Join Brian Doyle in an engaging episode of MSP Business School as he welcomes Frank Raimondi from Nodeware, a frequent guest and expert in cybersecurity and MSP strategies. This discussion veers from the typical focus on specific technologies, diving into the transformative impact of AI on security and technology advancements. Frank shares insights from his extensive background in vulnerability management, discussing how AI affects the landscape of cybersecurity and the role of MSPs in navigating these changes.
In this episode, Doyle and Raimondi explore how AI is reshaping industries and the increasing need for security vigilance. With the rapid emergence of AI tools, businesses face new vulnerabilities that MSPs must manage effectively. Raimondi emphasizes the importance of continuous vulnerability management, highlighting how tools like Nodeware play a crucial role in protecting company assets. They also discuss how AI is enabling faster detection of vulnerabilities and the necessity for MSPs to guide organizations in crafting AI policies to safeguard their data and operations.
Key Takeaways:
- AI's Impact on Cybersecurity: AI is revolutionizing the speed at which vulnerabilities can be detected, posing both opportunities and challenges for managing security.
- Continuous Vulnerability Management: The need for ongoing vulnerability assessment is crucial in the fast-paced tech landscape, as highlighted by Nodeware's offerings.
- Role of MSPs: Managed Service Providers are evolving into Managed Information Providers, crucial in educating clients about AI's implications and establishing protective measures.
- AI Policies and Compliance: The development of AI policies is essential for organizations to safeguard their data and operational integrity.
- Navigating Technology Advancements: MSPs should position themselves as trusted advisors, providing insightful guidance on adopting and managing technological innovations.
Guest Name: Frank Raimondi
LinkedIn page: https://www.linkedin.com/in/frankraimondi/
Company: Nodeware
Website: https://nodeware.com/
Show Website: https://mspbusinessschool.com/
Host Brian Doyle: https://www.linkedin.com/in/briandoylevciotoolbox/
Sponsor vCIOToolbox: https://vciotoolbox.com
Listen to MSP Business School on the Fox and Crow Group Your IT Podcasts Network!
[00:00:09] Hey everyone, welcome to the latest installment of MSP Business School. As always, I'm Brian Doyle. And with me today is another friend of the show. Frank has joined us a couple times now and he came in today as a late game pinch hitter for me, which I really, really appreciate. That's one of the beautiful things about Frankie. As a friend of the show, he'll jump in anytime that we've got a moment. Anytime you need me to talk, I'll talk.
[00:00:35] So I want to welcome Frank Raimondi from Nodeware to the show. Thanks, Frank. My pleasure, Brian. Great to be on. And yeah, I don't know if that's a good thing or bad thing that I'm available when you need me, but I'm here for you, man. No, what makes it a good thing? One, you know, love to have you on. We always have a fun time chatting, but it also gives you more times at bat, right? You know, those of us that are willing to help others out tend to get a little bit more face time and visibility, right? Yes, absolutely.
[00:01:04] It's never a bad thing. So with that being said, today's going to be a little bit different. I don't think we're going to go so hardcore on, you know, things that we typically talk about, right? You and I have had many conversations about vulnerability on its own, but more about really the changing pace of technology. And then where things like vulnerability and advisory and those kind of things are, you know, really coming into play.
[00:01:29] So, you know, why don't we kick off first, Frank, for anybody that doesn't know who you are, maybe a little bit about your background, and then we'll jump in and kind of talk about the accelerating technology world that we live in. Perfect. So, yeah. So I manage our alliances and partnerships and sort of large accounts for Nodeware, and we actually have two parts of the company, IGI cybersecurity, which does penetration testing, compliance readiness, vCISO types of things.
[00:01:56] And then Nodeware is our software arm of the company, vulnerability management, threat exposure types of things. But I've been around in channels for a long time, a little less time on the software and MSP world sort of last five to 10 years, but long history around big companies like Intel and Apple Computer and Synnex before it was TD Synnex. So I've been around partnerships and alliances and really value the community element.
[00:02:26] And it's another thing we have in common around GTIA, and so we can talk some about some of that. But, you know, again, as you said, less about some of the products today, but more I think the understanding of the speed of things happening and what that implies for an MSP. I can get my perspective and you're seeing it as well. Yeah, I mean, look, you know, the word that everybody's probably getting tired of hearing all the time is AI, right?
