672 Automating System Hardening: Senteon
July 1, 2024

Uncle Marv interviews Zach Kromkowski, co-founder and chief customer officer of Senteon, a cybersecurity company specializing in automated system hardening and compliance solutions. They discuss Senteon's approach to automated hardening, its features, and its benefits for MSPs.

Uncle Marv interviews Zach Kromkowski from Senteon, a cybersecurity company participating in the IT Nation Pitch It Accelerator program. Senteon provides automated system hardening and compliance solutions for workstations, servers, and browsers based on CIS standards. 

Zach explains that Senteon's platform automates the implementation of over 1,200 security settings recommended by CIS. The company has rewritten about 550 GPOs from a security perspective and hosts weekly educational webinars with CIS and subject matter experts to discuss these settings. 

Senteon's approach differs from traditional methods like Intune or Group Policy by not only pushing changes but also verifying their effectiveness. The platform includes a learning mode to tailor risk assessments and create a roadmap for improving security posture over time. 

The interview covers Senteon's pricing model, which is $1 per endpoint per month with a 250-endpoint minimum. Zach emphasizes the tool's MSP-friendly features, including multi-tenancy support and the ability to deploy settings across multiple clients. 

Key features of Senteon include real-time monitoring, analysis, and alerting, as well as the ability to track changes made by users and revert them if necessary. The platform also offers an "undo button" to quickly revert all changes made by Senteon. 

Zach highlights Senteon's unique approach to security configuration management, making changes directly via the Win32 API rather than relying on Microsoft tools. The platform works with both cloud and on-premises environments and can help identify misconfigured settings and potential security issues. 

Key Takeaways: 

  1. Senteon automates system hardening based on CIS standards
  2. The platform covers 1,200+ security settings for workstations, servers, and browsers
  3. Senteon offers real-time monitoring, analysis, and alerting
  4. Pricing is $1 per endpoint per month with a 250-endpoint minimum
  5. The platform includes a learning mode and multi-tenancy support for MSPs
  6. Senteon can identify misconfigured settings and potential security issues
  7. The "undo button" allows quick reversion of all changes made by Senteon

Website: www.senteon.com

 

=== Show Information

Website: https://www.itbusinesspodcast.com/

Host: Marvin Bee

Uncle Marv’s Amazon Store: https://amzn.to/3EiyKoZ

Become a monthly supporter: https://www.patreon.com/join/itbusinesspodcast?

One-Time Donation: https://www.buymeacoffee.com/unclemarv

=== Music: 

Song: Upbeat & Fun Sports Rock Logo

Author: AlexanderRufire

License Code: 7X9F52DNML - Date: January 1st, 2024

Transcript

[Uncle Marv]
Hello friends, Uncle Marv here with another episode of the IT Business Podcast, powered by NetAlly, the show for IT professionals everywhere, where we try to help you run your business, grow your business, scale your business, better, smarter, and faster. We are back with another vendor profile for the IT Nation Pitch It Accelerator program, and today we have on the company Senteon, a cybersecurity company that specializes in providing automated system hardening and compliance solutions. And joining me to chat about that, Zach Kromkowski, co-founder and chief customer officer.

Zach, how are you?

[Zach Kromkowski]
I'm doing great. Nice to meet you, and thanks for having me on the show.

[Uncle Marv]
Well, thanks for joining the Pitch It program, because that automatically meant you'd be on the show, so don't thank me. Thanks, John Lardo.

[Zach Kromkowski]
I'll earn a follow-up episode.

[Uncle Marv]
Right. So, I guess the first question out of the box is, how do we do automated hardening?

[Zach Kromkowski]
Yeah. So, Senteon built the platform, Senteon, to effectively harden and standardize workstations, servers, and browsers to the CIS standards. So, this is all done automated through our platform with a learning mode, making the remediation, making sure disruption doesn't happen, and a whole lot of other compliance jazz that goes into it afterwards.

[Uncle Marv]
All right. Now, does that mean that there's some sort of agent or box that we've got to throw in a network?

