In our new episode, in partnership with Barracuda MSP, PT welcomes Jimmy Hatzell, Marketing Director for Barracuda SKOUT Managed XDR, for a conversation for MSPs about how a Security Operations Center (SOC) can help protect their customers. As cyberthreats escalate in both volume and sophistication, SOCs can be a valuable asset. Jimmy shares advice on the value of SOCs, along with options for developing one or outsourcing.
Any and all resources we mentioned in the podcast can be found here. Looking for something not here? Contact us, we’d love to help you out.
SKOUT cybersecurity threat advisories: https://getskout.com/threat-advisories/
SmarterMSP blog site: www.smartermsp.com
Jimmy Hatzell is an IT expert-turned-channel marketing professional with hands-on experience in IT and cybersecurity. As Director of Marketing for Barracuda SKOUT Managed XDR, Jimmy uses his technical and marketing knowledge to build content and tools to help MSPs deliver cybersecurity-as-a-service. Prior to his time at SKOUT, Jimmy served as the CTO for a healthcare start-up and holds degrees in both Information Sciences and Cybersecurity from Penn State University.
Host John Pojeta’s bio: John researches new types of business and manages and initiates strategic, corporate-level relationships to expand exposure for The PT Services Group. John came to The PT Services Group in 2011. Before that, he owned and operated an Ameriprise Financial Services franchise for 16 years.
John Pojeta: Hi everyone. John Pojeta here with PT Services Group. Hope you’re doing well. And welcome back to another episode of the PT Buzz. And today we continue our series of conversations with Barracuda MSP and Jimmy Hatzell, and I dive into the arena of SOCs, so security operation centers. And first we take the side of looking at the value of early detection, but then also what the response to a detected threat should be.
And then we transitioned to more the marketing side of a SOC. So one, how do you make it? I guess, palatable to both clientele and prospects, where it’s something they can digest, understand and choose to implement. And then we also look at, do you develop or build your own SOC, or do you partner with an organization like Barracuda?
So great conversations. We continue to work through the process here with Barracuda MSP and hope you enjoy this. Jimmy, before we dive in, can you give everybody sort of that background, who you are, what you do role at Barracuda MSP and all that good stuff.
Jimmy Hatzell: Yeah, sure. John, absolutely. Before getting into any of that, I just want to thank you for having me on today.
Really, really grateful to be here. And, you know, I love talking about this stuff. So thanks for giving me a forum to do. Yeah, of course, but yeah, my, my, like you said, my name is Jimmy Hatzell. I’m the director of marketing for our SKOUT XDR product line here at Barracuda MSP. I actually came from SKOUT Cybersecurity. We were acquired by Barracuda a couple months ago and integrated into the MSP division. I’ve been in that role. I was at SKOUT for three years prior to that position running our marketing team. So I get to work with all of our MSP partners help market their services to their customers, and really help everyone understand our platform.
And you know, some of these complex buzzwords that we’re going to talk about today. Yeah. Good stuff.
John Pojeta: So one of the common threads that has come up through this series as we talk a little football before we get started. Okay. So I need to know which team you root for. Or you can pass if it’s the Patriots or anything to do with Tom Brady.
Jimmy Hatzell: So last night I had a very depressing night because my team is the Eagles and, you know, they lost to the Cowboys last night. I don’t know when this is being released, but
on a Tuesday after a Monday night football loss, which is just horrible, and nobody likes losing to the Cowboys, but thankfully my college football team is Penn State and they’re ranked for right now, but by the time this podcast is released, I’m sure they’ll ruin that. So,
John Pojeta: Well, maybe unbeknownst to you, but we’re in Pittsburgh, PA and we are after a nice game against Buffalo, we are starting to drown ourselves in our own tears here.
It’s getting pretty ugly here. So I’m with you, I’m with you. So, so as we talked prior, Jimmy, one of the things I mentioned is we’re finding, we’re having some business owners, business decision makers, listening into the podcast. And typically we only tailor the conversations towards the MSP audience, but in talking about security, operations centers or SOCs, I’d like you to take a minute before we dive into some of the deeper for those that don’t have that background or experience.
