility and ownership across the business. Continuing to advocate for the availability of services. I'm going to read a quote actually from one respondent because we just get so many useful comments.

[00:06:06] But one respondent said, you know, vulnerability management should be lumped in the bucket of keep the lights on, as operational support for the availability of your products with customers. That's the way we've approached it from day one.

[00:06:22] The DevOps team and the software engineering and IT teams are really good at keeping customer facing services up to date or at N minus one. And that same process supports patches and updates. So that, you know, that is one perspective.

[00:06:44] Another perspective is around changing behavior, where another respondent said the hardest thing is in helping folks change their behavior to think about what could be built into their automation templates. So other lessons learned: we had respondents talking about their journey to being able to better prioritize vulnerabilities.

[00:07:19] You know, learning to translate the impact of risk exposure better. Having more agreement across the organization on priorities. So, which items are your crown jewels that you have to prioritize at all costs. But what are the things that can be lower in the priority chain?

[00:07:42] And that's hard because especially now that we're doing so much in the cloud and there are so many third party applications in the mix.

[00:07:56] So, prioritizing is hard. But it starts with really identifying which systems in your business are the most critical and dedicating the bulk of your efforts towards finding vulnerabilities there and remediating them.

[00:08:20] And then in terms of some more basic best practices, things we've heard from respondents: start with the known knowns.

[00:08:35] Don't worry about what's happened in the past identify your knowns build processes for them and then figure out what you can improve going forward and once you've developed that solid workable process.

[00:08:50] That meets some of your minimum viable product characteristics. You get folks you start preparing folks getting them comfortable and the other thing was going big on zero trust.

[00:09:08] Which has been a challenge in and of itself for a lot of organizations because zero trust isn't this one size fits all solution on a box.

[00:09:22] Basically a collection it's it's a philosophy really that has several pillars attached to it so it's really figuring those out because when you're in better it when you're more control of who has access to what.

[00:09:45] You can maintain the range of vulnerabilities that you have to watch out for. Other tips include objectives that raise awareness of your VM policy, making quantitative based decisions and being realistic about what you can and can't control, and that goes back to the point about

[00:10:16] what the key systems are that your business relies on and putting most of your efforts there. All right, great, excellent stuff, particularly interesting to always hear some of those quotes and commentaries from

[00:10:35] the IT and security professionals themselves. I appreciate you sharing some of those insights today, Bill, and that's going to be our top of mind hot take for the day. But now it's time to move on to our MSSP industry trends topic of the week, presenting our big idea

[00:10:51] in business: M&A madness, overcoming MSSP integration challenges following an acquisition. Last year ChannelE2E listed more than a thousand merger and acquisition deals involving MSPs and other similar service provider organizations.

[00:11:10] Typically when any M&A deal occurs there are bound to be redundancies and overlaps in services, tools and personnel. For MSSPs that find themselves in this situation it's important to consolidate and integrate the best of their assets across multiple entities while maintaining operational consistency.

[00:11:29] This is no small task, but this segment will offer examples and tips to help move in the right direction. Leading us through this discussion today is our special guest Jim Broome, president and chief technology officer at DirectDefense.

[00:11:44] Jim is a seasoned IT veteran with more than 20 years of information security experience in both consultative and operational roles. At DirectDefense he is responsible for the day to day management of the company as well as providing guidance and direction for service offerings.

[00:12:01] Previously Jim was a director with Accuvant LABS and before that principal security consultant with Internet Security Systems and their X-Force penetration testing team.

[00:12:12] All right, well thank you Jim so much for being with us today and as always we're going to jump right into things and I thought a good place to start might actually be for you to recount a little bit of your own personal mergers and acquisition experience that you went through to help illustrate your point and to show what.

[00:12:30] Some of the challenges can be tell me a little bit about some of your personal experiences in that area and then as we go through some of the additional questions.

[00:12:40] I'm sure that experience will factor into some of the various answers that you'll be giving us as we seek additional perspectives. Sure no problem and thanks for having me on today guys.

[00:12:50] So yeah, I mean you're starting with a tagline of seasoned professional, hashtag I'm old, so the gray here is real, it's not a dye job.

[00:12:58] So in my case, it literally goes back to some of the early days in the industry for myself, which is back in the 90s, going from a company called Netrex. We were actually one of the first resellers of Check Point Firewall-1 in the industry.

[00:13:09] Actually my wife and I were actually the ones that you know primary authors on this replication program and traveling the world.

[00:13:15] But we were actually one of the very first managed service providers back in the day when it was just managed firewalls and building those models, and we ultimately got acquired by a company called Internet Security Systems.

[00:13:25] And that company was one of the first, you know, vulnerability scanners on the market, one of the first commercial IDS/IPSs on the market.

[00:13:32] So not only were they a product vendor but also had a service line, and ultimately, you know, tongue in cheek, IBM acquired them for the managed service offering.

[00:13:40] That became global networking services, so I kind of have the career, you know, completely on the service side, maybe more offensive sometimes, more defense sometimes.

