A
How have changes at CISA affected MSPs? We'll talk about it on this episode of Safe Mode. Welcome to Safe Mode. I'm Greg Otto, editor in chief at CyberScoop. Every week we break down the most pressing security issues in technology, providing you the knowledge and the tools to stay ahead of the latest threats, while also taking you behind the scenes of the biggest stories in cybersecurity. An attack is coming. It's about keeping us safe. He's just a disgruntled hacker.
B
She's a super hacker.
A
Stay alert, stay safe, stay safe. This is Safe Mode. How have the changes at CISA affected small market cloud service providers? I'm going to say that again. Sorry, they are not a cloud service provider. I got a cloud service provider on my mind. 3, 2, 1. Welcome to this week's episode of Safe Mode. I am your host, Greg Otto. In this week's interview segment, we're going to be talking to Jason Puffall, the VP of Security Services for Vancord, an MSP based in the Northeast. Talking with Jason about what he does when talking with clients, particularly around the security conversations, and then also talking about how CISA really affects what he does on the day to day and how that works into his communications with customers, and just really the changes and how they've rolled downstream and affected what is happening on the MSP level. But first, talking with Matt Kapko, who... look, if you read CyberScoop, if you listen to Safe Mode, you know Matt is very well steeped in cybercrime. And cybercrime stories can tend to be more the wild side of things of what we're covering. And this week was no exception. We had probably one of the more wild stories we've had this year. Matt, pop off with some indictments handed out against two Americans that have been roped into ransomware attacks. Take it away, Matt.
C
Yeah, I agree, Greg. There's wild ones all the time, but this one really stood out. So federal prosecutors accused three cybersecurity professionals of carrying out their own ransomware attacks against five US businesses in 2023. That alone would be bad enough. But the trio accused of participating in this conspiracy, they were working jobs to help companies recover and negotiate ransomware payments, going against exactly what their jobs required them to do. They were effectively, allegedly, moonlighting as criminals that their jobs required them to thwart.
A
So basically turncoats, I guess you could say. The defenders saw a chance to grab a bag and decided, hmm, this seems to be a lot better than the jobs we have going on here. So what were some of the victims like? You know, what particular ransomware strain are we talking about here?
C
Yeah, so they didn't name the specific victims, but the group of co-conspirators, they allegedly carried out this conspiracy for a two-year period ending in April this year. They're specifically accused of attacking five US businesses over a six-month period in 2023. One of those victims, a medical company based in Florida, paid them a $1.3 million ransom in May 2023. This group is comprised of three individuals: Ryan Goldberg, a former manager of incident response at Sygnia; Kevin Martin, a ransomware negotiator at DigitalMint; and then a third individual who went unnamed but allegedly obtained an affiliate account at ALPHV/BlackCat to initiate the attacks. ALPHV/BlackCat is a notorious ransomware group that was linked to all sorts of attacks on critical infrastructure providers.
A
So one of the more wild things too about this, and clarify if I have some of these details wrong: Goldberg, I believe, almost fled the country too after he started to be investigated. I think that's in the court documents.
C
That's correct. Goldberg allegedly fled with his wife to Europe this past summer once he learned he was being investigated by authorities. Court records show that he allegedly confessed to the attacks during earlier conversations with the FBI. He initially denied it, but came clean. He told authorities that he conducted the attacks to get out of debt. He was earning $214,000 in annual salary at the time from Sygnia and told authorities that he got a $200,000 cut from the ransom payment. He remains in custody pending trial due to flight risk. His co-conspirator, alleged co-conspirator Martin, was arrested Oct. 14 and freed on a $400,000 bond. He's pleaded not guilty and is out awaiting trial.
A
So all of this is alleged, but it's just been a really wild week, a wild couple of weeks. I feel like when it comes to talking about defenders who have turned against the law and turned against their jobs, I was in court for the Peter Williams... not trial, the arraignment, where, for those that have not been following this, an L3Harris executive who worked on offensive security tools turned around and sold those offensive security tools to a Russian zero-day broker for millions of dollars and bought a house, bought a bunch of luxury watches, and was eventually caught and fessed up and is now awaiting sentencing. That will come in January. And then we have this story, which gives it a run for its money, in that these two guys, who are just incident responders, who know ransomware in and out, turned around and said, why don't we do this ourselves?
