HITT Series Videos

HITT- Cybersecurity and Incident Response – Dec 17, 2024

December 19, 2024

In the latest HITT, the team introduced new suppliers, including Everfast Fiber Networks and Cypher, focusing on enhancing cybersecurity strategies for clients. Jason Kaufman, a cybersecurity solutions architect, emphasized the importance of incident response planning, revealing that organizations with such plans can save significant costs during breaches. The discussion highlighted the need for education on email security and the risks associated with inadequate managed service providers (MSPs). Cypher’s flexible cybersecurity approach aims to support existing MSPs without requiring major overhauls. The call concluded with a focus on upcoming events and promotions, encouraging partners to engage and prepare for the evolving cybersecurity landscape.

Transcript is auto-generated.

In the first twenty-four hours following a cybersecurity breach, what has to happen, and how you can help guide your clients through the early stages of such an incident.

We’ll see the rapid mitigation and remediation techniques that your clients will need to reduce the attack’s impact.

We are joined today by Telarus cybersecurity solutions architect, Jason Kaufman, and his guest, Rosanna Fllingeri, VP of sales at Cyber Safe Solutions.

Both are returning Telarus Tuesday call presenters. Jason, Rosanna, welcome back to the call. Glad to have you today.

Yeah. Thanks for having me. Really look forward to this talk track. It’s actually one of the biggest, most in-demand cybersecurity conversations I’ve had this year, so I wanted to, you know, end it with one of the top talk tracks.

Understanding Incident Response

So perfect. Yeah. Yeah. I’ll take it from here. So, yeah, what we wanna talk about today is incident response.

So we talk about, through cybersecurity training, a lot of remediation techniques and mitigations that you could do. You know, we talk about all the different tool sets, all the services, you know, anything that you wanna bring to the table in order to mitigate that threat from coming in and potentially contain it after something breaches the network. So one of the first things we talk about is, hey. Always plan for when an attack happens, not if.

But, you know, nobody really, you know, understands what really happens when that attack happens. So we wanted to cover, you know, some of the techniques here in different flavors, so you have a go-to strategy for that. If the customer comes to you and says, hey.

We’re we think we’re actively going through a breach or we know we’re actively going through a breach because we have this blue screen that tells us that everything’s encrypted. What do we do? So we wanna arm you with those techniques and somebody to go to so you’re ready to rock and roll if and when that conversation happens. So let’s go to the first slide.

Wanna give you a few different data points for those great talk tracks that we have for that customer so you could say, hey. If you have this type of incident, call me because I’m your adviser for anything cybersecurity.

So some reputable data points here, you know, I like to call them some truth bombs. If you look at the Verizon twenty twenty four data breach investigations report, which is a very well known industry report, sixty-eight percent of breaches involved a non-malicious human element. So every part of our cybersecurity training always tells you that, hey, it’s much easier to breach a person that already has authentication and access into customer data rather than trying to breach it from the outside. In fact, sixty-eight percent, I know it’s on the Verizon report, but if you look across the industry, you’ll see that number even get up to the upper eighties. It actually increases year over year because it’s much easier to hack. If you ever talk to Jeff Hatcoat, our other cybersecurity architect in the west, he always talks about Betty from accounting. It’s much easier to hack Betty than it is to hack a firewall that’s constantly updated and patched.

And of those incidents that happened, eighty-one percent of the companies have a plan in place, but only thirty-four percent consider those plans to be effective. So where that’s important for you is if you’re asking a customer or a client, hey. Do you have an incident response plan currently? You can actually challenge them on it and say, hey.

Are you confident that it’s actually up to date? Or what if you had a ransomware attack from this known entity or you had this type of breach? Do you know how your team would react to that? Or would they sit in bewilderment and have to pull out the run book?

Are there gaps in that entire plan in preparation? You’ll see a lot of them will start saying, I don’t really know of that. The biggest question in cybersecurity that we can ask is, are you sure? And that’s a big data point right there that you can actually fill them with, hey. You know, even though eighty-one percent of people actually have it, thirty-four percent, which is a very low number, you know, one of my grades from high school, thirty-four percent is what I’ve seen on my report card a lot. That is not a very confident answer. So make sure you have that one in your back pocket.

Importance of Incident Response Planning

And then one of the big reasons why we wanna talk about incident response is if you have a plan in place, you can react very quickly. Organizations that have incident response planning and have a company to go to or have internal staffing in order to react and contain very efficiently, they save one and a half million dollars compared to those that do not, according to CDW. So that’s a very important conversation track. It’s saying, hey, customer, you know, in certain incidents, we can save you one and a half million dollars just by having that certain talk track right there.

Let’s have a conversation about it and see what we can do. And then on top of that, those that react within the first thirty days save more than one million dollars compared to those that don’t. So you can see the average dwell time now we’re seeing is generally decreasing over time. It was increasing to, like, two hundred, two hundred and fifty days.

But now with all the tools and techniques that people have from services that are now put in front of them consistently, sixty-nine days is still a long time for a threat to be in the network before you react to it. So a few data points there I just wanted to share with you before we start getting into the options that you have in the marketplace today. So if we can go to the next slide.

Options for Incident Response Strategies

So a few different options we have today, and not really sure what happened to the text on the left one there, but, if you’re thinking, like, good, better, best, there we go. Good, better, best scenario. Good is ad hoc. So that means that, hey.

