688 Cavelo: Data Risk Management for MSPs
July 29, 2024


Uncle Marv interviews Kris Shoemaker, head of channel for Cavelo, a data risk management platform. They discuss Cavelo's unique approach to cybersecurity, focusing on data discovery, classification, vulnerability management, and identity access management for MSPs.

Uncle Marv welcomes Kris Shoemaker from Cavelo to discuss their data risk management platform. Cavelo positions itself under the attack surface management umbrella, offering a comprehensive solution for MSPs that includes data discovery and classification, vulnerability management, identity access management, and asset discovery. Kris explains that Cavelo's approach is data-centric, focusing on protecting a company's data and intellectual property. The platform uses agents deployed on Windows, Mac, and Linux devices to discover and classify sensitive information according to various frameworks. This allows MSPs to identify and protect their clients' "crown jewels." 

The vulnerability management module of Cavelo is highlighted as a robust solution, competing with major players in the field. Kris emphasizes that while Cavelo excels at finding and prioritizing vulnerabilities, it integrates with existing remediation tools rather than handling remediation itself. The identity access management feature is discussed, which helps identify users with access to sensitive data and tracks their activities. Cavelo integrates with both on-premises Active Directory and Office 365 tenants to provide a comprehensive view of permissions. Kris describes the onboarding process as streamlined and MSP-friendly, with easy deployment options and self-updating agents. He emphasizes that Cavelo is designed for ongoing monitoring rather than one-time assessments, though it can perform quick scans for potential new clients. 

The interview concludes with a discussion of Cavelo's position in the cybersecurity landscape. Kris positions Cavelo as a "left of boom" solution, focusing on proactive visibility and insights to help prevent or mitigate security incidents. 

Key Takeaways: 

  • Cavelo offers a comprehensive data risk management platform for MSPs
  • The platform focuses on data discovery, classification, vulnerability management, and identity access management
  • Cavelo uses agents on various operating systems to discover and classify sensitive data
  • The vulnerability management module competes with major players in the field
  • Cavelo integrates with existing remediation tools rather than handling remediation itself
  • The platform provides insights into user access and permissions across on-premises and cloud environments
  • Cavelo positions itself as a proactive, "left of boom" solution in the cybersecurity landscape

Website: https://www.cavelo.com/

 

=== Show Information

Website: https://www.itbusinesspodcast.com/

Host: Marvin Bee

Uncle Marv’s Amazon Store: https://amzn.to/3EiyKoZ

Become a monthly supporter: https://www.patreon.com/join/itbusinesspodcast?

One-Time Donation: https://www.buymeacoffee.com/unclemarv

=== Music: 

Song: Upbeat & Fun Sports Rock Logo

Author: AlexanderRufire

License Code: 7X9F52DNML - Date: January 1st, 2024

Transcript

[Uncle Marv]
Hello friends, Uncle Marv here with another episode of the IT Business Podcast, powered by NetAlly, the show for IT professionals and managed service providers, where we help you grow and run your business better, smarter, and faster. We are here with another vendor spotlight for the IT Nation Pitch It program. And today we're going to be talking about Cavelo, a data risk management platform designed to help businesses manage their cybersecurity risks more effectively.

And to help me talk about it is Kris Shoemaker, head of channel. Kris, how are you?

[Kris Shoemaker]
Uncle Marv, I am happy to be here. Thanks for having me.

[Uncle Marv]
Well, I'm glad you're happy to be here. I was just thinking, if you're not happy to be here, we got a problem. All right, so Cavelo, data risk management, but from what I was looking at on your website, it's a little bit more than that, right?

[Kris Shoemaker]
Yeah, it most definitely is. We would be classified under the attack surface management umbrella. That's how we sort of position ourselves.

We try to bring together key functionalities for MSPs, data discovery and classification, vulnerability management, identity access management, and asset discovery all under one simple platform.

[Uncle Marv]
All right. So that seemed like a lot. And I was going to ask you specifically the data discovery part.