B
Who's...
A
Who's going to find us? Well, you know, you've been found. Yeah. So, yeah, it's just wild. And it just goes to show that, look, a lot of what we cover in terms of the ransomware ecosystem, threat actors, we generally think about Eastern Europeans, and that is where a lot of these actors sit, in Eastern Europe, in Russia, but not everybody. If you read through a lot of court cases tied to ransomware, you find that, like, remote work. Remote work. You can be a remote criminal, too. So anywhere in the world, anywhere in the country. I mean, even though DigitalMint and Sygnia have corporate offices, these guys were remote employees. I believe one lived in Georgia and one lived in Florida, and were just lonesome at home launching these ransomware attacks. So I just can't get over this story.
C
Yeah, I agree. I think it also showcases that ransomware negotiation in particular is unregulated. It's a bit of a Wild West. Everybody knows that it's going on, but there's no real hard rules of engagement. And this is pure speculation, but I think once you get involved in that really deeply, you might find it appealing, right? You see other criminals making huge sums of cash, and it's like, I don't know, that must be tempting to some of them.
A
You know, it's funny that you bring it up that it's not...
C
Yeah, sorry.
A
It's funny that you bring it up that it's not regulated, in that... okay, yeah, it's not regulated. I'm not sure regulation would have stopped this, or, to think about it a different way, we already kind of have regulations on the books in the form of laws, right, that say, hey, don't rob people, or don't lock up people's business infrastructure and demand millions of dollars, generally. We've talked a lot about what the CFAA, among other laws, really sort of signifies. And I would say it's pretty cut and dry here that the CFAA says, don't do this or you're going to jail. And here we are. Look, if you're a defender, like, there are a lot of defenders out there legitimately doing their jobs, and I feel for them when you hear stories like this, because these types of stories, even though they're wildly, like, off, like one in a million, people are going to see this and go, and I really trust these people? So it just sucks. It just sucks all around for the people that are actually doing their jobs.
C
Certainly makes our job harder. I agree.
A
So we will follow up on both of these court cases, definitely this one as the sentencing comes, and then as the Peter Williams case comes next January too. We'll be following up on the sentencings there. And I'm sure there'll be more cybercrime stuff coming. There always is. And Matt Kapko will be here for CyberScoop covering it all. So thank you, Matt.
C
Thank you, Greg.
A
And now to our interview segment with Jason Puffall, the VP of Security Services for Vancord. Vancord is an MSP based in the Northeast in the US, and it was a really interesting conversation because I got to talk to Jason about the conversations that he's having with organizations that understand they need to have a cybersecurity plan but don't have the knowledge or the resources to build out their own in-house team. Really interesting conversation. Talking about the conversations that Jason has with his customers in what needs to be done from a cybersecurity perspective, and how organizations really hit that sweet spot between following the rules of the road but realizing that there's going to need to be some money and some resources that go into improving their cybersecurity posture. We also have an interesting conversation about how Jason looks at the changes at CISA and how it really affects what he is doing and how it can ultimately affect his customers. Check it out. All right, and joining us on this week's interview segment for Safe Mode is someone who actually... I had the honor of being on Jason's podcast for his company, talking about what I do on a day-to-day basis. But I am happy to return the favor and bring on Jason Puffall, the VP of Security Services for Vancord. Jason, thanks for joining us.
B
Yeah, it's a pleasure. I'm glad we have a second chance to talk.
A
So just to set the stage, what is Vancord?
B
We are a 20-year-old managed service provider. We started out traditionally in that managed services space, and eight years ago, seeing obviously a lot of the trends in the security space, added on an entire cybersecurity practice. So now we are about 60 people strong, 45 engineers, dedicated folks providing security services, as well as a whole team providing sort of day-to-day IT management for clients.