[00:02:55] But the reality is AI, forget about what it's doing from a productivity efficiency, all those kind of standpoints. It's really becoming a, you know, a very big security concern too, right? And, you know, we're hot on the heels of the announcement of, you know, of Fable 5 going live and then Fable 5 coming offline. And, you know, and I think some of that is trying to put some guardrails around what's going on. But, you know, Frank, as somebody that's been in the vulnerability sector for a long time,
[00:03:25] it's certainly changing how we need to look at vulnerability, vulnerability scanning, those kind of things. Yeah, no, absolutely. You know, it was sort of when we sort of first became sort of the real evident piece and was going to change things. Oh, shoot, you know, we're done for, right? You don't need the vulnerability management. AI is going to do everything. And then it was like, you know what, not really. I mean, AI is going to make changes everywhere, everything, every day, right, that we deal with.
[00:03:52] But I think if you look at the devices and the access into environments, right, and what AI can detect and how quickly it can detect. I mean, we're already seeing some of the, you know, the vulnerabilities that are just discovered by random AI bots doing things within a system. Well, that's producing, in a traditional sense, a CVE, right, or a new vulnerability that's found. But it's finding them that much quicker.
[00:04:22] And I heard somebody today, I was on an earlier call about, you know, there used to be a sort of zero day or, you know, infiltration plus 10 before something might happen. Well, now things are kind of happening before they even get on site. So there's less than a zero day impact.
[00:04:40] And if you're not looking at the devices and the software that's on them and the open ports and the access to things on a daily basis, hourly basis, then you're really missing the boat and increasing the risk for your customer.
[00:04:57] So AI kind of, again, will expedite things, you know, or find things out more quickly, which is why, which kind of reinforces why you need a tool like, again, not to be too commercial here, but a tool like Nodeware or any of the other vulnerability tools that is looking for those. And, you know, it gets a daily download, right? We get a daily download of all the new CVEs and particularly the KEVs, you know, known exploited vulnerabilities that get published.
[00:05:25] And those are going to come quicker now because they're being found and being discovered by some of the AI tools. But if you're not looking out for that and getting alerted of when a new one's been found in your environment or your customer's environment, then you're just waiting for disaster, right? So these tools, I think, are, you know, even more critical potentially than they have been before.
[00:05:49] And I think you've hit upon a few things that have really come out of, you know, as AI emerges that are becoming realities too. You know, you spoke at the top of, you know, that conversation thread that, you know, people were thinking, oh, maybe we'll go build our own, right? And I think very quickly they're looking at it saying, yeah, we can build and go maybe do a scan, but then we got to know what to do with it. And that's where companies like yours have the, you know, security professional expertise to better understand what's coming in. You know, what really needs to be worried about today?
[00:06:19] What might be something that you can, you know, kind of let slide a little bit further? And you're seeing more of that around everything AI, right? Like, you know, you can build almost anything in AI and you can build it quickly. Can you maintain it? Can you interpret it? Can you act upon it? Can you stay up and stay current with it? And I think, you know, what was feeling like a little bit of a threat to a lot of software companies, you know, ours included, right? Yours included is becoming a little bit less because we're starting to see, well, A, things don't come free. B, you still got to have the expertise sitting behind it.
[00:06:50] And then, you know, C, has tokens become the new oil, if you will? Can we actually operate it and sustain it long term? And, you know, and similar to that, it's these exploits are coming much faster because that access is available to us. Can we actually remediate them quick enough? And, you know, certainly. That's the key part, right? I mean, I think, you know, the AI tools and we have some AI tools within us, as do you. And there's things that can be discovered more quickly, right?
[00:07:19] Or more efficiently by the same number of techs and, you know, analysts. But you still, as you said, you still got to do it. But one of the sort of we had a customer discussion last week that we were approaching regarding the CMMC sort of surface, right? It's a big company, you know, and one of their CISOs actually just said it kind of we were like, really?
