• Garrett O'Hara

    Garrett O’Hara is the Principal Technical Consultant at Mimecast having joined in 2015 with the opening of the Sydney office, leading the growth and development of the local team. With over 20 years of experience across development, UI/UX, technology communication, training development and mentoring, Garrett now works to help organisations understand and manage their cyber resilience strategies. When not talking about the cyber security landscape, data assurance approaches and business continuity Garrett can be found running, surfing or enjoying the many bars and eateries of Sydney's Northern Beaches.



Our guest for this week’s show is Bruce McCully, CSO at Galactic Advisors and author of Level Up: The Ultimate MSP Roadmap for Security, Operations and Profitability; and Plagued: The CEO's Ultimate Guide to HIPAA Compliance and Cybersecurity. 

Bruce grew an MSP from scratch, and after smoke-jumping into organisations and seeing the effects of ransomware, he transitioned his teams to be more heavily focused on security. This exposure to both incident response and forensics has led Bruce and his teams to a great understanding of what good security looks like. Galactic Advisors now have a focus on MSPs.

In an episode packed with insight and stories from the trenches we get Bruce's thoughts on how to work with MSPs, why they’re an appealing target for attackers, and how MSPs add value. We also get Bruce’s thoughts on the importance of culture, communication, and measurement in cyber security.

Plagued: The CEO's Ultimate Guide to HIPAA Compliance and Cybersecurity: https://amzn.to/3rBauuf
Level Up: The Ultimate MSP Roadmap for Security, Operations and Profitability: https://amzn.to/3GjTf4u


The Get Cyber Resilient Show Episode #83 Transcript

Garrett O'Hara: Welcome to the Get Cyber Resilient podcast. I'm Garrett O'Hara. The conversation today is with Bruce McCully who's the chief security officer at Galactic Advisors and author of The Level Up, the ultimate MSP roadmap for security, operations, and profitability, and also a book called Plagued, The CEO's Ultimate Guide to HIPAA Compliance and Cyber Security. Bruce grew an MSP from scratch and after smoke jumping into organizations and seeing the effects of ransomware, he transitioned his teams to be more heavily focused in security.

Those teams' exposure to both incident response and forensics led to a great understanding of what good looks like. Galactic Advisors now have a focus on MSPs, and in this conversation, we get Bruce's thoughts on how to work with MSPs, how they can be an appealing target for attackers, how MSPs add value, and then we dig into the importance of culture, communication and measurement in cyber security. Over to the conversation. Today I'm joined by Bruce McCully, who's the chief security officer at Galactic Advisors. How are you doing today, Bruce?

Bruce McCully: Hey Garrett, doing well.

Garrett O'Hara: Good stuff. Where are you, where are you dialing in from? As a matter of interest. You're over in the US, right?

Bruce McCully: Yeah. You know, I'm coming at you from New Orleans this morning. So a beautiful, beautiful day here. And you know, we're on the summer side of the earth. I'm sorry, we're getting ready for the winter side of the house. You guys are in the summer, so looking behind you [laughs] [inaudible 00:01:29] behind you.

Garrett O'Hara: Yeah. Lots of sunshine. New Orleans is so high on our list of places to go. I've seen, yeah, it's been on many travel shows and I've been in quite a few places in the US but not New Orleans yet. I cannot wait to get there.

Bruce McCully: Great town and lots of live music. Wonderful, wonderful culture. Just amazing place.

Garrett O'Hara: High in our list. And is that where you [inaudible 00:01:52] yourself, you live there? Are you traveling there for business?

Bruce McCully: Yeah, so I spent about half my year in Nashville, Tennessee, and which is also probably high on your list of places to go if you have [crosstalk 00:02:03]

Garrett O'Hara: It is. [laughs]

Bruce McCully: And uh, the other half of my year in New Orleans, so.

Garrett O'Hara: Fantastic. That sounds like a hell of a life. Good times. Well, look, so Bruce well, the, the first thing we generally get into with the, the guests is how do they get to where they are today? So obviously you're a chief security officer uh, for Galactic Advisors, great name by the way. And maybe if you can include how you came to that name as well, that would be [laughs] really cool to hear. But it'd be great to hear your journey. Like how did you get to where you are today?

Bruce McCully: Yeah, so I I started out by growing an MSP. So I, like my very first thing, I didn't even graduate college before I started a IT support business, and quickly turned that into a managed services provider. So that's kind of the direction that my career started in. And about four years ago, we started going into very specific niche. We actually started working with healthcare and in, in the US. It's all, you know, private, I don't know how it is in Australia, but in the US it's all privatized. And so one of the things that was hitting healthcare and still is, is ransomware. And so we were going into these hospitals and recovering them after their IT team was overwhelmed with a ransomware incident.