Yeah, I have a little bit about what it is, how it functions, where it fits in before we get into the commentary.
Jimmy Hatzell: Sure, John. You know, I’m laughing a little bit to myself because my significant other is in the next room. And she is literally working on packaging up socks, and I’m in this room and working on packaging up SOCs, and she works for a fashion wholesaler company in package design for socks, pretty company that packages up SOCs that MSP.
Can you use to help protect our customers? So the SOCs that I’m working on are completely different. And basically what that is SOC is a security operation center and, and it’s. Like you know, when you, when you watch like CSI or, you know, a SVU or whatever, they always walk into this room that has like TVs everywhere.
Has these maps that just like light up with like threats and stuff that. And that’s what we have. Okay.
John Pojeta: No, that’s a great analogy to kind of frame it for people to think about. That makes sense.
Jimmy Hatzell: Yeah. Like I go there and, you know, I get to, I’m not cleared to work in the SOC like extra clearance. So I have like my badge, and I scan in and like at a certain point, like the doors stopped letting these scan and like, I have to be like escorted and signed in.
But what it is, is a center, you know, for security operations. And we have a team on a set of technology and products that we use to help protect small businesses and help IT providers protect small businesses in addition. So it’s really like the 911 call center and dispatcher for cyber secure.
John Pojeta: Okay. So let’s start in a little bit of the early phase. Let’s talk about the detection phase as a beginning. Obviously cyber-attacks there, there’s more of them in terms of volume. They’re getting more creative or they’re diversifying if you will, their approach to it and becoming much more sophisticated.
So if we think back years ago, we would get those emails. They were. Sketchy English at best at times, those kinds of things. And they’ve gotten very sophisticated as we look at it today. So how does a SOC that, that an MSP implements for a client help when it comes to the detection side of cyber-attacks?
Jimmy Hatzell: Yeah. You know, you bring up a great point. Like the cyber landscape has clearly changed where before people in small businesses didn’t really think cyber would be a problem for them. Now, everyone is. Developing that fear because it’s happening to people. Everyone’s most people have experienced that, that email sent from them that wasn’t supposed to be sent from them or a ransomware or something like that.
And it’s starting to become really real. With the security operation center, we use a set of products that, you know, some of its proprietary software that we build and so on, but it’s just using products that different security products and managing and monitoring them. But, but it’s not, it’s not so much.
Totally like you do your best for prevention for prevention, but even the like people with seemingly unlimited budget, like the U.S. government or governments around the world or Fortune 500 companies. They’re all getting hacked as well. So we know that this isn’t a problem that we can fix with money and make, you know, make an organization and penetrate.
So it sort of changed from, if not if not now, when, you know, it’s, how fast can we detect a cyber problem in an organization. If you go and look at, like, the Verizon breach report of the past couple of years, they’ll always have a statistic, the average time to detect a cyber threat, and it’s usually just shy of a year.
It’s in the 260 range, 230 range. I think it was the best it’s been. And that’s how long attackers sit inside of a network before they actually execute their attack. So contrary to popular belief, people think someone gets their password, they go in and take their stuff. It’s not actually what happens in most cases.
They’ll get in, look around, they’ll provision themselves some of their own credentials. They’ll set themselves up, try to get other accounts. And then they’ll attack one big thing at once. So with the security operation center and the, the technology that we use, we can detect that, not in, you know, matter of hundreds of days, but hundreds of seconds and take that response time down.
That’s really the big difference between an attack being, you know, something that gets written on a report that, you know, maybe the board sees maybe they don’t and that’s sort of the end of it or this big public problem. That’s on the news and, you know, lots of reporting and money spent and insurance claims and all of that.
So it’s really all about the time to detect a threat.
John Pojeta: Yeah. So what you’re describing there, you’re basically saying if the detection has that type of speed to it, the year later really doesn’t matter because they no longer have access. Is that what you’re describing?
Jimmy Hatzell: Yeah, absolutely. It’s important to catch people right
when they get it and, or right when they start acting and you know, it’s not so much like the philosophy of let’s just protect everything. And then nobody will get it and doesn’t, it doesn’t actually work in practice. So you do that anyway, and you try to not like, get anyone to get in, but need a way to figure out if you have a cyber problem.