A
So with that, you know, the MSSP landscape, I feel like, like everything in cybersecurity, has really evolved over the past five years. So I'm wondering, what do you see at a high level? What have been the biggest shifts in terms of client expectations or threat complexity or the conversations you're having with clients who don't have, whether it's the budget or the resources, the personnel to bring a security practice in house?
B
Yeah, yeah. And actually that last bit is a nice segue. So a lot of our clients probably have a couple of IT people, and, you know, they're tasked with doing everything IT related. People treat them like, hey, you understand technology, therefore you can install my printer and you can do this wildly complex implementation of a new project. So they're really stretched thin. The security aspect: we're brought in often to provide sort of strategic and guidance solutions in the security space because they're not going to hire a dedicated chief information security officer per se. They probably have told one of the folks that are providing IT services internally that, hey, by the way, you have security responsibility too. And they may not have the background for that. So we provide a lot of the guidance. We will provide implementation for security projects all the time, very often, though, in support of a team that already exists sort of on site, or at least full-time employees for a company like that.
A
So what are the most common security gaps or misconceptions you encounter when you are taking on those new clients that just have the IT team, and then they get that tap on the shoulder that's like, oh, actually there's all this cybersecurity compliance that you need to worry about, and they go, wait, what's happening here?
B
So I think, and actually I did a podcast about this probably four years ago, and I think it still holds true: the vendor landscape does a great job selling security, and fear frankly, to sort of these, I'll call them smaller businesses. Right. Our sweet spot is probably the 50-person to, say, 500-person company. So you get these niche solutions being positioned by really good salespeople, but they might not be the right thing for a small business to do, because they already aren't patching routinely, they aren't doing security awareness training. They may not have a good, you know, EDR/MDR product. So a lot of the conversations that we tend to have are, let's really look at what I consider to be the fundamentals of security. Make sure you've got those things in place. And easily 50% of the businesses that we work with probably are not adequately training their staff, which I would say is paramount to any security program they might have. They probably have an EDR, but it might frankly not be one of those that I would consider to be robust and sort of reliable. So we have conversations around, let's shore up the things that you need to do from a fundamental level before you start looking at those more sort of uniquely positioned controls. There's this idea that security has to be difficult, expensive, and complex. And sure, at some point, right, there's probably an element of that. But for most businesses, if you just do the core things, backing up your data, providing a few tools that you need, training employees, you're going to be well positioned.
A
Yeah, I was going to say, let's dive into that a little bit more. It sounds like your approach to risk assessment and helping clients prioritize their security investments is, let's not overwhelm them with all the acronyms, basically, that we deal with, whether it's like XDR, SIEM, whatever. Let's get you some building blocks first before we tackle the big stuff that the big players like to sell you.
B
Yeah, I mean, you really want to make sure that you've got those basic controls in place before you start trying to make complex decisions. And they sound great. Some of these tools sound really cool when they're positioned. But, you know, again, if you're not patching... these threat actors are essentially just organized crime. They're looking to maximize their return on investment. The easiest way to be able to compromise an organization is basic social engineering and tricking employees. Right. So make sure you train them. Or they'll use published vulnerabilities to basically sort of break in the back door technically. But they're not really sophisticated attacks, and they're things that you can circumvent with really the sort of most basic of efforts.
A
So when you do have client engagement, I'm wondering, how do you measure and communicate the ROI of your security services to clients, especially those, again, without the deep security backgrounds that the larger enterprises have?
B
So certainly one easy way is discussing ransomware. It still remains top of mind. It's a concern for people. One of the most common things that clients will tell me is, well, I don't have any data that, you know, a threat actor or a hacker might actually care about. And almost always, the easiest thing to say is, these are targets of opportunity. Right. It's all about making money. Sure, the data is a piece of it, but ultimately they want to make money by extorting you. And if you make yourself an easy target, they might get 10 grand, they might get 100 grand. We've done a lot of incident response work and, you know, they're incredibly expensive, so there's always just the positioning around, well, let's reduce your risk and/or make it a little bit easier for you to recover if something actually does happen. We also deal with a fair amount of manufacturers who now have regulatory requirements, CMMC being one of those. So then you have your conversation where you want to evaluate, well, what amount of your business comes from the Department of Defense or that defense industrial base? And how seriously do you want to take CMMC? Where is this going to fit within your business? So you'll have those conversations about business value, business growth relative to security initiatives.
