697 Democratizing Threat Intelligence: Blackpoint Cyber's MacKenzie Brown

Uncle Marv sits down with MacKenzie Brown, the VP of Adversary Pursuit Group at Blackpoint Cyber, to dive into the intricacies of threat intelligence and cybersecurity within the MSP landscape. The discussion covers the challenges MSPs face in staying ahead of cyber threats, the concept of democratizing threat intelligence, and the importance of building strong vendor partnerships. MacKenzie shares her insights on the evolving cybersecurity landscape and offers practical advice for MSPs to enhance their security posture.

In this engaging episode, Uncle Marv and MacKenzie Brown explore the critical role of threat intelligence in modern cybersecurity. MacKenzie explains the dual nature of her role at Blackpoint Cyber, balancing threat research with enabling their SOC team to respond effectively to cyber threats. She emphasizes the importance of understanding both academic and real-world threat intelligence and how MSPs can leverage this knowledge to protect their clients better. 

MacKenzie introduces the concept of the democratization of threat intelligence, advocating for making threat intelligence more accessible and actionable for MSPs. She highlights the challenges MSPs face, such as limited resources and the need to educate clients on the importance of cybersecurity. The conversation also touches on the necessity of having strong, supportive vendor partnerships that provide actionable intelligence and not just tools. MacKenzie shares her personal experiences and insights from her career, offering a unique perspective on the intersection of IT and cybersecurity. 

Key Takeaways: 

  1. Dual Role at Blackpoint Cyber: MacKenzie balances threat research and enabling SOC operations.
  2. Democratization of Threat Intelligence: Making threat intelligence accessible and actionable for MSPs.
  3. Academic vs. Real-World Threat Intelligence: Understanding the difference and its applicability.
  4. Challenges for MSPs: Limited resources and the need for client education.
  5. Vendor Partnerships: Importance of having supportive vendors that provide actionable intelligence.
  6. Proactive vs. Reactive Security: Shifting focus from reactive to proactive security measures.
  7. Importance of Basic Security Practices: Emphasizing fundamental security controls.
  8. Cybersecurity Misconceptions: Addressing the misconception that MSPs don't understand security.
  9. Cost of Cybersecurity: Discussing the financial challenges and the need for affordable solutions.
  10. Future of Cybersecurity: Insights into the evolving landscape and the role of MSPs.

Links:

Florida Mom Accused of Screwing Nail into Daughter's Buttocks: https://tinyurl.com/muh7chhj

Vuori Clothing (MacKenzie's Favorite Leggings): https://vuoriclothing.com/

=== Show Information

Website: https://www.itbusinesspodcast.com/

Host: Marvin Bee

Uncle Marv’s Amazon Store: https://amzn.to/3EiyKoZ

Become a monthly supporter: https://www.patreon.com/join/itbusinesspodcast?

One-Time Donation: https://www.buymeacoffee.com/unclemarv

=== Music: 

Song: Upbeat & Fun Sports Rock Logo

Author: AlexanderRufire

License Code: 7X9F52DNML - Date: January 1st, 2024

Transcript

[Uncle Marv]
Hello friends, Uncle Marv here with another episode of the IT Business Podcast, powered by NetAlly, and it is the regular Wednesday show, and I am here with what appears to be a black screen, but it's supposed to be MacKenzie Brown from Blackpoint Cyber. MacKenzie, are you there?

[MacKenzie Brown]
I am here. I have no idea. I swear, Marv, I did not touch anything.

I didn't touch a button. Not entirely sure why I just, that just happened. I could probably exit and come back in.

[Uncle Marv]
Yeah, go right ahead. I'll do some housekeeping stuff while you do that. All right, so this is the regular Wednesday live show, folks.

That's how you know it's live, because we have stuff like that happens, but as I mentioned, this is powered by NetAlly. The network and testing analysis experts, whether you're deploying, managing, or troubleshooting complex wired and wireless networks, NetAlly has the tools to get the job done. From the EtherScope NXG network tester to the LinkRunner AT cable analyzer, NetAlly's rugged purpose-built solutions provide instant visibility and simplify network testing.

With decades of experience, NetAlly helps network professionals work smarter, not harder. And I will go ahead and give a shout out. I used the CyberScope yesterday at a client, and one of the things that I used it for was to do an error check at the client's place.

They were complaining about a spot where they didn't think the Wi-Fi was working, so I went out there and one of the options with the Wi-Fi testing is to do an error quality check. And the place where they had the issues, it was a real issue, and I found out it was a real issue because, well, when I first got there, I noticed that it was in a spot that was surrounded by these iron metal racks that you see in warehouses all the time, and the place where they were trying to get their Wi-Fi at was right against a wall. They had a computer up against the wall there, and I kept getting interference, and I asked them, what's on the other side of this wall?

And it's another client or office space in the building. Right on the other side of the wall is their kitchen, and they have all of their appliances, microwaves, and we're not talking like little dinky, you know, microwaves that you normally see. These were big commercial microwaves, and so they were going on and off all day, and that was the issue.

So the CyberScope helped me to explain to them, you're not going to get Wi-Fi here unless you put an access point right there or move that desk. So there you go, and it looks like she is back, and video is working. MacKenzie, welcome back.

[MacKenzie Brown]
Thank you. I turned it off and on again, so apparently that was the trick.

[Uncle Marv]
You're 50% of IT problems, right? So, you know, I talked to an end user today who was having an issue and has had an issue for the last two days claiming that every time she tried to print from Outlook, it would shut down the computer. And we get the call, you know, I call her, and she's like, well, I already shut down, and I already did this, and I already did that.

I'm like, you didn't shut down because your station shows that it's been up for 16 days straight. She's like, oh, well, I closed the lid.

[MacKenzie Brown]
Sounds like the perfect punch line to a joke. Okay, I was waiting for you to say she just pressed, like, powered off the monitor, and that was it.

[Uncle Marv]
No, it was a laptop, and she just closed the lid. I'm like, why don't you try closing all your programs, saving them, and actually powering down your station, leave it off for a couple of minutes, and then turn it back on. I didn't hear from her the rest of the day, so.

[MacKenzie Brown]
So it worked.

[Uncle Marv]
I assume that it worked. All right, so let me go back and reintroduce you. I mentioned MacKenzie Brown.