And we are that way to figure it out.
John Pojeta: Yeah, no, it makes sense. And what you’re describing. Yeah. Sort of that, that, that news side of things and all the drama that can go with it and all the pain that comes along with that process. If we put in for some MSPs who are helping more small to mid-size companies, they could actually totally cripple that size company.
It may not hit the news in a, in a big way, but it could put that company in theory, out of business, or really cripple them or set them back for a long period of time to.
Jimmy Hatzell: Absolutely. I mean, you know, people, when they quantify, when they try to quantify this to dollars, they’ll think, oh, my shot, cyber insurance, my blah, blah, blah, blah, blah.
But if you’re an IT provider and all of your clients get hacked, that’s reputation and in a world where your reputation is everything, you know, your, your attention is a commodity and people want to know they want you to be that trusted advisor. And have being well secured and being able to check these things, not let them turn into a massive problem is it’s protecting the economy really because it’s people can go out of business and it’s happening.
Unfortunately more often than I would like to.
John Pojeta: Sure, sure. W one of the things you’ve mentioned in sort of been a theme as we’ve gone through the series of podcasts here is to think when not if, and you already brought that out to the surface. So, so let’s talk it through from. We it’s been detected. So it’s been confirmed by the MSP that it’s played out.
What are some of the things that you think should happen or do you see MSPs doing to contain it as best as possible and minimize damage?
Jimmy Hatzell: Yeah, great question. I think like for us, it would be, or for, for, for, for me, it’d be easiest to probably just walk through what happens. If we detect something so w with what’ll happen is, we’ll have an alert come in and it might be something like Say someone created a forwarding rule in an end-user mailbox.
And that forwarding rule is to an external source. That’s something that we look out for and alert for. So we have that alert. It goes to an analyst, they review it and then they’ll create the ticket, hand it over to the MSP. We’ll get a hold of them immediately, immediately call them up and we’ll open up Zoom bridge, whatever it is.
And say you know, was this supposed to happen? You know, this is from St. Petersburg. Do you have any clients who are in St. Petersburg right now? You know, and, and maybe in some cases they acquire a company just got bought by a Russian company and they you know, they’re setting up the email forwarding to the new domain, but the more likely scenario is someone found credentials on the dark web and is logged in to their mailbox.
So then we’ll actually send containment instructions right then and there. They have the ability to reset the password right from their dashboard, but we’ll also set up a Zoom bridge with the clients and we’ll assign an incident response analyst and a senior analyst to that as well. And we’ll all get on with the MSP, the IT provider.
And talk through it, answering questions. They have helped them get through containment do some investigating. So say we, we find out that it was from that one IP address. Let’s look in our data, our data lake, and see if that IP address has been anywhere else. Oh, let’s see. Oh, they were trying to log
into Active Directory, you know, five minutes ago as well. So let’s look at that and we’ll actually go through everything until it’s contained. We’ll write up a report of everything that happened, and we’ll provide that to the MSP, and they can present that to their end client or any insurance companies or any regulatory agencies that need to see exactly what happened.
So it’s not like a, just forwarded over, Hey, this is happening. It’s, let’s get on together and figure this out and, and. Listen, John, everyone says that they have an incident response plan. They all say that, you know, they have it. Everyone has to have it, right. They have to have some sort of compliance, but in real life situations, when it’s your business reputation, it’s your life’s work at stake.
It’s all of your money at stake. Those things get thrown out the window and people stop acting rationally and they just start doing things. So having someone who’s been through this process, hundreds and hundreds of times there to help you along the way and advise you and make the right moves and call people in the right order and do the right thing and not get yourself into trouble is so, so.
John Pojeta: Yeah. And it’s interesting that you describe it and that reality of, Hey, everybody thinks they’re ready for the event, but when it actually plays out, they’re really not. So one of the things I’ve shared with people over the years is so in 2009, my wife and I had a house fire and. Mentally, we, you know, you go through insurance side, you check the boxes, we had four kids at home at the time you go through what would happen and it happens and it’s disarray, it’s utter disarray.