Yes. Because it says data discovery and classification. So we're talking about the PII information.

And my question is, how do you do that on all of these disparate networks?

[Kris Shoemaker]
Yeah, great question. So first of all, we think that any organization from a security standpoint should be data centric and focused. So our philosophy is, what are we actually trying to protect with our security practice?

Well, it's a company's data and their IP that is effectively the collection of their data. So we have to find it so we can see and protect it, right? So we deploy an agent to all of the devices in a given customer network.

And those agents will do the on-device work for discovery of what's private, sensitive and important. And then they classify that by PII type, according to many different frameworks that have canned PII types.

[Uncle Marv]
All right. And these agents, I assume, run on servers, desktops. It says Windows.

[Kris Shoemaker]
Yeah. Windows, Mac and Linux. It doesn't matter to us.

We'll run on anything. We have the packages for deployment with any MSP's GPO scripting or RMM of choice.

[Uncle Marv]
Okay. So I was going to ask if that's what you think makes your product unique, but you can go ahead and expound on that if you'd like.

[Kris Shoemaker]
Yeah. I mean, from a unique standpoint, like I said, we are data focused, right? Our goal is to give data visibility and insights to any MSP so that they have an understanding of where the crown jewels are in their customer environment.

Our job is to focus the efforts of the given choice of block and tackle tools that any MSP has already chosen to build their castle wall for defense. Because everybody builds that castle wall, everybody also forgets to ask themselves, what are we trying to protect in the first place? And if you can't see it, you can't protect it.

And that's kind of where we come in. That's our unique prop.

[Uncle Marv]
Okay. Now, you mentioned the fact that everybody can have their own castle, but we didn't talk yet about, do you integrate with all those castles in terms of plugins, APIs, stuff like that?

[Kris Shoemaker]
Great question. The answer is yes. We have an open API.

We have many pre-existing integrations with security products, PSAs, RMMs, et cetera, because we are an MSP focused company.

[Uncle Marv]
All right. Now, is it two-way sync? Because you guys are discovering devices and a lot of us have products that also will go out and discover devices.

Is it a two-way sync to kind of match up what both platforms are finding?

[Kris Shoemaker]
Great question. Depends on the integration.

[Uncle Marv]
Okay.

[Kris Shoemaker]
It's integration specific. So in some cases, yes. In some cases, no.

[Uncle Marv]
Okay. Simple enough. Yeah.

So, now tell me about the vulnerability management, because in a lot of cases, I'm finding that some people will identify vulnerabilities and that's pretty much it. And then you're kind of left to go and fix and patch on your own. Some of the products are actually starting now to help remediate that and not only direct you to where those patches are but help install it and stuff.

What does Cavelo do in that regard?

[Kris Shoemaker]
Great question. Okay. So the first point I want to make about our vulnerability management module is that we are not a pretty UI wrapped around freeware.

We are a proper vulnerability management solution. We've written our own engine for the scanning. Our core competency as an organization is vulnerability management from a previous product that we had in an exit to a large MDR provider.

So we know how to do it right. We also pay for all the big fancy feeds, hundreds of thousands of dollars a year, and we braid them together into a master database that we're checking against from a total CVE standpoint. So we are competing with some of the big players like Qualys or Tenable in relation to our vulnerability management practice.

So we're kind of doing it right. Our philosophy is we are not the remediation tool. Most MSPs have already made their choice for what they use to remediate.

Our job is to do the best job of finding, searching, and focusing on the stuff that counts for prioritization in their remediation practices and then sending that information to be ingested into their tools of choice for remediation so that those tools can do the best possible job.

[Uncle Marv]
Okay, that's fair enough. So we talked about the data discovery classification. We talked about vulnerability management, asset discovery, identity access management.

Describe that piece for me.

