684 SaaS Security with Overe: An Interview with Paul Barnes

Uncle Marv interviews Paul Barnes, co-founder and CEO of Overe, a company specializing in SaaS security solutions. They discuss Overe's innovative approach to automated security analysis and continuous monitoring for SaaS applications, particularly focusing on Microsoft 365. Paul elaborates on Overe's two main products: Novia Assess, a free tool for visibility and risk assessment, and Overe Protect, a comprehensive service for policy enforcement and adversarial activity response. The conversation also covers the challenges and strategies for MSPs in adopting these tools, the benefits of upgrading security licenses, and Overe's plans for expansion in the U.S. market.

Revolutionizing SaaS Security with Overe

Website: https://www.overe.io/

In this episode, Uncle Marv welcomes Paul Barnes, co-founder and CEO of Overe, to discuss their SaaS security platform and its role in the IT Nation Pitch It Accelerator program. Overe focuses on providing automated security analysis and continuous monitoring for SaaS applications, addressing the increasing number of cloud security incidents. 

Key Highlights: 

  • Introduction to Overe: Paul explains that Overe was created to address the growing need for SaaS and cloud application security. The company offers two main products: Novia Assess, a free tool for visibility and risk assessment, and Overe Protect, a comprehensive service for policy enforcement and adversarial activity response.
  • Focus on Microsoft 365: Overe initially targets Microsoft 365 due to its widespread use among MSPs and their clients. The company plans to expand to other popular SaaS applications like Google Workspace.
  • M365 Benchmark Audit: Overe's free assessment tool goes beyond Microsoft's security score by providing a customized score based on the client's licenses, company attributes, and security policies. It also includes dark web monitoring and MFA status checks.
  • Licensing and Security: Paul discusses the challenges MSPs face in upgrading clients from basic to premium security licenses. Overe's tools help MSPs demonstrate the need for higher security levels without necessarily pushing for the expensive E5 license.
  • Automated Responses: Overe's platform includes automated policy enforcement and response to adversarial activities. The system continuously monitors for policy drifts and automatically re-enforces security settings if they are altered.
  • Framework Alignment: Overe's policies align with frameworks like NIST and CMMC, providing MSPs with benchmarking against industry standards.
  • Unique Selling Points: Overe differentiates itself with a user-friendly setup, comprehensive threat intelligence, and integration with endpoint data to reduce false positives and provide high-confidence alerts.
  • Market Strategy: While Overe is focused on MSPs, the platform is also accessible to mid-market and enterprise clients. The company is expanding its presence in the U.S., recognizing the significant market potential.
  • Future Plans: Overe aims to enhance its product offerings, expand its monitoring capabilities, and strengthen its U.S. sales and distribution channels. The company is committed to supporting MSPs and attending industry events like IT Nation.

Key Takeaways

  1. Overe offers innovative SaaS security solutions with automated analysis and continuous monitoring.
  2. The platform initially focuses on Microsoft 365 but plans to expand to other SaaS applications.
  3. Overe's tools help MSPs assess and improve client security without pushing for unnecessary high-cost licenses.
  4. Automated policy enforcement and response features ensure continuous protection against security threats.
  5. Overe's policies align with industry frameworks like NIST and CMMC, providing valuable benchmarking.
  6. The company is expanding its presence in the U.S. and aims to support MSPs through easy-to-use tools and strategic partnerships.


=== Show Information

Website: https://www.itbusinesspodcast.com/

Host: Marvin Bee

[Uncle Marv]
Hello friends, Uncle Marv here with another episode of the IT Business Podcast powered by NetAlly. This is the show where we try to talk with MSPs, vendors, and thought leaders in an effort to help you run your business better, smarter, and faster. And we are here with another vendor spotlight for the IT Nation Pitch It Accelerator program.

And today we are talking with Paul Barnes, co-founder and CEO of Overe, a company focused on providing SaaS security solutions. And we're going to get into a lot of stuff, I think. So without any further ado, let me welcome Paul to the show.

Paul, how are you?

[Paul Barnes]
I'm very well, Marv. And thank you very much for having me. I'm really excited to talk to you today.

[Uncle Marv]
All right. Well, thank you for being a part of Pitch It. And I'll go ahead and wish you luck at the beginning here.

And hope to see you in November at IT Nation and get you guys on stage for the final pitch.

[Paul Barnes]
Absolutely. Yeah, we hope to be there on the stage. And yeah, looking forward to the rest of the program at Pitch It.

[Uncle Marv]
So let's get into Overe here. So it is a SaaS security platform here. And from what I can understand, you guys do several different things, all from the standpoint of automated security analysis, continuous monitoring.