And that became kind of a, a transition for me from just doing managed services, to actually getting really heavy into security, because we'd have not only an incident response team, you know, like the guys that go in and clean it up, but we also had to have a forensic side and we had to go through and analyze exactly what the attacker got to, whether or not they're able to exfiltrate protected health information, which is basically, you know, personal information and medical records and stuff like this.

And so that that's, that's how I got to where I'm at today. As for Galactic, you know, when we were going into these hospitals um, well, there being these really rural areas all over the place, and I ended up getting my pilots license and flying little planes, and that, I don't know, it just ended up becoming Galactic from there.

Garrett O'Hara: Uh, you know, uh, in my head, I'm like, like a [inaudible 00:04:12] Iron Man [laughs] flying around and cool saving the day. That's awesome. What a way to travel.

Bruce McCully: You know, I have to, I have to admit, like, it's not as fantastic as Iron Man. I, I remember this one hospital that we went into and they said that there, they would make sure that we had a ride once we got to the airport. And when I say airport, what I mean is a strip of land with some concrete on that strip and then a little outhouse next to it in case you have to use the bathroom. So we landed and it's all gated all the way around it. And six cop cars come like trailing up to the plane and that was our ride. Like we got a ride with the police, like with the county police to the hospital because they didn't have taxis or anything like that. I mean, this was a small, small community.

Garrett O'Hara: Full on. So it points to something kind of interesting and, and maybe we're going off script very early here, but like in the US, and, and it's the same in Australia, critical national infrastructure. So, you know, healthcare, water supply, those kinds of... You know, that's, that's sort of back-end fabric of a society. That's often in those kind of very small rural places where I read an article on CNN probably about a year ago, and the, the author described it, you know, one of the water supply systems in, in one of these towns like, imagine a community center with two, you know, very old plumbers looking after it, and that's kind of, you know, that's the level that these, these places are operating at.

You know, like, w- what are your thoughts in terms of critical national infrastructure, like healthcare, as an example. And I know Biden's putting a lot of money towards this, and there's some good plans there, but any thoughts on that?

Bruce McCully: Yeah. Well, I mean, when we look at it from a security posture standpoint, I, I mean, we're all aware of the huge gap, especially in the United States with SCADA, all of these other tools. Inside the hospitals it's, I wouldn't say just as bad, specifically because we have a very converged network, so think about like 1000 to 2000 devices on a network, and we've got workstations, phones.

My favorite thing, like the most secure thing on a network, a printer, just kidding. And then you also have lab tools and a lot of the lab tools, you know, they're running these old operating systems, Windows 7, et cetera. And there's just this huge, huge attack surface there that is all trusted, it's all converged. So it's all on the same LAN. I mean, it's, it's ripe for the picking.

Garrett O'Hara: It, it is quite scary in healthcare. Had a guest on probably about a year and a half ago who, who we... Look, so I don't know if it's the same in the US but I suspect it is for medical devices to pass certification. They, they pass certification based on a particular operating system, you know, firmware, et cetera, et cetera. And they're often very old and it's very expensive to recertify. So the incentives are all wrong in terms of like upgrading to, you know, latest, secure operating systems and stuff. Is it the same in the US?

Bruce McCully: Exactly the same here in the US.

Garrett O'Hara: Yeah.

Bruce McCully: Yep. So we see, like I mentioned, that Windows 7 device, there's, there are actually situations where you see these old server infrastructure pieces that are being used by, by providers that are providing multiple hospitals access to data, for instance like when you go in and you look at PACS, which is a system that's used for doing radiology and reading out those results, the backend system on that, not only is it a really old system, but it links all of these facilities together, which becomes, you know, a great destination if you're an attacker, because you know, how many people are...

And, you know, as we're talking about this, we should be talking about how to improve stuff. So, you know, how many people are looking at their VPN traffic to make sure that there's nothing naughty going across those connections. Right? So these are areas that we start to see more and more issues with.

Garrett O'Hara: Oh, [inaudible 00:08:20] so with Galactic Advisors, you, you kind of focus on MSPs. Like, am I understanding like you, your focus there is because of your pedigree in that space, so you probably had a really good sense of, of where MSPs were at?

Bruce McCully: Yeah. So, you know, we started, we started doing [inaudible 00:08:38] which was, we would go in and we'd do a free vulnerability assessment for a hospital. Right. And the reason was, is if we could get out of... I mean, there's two reasons, let's be, let's be honest about it. The first one is it's, wouldn't it be awesome if we didn't have any of these events to go to in the first place? The second reason was, is obviously gets your name out there when you're doing free stuff for rural hospitals that can't afford to have security teams come in and do this type of analysis anyways.

