Episode 64: Wonderful Synergy
Erick and Rich discuss the five new products from ThreatLocker and what they say about the company’s future direction as well as avoiding the dangers of relying too heavily on a few big clients. Then Rich, flying solo for an interview recorded during Erick’s vacation, speaks with Sophos CEO Joe Levy about all things managed security. And finally, one last thing: why a lot more Americans than you might think are open to working for an AI boss.
Discussed in this episode:
ThreatLocker launches new solutions, further advances Zero Trust security resilience and adoption
Sophos and Pax8 Announce Strategic Partnership to Streamline Security Management
Information about Secure by Design
Information about Secure by Demand
What Americans Would Want In An AI Boss
Transcript:
Rich: [00:00:00] And three, two, one, blast off, ladies and gentlemen. Welcome to another episode of the MSP Chat podcast, your weekly visit with two talking heads, talking with you about the services, strategies, and success tips you need to make it big in managed services. My name is Rich Freeman. I am the chief analyst at Channel Mastered, the organization responsible for the show.
I am joined this week, as I am every week, by your other co-host, our chief strategist at Channel Mastered, Erick Simpson. Erick, how goes it?
Erick: It goes great, Rich. It goes great. How are you feeling? How are you holding up in your first whirlwind travel odyssey of the year in 2025?
Rich: A little glimpse behind the scenes for our audience here, for the regular listeners and viewers.
The last episode of this show that came out a week ago, when we recorded that, I was in a hotel room in Orlando attending a ThreatLocker event. And by golly, I’m still in that exact same hotel. It’s one, in real time, it’s been one day, but I’m still on that road trip, and it’s been a really interesting one. Unlike last week’s show, actually, our story of the week will be about ThreatLocker, so I actually can share some of what’s been going on at the show here.
Erick: Awesome. We’re looking forward to hearing all the juicy news that you have to share with us.
Rich: Let’s dive right in then, because just a few hours ago as we’re recording this, ThreatLocker unveiled the product news from this conference here. They actually introduced five new products, Erick.
They all build off the base, the foundation of what ThreatLocker does and has always done. They offer endpoint protection built around a philosophy of deny by default. And so what they will always emphasize for you is it’s allow listing, but it’s more than allow listing, because an allow listing product will, in some cases, what, you could put TeamViewer, for example, on the allow list.
And if an attacker weaponizes TeamViewer, the allow list security program isn’t going to do anything about it. ThreatLocker is really designed to deny everything by default. And they started out, it was very much a prevention, protection part of the NIST framework solution. No platform is perfect.
So they added EDR and MDR years back; they’ve now added these five new products. I won’t go into all of them, but I will flag three in particular. One of them is called ThreatLocker Patch Management. It does exactly what they say. That’s an interesting move on ThreatLocker’s part to get into something that the RMM makers do.
And then the other two particularly notable products, there’s one called ThreatLocker Web Control, which is basically DNS filtering, and another one called ThreatLocker Cloud Control, which is basically Microsoft 365 security. Now, ThreatLocker will tell you this is all still endpoint oriented, built around the one agent on the device, centralized input and telemetry and so on.
But particularly in the web control and the cloud control product, Erick, you can see them making the pivot that a lot of security companies are making right now into a little bit more of the user orientation versus a device orientation, as more and more of what businesses do happens in the cloud, and the device starts to take second place to that user identity.
We’re watching ThreatLocker move with them. Now the interesting thing about ThreatLocker, we’re familiar, we’ve spoken on this podcast before about this phenomenon in the security world of platformization. Companies like CrowdStrike, Palo Alto building these comprehensive end to end security platforms.
That’s not really where ThreatLocker is at. No, I, just a couple hours ago, I interviewed Danny Jenkins, the CEO of the company, and they will continue to add products and expand the capabilities of their portfolio as they see opportunities to extend this deny by default philosophy into other areas of security, but they’re still, compared to some of these big names in security, a relatively narrow,
or narrowly focused, security company. And this is even more true when you think about platform more broadly in terms of what companies like ConnectWise and Kaseya are doing, where they have lots and lots of different security functionality plus RMM, PSA, and this is all in response to the desire that we’ve talked about a bunch of times, Erick, on the part of MSPs and end users alike to get more of what they need in the IT world from fewer vendors.
And ThreatLocker is continuing to be this, uh, end or end point oriented, end point specialist security vendor. I will just tell you this, [00:05:00] Erick: that does not seem to be hurting them with MSPs. I don’t have an official number for you, but there are approximately 1,500 people attending this event here this week.
And that probably includes the ThreatLocker employees and the exhibitors and so on. But this is a pretty big event. And I, this is the first one of these shows I’ve attended. I’m told it was something more like 900 last year. So it’s big and it’s been getting bigger, and I’ve spoken to enough MSPs here to tell you they’re not just partners.
They’re not just users. They’re fans, and they tend to have a security oriented mindset and they very much appreciate the rigor that ThreatLocker brings to protecting the endpoint and now protecting those cloud workloads as well. And they are willing to accept some of the inconvenience and maybe even some of the greater expense that goes with having this additional vendor relationship on top of the other ones that they have, but they want to be sure that they are getting that security responsibility right for their clients.
Erick: Wow. So lots of product announcements, interesting news in terms of product roadmap, Rich. Does this feel to you like the table stakes are actually shifting, or more and more vendors forcing them to go into some of these other areas that traditionally have been relegated to RMM and other type of vendors?