You are officially the VP of Advisory Pursuit Group at Blackpoint Cyber, but you're also holding another title, VP of Security. You're also out and about. You've been on the road for a couple of weeks.

It's been a whirlwind for you, so tell me, how are things?

[MacKenzie Brown]
Oh, my gosh. Well, I was on the road for two weeks straight. I'm drinking champagne out of a can because I feel like that's the most Idahoan thing I could do right now, and let's see.

I was on the road for two weeks, and this has been my norm and came home to have to move. So, you know, no one can see behind here, but it's filled with boxes and trash, and I feel like I'm living in an episode of Hoarders right now because of the moving process. And yeah, I'm wearing two hats temporarily, but my primary role is helping run the division for the Adversary Pursuit Group at Blackpoint.

[Uncle Marv]
All right, so for the regular MSP, I think you might need to explain what that means.

[MacKenzie Brown]
Okay. So, Blackpoint Cyber is, well, under the hood, we're a software company, but everyone knows us as an MDR solution, MDR company. So, SOC as a service.

Within the SOC itself, it's called the Blackpoint Response Operations Center, and within that is my group, which is the Adversary Pursuit Group, and we are a threat intelligence and threat research unit. So, we perform threat intelligence analysis as well as threat research from reverse engineering to exploit development to just general really cool proof of concepts and simulations, and we contextualize the information within the Adversary Pursuit Group to enable our SOC. So, we're doing real-time analysis, providing actionable information and intelligence that our SOC analysts can then run with as they're doing triage and response to a case.

[Uncle Marv]
Okay. So, are you kind of like the white hats chasing the black hats and analyzing everything, or are you the people that grab what the black hats have done and reverse engineer it and find the fix?

[MacKenzie Brown]
I think a little bit of both, actually.

[Uncle Marv]
Okay.

[MacKenzie Brown]
Just call us gray hats.

[Uncle Marv]
Gray hats, all right.

[MacKenzie Brown]
Yeah, yeah. We're definitely doing a little bit of both. So, our research team, you know, we've, first and foremost, we definitely, you've heard me out there talk about this, we believe in, we have guiding principles and code of conduct at APG.

We're not just developing, like, things that could be weaponized, essentially, but we do want to get more information on what threat actors are doing. So, when we hear of an exploit, we actually focus less on, say, it's a zero day, we focus on the post-exploit capabilities. So, what happens after?

Why is this bad? So, we really focus on the why aspect of research, and then the intelligence analysis is, of course, gathering threat intelligence, what we know at an industry level, and then all of that is bundled together so that when we're escalated from the SOC, we can provide them as much context as possible, whether they need to change the criticality of the event that they're investigating or triaging, perhaps they need to build out new detection rules and scan across the environment, or it helps them threat hunt. So, it helps them point them in a direction so that they can understand the entirety of the story of what they're trying to build so that they can get the customer in a better place.

[Uncle Marv]
Okay. So, it sounds like you're at the forefront of a lot of stuff. As an MSP, we just kind of sit back and we don't even really glean the knowledge.

We just want to know, if you find stuff, can you block it and save our butts? And I know that for, I don't know, what is it, the last five years that cybersecurity has really been taking off in a sense of everybody's got to take cybersecurity seriously. We're still looking at it from the standpoint of right of boom, like it's always after the detection.

It's what do we do if something happens? And most of us are not out in front of it. And for various reasons, and we'll kind of talk about that in a bit.

You're smiling already, so let me, what are you thinking?

[MacKenzie Brown]
No, I would agree. I would agree. And this isn't a plug for the Right of Boom conference, but it's definitely how I got re-immersed into this crazy, wacky world of the channel and MSPs.

Great conference if no one's been there. I'm not paid by Andrew Morgan, but in every way, it's probably one of the best cybersecurity-based conferences I've been to and one of the only ones for MSPs. But like you said, I think we do focus on, we're less proactive.

We're most reactive. And we tend to take lessons learned and that's the best thing that we can get out of the silver lining of a bad situation. I'm surprised I'm still an optimist in my day-to-day life coming from incident response because I came from the right of boom world and I saw really, it's interesting, MSPs proactively want to learn what happened and how it's possible so that they can better protect themselves, they can make better business decisions and strategize what they do for their clientele.

But in the incident response world, it's not that much different. I would say that when I'm picking up a phone and I'm on the line with a very distraught CISO who's probably putting "open to work" on his LinkedIn at that same moment. But I will say that it's in a way they want to know what happened.

Was any data taken? How'd they get in? What does it look like for recovery?

And there's somewhere meets in the middle of what real proactive leadership is when it comes to security. And not a plug for threat intelligence, but I do think that that's sort of the bridge. To be proactive, you have to understand the why, why it matters, the applicability of it, the likelihood, the impact of all these threats that we're seeing.

So you can take a basic data breach. I shouldn't say basic. It's basic to us now, like we're desensitized to it.

So you take a good run of the mill Monday data breach, but you really look at people want to care about how they got in, like what were the weaknesses and flaws in the infrastructure? What was the impact? And of course the attacker's motives, why they targeted that specific organization, and all of that sort of threat intelligence in a way because we're able to aggregate that content.

Being proactive is making it relevant and applicable to your organization. As an MSP, that's probably hard because you have lots of organizations that you need to make it applicable to.

[Uncle Marv]
Right. And we have the clients that some of them don't really care. They just want to be protected.

They don't want to know how; they just want to know that it's done. And of course, if something bad happens, well, tell me why it happened. And it's almost like, well, you didn't really care how the food was made before, and it's going to take a lot of time to go back and explain the entire process now.

We're too busy trying to do the cleanup now. Let us get through that and then we can go back and address things. But then there's a lot of situations where MSPs are too busy to really get that deep.

I know that there are some that go out there and try to understand and we go to conferences and we try to talk to all the smart people in our industry. But when it's all said and done, we've got to take care of the day-to-day. We're still dealing with, did you turn it off and turn it on again, that sort of thing.

[MacKenzie Brown]
I'm waiting for my camera to show up again. I don't want to jinx it, but yes, you're completely right. Honestly, going back into the security community and even my own team and the things that we have to talk about, it's actually that reiteration of what you just said.

MSPs are busy because they are IT, but they're also CEOs, they're business owners, they're running a company. And so there's so many other things on their plate. You throw in cybersecurity in and of itself.

It's a whole plate full to consume.