So all of a sudden we started getting a whole bunch of data and we started analyzing all of these facilities. And I remember this one, we went in and it was like November. It was like before Thanksgiving, and we did the analysis and then we sat down like after the holidays and did the readout and the IT director was like, "We've been doing it this way for the last five or 10 years, why would we, why would we change? Like, I don't understand, like we haven't gotten hacked yet."

And there were like three main things on that list. And I got a call-back from him in February. Like he reached back out to me and I was like, oh, cool, maybe he has questions on the list. Like maybe we can get them started on helping them out, whatever, and he, he wanted help, but it wasn't quite what I had hoped. They were hit and the attackers had, they were able to ransom over 700, maybe it was 800 machines. It was a pretty big environment that, that got that got hit. And the reason, I mean, this was kind of the turning point for me. Like, this is one of those aha moments that people talk about, the entrepreneurial seizure when you're like, oh, I'm going to start a business.

And this was kind of like the, the the seizure where I was like, I'm gonna, I'm gonna sell my current MSP and go, go make a change to my life because what what hit me was about half of the hospitals that were recovering were actually being protected by MSPs and MSSPs. And so we had a fundamental problem when it came to the way that we were providing security as an MSP. And so I decided, you know what, I'm going to go ahead and sell this very successful MSP in the, in the US.

I I grew it to eight and a half million in annual recurring revenue, which is pretty, pretty large for an MSP. And I'm going to go on a new mission, work to help protect a million people. And that's actually why I'm on the call today is why I do a lot of these calls, it's just to get the word out and help, help protect a million people.

Garrett O'Hara: Yep. That's a, that's a big mission and and honorable as well. Yeah, very, very cool. So with the, with the MSPs, and we good to maybe get a sense of your approach to kind of working with them. 'Cause I know you, you guys have done analysis on, well over 1000 MSPs in, and correct me if I'm wrong, in any of this, [laughs] and sort of doing the sort of digestation of that data. Did I make up a word?

Digestation. Digesting or summary. Yeah. It should be a word. Uh, but summarizing that sort of data so it's consumable by, by organizations, which is like, that's an, an awesome thing to do, but it'd be great to understand your, like your approach to that analysis and then what the outcomes were.

Bruce McCully: Yeah. So so far you know, we've, we've done north of 2000 now MSP networks. Just been out there moving along from that perspective. And one of the things that we do when we look at an MSP network is we look at whether or not, like if an attacker gets in, can they move laterally? But instead of just doing that, instead of just saying, oh yeah, they can move laterally or whatever, why don't we, why don't we prove it?

And so we actually use some of those tactics and methodologies that we found when we were in the hospitals with the forensic work and show them how the attacker will actually move in their environment, what they'll get to, et cetera. And we just do it by abusing user rights and privilege. And so that is usually that aha shocking moment that, that people don't really expect when they go through and they do this type of analysis. I don't remember the question.

Garrett O'Hara: It was the, your approach to working with MSPs and what the outcomes there are.

Bruce McCully: Perfect. Let's try that again. So, so far we've done north of 2000 MSP networks and done the analysis part. And the first part is showing them, you know, if an attacker does click a link, if a user does click a link, what an attacker can get to and actually showing them the data and the resources that the attacker is able to then access. And that's usually that aha moment for people when they see, holy cow, if somebody just screws up on my team and clicks the link, this is what they'll get to, and this is the security response I'll have. That's usually that moment that they start investigating how to improve it.

So what we do is first we start with that step and then we provide ongoing education and provide them a third party analysis so that they can prove to a prospect or a client that they are in fact, third-party audited. And then once they have their security stack working, I mean, imagine you get everything working and you know that your alerts are working and you know that when an attacker's in your environment, you can see them. So you have telemetry, you know you don't have issues with lateral movement.

Like all those things are working. Now, what if you could go to a prospect and have them click a link and show them just how asleep at the wheel their current provider is. And that's how we help our partners and then grow. And that pushes my mission of helping to protect a million people forward. And a lot of people ask me, they're like, "Why don't you just us, the tool? Like, can we just get the tool?" No, you can't just get the tool. In order to use the tool, you have to have your house in order, and that's how, that's how we're doing it.

Garrett O'Hara: It, it's really heartening to hear you say that, because I think quite often there is a perception of a magic wand that you can go out and buy a, you know, a shrink wrapped product, you know, run a couple of DVDs and away you go, you're like, you're sorted and it's so much more complex than that. And uh, yeah, it's, it's definitely heartening to hear that when you've literally written a book on this stuff. [laughs]

Now, you know, not, not to get into plug mode here, but the book is called Level Up and it's available on Amazon. Right. And you know, without giving away too much that people don't want to go and buy the book, but any pro tips from that that might be worth kind of, you know, using as a teaser, at least [laughs] to what's in there.