[Kris Shoemaker]
Yeah. So this is, we've first found and classified all of what might be considered private, sensitive or important in that customer's environment for an MSP so that they can have intelligent conversations with that customer about where their crown jewels lie. The next follow-on is let's find and identify all of the users in that environment that have access through permissions to those crown jewels and identify what they've been doing over a period of time of their choosing with the permissions that they have access and things they have access to through those permissions.

So it's a way for us to have visibility into who's got access to what and been doing what with the access they have in order to have an audit trail to identify where in the environment those permissions may be demonstrating a potential vulnerability or weakness in their permissions model.

[Uncle Marv]
All right. So how broad is that scope? Are we talking, you know, we're just looking at data storage where, you know, people have access to documents and stuff.

Are we talking 365 portals? We talking SharePoint, Active Directory? How deep are we going?

[Kris Shoemaker]
So that's a great question, Marv. So we ingest from both Active Directory for any on-premises resource and any Office 365 tenant together. So we can see that full picture of permissions depending on whether it is traditional file storage on an on-premises standpoint or cloud data repositories.

[Uncle Marv]
Okay. Interesting. Now, let's say I want to do something and spin up a client and stuff.

What's the usual onboarding time and go time experience like?

[Kris Shoemaker]
Yeah. Great question. Okay.

So we have made the experience as slick and easy as possible because we service the MSP market. We understand that time is money. And the more administrative touches there are, the less there is to the bottom line.

So we've made our agent very easily packageable and deployable with any RMM tool or GPO scripting that the MSP wants to do. The agents themselves are effectively set it and forget it. So once it's deployed to a customer environment, they update themselves for security and features.

So there's less administrative touch that way. And then in terms of setting up a net new customer, after deployment with RMM and the agents stand themselves up and report back to the tenant, it's simply setting up the first set of scans. Most of the time is waiting for the scans to run on the end user devices, servers or cloud data repositories.

It's really as simple as you can spend half an hour on a Monday to deploy things, set up the scans, let it run over the course of the next few days and come back to it on a Friday for data review of discovered and classified data, vulnerabilities that live in the environment, user access and permissions, and an overview of all of the assets that our solution has found in the environment as well, which is the last core tenet of what we do. And in that regard, our philosophy is we need to shine the light in the dark, scary corners to find everything that may need to be looked at further for vulnerabilities and data.

[Uncle Marv]
All right. So this is not the tool that somebody is going to pop in on a prospect view and for half a day throw it on there and then go back and be able to do a quote for them. This is for active clients that you're managing and you want to go deep on their cyber risk position, correct?

[Kris Shoemaker]
That is the core principle. The secret sauce is in the recurring scanning so that we can watch where data moves and migrates. We can watch when permissions have been granted to certain people.

We can see where amounts of PII are aggregating in the environment. But we do have a way for those MSPs to do a let's call it quick scan of a net new potential customer to get a real quick understanding of what vulnerabilities might live in that environment so they can at least have an initial discussion with them to open up the sort of gates, if you will, to say, hey, there are some improvements needed. If you allow us to deploy the product in full, we can get this, that and the other additional information to talk to you about.

[Uncle Marv]
OK, I was going to ask you about the scanning. You mentioned recurring scans. I was going to ask if this is, in a sense, real time, especially when it comes to device discovery, or is it scheduled, aggregated every so many minutes, every so many hours?

[Kris Shoemaker]
So it's scheduled on the scheduling and granularity of the MSP's choosing. We are not real time. And that is an intentional decision.

Because of what we do, we don't really need to be real time. And in addition to that, we understand that there is something in the IT channel and customer environments called agent fatigue. So because of what we do, we need an agent.

But if we make a kinder, gentler agent that can run quietly in the background, not consume and hog resources, not hip check other services on those computers out of the way to do their thing, we sit nicely in the background and basically sip resources when they're available. So that means our scans may take longer because we're using resources when they're available. But we are the kinder, gentler agent on those endpoint devices because we're not the noisy agent.

We're the quiet agent. And that was done as an architectural decision.

