State of Managed Security Services
Webinar Transcript on Survey Results & Panel Discussion
GreatAmerica hosted an educational webinar in August 2018, to reveal key findings of a survey they distributed to MSPs on security in the industry and becoming an MSSP.
Download MSSP Webinar Slides
MSSP Webinar Transcript:
(00:01:20) First, a little bit about the survey itself. TechValidate is a company we've used for about three to four years at GreatAmerica. They are the ones who ran the survey. They compiled the data and verified all the stats we're about to share. The main point is the vast majority of respondents are small and medium-sized MSPs, which is similar to most of the companies on this webinar. So what are the things that we found out from the survey? And what are some of the things that we're going to be hitting on today? Well, you're going to find out what percent consider themselves an MSSP today. You'll learn what security components MSPs are looking to add? Security and any offerings that you have always seem a little bit incomplete, and there's always the what's next, and we're going to touch on that.Welcome to the webinar everyone. My name is Greg VanDeWalker, and I'll be your moderator today. I serve as the Senior Vice President of IT Channel and Services at GreatAmerica. And what that means is that I have the opportunity to provide strategic direction to two of our business units at GreatAmerica. The first unit is our connected technology group, which provides leasing and other financial services to IT, MSPs, and Unified Communications Channel partners. I also serve as the Strategic Direction Leader to Collabrance, which is a wholly owned subsidiary of GreatAmerica. Collabrance is a Master MSP as well as a Master MSSP. And you'll learn a little bit more about them later on in the webinar. So we at GreatAmerica and Collabrance are very excited to share the details of our most recent survey of MSP partners. Also you will hear expert analysis of the data from a panel of distinguished experts.
(00:02:14) You'll learn a little bit about what percent of MSPs currently outsource parts of their security offering? Again, the age-old do we build, do we buy, do we partner? We'll hit on what some of your peers are saying about that. How many MSPs have looked at partnering to go to the next stage of the MSSP? And how important is that transition from MSP to MSSP part of your future? And there are varying opinions on that that we'll get into. I'm really privileged to have these three security experts on our webinar today. They will definitely be adding their perspective of the results from the survey. I'd like everyone to give a brief introduction of themselves and, in particular, what is your security background. So, Brian, why don't we start off with you?
(00:03:11) Hi, everyone, I'm Brian Wells with Collabrance. I've been in the IT industry now for over 33 years, specifically in that small to medium business market. As the Director of Product Development for Collabrance, I'm responsible for our current technology stack as well as evaluating new products and services. And as you can imagine, security is a huge part of everything we do. From laptops to servers, to SIEM, from UTM to VUL/PEN testing, security is always kept top of mind.
(00:03:52) I'm Jay Allpress, and I'm the Vice President of Information Security for GreatAmerica. My background is in a couple different areas. I was in banking for about the past 16 years at a $3 billion bank here in Iowa and then in the military as well, specifically United States Air Force. So between those two fields and my time here at GreatAmerica, I've got roughly 28 years working in and around information security.
(00:04:24) Hey, I'm Dan Hoban, Chief Strategy Officer at Nuspire Networks. Nuspire is a global Managed Security Service Provider. And my role there is security research, education, and advocacy. I also assist in solution design and product positioning. I've been in the security space for about 15 years now. And I've had the experience of dealing with some of the largest companies in the world as some small to medium-sized businesses, and I'm glad to be here today.
(00:04:54) Well, thanks, Dan, and thanks, everyone. And, again, we look forward to hearing your feedback as we go through the webinar. So we will be doing Q&A at the end so, again, please type in your questions in the chat area. We will get to as many as we can. If for whatever reason we can't get to all of them, we are very good and very diligent about following up one-on-one and making sure your answers are complete and you've got a full understanding.
(00:05:26) So before we get to the experts, you know, to say that security is a very hot and relevant topic today is quite a gross understatement. I'm sure every day your inbox is filled with emails about security, but it really isn't a new thing. I mean, security's always been important. I like to look at the banking system. When you think how long it has run digitally, I mean, it has been decades. And they've really had a good track record of secure environments. But I believe there are many reasons why security seems so top of mind today for the SMB space, in particular. But two things really come to the top of my mind from my perspective, I guess. First of all, when you look at the toolsets available today to the typical MSP, they're at such a low price point that proactive IT for the SMB space, it's a reality now. You know, 10, 20 years ago, all these tools to manage security effectively were available but only to the enterprise customers. Now these tools have been democratized. Second, I think, is the proliferation of devices. You have more devices. That means more points of entry, which means higher risk. So I know there's many reasons to be sure, but I think these two are really high on the list that contribute to all the noise about security in the SMB space. And you know, as you can see from our other technology partners, they're chiming in on the topic of security as well. And I'll let you read those for yourself.
(00:07:10) Dan, I'd like to ask you, at Nuspire, have you done any research in particular on your own to determine what the security environment is like today?