Bruce McCully: Well, you know, the, the book took me almost a year to write, so I don't think I'll be able to, you know [inaudible 00:15:45]-

Garrett O'Hara: [laughs] Yeah.

Bruce McCully: ... not worth [inaudible 00:15:48] buy it, but I, I guess I would give you three things. The first one is simple, and that is documentation doesn't have to be hard. And one of the, one of the issues that we all run into when we're running IT departments, and I know that some of the folks on the call are running MSPs, others are running, you know, a full IT department. Some maybe are just small IT, one person shops. But one of the things that we all think is documentation has to be this really hard thing. And one of the ways that you can do that differently is you can start making documentation part of your process and we call it just-in-time documentation.

And basically what that means is when you're working on something, and more importantly, when you're kind of the knowledge guru, like the person that understands something in particular, when you're working on something, instead of you doing it, you get somebody else to do it for you, as in one of your minions, I'm sure you have them if you're the knowledge guru, or at least somebody that, you know, would have a hard time with that, and have them document it as they go.

And what will happen then is they'll document the important pieces of things that they need to know in order to redo this later. And it will make it so that you, as the knowledge guru, the person that has all this stuff deep in your head, which you also become the constraint for growth and, and change in your organization, now have an outlet for that information and you can start getting it to the resources that need it in a way that they understand it when you're done. And then one of the other pieces to that just-in-time documentation is don't go and try to review the document and say, yeah, I gotta, I gotta proofread it and make sure it's all right.

Instead, once you know that it's, that it's done, get a link to it from the person that did it, maybe it's in your knowledge base or whatever. Then the next time that somebody has a problem with it, have them use the documentation. They might improve it as they go, and check the second person's work to see if it's what you expected. Because if it is then you know your documentation's good. If it's not, you know where you have to fix the documentation. So it's completely different mindset than just going through and building documentation out just in case somebody is going to need it.

So that's, that's number one. Number two is always have a plan to test your tools. A lot of the times, like when we go through and we do these assessments, we find that people... Like, I was just on a call earlier today and the person who was on the call with me, he was a, a CEO. So he, he owned his own business and he was surprised that we were able to move a malicious payload across his firewall. And when I asked him about it, like, I'm like, "You seem surprised about this. Why are you surprised?" "Well, because we went and turned all that on." And so I said, "Well, what did you turn on specifically?"

And he told me, and it sounded like the right stuff and I said, "Okay, now go look back at it and make sure it's still turned on and, and make sure there's no exceptions." And he sent me an email, like just before we got on said, "Found an exception." So obviously we didn't test our work in this case. Right guys. So what I'm saying here is even if you turned it on, and even if you went through and you double checked the settings with the manufacturer and in all of those things test it anyways, like throw a malicious payload across your firewall and see, does it get picked up? If it doesn't, well, you know, something's wrong, right? How many times has somebody done that? And the last thing is, is when it comes to security, like when it comes to really securing your organization, it's not about buying new tools.

It's not about like beating your people into submission. It's very simply changing your culture. And what I mean by that is, is you have these organizational habits, like, like the things your team does when nobody's looking, those, those are your culture. And you might have a great culture when it comes to hanging out with each other and talking to each other and all of that stuff. But if you don't have a great security culture, none of that matters, because someone's going to come along and break in and destroy that other culture that you've built.

Garrett O'Hara: So I'm going to, I'm going to quote you. You, your [laughs] and this is, is from the sort of research for the episode, but you, you said culture eats policy for breakfast every morning, before policy even wakes up. And which I, I totally agree with by the way. And it's an interesting one that you've raised because it does feel like cybersecurity culture gets talked about a lot. And we've, we certainly talk about it a lot on this podcast, in the industry conferences.

Like it's, it's everywhere, but it also feels like that many organizations, if not most organizations, still kind of struggle with how to create that good culture that you've just talked about. W- w- what did, what's your approach, or when you're kind of coaching organizations, how do you get them to get to that point where they can look around? And, and as you say, it's the bit where no one's looking [laughs] and they're, they're still doing the right thing.

Bruce McCully: Well, I, you know, let's start off with the, that quote for a second. The reason I say that is because a lot of people think that, you know, we have a behavioral problem in our organization. It's time for us to create a new policy or something like this. And what we have a hard time understanding is that policy is pretty weak when it comes to organizational change. And a great example of this that I like to use is, I mean, a- actually, Garrett, we'll get this on record, do you speed, or have you ever like driven your car over the speed limit?

Garrett O'Hara: I dunno if like any cops listen to this, I may on occasion. Not saying I definitely have, but there might be times where I look at the speedo and I'm like, oh, that's, that's a little bit harder than it should be.