[Zach Kromkowski]
Yes. So, this is a really good question. So, the big thing with hardening that everyone thinks is, I'll just use Intune or Group Policy, or I'll run some scripts.

What people don't realize is, there's about, just on the workstation alone, there's 500 different recommendations, and you can't even do all of those recommendations from CIS via Intune, which is always an interesting note to add. And on top of that, Intune, Group Policy, and PowerShell, it is a process that pushes changes but doesn't actually check if they work. So, to overcome this and answer your question, yes, we did develop an agent that is making these changes directly via the Win32 API in the RegKey, SecPol, AuditPol, wherever that setting lives, we're actually making the change without just trusting Microsoft to do it.

[Uncle Marv]
All right. So, I know you brought up Intune and everything, but there's still a lot of us that have the dreaded on-prem terrestrial servers and stuff and working with Active Directory. Does that make a difference in how this process works?

[Zach Kromkowski]
So, this is all very normal. On-prem is out there. It doesn't make a difference, since we are an agent-based tool.

As long as it's connected to the internet, we're able to operate successfully. It actually gets very interesting when the MSP has actually attempted to do hardening via AD, or maybe they inherited a client that has AD, and they just kind of took on that accepted risk without realizing it, right? So, after Senteon actually makes those changes, again, at that RegKey, SecPol, AuditPol level, if anything were to change after the fact, Senteon will put it back and notify you.

So, what that really means is, let's say, for example, you have 100 machines on a new client. You have Senteon standardize all the baselines, all the configs, and on all 100 machines, five settings change at the same time. That very much is a quick indicator.

Something's misconfigured upstream, and now your engineers know exactly what they need to fix with an actual roadmap. Where things get really interesting, Marv, is when you do have these 100 machines, and all of the machines have the same settings drift, except for that one. One machine has 10 settings that drift.

Well, that's not a domain issue. So, what's causing five additional settings to drift here that aren't happening on the rest of the devices? This is where Senteon really adds value, because you would never know about that without our tool.

[Uncle Marv]
Okay. So, we're going off board already.

[Zach Kromkowski]
We're going technical. I guess I really prepped incorrectly. I apologize.

[Uncle Marv]
Well, because here's my thing, because my first thought is, okay, if I am doing a co-managed scenario where I've got a junior on site that decides to make a change, this Senteon agent is doing real-time monitoring, analysis, and alerting. Yep.

[Zach Kromkowski]
And on top of that, it'll notify you which user made that change, at what time, and what they changed it to, and how long it took for Senteon to change it back if they made the change outside of Senteon.

[Uncle Marv]
Okay. So, let's say my junior is a little aggressive and decides, he rechecks it and says, hey, that wasn't the change I made, and wants to change it back. This sounds like a back-and-forth battle that can be done.

So, I assume that there's got to be some sort of override or some variance of allowance of letting people know that either, no, this is something you cannot change, or you can only make this change to this degree. Am I on the right track there?

[Zach Kromkowski]
Yeah. So, an easier example, instead of a junior engineer maybe deploying a script over and over not realizing that Senteon's the one blocking it, an easier example to understand is that on-prem AD you mentioned. So, if that AD is trying to change something that Senteon doesn't want it to change, it'll fight back and forth, back and forth.

It'll be at unpredictable timestamps for the lovely excuse of Microsoft not being able to tell you when it's going to do that check, but Senteon will say, hey, I'm going to let this battle happen three times, back to back to back to back, and then it's going to generate a special type of alert that says, hey, I'm done trying to apply what you told me you wanted until you fix the upstream process that's not allowing me to do this successfully.

[Uncle Marv]
Okay, but there's documentation to say that, hey, this change is out of scope. Somebody needs to take a look at it. Yeah, absolutely.

All right. So, this sounds really good and it sounds like if you've got all of your CIS controls or whatever compliance you're using, it sounds like you can not only have a guide and, you know, a platform to do that, but in terms of deployment, like how long does it take to actually go through and put this in action?