(00:07:20) Oh, sure, we've done a lot of research. And we found that as many as four out of five organizations have recently been infected with some type of malware. Furthermore, we find that about 5% of the networks that we take over security management for have malware on their network at that point in time that they're unaware of. I think that a lot of times this goes unnoticed because every week organizations have security incidents that they need to follow up on. And if they don't have the right people or technology in place, a lot of times they go unnoticed. We found that a small business should expect one to two security events per month that require investigation. Even medium-sized businesses may require one or two incidents per week that they need to follow up on. And of those, we find that about a 1/3 require some pretty extensive action that needs to be taken.
(00:08:18) Well, thanks, Dan. You know, I appreciate that, and this is a question to the panel. I mean, when you looked at all those articles we popped up there, when you heard things that Dan had to say,you know, we do hear all the noise about security. What do you see as the potential opportunity for MSP specifically with security in the SMB space? Dan, why don't we just start with you?
(00:08:43) I think there's a great opportunity for MSPs when it comes to security. We are betting on about 15% of organizations by 2020 will be using some type of service to monitor or respond to security threats. Right now, that's at about 5% or less. So there's going to be a significant movement to security services. MSPs are in a perfect position for that because they've got the customers in line. And these customers have already bought into the model of outsourcing some of their activities. So there's a good opportunity to leverage those customers, leverage the work that MSPs have already done to really make the jump into security.
(00:09:30) That's good. Thanks, Dan. Jay, how about you? What's your take?
(00:09:31) Yes, I think there's tremendous potential there. I mean, if you just look at cybercrime costs from a worldwide perspective on companies like Forbes, The Wall Street Journal, they've done a lot of research. They've put a lot of data out there. And what they came up with was just those costs in 2016 were roughly $400 to $600 billion-- with a b-- but the interesting thing there is that those costs are expected to rise and reach at least $2 trillion by 2019. So cybercrime's a really lucrative deal for the bad guys, so to speak. And so I think there's tremendous potential for security service providers out there.
(00:10:06) Yep, that is a bit scary. But I appreciate that, and I agree. Brian, how about you? What's your take on that?
(00:10:13) You know, I see a huge opportunity for MSPs out there. Security is a major concern today and will only continue to increase. Everyone from small business owners to the enterprise customer has security top of mind. But it's those SMB customers that need to partner with an MSSP to protect their business.
(00:10:37) Thanks, Brian, I do appreciate that. Well, let's start to dig in to the data. We've got some really good results that we want to share and discuss. Here's the first question that we asked and that we're going to talk about.
(00:10:50) Have you lost any customers because they needed more security services you weren't providing today?
(00:10:57) Almost nine out of 10 partners surveyed said that they'd lost a customer because their offering was lacking. I mean, we used this result to help market this webinar because it really seemed the most alarming statistic that we got back from the survey. Honestly, that number surprised me that it was that high. Jay, I mean, what's your take? Did that surprise you at all?
(00:11:4) That's true. Brian, what's your take on that number?(00:11:22) Not really. I think those numbers really just illustrate the ongoing convergence of IT and security in general. So if you think about your IT security or your IT stack, name something within there that doesn't actually involve security. I mean, you'd be hard-pressed to do that at this point.
(00:11:46) You know, I have to agree. I don't think that statistic is very surprising at all. The IT threat landscape is constantly evolving. You know, years ago, a basic firewall and AV on the workstations was sufficient. That isn't today. Today, you need a true multi-layered approach. That MSP has to evolve to remain relevant, to maintain and grow their customer base. So yeah, if that MSP doesn't evolve, they most certainly will lose customers.
(00:12:19) Yeah. Dan, do you have any ideas on that as well?
(00:12:22) If the companies that don't evolve, they're going to be left behind. The security landscape is a game of leapfrog. Bad guys think of new and clever ways to get into networks and steal data. Those of us on defense have to come up with new solutions and new ways to stop those folks. And then, of course, obviously the bad guys think of ways to go around those new preventative measures. So as we're playing leapfrog, those companies that aren't continuing to innovate and evolve and provide new solutions, frankly, they're going to get left behind.
(00:12:57) Yeah, that's a good point. You know, when I think just from the business perspective how difficult it is to add MRR to the typical MSP. I mean, when you get that MRR, you love it, and you're trying to grow that. It really is a punch in the stomach when you lose customers because it's just something that you can't provide. You always understand, hey, this company got bought out, and they moved to a different city, whatever. I mean, you get that. But, boy, that leaves a mark when you lose that kind of MRR. So let's keep going on with some of the data. So this question was, what security components are included in your current security offering today? You know, I guess my observation when I looked at this particular feedback, the top vote only got 86%. I guess my assumption was--not as a technology expert but just more as somebody on the business side so I'm anxious what you technology folks think-- I just assumed that one, maybe two items would have been at that 98%, 99%, or even 100% range. The data doesn't make it clear that any one of these is a must-have. Jay, you know, as a customer, as an end user, how did you interpret this slide?