A
So the CMMC part of it, I want to get to that. We'll get to that a little bit later. I want to ask you first, really, more about the operations that you do have in house, and wondering if you could walk us through your company's approach to threat detection and response. What metrics matter most to you when you have your staff that are actually doing the work for your clients?
B
Sure. So we're not a huge company, but we offer a few things that I think are unique for a company our size. So we actually stood up our own security operations center. The purpose of that is to monitor our clients' infrastructure for potential threats, and that's looking at output from firewalls, output from your, I'll call it your advanced antivirus, right, your MDR, your EDR solutions, looking at authentication data, identity data, and trying to make determinations around, are you compromised? Are there threat actors that are actually looking at your environment? And communicating those potential risks or those potential incidents to clients. That's more of the tactical side, I think. We do a lot of work where we simply talk about the employee risk, through to some of the financial fraud that we see. Right. The modification of POS and invoicing, or the risk for social engineering, for simple, you know, making phone calls, responding to phishing attempts and providing your credentials. I come from an academic background. I am a firm believer that 50% of the risk for an organization is people based, not technology based. And you have to train your people. So we'll conduct phishing tests, we'll conduct social engineering tests, and we'll provide data around, here's the amount of people that clicked links, here's the amount of people that provided credentials, to give that perspective and that real sense of, here's your real risk. Your employees will effectively circumvent all of your security controls. If they're asked for their username and password, they'll provide it. And that goes a long way, because I think it takes it from a, well, this has to be a technology-based attack, or, you know, I've got a great firewall in place and therefore I feel secure. And when you boil it down to say, yeah, if a user clicks a link and simply provides a username and password, your technical controls don't matter that much.
So, you know, there's a lot of, I think, really practical advice that we try to provide simply around risk mitigation.
A
Not only risk mitigation, but it sounds like identity management too, because you are right: from a standpoint of, you could have the best EDR, you could have seven EDRs if you wanted. If I hand over the keys to my castle, all those EDRs go out the window. So I'm wondering, does the light bulb go off there? Because I would imagine if you had a conversation where it's like, oh, you need these identity management tools, blah, blah, blah, you're going to get a glazed-over look. But once you frame it from the standpoint of, hey, if Tim in accounts receivable hands over his password, that's a problem. So here's the tools that we can serve you to make sure that that doesn't happen.
B
Yeah, and those are the most important conversations, because I think IT people love to talk IT things. And so when you're kind of hanging out and you're talking with more technical groups, it's great to talk Active Directory, it's great to talk some of these identity sources. But when you're talking with the people who probably are making the decisions around spend, you really do need to boil it down to risk, and in trying to demonstrate the level of risk that actually exists, try not to make it so hypothetical.
A
So for your own tooling, how do you balance automation and human expertise in the security operations? And where do you see AI, machine learning, any of the new cutting-edge stuff fitting in at the MSSP level?
B
So we tend to do a lot more human-driven security work. Now the downside of that is, and especially in the services space, some of these automated tools, like automated penetration testing or automated tools that will do that incident analysis work, they do drive your costs down. So from a competitiveness standpoint, there's an attractiveness to that. But I think from a result standpoint, you still want human beings. You want human beings performing your pen test and looking at the results. That's not to say there's not room for tools, but you have to have human beings actually thinking about what an attacker might look like, be creative about the attack, but then also be able to write a report that is meaningful and provides meaningful outcomes. It's the same thing with any kind of incident analysis. You need a human being to talk about what actually happened, where's the real risk, and turning that into solutions to make your business more secure. So we wrestle with it all the time, because clearly clients want to hear that you're using AI, and we are in a variety of cases. But I'm not turning all the decision making over to AI, because I think we've hired good people for a good reason and we want them to bring their expertise to a client.