I have a breach. They don’t have anything in place. They don’t have the resources in order to be able to respond to or contain the breach, but they need help immediately. That is what ad hoc is.

So it’s a getting on the phone, and I’ve seen Rosanna do this, which is why I really want to pull her in for this conversation. Get on with the customer pretty much immediately and start, you know, advising to, hey. Do you have these controls in place? Do you have this contact?

Do you need to have these resources? And then start talking down that track on, hey. How do we contain it? And then start the remediation process.

The second one is retainer based. So this is where you get a little more proactive to where you have a team ready to go, a number that you can call, and you get priority SLA backed response times compared to the ad hoc. So, generally, retainer based has some form of application that sits on a lot of endpoints or sits on the networks and gives some telemetry data immediately to the incident response team so they can get some data points to react on rather than having to come in that ad hoc approach, which doesn’t have that type of, you know, software package with it. So they’re coming in a little bit more blind.

So this one gets you a little bit better reaction time because there’s more data that they can pull immediately in order to start that incident response. And then the best approach is the MDR that includes the incident response. So that provider that’s already protecting your network, protecting your data, protecting your endpoints and everything involved in your infrastructure, they have an incident response team that’s ready to go because they know no matter how much you protect a network or any of those devices, they know at some point they’re gonna have a breach that’s gonna bypass that because we have zero-day attacks.

We have Betty from accounting. We have many things that are outside of kind of that control to where now you need a team that could be at your disposal when you need it. So if you’re looking at the options for your customer that you can advise on, say, hey. If you don’t wanna, you know, if you don’t wanna have a retainer for a company to do this, then great.

We could do this ad hoc, and I have contacts for that. Or I have a company that can come in, protect the network, and they can react immediately when needed.

So let’s go to the next slide there. So I do wanna bring in Rosanna. I know we had a slide before that kinda showed her picture, where she’s at, VP of sales at CyberSafe. So we’re bringing in the big dogs here.

Use Cases in Cybersecurity

Somebody that has a ton of experience that I’ve seen personally on calls and does a great job in order to get things, moving very quickly. So we have three use cases we wanna talk about that Rosanna has seen in the marketplace a lot, you know, phishing, malicious application download, and brute force attacks. We’ll get into each one of those, what they look like from an opportunity level, and then kinda where it led, because I know everybody wants to talk about, hey. Where’s the commission on this stuff?

We’ll get into that as well. So let’s start with the first one.

So next slide, please.

Alright. So, Rosanna, I’m actually gonna turn this one over to you. If you can give us a little background, and we’ll go over a little bit of the impact, how you guys detected it, and then what the remediation tactic was in order to get the company back up and running. And then we’ll highlight, you know, what that means for the adviser as well.

Absolutely.

I have a truth bomb too, that I wanna share with, I guess, the group before we dive into these use cases. So every year when the holidays come around, we usually start to see it around Thanksgiving and then it funnels all the way out through the new year. The cybersecurity vendors of all sorts send messages out and it’s like, hey, you’re gonna get hacked over Christmas, right, or the holidays or the new year time period. Now we don’t believe in education by scaring folks, but we do know that there’s some sort of communication that’s, you know, necessary to come from you folks to your base. The suggestion that I take in these situations is let’s just educate on the importance of, you know, us being away from our systems during the holiday time period rather than leading by scaring them with, you know, someone’s gonna click on a phishing email while you guys are out for the holidays.

So subtle nuance in that communication.

Educating Clients on Cybersecurity Risks

When I meet any partner of ours, the first thing that I say to them is, well, I hope that your clients never have a cybersecurity event. I know for a fact that is, you know, an inaccurate or inappropriate way of thinking.

Something will happen at some point in time. So we wanna walk the very balanced line between educating them so that they know that they can call you when something happens, and scaring them or potentially being a little distasteful in the messaging that goes out. So one of the things that I always suggest with year-end messaging is, hey folks, you know, we’re approaching the end of the year, we focused a lot on cybersecurity this year, we were able to help our clients with a couple of strategic examples.

Think about us in New Year or let’s spend some time so we can educate you what we’ve learned this year.

That way you plant the seed and it’s not a scary message to folks. Now jumping into the use cases, I think a really important background is whenever we protect a business, right, from CyberSafe’s perspective, we wanna make sure that we understand all of the places that they inherit risk from. You guys as strategic advisors could and likely should have this conversation before you even start the cybersecurity talk track, right? So where do they do business?

How do they do business? When do they do business? The more you can learn on that, the closer you can get to their business strategic planning for the year, the better you can detect cybersecurity events.

Real-World Example: Phishing Attack

So in this particular example, this happens, I promise you guys, like, all day every day. Right? People are most guilty of clicking on something within an email.

Perhaps we use the phrase Betty from accounting for this one.

Yes. Betty from accounting.

So Betty from accounting is likely busy. She wants to be clicking on whatever she needs to to get her job done, and she’s ready for the holidays to come about. So Betty from accounting gets a link and she clicks on it. Maybe it was a link to someone saying, hey, I’ve got this order or I need to change my payment terms, whatever that may be. The misconception here is that email filtering is going to stop all of these things, right? We need to have it. There’s just no disrespect to any of those filtering platforms.

We also need to be making sure that we’re spending time to properly configure our Microsoft 365 tenants. There are so many security things in those, but no one ever knows how to turn them on. Actually so much so that when we get proactive clients that sign on to our XDR or EDR plus offering, we go through a hardening exercise with them intentionally.