(00:14:45) Well, I mean, there's a myriad of services and solutions out there, obviously. These slides do a good job showing that. What really is important to me is that businesses really have to consider the threats they face and what they do also, so two things there. How are you being targeted, and what do you actually do as a business? I mean, if you're a business that relies heavily on email, probably it's a good idea to look into security solutions around your email. So it kind of just depends. Another example would be if you're in the health care industry and you're regulated, you might need a compliance solution, something that helps you comply with those regulations. So it just kind of depends on what you do and how you're targeted.
(00:15:26) OK, good. Dan, how about you? What do you think?
(00:15:29) I think Jay, again, is spot on. I think this just shows that there is no silver bullet when it comes to security. There is not one product or software or hardware, there's no solution that you can purchase that's going to cover everything. To Jay's point, you really need to look at the threats and your specific need to help mitigate those concerns.
(00:15:50) OK, good. Let's keep moving here. The question that we posed was to the partners. What critical security components do you require customers to adopt at a minimum for your offering? So you know, Brian, I know Collabrance has some minimums it requires before you'll bring on a client. Would you mind sharing what some of those requirements are?
(00:16:18) Yes, certainly, I'd be happy to. Obviously, we all want our customers and servers and workstations sized to meet their needs. Supporting operating systems from the manufacturer are a must. Today, that means Windows 7 Professional or newer and Windows Server 2008 or newer. And of course, those requirements will change come January, 2020, when Microsoft discontinues support for Windows 7 and Server 2008. We require at least four gigabyte of memory for domain controllers, eight gigabyte of memory or more for application servers, obviously, following the application manufacturer's recommendations, some level of RAID in the server to protect the server from a hard drive failure. The server needs to be on a UPS. We do require a gigabit managed Ethernet switch, four gigabyte of memory or more for workstations. And our customers also need a managed backup disaster recovery solution, a managed unified threat management solution, RMM, AV, URL filtering. Those are really the highlights of our minimum requirements.
(00:17:34) OK. Well, you know, kind of the tenor of what I've been hearing from you folks is security is not a binary yes or no. Security is more of a spectrum. So, Brian, once you're sure that you've got some of those must-haves that you just talked about in place, what are some of the secondary what I'd called "like to haves" you'd prefer to have in place at inception?
(00:18:00) You know, those "like to haves" are really kind of an expansion of best practices, such as a valid manufacturer's warranty on customer's production servers; intelligent server hardware monitoring, SIEM via S&MP with such tools as Dell's iDRAC or HP's iLO. It would be nice to have a UPS on the Ethernet switches, on the UTM, and on the ISP's modem or router. Wake-on-LAN is nice to have to wake up computers when immediate patching is required. But be advised that those minimums and those like-the-haves are really dependent upon the customer, and any regulatory requirements they must abide by. SIEM and VUL/PEN may be like-the-have's for some environments, and may be requirements in others.
(00:18:52) That's a very, very good point, Brian. I appreciate that feedback on this. And we're kind of staying on the topic of what's included in your current offering.
(00:19:05) So I've got a question in particular for Jay. As a VP of IT security for a 550-plus employee company: What types of security do you have in place in GreatAmerica? And I've got a list of things up here. When you look at that list, how does your stack compare to this, Jay?
(00:19:26) Sure. I mean, looking at that list, and without going into any specifics or detail, we do all those things.
(00:19:34) That's pretty solid. So if this is already stuff that you have in place, what would you say would be some things that are critically important to you from your perspective that aren't on this list, that the audience might benefit from hearing about?
(00:19:53) Well, a couple of things stand out there. One, there's no mention of a SIEM solution or "SIM," depending on how you pronounce it. So there's no log management solution listed, and also, it doesn't mention any vulnerability or penetration testing. And really, those two things are pretty credible from my point of view. One, just the visibility into your systems that a log management or a SIEM solution brings is critical. And in the second piece there, the vulnerability and pen testing. I look at it as a way to test all these solutions to make sure they're doing what they need to. So it's great to have all these solutions in place, but then that vulnerability and pen testing does that check, where that verification walks around the fence and makes sure those solutions are doing what they're supposed to.
(00:20:38) Good. Thanks, Jay. Brian, what's your take on this slide?
(00:20:45) You know, many of those things are certainly requirements for the SMB environment. And again, it's really depending upon the regulatory compliance requirements for the individual organization. But next generation firewalls and unified threat management, those are a must-haves, and that has to be a truly managed solution. I think everybody would agree, email spam filtering is something that people should be doing at the MSP level. True backup disaster recovery solutions also need to be in place in today's world, because the best systems in the world get hacked every day, and you do need some type of disaster recovery solution. So I think all of those things that are brought up here are certainly very important.