Tell us a little bit more about Overe.

[Paul Barnes]
Yeah. Yeah. You got that right, Marv.

And so, yeah, just very high level, I think. As you said, yeah, we focus on the SaaS security side of things. Our background's very much been in endpoint security for many years, coming up to 20 years.

And so one of the things we have seen, especially in the more recent years, is that for particularly every one endpoint security incident we used to see, there's another six or more cloud or SaaS incidents. So that really sparked the need, especially in the MSP base, to have more focus on SaaS and cloud applications. So, yeah, coming back to Overe, where we're focused is really based on that challenge around SaaS apps and the visibility and the monitoring of numerous policies.

Overe is really taking that all on board and providing that automated platform. And we do this in two distinct products. We have a Novia Assess product, which is a free tool, which is really there to help provide visibility of the problem to the MSPs, and the MSPs can share that with the clients.

And then we have Overe Protect, which is that kind of full white glove service where the flick the switch and we will apply best practice policies across the SaaS apps and then monitor and respond to any adversarial activity we see. And we do it in a very unique way.

[Uncle Marv]
All right. So when we're talking SaaS apps for managed service providers, I know most of us understand the 365 platform and we're dealing with, you know, Azure and SharePoint and all that stuff. But what other SaaS applications are you guys helping us protect?

[Paul Barnes]
Yeah. So at the moment, so we are fairly early stage. So we've been working on this for about 18 months.

So Microsoft is job number one. So we're heavily focused on Microsoft. Yeah, we are going to extend this to more line of business applications and the most common applications MSPs and the clients are using.

Looking at obviously things like Google Suites will be one of the Google Workspaces, sorry, one of the next things. But then we're also looking down at the endpoint as well. And so that's something which I think is still very important where there's more data to be gleaned on the endpoint, which can help making decisions on whether the adversarial activities are real or not.

So, yeah, not to not to kind of show our hands too much because it's a highly competitive market, but we're certainly following the key areas of risk and following those places where users have most of their data.

[Uncle Marv]
All right. So I want to get into the protection in just a minute, but one of the things I wanted to ask about was the M365 benchmark audit.

So is that just basically an overall score based off what Microsoft does as terms of their security score or is it much, much more?

[Paul Barnes]
Yes, it's more than that. So the security score is useful, but it's also not contextual to the end customer. So I'll give you an example.

So if you don't have an E5 license or have the access to all the security policies, then you're never going to win that race. And so what we do as part of the free assessment is we look at your license, we look at the other attributes of your company or the client of the MSP, the size, the geography and vertical as well to really provide a kind of more of a prioritized list and a customized score of where they sit with their existing policies. And we do this in a really easy to understand way.

And this is a free tool which is available today. We've got a lot of customers using that as a sales tool to educate their clients. But, yeah, it's beyond what the Microsoft security score does.

Yeah, there's other things which we do. We do dark web monitoring for free in there as well. So we look at all the identities, we'll check the MFA status and really make this super easy for the MSP to understand where the risks are.

And then, you know, for us commercially, we look at that as an upsell tool into premium service, which is called Overe Protect, which is automated monitoring and response.

[Uncle Marv]
All right. I'm going to ask a sort of technical question because you brought up the E5 license. I know that a lot of us are struggling with just to get our users to get off of, you know, the exchange plans or the business basic just to get them to Premier bumping into the E5 license.

What are the added benefits that you're looking at when you're talking about, you know, looking at this from Overe's standpoint? And is this a way for us to tell them, hey, you need to, you know, bump it up a little more?

[Paul Barnes]
Yeah, so we are actually the tool doesn't really a neat, neat experience around this. And we'll never recommend for any kind of clients of MSPs to go to an E5, like 90% of the stuff that they don't need. So it's mostly trying to get them up to business premium or, you know, the some of the protection plans, the P2 plan, for example, is always a good one.

And so we'll quantify the needs, the client, show them the risk to say, hey, here's where you are with your exchange only online license. Here's where we need to get to you at least a business standard and show them like that journey. And it's also, you know, obviously if MSPs are kind of reselling Microsoft to the end clients, it's also a revenue generating tool for them to say, hey, this is why you need to increase your license and the security reasons why you do that.

But we don't kind of say to everyone, hey, go to E5, because most of those capabilities are irrelevant for the folks which we're dealing with.

[Uncle Marv]
OK. All right. Now, back to the monitoring a little bit.

Now, part of your product is not just threat monitoring, but there's some automated responses built into that.