[Uncle Marv]
So I will say to everybody, so I've heard you talk before already. You've been doing some stuff. You also have a podcast.

But I want to ask you specifically about a term that came up, the need for the democratization of threat intelligence.

[MacKenzie Brown]
It sounds so fancy.

[Uncle Marv]
It does.

[MacKenzie Brown]
I know. I don't know if that's what we're going to call it long-term, but that's the best way to describe it. Yes.

[Uncle Marv]
Well, tell me exactly what do you mean by that? I mean, democratization kind of means like, hey, we're going to share this with everybody. But is that really what you mean?

[MacKenzie Brown]
Yeah.

[Uncle Marv]
Yeah.

[MacKenzie Brown]
So when I think of democratization, if I can say it right, this is what I get for drinking champagne at the end. I was going to say it's late for me. It's past 5 p.m. So no one can judge me, but it's way later for you.

[Uncle Marv]
You still have light out. It's dark here.

[MacKenzie Brown]
I know. We do. I don't know.

Is it dark there?

[Uncle Marv]
Yeah, it's dark here. East coast.

[MacKenzie Brown]
Oh, well, I'm not great at geography. It's daylight, it's summertime, it's 90 degrees out still. So democratization of threat intelligence.

When I think of the concept around democratization, I think of accessibility. And when you think of threat intelligence, people are like, well, that is accessible. It exists.

There's resources, there's feeds, there's crowdsourcing. And yes, all of that occurs. People write blogs.

And I was well-informed, so I have a director of threat intelligence on my team. He's my go-to man on our team, actually. And he lives and breathes this.

But we spend a lot of time in some of our conversations of just pow-wowing on the nitty-gritty of threat intelligence and why it sounds like a magic trick, why it sounds like something that organizations don't. They have to pay for a platform or they have to do X, Y, and Z, or they have to hire someone. And that's the problem, is he has probably some more like funny visual ways of explaining what the community looks like in the threat intelligence world.

But it's certainly around accessibility and the differences is between academic threat intelligence and real-world threat intelligence. Academic is kind of the consumption of all things. It's the full threat landscape.

It's a Microsoft MSTIC blog going out. It's a CrowdStrike blog naming Scattered Spider. It's like all the things.

It's understanding an attack by a nation-state-based sponsored threat actor group. It's looking at things like the SolarWinds breach or a ScreenConnect vulnerability, only because these are the things coming up in my head. All of this is an aggregation of data around what happened.

And it allows us to be, ideally, more predictive of what could happen. But threats are constantly evolving. We saw this with the Exchange zero-days.

We've seen this with WannaCry. We've seen so many vulnerabilities where they're just constantly evolving. We don't want to keep up on it.

So the idea around academic threat intelligence, it's not very applicable. It's hard to make it relevant. So organizations are just like, okay, so it's just like information.

But then you have real-world threat intelligence. And this gets a little more tricky in a way, but it's so that you can do quick analysis based on what you know, what you've gathered at an industry level, and what you've gathered from your own data within your environment and your organization. And you put those two things together, and you understand, you contextualize what's going on, and you respond quicker.

So real-world threat intelligence is timely, it's accurate, and it's relevant or applicable to your environment. Not just your environment, the industry you're in, the region of the world you're in, previous incidents or events that you've had to, overcome's the wrong word, but you've had to go through, basically. And it's also applicable that threat intelligence overlays across where your existing accepted risks are.

So the problem we have is, yes, threat intelligence is accessible, but there's this connotation that you need to buy a platform for it, or you need to hire in-house talent for it. And while these things are also true, and they're not mutually exclusive, it also means you have all these feeds, which means you have a bunch of noise. And does that noise really matter?

So now I need to hire someone to tune out the noise. And then you have to connect your own data sources into that, so that you have real-world examples as it applies to your network. But the problem is, is that data clean?

Are those systems you use, right? If you're pulling from some other data source, is that hygienic in a sense? So there's all of these complexities that go around with threat intelligence that it's just assumed only the most mature organizations have it.

And then layer on top of that being the realm that Blackpoint Cyber focuses on, the channel, the MSPs. You're providing threat intelligence that's real-world, not just academic, to MSPs who now have a whole... You may have MSPs who are probably more break-fix, and they have kind of a sporadic sprawl of industries that they cover.

You may have some that are focused on healthcare or education, and they have very strict verticals they focus in, some that are regionally based. So all around the world, there's going to be different types of threats, whether you're looking at government level, whether you're looking at an EMEA or APAC base, that's going to shift. And then, of course, everyone loves to add on compliance.

So there's other requirements that come in with compliance. So MSPs have a lot to handle. So when they think of threat intelligence, they're kind of forced in this academic threat intelligence world, rather than applicable threat intelligence.

And that's kind of where the system, I believe, is broken. So it feels like a magic trick. It feels like this is just fluffy things.

And yes, it's educational content. It's valuable. But as you said, MSPs don't have time to read an article on Hafnium, another article, or a new CrowdStrike attack, or the one that we were inspecting today on ESXi servers getting targeted by ransomware groups, which isn't new.

But what they do after they target those servers, you can read all of that. But to consume that every single day, that's not realistic, and it's not helpful.

[Uncle Marv]
Well, it's not just that. For most of us, it may not be applicable. I mean, yeah, I want to be alerted when things are happening.

But if I've got 50 articles or news alerts popping into my feed, and I've got to sort through, okay, which ones really apply to me and my clients, it can become brain fog to a certain extent. So the question is, when we talk about doing this democratization, first of all, do you have an idea? Well, I'm sure we have an idea of why it's so hard to do this, and why it's so crucial to us.

But I mean, what are the steps that we would take to do this?

[MacKenzie Brown]
Well, I mean, first step is always admitting that there's a problem. And then I would say that second step is having a conversation. I would say the steps, like having a conversation is with the partners that you utilize right now.

Are we speaking like an MSP? Or are we speaking downstream customer, just organizational company level?

[Uncle Marv]
Well, let's stop there. Because I think you're talking, those are two different things, right?

[MacKenzie Brown]
So threat intelligence is going to be two different things. I believe that at like the crux of it, we have a server room to boardroom translation problem. We have an IT person to security person translation problem.

And then we have that applicability of who the actual target is, whether it's an MSP, or it's going to be small, medium business, or a large organization.

[Uncle Marv]
Or all at once, because a lot of these things are just spraying the internet for vulnerabilities.