It seems to me like we’re seeing more and more of this movement. Does that mean that the goalposts are moving and that the table stakes are shifting, forcing these vendors to adopt more or acquire more of these solutions to be competitive with MSPs?
Rich: I don’t think ThreatLocker is moving the goal posts necessarily for the industry.
A lot of that expansion, including, and the patch management piece of what they’re doing is a little bit different. You don’t necessarily hear that from as many security vendors, but certainly the DNS and the Microsoft 365 stuff. And, we saw Kaseya acquire SaaS Alerts to add some of that, those capabilities to, to, so that kind of a thing has been going on, and in a sense, we’re seeing ThreatLocker follow along with that trend where it makes sense for them while very much staying true to that orientation and philosophy of deny by default.
Erick: And that’s the firewalling 101, right? Shut everything down, do not allow anything through, and just allow the things that you’re absolutely certain are required, aligning with that deny by default philosophy. So I’m very familiar with that.
Rich: One last point on that too, because I’ve, like I said, I’ve been asking MSPs, what is it that you like?
Why are there 1,500 people here? What is it that inspires this kind of loyalty? And one of the things that they universally flag reminds me a lot, if you remember, of the kind of enthusiasm that Datto has long inspired because of the culture and the support. The support in particular that ThreatLocker provides is very impressive, apparently, to their MSP partners.
And it’s really intrinsically built into this deny by default model. If you do deny by default, then every time an end user wants to install a new printer, they’re not going to be able to do it, because it’s denied by default, which means that ThreatLocker has to be very responsive to allowing these things through, checking them out and approving them.
And I won’t go into the details, but they have this whole system in place, basically, where alarms go off in the customer support center if anyone is waiting in the support queue longer than 30 seconds, and if anyone waits 60 seconds, managers get involved, all hell breaks loose basically, and the MSPs here really appreciate that.
So it’s a theme that we’re both very familiar with in the vendor world. MSPs really want responsive, high quality support, and that’s part of the success formula at ThreatLocker too.
Erick: Yeah, it’s very impressive. And, when you think about the MSPs’ need to establish SLAs in response to issues that come up or problems with their client environment or business operations and things like that, we always say that your SLA cannot be better than your upstream provider’s SLA because you’re relying on them to support you.
In this case, sounds like ThreatLocker’s SLAs are much better than the typical MSP’s SLAs. So that’s encouraging.
Rich: Let’s move on to your tip of the week, Erick. And this is actually a very interesting topic to me. It’s one of those issues that you don’t even have to be an MSP necessarily to wrestle with this particular issue.
And I’m curious to hear your advice on how to deal with it. This has to do with over relying on a few big customers. And tell us about it.
Erick: Yeah, Rich. Exactly that. As MSPs, I think we’ve all experienced the scenario where we’ve [00:10:00] lost a big client, someone that represents a considerable percentage of our revenue, and how that has impacted our organization.
So this is all about not having too many of these big, giant ostrich, ostrich eggs in your basket of normal eggs. And, no, no allusion towards the cost of eggs in this tip of the week, Rich, it’s just about managing risk. And I think there are three things that we should be cognizant of as MSPs when we are looking at our, at our revenue and the distribution of that revenue across all of our clients.
So avoiding over reliance on just a few large clients. And I know for a lot of us, we’ve, we’ve experienced scenarios where we won that big deal and it’s changed our business, but boy, with that comes additional risks, because we need to diversify our client portfolio to help manage that risk, and especially, Rich, when we’re, you know, thinking about an exit strategy, an M&A scenario.
But one of the first things that buyers look at is the risk of having too much, too high of a percentage of our overall revenue distributed among very few clients, that is a risk for them as well. So acquire a mix of different size clients. And of course your minimum client size. There’s no guidance here that says they have to be very small.
I’m just saying that having too much of your revenue represented by too few clients is the risk here. So diversify that across smaller, medium size, and maybe one or two large clients, but keep an eye on that. Develop scalable service models so that you can support your standardized services across these clients, right?
So you’re developing these standardized services. Rich, I speak a lot on the program about bundling and patching, packaging your services so that you’re maintaining a high profit margin across these folks. And don’t get pigeonholed into supporting a large client because of the revenue that they represent in supporting
some of these very unique or outlier type of technologies, right? Sometimes we get trapped in saying yes to a client because of the revenue it represents, but boy, we’ve got to keep our team trained up or ramp them up on something that we’re typically not really delivering to any other clients of ourselves.
So that reduces our efficiency and profitability potentially, if we’re not careful about that. Then thirdly, make sure that we’re signing as long of term of agreements as we possibly can, no matter what size clients that we are serving. Even if we do have a high percentage of our revenue represented by a small number of clients, just make sure that we’re signing long term agreements, three years or more, if you can get them with these clients, and then have some,
some teeth in those agreements, meaning that if they decide to cancel early, then there are some penalties that help you recoup the cost of your investment in onboarding these large clients. Sometimes it takes a while to get to a point where you’re actually reaching your target margins with clients because of things that we may not have control over.
And I don’t want to get into a conversation, Rich, about how do we avoid that, because that is a whole separate tip of the week. Maybe we’ll pick that up in the future here, but just remember that the more that you can diversify your risk, the better for you, the better for your clients, right?