Bruce McCully: Right, right. So I, I speed. I will admit it. And uh, I think we're being recorded in Australia, so hopefully, you know, this doesn't make it back to New Orleans, but I do speed. And the thing about speeding is it kind of feels good, right? Like, like you're like zipping along and you're zipping by people. And so there's that feeling that it feels good. The other thing is, is it's culturally accepted, right? Like, like nobody's embarrassed that they speed. In fact, have you ever gotten a speeding ticket, Garrett?

Garrett O'Hara: I may have had multiple speeding tickets. [laughing]

Bruce McCully: So, so you should see Garrett smiling right now, guys. So the thing is, is that when you get a speeding ticket, we all know that it costs you money and that, that's your, your fine, right? That if this was... If we look at speeding like a policy, so first off, it's a pretty simple policy. I don't, I don't know, in the states, it's usually like four, three or four words that are on a sign, speed limit 55, you know, and you pass the spot sign six or seven times on your way to work and you still break the rules. Like you still go through and, and break the rule and you still smile when somebody asks you if you got a speeding ticket and you say three or four times.

So it means that you've, you've been penalized. You realize that you're going to, to get caught probably again, yet you still do it. So it's a simple policy. It's easy to find. The consequences are clear and we still break it. And this is the culture part. And like, just to give you some, some idea, I mean, just some quick research that I did before the call, just to give some numbers out. So 36% of drivers. Now these are US numbers. So 36% of drivers will get speeding tickets, according to somebody here at the US federal government. And the total cost of B, billion with a B.

So there is a bit of research done in the US for 2020 ransomware, and the numbers are shockingly the same. 37% of organizations are going to... Were attacked, and the total cost of recovery was $7.5 billion. So it was like just a percentage off. I mean, it's crazy. And so what this means to me guys, is that like first, we've got this culture issue and no matter how many policies we try to ch- apply, change, et cetera, we will still have this culture issue. And the culture issue is our teams have a bit of risk fatigue. Like they see broken stuff all the time. They might see policies that are unenforceable.

They might see passwords that are being reused from platform to platform, to platform or client, to client or user to user. They might see firewalls that aren't actually tested or aren't set up properly. And all they see is risk, but subtly, subtly, we give this message that it's okay. And that is why we have such a cultural problem, if you ask me. And to fix that isn't an easy task. The way that we're finding this working, and we're working with a couple of hundred MSPs right now. And what we found is that if you create that shocking moment-

Garrett O'Hara: Mm-hmm [affirmative].

Bruce McCully: ... you know, think back to one of those speeding tickets when you were pulled over by the police. For that moment, actually like when you're zipping by them, first off you saw him and you saw the lights light up. Right. And then he came up next to you or came up like behind you and you're like, "Oh God, please, not me. If you don't pull over me, I, I promise I'll never speed again." Right.

So there's that whole thing. But that, that shocking moment, that like butt clenching moment where you're like, if I, if I just don't get... If it, if it just doesn't happen to me, I won't do it again. That is an aha moment. And probably after you go out, go through that and you have like, you don't speed for a little while, but then as time goes on, you start driving a little faster [crosstalk 00:26:06]

Garrett O'Hara: Next couple of days, right?

Bruce McCully: [laughs] Exactly. You might buy a new car that's red and then you're speeding again. And so what you have to do is first create that aha moment, that cop pulling you over piece, and then after you have that in place, you have to have some sort of ongoing reform or behavioral change. And the way that we do it is we do a, a weekly mission, just a simple mission, like one simple thing that you can do to improve your security posture every single week.

And what that does is that builds momentum and it kind of keeps, it's kind of like, you know what, it is kind of like, and I'm sure this is not politically correct, but it's kind of like AA for security, right? So instead of focusing on, you know, an addiction, what you're doing instead is focusing on improving your skills on the security side. And that has been very, very successful for, for our team.

Garrett O'Hara: That, it's phenomenal. And I love that you said behavior change, 'cause it feels like that's, that's the new rock and roll, right? When it comes to, you know, what was traditionally cyber security awareness. I think more and more people are realizing that actually this is behavior change programs and they are, to your point, much more difficult, much more complex. And, and they just take longer; the information tends to not be enough. People... Hey, your analogy there, by the way is... I'm going to, I'm going to steal it. I hope that's okay because it's just perfect in terms of, you know, getting that the, the problem of policy across.

But you know, one of the things that I think would become critical as you do the, you know, the, the weekly cadence you know, those goals that the kind of ongoing stuff is the communication side of things. And that is clearly going to be very, very important in how you approach this stuff. And I think you've kind of alluded to positive being better than negative and, you know, and some of those kind of behavior change philosophies. What are the mistakes you see?