(00:21:41) Well, thanks, Brian. I appreciate that. And before we go to the next slide, I'll let the listeners in on a little behind-the-scenes thing that we had. So when we were doing the rehearsal for this webinar, I asked Jay the question, and he said he had all of those. I didn't know that was going to be his answer. And then I followed it up with, well, what one or two things do you want to talk about that aren't on here? And he talked about the SIEM and the vulnerability and pen testing. Well, we asked that question as part of our survey.
(00:22:19) We asked, what new security components are you looking to add to your offering? And look what the top two vote getters were. So that was a pretty cool coincidence. And we've got what I think is another cool coincidence. So we did this survey in July, just last month, and so this is very fresh data. That it was back in January of 2018, Collabrance decided to layer in SIEM and vulnerability and pen testing, as its next layers of their master MSSP offering. So Collabrance announced just this past July that both of these offerings are ready to go. So based on Jay's answer, based on some of the things that Collabrance is doing, this answer was really exciting to us. So, Brian, if, from your perspective, you deal with partners all the time of Collabrance why do you think MSPs chose these two as their top components that they're looking to layer in?
(00:23:16) You know, I think it's really evolution. Take SIEM for example. MSPs today have some type of RMM solution that helps them be more proactive, and helps them get alerts based on triggers. But no one is, or can watch all the thousands of logs each server, switch, are UTM generates on a daily basis. If you're going to evolve, you need a SIEM solution to truly monitor an alert on your customer's critical events. VUL/PEN really is no different. Do you truly know your customer's environment is secure from the outside world? Do you know if that line of business application has been patched to resolve some known exploit? This is stuff enterprise customers have known all too well for a long time, and it's time to take SIEM and VUL/PEN to the SMB market.
(00:24:15) Cool. That's great. Thanks, Brian. Appreciate that feedback. So now we're shifting some of the questions of the survey into specifically around MSSPs.
(00:24:26) So what this pie chart shows-- we asked self-identified, "Do you consider yourself a master security service provider?" So upper right-hand corner in the dark, 18% said yes, without question, the vast majority said no. And then the upper left, in the light blue, 25% said that they're in the process of becoming. So I'm going to focus on the upper right, the 18% who say they are. You know, Dan, why do you think, from your perspective, there's only a small percentage of MSSPs today, 50 and then a bit of a follow up or you can merge the answers together, what challenges are MSPs facing today to become an MSSP?
(00:25:10) I think a lot of companies haven't made that jump yet, because there's some pretty significant challenges. And I think it really comes down two main things, people and technology. On the people side, IT is one of the fastest growing industries in the country. And IT security is the fastest of them all. And that makes it really hard to find good qualified security people. If you're looking to be an MSSP, it's hard to find those people, and it's even harder to convince them to work the graveyard shift. On the other side, too, technology is a huge challenge as well. These technologies aren't generally set-it-and-forget-it-type technologies. They involve someone who has a whole lot of expertise to be able to set these things up, to configure them, to tune them, to continue on with the ongoing maintenance and administration. And this can be very challenging. So I think trying to find the right people, and trying to find and administer the right technology creates a significant barrier that's creating challenges for a lot of MSSPs to make that jump.
(00:26:13) Yeah, that's a good answer, Dan. I just think scalability is something that everyone struggles with in this space. So I want to go back to the panel, and around this topic of what is an MSSP. From our experience, there's just a lot of confusion. There's really no one answer standard on where to go. You know, Brian, I know that from a Collabrance perspective you did a lot of research with vendors and industry association and industry expert, and there just wasn't like one place you could go. I kind of want to throw it to Dan and Brian. You know Dan, I'll start with you. How would you define an MSSP?
(00:26:52) Well, it can be challenging. And I think the reason is, a managed service provider has to take security into account for just about everything that they do. If they are managing a endpoint, they need to do it securely. If they're integrating a new note into the network, security is on the forefront of their minds. Heck, if they're installing a printer they have to think of the best way to do it securely. What I think the major differences is between an MSP and an MSSP, is the MSSP is actually offering security solutions. They're not necessarily offering a solution then do it securely. The focus of what they're offering is security. So they're looking at security technologies for endpoint, security technologies for the network, but the focus is security, where maybe the MSP is trying to do something else with security in mind.
(00:27:41) Yeah, Dan, again, when we were doing the rehearsal, I really appreciated that distinction that they have security solutions, not just doing things securely. And it's more of an intention. So that was helpful. I hope it's helpful to some of the listeners. Brian, what's your take on that? I mean, would you mind explaining a little more detail about what Collabrance did and how they landed where they did on this definition?
(00:28:06) Yeah, I'd be happy to. Collabrance is constantly evaluating its current technology stack to make sure we remain relevant. As the needs of the industry and our subscribers change, so must we. Collabrance did hundreds of hours of research into MSSP standards, what other organizations were offering today, and what we needed to provide specifically to our MSP customer base that serves that SMB market. And it's that research that drives the definition and the priority of the technology stack that we standardized on today.