[00:07:44] Basically, so we'll just we'll throw the compliance, the regulations into Claude and have that compare it to what we have internally. And it'll tell us what we need to know and what we need to fix. And I was like, OK, good luck with that, for one. You know, you might get some of that. But again, the interpretation, as you say, the analysis and the prioritization, right, of that real world situation is going to be critical.
[00:08:09] And then, again, it's ultimately getting it prepared for the final audit, the final people that are actually going to put that stamp of approval on it or not. So it's going to help, right? But as you said, I think it enables sort of exemplifies or strengthens the need for the tools that are doing the grunt work, right? The real analysis and the up-to-date current analysis.
[00:08:35] Yeah, but, you know, again, AI is an amazing concept that's going to be here to really drive change moving forward. And I think all of us are excited about the fact that it helps us get to some problem points we all had as vendors, you know, potentially innovate, you know, in our innovation pipeline and getting there faster. And that's one of the things I'm seeing. And, of course, that means everybody benefits.
[00:08:58] But, you know, as we see with Fable 5 being pulled back, there's also some real-life concerns that come with, you know, innovating too quickly and making sure that we can approach things the right way and making sure that these tools are used right by the good guys and not, you know, getting exploited by the bad guys, if you will. Yeah, yeah. No, and I'll reference, you know, your article you just posted today when this was being recorded on the MIP, right, from the MSP to the MIP.
[00:09:26] And that information, you know, whether it's, again, sharing, you know, using it internally, sharing with your customers. Because, you know, any MSP, I'm sure they get 10 inquiries a day. Oh, I saw this tool. Is that – am I going to be impacted by data? Am I going to need this tool? And if you're, you know, using the information wisely, you still got to do your core deliverables, right? And there's no getting around that. And those might get some better efficiency on them.
[00:09:53] But, you know, maybe I could stand for – well, interpreter, right? I mean, you know, you're interpreting things for your customers differently now, and you have better tools to do that. But – Yep. And I'll say for the listener, if you don't know what Frank was alluding to, I put up a post about, you know, the managed service providers becoming really almost a managed information provider. And that's where the I could also be very easy interpreter, right, as well. But that's not something, you know, I coined.
[00:10:21] I think both of us can, you know, agree. We started hearing a little bit more about that, probably starting with GTIA's, you know, communities and councils event. And then going forward, you know, but it really comes down to, you know, when we think about what our customers need now, we've got digital natives in the seat of making decisions. It's not like when you and I started where there was a lot of trying to help people understand what the solution was going to be and why they need to make the investment. Now it's, hey, how do I get more out of what I got?
[00:10:49] How do I get, you know, how do I get to my results faster? How can I better, you know, better build better outcomes for my organization? And there's never been a better time for the MSP to really be, you know, level up their game. If you've been wondering how to get more strategic or how to position yourself better with the customer, AI is probably your easiest avenue. If nothing else, just, you know, sharing with the customer, hey, this is what it is and this is why you got to care.
[00:11:15] And you and I as, you know, at our core security guys, you know, inside of ourselves and we're looking at it as and you got to know what's going on amongst your people because bad things can be happening without you even knowing it. You know, right there in your own environment. That's part of that ultimately, I think, you know, kind of like shadow IT has always been that, right? People bringing in their own device and having access.
[00:11:34] But, you know, the shadow AI is, I think you'd probably, God, if I was a business owner today, that would, I mean, you know, I would be that much more concerned. And I don't think they're there yet, right? And I think they're kind of just still sort of seeing it as, oh, this is kind of cool. You know, everybody, go ahead. But how you protect the data they're accessing, you know, what they're providing now, what they're using it for.
[00:12:05] And I don't know that, have you seen many good tools yet for an MSP to help with that? Well, no, that's the challenge. I mean, you know, obviously folks like John Harden over Lemhi are trying to find some better ways to do that. And, you know, they came to life a couple weeks ago, as many of the listeners know. And, you know, there's certainly some other tools out there, but I don't think anybody's got a panacea for it. And the reality is it comes back to that user education, right? Just like we have phishing testing.
[00:12:32] It's almost like the security and awareness tools really need to start bringing in AI concepts into those tools as well, because I think the threat's even more than me clicking on the wrong thing. Like, you know, it used to be, oh, you got that text from your boss saying to go get the gift cards. And, you know, there might have been a $50,000 problem.