Because then, you don’t want to get into a situation where you’re negotiating on price to keep that client, further eroding your profit margin. And certainly it pays dividends when you’re at a point when you’re shopping your organization for an exit to try to get the highest offer for your,
for your organization, making sure that diversification reduces risk from a financial buyer’s perspective.
Rich: So is there a benchmark or a guideline for the folks in the audience? How few is too few? How do they know I am over reliant on too few clients? And I guess the follow up to that would be, if
they flunk that test, I assume the answer is get your sales and marketing engine going, sign up some more accounts so that it isn’t just three businesses or whatever it is supplying all your revenue.
Erick: A great question, Rich, and I start getting antsy when I start seeing north of 15 to 20 percent of total revenue being, being realized through a single digit percentage of clients, right?
Again, I think 20 percent is probably the ceiling for me. Certainly I know partners that have way larger percentage of their revenue being represented by more than [00:15:00] 20%. I know some partners that are, 40%, 50 percent of their revenue comes from a couple of large clients. And that gets really,
really risky.
Rich: Okay. Something to pay close attention to folks for sure. Now we’re going to take a quick break here. When we come back on the other side we’ll be doing our spotlight interview of the week. And we are very excited to have Joe Levy, the CEO of Sophos, a company I very briefly alluded to a little bit earlier on in the show.
He’s going to be joining us to talk a little bit about the managed security landscape. In particular, I will point out we recorded this interview while Erick was on vacation recently. So this was me flying solo with Joe, and you’ll hear what he and I spoke about when we come back on the other side of this break momentarily.
And welcome back to part two of the MSP Chat podcast, our spotlight interview segment, where I am very pleased to be joined by the CEO of Sophos. That is a position that he has occupied for a little bit under a year at this point, although he has been at Sophos for a long time. His name is Joe Levy. Joe, welcome to the show.
Joe: Hi, Rich. It’s great to join you.
Rich: So we’ve known each other for a while, and I’m going to guess almost everybody in our audience is familiar with Sophos, but just for those few people out there who are new to Sophos, and for anyone who is new to you, just tell folks a little bit about who you are and about what Sophos does.
Joe: Certainly. Thanks again for the opportunity to join you and your guests, Rich. My name is Joe Levy. As you mentioned, I’m the CEO of Sophos, recently stepped into the position. I’ve been with Sophos for about 10 years now, previously in the role of CTO, and I’ve been in the cyber security industry for longer than they have been calling it cyber security.
So Sophos, as a refresher, is a 40 year old cyber security vendor very well known for our endpoint protection technologies. And over the years, we’ve diversified to cover all of the critical cross domains of modern IT operating environments and deliver security technologies and services to them. So that includes network security, email security, cloud security, integrations with all of the investments that our customers have made across all of their other
IT assets, integrating it all into our XDR platform and then our MDR service, managed detection and response, which we’re now protecting over 28,000 customers globally with today. It’s one of the fastest growing areas in the cyber security market and certainly within the world, the history of Sophos. Great to talk with you more about that.
Rich: Yeah, absolutely. And that is the main kind of topic of conversation I want to get into, is MDR and maybe managed security more broadly, but I’ve got to take advantage of the opportunity. Anytime I’m speaking with the CEO of a significant cyber security company, I just want to get the view from the captain’s chair, your perspective, just on the security industry broadly right now in terms both of the business landscape and maybe the threat landscape.
Joe: The threat landscape never rests. It’s continuously evolving. This is why the industry needs to continuously evolve as well. We get to see a lot of really interesting firsthand insights within our MDR business. Historically, we’ve protected on the order of about 600,000 customers globally, but it’s really at that interface into the security operations of the businesses that we protect through our MDR service that, that we get all these great novel insights to the evolutions within the threat landscape.
Most recently, we’ve been seeing variations on combinations of mail bombing campaigns and the use of fraudulent IT helpdesk interactions that the threat actors are actively using and leveraging against many of their victims. This is a continuous kind of evolution. There’s the adaptation that we see within the threat landscape.
As we step up with capabilities of technologies, the threat actors have to adapt in order to stay in business, and that’s what’s driven this progressive need within the industry to move from just buying a technology and deploying it and maybe occasionally checking in to see how good of a job it’s doing, keeping you secure to these 24 by 7, 365 security operation mandates that most organizations are recognizing what they have today.
And I think it’s because of that, that the market has come to the point where it is now, where we’re recognizing the need for services like managed detection and response and for vendors to work really closely with partners through MSPs and MSSPs in order to be able to really effectively deliver these kinds of solutions to customers.
Rich: And so that the evolution, the complexity of the threat landscape and the inadequacy of older techniques where you install and monitor infrequently. That’s what’s make because, [00:20:00] your MDR service is as you said one of the fastest growing, if not the fast growing, fastest growing parts of the business, but just industry wide, if you look at the different segments of security, there’s, high double digit growth going on in MDR right now.
So it’s that complex threat landscape and the inability of a typical MSP or IT department on its own, that’s driving that growth.
Joe: So there’s a couple of levels at which we see these kinds of constraints that are driving the growth of MDR. And I should say more broadly that it’s not just managed detection and response at the intersection of extended detection and response.
But we’re seeing that movement pervasively across the cybersecurity landscape today. Detection and response has become the new means by which we just do a better job with cyber security, and it crosses all of the domains. It’s not just the end point. It’s not just the network, but it’s cloud. It’s identity.