This is a two part question. So what are the mistakes that you see organizations make when it comes to communication? And then on the flip side, what are there maybe some good approaches or you know, things, things you've seen organizations do to great success when it comes to communication.

Bruce McCully: Yeah. So on the communication side, the, the biggest mistake that we see when it comes to communication is we see people saying things once, right? So they say it and they think that their team heard them. And this goes for everything, but specifically in security land, don't reuse this password, okay. Like something like this, right? And then you look, and before you know it, when somebody is adding a new user or a new vendor, they reuse like a, a different password and then they make, make a single password up that they're reusing for each one. We didn't communicate it enough.

So we didn't get them to understand not just how, but the why piece, but also the ongoing communication around why not just reuse this password. Why not just do this? And what we've found the most successful organizations doing is communicating those at least 11 times in different ways. So that's one of the things that we always work on when we're working with our partners is, how do you communicate this 11 ways? And that becomes really difficult. Like you can do a webinar, you can do an email blast, you can do a Teams chat, you can do a phone call. All of a sudden you start to run out pretty quickly. And so that becomes one of the hardships is how do we re communicate this over and over and get to it at least that 11 times.

And I stole that from sales. Like you have to see something 11 times before you decide to buy. Same thing here, guys. It's just, you're selling something a little bit more important maybe than than the used car. The other thing that you mentioned was what are the good approaches? And when it comes to the communication side, the best approaches that we've seen is something that is engaging. And what I mean by that is sharing this story, like going to your team and taking a minute and sharing the story of something that's actually happened.

And it doesn't have to be like the got in. It could be your, your billing person spending a minute going to the water cooler and telling a story how she got the email about the two gift cards from the CEO, asking him to go like, her asking her to go buy, you know, two gift cards for everybody on the team and sharing how it was just silly, there is no way that that would, that she would fall for that.

But sharing the story, because ultimately there's somebody at that water cooler that isn't aware of that attack vector, that hasn't thought through that, or might fall for it 'cause they're new to the team. And I would just say along the way of sharing stories, one of the things that our team has created that I really, really dig and I hope everybody takes a moment to do this.

We have a channel on Teams, and I'm sure you can do this with other platforms too, but we have a channel on Teams that we call the Barrel Roll, which is just like a spot where you can just like put random stuff, like ha, they tried to get me with the gift card, email, blah, blah, blah. Like that type of stuff that you would usually say around the water cooler. So you have a spot to put those random things in an ongoing basis because with, in the US, a lot of folks who are working from home right now, and I'm not sure if you guys are dealing with that too, but from that standpoint, having that little piece of humanity like going through your day is really helpful.

Garrett O'Hara: Phenomenal, phenomenal. I'm just looking at time here and I've got so much more to ask and so little time to [laughs] to ask it all, which is a great problem to have. So I'm going to drop a couple of questions here, but I want to circle back quickly on MSPs and maybe just pick your brains a little bit in terms of for people listening today, evaluating or looking to go and work with an MSP or an MSSP, maybe more particularly, what, what are your ad- what's your advice in kind of ensuring that, you know, that MSP or MSSP is, is doing, you know, air quotes, good security?

Bruce McCully: Yeah. So what I would do, the very first thing I would do if I were going to work with an MSPSA, guys, who does your third-party auditing? Like who goes through and audits your environment and makes sure that your things are working right? And if they don't have a good answer for that, that's kind of telling about what they're doing when it comes to their results. So that would be the first question I'd ask. The next question I'd ask is when I have a problem, let's say our organization has an incident.

Let's say we have an event. Do you have a written plan that you use to respond? And hint, they m- they may say yes here, but ask to see it right after they say yes. Say, "Can you give me a copy of it?" And if they hem and haw that it's going to take them four days to get you a copy, think about what that means when it comes to their response time. So those are 2B2 questions that I would definitely ask when you're going through and you're deciding who you want to use as a part for when it comes to security.

Garrett O'Hara: Awesome. And then as we kind of round out the conversation like I do understand you've got a perspective on how we measure things in cyber security, and that maybe in some cases we're measuring either the wrong things or measuring incorrectly or things that aren't really meaningful. Can you talk to us about that?

Bruce McCully: I can re- Garrett. I would love to come back to that NFW question for a second, if that's okay with you.

Garrett O'Hara: Yeah, absolutely.

Bruce McCully: So one of the things that you and I kind of chatted about for today's call, it was in the list of questions you had sent over, was why are MSPs the attack vector? Like why do hackers go after MSPs? I just wanted to spend a minute on that-

Garrett O'Hara: Yeah.