Can you tell me what type of responses you are doing?

[Paul Barnes]
So there's really the first area for responses on policy enforcement. So we have a strategy, a four-pillar strategy. So the first pillar of our strategy is Assess.

So that's what our free tools really do. It says, hey, here's where the issues are. And so, you know, that curated score and guidance.

The next piece is Harden. So the Harden piece is all about policy enforcement. So we'll say, hey, here's all the policies, which we have a list of best practice policies.

We have about 10 at the moment and we're adding to it all the time. But then the what one of the key points of that policy. So it's not just set and set it once.

So then if they change, someone changed an entry, then we'll have to come back and set it again. We're constantly monitoring for any drifts. So we have drift response.

So if someone, an adversary or an IT admin accidentally turns something off, obviously using it as part of an attack, we'll auto respond with enforcing that back on. So we're monitoring within a minute that will be back on. And then obviously the monitoring response.

So if we have any critical alerts which are bubbled up, the capabilities there at the moment is manual response. But we're featuring the automated response. So we've got a very rich roadmap of things which we're doing.

And yeah, it's just a case of making sure we've got the auto respond correct for critical alerts. But at the moment, it's a click of a button to auto to respond. So that's what we did both on the policy response and adversarial activity response.

[Uncle Marv]
All right. So now if we're talking about policies, I'm assuming that those will map to a framework like a NIST or CMMC?

[Paul Barnes]
Yeah, so we have a policy. We do CIS benchmarking as well. So what we have is, because we feel CIS is really great in what they've done with the cloud side, especially Microsoft 365.

So in our free tool, this is again in the free tool, we have for any MSPs which want to leverage CIS and benchmarking, we note those relevant policies which are enabled. And obviously, it's not to say, hey, you've got everything CIS enabled, you're CIS compliant, because there's a lot more to it. But it's a guidance to say, these fit in that bucket.

And we give them like the CIS policy IDs and those things. Our curated list of best practice policies, that's based on a security team saying, hey, these are the most important things. We're not trying to be like a CIPP, which is a great tool, free tool for those which want a full Microsoft policy orchestration to do loads of onboarding, offboarding, and all that kind of thing.

We're not trying to do that. We're trying to just do the most critical policies. So it's not going to be, you know, everything, best practice in there.

It's going to be our security team saying, if you don't have these things turned on, and it goes beyond security defaults, there's other things in there. That's kind of the angle we're taking, because our main focus is very much on the monitoring and response side of things, not so much full policy orchestration of the 390 security policies which are in Microsoft, which would be a nightmare for us to manage. And there's better tools out there like CIPP.

[Uncle Marv]
Right. Now, setting CIPP aside, I know that there are a lot of products out there, a lot of platforms popping up that are trying to do a lot of what you're doing as well. So what is going to make Overe unique in this space?

[Paul Barnes]
Yeah, that's a great question. So I think our experience, user experience is great. It takes two minutes to set up.

And again, we do all the heavy lifting for policy enforcement and the monitoring responses. Ultimately, yeah, we're going to see threats and respond based the way we do it. We contextualize several different sources around different threat intelligence feeds.

We have our own threat intelligence. We look at the apps connected as well. So it goes beyond what others do.

And I hinted at it before. So the endpoints are also interesting as well. So we have several endpoint integrations as well.

So what that means is that we're able to triangulate data from the user, the endpoint, the cloud side of things to make the best decision. Because the last thing we want and the problem with other tools out there, or the challenge with other tools out there, is that they're very noisy. And our whole game is to have a very high confidence, low false positive platform, which the MSPs can just turn on, experience a value immediately, and then just feel confident that we're going to alert to the most critical things and give them the context around why we made that decision, which is often gapped in others from what we've seen.


[Uncle Marv]
All right. So I have a couple of questions that I want to ask you that are a little bit on the business side of it. As I was starting to describe what Overe was, there was mention that this could be for small businesses and MSPs.

So I want to just address that real quick. Yeah. Have you been doing this with SMBs or is this strictly an MSP platform?

[Paul Barnes]
So we are focused strategically on MSPs. But because the buy is changing, we don't want a high barrier to entry to our product. We don't want to have a product which you have to engage with salespeople and it's a demo.

We want a super easy and very much a product-led growth organization. That's kind of our background. So with that approach, we're actually seeing a lot of mid-market and other businesses come to us and take the product as is and find use of that.

But strategically, MSPs is kind of our strategy, our active strategy. But there's several SMBs, mid-market enterprise as well, which see value in the key points we're trying to deliver around automated response, like high confidence, easy automation, ease of management. So we're not closing the door on anyone.