It’s email, all of these primary pillars of modern IT environments. And there’s a couple of things that drive this wonderful synergy that exists between MDR coming from vendors such as Sophos and the growth of the MSP space. And that is, many MSPs have arrived at the same conclusion themselves, that in order to do a better job for their customers.
And ultimately, this is what we’re all in this business for, so that we can do a better job delivering protection. Many MSPs have recognized that they would love to be able to do MDR on their own, and some of them have undertaken it, but they quickly realize that it’s difficult to staff for 24 by 7 by 365 for shift work
across all of the geographies and across the diversity of technologies that they need to be able to maintain for their customers, and they’ve learned pretty quickly that it’s a good idea to partner with a larger vendor like Sophos, who’s made this investment into this global capability with over 500 analysts that are now driving our MDR service in our combination with SecureWorks,
to be able to keep our customers secure. So it’s that economic factor, really. It’s that we, number one, we realized that we needed to do a better job than just throwing technology over the wall and then hoping for the best. We needed to provide the actual security operation capability.
And then the MSPs themselves recognizing that they themselves might not be able to effectively, efficiently, profitably scale that business on their own. So to have the opportunity to work with a vendor like Sophos. It’s transformational for many of them.
Rich: Yeah I’ve long had the idea, in my head, every year new research data comes out about the skills gap in the security world.
How many more security professionals the world needs to deal with the threats out there right now. And, I see those numbers every year and think to myself, that’s tailwind for managed security. Because, even if you have the sophistication, maybe, to take some of that function in-house, just finding the people and affording the people,
it’s going to be impractical for a lot of companies and IT partners out there.
Joe: That’s right. There’s way more demand than there is supply for skilled cybersecurity operators today. So that’s one economic factor. Another economic factor that’s pretty important to consider is this notion of the cyber security poverty line that we’ve been talking about in the industry for a little over a decade now, a term originally coined by Wendy Nather.
And I’ve been fortunate enough to join Wendy on some webinars, being able to discuss the topic with her directly. And basically what that states is that there are economic constraints that prevent organizations from doing everything that they need to in order to run a good cyber security operation, and it could be anything from falling victim to the fact that cyber security as an industry is a classic market for lemons.
It’s just, it’s difficult to understand what the most effective technology is and for a non expert in cybersecurity to be able to differentiate the claims of one vendor versus another. How does an organization go about determining what the best technology is going to be for them in their hands?
Because it’s at the interface between the technology and the operation of that technology that really begins to make a difference. So there’s one dimension where the cybersecurity poverty line works. Another one, of course, is strictly financial: does an organization have the budget necessary to make the investments in the right technologies to build up a security operations center,
to be able to develop a mature and a robust risk management strategy and framework whereby they can both measure their risk and then over time, continually drive that risk down? Many organizations are just poorly equipped to be able to do that kind of thing. So that’s why it’s incumbent upon the industry, the combination and the partnership between vendors like Sophos
and the MSP population, to be able to do a better job at that very thing for our customers.
Rich: Given some of the variables, the issues [00:25:00] that we’re talking about here, is there a particular kind of profile of the MSP that is most likely to benefit from MDR, most likely to need it in terms of size or maturity, revenue, et cetera, or is this really an across the board
requirement?
Joe: We see a pretty broad spectrum. And so I’ll begin at the higher end, the larger enterprise focused MSPs and MSSPs. What they’ve come to recognize is that they have a greater ability to serve a broader base of customers with a more diverse set of integrations and technologies when they partner with a vendor like Sophos for MDR.
We make it easier for them to augment their ability to reach and serve their customers. It allows them to provide stratified services where, for example, we can do tier one for them and then they could be the escalation path and they could provide more white glove services and more bespoke kind of security advisory engagements.
So for the larger MSPs and MSSPs, it allows for greater scale, greater differentiation and economies of scale. For the smaller MSPs, I’ve had some conversations with our MSPs, and we’re fortunate. We have a global network of about 7000 MSPs that we work with today. And they are some of the fastest
growing segments of our channel and of our business worldwide. And we’re really grateful for these relationships and I hope to continue to cultivate them and build more of them. I’ve had some of these MSPs actually say to me, your MDR service has been life changing for us, like those very words, which are
pretty profound when you think about it. And what they mean, like when I dig into that a little bit, what they mean is that they recognized very early on that they needed to do a better job for their customers, that it wasn’t just a matter of let’s sell them with technology and let’s occasionally check in with it, but that they needed to provide them 24 7 365 security operation capabilities. Many of them explored building that themselves and they quickly realized that there’s just a lot of capital investment requirement in order to be able to do that sort of thing, whether it’s the staffing, the training, the retention. We’re in a competitive market, as you pointed out.
So salaries are sometimes out of the reach of some of these organizations at scale. And then just building the technology platform themselves to be able to do it and then integrate with everything. It’s a pretty daunting task. So when we built MDR, we did it intentionally and from the very, very start for partnership with our MSPs and our global partner community with a really good understanding of what they needed to do in order to meet these needs for their customers, to be able to allow them to be more competitive because the MSP space itself is a very competitive space and then to be able to continue to grow and then maybe even grow into these sort of specialized services that we were talking about a little bit earlier.
Yeah, the short answer to the question, Rich, is I think MSPs of all sizes could actually benefit from these kinds of relationships with vendors like Sophos.