So those are the first two things. But Betty clicks on this link and it takes her to a site where she can enter her credentials. She does because she’s just trying to do her job. I saw one of these last week actually with DocuSign.

So a DocuSign link took them to a phishing page; they put in their creds, and now the threat actor has been given these credentials and can poke around and do whatever may be necessary. Here’s the misconception here. Most people think that this is not a detectable event. That is not true, right?

There are a number of different things that a strong security team should have been able to see in this situation. One, a malicious link that was clicked on and interacted with. Security teams like ours always expect them to have clicked and given their credentials. Right?

Even if the user says that they didn’t, they generally do and then they get scared and they don’t wanna tell us. That was the first piece. The second piece was once those credentials were given up, that account was likely logged into in two places at once because the threat actor was trying to do their job. Right?

Another misconception here is that as soon as that happens, the threat actor is ready to go. That’s not true, they wanna watch, they wanna look and they wanna learn of when they can strike at a time that makes the most sense. So the second piece is that should have been seen. The third piece is when a threat actor tries to learn more about a business, their job is obfuscating defenses.

If you guys ask anyone who has gone through this email use case, I guarantee you that they will say, oh, yeah, we didn’t know exactly what happened but then there was a rule set up saying take any emails coming from this sender and forward them out or forward them to RSS. Right? I don’t even know what that was when I started working with CyberSafe. Right?

But, essentially, that’s a way for a threat actor to try to go without detection.

All of this is possible for a proactive security team to see. So that’s the underlying message here. Anything you wanna add to that, Jason?

Actually, I have a follow-up question. So if we’re following the lines of Jeff’s think-like-a-bad-guy talk track, you know, what are they, you said, you know, they’re sitting here and they’re not immediately reacting in order to, you know, gather all the information that they have immediately upon the breach. They’re sitting there waiting. What are they waiting for?

So they can be waiting for a time that they feel is optimal to strike. They can be waiting for enough time to gather information. Right? So usually, we’ll see campaigns, phishing campaigns, that are sent to an organization.

They’re sent to a number of different people. Sometimes they’re admins, sometimes they’re assistants, sometimes they’re the c level or just a day to day regular user. Why they would do that is they wanna increase their chances of getting in. But if it’s someone who’s moving really quickly, for instance, Betty from accounting, maybe she has some sensitive data but not everything.

So what that threat actor actually looks for is what emails is Betty going to get? How am I going to use this against this organization?

So that’s that concept of dwell time where they’re sitting there just waiting to listen and learn for something that’s happening. Now I do wanna just be very clear here. This is something that, for proactive clients, you will never be able to one hundred percent prevent. Right?

We can lock everything down. We could follow strong passwords. We can train our users. It only takes one time.

This is where we have to collectively train on detection and the importance of it.

That’s a great point.

See, we’re coming back to the same methodology: no matter what mitigation techniques and prevention techniques you throw out there, it’s not if something’s gonna happen, so always plan for when. Because no matter how good a tool is or a service is, you always wanna have a plan for when something gets through. So great point.

Any final words on the phishing one before we move on to the next one?

The Importance of Email Visibility

Yes.

Visibility into the email is important for every industry regardless of what they do. Right? So I’ll give you guys an example that’s bubbling up to be really important.

Car dealerships, they just got put under a regulation, FTC Safeguards for non-banking regulated entities.

Ignore the nuance there. Point is, many of them feel, you know, this isn’t really a fit for us. What do we really have in our email? We use different platforms.

If a threat actor spends one minute in an email account and they can click up or down, and there’s a name, a birthday, an address, anything that is considered personally identifiable regardless of the industry that the client is in, that situation can potentially be a reportable breach. Right? So all it takes is, as quickly as we all file through our email boxes, is as quickly as a threat actor would need to do that for that business to potentially be on the hook. So very, very significant regulatory and compliance measures come along with this as well.

Great point. And that actually reminds me of a use case where, you know, somebody got into the email account of the CEO and didn’t do anything. Obviously, just sat there and listened and then finally figured out who the players were that could send checks out based on the accounts payable team. And now they were emailing the accounts payable team to send checks or ACH deposits to specific accounts that they owned, and the company of eight folks were out five hundred thousand dollars within six months before they realized anything was going on. Because Betty from accounting never asked the CEO in person or picked up the phone and called them directly, hey. Is this a legitimate request?

So there’s a lot that happens there too. It’s not just somebody breaching and, you know, creating inbox rules or stuff that’s actually easily detectable. It is stuff like that, where they’re acting with malicious intent through actual employees, that makes it look like somebody else is sending a request.

Yeah. I saw one last week for two million. And, the client that we were educating on, you know, how to move forward, they said, well, we just have we have insurance for this. And, unfortunately, misconception there, insurance does not cover in ninety nine percent of situations when the user voluntarily does something, like sending money to the wrong place. So I’m glad you mentioned that.

That’s a great point as well for everybody to write down. What insurance does not cover. Big misconception there. So let’s get on the use case number two. So, yeah, Rosanna, if you can paint us a picture kind of what use case two looks like, we could start digging into that one further.

Sure.

Risks of Downloading Software from the Internet

So the background on this is another education piece. It’s another thing that I did not know actually until this started to become a commonly exploited threat.

When we go on to Google and we type in Microsoft Word, whatever it is, right, or Photoshop, something that we’re trying to download onto our systems, one, us as users likely shouldn’t have permission to do that, but let’s just say that we do.