[00:12:49] But now you're talking about potentially exposing your entire financial information or putting your customer list in and really or your IP into AI totally innocently, totally being done by somebody that doesn't know any better because they saw a video that said, hey, you can get better controller reports as, you know, in finance if you do this. And those people are trying to make a name for themselves. They don't understand, you know, the other side of this. Hey, you're using a free tool that's training the LLM.
[00:13:16] That information now becomes part of it, you know, and all the things that go with. And to me, that's the scary part right now. Like, you know, somebody can do something totally inadvertently and truly innocently that can create much bigger havoc than I think even the phishing threats were. Yeah. Yeah, it's funny. Just, you know, I've been using Gemini a bit. I used some Claude. You know, I haven't really used OpenAI or ChatGPT very much.
[00:13:43] But the other ones, you know, you ask it, you know, compare these two things or, you know, tell me about these two companies. And it's easy to forget what is public and what you're doing. And as you said, training them. Yeah. What are the things that people want to look at? And it's just, yeah. As old farts like us, right? It's like, this is a little scary.
[00:14:08] Well, you know, the shadow IT part was always scary because, you know, I used to always make fun of the marketing groups, right? And which I feel like I can do because being part of that world, you can do it. But, you know, marketing is constantly trying new tools, right, to try to get engagement, those kind of things, and uploading, you know, a customer list, which may only consist of, you know, individual name and email address. But it's still contextual information.
[00:14:34] In Massachusetts, that would be enough to be in violation, as an example of some of the privacy rules there. And, you know, it happens every day. And nobody meant to do anything wrong. They just wanted to find a way to get a competitive edge. And I'm just seeing AI being the same way, but I think it's a little bit more widespread. It's across all departments. Everybody can have a use case for it.
[00:14:56] And I think businesses haven't gotten yet to that point where they're at least saying, hey, let's buy, you know, buy pro versions for everybody so we're in control of what goes out. Or, you know, certainly we need to get AI policies drafted and have AI, you know, education events internally because it is happening so fast. And everybody's certainly seeing the benefit. You just sort of springed a thought in, you know, sort of the cost benefit, right, or the cost analysis, right?
[00:15:26] If you say that the pro versions, right, what is that going to cost per employee? Okay, does that, you know, I got to put another thing in my IT bill, right? I mean, you know, the same was with vulnerability management, you know, a few years ago. People, you know, I can just do it once a month or once a year checkbox and I'm good. It's like, no, right? You need this. And so all these things, you look at a security stack of an MSP and the amount of items on there, it's just really just humongous, right? It's humongous.
[00:15:56] And so, you know, adding another AI tool and maybe, you know, I guess people probably are a little bit more open to grab that in. But, you know, but again, it's another aspect of cost that you need to do. So that may be some value of the position and maybe have some other people you can bring on to talk about that is how do you really position, you know, the value of doing some of these tools and the cost benefit and the, you know, just the security value of doing that.
[00:16:26] Well, I think it goes back to the whole MIP conversation, right? Because really this is where the service provider has an opportunity to step up and a little bit more neutral, too, because I don't think, you know, obviously there's now ways that we can sell AI as a community. But I think a lot of folks are still looking at it going, all right, the customer's using X and how can we get control around it? But really it's educating the leadership at a company and saying, hey, here's what we're seeing. Here's what's the reality.
[00:16:53] There's a lot of noise, you know, around those two letters. But here's the reality. Your teams are using it, whether you know it or not. Is your information protected? Do you have a policy to govern them? So if you see somebody using it the wrong way, forget about everything else. You can terminate them if it's, you know, for cause and you have data to back it up. It's really an education that, you know, if you're looking to become, there's always been this argument from my world of VCIO of,
[00:17:21] hey, we really can't embed ourselves in as leaders. And ultimately, we don't want to have decision-making control, but we do want to have influential control. And this is a topic that I think we can be very influential with and really start working with the customer. And it's ultimately going to lead to the projects that we want to do. It's going to elevate us, but it's also a defense mechanism. I'm hearing more and more from the MSP community that these guys that think they're AI gurus now,
[00:17:46] who have nothing to do with traditional IT, are coming in and taking that AI seat right out from under the MSP. Interesting. And a lot of that's going to come back to the, you know, the expectation that the customer has of their MSP, right? I thought I was already paying for that kind of stuff, right? I mean, that's the angel dilemma, right? Yep. Have you defined the edges, especially in the world of AI? You know, have you defined the edges of your relationship? Are you viewed as a commodity?