(00:28:44) Well, thanks, Brian. And then a little bit of a teaser for our listeners, you know Brian mentioned the hundreds of hours. Part of the benefit of being on this webinar, we're going talk about a checklist that you're going to get. And that's a big part of the heavy lifting that Brian did. So thanks, Brian. Appreciate that answer. I want to go back to this pie chart that we just looked at. We were talking initially about the MSSP, those who identify as one today. I want to focus on the 25%, those who are in transition right now. And so we asked the 25% people who are transitioning, we asked them what percent of service providers are considering to outsource, a partnering with somebody to help you make that transition to be an MSSP? So about six out of 10 said that they were considering partnering. Dan, does that surprise you? High, low, what's your opinion of that on folks wanting to partner with this particular step?
(00:29:51) No, it doesn't surprise me at all. I talked a little while ago about some of those challenges, being the people and the technology. Partnering with someone removes those barriers. It takes the people and technology challenges down significantly. And I think that that's probably the best way to get into the market quickly.
(00:30:14) Yep, that's a good point. You know, Brian, Dan was talking about the people and the technology. I guess my question for you, Brian, in your opinion, does partnering with a master MSSP in any way reduce risk from a partner's perspective?
(00:30:33) Absolutely. Let's be honest, even if you had the time and the money for everything, you can't be good at everything. Those MSPs that are serving the SMB market have to wear a lot of hats for their customers. You are your customer's trusted advisor. You are their VCIO. You may still be acquiring hardware and software for these SMB customers. You are probably also doing all the implementation and migration services. And again, in the SMB market they are calling you for everything. You need to partner with companies that are best of breed if you're going to keep your competition out of your install base, if you're going to not lose any customers, and let's be honest, all while reducing your risk. So Nuspire provides the same components in our Collabrance technology stack that we deliver to the SMB community. They are the best of breed in the SMB market we serve, and thus, it does dramatically reduce our mutual risk, cost, and time of implementation.
(00:31:42) Yeah, Brian, that is an excellent answer. I mean, you do think about it. Even you look at the partners are thinking of partnering. You know what, we did the same thing at Collabrance. To your point, Brian, no one company can be best in class at everything. And so Collabrance has certainly partnered with other technology folks to put together our solution. So anyway, that was great. Continuing on this theme of partnering, I'm sure many of you know service leadership and Paul Dippell. There's a couple things I want to point out from them. In a recent survey they conducted, it showed that the best-in-class profit performers were more likely to outsource than their lower-profit peers. And they found that kind of interesting. And their interpretation of the data is that the high-profit partners realize they can leverage other organizations expertise to help what they call the velocity of their own business. And it really speaks to what Brian was mentioning in the earlier slide that no one can be the best at everything. So outsourcing is really a reality of the technology business today. The second one is the stats shown on the slide. It shows that they surveyed all MSPs who currently use a master MSP. And the results show that only 5% are less likely to use one in the future. So the flip side of that is 95% of the folks who have used some type of outsourcing with a master MSP, they've bought into it. They buy that business model. So it's certainly something that I know from a service leadership perspective, they are anticipating seeing a lot more of. Well, we're getting near the end of the webinar, and there's one piece of data that again, was pretty alarming that I want to go over. You saw this slide at the beginning. This was a slide where we asked MSPs if they've lost a customer because of their security. And again, about nine out of 10 said, yes, we did lose a customer because our security offering wasn't robust enough. Well, we asked the same question to those who currently are an MSSP, and the results are staggering. So only 5% of MSSPs lost a customer because of something they lacked in their security offering. So you compare 87% yes, compared to a 5% yes. That is a big delta. And again, back to the MRR, losing a customer is painful. You know, Dan, that distinction between 87% down to 5%, I mean, does that surprise you, Dan?
(00:34:35) No, not at all. If you think about the security landscape, on one side we'll call them the bad guys. They're part of a multi-billion dollar hacking industry. And these are large organizations, with a lot of well-paid employees, who have a lot of expertise, and they spend their time trying to figure out how to break in to your customer's network. On the other side, your customer, they have you. And if you are providing true security solutions, they're not going to lose you. MSPs, you may switch from one service provider to the other, depending on what your specific needs are. But if your need is security, and you're an MSSP, you're not going to lose customers all that often.
(00:35:19) Yeah, those are very scary things that you talk about when you look at the industry of cybercrime and, anyway, so I appreciate that feedback. So before we get to the Q&A time, I just got a couple things that we want to point out.