[Zach Kromkowski]
Yeah, so kind of breaking down your question to really pinpoint CIS as a whole, you know, for those of us who don't know CIS, this is a community standard, 30,000 plus security professionals invest their personal time into making recommendations. And part of those recommendations they create, unfortunately, fortunately, is a lot of GPO recommendations. The documentation via CIS is about 2000 pages on how to harden a workstation and a server, another few hundred pages on how to harden a browser.

All in all, it's about 1200 different settings that they recommend changing. So, when we talk about deployment and time to set up, doing this manually, I mean, I said 1200 settings, that's going to be a lot of time.

[Uncle Marv]
Yeah, 1200 times five minutes. Yeah.

[Zach Kromkowski]
Yeah. And making sure you're doing it in between projects because no one can focus on just one thing. That's not how the world works.

Anywho, talking about your exact question. So, Senteon's deployment has a built-in learning mode. What this learning mode does is it takes, you know, historical backlogs, looks at things that have been modified, and it will tailor a, we'll call it a risk assessment.

And it'll say, hey, all of these settings we determined through our telemetry are safe to change. Click here. The flip side of that is all of these settings have a unique data point.

And this data point will be presented to you, explained, and then you can place that individual setting on an individual machine. Because remember, you can do 100, 1000, as many machines as you want at once. And you can click here to put the rest in an exception group.

What that becomes then is your roadmap on how to improve your security posture over time. So, you get all the low hanging fruit done. All the more difficult things for the future, exception group for the future.

This whole process that I'm describing will depend on how messy the environment is, how much telemetry is picked up in the learning mode. Most of my onboardings, even first-time onboardings, take about 40 minutes.

[Uncle Marv]
Okay, not bad at all.

[Zach Kromkowski]
It only gets faster after you actually understand the full scope of the tool, right?

[Uncle Marv]
Right. So, in terms of managed service providers, is this something that, if you've got a multi-tenant dashboard where you can see all of these things, can you take a group of settings and deploy them across multiple tenants? Or is that something where you really need to do it tenant by tenant?

[Zach Kromkowski]
Absolutely. So, we are built multi-tenancy. We exclusively, Senteon, service managed service providers.

We do have resellers and whatnot to target enterprise. But we, Senteon, built this for MSPs. What this means, to really elaborate on your question, is it depends how you want to use the tool.

Let's say, for example, you have your internal environment. You go through learning mode, and you're like, oh, this is the golden image. This is what I want for all of my clients.

Very easy within Senteon. You can click a button that's called automatic setup. This will now modify the script to add additional flags so that when you deploy the agent, it will automatically make a thousand plus setting changes.

You'll skip learning mode, and all of your clients will have the same exact settings. Why might this be a bad idea? Marvin, you're an MSP.

Have you ever changed a setting and caused something to break or a workflow to be disrupted?

[Uncle Marv]
Me? Come on now.

[Zach Kromkowski]
Right. So, it is up to the MSP how they want to do this, but that is an option. You can change thousands of settings across tens of thousands of endpoints in minutes, but each tenant, each machine within a tenant might have a unique application you don't know about, a unique use case that other machines don't.

So, best practice is to run learning mode on every single tenant. That's best practice, but we all know MSPs are busy, and I have plenty who prefer fire as opposed to water.

[Uncle Marv]
Well, you know, we just assume that we'll win the battle when Mr. CEO calls and says, why can I no longer do this that I've done for 10 years? And you have to just, oh, we deployed a security script. Sorry.

[Zach Kromkowski]
Let's actually expand on that one too, Marvin. I know you didn't intend this, but the best thing about this, if you do love fire and you just want to see what breaks, when that CEO calls and you're like, hey, what the hell happened to my device? With Senteon, you can now click three buttons and every single change you made will be reverted back to how it was before Senteon.

So now you can change thousands of settings and have a safety undo button. Only Intune had that.

[Uncle Marv]
Interesting. Very nice. Maybe you shouldn't have.

Now that's a good feature.