Usually, the first, second, and third links, you guys all probably know this, I didn’t, but in case you don’t, are sponsored, right? Today, one of the most common attacks actually is threat actors creating malicious links, SEO poisoning, sponsoring them and waiting for someone to interact with them so they can advance their bad actor tactics, right? So going out to Google and downloading anything, we all know really, you know, is not a best practice, but it’s very important to understand the ramifications that can happen. So this is a real use case from a client that we had supported as a proactive client, right, rather than an incident response situation. And I’ll tell you why we included this first. So in this particular environment, one of their users, they were a law firm, went out to download software that was responsible for helping with their documents.

They downloaded it, it was unsigned, it could have potentially been malicious. However, an underlying EDR platform would not and could not have noticed that this was a malicious platform.

So the EDR, if you guys are thinking, didn’t notice them going to the website, didn’t notice them clicking, and didn’t notice them downloading that malicious application.

That does not mean SentinelOne is bad. That does not mean CrowdStrike is bad. That does not mean Microsoft Defender has points where, you know, it’s inadequate. Right? Those are software tools.

Software has to work for all of the individuals that have downloaded it or businesses that have put it in their environment. Software cannot handle nuance.

It doesn’t know the difference between me and Jason, right? No matter how much we tune it, a SentinelOne or an EDR platform will never understand that difference. So really important piece for you guys to understand there. Now what happened was when the user downloaded this malicious attachment, this malicious piece of software, essentially what happened was they added it to the image.

So every time they spun up a new system, they took this malicious piece of software and just put it back on a computer and they reinfected themselves. They had the opportunity, I should say, to reinfect themselves over and over and over again. Here’s the important piece: CyberSafe had a detection around potentially malicious behaviors associated with indicators of compromise. Again, we learned a lot from our incident response practice.

So we were using that EDR agent to continuously interrogate the environment. We had a detection on a watch list where this piece of software, was doing things that software just quite frankly doesn’t do. Would an EDR have noticed this malicious activity at some point in time? Yes.

However, you know, things like a DNS request or potentially reconnaissance in the environment, that’s the importance of having a security team that understands the underlying client.

So we got on the phone with the client and we said, hey, you know, we’re seeing this weird thing happen. Where did you get this piece of software? How did it happen? And essentially, it was an IT admin.

It was only in that conversation where they actually told us, wait a second, we just got the system. Do you think we bought it and it was compromised, it came hacked? And we’re like, no. Right? Very, very unlikely.

What did you do when you were configuring this? Turns out the story that I just told you guys, they went out to the Internet and they downloaded something and they put it on that system. If the analyst did not take a couple steps there, every time they configure a new machine, they would have reinfected themselves over and over and over again. Right?

So the importance in that is being able to really, really understand what the client’s normal is and react before the abnormal comes. Now in this particular situation, if it was an incident response client, there is a very high likelihood, I’d say close to a hundred percent that they would have been in a full ransomware situation because they were proactively reinfecting themselves simply because one of their IT admins downloaded something from Google.

So this is a great scenario to say why best is better than good when we show the three different flavors of incident response. Having that MDR approach that could proactively look at this and immediately react to something that a lot of the tools and telemetry were gonna miss, that’s a very important point to throw out there. And, also, sorry, Rosanna, to interrupt you there. Just wanted to mention that, you know, this is important for, you know, a lot of the supply chain attacks that are going on right now.

And this is why, you know, supply chain is not just about hardware and where things are coming from, from manufacturing plants and stuff. It also has to do with the supply chain of software. So if you don’t know where that software is coming from, from a trusted source, to make sure it’s not tagging on any of these poisoned applications, then, you know, you gotta make sure that you’re looking at where the stuff is coming from. So, Rosanna, I wanna kinda turn it back to you to close this one out.

We wanna hit the next one.

Sure. Absolutely.

So just closing remarks there is every organization has an obligation to get it right. Right?

That’s not gonna happen. Right? We’re not going to get it right one hundred percent of the time when it comes to best protecting a business. So what we need to encourage our clients to understand is you can have the best products and tools in the world, but, unfortunately, they are going to fall off at some point in time.

That is where you guys as advisers and educators come in. That’s where providers like CyberSafe and Jason and team come in where we can say, listen, folks, it’s not about spending millions of dollars in your security program. It’s making sure that we’re taking the right preventative measures. We have proper detection measures, but most importantly, we’re talking about best practices across the business because that user should have never been able to go out to Google and go ahead and do that.

But mistakes are made all the time. Right? And how quickly we can detect them and recover from them is essentially what saves businesses.

Human Error in Cybersecurity Breaches

Perfect. And then, you know, the first two use cases are human-led breaches. So that’s where we’re talking about that data point that sixty-eight percent of attacks happened because Betty from accounting or somebody equivalent clicks on something that they shouldn’t have or went to go download an application from an area that they shouldn’t have. But we want to throw one use case out there that fell outside of that sixty-eight percent, which is a brute-forcing attack, which most people have heard the term for.

So, Rosanna, we have about three minutes here. Just wanna touch base on this one so we can answer some Q and A afterwards.

Absolutely.

So as we get into this example, one other point that I wanna make is if you guys ask me what are the number one or number two real-life attacks, ways that hackers are getting into an environment, it would be through the email like we just mentioned, and then it would be compromising network assets. Right? So impacting an RDP, leveraging firewall vulnerabilities.