And so what you’re describing is the reality of how people will respond versus how they would intend to respond. And they don’t they don’t clearly line up. So. So let’s take this now from a standpoint of MSPs working with not clients, but I get, well, I guess we could say clients too, but really in the prospecting side it becomes a different layer.
So as they engage, they’re trying to come up with a way to. Provide to the prospects away for them to digest the information and not get bound up or caught up in the analytical side and, and the, the microside and share it in a way that it can be digested, but also process where the prospect understands the value in that.
Talk to me a little bit about from a, a marketing and an engagement standpoint, how MSPs are promoting SOCs and actually getting through some of those barriers to get them into.
Jimmy Hatzell: Yeah. Great. Great question. And you’re spot on, like if you go in leading with, you know, this SOC is this speeds and feeds, blah, blah, blah, blah.
Nobody’s going to understand what you’re saying then they’re, they’re stuck on site. They think you’re talking about, you know the things that go on your feet, so you really need to back up and, and it, it mean to have a conversation about risk and a business discussion because. Cybersecurity is not actually an IT problem.
It is, you know, we, we throw IT solutions at it. And we, as IT providers, are the ones solving this problem, but it’s really a business problem that needs to be treated as such. So the same way, all MSPs are trying to level up their business model and move away from that. You know you know, I fix it approach and call me if something’s broken approach to I’m here to help you consult on your business and solve your IT needs in a way that streamlines things increases your revenue, lowers your operational costs.
Cyber security needs to be the same discussion. It’s about risks. So we always advise our partners, and we actually train them on a sales process to do so to do this. But but talk to the annual. And figure out what information and systems you’re actually trying to protect. Nine out of 10 times someone I’d actually say 99 out of a hundred times, someone will come in before asking any questions and say, listen, we need to get you this endpoint protection.
We need to get you this email protection. You need to get you this. We need to get you that without asking what, what, what they actually care. Yeah. So if someone doesn’t actually, you know, verbalize where they care about protecting how you are telling them how to protect it doesn’t make any sense. And we found that people will go in, we’ll go into healthcare providers and, you know, you might think, oh, they want to protect their, their you know, electronic medical record system, or they may want to protect their patients’ Social Security numbers and employee data, and sure.
Yeah. They care about protecting all of that stuff. But what they really care about protecting will cause the most damage to their business is this research that they’re about to publish. That is, you know, like that leaked out all the revenue for the next 10 years would be gone. You know, and without asking these questions and having this discussion, you’re not going to be able to pull that out and give them a reason on why they need to invest in cybersecurity because in their head, they don’t know, you need to start from the.
John Pojeta: There’s two fascinating points you brought out there. One is the, it, it gets amplified in this space because those that work inside of an MSP are technical driven. And so it’s easy for them to go to that side of understanding the micro and the macro, but. It leads them then to what you’re saying is really getting into presentation mode sometimes right out of the gate.
Hi, how you doing? Here’s how we can help, but they’ll also frequently, they’ll take an off-ramp too early. They’ll start asking some basic questions. The prospect will give them something that they want to they, they, they latch onto it quickly because it’s something for them to easily get into. Here’s how we can.
And what you’re describing is what they gave. You might not even be the root problem or opportunity when it comes to the services they provide. So a big piece, big piece, no doubt.
Jimmy Hatzell: At 90% on discovery, at least if you’re having a meeting, we also like one thing we also help people do. And like you said, a lot more technical sellers we’ve created this scoring system for cyber health.
And cyber hygiene really. And, and it’s like basic discovery questions. You should ask me. We have like the top 15 of them have like, you know, what are you doing for backup? What are you doing for email protection? You know, and there’s like different categories and you can sort of rate this. It takes like five minutes, and I’ll actually generate a risk score and categorize it as a high, medium or low.
And, and that’s something that business owners can really digest, but it’s also good for testing. Sellers, because it’s very prescriptive. Here are the questions you were asked asking, and then, you know, it’s, it’s quantitative as well.
John Pojeta: Sure. And they’re not as comfortable in that sales environment usually.