Bruce McCully: ... because I think it's really important to think about. And I think it's important not only for that folks that are running MSPs or that are considering using MSPs, but also the folks that are running IT departments, because really what it comes down to is an MSP is just a larger IT department that's running IT for multiple organizations. And when you think about it, like when you think about getting it, like, think about it from the standpoint of a hacker, let's say that, Garrett, let's say you had a hacker hat, like a little black hat that you wore when you're, quote unquote, hacking.

So you put on your hacker hat, how would you get in? Well, we've already seen it. The, the number one way in is through the user, right? You trick a user and you get them to click a link or give you access. And with users working remotely, and all of the different things that are happening there, and the fact that a user, when they actually do their work, they have to decrypt their data. Like they have to actually be able to see the data on the server settings that they've got keys and all sorts of access. And then you got that other piece where they make bad decisions.

So Garrett puts on his hacker hat, he tricks the user, gets onto a workstation, and, and what you get a computer. Now let's ratchet that up a level. What if Garrett instead spent some time and started working to trick a help desk user, right? Like instead of focusing on just the regular user, focused all of his efforts on all of the different support desk users that are all over the place out there. Now, instead of getting the user, you get an entire company, because that help desk user has keys and access to all of these different things inside of a company.

So now imagine instead, our focus is on an MSP, and an MSP has access to five or 10 or 100 different companies. Now he's hit the jackpot, right? He's gotten access to all of these different environments and bam, he's, he's, you know, winner winner chicken dinner. But the thing is, is there's another much bigger problem that I see out there, and I just want to mention. And the reason I want everybody to be thinking about this on, on today's call, we've already seen an attack vector through an [inaudible 00:37:05] right? We saw this in July with the event with the Kaseya PSA product.

And we already know that that's an attack vector because we've seen it in other types of remote monitoring and maintenance tools. And here's the thing. I see that as an opportunity for an attack, or I see that, it's not just in the RMM. We've got remote control tools out there. You have your privileged access management or PAM tools out there. You have backup agents. You can execute PowerShell from a backup agent. Imagine if you're the attacker and now you can execute PowerShell on everything that that one backup agent has installed on it?

We've got antivirus out there. We've seen that as an attack vector, we've seen weaponized antivirus and XDR products used. We've even got the SIM, and finally, the new breed of [Sassies 00:38:08] all of these have enough rights and are capable of becoming weaponized and being used as an attack vector. So we've got really four different levels that you could focus on if you had a hacker hat, Garrett, and that very top one is the one that I think is, is the highest risk.

And if you're looking to secure that, if you're thinking to yourself, "Well, shoot, thanks, Bruce. Now I'm [inaudible 00:38:32] not going to sleep at night. What do I do?" Well, there's a couple of things that I just want you to think through. One is when you're building your layers of security, and we always talk about layers of security and I just named a bunch of pieces of the endpoint layer, when you're building those layers on your endpoint, I want you to think about, okay, if XYZ product gets hit, how do I shut that down?

And I want you to have a path and a method, and maybe even the script's already written to shut that layer down. And so basically what you can do is you can have the ability to, if you do have an event on your hands with one of your layers, you can shut that layer down remotely. And when I was running my MSP, we did that through the perimeter. Like we actually had firewalls set up, but with users working all over the place, we really have to do it at the end point now. So that would be my quick suggestion from, from that talk, that discussion.

Garrett O'Hara: Yeah, absolutely. And, and you raise, what I think is, it feels like where attacks and ransomware is going to go, it's, it's more efficient as you say, to attack further along or earlier in the supply chain or, you know, as an MSP. And I, I think we're going to see more and more of that because why would you attack 10 organizations once if you can at- attack one organization and get to those 10, it just, you know, it makes way more sense in terms of just pure resourcing and cost.

So, so coming back then on the, on the measurement question [laughs] 'cause I'm very keen 'cause the, the reason I'm asking this with, with sort of uh, I'm like a dog with a slippers because I agree with you, and you'll call it IS or whatever, but I'm very keen to hear you say things that I'm going to agree with probably.

But yeah, I'd, I'd just, I'd love to get your take. You know, I, I personally think we as an industry, you know, we have metrics and KPIs and things that are like, okay, they're, they're information, but so what is quite often the, the two words that float through my head when I see a lot of them, and I'd love to get your thoughts on w- what are good things to measure in terms of security outcomes?

Bruce McCully: Well, let's go back to... I'm going to... Two things, first off, I, I just want to make sure that we're really all on the same page, logic doesn't change culture. Okay. And that comes back to that speeding thing. 36% of drivers get tickets, and we spend $6.2 billion on those tickets. Garrett admitted that he's gotten three to six or however many he's gotten here. So we know that logic doesn't change culture. So I just want to make sure that we're not thinking, okay, now if we just start measuring this right, it'll fix it, because that's not quite what we're looking at. What we can do though, is we can measure those ongoing steps that get us there.