I will tell you right now, compromised VPN accounts are what I have spent my last two weeks talking about in every incident response scenario that we’ve dealt with. I was actually on the phone with Jeff Hatcoat last week and I said, I’m so sorry, I have to move our meeting. We just got three incident response calls, all with the same threat actor group, all compromising network devices. Right?

So in this particular situation, RDP was publicly accessible on the firewall. Essentially, what that meant is that the actor understood that there was RDP there, they could have exploited it. The client did not have the proper protection measures or protocol in place to protect those accounts, right? So MFA was not enabled, there was no two factor there.

So if you got a password, you were in, in this situation. So what happened was this allowed for a threat actor to make their way into the environment and do reconnaissance. Right? Figure out what else is happening here.

What can I learn about this business? Now how something like this can be detected is by looking at network traffic, looking at Syslog, paying attention to NIDS, so any sort of network intrusion detection that may be built into a firewall or on top of that. Those are all very important datasets.

Now, here’s the distinguishing factor. What needed to happen in this particular situation is someone had to know that these logins were abnormal, right? Again, this goes back to education. This goes back to following best practices.

If a business does not do any business or work with anyone outside of the United States, well, we should make sure we’re following geo-IP filtering. We’re making it not possible for them to do that. Now here’s where the understanding of the client piece comes in. If, let’s just say, CyberSafe proactively works with the client and we know they’re largely international, we have to treat them differently than someone who’s only a regional player, you know, in California or in New York or somewhere in Texas.

Right?

So the first piece is having the visibility to understand this is occurring. The second piece and the most important piece is being able to respond to that. Now if we’re facilitating an incident response scenario in this situation, this is a really, really tough one to detect without visibility.

Most of the time, organizations find out about this after the fact because there was no way for them to have those checks and balances there. When something like this occurs, regaining trust of the environment is mission critical. So an exercise that we would take if this were an incident response situation is, let’s figure out what assets are where, let’s move to protect them, let’s move to disconnect.

Right? So in the situation I was just telling you about with Jeff, we disconnected those VPNs immediately. Right? That was our way of making sure that we could cut off the threat actor.

And then we had the conversation of moving back to a trusted state. So I know that these were three very pointed examples. But the point here is guys, we can give you a million, right? We can talk with your clients about a thousand ways someone can get into an environment.

Unfortunately, examples like this will only get us so far. We don’t wanna meet people after they’ve had something like this occur. So we wanna move to that education standpoint where we can say, hey, folks. Here are best practices.

Proactive vs Reactive Cybersecurity Measures

We’re not gonna force them on you, but let us educate you because it’s going to be cheaper. It’s going to be a lot quicker for a business to proactively help you recover rather than reactively because the harsh reality is businesses don’t usually recover. They usually don’t get their information back. And unfortunately, that downtime costs quite a bit more than just going with a proactive solution in the first place.

Hey, Rosanna. I got one last question, then we’ll turn it over to Doug for q and a. So compensable, you know, one of the most important questions for this call. The incident response, is that something a partner can get paid on?

Yes. Absolutely.

And then how many opportunities that you come in for incident response lead to managed services after the fact?

Let’s say ninety nine point nine percent of them. The only time that they don’t is if that company, unfortunately, goes out of business because they just can’t work.

Okay. And then the managed services are compensable as well too. Right?

That’s correct. Yeah. They moved after the fact, you know, that they need to make changes.

Perfect.

Well, thank you, Rosanna. Really appreciate you going through the use cases with me here and, turn it over to Doug who may have some q and a unless we need to move forward.

Engaging with Medium-Sized Businesses and MSPs

Thank you both. Terrific presentation. We do have a few questions we wanna touch on.

Zachary Schechter just wrote in a few minutes ago and asked, hey. For folks that are working with medium sized businesses, SMB customers, they already have an MSP that they’re working with, but it becomes apparent that that MSP is really not that far advanced.

Suggestions for approaches and ways to get into that conversation.

Absolutely. Tale as old as time. Right? It’s very tough to come in and, you know, we don’t wanna call anyone’s baby ugly, so to speak.

Right? So we wanna walk that really fine line of making sure that these folks understand that we’re an ally to them to a degree. But usually when they’re not doing really good, you know, a strong job of security, it’s not their focus area. Right?

So we educate the client to say, well, when you hired this MSP, you probably brought them on for help desk or firewall management or for a particular reason. Did you really hire them for security? Usually, the answer is no. Right?

So we can talk with them about checks and balances and why they’re so important. How you can make that MSP an ally to you if you’re not fully replacing them is making sure that they understand that there’s likely going to be room to improve from a day to day practice perspective. We can keep them in the loop. We can associate them with wherever they’re contracted to be supporting.

If they just really are inadequate, we can talk with the client and say, hey. Look. Let us educate you about all of the things that we have to offer and then you guys can make that business decision. You guys haven’t worked with CyberSafe before.

We educate first, sell second. Right? So we don’t wanna burn that bridge. Let’s just say it’s not an opportunity as of today.

Maybe that small MSP has a you know, there’s a relationship there on an executive level. We don’t wanna come in and jeopardize the opportunity at large, but we’ll talk about ways that they could potentially begin to change and create a road map with them on how to do that.