(00:35:32) I mentioned that we would touch on Collabrance and tell a little bit about what Collabrance does. First of all, they are a master MSP, so your help desk, your NOC, and some of the typical things that you would expect. We're also a master MSSP. And Brian will touch on that a little bit on the next slide. It's a Midwest-based help desk. So it's live answer. Everybody is located in beautiful Cedar Rapids, Iowa. You know, so that's just the standard offering. What I'd like to point out are some of the value-adds that Collabrance offers. Dan mentioned earlier, the trouble with hiring enough people. We've got a team of people that will help you hire technicians, hire sales people, teach you how to run proper ads, help provide you data on testing those people before they come in the door. Do they fit the criteria of what a good tech looks like? Or do they fit the criteria of what a good sales rep looks like? We'll give you all kinds of support there. Also, from a sales perspective, we do a lot of sales training. How to coach up your salespeople so that they know how to effectively manage an entire sales process. If you don't have a process, we will give them a nine-step sales process. And in addition to that, we have what we call our virtual sales managers. I know sometimes it can be difficult managing salespeople on a regular basis. Well, we've got people who are experts at that, helping them with their daily workflows, helping them manage their funnel, help to prep them before they go out on a call. So there's a whole slew of things that Collabrance does, and I highly recommend you go to their website. It's a very robust website, can answer a lot of questions, everything from what do we offer to how do we price. So feel free to go to collabrance.com. You know, Brian, maybe you could explain to our listeners in a little more detail the Collabrance security offering, and how you help partners from a security perspective.
(00:37:43) In a word, our technology stack is layered. Collabrance helps our partners by delivering a standardized layered security offering. Obviously, we have threat detection on all devices, but we have a different threat detection solution running at the network layer. You add to that, DNS URL filtering, patch management for all devices, RMM and PSA, a managed UTM solution, a managed image-based VDR solution that includes off-site replication. For those users that need remote access, we offer VPN access for trusted devices. We offer secure remote control solutions for untrusted devices. We offer two-factor authentication for those organizations that have compliance requirements. And add to that of course, the SIEM and VUL/PEN that we've previously discussed. It is that layered approach that allows us to help our partners keep customers for life.
(00:38:51) That's awesome, Brian. Hey, thanks for that. And just another quick, hopefully benefit for those that are out there listening. I'd like to go down the line and ask each one of you--you know, there's so many places where you can get security information, online, partners, IT shows, all the stuff you see here, but I'd like for everyone to share one, maybe two places, where's your go to? Where do you go to every day to get the latest and greatest on security? Dan, why don't we start with you.
(00:39:21) I personally really enjoy hearing from threat hunters from the security researchers, from the folks that are on the frontline. A lot of times it gives you a quick look before it hits the mainstream media. One of the places that I go, and it's a shameless plug, but it's of a great value is Nuspire's security insights blogs. We've got security researchers who, every day are finding new trends, and finding new vulnerabilities, and they're putting them out there in real time. And often, you get to hear about things before everyone else does.
(00:39:57) Cool. Jay, how about you?
(00:40:00) Now, I'm really looking at things from a less technical perspective, and just trying to get a better idea of what's going on within information security in general. So with that in mind, there's two sites that I look at every day. One of those is Brian Krebs' on Security. It's a security blog, and somehow he seems to find out what's going on in the industry before everybody else. That's one I look at all the time. And the second one is bankinfosecurity.com. And I know not everybody is in the banking industry, and actually I'm no longer in the banking industry, but that actual website does a really great job of keeping tabs of what's going on in the industry, not just related to banking, specifically. So those are two sites I use on a daily basis.
(00:40:42) Cool. Thanks, Jay. And, Brian, how about you?
(00:40:45) You bet. I take a different twist on this in that I subscribe to several different newsletters. One of those I really enjoy is from the SANS Institute, and then another one also, more particular to our environment, is MSPmentor. So those newsletters are emailed to me directly, and then I can just follow those links to articles I'm interested in learning more about.
(00:41:12) Yeah, thanks, Brian. I appreciate that. I know I hit the MSSP alert as well every day, get that. But if Dan can shamelessly plug, I guess I can too. You know, Collabrance and GreatAmerica have a lot of great information, not just on security, but on a lot of the things that you see up there really to help your overall business. How can you run a more effective, a more profitable MSP? So hopefully you'll take an opportunity to hit the Collabrance blog, as well as the GreatAmerica blog.
(00:41:46) So that's it for the content. We're ready for the questions. And at this time, it's my privilege to turn the microphone over to Jackie Schmid. Jackie is our director of marketing for our CTG group, and she is going to moderate the Q&A time.
(00:42:06) OK, thanks, Greg. It's been a real pleasure working with these four professionals. They're excellent. They're consummate professionals, and they really have a wide breadth of experience. We're going to try and get through as many of these questions as possible. So the first question, Jay, I'm going to ask this one of you. In your mind, what is the major difference between traditional NIST and CIA security and cybersecurity?
(00:43:06) Yeah, I can definitely give you my opinion on this one. Traditionally, the word for the industry was information security through all the years. And now, you see that word cybersecurity more and more on going back to five, six, seven years ago. How I look at that is that cyber to me means things connected to internet, computers, technology, so digital, right. So anything in that realm to me would be cybersecurity. And in my mind, information security umbrellas that. So the way I look at it is if you've got a spreadsheet, a piece of paper, in your hand with customer information on it, you still want to protect. But that's not in the cyber realm. That's going to be within the information security realm. Now, the minute you put that into a fax machine, it becomes digital, and then you're talking cyber. But to me, there's not a ton of difference, and they're kind of related at this point. But the difference is really what the word cyber means.