A
So you mentioned CMMC a couple minutes ago. Wondering how you help clients navigate the increasingly complex regulatory landscape that they face. I mean, I'm sure you deal with all types of companies in different industrial sectors, but you mentioned CMMC. So I'm wondering, what exactly are those conversations like, where it's not just necessarily a technical conversation or an in-house conversation, it's, oh, here's this other stuff that you need to worry about that's totally outside your organization?
B
So I think one of the most interesting parts... so there's a few things about CMMC. It is only a recently finalized rule. So for the last, let's just say, half dozen years it has been evolving, and there are certainly manufacturers that have taken it very seriously because that defense industrial base is a huge part of their business and they knew they'd have to comply.
C
Right.
B
But then there's a huge portion of manufacturers that might do 5 or 10% of their business with sort of the Department of Defense and are questioning whether or not it's worth maintaining that business, because the cost of complying with CMMC is potentially so high. So we have a lot of conversations, and I think probably with unintended outcomes as far as that support to these federal programs: people are starting to back away a little bit from working with them because the requirements are onerous, the costs are high, and I think it's unclear even what the assessment landscape and the assessment timeframes are going to be. So it's a struggle for smaller manufacturers for sure. And I honestly think there's an element where they look out and they say, well, our government's making decisions regarding security funding and they're contrary to everything they're saying about the importance of CMMC and protecting the CUI. Is something going to change in the CMMC space? So you have people continually waiting because they just don't know if that landscape's going to change.
A
And I'm wondering too if you've been watching the rulemaking with CIRCIA as well, because I would imagine that will probably affect people in the same space and in the same way that you are saying, in that it's like, okay, I have another thing to worry about. How is this going to affect this line of business? And I don't know if this is worth it in the long run.
B
So yeah, it's hard. I mean, I think the conversation that we try to have is... so actually I'll give you a real-world example. I just had a conversation with a client that really is trying to decide, do we or do we not want to maintain this defense industrial base work? And the way I positioned our services was: NIST 800-171, which is the framework, the baseline for CMMC, has a lot of good elements to it. And let's work on those things that you as a business need to do just to address those fundamentals. Right. Going back to our earlier conversation, so let's address multi-factor authentication, let's address security awareness training. Let's address some of the things that I would advise you to do regardless of whether or not you were to go down the path of CMMC. If you decide to do it, now we've made progress against, I don't know, 20% of that standard. So you're in a better spot than ignoring it. But you haven't invested yet in those things that might be unique to CMMC. And that's the conversation that I try to have: guiding clients to do the right thing to protect their business, just like I would any business. And then if they choose to move forward, then start to do some of those more complex things.
A
So from the client's side of dealing with the federal government to what you might have to deal with on the federal government side, being an MSSP that works with smaller-sized companies, I'm wondering how you see what's been happening at CISA over the past couple months and whether any of that has affected you, whether it is more in what they have been pushing out in terms of information to help you with your security posture, or with, like, funding that may come through the MS-ISAC, and all of the cuts that we've seen to the state and local side of things. So I'm wondering, what's your relationship with CISA, especially as CISA has gone through a really tumultuous year? What's that look like?
B
So we're definitely seeing some concern around the MS-ISAC and the, you know, that potential lack of threat-related data, vulnerability-related data, and then the outcomes around, how do I better protect myself? We do a lot of work with sort of K-12 and state agencies and municipalities that read and rely on that data and oftentimes ask us to help interpret what they should do to protect themselves better. So I think losing that source of information is going to be a real challenge for state agencies for sure. I think, you know, we're in the middle of October, Security Awareness Month, right now. And so it's kind of ironic that we're seeing these changes to CISA, which, you know, for the last 20 years has been responsible for promoting and advocating around information security and cybersecurity, primarily for individuals. Right. Their focus has been small business related tools and advocacy for businesses. Sorry, advocacy for individuals. Those programs are kind of going away. So some of those things that I would say again are fundamental and maybe really cost effective and give clients, or give companies, some information, they're going away. Maybe that's good for us in the sense that they're going to need an outlet and they'll start to turn to MSSPs, probably, to help. But I think in general it's a negative to these small businesses, because they are continually trying to improve, but also improve in a fiscally responsible way.