[00:13:50] But I've gone through several acquisitions being in poe as well as helping organizations when I was at Accuvant actually acquiring and building new service offerings with them and trying to go to market with those new services as well.

[00:14:03] And most recently with DirectDefense once we started the company for ourselves, so we want to talk about testing model, managed services model, management models. We can definitely go down the weeds on each and every one, so it's a little bit of 20 interesting, right.

[00:14:18] I feel the last 20 years flashing before me exactly. Yeah, I just I so clearly remember all of that when IBM moved in and yeah just though. Yeah very much I mean tent can't really.

[00:14:41] I like to like to coin that time frame you know directly to the today's theme and topic is.

[00:14:47] The major challenges and hurdles when you go through acquisition: number one is going to be culture, always will be, and you know you've got to be prepared for that as a business owner or a business decision maker.

[00:14:56] Trying to merge two organizations that have in some cases diametrically opposed, you know, for seizures and trying to come up with a common blend all the way up to your service delivery model. I mean you kind of hit the nail on the head, Bradley, with

[00:15:09] You may do this tool this way you wait and you may have done it that way so like today in the market space there's a lot of. Challenges if you will.

[00:15:19] at least today's, you know, term MDR, managed detection and response, is the new DLP. You go to 20 different vendors, you're going to get 20 different answers.

[00:15:27] And you know one of the things is, already let's level set, we acquired, or you know if you're the acquirer or they're the acquirer, there was an acquisition based on something. Either it was headcount, you know, intellectual property, go-to-market strategy or augmentation of your service offerings.

[00:15:43] So you need to number one identify culture and how you're going to start, you know, really starting to merge those organizations. But number two, understand what is the end goal here: is it an intellectual property acquisition, is it a go-to-market strategy acquisition.

[00:15:57] And then start you know if you kind of sitting down and level setting with a team of how are we going to do this what's our time frame. In the market space and how we actually continue maintaining our customers before we merge our customers.

[00:16:09] Yeah, all those come into play, and in an ideal world you hope you're on the six-to-12-month cycles; sometimes it's even longer.

[00:16:15] Well I'm glad you brought up the question of what is the nature of the acquisition because that was something I even wanted to ask you about because really there are different types of.

[00:16:24] M&A transactions that we could be talking about here. This could be the case of two MSSP type organizations merging, it could be an MSP acquiring an MSSP to get those security services in its portfolio.

[00:16:41] You could be an MSSP taking on a consulting organization or solution provider to give it more internal capabilities. Are there certain M&A scenarios that pose more challenges or are more complex than others to execute in terms of getting aligned with the culture?

[00:17:00] Honestly it's really going to be what is your differentiator how you perceive yourself different from the other folks and what is your go to market strategy if you take.

[00:17:08] The traditional MDR players that came out in the market in the first couple years, they were really all geared around endpoint. We're going to manage your CrowdStrike, we're going to manage your, you know, SentinelOne, whatever, you know, endpoint, you know, platform, because

[00:17:21] Honestly that's where a lot of bad things happen and it's the first point of visibility for many security organizations that are struggling to get visibility. Eventually those have adopted a matured and you still see you know again going to market against other competitors up there.

[00:17:37] That's their entry level service and so when you start qualifying your customer and talking about your customer base. You know we have this but that's really not the enterprise service thing the enterprise service is this.

[00:17:48] So when you talk about the M&A process, like right, what was, you know, the acquirer's process, what is the acquiree's process.

[00:17:56] And then what is the time frame you know it's really to kind of start mapping out of when are we going to merge this as unified service offering when are we all supposed to be wearing the same t-shirt.

[00:18:05] in the building and really going to market to our customers together. We've seen this, I think the last truly visible one in my experience was both Trustwave and SecureWorks when they started going to enterprise in DR, EDR or XDR, whatever DR

[00:18:22] You want to apply to it in their service lines that you literally saw some of their acquisitions kind of step forward and like here's the old traditional stuff we've been doing but we're going to put this team forward.

[00:18:31] And that was the quickest way to get to market, as we believe this team already has a maturity model to deliver.

[00:18:36] We know what the the inflection of the pain points are going to be to get them to a volume that we expect in the be at over 12 to 36 months.

[00:18:44] And that's the investment that the business is making that decision on and how to accelerate that or get to market as fast as possible, with something that could be perceived as a very viable service as opposed to what they've been doing.

[00:18:54] So you know the old adage we see this time in time again in the vendor space it's easier to acquire than innovate right. So in most cases you know at least monetarily.

[00:19:03] So you know in this case it's easier to find you know a service group that's right on that cost maybe you have a wealth of cash or a PE or you know venture capitalist behind you to help you acquire.

[00:19:13] Someone that's bigger or prepared to make a bigger jump in your and then allows you to join that force and augment that service.

[00:19:19] If you take a look at the OT space, we saw a lot of that in the last few years from organizations like Accenture that went on a rapid hiring spree for OT, not only security professionals but OT SOC offerings as well.