[MacKenzie Brown]
So how do you make content? How do you disseminate and translate threat intelligence? That's the issue, is how do you build a system where all of these different audiences can consume and understand?

Because the CFO of a hospital is going to consume the same content differently as a system administrator for a government agency. They're looking at the difference between threat intelligence as I'm a nerd, and I can understand what I'm reading, whether you're an IT or security. Those really don't necessarily matter.

They understand it. Or if you're a CFO, and you're reading it from a risk intelligence, proactively of, okay, I don't need to know what that server or system does. I need to know, is that data valuable?

And is the efficacy of the threat actor's likelihood hitting it going to be higher? And is that impact going to be extremely destructive to our business? So we have to find a big solution is first figuring out how we translate to these various audiences and make it out of the academic realm.

That's one area to start, academic-based threat intelligence. No one has time to read all of that. But it does mean that we need to be better at translating the information and the intelligence that we're seeing for various audience types.

That way, I do think this is just a solution to cybersecurity universally around the world. People don't get it. They don't want to get it.

But we're trying to teach it in middle school right now. But they know passwords. They know more about YouTube than I do.

And they know more about coding in Python than I do. But I do feel like we have to find a way to translate this information for all of these audiences. And that's where the foundation really should start for this accessibility concept.

[Uncle Marv]
Okay. Do you have an example of how the concept of democratization has helped MSPs already? Or is this still kind of in the works?

[MacKenzie Brown]
So I probably have a whole handful of examples. Because the way we run APG, and I won't spell out Adversary Pursuit Group over and over again, but we'll just call it APG. We do a two-prong approach, which is the basic approach for a threat intelligence program or a research threat intel, threat research type of division is to enable the SOC.

We're supposed to make our analysts. We're the additional utility belt on Batman. We're there to make our analysts better, make informed decisions, to be able to triage faster and help our detection team build out detections that can go across all of our clients and customers and partners so that we can proactively address threats as they come in real time.

The other aspect, and for a lack of a better phrase, is a marketing arm. So what our team does is, you know, we take insights from our day-to-day job supporting the SOC, enabling the SOC, and then we also take industry research. We take real-world events going around, whether it's, again, a zero day to a data breach, and we aggregate that information and we create content that can be, is free, and can be consumed by different audiences.

So that's the way we run our program. We run a normal TI threat research program, but the secondary arm of that, which is mostly beneficial, it's probably to MSPs, it can be beneficial to the industry and to small-medium business, but we design the content so it can be consumed and digested in a way where MSPs can find the applicability and put it within their downstream customers. We're almost finding a way to do the trickle-down effect of translation, if that makes sense, of why it would matter.

[Uncle Marv]
Right. So you're going to be able to contextualize the risk for us, help us understand what truly is applicable, and then, of course, you mentioned the fact that, so, of course, resources is always an issue. You know, putting somebody in charge of, you know, checking that every day, okay, there's a cost involved, there's a platform involved.

How does a typical MSP keep pace with this?

[MacKenzie Brown]
Right. Well, again, I feel like the problem we have right now is threat intelligence. If you look at, like, the product landscape and what's considered MDR right now, there's components of a lot of these products, and somehow threat intelligence is a part of it, which I feel like is so vague of what that means.

That's like saying, like, we use AI, but it's, like, machine learning, and it's just, like, a small component, not necessarily effective in all ways. But I will say that how it's going to work for an MSP would be the same open-source concept of we're creating content that can be distributed at no cost. You shouldn't have to hire talent.

You should be able, the most difficult thing you can do that would be the real solution is having a partner, and this isn't a plug for Blackpoint Cyber at all, but it would be having a partner that you know is being able to pipe in that information to you that is relevant, because that's where it should start. We have threat intelligence feeds, right? You can build, you can purchase solutions.

They're costly. They require in-house talent, right? They're going to require different things.

Threat intelligence shouldn't come at a cost. It doesn't necessarily, but there's so many public feeds out there that's time-consuming, and your time is money, and that's a resource consumption. So whether or not you say it's free, it's technically not.

It's looking at your existing partners and seeing how do they feed you information, whether it's notices, advisories, educational content. All of that to me is intelligence, and all of that can be gathered in a way that, I don't know, is a building block to somewhere that's going to be good for MSPs. It's not the full-fledged solution, but it is something that's a starting point.

[Uncle Marv]
Right. So for MSPs to just simply get started, I mean, is there... I mean, of course, we talked about step one and step two, but is there another step beyond that?

Because I think most people will admit to step one.

[MacKenzie Brown]
Right. Yeah.

[Uncle Marv]
Some people will say, okay, yeah, I'll... A conversation, yeah, we have those all the time, but then what's next?

[MacKenzie Brown]
So what I never... So I shouldn't say never see. In the year and a half, I've been submersed into this world of MSPs.

There's definitely two different types of partners I've met. Some that are just break-fix, they're right there, they're beginning, they're gaining success. Right.

They're just figuring it out. I just kind of categorize them in the same bucket. And then you have these more strategic, mature MSPs, and these are usually vertical focused.

They take a big stance on compliance and understanding that they're doing things that matter to their vertical as well. So compliance kind of fits hand in hand with that. And they're more focused on the return on investment of the specific solutions that they put in their tech stack.

So very much more mature, whether or not they're trying to get acquired or do something else or create a full-fledged family affair, I don't really know. But they tend to understand these concepts of threat intelligence because security is already an initiative they've started on. So I think first and foremost is understanding one side, that first bucket of MSPs that I've spoken with, they're going to be at a loss when it comes to threat intelligence because they have to start the security conversations.

And then the second bucket is demystifying this complexity or magic trick that threat intelligence is and having them look at the partners or let's just say the vendors that they have relationships with, specifically the security vendors, and the types of information, whether it's subscription-based, a feed, whether it's white glove notifications, things that you would expect a vendor or third party to provide you, we all hope.

I'm rolling my eyes because that's not necessarily the reality today. But that vendor relationship, that bucket of MSPs, that is much more strategic. They're typically operating in one industry.

They understand they have more of a simplified tool stack. So they have a better head start on being able to integrate threat intelligence in. And it does start with the vendors that you work with.