Rich: You know, one reason MDR is growing so fast for Sophos, growing so fast in the industry, is that the, the installed base of MDR subscriptions, if you will, is relatively small relative to antivirus, email security, EDR. Is there any pattern at all to the companies that are not
doing MDR so far? And, is there just an awareness issue? Is it, is it really just a matter of helping people understand the value proposition, or is there any kind of misconception out there about, do I, or do I not actually need to do MDR on top of what I’m doing today? What can you tell me about the people who haven’t gone that direction yet?
Joe: From the perspective of the MSPs and the MSPs, I think they’re,
for the most part, they’ve already arrived at the conclusion that they need to provide some kind of an MDR offering, whether it’s what they provide on their own, through a partnership with a vendor like Sophos, or some combination of the two of them. For cybersecurity vendors, I think some of us figured it out earlier than others that, in order to really make a difference in cybersecurity outcomes, we cannot have this sole dependency or this split responsibility model
between the vendors and the customer, the vendor and the partner. We need to have this more tightly coupled shared responsibility model where the vendor has more skin in the game and we provide not just the technology, but the operation of the technology. You could see the skin in the game manifest itself with such things
as the million dollar warranty that we have on our MDR offering. For example, we take this stuff pretty seriously and I think more and more cyber security vendors are beginning to realize this. Now, one does not just casually wander into [00:30:00] doing an MDR service. It took us a couple of years to design this.
And one of the things that we were primarily concerned about in the design was, number one, can we do this scalably, efficiently and profitably? Of course. But number two, and just as importantly, can we do this in such a way that it doesn’t introduce conflict with our channel? And we spent a lot of time talking with our channel partners to give them an understanding of what we were intending, taking their feedback in the design of the program itself, and then we just continue to iterate on it so that this is something that is complementary to our channel partners and our MSPs, allows them to grow and scale and thrive,
rather than something that they would view as being competitive.
Rich: I’m going to set you up with a potentially self serving question here, but I am curious to hear your thoughts. To the extent that most MSPs either have or know they need an MDR service, from your perspective, from a Sophos perspective, what are the things they should be looking at if they’re in the phase of evaluating their options, or if they’re even just rethinking the service they’re using now? What are the things you think they should be looking at?
Joe: So many dimensions that this should be measured on.
So number one is ease of doing business. When MSPs are choosing the vendors to align themselves with, they have to ensure that there is just a complementary business model, that they’re easy to do business with, easy to onboard, that provide them really reliable base of operation, provide them profitability, scalability.
These are all the fundamentals of how do you choose a vendor. Of course, these are critically important. But then within the MDR space itself, not all MDR vendors are created equal. And there is clear differentiation between some of the capabilities and competencies and scalability of the different MDR solutions that are out there today.
One of the most critical elements of MDR is just ensuring that there is a sufficiency of interfacing with all of the other investments that the MSPs are going to find in the diverse base of customers that they’re serving. Most customers probably have some kind of a Microsoft footprint, so it’s obvious that there needs to be really good integration with Microsoft.
We’ve made very significant investments in ensuring that we’ve got tight integrations with all of the Microsoft security APIs that can benefit not just the E5 subscribers, but anyone who’s using any kind of a Microsoft endpoint solution, for example, or Azure solution. And then we’ve built a set of bespoke detections, and that
demonstrates clear value above and beyond what the customer is going to get from the Microsoft investment itself. And that, of course, covers a very large base, but then you’ve got dozens of other vendors who are out there, and we just want to make sure that we’re doing a good job delivering the integrations and delivering the detection logic on top of those integrations to provide above and beyond benefit to whatever the incumbent investment might be.
So that’s one big differentiator that MSPs would need to look for. Another one is just the efficiency of operation. So many of our MSPs, they’ll co-manage MDR with us, which we think is a great model because we have a lot of MSPs who do run a SOC, but they run it five days a week, and it’s a nine to five kind of an operation.
And then they want to make sure that somebody’s got their back after hours, weekends, holidays, so that they can go live their lives. So we have a lot of these engagements where there’s this co-managed model with MDR and our MSPs love that it gives them the flexibility to deliver a security operation service to their customers during a set of business hours and then know that the customers are going to be kept secure by us outside of their operating hours.
So that’s a flexibility in the engagement model that we built at the very start with our MDR offering that our MSPs have really loved. I could go on, but, you know, clearly there’s multiple dimensions by which the MSP should be measuring it, and ultimately it just comes down to: how good of a job can we do for our customers when we partner with this vendor?
Rich: We’re talking about managed security. As it happens, we are recording this conversation within a week, maybe two weeks of Sophos officially closing its acquisition of SecureWorks. For folks out there in our audience, not familiar, maybe with SecureWorks or that acquisition, just tell them a little bit about who SecureWorks is, what they do, why you acquired that company and who will benefit from the fact that SecureWorks is now part of Sophos.
Joe: SecureWorks is one of the best known and trusted brands in the MSSP space. They’ve been at it for about 25 years, and over the past five years, say within their recent history, they’ve gone through this transformation where they’ve encoded all of the learnings that they accumulated in this time in their MSSP engagements, providing security services to their [00:35:00] enterprise customers.
And they built it into this platform called Taegis, and the Taegis platform is the basis for what I think is one of the best XDR experiences, extended detection response experiences, within the industry, but it’s also the basis for the delivery of the MDR service that SecureWorks has been providing. And they were a publicly traded company.