[00:19:36] In the market space so it's you can definitely kind of know like competitor and know what the market strategy is to when you start talking about the M&A of are we trying to accelerate what is the what is the end game.

[00:19:45] And that really helps you build your decision models from there. I would be curious to ask you, Jim, what redundancies, since we talked about sort of paring down and consolidating those, what in your mind are some of the most common ones to crop up?

[00:20:02] And then once we identify those, maybe we can talk a little bit about what the step by step process is or best practices for paring those down and consolidating those services.

[00:20:16] Sure, let's take the biggest ones and the most painful ones first, which is as a service delivery model when you talk about MDR, MSSP. You really got three major things you have to deal with: case management, so your intake of whatever you're managing.

[00:20:31] Number two is going to be ticket management and how you're actually interacting not only through your case management process but back to your customer, and finally reporting.

[00:20:38] So in most cases that's really a technology standpoint you're going to look between the two organizations which ones doing it right at each phase.

[00:20:45] So which one can we optimize to adopt whatever their model was and try to find a way to merge those sources and that honestly I can tell you.

[00:20:53] You know, through collective friends and everything, that is the biggest challenge across the board. If there's going to be a perceived failed merger between, you know, two entities, it's right there, it's how they go to market and deliver services.

[00:21:06] You know, honestly, you know, without tooting our own horn, we decided to build some intellectual property for my company to kind of take on that challenge for ourselves.

[00:21:14] But taking that out of the equation, it's just basically sitting down and trying to level set on how you're going to actually merge. Are you a ServiceNow company and that's your primary portal for case management, or did you build something, great, how busted is it?

[00:21:27] You know, and then what you'll find is someone either slapped a Jira ticketing system in the middle of it or a ServiceNow ticketing system or something else.

[00:21:35] But then they've got that case management front end of the old custom built for themselves, and again your service model may be 100% threat hunting, your service model may be more compliance worrying and bigger picture items.

[00:21:48] How do we get those new ticket types into that system, and you try to logically flow that out. I mean honestly the good news is I've done app testing, I have some really excellent, you know, app testers that I work with day in and day out, and so nine times out of ten we still do sit down and do diagrams of just how was data flowing in the other system, how is the architecture of this going to work, before we even add the human element into it.

[00:22:09] And once you can figure that out, you can figure out ways to optimize and get to market faster with those problems.

[00:22:15] Yeah and you just mentioned the human element so I mean that actually was going to be my follow up which is we just talked a little bit about how to handle redundancies and overlaps and tools and processes but you're also inheriting people when you acquire another company and then you want to make sure that basically.

[00:22:33] All of your employees that now that fall under the banner of your organization are all performing within the expectations that you set forth as an organization and that's going to maybe now affect the way that.

[00:22:49] Some of these new people that are coming in interact with your client base so how do you again make sure that you stay on the same page in terms of making sure that.

[00:22:59] All employees are following the same basic guidelines for how how you expect customer interactions to go forward. Yeah exactly and then directly it kind of goes to when you go through an acquisition your acquiring team doesn't matter if it's consultants or analysts it's human.

[00:23:15] So sitting down and taking your most senior talent and honestly this is how we've been doing it how do you guys do it just literally just be that transparent with everybody like what is your interaction what is your touching points for their customers.

[00:23:26] I know I use it as a sales tactic when I'm competing against other people on the sales side of you know hey you hardly yet you know like most common stories I never heard from that company so like how do I get that out of the culture.

[00:23:37] Because we're hiding you know my my process is highly touching you know touching to the customer making sure that they have a constant communication point and so if that's not the you know the the process that team has been aware of or used to.

[00:23:50] You're probably going to find some skillset deficiencies in there as well that you need to go bolster, and nine times out of ten it's all soft skills, it's not technical, it's like hey, can you talk?

[00:24:00] Are you okay being in front of a room for the people and actually you know being the authoritative version in the room to in those conversations all the way down to how well do you write.

[00:24:08] And so honestly I can tell you I spend quite a bit of time just in my own organization just showing them how to use Office. You know, just basic, you know, office communication to those, because unfortunately the current generation's all about Google Docs and that's a different rant.

[00:24:20] But you know just showing them how to communicate how to how to orchestrate. And the more importantly be open to one of being open to what you've done before is not necessarily what you're going to be doing tomorrow.

[00:24:33] I'm always been a big advocate of you know hey I probably built it for you here you go here's the owner's manual from this point for its yours.

[00:24:43] So this doesn't work for you this was you know the process by me this needs to be the process by y'all by the rest of the organization to actually establish how you want to go to market together and as effectively as possible.

[00:24:56] So again it's a lot of collaboration and really just kind of sitting down on the human factor. Yeah eventually you're going to identify some redundancies and you know that is unfortunately a byproduct of just the entire process that may have to be resolved.