So that helps them sort of force the questions upon the prospect to some degree. But the other thing is it probably also naturally brings up other questions based on the answers they give, give them opportunity to explore further regardless of the scoring side, but they can take things deeper than.
Jimmy Hatzell: Yeah. It’s like, I’m like, we need to be like the doctor in this scenario. Like the first conversations that someone has, or the referral is like the friend that is telling someone to go to the doctor, like, Hey, listen, like, like even little bit and your knees not looking so good. And I really think you should get a, look it, and then we go in, like, we’re in the lab coat, we’ve got the clipboard, like, okay.
You know, W what’s your diet look like? What’s your exercise? How much you walking? Does it hurt when I do this is everyone. I do that. And that, you know, those questions like pat, you know, how you feel, you know, I know how I feel when the doctor starts asking these questions like, oh, wait, am I not walking enough?
Am I eating right? Am I doing this? And it’s important to go through that process before, you know, writing the prescription.
John Pojeta: Yeah. And I think one of the things that’s, that’s also real there to understand is we’re all guilty of not always being completely honest with our doctor. Is there a certain things that make us uncomfortable?
There are prospects, even though you go through those questions, they’re not going to be completely honest with you and you got to kind of take it with a grain of salt and dive deeper, get you to more of that honesty, which helps a lot. So, so true
Jimmy Hatzell: human
John Pojeta: nature. Yeah, it is. It is. It’s natural. So I asked you the question before about response of a SOC.
So they did, they detect it, and they respond, and I attended intentionally or not, but you start positioning from your Barracuda side of, okay, we get this, we go back to the MSP, they take it to the company. That is what I would think of in terms of outsourcing a SOC. So the, the MSP in the field is outsourced your services and off they go talk a little bit about outsourcing insourcing and some of the reasons you go either direction or some of the things.
And MSP should think about before they actually go into deciding or decision phase of in-source.
Jimmy Hatzell: Yeah. Great, great question. And you know, like you can call me cliche for this one, but I really don’t like to think of it as outsourcing because it kind of gets you on perspective of what it is it’s really partnering and, you know, We’re in the biggest cybersecurity talent shortage that has ever happened before.
And it’s one of the biggest talent shortages of any industry. It’s going to continue to get worse. Organizations are looking for people with 10, 15 years’ experience, and we didn’t have enough people enter the workforce 10, 15 years ago. It just hasn’t happened. The attack surface is getting bigger.
It costs a lot of money to build a security operation center and have people with that much experience working 24 hours a day, seven days a week. I mean, we’re responding to things on Christmas Eve you know, every single year, because that’s when the hackers are out and that’s when they’re attacking.
So I think. Larger MSPs who can afford a large capital expenditure without an, a clear ROI for you know, 12 to 24 months first, like before really getting any significant revenue or it’s starting to pay for it. It’s probably not going to make a lot of sense to do this in-house. And the reason for that is because of the sheer amount of manpower and expertise, technical expertise that it takes to monitor security environments 24/7.
Now I’m not saying you need to partner with us right away. It’s important to have a place that you can go to or number you can call. Like, I like, I like to just simplify it as that, like I talked about us being the 911 for cybersecurity, your, you know, your emergency dispatcher, you really need that in your organization.
And someone with that experience. So like, I think it makes sense for organizations of all sizes especially IT, because IT providers are really needing to become cyber first, just the way the market has moved unless you’re really, really big and you want to make one in house it definitely makes sense to find a security partner and you should ask them, you know, questions like you know, how are your, how is your team certified?
What technologies are you using? What happens when an incident happens? Can I talk to another MSP that’s working with you? What’s your interaction with my end users? Do you sell direct as well? Things like that to really dig in and find the partnership that works most, and you should.
Internally too. So every IT provider period, like you should have a SOC monitoring your environment, like you’re working at it, it’s, it should it’s, you know, you should be testing the best security and you know, we know this, so go out and test a couple of them and see, you know, how it works and your interaction with them.
And when you find the right provider it’s important to find, you know, Like, it’s not just important to have the right technology, but someone who’s going to help you get your clients bought in as well.