A
So I'm interested in something you said there, particularly with the information sharing, or stuff that comes from the MS-ISAC. It's well known that, due to the government shutdown, CISA, also the information sharing CISA, not the agency CISA, the information sharing bill, has lapsed. And a lot of conversation around that bill, at least in Washington with our sources, where the value in the data has always been something that has been questioned. Some people like it, some people don't, some people say it's not that worthwhile. And just to make sure that I have that: you're saying that actually, within what you're hearing from your clients, the data that was coming through CISA was actually worthwhile and actually actionable? Like, you were having conversations about it with your clients and they were making security decisions based on that data?
B
They were. I think where I would say a lot of clients struggle with data that comes from the ISAC is probably more from the automated feeds and how to potentially integrate some of those feeds with their tool set. That always has been a challenge, and I think that'll continue to be a bit. So your more technical, your better-resourced companies, or maybe those with more technical people, can use that data in an automated fashion. But I think even small businesses get value out of just the general written vulnerability information and written threat information, to be able to think about, well, is this a risk to my business? And if so, do I need to reach out to somebody to help me? There's value in just knowing that you have risk and then reaching out for support. So there's really two: there's the technical people, and then there's those that just understand risk to their business. But there's value in that data for sure.
A
So I don't know how much you've been following the bill, or the possibility that, once the government does start up again, we would have a CISA reauthorization or something that is new. But I'm wondering, from your perspective, what would you change to make the process better, or just improve that bill, for the companies and the enterprises that you work with?
B
One of the challenges is there tends to be an ISAC, or information sharing center, that's industry based, and for some businesses they actually don't have access to the MS-ISAC or, you know, the financial ISAC or the REN-ISAC. Right. And I think finding opportunities to make that data more broadly available will help protect more businesses. And so, on the one hand, I know that that's probably not a specific federal obligation, but ultimately the country is more secure if we provide more data more quickly to more people and let them sort of figure out what to do with that. So I am a proponent of transparency and as much information sharing as we can, as broadly as we can, because it just allows people to make better decisions.
A
Interesting. Jason, really appreciate you hopping aboard. Like I said at the beginning, it's always fascinating to hear about what happens at a level that doesn't ultimately affect the Fortune 500 or the federal government or those large enterprises. However, with what you do and the customers that you have, it is still incredibly vital to totally understanding the full picture of how this country can get to a better cybersecurity posture. So really appreciate you hopping aboard to talk about all the things that you've been working on.
B
Yeah, I appreciate it. And, you know, this is an important conversation to us because, to your point, just because you have a lot of money to spend on security doesn't mean you should be the only one who can be secure. So find those resources, and hopefully we start to see even more of this information and these tools available for more companies.
A
Great, Jason, thank you so much. Thanks for listening to Safe Mode, a weekly podcast on cybersecurity and digital privacy brought to you by CyberScoop. If you enjoyed this episode, please leave a rating and a review and share it with your friends, your co-workers, your CISOs, your sysadmins, your mom, your dad, anybody that wants to know more about cybersecurity. To find out more information or to contact me, please look for all of our social media handles or visit cyberscoop.com.
A
Thanks for listening. Check us out next week.
Date: November 6, 2025
Host: Greg Otto, Editor-in-Chief at CyberScoop
Featured Guests: Matt Kapko, CyberScoop; Jason Puffall, VP of Security Services, Vancord
This episode explores how recent changes at CISA (Cybersecurity and Infrastructure Security Agency) have impacted Managed Service Providers (MSPs), with a focus on smaller organizations lacking in-house cybersecurity resources. The show features two main segments: a cybercrime news update with Matt Kapko and an in-depth interview with Jason Puffall of Vancord, covering client communications, the realities MSPs face, regulatory pressures, and the downstream effects of CISA’s evolving posture.
[00:29 – 09:11] Cybercrime update with Matt Kapko
[09:14 – 32:02] Interview with Jason Puffall, Vancord
For listeners wanting practical advice, Jason’s core message is clear: Invest first in sound fundamentals, don’t get distracted by buzzwords, and pursue real, actionable risk reduction.
This summary covers all substantive segments and discussions in the episode, omitting sponsor messages and housekeeping.