[Zach Kromkowski]
It's funny. When we built the company, I thought the most claim to fame button was going to be changing the settings because there's a million and one scanning tools out there. I'm not going to list those by name, but there's plenty of tools that can do scans.

No one does remediation. We actually fix the red that you find in your scans automatically. No integration required.

We just make the change, right? Our changes will populate in your scans. And I thought that was the aha.

Turns out the aha was the undo button. That's what people care about.

[Uncle Marv]
The do over button is huge and a nice turn from the 70s and 80s there. So here's the question. I know that there is this, I don't want to say rush, but there's a lot of companies claiming to do a lot of this automation and make companies adhere to the standards and stuff.

What makes this unique besides the undo button? What makes this actually unique and something that MSPs really want to get their hands on?

[Zach Kromkowski]
Yeah. So there are a lot of players in the security world, but when I talk about security configuration management, if there's anyone listening to this episode, I mean, shoot me an email. Let me know of one that actually makes security configuration changes.

That's the difference between Senteon. We do something that is 100% complementary to your security stack. We're not an EDR. We're not whitelisting. We are making config changes. And just to kind of elaborate further, how does configuration hardening map or fit into your security stack? That EDR, right?

It's looking at behavior that is anomaly. I don't know the word, man, live recording. That is an anomaly?

I said the word. The EDR is looking for anomalies that are not common, right? If you have those anomalies are going to be hard to pinpoint by standardizing and hardening all of your settings across your workstations, your servers and your browser.

You're allowing other layers of your security stack to be more effective, increasing the efficacy of alerting on real things going on. Right. I mean, if I was able to tell you, hey, SMB one, it was off for the last five years, but it kicked on.

Would that be interesting to you?

[Uncle Marv]
Sure.

[Zach Kromkowski]
Then EDR may not be able to tell that because by default, this is not configured. So now you're getting more data points that would not exist without hardening your system.

[Uncle Marv]
All right. Well, before we run out of time here, let me ask a couple of other questions and get an idea of the things that MSPs want to know about, because this sounds like something that would be great to integrate into the stack. But of course, price is going to come into play.

I usually don't try to ask price on this, but is the model, in a sense, a subscription with a minimum? And how does that work?

[Zach Kromkowski]
Yep. So I'm happy to talk about price. That's not something we hide over at Senteon.

So we do have a bill on usage model that does come with a couple minimums. So the bucket, the majority of our partners fall into is two hundred fifty endpoints. That's really our final price break.

We really talked about doing tier pricing and lowering and lowering, honestly, from an owner to owner. It was just too annoying to have so many different price points. So at two hundred fifty endpoints, we decided we're going to drop your price point to a dollar.

It's per endpoint per month. However many systems you're doing, you're getting the full use of the tool to do workstation server and browser hardening all for a dollar. Twelve hundred settings.

Incredible. That does after the two hundred fifty minimum, that is bill on usage. So we do want this to be extremely MSP friendly.

So the majority of our partners today will say, hey, the total opportunity is this amount. This is my goal. And we allocate that full amount.

And then we only bill for the minimum and then on usage on top of that minimum.

[Uncle Marv]
OK, just ruin my other question.

[Zach Kromkowski]
I'm sorry. That's good. We both had a little stumble on a live recording.

[Uncle Marv]
It happens from time to time. So let me ask this. So I know in looking up Senteon and you, I know that there is a lot of opportunity for education.

I know that you were recently on with, you know, the world famous Matt Lee. So it sounds like you would spend a lot of time educating MSPs on this. How much time?

[Zach Kromkowski]
I don't like to discuss how much time I will use quantity numbers of what I've actually produced. So when I brought Senteon to market with my co-founders, we realized MSPs and honestly, the enterprises at the time when we were doing market research, they don't know what all twelve hundred settings are, what they do, what kind of risk is mitigated. Right.

No one knows the three thousand pages of PDFs. Quick side story, as we're already over on time. We have a partner who part of his interview process to hire someone asked if they'd be willing to read all three thousand pages.