But I would say if you're in the other category of MSPs, you have to build out a roadmap of how to get to the security aspect, to get to the security vendors. And a requirement for your security vendors, in my opinion, should be that relationship where they are giving you actionable intelligence, whether it's, hey, yes, we patch systems, but here's what that, you know, potential critical flaw does or not critical flaw, whatever. Or, hey, we offer services, or you can subscribe, or here's a whole area where we have educational resources, because the MSPs job now at that point is how do they educate their downstream customers?

So the democratization and accessibility part gets tricky because we're working with two different maturity levels of MSPs.

[Uncle Marv]
I'm going to ask you a question that I don't know if you're ready for. But you've talked about the world of MSPs as if this foreign language, you know, exists for us, as opposed to the rest of the world. So I know that you're previously, you were with Optiv and the Microsoft Detection and Response Team that was at the DART thing.

[MacKenzie Brown]
Mm-hmm.

[Uncle Marv]
The DART thing. So let me ask this. I mean, it almost feels like you stepped into our world, and you're like, what the heck is going on here?

I mean, is it really something where the MSPs, and I'm going to add the vendors too, in our space, are we that far behind the eight ball on this?

[MacKenzie Brown]
Mm-hmm. I mean, it's so funny. When I came into the channel in the first five months, this reputation or consensus across the masses, even from other MSPs, that was the biggest thing is, oh, MSPs don't know security.

They don't know security. They're just figuring it out. They offer some solutions.

But I am a person, I like to think I have a fairly high EQ. I can cry at a lot of commercials, especially that involve animals. And I do think I have empathy to understand that.

I think that's kind of a misconception. I think cyber security in and of itself is a misconception that the IT person doesn't understand security concepts. Where do you think security concepts started?

So I have a lot of empathy and a lot of understanding, deeper understanding of the IT person, not necessarily the MSPs, but they all came from somewhere, right? So I have empathy for the singular IT person because things that they're doing, things that they understand, directly impact security activities and initiatives. And seeing I started in help desk, I went from help desk to IT support, IT support to network support.

I worked up the chain. And then I got into security because I was like, oh, this is cool. Through auditing, not cool.

But I understood that there's such a divide that keeps getting bigger and bigger, especially when you look at people that are leaving cyber security based curriculums and colleges now. There's such a divide. I think every single cyber security person should be required to do Network+ at a minimum or go get their CCNA or something to be able to understand that the IT person can easily adopt security principles versus the other way around.

So when I came into the MSP space, when we're talking cyber security and the reputation that it has, I think it's just one big misconception. I think that they actually, I think most MSPs, because they understand IT, and I say most MSPs, I've probably met two where I'm like, you're lawyers? This is weird.

But most MSPs understand IT at such a deeper level that they also understand security. It just has to be explained differently. And compliance adds a whole other wrench to the wheel there as far as kind of making it more complex.

More complex and not necessarily, again, checkbox mentality. Not necessarily that's what the driver is for security when it's, that shouldn't be the driver for security. So I have deep empathy coming into the MSP space because there's a lot of smart people.

And there's this connotation that they don't know cyber security. It's not that they don't know it. They just haven't found a way to apply it.

And they're also busy, like you said.

[Uncle Marv]
Well, all right. So somebody's going to get upset at this, but I think that there is an arrogance when it comes to cyber security. And some of the security vendors in our space, they tell us, well, you're just an MSP.

You're not going to get it. And every time they come up with a new alphabet letter in front of DR, you know, EDR, MDR, XDR and stuff, it's almost like, oh, we've...

[MacKenzie Brown]
And the XDR, don't forget that one.

[Uncle Marv]
Yeah. You know, every time we add a letter, you're not going to understand it. And that's kind of how we're being treated to some degree.

So, yeah, it's kind of... I don't want to say it's a pissing match, but it's like, it is pissing me off that you're...

[MacKenzie Brown]
It's a bunch of... Oh, you said this was live. It's a bunch of circle high fives.

Everyone's just, you know, smelling each other and high fiving each other. I completely agree. And a lot of redundancy on the acronyms too over time.

They're starting... I'm like, you know, there's multiple acronyms that mean different things, but they're the exact same acronym. And I agree.

I mean, that's my position on cybersecurity being in it for a little over a decade now. I'm not to age myself, so please, people don't judge me there. But it's not very inclusive.

I'm not just saying that because I'm a woman, but it's not inclusive around the concept of security. Security, the industry, if you ever walked on a showroom of RSA or what I'm about to do next week, which is going to Black Hat, and you really look at the vendors and then everyone that's wrapping everything in MDR and all the other vendors that are showcasing or startups and startup alley, and you get desensitized and it just kind of creates that further divide you're talking about of what could be deemed as arrogance.

Because it's not... It's expensive. I think that's what it comes down to.

Cybersecurity has to be budgeted for, but yet it's required. So you have to prioritize certain security controls or solutions, really. Controls and solutions, same, same.

People are also controls. So you have to hire people or you have to hire a third party. All of this is just money.

And sitting here talking to you about threat intelligence, obviously my champagne in a can is kicking in, but it's the same thing. Most threat intelligence today is also just money. It's one big high five circle for the community.

And that needs to change because I certainly don't view MSPs as the ones that don't understand cybersecurity. I've had a plethora of discussions and conversations with partners in the past year and four months, or it's not like I'm counting, days I've been in this prison. I've had a plethora of conversations that were of security topical.

They were around cybersecurity. And I've had a lot of security group conversations where they had to do research on just general IT network, infrastructure engineering things to understand what the attack is and what the threat is. So I would agree.

There is... I don't know if I'd use the word arrogance because I'm still in the community, so I don't want to get exiled. But I do think that there's a huge misconception.

I think there's an inclusivity issue financially. It's not realistic. I think there's outdated and insane requirements from the compliance and regulatory organizations, as well as cyber insurance.

That's leading the way for cybersecurity. There's a lot of things that need to be fixed. All right.

[Uncle Marv]
So let's clarify something here. Arrogance was my word. So you're off the hook there.

I'm the one that said arrogance.

[MacKenzie Brown]
On the record.

[Uncle Marv]
We can kind of talk about the fact that you're right. Cybersecurity is expensive. And I think the reason that arrogance comes up for me is that a lot of times...

Now I'm doing some of the stuff. I'm not doing all the stuff. And part of it is if we're looking at adding something to our stack and it's expensive, because remember, our clients are not used to spending a lot of this money either.

So we're stuck in the middle a lot of times where we got to go back and tell the client, okay, you know what? This cyber-attack happened. So in order for us to protect you going forward, we're going to have to add $5 a seat.