And that’s where it kinda leads to the pen test conversation. So if you have an MSP already and you’re you know, maybe you have some doubt that they’re effectively managing it, that’s a great time to start positioning on, hey. You know, we wanna work with the MSP here, but let’s see where they’re at. Let’s see if there’s any gaps that we can help them fulfill because you never want the company protecting, you know, the infrastructure also performing the penetration test to see where the holes are. You want a third party to always do that. And that’s why we always educate on having a third party do that and then change those third parties year over year so you get a different visibility and a different team trying to figure out how to breach a network. So that’s one of the talk tracks that we generally lead down if there’s an MSP that there’s potentially some gaps, is start talking that pen testing conversation, to lead into that CyberSafe education approach.

Understanding Cyber Insurance in Incident Response

Yeah. Important separation to note.

Couple of questions came up about cyber insurance and the value of that. Questions around how strictly, those requirements associated with an insurance plan have to be followed. Rosanna, you mentioned earlier that, insurance certainly doesn’t cover everything. Are there important exceptions or requirements that our advisers need to know about?

Yes. So in an incident response situation, we will triage alongside you folks. Right? So I saw one of the questions is, you know, as an adviser, shouldn’t we tell them to contain and call insurance? Yes.

But we wanna make sure we’re giving very clear direction on that. A lot of the times people jump to try to recover. And sometimes IT professionals actually impact the data that we can use or the artifacts, you know, us figuring out what might have happened when. So we actually ask them to do nothing until we triage with them. Now you’re probably thinking, well, how do we do that in a real live active breach situation?

Our team is accessible twenty four seven, three sixty five, we will triage with them and tell them exactly what to do and when. When it comes to insurance, yes, that is one of the first questions that we ask. Do you have cyber insurance and who are they?

We usually have them reach out to their insurance carrier. Sometimes they don’t if we can’t quantify what’s happened because the last thing we wanna do is go let the insurance body know, hey. Something happened here. We don’t really know what it is, and we know you’re gonna ding us.

Usually, the first call that we make is actually to legal counsel, alongside with the client. If they don’t have it, we can help them with it. So we can put everything that we’re about to do under privilege and then take legal guidance from there. As far as approved panels, yes, we’re on a number of them. If we’re not on an approved panel, we can still do the work. There is a way to get reimbursed.

If we hear that it’s not an option for us to have the client reimbursed or to do the work, we will make sure that they are put in the hands of someone that could properly support them going forward. We will do that. We don’t charge for it.

We just wanna make sure that your client is properly handled.

And then we could take a run at the future, you know, long term.

Run at the future, you know, long term support from there. And then one more really important question that I did see in the chat. So CyberSafe includes unlimited remote incident response on all covered assets with our proactive solution. So if they’re an EDR, which is their endpoints network, I’m sorry, their endpoints, desktops, laptops and servers and EDR plus which is their endpoints plus their email or an XDR that is fully included, they do not need a retainer.

If it’s not a client of ours and we meet them, we can do an incident response scope of work, depending on the environment, they can be fifteen thousand, I’ve, you know, I dealt with one for eight months and it was north of two hundred and fifty thousand, right, it was a pretty impacted environment. So it does run the gamut, all of that is commissionable and anything that comes out of that, is of course tied to whomever, you know, introduced us to the opportunity.

Summarizing Key Takeaways from the Presentation

Thanks, Rosanna. Terrific information. We are out of time for q and a, but I’ll leave the chat window open. You can continue to submit questions and comments. Jason and Rosanna will continue to answer those. Jason, last word for you to sum this up today.

Yeah. I think it’s, you know, great topic here and great, you know, not only data points, but also recovery techniques in order to have that conversation with your customers to show what value you can bring to the conversation when, you know, keyword when an incident response happened or a breach or anything like that, even if they have somebody protecting their infrastructure. So I think it’s good to take Rosanna’s information down and, have that in your back pocket in case you do get that call. So thank everybody for joining.

Thank you both for being here. As always, terrific presentation. Hope to have you both back soon.

Alright. Thank you.

Introduction of Cypher as a New Partner

Alright. As we mentioned, the chat window is still open either for Jason and Rosanna or for our next presenter coming up. Time to welcome a brand new supplier to Telarus. It’s Cypher, delivering solutions built to connect people, processes, and technology to support every step of the cybersecurity management cycle. Today, we are joined by Cypher VP of channel sales, Tyler Smith. Tyler, glad to have you here today. We’re very excited about the new Telarus partnership with Cypher.

Likewise, Doug. Thank you for having me. Great breeze, though, by Jason and Rosanna.

Lot of topical stuff that we’ll probably cover a little bit of when we talk about Cypher categorically. We’re in that same sandbox. So, look forward to telling the audience more and also explaining how the wins work, the professional services side that advisers can be comped on as well as the recurring services side. So we got a good runway to cover here.

It’s all yours. Welcome.

Cypher’s Unique Approach to Cybersecurity Services

So, again, thanks everybody for staying tuned in. We know it’s the end of the year, so it’s kinda cumbersome to try to get everything wrapped up. A little bit about Cypher. So I’ll start with myself, actually, maybe a little bit easier.

I’ve grown up in and around data center, cloud and security for about fourteen years at this point. So that you saw that mindset of starting with everything on prem, that castle mentality, and now that’s evolved to maybe hybrid cloud and on prem all the way through full cloud and kind of the introduction to AI now as well. And what Cypher has partnered with Telarus on is unique in a few different aspects. I think one of those aspects that is gonna be highly redeemable to the adviser community for Telarus is that as you think about MSSPs, MSPs, right, that managed service provider, managed security service provider, typically, you have this approach where everything has to be all in one.