[00:25:10] The good news is also, you know, I have three other lines of business, so you know that's open for that talent to look to see if they want to progress to a different line of business, like maybe they want to be a pentester.

[00:25:19] Maybe they want to be in compliance maybe they want to specialize in OT security.

[00:25:23] So again it's kind of being open to what are the acquisition models what are the what are the what is the career path and just being very very transparent you know to employees I found today especially the current.

[00:25:34] And then you know I'm really on you know understand that transparency of hey this is a business but at the same time when trying to make sure you guys have a successful career moving forward. The so Jim just continuing on here I know that you know from a.

[00:25:55] When when when an emerging acquisition does happen we've been talking up to this point about. And then the customer facing systems and services that you inherit you also as an organization of course end up inheriting internal systems as well.

[00:26:15] From whatever this new company is that you're merging with or acquiring you know everything from you know. HR systems to just really any kind of really internal business function.

[00:26:29] So can you apply the same principles to consolidating internally your systems as you can to the customer facing ones can that at least for efficiencies purposes. I'm definitely good advocate advocated for yes you can.

[00:26:45] Again the acquisitions I've seen to be the most successful is again a whole lot of transparency sitting down and like all right.

[00:26:53] You know maybe you guys are using a PEO maybe you you're big enough you've brought the task of HR management in house what is your plans what is your. You know procedures around employee vetting you know because.

[00:27:07] You know, ironically, you know, we serve a lot of different verticals, so we inherit by proxy a ton of different obligations to work here. You know, yeah, I make the tongue in cheek joke here of yeah, I have federal, I have financial customers, so yes I am a business in Colorado and we still do drug screening, I'm sorry.

[00:27:23] So you know it's a obligation to work here so it's kind of you know interesting to you know kind of see that culture coming in is like no this is a real thing we we still have to actually be you know big boys and girls and actually going to work.

[00:27:35] And make sure they understand our customers, you know, have obligations on us as well, and make sure those acquired systems are maintainable and scalable. So for me it's always been the inflection point when you talk about the back house on HR.

[00:27:49] Once you break 100 employees, that's really when you just have to start investing into your own infrastructure. So having a true HR role, having a true operations manager, having a true accounts payable assistant so, you know, the money still flows.

[00:28:02] You know, no hiccups on cash, because I can tell you how many failed ERP implementations I've seen, especially in VARs.

[00:28:08] And you know just kind of going through that whole process of can we continue to, you know, send our invoices out. I mean I will literally have seen spectacular failures where one company acquires the other and thinks they got it.

[00:28:21] They ultimately term the other organization's accounts payable department because they all thought they had it, and now they're, you know, failing to send 30, 40% of their monthly billing. And then secondarily is, you know, failing to acquire the intake, so you know

[00:28:40] Thankfully a lot of people gone to ACH transfers these day but you know there's still a lot of people use checks and unfortunately you may have terminated the person actually physically goes and checks the mailbox.

[00:28:50] So you know I've heard horror stories of someone finally checking the mailbox after two months and there's, you know, half a million to three million dollars of checks that have been waiting to be cashed. Yeah, I mean just thankfully on what details guy.

[00:29:02] But I've seen you know just that's really my biggest thing as a business leader is just sitting down and I'm like alright.

[00:29:08] You know what is your procedures let's document on what if you don't have documentation and just make sure we're covering and checking on the things we can and how do we actually able to me integrate and try to take the best from each side.

[00:29:22] Absolutely and I think a good one last question that I wanted to make sure to ask you was. I think it's good to illustrate for those watching or listening today what the potential consequences or ramifications are if they don't follow some of these best practices.

[00:29:44] If basically they allow some of these inefficiencies and redundancies from these various dealings to to linger. And if really they're not on the same page across the various disparate entities that comprise this increasingly complex organization.

[00:30:04] So for those that don't follow your sage advice today Jim what are potentially the short term and long term consequences down the road. Sure, so you will only. That's.

[00:30:20] You know, that's, let's take it top down. So on the service delivery oversight, yeah, there's a gap, there's, you know, you've missed something critical, so there is a byproduct of you missed the most important check.

[00:30:33] So quality of service quality delivery that's why you ultimately have. You know your KPIs and your procedures to actually see who's working effectively either with the old process or the new process depending on what side of the equation they're on.

[00:30:45] Honestly, my biggest example I always go back to is I ask the customers how their experience has been in the last couple weeks. So actually checking in as a manager, as a, you know, senior person in the company, of what's the customer experience been.

[00:30:57] Because I'll get answers that not necessarily my sales team or my own every team like everybody thinks they're doing good and you talk to the customers like I really like so and so because it is a personality business as well.

[00:31:07] You know you put this new senior leader on the project and just you know there's not a really good gel that maybe something may maybe a little bit of retraining but honestly sometimes people don't get along hey.

[00:31:18] You know it's it's fine you know maybe you know this person is going to be better with this customer so you do can you can do a tangible swap out that is you know low key for both parties there's no.