To that customer, that's a lot of money. And then from the security vendor to turn around and say to us, well, you just need better clients or you need to be more mature in your MSP. And it's like, okay.

[MacKenzie Brown]
Well, I would fire them immediately.

[Uncle Marv]
Yeah. Fire your clients. Come on.

No, really?

[MacKenzie Brown]
Yeah.

[Uncle Marv]
Yeah. So yeah, I can see that to where I wasn't... I'm not going to say it, but if you're not spending three digits a seat, I'll say it that way.

You're not an MSP if you're not charging this much.

[MacKenzie Brown]
They're big dollar seats. Yeah. If you're not spending all of that money per seat.

[Uncle Marv]
Right. So that's kind of where it is. It is that separate type of thing where, well, if you're not doing all of this in your stack, where, okay, well, yeah.

I have an MDR. I have ThreatLocker. Stop slamming down on me so much because...

[MacKenzie Brown]
Yeah. I think you touched on a couple points there, but the biggest takeaway for me, and I've heard someone say they absolutely hate this turn of phrase until I come up with a better one, but it is third parties should be trusted advisors. You're having a relationship with them.

Not that I'm perfect on relationships in my personal life, but I will say you have trust there and you want to be able to nurture that relationship. And when we're working, when we're shopping, for lack of a better word, for vendors to supplement these controls that we're required to do, the conversation around price point shouldn't be actually the main bridge of divide there. I think if they are coming to you with a greater price point, but not another option, then we're just furthering the problem.

So if you're going to a vendor that does one thing, but they don't do other things, for instance, I know this sounds like it could say a platform play conversation, but this is the world we're going in, is if you're going to be spending money on something, why do you need to have redundant technologies? If you're purchasing additional solutions for every single requirement control that you need to check a box for, that should just be included. And a lot of the configuration, a lot of the education of what's best practices, right?

Like, I mean, MFA is obviously out there that people still aren't doing and no legacy authentication protocols. Like there's a lot of things that are out there. I think we need to hold vendors accountable.

I'm speaking as a vendor as well. So you can throw your fruit at me, people, but I think we need to hold vendors accountable. And I think that it should be, I'm spending money with you.

I expect you in your realm, being a vendor, this is your expertise. You are my trusted advisor. And so I need to be knowing what exactly that return is.

That's the hardest thing too, I'd say with MDR is a great example. How do you show return to your customers as an MDR provider? If there's no incidents, there's nothing wrong.

You would be surprised at how angry customers get.

[Uncle Marv]
They are. I have some myself where they're like, we haven't had anything happen in two years. Why do we still have to keep paying?

And it's like, well, there is stuff happening in the background. I just don't have a report to show you, which I need to have. Those are the things we need to have.

[MacKenzie Brown]
Those are the expectations that I think when people are going out there and focus less on the price, the price is obviously always going to be a component of whatever shopping you're doing. But I would sit down and have the real conversations of what are you giving me? Not just services or better pricing packages, but what resources are you giving me?

Reporting is a great example of that. If you're working with a vendor and you can't get a report that directly aligns with your return on investment, then why are you working with that vendor? If it's not like some cheap AV or something that you just have to fill.

I also think that it's difficult for me coming from a space in incident response where a lot of the attack vectors were successful, a lot of the activities of the hacker was successful because of basic things that aren't being done and even basic things that are like free. So I think that's also the better conversation I've had with MSPs is they understand those basics. They understand like the CIS controls.

That's the most proactive thing I've seen compared to doing honestly doing incident response and investigations for Fortune 100, Fortune 500 companies. They're well aware of it and they have many commas in their budget for cyber security and they have many solutions and they can afford their own SOC and an MDR on top of that and their own threat intelligence program. But they still get hacked and so there's this like the one positive connotation I have seen around MSPs is that I said I would curse so I can say one bad word, they give a shit.

They actually give a shit and that giving a shit matters. It's not the bottom line whether or not they can afford it is one thing that should again always be obviously in a component of your decision making process but it's the conversations that I've had where it's like well how what are you giving me? What are those resources?

What is that reporting? What does our relationship look like? Are you actually stopping the threat?

Are you going to pick up the phone and call me? Are you going to do additional analysis after it? Like what are your recommendations?

There's so many layers that as a partner because you have to protect your customers and you have to show that dividend. You have to show the return to them. You need your then trusted relationship with that vendor to provide you more than just application control.

That's not a that's not like a jab at ThreatLocker by the way. I play nice with everyone but it's you need vendors that don't just be like yep this is what we do and look at this cool dashboard and there you go. That'll be a hundred dollars a head.

[Uncle Marv]
Yeah so listen I just got ThreatLocker six seven months ago so take a jab if you want. I do want to say one thing in the vendor space. There's a part of me that is don't bundle just to bundle.

There's a part of me that is like okay there are some companies that are just trying to bundle to gain market share with no real benefit to us as the MSPs or to our clients. That will be a show later down the road just to say that and the fact that you mentioned vendors should you know play nice with each other. Having the integrations and the APIs so that you know if I use you know an RMM/PSA and then I want to add in you know this great security product can I just find a way to add it in and make it work as opposed to no you can't because you got to be a part of you got to be a part of our bundle package.

You know that's just my thought.

[MacKenzie Brown]
Yeah well I can't say anything because we do have a bundle but we also have things outside of the bundle.

[Uncle Marv]
Your bundle is relevant to what you do though.

[MacKenzie Brown]
You know I will say the one thing that I was attracted to before joining Blackpoint there's many things. One the technology under the hood. The component of cloud response and the M365 patents around that were really like impactful to me because this is how I shop for an employer.

And but the big thing was the methodology that since 2019 this is the bundle and we're simply offsetting costs by building new functionality new features of what would be an entirely separate solution included in the bundle at no extra cost. Because to me this is the same concept of the democratization. It's the issue that people have to budget for things they have to be doing.

When we should be spending more time going back to basics making sure people do data management which no one's ever doing. Privileged access management you know cleaning up cloud as well as on-prem and identity and access zero trust. All these things are free they just take time so why are we prioritizing solutions that are hypothetically doing that for us.

They're redundant we don't see the return on them. You're paying for bundles that's not going to sell you on it. That's also something I feel like I've been waterboarded with a little bit since joining the MSP community is this hatred for certain vendors.