And what I mean by that is right now, you see people talking about, oh, what does our patching look like? And people are talking about how long it takes to get to 80% patching or how many days it is required for us to roll out this particular patch. And what I would rather see us measure is something that's about the steps along the way. And I'm going to explain that for a second when it comes to habit. So let's say that, let's say that you're trying to lose 10 pounds and you decide to, to weigh yourself every week. And the first week you gained three pounds, the next week you lose four pounds.

The week after that you gained 10 pounds. If you're only measuring the outcome, as in how much weight you've gained or lost, there's no way for you to figure out how to improve that particular behavior. And so what I would like to see us measure on the security side is start measuring the behaviors that create the outcome that we're looking for. And so rather than looking at how many passwords or if, if a password gets breached, we look at how people are utilizing passwords in the environment, for instance.

So we start looking at, okay, we're seeing that this particular password is reused three times. And obviously we're telling this based on hashes and stuff like this, and this gives us an indication that we have a problem here. So that would, that would be my thought process when it comes to measurement, Garrett.

Garrett O'Hara: Yep. And, and I totally agree with you. I think the, the thing I've struggled with is how often the, the proxies we try and use for like in security don't necessarily stack up. You know, we might measure one thing and then think, okay, that's where our security's at. And actually it's way more than that. For example, you know, we work in, heavily in the email space and you could produce a report on the number of spam messages blocked. Cool. Or you know, how many malware thing how many pieces of malware we blocked. That's all fine. Like, that's there, it's information, but what do you do with that?

And the thing I think I've struggled with, because I totally agree with you, I think we need to measure the behaviors, 'cause that's the thing that ultimately tells us where we're at. But coming back to what you said earlier, so often those behaviors are done when nobody's looking and they're behaviors that are actually really difficult to measure. You know, is somebody letting somebody walk through a turnstile, well, maybe they are, maybe they aren't. You know, to our tailgate through a turnstile, I should say. So those broader security behaviors, I think that's, that's where I kind of struggle.

And I, you know any thoughts on, on that stuff? Like how do you measure the things that aren't seen, or do you use engagement of, of, you know, some sort of engagement measure as a proxy for, well, if people are engaged and they understand, then you know, hopefully in the moment when no one's paying attention, they're actually going to do the right thing.

Bruce McCully: I haven't figured this one out completely. I'll start by saying that like, once somebody figures this out, I think we'll have a much better methodology for changing security. But from my standpoint right now, today, what I would recommend is that you figure out what these, going back to those small missions, like these small behaviors that we want to implement, one of them might be checking for over pr- privileged users in the environment. And you get an entire team to participate that, in that process for this particular week, that raises visibility to it.

It eliminates the issue. And then if you return back to that in 90 days, we'll do it again. And we see that it stayed that way, we know that when we have success. If we see that it's, if it's increasing, we know that we have a problem. Like we still have people over provisioning users. And so that would be the path that I would go down, is basically create a number of measurements that can be part of those weekly missions and then engage your entire team.

And the weekly mission, keep it small. It has to be as like one small battle cry each week, and then that creates the momentum and gives you a way to come back and measure that over time.

Garrett O'Hara: Yup. And, and I think over time is the key here, right? It's not going to happen in, in, in a week or a month. It's, it's a long term behavior change program. So we are very rapidly approaching the, the hard stop. But I wanted to maybe ask one last question, which is just on a positive note, what, what are you most hopeful about in terms of cyber security or cyber resilience or, you know, our industry or MSPs in general? What's, what's the thing that you feel okay, we're, we're doing this well?

Bruce McCully: Well, what I'm seeing is I'm seeing MSPs really engaged and wanting to improve the security of their community. I mean, we go and the folks that are allowing us to audit their environments to help build knowledge for the rest of the community. I mean, w- we've had over 2000 people say yes to that. Imagine that. I mean, that's, that's huge. That's somebody saying yes to having somebody look at their dirty laundry, right? So this is, this is a big deal. And I think I'm really hopeful based on, on that, and people's response to the findings. I think people are interested in making, making their security better.

Garrett O'Hara: I think that, that, that is the perfect note to, to end on. Bruce been an absolute pleasure to meet you and to get to speak to you for an hour. I really do appreciate it. And we'll put links to your, to your book in the, or your books actually, I should say, in the, in the show notes and make sure that folks are aware of where to, to get that. Thank you so much, really appreciate the, the time and the conversation.

Thanks so much to Bruce for joining us and as always, thank you for listening to the Get Cyber Resilient podcast. Jump into our back catalog of episodes and like, subscribe. And please do leave us a review. For now, stay safe. And I look forward to catching you on the next episode. [silence]