[00:31:28] You know harm no files just more of a hey you guys aren't jelly and it's okay it does happen. To you know to you know bills point of yeah you had a technical deficiency now we have a you know. So oh crap moment.

[00:31:41] Working with the customer doesn't you know just transition to an incident response you know that's not going to have to have that myself but I have seen it. Been part of it as the pen tester.

[00:31:51] You know of really ringing the bell and escalating all the way up to like screaming and shouting outside the front door of the sock with a you know harm a hacker you know.

[00:32:00] And and still not getting the attention that they need to draw that so that's a process failure so you're going to have to go back and identify why the process failed and actually put your checks and balances in there you know first and foremost.

[00:32:11] All the way to the back of the house and I gave you kind of the horror stories but you know number one is just you know keeping the cash flow and for the business so it actually gets through this acquisition properly but the biggest when it's culture.

[00:32:22] If you can't success we merge the two and you're going to hand wind up with poison. Opposition environment that you know the glass door reflects it and everything else it reflects that that.

[00:32:31] Even as a you know CEO or CTO the company you're sitting down talking with employees you know personally like hey what could we have done better. You know just be open is like sometimes we don't have all the answers we try we we do our best.

[00:32:44] We've seen it in and leverage our experience but you know it's humans and it's human nature to fail from time to time and learn from your experiences. Absolutely.

[00:32:53] All right, well, great. I appreciate you sharing some of those thoughts and insights with us, Jim, and obviously, again, this is something that a lot of organizations go through at one point or another, so

[00:33:03] it's best to be prepared in terms of understanding what could be coming their way. So I'm glad we got to talk about that for a little bit. Yeah, absolutely. But before we let you go, Jim, we're actually going to still

[00:33:16] ask you to hang around for one more second, because we were hoping that you would take part in a spooky little segment that we like to call What Scares You.

[00:33:26] As we've mentioned on the show before, the cybersecurity world is full of Chicken Littles out there who are constantly warning us that the sky is falling, when in reality some threats are over-exaggerated.

[00:33:39] Of course, that's only some threats, because there are times when the danger is very real.

[00:33:44] So this bit is an opportunity for us to gather around the virtual campfire and hear from the experts on what keeps them up at night, what gets their spidey senses tingling. And so, Jim, I ask you: what scares you? Honestly, it's being complacent.

[00:34:03] The industry has a really bad habit of, oh, we solved it. Thankfully, over the last 20 years we've kind of gotten out of that, but there's still a lot of it that exists out there.

[00:34:12] Just most recently, the threat actors have been very interesting in their change in MO.

[00:34:17] When you think about how we defend on the blue team side, we're looking for EDR solutions, we're looking for other process-tracking solutions, we've got this really cool integration with the cloud, and we're looking at users that are being compromised, things like that. And with all that, the old-school stuff still hits us.

[00:34:34] Case in point: organizations that are still using text messaging as a multifactor option.

[00:34:39] There are several threat actors that are highly skilled at this point at targeting cell phone companies, really walking into brick-and-mortar stores and SIM-swapping phones. That gives them that first point of entry into the organization, so the clock's running.

[00:34:53] Do you have a process for your employee to tell you their phone's been acting in a weird way? Probably not. There's a time delay built in there. All the way up to, most recently, seeing the threat actors actually stop running exploits.

[00:35:06] They're actually living at the infrastructure level. They're living in your cloud at the highest level. They're not touching the actual VPCs and logging in where we have our really cool EDRs and all this other stuff to catch them.

[00:35:18] So you have to really work and regear your visibility to taking care of the infrastructure and the visibility in that ecosystem as well.

[00:35:26] All the way up to even watching vendors like Microsoft struggle with the volume of attacks they're seeing and having to deal with their own IR teams now, in the recent spate of, I don't know if you've been tracking them, but they've been hiring a lot,

[00:35:38] because of a certain technique that's truly a bypass in their platform that's a challenge to recover from. So it's been interesting, you know, to really sit down like, hey, we think we got this, and being complacent always kicks your butt.

[00:35:53] So that's usually what keeps me up at night. Bottom line, yeah, don't be complacent, don't rest on your laurels, because certainly the bad actors aren't doing that. Good advice, and that's going to wrap up the first half of our show.

[00:36:07] Thanks one more time to Jim Broome of DirectDefense. Really glad you could join us today. As for everyone else, please return for the second half of our episode featuring our Big Idea in Security:

[00:36:18] Avoiding security monitoring alert fatigue: when do you escalate to your client? That and more coming right up, so we will see you in a moment on the other side.

[00:36:29] Struggling to monitor the growing threat landscape? Pressure to reduce costs? Security skill gaps? Facing compliance issues? These issues can translate to operational, financial, regulatory and reputational risks to your business. Check Point can help. Check Point combines an MSSP enablement program, cloud-delivered multi-tenant management,

[00:37:00] SOC platform and superior threat intelligence capabilities to give MSSPs the confidence to grow profitably at reduced risk. Check Point is 100% channel-driven. We partner to deliver the best security everywhere. Visit msspalert.com/checkpoint.