But I do agree. I think that I think it goes back to the accessibility and inclusivity around cybersecurity. It should be there should always be an option.

Like price is obviously a component of it but price shouldn't be the barrier from getting some level of protection or some level of assurance. And then that layering of when you're shopping or when you're doing work have the part it should be a partnership with your vendor. That's why we call MSPs our partners and not just MSPs or customers right.

Because it should be a partnership. We do better when you do better basically. We always say that in incident response too.

Even though everyone wants you do a full investigative debriefing you're in there for three hours you're going through all the nitty gritty blood splatter analysis of what occurred and that's all they give a shit about. But then we're like okay we're going to wrap up this debriefing with all the things you need to go clean up and why you need to enable certain policies and settings and do these things. And I'll tell you their eyes glaze over at that part.

We need to like flip the switch a little bit there. And MSPs are kind of a key component as far as infrastructure goes to actually taking the end of what we see on a right of boom debriefing of oh shit hit the fan. But they take that information closer to heart because it's things that they have to implement or reconfigure.

And that's again this is like this whole misconception IT people don't know security. Who's the one enabling all the things that need to go into place to make security stronger or to harden an environment. It's going to be the IT person.

[Uncle Marv]
Yeah. Yeah. It's going to be us and the customer only looks at it from that means you're going to charge more isn't it.

So you've got to go through that. All right. So MacKenzie before I go off on a tirade let's put a pin in this.

I'm going to have to have you come back on. This was fun.

[MacKenzie Brown]
I would. This was fun. This was fun.

I'll fly down to Florida. Oh we've got a good amount of people in Tampa. I don't know.

You're not in Tampa.

[Uncle Marv]
I'm on the other coast.

[MacKenzie Brown]
Again I don't know geography but I know how to get to an airport so I'm pretty good.

[Uncle Marv]
I'm on the other coast but I will be I go to Tampa a lot. I've got two client offices over there. I go to the ASCII conference in October or whenever it is.

We'll figure something out. So we'll do that.

[MacKenzie Brown]
I've got to bring my boss Wilfredo on. You'll let he's based in Tampa. But you want to hear some good war stories.

I do. He's your guy.

[Uncle Marv]
I do. So there you have it folks. MacKenzie Brown Blackpoint Cyber.

We didn't talk much about them. It's been I believe three years since I had anybody from Blackpoint Cyber on. And I do want to do this real quick because I asked you before the show if you had seen the mug.

So at the end of 2023 I do my podcast awards and somehow without me ever giving Blackpoint Cyber a best swag noggin at any of the conferences you guys won for best swag for 2023.

[MacKenzie Brown]
I'm trying to think what swag that was. It wasn't a t-shirt.

[Uncle Marv]
Well yes. So of course when I had people vote I had to let them know that they had to include what the swag was. It had to be real swag.

So that way they just weren't.

[MacKenzie Brown]
My marketing people are going to fast forward through this whole episode.

[Uncle Marv]
Are you kidding me? One of them was your pen which this actually was in a final list for one of my shows. You guys this is a nice pen and it's got a beautiful pen.

It's a very nice. I like pens with a little weight to them. Yes.

Yes. I like.

[MacKenzie Brown]
I'm waiting for the infomercial like 1-800 to call you like pens are running out people buy a couple licenses get a couple pens and then your shirt is hanging in my rafters.

[Uncle Marv]
It's over there. I know you can't see it. I'm pointing but they said that you had soft shirts this year and they were nice.

So that's what happened. So I had been waiting to find somebody to send the mug to. We finally got that done.

So thank you guys for reaching out and hope to have Blackpoint on more in the future and see what happens for this year's awards.

[MacKenzie Brown]
I would love it.

[Uncle Marv]
Now are you ready for the segment that everybody loves to hear?

[MacKenzie Brown]
I know but I'm so nervous.

[Uncle Marv]
I know.

[MacKenzie Brown]
You made me so nervous with this.

[Uncle Marv]
Well while you're getting ready let me tell everybody that you've been seeing me drink from this mug throughout the show. Our drink sponsor is SuperOps, and you saw the name there. SuperOps: streamline your MSP operations. The all-in-one platform for service desk, invoicing and project management. Boost your productivity and visibility with automated workflows and real-time insights. Deliver exceptional service and maximize profitability. SuperOps: elevate your MSP.

So they are a proud partner of the podcast here. They are the drink sponsor. They are also the sponsor of this segment the Florida Man and MacKenzie was not quite ready so I will ask you the question.

Do you have a story to challenge Florida Man or would you like to answer a random question?

[MacKenzie Brown]
I mean I was just I was just saying this earlier is I'm in Idaho and many of the cops episodes are based here and yet and I have a great Florida Man thing but if I talk about it probably everyone will figure out where I live. That's not already public knowledge. So I'm going to go with the question which terrifies me.

This feels like truth or dare.

[Uncle Marv]
Not truth or dare.

[MacKenzie Brown]
I'll just say dare if I don't like the question.

[Uncle Marv]
All right here is the question my random question generator and this is this is how random it is. What is your favorite piece of clothing that you own?

[MacKenzie Brown]
That seems my favorite. Yes. I'm going to sound like a basic bitch here but I mean like my Vuori and Lululemon leggings.

Okay so there's this thing they're called leggings.

[Uncle Marv]
I know what leggings are but I didn't hear the first.

[MacKenzie Brown]
Well you like work out in them.

[Uncle Marv]
Okay.

[MacKenzie Brown]
But most of the time it is post COVID world where I can wear a button-up and a blazer but no it's like party down below. No one knows I am not wearing professional pants. I'm simply just wearing leggings.

That's my favorite clothing. I fly in them. I drive in them.

I walk around town in them. I've got a whole drawer filled with just black Lululemon leggings. All right psychotics.

[Uncle Marv]
So are those the ones where you wear like the long sweaters overneath or the long shirts overneath and then you don't even have to you can wear like crop top.

[MacKenzie Brown]
You can wear like a sweater. You can wear anything. I mean if there are women listening to this podcast which Marv I don't know what your demographic is.

[Uncle Marv]
There are.

[MacKenzie Brown]
Then they will know the sanctity of a good legging. But yes in the wintertime like I snowboard too and I wear them under my snowboard pants. I mean there's you can't it's a whole season.