(00:44:040) All right. With that question, I'm going to move on to the next one. Dan, I'm going to ask this question of you, and if you don't know it, feel free to just let me know. An attendee asks, how would an SLA change with the shift from an MSP to an MSSP?
(00:44:25) I guess it depends on what the current SLAs are. I will tell you that the SLAs for the security side are a lot more on what happens before maybe you get that phone call. So a lot of times what you're going to look for with an SLA for security service is, how long after an alert is generated are you promised to follow up and do that investigation? How long after your MSSP partner finds out of a indication of compromise before they call you, and then how often are they going to follow up? In the security space, it's really hard to make promises in terms of remediation, because some things just naturally take a lot longer than others. But what you're going to find on the SLA side is folks in the security space that are making promises that they're watching over the network, they're going to respond very quickly, and they're going to follow up in near real time with you.
(00:45:23) Thanks, Dan. This question is going to be for the group, but, Dan, I'll ask you first. In the SMB environment—this comes from a customer of ours the SMB environment, we run into challenges where the client can be unwilling to make the investment into advanced security. What have you found to be the most effective route to educate clients on the new threaten landscape and the appropriate investment to address those threats?
(00:45:56) Yeah, I run into it all the time, and I'm sure a lot of the guys on the panel do as well. And I think it's because people still sometimes subscribe to that widget mentality. Security is a challenge, and they're going to buy something, and that should take care of it, because that's how they deal with other challenges. So it does become troublesome, and it is difficult sometimes to convince your customers that they need to spend a little extra for advanced security measures, because they figure, well, I already buttered the firewall, I already have anti-virus, why is that not enough? And I think there's two different ways you can approach it. One is from the business side, if your customer is more focused on the business side, and the other pieces may be on the more technical side. Do you have someone who does have a technical understanding of how threats work? Take them through different scenarios. Explain to them how something that is a crypto miner or ransomware works, and how it's very easy to get through traditional security measures. Hopefully they can understand the impact that something like that could have on their business. For folks that don't understand ransomware, malware, viruses, or any of that stuff, it's better to maybe take it for more of a business approach. Talk a little bit more almost like an insurance game in terms of, well, if this doesn't hold up well, what is really going to be the fall out? What are you going to lose? Is it customers? Is it money? Is it brand identity? And you can usually relate to the business folks a little more on that side than talking about tech terms they may not understand.
(00:47:25) Thank, Dan. This next question, Brian, this is for you. Johnson asked: "What's the difference in your mind between UTM and SIEM?"
(00:47:36) Yeah, so you UTM is Unified Threat Management. It's kind of a fancy word for a firewall or a next generation firewall. But Unified Threat Management really means that this next generation firewall is your wireless control, it's your VPN controller, it does IPS, it does AV at the network level, all those kinds of things. So that's kind of that next generation security guard protecting you in the outside world. SIEM is Security Information Event Management. This is really a deep dive into all the logs that are on your Windows servers, your Windows workstations, your ethernet switches, and even your firewalls, your next generation firewall, your UTMs. When you start looking at all those devices and all those logs, I mean, you're talking about thousands and thousands of events that are generated on a daily basis. So it's those logs that we actually send to Nuspire, where they can correlate and then manage the data. They're the ones that have the Security Operations Center, the SOC, that's available 24/7, 365. And based on the SLAs we've defined with them, they send us back alerts, and prioritize those alerts accordingly. So kind of two different pieces of the puzzle. Everybody really needs a UTM. Maybe not everybody needs SIEM. Certainly those in compliance regulatory industries certainly should look at a SIEM solution. And there's a lot of devices out there that are critical that need to be maintained securely that somebody needs to look at those events on a daily basis, real time, and that's where SIEM and Nuspire come in.
(00:49:34) Thanks, Brian. The next question here is for Jay. How would you measure security risk against your stack or baseline?
(00:49:44) There's a couple of different approaches you can take here, and both involve the use of several different tool sets. The first way to think about it would be you can look at it yourself. So the Center for Internet Security Controls provides a 20 critical security control tool. You can just, yourself, use that tool to go through what you do, what you don't do, and what that means to you. There's other tools out there, like the banking industry has a cybersecurity assessment tool that's very straightforward. You could use that tool to measure where you're at. One of the questions earlier mentioned NISC, so the National Institute of Standards and Technology. They have guidelines out there around information security as well. So I mean, you can use tools yourself to gauge where you're at. Or the other approach would be you hire someone to do it. Obviously, you bring in a third party to walk you through considering the things you need to look at within your stack, and determine if what you're doing is appropriate compared to the risks and threats you face.