[00:37:20] Welcome back to Cyber For Hire, the managed security podcast. Once again, I'm Bradley Barth with SC Media. In the first half of our show we talked with Jim Broome of DirectDefense about MSSPs overcoming integration challenges following M&A activity.

[00:37:37] Right now I'd like to welcome back my co-host for the day, Bill Brenner, because it's time for us to examine our infosec news and trends topic of the week, presenting our Big Idea in Security: avoiding security monitoring alert fatigue. When do you escalate to your client?

[00:37:57] MSSP SOC analysts are often barraged with security alerts that pop up as anomalous activity is detected on clients' networks. Not all of these notifications are worth reporting and acting upon, but it only takes one overlooked incident to result in a full-fledged attack on the customer.

[00:38:15] This segment will look at the perennially challenging question of when it's the right time to let your clients know that something may be amiss without inundating them with unnecessary reports. We'll also examine how automation can help reduce the burden on strained SOC analysts.

[00:38:33] As always, we'll jump right into things. I feel like this is something that really needs to be individually negotiated with clients in terms of what the right threshold is for an alert being escalated to the client.

[00:38:49] But with that said, if you're an MSSP with a SOC that monitors a whole bunch of different clients at once, maybe having different policies and configurations for each one represents too much complexity, and maybe you need to set the tone or the guidelines to some extent. So how do you balance those conflicting interests there?

[00:39:16] Yeah, that is a complicated one, because on the one hand, you want to be fast. When you spot something that looks suspicious, you want to be on top of it.

[00:39:33] But you also want to make sure you know exactly what it is you're dealing with, because if you are too fast on the trigger when it comes to alerting the client,

[00:39:45] then you run the increased risk of telling them the wrong thing or giving them misinformation, or you go back later and you find that it wasn't what it originally looked like, which can be embarrassing.

[00:40:00] I think this is why automation is such a holy grail item, because automation is how you more quickly identify and analyze some piece of attack activity or some kind of vulnerability.

[00:40:27] But you want to be as accurate as you can be, so it's always going to be that balance. I think that

[00:40:39] if you're the MSSP, you really need to be sure you know exactly what you're looking at before you escalate to the client, because false positives are a thing, applications that don't play well together are a thing, and there are a million reasons why something can look

[00:41:08] either more ominous than it is, or maybe not stand out as much as you'd like it to.

[00:41:18] But it's funny, because if you look at the flip side of things, right, you talk about just completely inundating your clients with too many reports and not wanting to flood them with all sorts of information, especially when they could be false positives. But you just know the one time that you don't pass along

[00:41:36] some kind of important piece of intel, that's going to be the time that it was truly a precursor or an indicator to an attack, and that might even be worse of a scenario than where you did end up escalating and then something bad happens. It's a hard balance.

[00:41:58] Absolutely, a hundred percent. I'm going to bring up automation more shortly in terms of how that fits into the picture, because certainly that can help. But even there,

[00:42:09] at times, if you rely on certain automation tools, you still have to configure certain settings and guidelines, even for those tools, and implement certain rules. So let's talk about rules a little bit.

[00:42:24] What, to you, are some of the biggest factors that actually justify some kind of an escalation? Are there certain red flags that, in your mind,

[00:42:39] truly warrant, in most or all cases, okay, we always have to go to the client for this? Or if that's something that you're negotiating, what should always be at the top of the list of, this crosses the threshold?

[00:42:55] Well, if you see somebody has gotten into the system and they're poking around, lateral movement is happening. You know, the big thing is to be able to see first what's really going on.

[00:43:15] And again, that's why you have so much demand for better automation, and that's something that people have had varying degrees of success and failure on. But when it's time to escalate, it's when you have seen what looks like attackers trying to penetrate,

[00:43:50] or they've gotten in and they're looking around. If they've gotten in and they're looking around, I mean, that's red alert right there. If you see indications in the SOC that there's a lot of activity around exploiting of a vulnerability,

[00:44:11] for example, first you have to make sure you're not looking at a false positive or a false flag. And so you have to figure that out as quickly as possible, and then it's time to escalate there. But that's the piece where you take the bigger pause.

[00:44:31] Also good if you're up on your latest threat intelligence, that if you're seeing certain indicators of compromise or you're seeing certain TTPs that are associated with,

[00:44:46] let's say, a major, serious campaign that's actively going on, you might be able to raise the red flag there and say, oh, you know, this is, for example, something like, you know, MOVEit.

[00:45:00] And you see some signs associated with that. Then, you know, maybe that's something where, okay, this is right in line with what our threat intel reports have been warning us about lately. So here's a scenario as well.

[00:45:19] Just taking that one step further, in a lot of cases, of course, you want to escalate it to the client so that the client can ultimately determine what next action they want to take.