So their records are publicly available. They’ve since been delisted since we’ve taken them private, but there’s still a public record of that. They were about 300 million in revenues at the time that we acquired them. One of the most significant operators in the MDR space, and we think that the combination of the Taegis platform inside Sophos Central is going to provide one of the best XDR and MDR experiences that the market will have.
And there were a lot of other adjacent technologies that they built and security services through their advisory practice that they built from the course of the engagement with their customers over the years. Examples of that would be their vulnerability detection response offering, which we’re planning on integrating into our managed risk offering.
Another would be their iSensor, which is a network detection and response inline IPS. We’re gonna be converging this with our network traffic analyzer. And then they recently introduced an identity threat detection and response service, which came out of all of these advisory security engagements that they had been doing.
And they, what they do is they capture the learnings of those security engagements, advisory engagements. And then they just manifest them into a technology that allows for a much more repeatable and scalable delivery of that kind of engagement. We’re really excited about bringing these capabilities into Sophos Central.
As I mentioned, in some cases there is going to be an offering that existed in the Sophos portfolio and the SecureWorks portfolio, and we’re going to be bringing the best of the two together. We want to be able to do this in as non-interruptive a way as possible for our customers and our partners.
The first thing that I would do as I begin to preview some of this is I would say we practice a principle of first, do no harm in the way that we do our integrations, and it’s going to inform the way that we run the SecureWorks integration. We want it to be a continuous, non-disruptive, seamless process for our partners and our customers.
So things are going to be the same tomorrow as they were yesterday for the foreseeable future as we begin to bring these portfolios together. But over time, we are going to bring unified go to market motions and unified platform capabilities to market. All I could say is that we think there’s a wonderful combination and we believe that we’re going to be able to do a lot of benefit for the cybersecurity industry and for the partner community as a result.
Rich: So this is not a managed security question exactly, but it’s a question I had the opportunity to ask someone from Bitdefender last November. And I’ll ask you too, and get your perspective on it. There, there is a lot of excitement in the cyber world and the security industry about the power of AI to help defenders.
There’s a lot of anxiety about the power of AI to help attackers. Who’s benefiting more from AI so far and why?
Joe: So I would say at this point, the defenders have the upper hand in the application of AI to cyber defense. And we’ve been embedding AI in our technologies and our products for about seven or eight years now. We acquired a company called Invincea in the 2017 timeframe, and they had some of the best deep learning neural network architectures that we had ever seen designed for the purpose of classifying executables. That was the basis for what they brought over to us.
Since that time, we now have about 60 deep learning models in production. We’ve rolled out transformer architectures into our email security product offering to be able to do a much better job of detecting business email compromise, which is at its core a manipulation of language, and the transformer was just much more effective than any kind of ancestral technology at dealing with that sort of thing.
And then naturally, since the broad availability of generative pre-trained transformers and large language models, we’ve been integrating LLMs into our security operation practice. So our MDR analyst team, for example, they’re aided by large language models that help them to do things like deobfuscating obfuscated, encoded command lines, interpreting opaque PowerShell, being able to tie together various disparate events that are brought together within a case framework and then to construct a timeline and a narrative around those disparate events. So all of these are already aiding [00:40:00] our analysts, and we think that defenders are probably going to continue to have the upper hand.
Now, on the attacker side, we’ve definitely been seeing a professionalization of social engineering attacks, phishing attacks, everything within that domain. We really haven’t seen too many instances of vulnerability discovery being driven by an AI or construction of novel exploits or novel malware or anything of that sort.
Doesn’t mean that it’s not going to happen, but for the time being we believe that the defenders, certainly the defenders within the Sophos MDR practice, have a significant advantage through use of AI.
Rich: For the record, that’s pretty much what the guy from Bitdefender said as well. His explanation for why the defenders are benefiting more so far was a little depressing though, which was just basically that the oldest old-school attack techniques and threats are still so effective out there that the attackers don’t need to innovate. They don’t really need help from AI yet getting better at what they do. And so they’re ignoring it so far. It’s the defenders who really want to take advantage of the benefits they can get.
Joe: Very true. I’m very pragmatic. You’re right. A little depressing. But the other side of that coin is that there is a lot of opportunity for us to do a meaningfully better job at cybersecurity. If we could just help more organizations get better at the basics, get better at basic hygiene, understand what their attack surface looks like from the perspective of an attacker on the Internet, do things like ensure that they’re patching their systems on a more regular basis and just having a better understanding of what their footprint looks like to an attacker and whether they’re minimizing that footprint and reducing their overall attack surface.
Helping them to identify that more quickly and helping them to prioritize what they can do in order to remediate it. I think those are very significant things that the community could get better at doing. And it’s something that we’re certainly focused on particularly in partnership with our MSPs who we know that’s a central concern to also.
Rich: So as long as we’re talking about depressing and encouraging developments, you’ve been in security a long while. Let’s go back 10 years to when you joined Sophos. Over the course of the last decade, what has maybe discouraged you most about where we are now versus where you might’ve projected we would be 10 years ago, and what is maybe most exciting, encouraging to you about where we’ve gotten to 10 years down the road?
Joe: So to continue the theme of the last topic we were talking about, again, I wouldn’t call it discouraging, but you look at the amount of progress that we’ve made as an industry in very basic things like reducing these unforgivable vulnerabilities that exist in software, which are broadly exploited the fact that the industry hasn’t done a better job, just reducing really egregious kind of software defects.