[Uncle Marv]
OK, great. So if we were to talk about Cavelo versus some of the other products out there, I already asked you what makes you unique from an overall cyber posture. Where do you see this sitting in the current landscape of where we are and then where do you see it going a few years down the road?

[Kris Shoemaker]
Yeah, great question. So I'm sure that you and your audience may be familiar with the left and right of boom concept from a security standpoint. Right.

And just to sort of make sure that whoever might not be, I'll just spell it out. So left and right of boom was a concept co-opted by the U.S. military. And the boom is in the I.T. world, the security incident, the moment of everything on the right hand side of the boom on the scale is the reactionary things, right? The what happened, how they get in, how do we prevent it in the future, who do we have to report to? And all of your sort of block and tackle tools like AV, MDR, XDR, EDR, blah, blah, blah, seem to sit in this world. And we are pronounced left of boom, right?

We are distinctly left of boom. We sit in the advanced, proactive visibility and insights world so that we arm MSPs with the ability to be proactive and make the remediation steps necessary to lessen the potential for a boom to happen in their customer environments or lessen the severity in their customer environments if it does happen, because they've taken the time and energy using the insights provided by our platform to reduce through proper hygiene any of these bad potentials. So that is kind of where we sit. So this is a we are a very good way to round out a security practice with the set of pre-chosen block and tackle tools.

But we will never in the future go into the active block and tackle remediation world. That is not who we are philosophically.

[Uncle Marv]
OK. So right in there, I'm sitting here, I am, you know, people can't see us on video, but you probably saw my eyes wandering back and forth, left of boom, right of boom and trying to figure out where that is. The thing I did not ask you is when you're looking at the security posture, we did not talk about if you're lining up against any of the protocols out there, NIST, CMMC, that sort of stuff, so that we can give our clients a report and say, hey, here's where you are according to your compliance.

[Kris Shoemaker]
So the answer to that is all of the things that we do as base understanding for finding PII, for looking for vulnerabilities and reporting on these kinds of things are built against NIST frameworks, CIS, et cetera, et cetera. So, yes, people can search against the criteria of these frameworks based on what is found in the real world customer environments that they're searching in with our platform and produce these reports as for auditing purposes, et cetera. They can also schedule and send to whoever they would like these reports in either an executive PDF or CSV or Excel, whatever outputs they want in whatever scheduled form they would like, it can be produced out of the platform.

[Uncle Marv]
All right. Well, Kris, that's a lot.

[Kris Shoemaker]
It's really not. And it is a little different than most people at an MSP are looking for or at. Oftentimes, what we'll do is we will use the asset discovery and vulnerability management portions of our platform to replace existing tools.

And they will add new skills and forms of recurring monthly revenue by offering data discovery and classification and identity access management. So we can both strip down and reduce costs and add net new things to their security practice that they can offer to make new money. So we are a little different.

We are not yet another block and tackle tool. And that is the messaging I would like to leave your audience with today.

[Uncle Marv]
I appreciate that. And yes, that is exactly what a lot of us do. We'll do those first two and then kind of stop there.

And, you know, don't dig deep, especially when it comes to the data discovery and classification. So that is great that you guys are doing that. Kris, thank you very much for hopping on the show, folks.

That is Kris Shoemaker, head of channel for Cavelo. And if you looked in your pod catcher, you saw the name C-A-V-E-L-O. I'll have a link to their website, Cavelo.com, as well as guest information for Kris here. Kris, looking forward to seeing you. We talked before the show about missing each other at Secure but look forward to seeing you at IT Nation Connect here in November and see if you're one of the final three to pitch.

[Kris Shoemaker]
Oh, we intend to be.

[Uncle Marv]
Right. Thank you much, sir. Ladies and gentlemen, that's going to do it.

Thank you for hanging out for another vendor profile for the IT Nation Pitch It. Check us out, subscribe and come back for more of the IT Business Podcast. We'll see you soon.

And until then, Holla!