John Pojeta: Yeah. One of the big things you mentioned in there that we find is very frequent. As we have conversations with MSPs that small to mid-sized space is most common.
One of the biggest roadblocks, a lot of them face is not wanting to be a 24 hour off. And what you’re describing is the value in, in SOC as a service, thinking of it that way as outsource that in an inappropriate fashion to, to help meet the needs of those companies that have the 24/7 side of requirements.
So they’re not immediately off. Your potential list of clients, if you want to think of it that way. But I think what you, what you brought up that’s equally important is how to start a conversation as an MSP with SOC as a service. So have that list of questions, more, the things that you really view as vital to know before you would consider engagement testing with them.
All of those things are, are, are truly important as they’re starting to evaluate different organizations that can provide them that service.
Jimmy Hatzell: Yeah, absolutely. And you know, it’s just part of regular due diligence at Barracuda. You know, our, our tagline is your journey secured and, you know, within SKOUT something that we’ve always said prior to working for our crew and you can see why it’s such a good match. You know, cybersecurity is a process, not a product.
So you can’t just have one product to solve all your cyber needs. It’s an ongoing thing. No, you should align to a framework and work towards it and should have cyber goals for six months, for nine months, for a year, for two years. And, and, you know, always have the direction that you’re going. And this is, this is just part of that next thing for, for many organizations.
John Pojeta: Yeah, you bet. So as we wind down here, I sort of made a list. I always try and give listeners sort of the, the bullet points of things that I have as a takeaway, because we want to try and always make sure you have a, Hey, we can talk for 25, 30 minutes, but there’s probably two or three things that really ring out for somebody.
So the, the few things I wrote down was, and again, we, we keep pushing down on this button, but treat it as a window. I love the commentary around it’s a risk and a business discussion. So how do you have that conversation and stay out of the technical aspect? You mentioned the cyber hygiene, checklists.
I think if they don’t have one, now they could certainly reach out to you on, on how to get those types of things. And then a great way to evaluate. I’ll say outsourcing, but pardon? Sorry. It’s ingrained in me, but partnering with, with a SOC that can provide SOC as a service and how to start a conversation there to really start determining if there’s a good fit and evaluating best fits for both parties.
So what else would you want to leave people with or what else really jumps out at you?
Jimmy Hatzell: I don’t know. I mean, you can probably just take over my job as a director of marketing at those points. No, I, I would just say like for the SMBs, they don’t have access to the same tools and protection that the Fortune 500 does or large, even, even like mid-market companies and MSP is.
Only solution. We have to protect those businesses and the SMBs are what holds up our entire economy. It provides the most jobs. It’s what makes our communities, our communities. And it’s sort of just up to like, like it or not, no matter what happens is up to the MSPs to step up here and, and provide that security and that guidance and, and stop people from going out of business.
So I think like there’s, there’s more than just. Let’s, you know, increase our revenue with cyber sort of aspect to this for the MSP community. Like you have an important job to do. And, and we, as, you know, a partner wants to be here to help you achieve that job.
John Pojeta: That’s great stuff. So why don’t we end where we started?
Who do the Eagles get next week?
Jimmy Hatzell: No, no. After last week I’m checked out, checked out after
John Pojeta: last night and the, and the suffering that occurred. Nah, it was bad. It was brutal. Yeah. Well, Jimmy, I can’t thank you enough for the time greatly. Appreciate you joining us and bestowing the wisdom and experience, and they’ll always be.
As somebody listens to the podcast, ways to engage directly with Jimmy, if you’d like to reach out to him and get some of the pieces that may help fill in the blanks for you. So thank you very much for the time, Jimmy.
Jimmy Hatzell: Yeah. Thank you.
John Pojeta: My pleasure. Good stuff. Well, thank you everybody for listening. And again.
As always feel free to go to PT Services Group, theptservicesgroup.com/buzz. Love to get any comments or thoughts that you have on my conversation today with Jimmy, you can listen to past podcasts that we’ve done there. And you can certainly give us some feedback on things you’d like to hear about in the future.
So thank you again as always for joining us and we’ll see you soon.