(00:50:44) OK, so as Jay was speaking, I realized that I missed a slide that we were going to talk about. So, Greg, can you pull up the next slide? Just next steps for you guys. We recorded this webcast so we will be sending that out. We also have an MSSP checklist. He was talking about all the tools. This is one tool that you can use. What we did was compile elements that we thought would be critical for a managed security services providers to have, to be offering. And this is done with just a ton of research from our team on what is included in the industry. And again, we talked about, there are no industry standards, so this is just our recommendation of what we put together. Also, you heard panelists talk about where they go to get resources. We're going to be sending that out as well. So watch your inbox this afternoon. We'll be sending you a comprehensive follow up so that you have all the data at your fingertips that we talked about today. We are also putting together a full research paper with the results that we gathered from our survey so that you can see what other MSPs responded, and some of the more intricate detail on the survey results.
(00:51:56) Next questions we have here. Brian, this one's for you. We had a couple questions about Collabrance and the offerings that Collabrance has. One says, do we have to use the Collabrance SIEM stack? And the other ones says, if we want to use just the Collabrance SIEM or VUL/PEN, are those available a la carte? Can you address those, please?
(00:52:18) Sure, will start with the first one. Do you have to use our SIEM stack? I guess my answer would probably be your traditional IT response was, it depends. I'd be happy to talk with you about what the SIEM solution is that you are using today, how those alerts are gathered, how they are correlated, and how they are triggered upon. But in a nutshell, I would think we should be able to use somebody else's SIEM solution, and we would just want to make sure--the devils in the details--we just want to make sure that it lines up with our offering. And then the second question, are any Collabrance offerings a la carte? And again, the answer is, it depends. It depends on what that offering is. Obviously, as a white label help desk, there are certain requirements that we want met in order for us to be that help desk for the end user. But there are other solutions. Maybe a customer has in-house IT, and they're truly looking for that backup disaster recovery solution. We do have BDR in a few organizations around the nation, where they have internalized IT, they handle end-user help desk, and then they reach out to us if they have any BDR issues. So the answer is, yes, we do have some offerings that are a la carte. We would just need to talk with you about your specific example.
(00:53:50) Thank you, Brian. We do still have about five minutes left, so I'm going to keep asking questions. This question is, when assessing a process, what indicates whether they need SIEM or simply intrusion detection? Brian, do you want to answer that one?
(00:54:07) Budget is a big one, and regulatory compliance. And you know, again, the best systems in the world get hacked all the time. Obviously, if they've got systems internal that require ports to be opened from the outside world, VUL/PEN is always good, but that VUL/PEN test is only a snapshot in time. What did their system look like when we ran that VUL/PEN test? Again, if they have ports open in their firewall, if they have systems available to the outside world, having a SIEM solution, having a SOC available to us monitoring that solution 24/7, 365, really kind of drives home the need for those kinds of applications, those kinds of products and services.
(00:54:55) So here's another question also regarding education. Alex states, when it comes to cybersecurity, MSPs must recognize that risk mitigation is a balancing act between technology, awareness training, and security education and governance. You were talking about the people in technology, Dan, as well as the importance of security. Is there a reason why security education, or security awareness is not part of the security spectrum? Dan, do you want to touch on that?
(00:55:27) Yeah, I think so. Because a lot of times what we're talking about--and he brings up a really good point-- is we're talking about implementing security controls, maybe from an IT perspective. So it's you working with the IT person at your client's organization. And that's where you're really talking about who are the people, what are the processes, what is the technology. Security education, security policy, really needs to be the lifeblood of the entire organization. So it's not something that can just live in the IT department or it fails. And so, really it's kind of a separate topic, it's related, you could write novels on it, but it really needs to be something that is ingrained in the culture of the organization from the CEO and down. Not just something that might live in the IT space as something that you talk about with people along with technology. It really needs to be something that's just like HR, it's everywhere in the organization. And, Jackie, one interesting thing. When look at the spectrum of services, and again, when they get the slide back, if you remember, it was the spectrum that ranged from like 86% to 21% of what people offered. Security awareness training came in at about 59%. So about six out of 10 companies said, today, they have that as part of their offering. In some of the research that I had done, and I have gone out and looked at the offerings of many, many, many different MSPs and articles that were written on it, industry specific, I was quite surprised the number of people--and again, specific to the MSSP--that did not bring up security awareness and user training. We had quite a bit of discussion on that internally, and I think the reason why it wasn't brought up much at the MSSP level is, my belief is that that is something that they might consider MSPs should be doing today. That that should be included in the MSP offering. And if not including then the MSP offering, certainly included in the MSSP offering.
(00:57:40) Excellent. If you have questions, you can go to our website, fill out a contact us form, or you can reply to the email that we'll be sending to you this afternoon. Thanks, everybody for attending, and thank you for our wonderful panelists.
Review your security offering and use this checklist to help you evaluate your technology roadmap.