That is alarming. Now, the good news there is that CISA, the Cybersecurity and Infrastructure Security Agency, has put a lot of effort into a program called Secure by Design and its counterpart Secure by Demand. And both of those are economic levers that I think are finally going to help move the industry forward when it comes to how tolerant we are of these unforgivable software vulnerabilities.
The moment we could actually get vendors to take the security of their software more seriously, and this broadly, all software, not just cyber security software, but as soon as we can start reducing these highly discoverable and easily exploited vulnerabilities, you begin to raise the cost for the attackers, and that’s something that I think we begin seeing traction with soon as a result of these initiatives, and may the investments and the capabilities and the benefits that we get from CISA continue for a long time to come.
So that’s one dimension of it. Another is just the fact that our IT systems become more complex, more interconnected all of the time. And insecurity lurks in these interconnections. If you do something very simple and you start to say, how did the data flow in and out of my business?
If you start thinking about how you do what you do, whatever business you happen to be in and begin to just map out the way that data flows, you quickly begin to realize that we live in a very highly interconnected and complex world. Our supply chains make it more difficult for us to understand data flows within our business.
We have to concern ourselves, not just with the security of our own systems, but our interconnected systems up and downstream within our supply chains. So the problem only becomes more complex over time because our IT systems become more interconnected and more complex. And that, that makes doing security harder.
And that just means that we need to have a better way to understand what does the surface look [00:45:00] like to an attacker, and the industry is starting to do a better job of that. Now, we believe that things like managed risk from our current offering and vulnerability detection response from SecureWorks, those are steps in the right direction.
But what we need to do is we need to make it even easier for organizations to understand what is the priority of things that they need to go fix? And how can we help them go fix it? So that’s one of the frustrating elements. The satisfying elements are just the evolution of thinking around how important Detection response capabilities are the fact that we’ve gotten past this idea that once you invest in a technology to protect you, that’s it, that’s all you need to do, and it’s going to take care of you forever.
It took a better part of a decade for us to get through that. And when I joined Sophos 10 years ago, it was probably just at the cusp of that transformation of thinking where we went from, we’re going to protect everything and everything is going to be perfect as long as you buy the most expensive firewall to actually, we need these really good combinations of technologies and services in order for us to be successful at this.
Rich: When you were talking moments ago about getting a complete view of the surface and understanding where the vulnerabilities are, et cetera, I immediately started thinking about attack surface management, which is a very hot category still in the security world right now. I don’t know if you folks do that or if there’s anything on the roadmap that’s something that you might want to get into?
Joe: Critically important.
Totally agree with you. Our managed risk offering is attack surface management. We partner with Tenable for the delivery of their Tenable One platform as a fully managed service. And again, this gets back to most organizations would love to have some sort of an ASM or a CAASM inside their operations to get this continuous view of what is their attack surface, internal, external, identity, all of the components. Many of them just don’t have the funding, they don’t have the skills, they recognize that it’s probably somewhat beyond their reach in order to both procure, deploy, operate, and continue to operate the technology. So we realized the opportunity there to make it a turnkey decision for customers and for partners to say, here’s a managed risk offering that will give you everything that you were hoping to be able to get out of this technology.
And you don’t need to worry about operating it. We’ll do the operation for you. We’ll do the prioritization. We’ll give you the reports that you need. We’ll tell you the steps that would be required to remediate your top three vulnerabilities. We can work with our partners to help you with the remediation.
It’s a really important step to fixing this like basic blocking and tackling hygiene problem that we keep coming back to.
Rich: So I want to circle back quickly. You mentioned Secure by Design and Secure by Demand earlier on there. And these are both from CISA. Secure by Design is basically a pledge that a vendor can take to embrace, I think it was like six or eight pretty basic security practices or controls in terms of how they code and deliver their solutions. Secure by Demand is more about the people on the purchasing side of these technologies, any kind of technology, insisting on, working as I understand it, insisting on working with vendors that have committed to creating secure products. To some extent, based on what you were saying before, that for the real change that needs to happen in the industry, the vendors outside the security realms, vendors in general, need to take security more seriously, for the folks in our audience, is Secure by Demand maybe the low-hanging fruit, the easiest way to apply some pressure to the vendors they work with to take this security issue more seriously?
Joe: Absolutely. I was so pleased when CISA rolled out initially Secure by Design and then the counterpart, Secure by Demand. You could look at it again on economic terms. Does supply create the demand or does demand create the supply? And the answer is a bit of both, of course, but we’ve had an abundant supply of cyber security technologies for a very long time.
And despite that, we have failed to see the effective practical application of it. So the supply itself didn’t solve the cyber security problem. When it comes to secure software, we could have vendors like Sophos, who were one of the first in the industry to sign the pledge. And I think there are a few hundred who have signed now.
You could have every software vendor in the world sign the pledge. But until there is that demand counterpart, until buyers start voting with their procurement dollars about which vendors they’re going to put their trust in, I don’t think we’re really going to see a big difference. It’s when you combine [00:50:00] the 2 parts of the equation together, and you get the supply side vendors who are really taking it seriously, really opting in, doing the right things and being transparent about it. The transparency and the auditability of it is absolutely critical. And then you couple that with the demand side where buyers start holding their vendors to account.