And those SOWs or agreements or contracts include multiple line items that have to go on paper, not only for the adviser to be comped, right, but also for the solution to be delivered. There’s a considerable amount of requirements that you feel like are stacked, and and you gotta have this all in one approach.

We have almost reverse engineered that to be the opposite. And I think that’s one thing that we were going through the introduction with Telarus and then how do we differentiate, what do we look at as a separating factor in our approach as an MSSP is that the customer is gonna have these customers we’re working with now, right, whether it’s you think agnostic of industry, it could be high compliance like health care and financial services, it could be very low compliance. There’s always gonna be some incumbent technology that exists. Maybe it’s not a full stack. Maybe they’re just BYOD and have email security, whatever the case may be on their posture.

We don’t wanna necessarily approach these customers and say, hey. We have to rip everything out now. You’ve gotta reinvest in your technology stack, whether it be equipment or services, what have you. A point that came up earlier. Right? There’s an incumbent MSP that’s been working with a customer. What could the gap be there?

Cypher has the autonomy to approach that in any capacity that the customer needs based on their phase schedule and approach.

So think about as a tech adviser, how do you get comp working with Cypher? You get comp starting at that front end approach, that assessment.

That doesn’t necessarily have to be a recurring service of any kind. That’s what we would categorize as professional agreement, a onetime approach, SOW that goes out, tech adviser can get paid on that. And as Jason and Rosanna mentioned earlier, that almost always leads to additional services that the customer needs entirely, whether that goes all the way through MDR, EDR in a fully managed environment, or it’s just segmented to a particular stack of their technology that they can’t manage.

One thing Cypher has an extension of is a vast array of supported technologies. We call them, like, OEM integrated solutions. Right? So if those customers have either an internal IT team, which is almost always the case, at least a few points of contact, or they have an MSP that’s local or regional that’s supporting their environment, a co managed coexistence approach is absolutely a reasonable step to take.

The only way you’re going to see a considerable amount of churn on an existing MSP level is kinda what Jason and them harped on earlier. They’re just not performing. Right? In that case, that’s outside of your control. It’s outside of our control. We’ll fill the gap. We don’t necessarily wanna talk a customer into cutting ties with anything unless there’s a demonstrable reason for that.

And the best I think the best situation we’re in now is we look at what does twenty twenty five have coming up with NIST two dot o approaches with PCI increases in compliance, HIPAA increases in compliance.

The Growing Importance of Cybersecurity Awareness

Compliance.

The best thing that’s happening right now is just generally being aware of the market. So if you look at the the awareness of the c suite, so we could be well, we always think about CIO, CISO. Right? Think about expanding that C suite audience, the COO, the CEO, the CTO, perhaps.

The awareness of cybersecurity and security awareness in general is higher than it’s ever been, and it’s only getting higher. Where the CIO office used to own and contain all of those cyber measures, now that’s expanded across the entire organization down to the staff level with security awareness training. One thing we want to start positioning as just a general conversation beyond the posture piece is let’s talk about how often is a customer doing assessments. What kind of reporting do they need? Do they have in house tools that provide that visibility, not only to perhaps an external auditor, but to their internal team on where those gaps may exist?

Cypher can provide that with GRC compliance services, GRC tools.

Those are items that if you think about that general category of what providers have currently in the market, we can combine all of that into one delivered approach again that’s a phased in model around what the customer can either budget for, the most important part. Right? Like, how can they budget for this in a reasonable time frame, but, also, how does this need to be delivered?

Right now, if you think about security in the market, the unemployment rate for security architects in general is point zero eight percent.

So full employment is two percent. So the unemployment rate for security architects is point zero eight percent. They’re effectively overemployed. The talent gap is what’s driving the majority of security needs, enhancements, and what budget controls are, and also how to demonstrate what that posture is.

That’s a critical element that we see across any size customer. It could be a twenty user customer. It could be a ten thousand user global customer. How can they prove that zero trust networks are in place, that endpoint detection and log monitoring exist, data residing.

Where does that stay? Is it resting point data? Is it transit data? Can that be demonstrated at any times?

Those are the questions we always get is we thought we had this in place, but it turns out we didn’t have this in place. Or we had it in place, but we can’t demonstrate what our security posture is. Creating that visibility and awareness through tools that are simple tools to implement and not only simple but affordable based on what the volume of the customer is. So if they’re a smaller customer, let’s say a hundred employee company, they’re not gonna pay the same that an enterprise customer should pay for a for a similar level of service.

It’s gonna be based on their number of endpoints. How many users are actually in the environment? Let’s quantify this down to a reasonable approach and not have this sling everything we can into an SOW and just hope that this works out. We wanna be methodical.

And I think as you think about methodical, you think about capturing their security posture in a reasonable aspect. Employee awareness training, employee awareness reviews, considerable approach to this, consistent pen testing. Where do those gaps exist? How do we slowly start to fill those gaps, but also be autonomous enough to know that the market changes every day.

The amount of attack surfaces change every day. The type of attack services change every day. And the vectors that these threat actors are using now are no longer a couple of hackers sitting in a basement trying to penetrate a network. These are fully funded companies that have payroll and HR and, recruiting talent that is bringing in what the skill set is needed to make them a global threat actor.

Adapting to Evolving Cyber Threats

Right? There’s a lot of pride in that security world of we’re the best hackers in the world. We’re the best at going to retrieve billions of terabytes of data in order to hold a company ransom.