[00:18:15] If you are, this is an opportunity to maybe step up because it's a really hot topic. And even the smallest of businesses are kind of like, what can I do with AI to a degree? But I think, you know, when in talking to the MSPs I speak to, many of them haven't even done their first project yet because everybody's still very confused on what can be done, what should be done. And, you know, we've added readiness assessments within our tool. And again, not to be a, you know, a commercial, but it's to kind of help everybody kind of level set and go,
[00:18:45] hey, we even thought about what our strategy is. Do we know who the people are going to be involved in this, you know, as we get into it? And that's where an MSP can really go in and shine today saying, hey, here's your procedural concerns, your people concerns, your security concerns, your data concerns. I mean, you know, is your data even clean, right, before you even go into those things? So there's a lot to be gained today through just a simple conversation of what don't you know, Mr. Customer?
[00:19:14] What have you been thinking about AI and can I help you formulate those thoughts? That's a great positioning, right? It goes back to the influencer, back to the trusted advisor, you know, any of the various terms. Because if you're not answering and talking, they're having that discussion, somebody else is going to be. Yeah. Or they're going to find somebody else not thinking you're the one. And that's the biggest shame. You've already got the relationship, right?
[00:19:39] And, you know, that's what we're trying to share with folks is if you haven't just asked people, where do you need help? You know, that's question number one. And if you hear the same thing enough times, then if you're wondering what your next webinar should be. So we're getting near the end of our time, Frank. I don't know if you have anything else you wanted to cover off on before we wrap up for today. No, I just, if you don't mind, I just wanted to just remind people a little bit of the points that we offer.
[00:20:08] Just, you know, continuous vulnerability management, right? And threat exposure is really our core deliverable with Nodeware. You know, it's easy to use, quick to deploy. It's the full enterprise coverage, both for devices and for the applications on the Windows devices in particular. We're able to monitor and manage those vulnerabilities and patch. And we support tools. You know, the data goes into the vCIOToolbox, as an example.
[00:20:35] So if you are doing compliance, we're easy to fit for that kind of thing. The other piece of our business, again, just is services around penetration testing of all types, right? Physical, on-site, keyboard, OWASP sort of application testing, some vCISO stuff. So if you're interested in any of that, we'd love to hear more from you. You can find me on LinkedIn or reach out at Nodeware.com and we'd love to have some more discussion.
[00:21:05] But thanks so much, Brian. It's been a great conversation. Well, I thank you for stepping in very quickly and jumping in here, as you always are willing to. But, you know, I always learn a little something, too, when you join me. So I appreciate that more so. And, you know, I'm excited that, you know, we're not too far away. For those of you that are going out there, GTIA is in about a month, give or take, from on this video live.
[00:21:29] And it'll be really fun to see the channel come together at one of those shows where pretty much almost everybody is there. Yeah. And I agree. Everybody's there. And it's a really different variety of a show, if you haven't been before. It really is the community.
[00:21:48] It's, you know, you can talk up to your meetup, go up to the CEO or, you know, GTO of Pax8 to England to, you know, TD Synnex to, you know, the largest partners and MSPs in the world to the biggest vendors. So it's really is a good avenue if you haven't signed up yet. I know they're still taking registrations and hotel rooms are available. So it's in San Diego, which in August is never a bad place. Nope.
[00:22:18] Weather's always great in San Diego. So you can't go wrong. But awesome, Frank. Well, thank you again for joining me today. And listeners, as always, you can get this out on YouTube. You know, just subscribe so you can stay up to date on all the latest episodes or download it anywhere that you want to listen to your podcast. Within the show notes, we'll have Frank's LinkedIn address as well as address or links to both Nodeware and IGI. And, Frank, I'll see you in about a month in real time.
[00:22:49] All right. Take care.


