The State of the Security Landscape: An MSP Partner Panel Discussion

Q and A: Gems and Takeaways on Identifying and Recovering From Threats

The 2021 Axcient MSP Xperience event featured a panel discussion with three experienced MSPs: Jason Holbrook, Luis Alvarez and Steven Tracy.

Axcient’s SVP of Product Ben Nowacky narrowed this broad State of the Security Landscape topic to focus the discussion on the first and last pillars of the NIST Cybersecurity Framework: 1) identifying and 2) recovering from threats.

NIST Framework Pillars

First, Take a Look at the Resources:

  1. National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity: This Framework enables organizations – regardless of size, degree of cybersecurity risk, or cybersecurity sophistication – to apply the principles and best practices of risk management to improve the security and resilience of critical infrastructure. The Framework Core is organized into five functions, which the panel refers to as pillars: Identify, Protect, Detect, Respond and Recover.
  2. Axcient Incident Response Checklist: This is a practical checklist of steps for an MSP to take as part of an incident response plan. First, it covers the steps to take before you contact your clients – the business and professional measures to prepare as the party responsible for critical decision making and communications. Second, it covers the technical steps for containment, isolation, and restoration.

You can watch the recording, or keep reading to see what your peers had to say…

Q: Ben Nowacky – What are areas that people are missing or aren’t thinking about when considering the “Identify Threats” pillar of excellence?

    • Jason Holbrook – As MSPs, we have well-rounded tools that pick up laptops, servers, etc., but what we find to be just as dangerous are rogue access points. For example, Joe Bagofdonuts likes to bring his device into work and is a ‘hanger-on’ to your network, accessing inappropriate things. You should make the extra effort to touch the network and try to learn what you don’t know.
    • Luis Alvarez – Sometimes when we think about identifying threats, we think about the tangibles, but the intangibles are just as important. For example, you need to identify everyone in the org that has admin rights. You need to identify not just the physical assets; perhaps there are folks you need to dig into who needed access years ago but no longer do, and that is a security risk. It isn’t just assets on the network, it is also access-based security threats. You can’t protect against what you don’t know about.
    • Steven Tracy – As a technology industry, we try to solve people’s problems with technology before identifying where there are people-driven issues, and sometimes it isn’t even technology; there are gaps or problems in processes and procedures. So it is not just a matter of jumping straight to the need for a full SOC, MFA, etc. without thinking about why you need that.
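Both of the first two points above come down to the same check: compare what is actually on the network, and who actually holds privileged access, against what you think you know. The script below is an added example written for this page, not code from the panelists or from Axcient. It reconciles a constructed ARP-table listing against a constructed asset inventory to surface unmanaged devices, and then lists accounts in privileged groups whose last logon is older than a cutoff. The group names, the 90-day cutoff, and all device and account data are assumptions made up for the example.

```python
"""Added example: two 'Identify' checks an MSP can run for a client.

1. Reconcile devices seen on the network with the asset inventory to
   surface unmanaged ("rogue") devices.
2. List accounts in privileged groups and flag the ones with no recent
   logon, i.e. admin rights that may have outlived their reason.

All inputs below are constructed sample data, not real client data.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# --- 1. Devices on the network that are not in the inventory -------------
# Constructed ARP-table style output (ip, mac, hostname), as a scanner or
# `arp -a` might report it. MAC separators vary on purpose.
ARP_SAMPLE = """\
192.168.10.1   00-11-22-33-44-01   router01
192.168.10.20  00-11-22-33-44-20   fileserver
192.168.10.45  3c:5a:b4:aa:bb:cc   ?
192.168.10.77  a483.e712.3456      ?
"""

# Constructed inventory: MAC -> asset name for devices the MSP manages.
INVENTORY = {
    "00:11:22:33:44:01": "router01",
    "00:11:22:33:44:20": "fileserver",
    "3C:5A:B4:AA:BB:CC": "reception-laptop",
}


def normalize_mac(mac: str) -> str:
    """Canonicalise 'AA-BB-..', 'aabb.ccdd.eeff' or 'aa:bb:..' to lowercase colon form."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_arp(text: str) -> list[tuple[str, str]]:
    """Return (ip, canonical mac) pairs from whitespace-separated ARP lines."""
    seen = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue  # skip blank or malformed lines
        seen.append((parts[0], normalize_mac(parts[1])))
    return seen


def unknown_devices(arp_text: str, inventory: dict[str, str]) -> list[tuple[str, str]]:
    """Devices observed on the network whose MAC is not in the inventory."""
    known = {normalize_mac(m) for m in inventory}
    return [(ip, mac) for ip, mac in parse_arp(arp_text) if mac not in known]


# --- 2. Privileged accounts with no recent logon --------------------------
# Constructed directory export: (username, group memberships, last logon, UTC).
# In practice this would come from the directory or IdP, e.g. an AD export.
USERS = [
    ("alice",      ["Domain Admins", "IT"],     "2021-09-01T08:00:00Z"),
    ("bob",        ["Finance"],                 "2021-09-02T09:15:00Z"),
    ("oldvendor",  ["Domain Admins"],           "2019-03-14T12:00:00Z"),
    ("svc-backup", ["Backup Operators"],        "2021-08-30T02:00:00Z"),
    ("carol",      ["Enterprise Admins", "HR"], "2020-11-20T10:30:00Z"),
]

# Assumed set of groups that count as 'admin rights' for this client.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Backup Operators"}


def privileged_accounts(users) -> list[tuple[str, list[str]]]:
    """Every account holding at least one privileged group, with those groups."""
    return [(name, [g for g in groups if g in PRIVILEGED_GROUPS])
            for name, groups, _ in users if set(groups) & PRIVILEGED_GROUPS]


def stale_privileged(users, now: datetime, max_idle_days: int = 90) -> list[tuple[str, int]]:
    """Privileged accounts whose last logon is older than max_idle_days: (name, idle days)."""
    cutoff = now - timedelta(days=max_idle_days)
    stale = []
    for name, groups, last_logon in users:
        if not set(groups) & PRIVILEGED_GROUPS:
            continue
        logon = datetime.fromisoformat(last_logon.replace("Z", "+00:00"))
        if logon < cutoff:
            stale.append((name, (now - logon).days))
    return stale


if __name__ == "__main__":
    now = datetime(2021, 9, 15, tzinfo=timezone.utc)  # fixed 'today' for the sample data
    for ip, mac in unknown_devices(ARP_SAMPLE, INVENTORY):
        print(f"UNKNOWN DEVICE {ip} {mac}")
    for name, groups in privileged_accounts(USERS):
        print(f"ADMIN {name}: {', '.join(groups)}")
    for name, days in stale_privileged(USERS, now):
        print(f"STALE ADMIN {name}: no logon for {days} days")
```

Two caveats a practitioner would add: MAC-based reconciliation only catches devices that are not trying to hide (a MAC can be spoofed, and modern phones randomise the Wi-Fi MAC per network), so treat an "unknown" hit as a prompt to go look, not as proof of a rogue device; and a stale admin account is a finding to review with the client before it is disabled, since service accounts sometimes never log on interactively.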

 

Q: Ben Nowacky, Axcient – One of the often-overlooked fundamental pieces of the security puzzle is the risk assessment, and you can paint a picture of where the gaps are, what the problem areas are, and lay a roadmap for how to get to cyber-resiliency. How do you approach risk assessment, deploying it and using it with your clients?

    • Luis Alvarez – A lot of times when we engage with new prospects, we point out that the first step in our process is doing the risk assessment so we know where the gaps are, and they tell us that they have been “assessed to death,” “I have one I can show you,” or “we just did it a while ago.” I tell them that even if you did it six months ago, you are behind the times. We explain that it isn’t a “we will be done in 30 days” type of exercise. If you aren’t doing it frequently, you will miss risks.
    • We do risk assessments annually with our clients, so we know where they were when they started and how close they are to being where they need to be, and I tell them don’t be scared – you will see a lot of red. We like to use color-coded visual cues like red, yellow, and green, and the things in red are the things we need to address right away. We will get it all green. The way you handle data, the lack of MFA, etc. are the types of things you point out in the risk assessment that help clients to remedy. It is used as an assessment piece as well as an education piece to see their progress.
    • Steven Tracy – I think of risk assessments as a multi-faceted tool, and I agree with what Luis was saying about how it can be used with a prospect, but we also use it with clients who just don’t get it. We use it internally with existing partners where we have been educating them and they admit there are risks but they need to see it visually to understand and use it, and for clients who don’t understand as well, so they have it visualized and they can’t come back later and tell us they didn’t know. In addition to being an assessment tool, it is a risk mitigation tool, so we can be sure they are aware of the challenges and gaps, and we have coverage for that risk if they choose not to address it.
    • Ben – So as a CYA – an MSP can say “we documented all this and told you the risks, don’t tell us we didn’t tell you about it.”
    • Jason Holbrook – I see the biggest gaps there, and how else do you deploy a risk assessment? For us, risk assessments are important to understand the environment and communicate to the client what the risk really is. The challenge for us as MSPs is translating risk into budget. I am a small business; do I need a SIEM? Do I need locks on all these doors? We can relate it and visualize it in a sense like, “I keep my money in the bank, or I could build a vault to keep it in; which do you want?”

Jason Holbrook: “When we run into a client who just doesn’t get it, we use the risk assessment to try to help them assign a priority and assign it a budget so they can become comfortable with the idea of being comfortable; we want them to understand risk so they can be comfortable and sleep well at night.”

    • If they say they understand but don’t want to address the threat? They have this great assessment that really breaks it down for them. Then ask, “What is the low-hanging fruit that most orgs can do to protect themselves?” Such as MFA. You kind of walk them through it and help them prioritize, be really good listeners, and try to help them feel comfortable.

 

Q: Ben Nowacky – Is the financial investment in security a barrier you have to bridge, such as understanding that you need to spend money to be secure?

    • Luis Alvarez – Quite frankly, it used to be a problem when you talked to clients about BC and security, but for better or worse, things have changed and folks are anxious to have the conversation now. They may not want to spend the money, but they want to talk.

Luis Alvarez: “It is Kevin Bacon Country now; everyone is 2 degrees of separation from a cyber-attack. You don’t have to come up with esoteric examples because everyone knows someone who has been hit. You can point to someone down the street that has been through it.”

    • You need to recognize that you need to walk them through the education process, and then they want to get to the final point, but there is no end. It is a constantly evolving world and there must be investment on their part. They want to get to the final endpoint of their security plan, but there is no end as it is evolving, so it is an ongoing conversation and a long-term investment on their part.
    • Jason Holbrook – To Luis’s point, from my experience: most of my clients either think they are bulletproof or they are freaking out. You have to find that mid-line and get them to calm down, pay attention and start talking about low-hanging fruit. One of the best things that has happened to us from a security standpoint is the insurance salesmen pushing these cyber security policies, because we are their second call after the cyber insurance company.
    • Steven Tracy – It is funny how you mapped that out, because that is truly where most clients exist. If they don’t have specific legal compliance needs (those are the easy ones), they think that since they have anti-virus on their workstations and a password policy, they are OK.
    • It is getting easier to have those security budget investment conversations, partly because of cyber insurance, and you need to be able to map your risk assessment or your managed services to those specific cyber insurance requirements.

Steven Tracy: “It becomes less of a sales pitch because the client has multiple people telling them they need to do this, not just the MSP’s account manager with ‘commission breath’ telling the client they need to add all these different services to keep them safe.”

 

Q: Ben Nowacky – Moving on to the Respond and Recover Pillars – Axcient put together an Incident Response Checklist that can come in handy. How have you seen the recover pillar evolve in the last 2 years? How do you think people perceive it?

    • Steven Tracy – It goes back to identifying risks and priorities. You can slowly recover everything, or you can quickly recover prioritized items based on how important those things are to your client’s business and previously determined RPOs and RTOs. Everyone wants to recover, but you can focus on being operational and bringing solutions that meet your objectives; we need to work with them to identify these priorities and objectives.
    • We now have cloud backup and disaster recovery and BDRs that are prevalent, and the recover conversation is just like the security conversation. Recovery is no longer something that is only possible if they are spending an enterprise budget; there are solutions that we need to discuss regularly, and the MSP needs to educate on why the solutions are important and what the value is to the client.

Steven Tracy: “You can be the hero and have everything lined up to be restored, or you can be the field goal kicker lined up who misses.”

    • Ben Nowacky – A previous boss said people ask “what have you done for me lately?”; it doesn’t matter how well you have done in the past, it is what you just did.
    • Jason Holbrook – Recovery has evolved to be very fast in the last few years. The speed of the technology with Axcient has been incredible, I have witnessed a 5-minute recovery.

Jason Holbrook: “It is possible, and when you have your client in a situation where there might be a breach or ransom, let them know that ‘Hey, I just walked you away from a 2-million-dollar breach,’ and there is no better way to get a big S on your chest. And explain that we won’t be paying a ransom – and you are golden.”

    • Luis Alvarez – The incident response plan is critical, and we do it in the first 90 days with each new client. We build an incident response plan for if they get hit with malware or get breached. Once we go through and document that exercise, we flesh it out over time, cover all these different scenarios, and have a plan in place should something happen. “It makes them feel better and makes me sleep better at night. Our incident plans go right down to how it will be communicated when email is down.”
    • Ben Nowacky – Knowing the affected organization’s methods of communication is important. If MS Teams or their email is down, you need to know the mechanics of their typical communications, and that can’t be a ‘wartime decision.’ It is important to go over the client’s preferred communications at the beginning and bookend the incident response plan with it.
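The recover discussion above turns on two numbers per system: the RPO (how much data loss is tolerable) and the RTO (how long the system can be down), plus a priority that says what comes back first. The script below is an added example written for this page, not code from the panelists or from Axcient. With a constructed set of systems and a fixed incident time, it checks which systems have already blown their RPO given their last good backup, orders recovery by tier and RTO, and simulates the restore queue to show which systems would miss their RTO with one restore stream versus two. The system names, tiers, RPO/RTO values and restore times are assumptions made up for the example.

```python
"""Added example: RPO/RTO checks and a recovery-order simulation.

Given each system's RPO, RTO, last good backup and a measured restore time,
work out (a) where the data-loss window already exceeds the RPO, (b) the
order to restore in, and (c) whether the queue of restores meets each RTO.
All systems below are constructed sample data, not a real client's.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class System:
    name: str
    tier: int                   # 1 = business stops without it, 3 = can wait
    rpo_min: int                # max tolerable data loss, minutes
    rto_min: int                # max tolerable downtime, minutes
    last_good_backup: datetime  # last verified restore point (UTC)
    restore_min: int            # restore time measured in a test restore, minutes


# Assumed incident time for the sample data.
INCIDENT = datetime(2021, 9, 15, 14, 0, tzinfo=timezone.utc)

SYSTEMS = [
    System("erp-db",        1, 15,   60,   INCIDENT - timedelta(minutes=10),  20),
    System("file-share",    2, 240,  240,  INCIDENT - timedelta(minutes=300), 170),
    System("dc01",          1, 60,   30,   INCIDENT - timedelta(minutes=45),  15),
    System("intranet-wiki", 3, 1440, 1440, INCIDENT - timedelta(minutes=600), 40),
    System("email-relay",   2, 60,   120,  INCIDENT - timedelta(minutes=20),  50),
]


def rpo_breaches(systems, incident_time):
    """(name, data loss minutes, rpo) for systems whose loss window exceeds their RPO."""
    out = []
    for s in systems:
        loss = int((incident_time - s.last_good_backup).total_seconds() // 60)
        if loss > s.rpo_min:
            out.append((s.name, loss, s.rpo_min))
    return out


def recovery_order(systems):
    """Most critical first: lowest tier, then tightest RTO, then quickest restore."""
    return sorted(systems, key=lambda s: (s.tier, s.rto_min, s.restore_min))


def schedule(systems, parallel=1):
    """Simulate restores with `parallel` concurrent streams.

    Each system, in priority order, goes to the stream that frees up first.
    Returns (name, finish minute, rto, meets_rto) per system, in restore order.
    """
    streams = [0] * parallel  # minute at which each stream becomes free
    result = []
    for s in recovery_order(systems):
        i = min(range(parallel), key=lambda k: streams[k])
        streams[i] += s.restore_min
        result.append((s.name, streams[i], s.rto_min, streams[i] <= s.rto_min))
    return result


if __name__ == "__main__":
    for name, loss, rpo in rpo_breaches(SYSTEMS, INCIDENT):
        print(f"RPO BREACH {name}: {loss} min of data at risk, RPO is {rpo}")
    for parallel in (1, 2):
        print(f"--- {parallel} restore stream(s) ---")
        for name, finish, rto, ok in schedule(SYSTEMS, parallel):
            print(f"{name:14} done at +{finish:4} min  RTO {rto:5}  {'OK' if ok else 'MISSES RTO'}")
```

Two practical notes: the `restore_min` figures only mean something if they come from actual test restores, which is the "have everything lined up" the panel describes, and an RPO breach found at incident time is a planning failure, not something to discover then; run `rpo_breaches` against the backup log on a schedule, not just during the incident. The simulation also assumes restores are independent; in reality dc01 usually has to be up before the systems that authenticate against it, which is why it sorts first here.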

 

Q: Ben Nowacky – Are you charging for the initial risk assessment, or doing it as a no-cost prospecting activity?

    • Jason Holbrook – We will charge for it, and then if there is an engagement we will credit it back. I think that anybody who is not willing to pay for a risk assessment may not end up being a really great customer.
    • Luis Alvarez – The risk assessment is too big and time-intensive an exercise to give away for free. The perceived value is tied to what it costs; the reality is it is a professional service we provide, and if you don’t want to pay for it, then someone else will.
    • Steven Tracy – I will be the dissenting voice here; it depends. We do a lighter risk assessment to identify some of the needs without charging, but the way we have structured our entire sales process, we have some points where we would eject customers along the way if they aren’t taking these things seriously. We don’t do it for any old customer, but there is a certain amount where we are investing in it ourselves and we see the return on the investment.

 

Q: Ben Nowacky – Do you have any tools for creating a continuity plan or incident response plan, whether homegrown or tools in the market? Good IR tools you recommend?

    • Luis Alvarez – There is a cool product we discovered called ‘Plan for Continuity’ by Cloud Oak. It is a hosted service that clients have access to build an incident response plan, and if you have it set up correctly it takes care of all the communication pieces. We have used it for real instances and in practice as a tabletop exercise. Once it is done you have a deliverable with an actionable package of how to move forward. I am not trying to do a commercial here, but I think it is affordable and one of the best tools out there.
    • Jason Holbrook – We pulled out the NIST compliance documents and shaped ours based on them, and we use our own documentation and spreadsheets. Nothing fancy but it works for us.
    • Steven Tracy – We document some of the processes in IT Glue. And I am not affiliated with it, but we found Plan for Continuity by Cloud Oak on msp-navigtator.com and it is a good place to look for tools like this.
    • Ben Nowacky – We have said it all – get out there and do it. Thanks to you all. Great stuff.

 

Are you ready to roll out full incident response plans to more of your clients?  With Axcient, you can still make your margins; you get business continuity and disaster recovery at up to 50% less than you’re paying for backup alone. Compare a complete solution to what you’re using now and see how your Incident Response Policy stands up. Start Your Free 14-Day Trial Today!

Ben Nowacky

Ben Nowacky // SVP of Product, Axcient

As Senior Vice President of Products for Axcient, Ben Nowacky leads the Engineering and Security teams to provide business continuity and cloud enablement services. He’s also a semi-amateur boxer and modern-day renaissance dog trainer. When he’s not banging the keyboard and helping MSPs, he loves long walks on the beach and romantic dinners with his wife.

More Great Stuff From Our Blog:

Check out some other interesting pieces from our blog: we examined the toll cybersecurity takes on MSPs’ mental health and offered a comprehensive list of tools and resources to feel better. Also, we dove into how chain-based backup works and why chain-free is the way to be, we talked with Jason Phelps from Huntress Labs about planning for the next ransomware attack, our CEO David Bennett explains why the current cybersecurity landscape means traditional backup is dead, and you can learn how to ditch pricey on-site appliances with Local Cache for Direct-to-Cloud BCDR.