Being able to be fluid in that, be autonomous in that is really where providers stand out. Can they demonstrate that? Cypher has the ability to demonstrate that with every potential compliance effort you would need all the way from ISO to PCI to HIPAA to CCI, FedRAMP, what have you, have those capabilities. But on the back end, we’ve also got the people to shore those gaps.

So we’ve got SOCs based in the United States. We use a pod model. And a pod model, if you’re not familiar with that, effectively states that we’re gonna work directly with every customer. They’re gonna have a point of contact at Cypher that is their point of contact.

Think about it kinda like an account manager except on the technical side. And bringing all of that together for QBR reviews with the customer, detailed compliance and logs, reporting documentation, that’s what helps you stand out. It’s not necessarily focusing on the bits and bytes, but what’s the human aspect to it? How do you humanize this and make it real?

Partnership Opportunities with Cypher

We’ve done a really good job of that over the course of almost twenty years since we’ve been in business in two thousand four. So we’re excited to get started with the Telarus program. We’re excited to revisit a lot of the tech advisers that we’re familiar with already.

So wherever you are in that journey, if you’re a tech adviser that’s on this call saying, we’re at the beginning of doing security. We wanna get better. There’s a partnership aspect with Cypher. If you’re a mature tech adviser that’s been doing cyber and data center and cloud for a long time and you’re kinda peeking over the fence, like, who is an up and coming provider that can shore a lot of the gaps and allow us to be comped and win deals in a much more lean capacity, we check that box as well.

So I’ll pause there, and, Doug, we can segue into any q and a.

Just one question so far. We wanted to talk a little bit about availability geographically.

Global Availability of Services

John asked the question if you’re available in EMEA or, where is the footprint and where can advisors take advantage of your services?

Truly global. We have SOCs across North America starting in the south, so all the way down to Brazil, North America, Canada. We have headquarters in Spain that we can partner with that have SOCs across the EMEA region and in the UK.

We do a little bit of work in the Asian market, primarily India.

In the China market, it gets a little wonky just with the data wall there and some of the restrictions, but absolutely a global presence.

Are there particular types of businesses that lend themselves to your solution, either verticals or just size of businesses that you find a sweet spot?

Certainly. Our average size customer is probably in that five hundred to six hundred employee range.

So perhaps they have an internal IT team. What you typically see is two IT resources per one hundred employees. So you look at a five hundred employee company, you’re looking at about ten IT resources.

We come in, coexist with that kind of environment. All the way down to customers, Doug, that are twenty five employees that are kind of in a start up micro SMB focus.

And we have customers that are global such as, like the NFL, for example, Cypher customer, global approach. Nice. And a considerable amount of banks, FinServ, health care, etcetera.

Let’s talk about the primary solution set that you offer, and what should make our advisors think of Cypher when they’re looking at a particular solution opportunity?

Overview of Cypher’s Solutions

So we call it XNDR. You may know that as XDR in general. If you were to Google what is XDR, that’s probably the simplest way to go about it. We use a categorical approach of whether we can have all eyes on all endpoints at all times, which is kinda that XDR approach, all the way down to MDR, EDR, and segmenting that based on what the customer needs or starting with EDR growing into XDR.

But that detection response would be our sweet spot. GRC is a really strong performing category for us, and then all the way through the OEM integrated technology model. We have so many customers that come to us and say, hey. We purchased Splunk as a SIEM.

We wanna own Splunk. The customer, for compliance purposes, wants to own Splunk. They need to demonstrate that they own the license, etcetera. We can manage that for them. They technically own the product. It’s a really lean approach to allowing the customer not to reinvent anything, but then we come in and actually manage it on a day to day perspective. They have a dedicated Cypher engineer that’s their go to contact.

So XDR, that detection response, at the top, GRC, and then all the way down to that OEM integrated technology where customers say, we don’t want an MSP to come in and manage everything. But if you have an expert that can help manage Elastic for us from a SIEM perspective, that’d be great. We can check that box too, and the tech advisor gets comped on that.

One-Time Services and Professional Offerings

So the managed services make up a big part of your portfolio, but you also have various one off services available as well. When should advisors be thinking about you for those?

Think about any opportunity that’s a direct one time need. So pen testing, GRC assessment, setting a baseline for what the approach to their twenty twenty five NIST compliance needs to be. Think of that as professional services. So it’s not recurring.

We’re not trying to get them to commit to a thirty six month agreement. This is gonna be something that’s a onetime delivery. Our team comes in almost in a parachute pro model, works directly with the customer to build an assessment and baseline, and that assessment may sit there, Doug, for a couple of months before they take action. Right?

They’re gathering budget. They need to complete other priorities. We totally understand that. But tech advisers can now be paid directly off just SOW onetime deliveries that always kick start what that next step is gonna be.

I know our advisers, can find a lot of information because I did at the website, cipher dot com. That’s c I p h e r dot com.

Contacting Cypher for Immediate Needs

But if they have an immediate opportunity and want more information right away, what’s the best way for them to pursue that with Cipher?

I will put my email in the chat, and that would be the easiest way to get in touch with me, and I will ensure that anything gets delivered that’s requested.

Very good. Tyler, we’re very excited to have you and Cipher associated with Telarus. This partnership’s been a long time coming. We’re very excited about it. Hope to have you back on the Tuesday call again soon. Thank you very much for presenting this today.