[00:45:31] But for those MSSPs that at times might have the ability to also do some level of incident response themselves,

[00:45:43] is there again a certain threshold or certain scenarios where it's okay for them to even take the next step of going beyond alerting the client and actually taking some type of mitigative action? I think you never want to be in a situation where you're just going to operationally disrupt your client.

[00:46:00] The client's got to make that decision on their own, but maybe there are times where you can at least quarantine something, where, like, if the client has certain redundancies in their system and network, it's not going to completely

[00:46:13] waylay them. So are there scenarios where that can happen? You know, as a service provider, priority one is, when you know that something is happening, you have to act. The incident response has to kick in immediately.

[00:46:33] Yes, you notify. Once you have a good fix on what's going on, you notify the client so they know that something is happening. But don't wait

[00:46:47] to start taking actions when you can clearly see that an attack is underway and you have your playbook to deal with that. It's much better to go to a client and say, you know, attackers were attempting to do this this morning, but we stopped it.

[00:47:10] Yeah, so, and certainly that's something that can be worked into the guidelines in the contract in the first place, that you should have that understanding on both sides of the relationship in terms of how much autonomy

[00:47:26] the MSSP is going to have in scenarios like that. So as long as that's discussed and understood beforehand, then in a situation like that, as you're saying,

[00:47:38] yeah, better to take the action than, out of inaction, to ultimately end up with the situation suddenly exacerbating. That makes sense.

[00:47:49] So let's talk about automation and where that's going to fit into the picture there, because that's going to be one of the top ways to alleviate the burden on SOC analysts that are just constantly

[00:48:06] dealing with scores of information. So what do you leave to automation, to the machines, and what do you leave to the human analysts, from an MSSP perspective? So there's actually an infographic that we did not too long ago that kind of showed,

[00:48:34] here's incident response when you don't have automation, here's incident response when you do have automation. And the benefit with automation is particularly for things that go bump in the night, right? So if you have automation, a platform that is constantly

[00:49:00] keeping an eye on things, and something happens at, like, two in the morning, automation allows you to immediately start dealing with it, instead of: this happened at two in the morning, it's now eight in the morning, we have to see how much damage has been done, if any.

[00:49:20] Whereas a good automation tool will immediately start trying to block off avenues of attack, will immediately start closing off areas where the bad guys can get in, or if they are in there, to get them out. Again, we go back to automation.

[00:49:50] Yeah, as many tasks as you can automate, the better. So if you have a platform that can immediately act upon finding something that doesn't look right, yep, you know, now you have

[00:50:12] people in the SOC who are not having to be up at two in the morning looking at the stuff. Yeah, and they can, once they log on in the morning,

[00:50:24] actions have already been taken, and that frees them up, one, to get more sleep, two, to focus on the more strategic challenges that need to be addressed.

[00:50:43] For sure. Yeah, it's not easy. Alert fatigue has been a problem for a long time. It's certainly not something that we're going to

[00:50:54] solve here just through one brief discussion, but it's certainly helpful to review some of the important ways and tactics that MSSPs can, as we've been saying, at least reduce

[00:51:10] some of the burden and reduce some of the complexities while introducing efficiency. So I appreciate the fact that we were able to spend a little time talking about that today, Bill.

[00:51:20] But we're out of time for this segment, so we're actually going to move on from our Big Idea in Security, because next up is a segment that we like to call Dear Cyber For Hire.

[00:51:31] Now, this is an advice column segment where we get to play marriage counselor between MSSPs and their clients, to help mend fences when the relationship goes awry.

[00:51:41] Now, the following letter has been dramatized and anonymized to protect the innocent, but the conflict represented here is a very real problem that companies face. And so, Bill, it's time to immerse ourselves in some juicy MSSP melodrama, and this complaint comes from the provider side of the relationship.

[00:52:04] So, fellas, cue the music. Dear Cyber For Hire: My once reasonable, rational, sound-of-mind partner has been brainwashed. Clearly they've been hanging with the wrong crowd, influenced by others with an agenda that clashes with mine.

[00:52:26] Those others that I'm referring to in this case are actually vendor companies who distribute so-called research reports that are anything but unbiased and tech-agnostic. Tainted by loaded survey questions and dubious analysis, these reports seem to always have something in common:

[00:52:47] the number one most damaging or dangerous cyber threat coincidentally happens to be the area of specialty for the vendor that's releasing the report. My client's CEO or IT director then reads these findings and asks me, why aren't we prioritizing this issue or partnering with this vendor?

[00:53:08] And I have to talk them off the ledge, explaining why what they read is marketing hype bordering on misinformation. Whatever happened to critical thinking? Sincerely, Sick of Specious and Spurious Survey Statistics in Saskatoon.

[00:53:26] Bill, on one hand it's good that the client is reading up on these things, trying to keep up on the latest trends, but you have to know who your reliable sources are. That's not always easy in this business, is it?