But our go-to market is MSP.

[Uncle Marv]
All right. And then a question of geographic logistics. So if people haven't quite figured out yet, you are across the pond.

You're over in the U.K. where you've been operating. And when we spoke before we went live here, you mentioned that you're now coming into the U.S. officially. I guess is the right word to say, right?

[Paul Barnes]
Yeah, that's correct. So our headquarters are now in the U.S. And so, you know, that's going to enable us because we are essentially we've worked in similar organizations where 70% of the business MSP businesses in the U.S. So 30% is kind of the rest of the world. So we know that most businesses over there and strategically for us, it makes most sense.

So we're building our sales arm out there and looking to work with some partners. We see huge value in certain VADs, value added distributors. And so channel is going to be very important for us.

But U.S. is critical for our success. And so most of our customers today are U.S., even though we're geographically based here.

[Uncle Marv]
Nice. So, you know, fairly young in the business cycle here. You've been in the industry a while.

We didn't have a chance to get into that. But what do you see happening? You know, once Pitch It is over and you guys are now at the next stage with growth and everything.

Where do you see Overe going in the next couple of years?

[Paul Barnes]
Yeah, I think it's just going to be really just feeling like our pillars, which we set out strategic pillars. We're just going to be continuing on with that whole ability to make a product which is very easy to leverage, to sell on as well for the MSP, show value very easily. And we'll just continue to expand the coverage of what we monitor.

So that's on the product side. More on the strategic go to market side. Again, I think it is, you know, working with distribution partners, firming up the U.S. sales arm and going global with this. And, you know, we had great success in other businesses doing something similar. Things have changed in the last few years. You know, there's a lot more vendors in the market.

So it's highly competitive. You know, working with RMMs and PSAs is going to be important. But the game's changed with those guys as well.

So it's not as easy as it was probably five, 10 years ago where you were the only cybersecurity vendor to work with them. So, yeah, we're navigating that very in a very measured way. But, you know, 100 percent focus on the MSP channel and supporting them.

So we'll be at the shows, you know, hope to be at IT Nation, especially as part of this program, the Pitch It program. And, yeah, that's kind of our plans and just expand. And hopefully our customers will see value in what we do.

[Uncle Marv]
All right. Well, Paul, I want to say thank you. And for the listeners out there, Paul Barnes of Overe is here and the website.

And I probably should have spelled it earlier to let you guys know. Of course, the link will be in the show notes. O-V-E-R-E dot I-O.

And Paul, like I mentioned, has been in the industry. He was previously with a vendor that will be on the show here in a couple of weeks, Blackpoint Cyber. So you've got some validation there, Paul.

[Paul Barnes]
Well, thanks a lot for having me, Marv. It's been great talking with you this evening.

[Uncle Marv]
All right. And we look forward to seeing you in Orlando in November. And, folks, that is going to do it for this vendor profile for IT Nation's Pitch It.

And be sure to head over to the website and catch the rest of the contestants. But head over to the website and check them out and join them in their mission to redefine SaaS security for us and our clients. Paul, thank you again for being on the show.

And that will do it, folks, for this episode. We'll see you soon. And until next time, Holla.

Paul Barnes


Paul Barnes is the CEO and co-founder of Overe, a cutting-edge SaaS security platform specifically designed to address the unique cybersecurity challenges faced by Managed Service Providers (MSPs) and small to midsize businesses (SMBs). With a career spanning over two decades in the cybersecurity industry, Paul has consistently been at the forefront of innovation, helping businesses protect their digital assets in an increasingly complex threat landscape.
Paul’s journey in the cybersecurity realm began with his deep expertise in endpoint security, having joined a startup called Prevx in 2006, which was then sold to Webroot in 2010. During his 10-year tenure at Webroot, Paul played a pivotal role in advancing the company’s endpoint protection solutions, helping to secure countless MSPs and businesses worldwide as VP Product. His extensive experience at Webroot and then Blackpoint Cyber laid the foundation for his deep understanding of the evolving cyber threat landscape.
More recently in his career, Paul noticed a concerning trend: for every security incident related to endpoint protection, there were at least six incidents originating from cloud/SaaS services. This stark realization highlighted a significant gap in the market and became the genesis of Overe.
Founded in early 2023, Overe is quickly gaining traction. The platform is built on four core pillars: Assess, Harden, Monitor, and Respond. These pillars provide MSPs and SMBs with a comprehensive suite of tools designed to assess security postures, enforce best practices, continuously monitor for threats,…