That's not something I'd want to do as a first job or as a second job or anything else. That's just three thousand pages of technical documentation. So we realized that and it was very hard to communicate the actual risk and security benefit that was gained by configuring and hardening systems.

So what I took upon myself and our team at Senteon is so far we've rewritten about 550 GPOs. We've rewritten each one from a security perspective. What that's become now is a weekly webinar series where CIS joins me on a LinkedIn Live.

We bring a subject matter expert guest and we talk about 10 to 12 settings every single week. We talk about these from a security perspective. If they're important to get your client to do and if it's a very sensitive or more disruptive setting, we talk about is the chew worth the bite.

So very much targeted at MSPs. Very educational. You won't hear a lot about Senteon on the show, but obviously that's what Senteon does.

[Uncle Marv]
All right. So you actually talked to somebody at CIS. The name that what's his name?

Rich?

[Zach Kromkowski]
Yeah, Rich McGraw. So he's full time CIS. But when I started this series and I rewrote all of this, they reached out to me and asked if they could actually contribute and be part of the show.

So little Senteon is just working with CIS themselves, co-hosting a webinar series. And it's been a great experience. Really been working closely with them.

[Uncle Marv]
All right. I'm going to have to get the link from you to share in the show notes when we publish this. And folks, by the way, you know, if you're just listening in the car, Senteon is spelled S-E-N-T-E-O-N and the website is Senteon.co. So I'll have a link in the show notes and be sure to check out the weekly show. Check them out on your road of conferences this summer. And look forward to seeing you guys in Orlando at IT Nation Connect. So, Zach, let me ask you this to end off the show here.

How are you liking the Pitch It contest? So it's what, two or three weeks in now?

[Zach Kromkowski]
Yeah, we are a few weeks in. I actually just met last week with the facilitator, Sam and Sean, and really just gave them the feedback. You know, it's a very, very beneficial high level because it is very one-to-many oriented, but the flexibility for them to take one-on-one sessions like they did last week for me to ask more relevant questions to my unique business challenges.

I mean, they invested time back into us and hopefully us giving our time to them is a win-win for everyone. So very much appreciative of the program.

[Uncle Marv]
All right. Even if you get the set of steak knives for third place?

[Zach Kromkowski]
I'm kind of hoping for those.

[Uncle Marv]
All right, folks, there you have it. Zach Kromkowski from Senteon. Check them out.

You will have the links in the show notes and everything else is over at itbusinesspodcast.com. Check out some of the other vendor profiles that we have this summer. And of course, any other shows that we have there.

But Zach, I'm going to try to get you on a regular show here soon.

[Zach Kromkowski]
I appreciate that. And one thing I want to shout out to the people listening, we're happy to provide as a thank you for you having us on, Marv. Any of your listeners can have 100 free assessments, internal, external, completely free.

This will be an exportable report to use as sales presentation to show them where their current security posture sits versus where they can improve. Just if you do reach out, toss Marv in the inquiry or an email, and we're happy to give you that promotion. I want to thank everyone who has me on their show.

[Uncle Marv]
All right. There's one benefit you have, folks, for knowing Uncle Marv. You get 100 free assessments with Senteon.

So, Zach, thank you.

[Zach Kromkowski]
Thank you so much for having me.

[Uncle Marv]
All right, folks. That'll do it. We'll see you later.

Check out the show, like I said, at itbusinesspodcast.com. And got a lot more shows coming up. Tons of stuff happening with Pitch It and, of course, our regular live show, Wednesdays at 8 p.m. Eastern. We'll see you soon. Holla!

Zach Kromkowski

Co-Founder

Zach is the Co-Founder and Chief Customer Officer at Senteon, where he spearheads go-to-market strategies, sales, onboarding, customer success, and marketing operations. With a passion for simplifying cybersecurity, Zach leads initiatives to automate system hardening and compliance processes, empowering MSPs and enterprises to enhance their security posture. His commitment to delivering innovative solutions and educating the community has positioned Senteon as a trusted partner in the cybersecurity industry.