[00:53:39] It's not. I mean, when security vendors put out reports, the first thing I'd say is, just because a security vendor has put out a report doesn't mean it's useless, right? It's knowing what you're looking for. So

[00:53:59] if you are looking at a report that's based on research analysis, so the security vendor is analyzing the most prevalent attack types to happen, for example, and they're collecting that data from all of the tech that they have deployed among the customer base, that's useful stuff,

[00:54:29] especially if you use that particular security vendor. The other thing that can be useful is some of the survey-type research that gets done, where they're talking to people in the trenches. But

[00:54:49] there's always going to be a tinge of bias, because the goal of the report is indeed, you know, marketing, to show the world what you have and what you're doing for customers, and showing what you know.

[00:55:09] All important things, but I don't think you cut reports like that out of your diet. You make it part of a more balanced diet. So what do I mean by that?

[00:55:26] I mean, let's start by looking at what we do here at CyberRisk Alliance, where we produce a lot of reports that are based on both research and things happening in the news.

[00:55:42] And we go at it from a more objective viewpoint, where we might include one vendor's report but balance it against something from another vendor's report, right? Where, when we do survey research, we're reaching out to our direct audience.

[00:56:11] And so it becomes more of an objective look. So you want to include that type of content into the diet of what you're taking in. So it's more about balance than who to believe or who not to believe.

[00:56:38] Yeah, absolutely. I think you summed it up well. You have to take it with a grain of salt. You don't just necessarily throw it out and discard it as being meaningless.

[00:56:49] There absolutely can be nuggets within these reports that can be useful to you, but at the end of the day, you do also just want to watch out for that

[00:56:58] good old FUD, the fear, uncertainty and doubt that sometimes certain vendors can start pumping out excessively for the point of selling something.

[00:57:11] And over time you start to, again, get a better sense of critical thinking, and you're able to separate some of the more valuable information from the not-so-valuable information. So, you know, thanks. Yeah, go ahead. Red flags to watch for:

[00:57:25] if a vendor's report is using language about how they're the only ones detecting this thing, they're the only ones remediating, when they start veering into that language, that's when you start to feel more like Sick of Specious and Spurious Surveys,

[00:57:56] and that's when you start to get a better sense of Statistics in Saskatoon. Fair enough, Bill, fair enough. Appreciate the advice. Another relationship saved. Hopefully our listeners have learned from this and don't make the same mistake.

[00:58:11] And remember, if you've been struggling with your managed security services relationship, whether you're the user or the provider, we want to hear from you, so please write to us at cyberforhire@cyberriskalliance.com and we might use your letter in a future episode.

[00:58:26] All right. Well, it's almost time to wrap things up, but before we go, it's time for us to get a little random as we share with you, drum roll please, our Irrelevant News of the Week.

[00:58:38] Now, this is a real news pitch that I've received in my inbox for reasons that are entirely inexplicable to me. Are you ready for this one, Bill? I am. More ready than I've ever been for anything. Okay. All right. So let's get random.

[00:58:55] Hello, Bradley. In an effort to bridge the connection between astrology and dating, the dating app dua.com conducted a comprehensive study analyzing more than 500,000 of its users, and the results were outstanding.

[00:59:12] For example, did you know that Virgos are the most desired ones, and Scorpio and Cancer are a match made in heaven? Did you know that Leos claim the crown in wanting kids?

[00:59:29] I mean, these are the things that we really need to know, apparently. So my question to you, Bill, is, number one, have you ever once based any decision in your life on astrology or horoscopes? And secondly, what would that look like if, let's say, a cybersecurity professional

[00:59:52] were to use astrology to make a key decision, maybe an MSSP for its clients, like, hmm, let's take the last example: should I share this alert? Should I escalate it to the client? What does the horoscope say today? So those are my two questions for you, Bill.

[01:00:08] Yeah, I might be biased myself in saying this, but the second you start talking about security in astrological terms, I'm running the other way. I just don't want to talk to you. Case closed.

[01:00:32] Fair enough. Yeah, I'm not sure if the best way of going about deciding what the fate of your client is going to be is to look up at the stars and constellations.

[01:00:46] I will say, I have not had an astrology reading, other than maybe a relative doing it for me one time just for fun.

[01:00:56] I've not had my palm read. I have not done tarot cards. I've not really done any of those things. I do have a Magic 8 Ball.

[01:01:05] Or at least I used to. So, sticking to the Magic 8 Ball, if I asked it, are we out of time today, it would say all signs point to yes.

[01:01:16] So we're going to be wrapping up the episode, but fret not, because we will have you back again next week with episode number 27.

[01:01:24] So one last thank you, Bill, for being our host of the week. Really appreciate it. Meanwhile, for everyone else, feel free to check out even more cybersecurity podcast content on the SC Media, MSSP Alert and ChannelE2E websites. Until next time, I'm Bradley Barth.

[01:01:43] Please reach out to us via our show page with your comments, questions and insights about the business of cybersecurity. We'll keep the conversation going on the next episode of Cyber For Hire, your inside source for cyber outsourcing.