[Uncle Marv]
Are they thick? They're not like the cheap workout leggings right?

[MacKenzie Brown]
No, no, no. So Vuori is like a better brand. This isn't a plug but I'm gladly do sponsorship for them if they're listening which would be random but Lululemon is a little bit thinner.

[Uncle Marv]
Can you buy them on Amazon?

[MacKenzie Brown]
No, no you have to buy them from a store. Although there are some on Amazon that aren't bad but yes leggings 100% and I challenge the first MSP to wear leggings to come up to me at a conference wearing leggings and I will buy you dinner.

[Uncle Marv]
What? All right.

[MacKenzie Brown]
Probably going to regret that part but.

[Uncle Marv]
Do they have to see you in person or do they have to reach out to you?

[MacKenzie Brown]
Oh no they have to show up at a major conference in leggings.

[Uncle Marv]
So what's your conference schedule the rest of the year?

[MacKenzie Brown]
I think I have a weird mortgage one I got to go to and then I'm going over to IT Nation. I think that's the next like big one.

[Uncle Marv]
IT Nation in November.

[MacKenzie Brown]
Yeah.

[Uncle Marv]
All right.

[MacKenzie Brown]
I'll be more specific on when I'm there but or Black Hat but okay it's Vegas so I don't feel like Vegas is an appropriate location to do a dare. Yeah.

[Uncle Marv]
All right. So I should run across to you at IT Nation. Will you be at DattoCon?

[MacKenzie Brown]
Which one?

[Uncle Marv]
The one down in Miami.

[MacKenzie Brown]
Oh actually I think I am going to be. I think I will be at that one.

[Uncle Marv]
IT Nation and DattoCon are like ones right after the other.

[MacKenzie Brown]
Yeah. I mean we kind of pulled away. We did all the DattoCon last year.

I will say my favorite one was Australia. Not just because it's Australia but the audience the people there they're just so eager and awesome. But yeah I think I'll be at the Miami one.

[Uncle Marv]
Okay. So if you go to DattoCon you can go there and then you can drive up to Fort Lauderdale. Visit me here.

We do a show and then go on up to Orlando.

[MacKenzie Brown]
In leggings.

[Uncle Marv]
So I won't be in leggings.

[MacKenzie Brown]
Watch I'm going to bug my marketing people. I'll be like first off we won best swag. So take note for pens and we could do better but we should make Blackpoint leggings because that would be nice.

[Uncle Marv]
There you go. All right so here was the Florida man story that you would have gone up against. A Florida mother so not actually Florida man but a Florida mother named Jacqueline Goszczynski has been arrested and charged with child abuse for allegedly using an electric screwdriver to drive a nail into her 12-year-old daughter's buttocks.

[MacKenzie Brown]
What? That is terrifying.

[Uncle Marv]
This happened back on July 20th in Pinellas County which is on that coast.

[MacKenzie Brown]
You're like that's not where I'm at. Different coast.

[Uncle Marv]
According to the arrest report Goszczynski and her children were hanging pictures in their house. The exact circumstances leading into the shocking event are really not clear. Law enforcement took her into custody this past Friday the 26th and has raised serious concerns about child safety and the potential for abuse within family settings.

[MacKenzie Brown]
Oh my gosh Marv that's a Florida man story that's really dampening. Well you know how I play Florida man which is I thought you were going to play as you look up your birthday because it always changes and my Florida man that's the most recent was a little bit more Florida man cooked alive as after deputies tasers ignite fuel at a gas station. See I visually would much rather see that than a child in a staple gun being shown into the buttocks of a 12 year old.

I want to see a man on fire running through a gas station that's how I want to end my day.

[Uncle Marv]
Oh man. So on my birthday this year it happened this year a Florida man named David Jerome Jackson was arrested after being found hiding in a clothes dryer.

[MacKenzie Brown]
Is that R. Kelly's song Trapped in the Closet? Oh my gosh hiding in a clothes dryer.

[Uncle Marv]
Yes so folks I should also let you know head over to itbusinesspodcast.com click on the sponsor page not only can you check out NetAlly and SuperOps but TruGrid a partner as well this year. TruGrid was the travel partner for the ASCII Edge event that I was at last week so the recordings that you'll hear from ASCII will start with a TruGrid announcement. Check them out great secure remote access option for you.

That people that you know for people that need to get back to their desktops and servers with zero trust. So check them out and I do want to give a very special shout out to my listeners. It is happening you guys are supporting the show of course you can always go to the you know support the show page and give a donation through PayPal or become a patron but one of the easiest things you can do that is probably the most that you could do is if you shop on Amazon use the store link on the website start there as your home page and then everything you normally buy at Amazon no change to you no whatever Amazon takes care of providing a little commission back to the show that is fantastic. I'm actually going to do a video which might be an Amazon live and we'll start promoting some of the things that you guys are buying and give everybody some ideas on what to use tech wise when it comes to shopping on Amazon.

So I appreciate that. Thank you very much and MacKenzie thank you for coming on the show.

[MacKenzie Brown]
Thanks for having me. We'll have to do this again for sure.

[Uncle Marv]
We will. All right folks that's going to do it. Thank you all for tuning in.

And remember always head over to the website and find your favorite pod catcher because we do a lot more than these live shows. There are audio shows dropping all the time. So save us in your pod catcher.

Catch us when we're out there. And of course we'll see you out at the conferences and I'm going to be looking for these Vuori leggings to do it.

[MacKenzie Brown]
You won't be disappointed.

[Uncle Marv]
Go to the website. Not to be creepy but just to see what MacKenzie is talking about.

[MacKenzie Brown]
Start with like the men's joggers. Just start there. Promote yourself.

[Uncle Marv]
All right folks we'll see you out there. Take care and until next time. Holla!


MacKenzie Brown

VP of Adversary Pursuit Group

MacKenzie Brown oversees Blackpoint’s threat research and intel team, The Adversary Pursuit Group (APG), while also acting as a key thought-leader for the Blackpoint brand representing the overall product ecosystem and broader security vision among partners. Her background in incident response includes supporting global customers and navigating advanced adversary investigations as an incident manager at Microsoft. MacKenzie is an active advisory board member for the Idaho Women in Technology organization, and strives to bring transformation to the industry for a better tomorrow. During her time at Blackpoint, MacKenzie has been awarded CRN Channel Chief & listed on Women of the Channel list for 2023 and 2024.