They start holding their partners to account, like, this software that you’ve chosen to bring into my environment to be my PSA or my RMM solution, for example, professional services automation, remote monitoring and management, which the MSP community will know very well. How seriously does that vendor take their software security?
And I’m not picking on any particular platform here, but if you think about the level of privilege and the level of access that MSPs bring into their customer environments when they’re installing these administrative tools that allow them to do what they do for their customers, it’s effectively the keys to the kingdom.
They have full administrative access to all of their endpoints, their cloud infrastructure, all of their firewalls. The MSP should be very concerned about how seriously their vendors are taking secure software design. Because ultimately they’re the interface to the customers and they’re the ones who are going to be primarily accountable for something going wrong. Especially for the MSP community, I think Secure by Design and Secure by Demand are really important, and they should be paying real close attention to the initiative and the advancements that it’s driving.
Rich: We will include links to both of those in the show notes for this episode so folks can check it out.
And I definitely encourage ’em to do that. So we are still relatively early in 2025 here right now. And I understand there’s only so much you can say on a podcast. But as you look down the road to the remainder of this year and where you and Sophos will be focused, what’s on the roadmap and so on, what can you preview for us that’s coming up?
Joe: So our focus is going to be on getting the integration of SecureWorks right. This is our highest priority right now. I’m just beginning to engage with SecureWorks customers and SecureWorks partners. I’m looking forward to doing a road show and going out and meeting as many of you as I possibly can. The first thing that we want to do is we want to ensure that we’re maintaining the trust that you placed in SecureWorks when you chose to do business with them in the first place.
So that’s my highest priority right now, then it’s a matter of getting the businesses integrated so that we can continue to do an exemplary job for our partner communities and continue to be the vendor that they consider one of the easiest to do business with. I want to make sure that this whole integration experience is something that all of our partners view as exceedingly valuable.
And then three, of course, is bringing the technologies together. And this is something that engineering teams on both sides. I’m, first of all, I’m delighted to say that there was just about the best imaginable cultural alignment between the two organizations, and when they got together in front of a whiteboard in Abingdon in the UK at our headquarters about a month ago, many of them just felt as if they had been working together for years already.
So we’re off to a very good start. And as many people know, one of the places where integrations and acquisitions sometimes go wrong is in cultural misalignment. I’m delighted to say that we have a very good cultural fit. And that’s going to enable us to drive this integration of the technologies and the platform together.
As I mentioned, I think Taegis is one of the best XDR experiences that I’ve seen. Anyone who has had the opportunity to work with it generally has the same opinion. And I’m very excited to be able to bring that Taegis experience to the entire Sophos customer base, and then to effectively replatform the delivery of our MDR service on the combination of Sophos Central, the Taegis platform, and then all of the other Sophos security tooling that we’re going to be able to bring as an option to the combined set of customers.
Rich: Okay, Joe Levy, CEO of Sophos, thank you very much for joining us on the show here. For anyone in the audience who wants to maybe get in touch with you, follow up on something that you’ve said, learn more about you, learn more about Sophos, where should they go?
Joe: www.sophos.com. Connect with us on LinkedIn, follow me on LinkedIn. And if you already have an account executive that you’re working with within Sophos, you can continue to work with them and we can help you get access to the entire SecureWorks portfolio as well.
Rich: Okay, very good. Joe, once again, thank you so much for joining us on the show.
Folks, we’re going to take a quick break here. When we come back on the other side, I will be rejoined by Erick. He and I will chat a little bit about this very interesting conversation with Joe [00:55:00] Levy, have a little fun, wrap up the show, stick around. And we’ll be right back.
All right. And welcome back to part three of this episode of the MSP chat podcast. And once again thanks very much to Joe Levy of Sophos for taking time out of a busy schedule to join us here on the show. Erick, I have a news update and a fun fact for you about that interview with Joe Levy.
I’ll start with the news update. I recorded that conversation with him two, three weeks ago while you were on vacation skiing in Park City, Utah, and as we’re recording this final little bit of the show right now, it’s actually just a few hours after Sophos announced that pretty much their entire product line is now available through the Pax8 marketplace.
So that’s actually kind of big news for them. They were obviously well aware of the fact this news was coming when Joe did that interview with me. They weren’t in a position to talk about it, but this morning, good timing on their part, they did send over the press release. I’ll very briefly read you a portion of Joe’s quote from the press release about this Pax8 announcement.
“MSPs want to align with vendors who are easy to work with, and this agreement will make it even easier for MSPs to work with Sophos, something we’ve long been committed to. With cybersecurity, speed and innovation are essential for defending against attackers. This partnership with Pax8 accelerates MSP access to critical cybersecurity tools.”
So big news for Sophos actually joining the Pax8 marketplace. I’m sure the Pax8 folks are pretty excited to have Sophos on the line card for their marketplace as well right now. That’s the news update. Let me give you the fun fact. So off the air, right before recording of that conversation, I’m chit chatting with Joe and with some of the PR folks.
And it was like, Hey, where are you zooming in from, Rich? I’m in my home office in Seattle. What about you, Joe? I’m in my home office as well, in Park City. Joe is probably like up the street from your Airbnb when you were out in Park City. You were right there in his hometown where he lives and works most of the time.
And it was like what are the odds actually of that?
Erick: Wow, two ships passing in the night without knowing of each other. We go to Park City every year, right? So maybe there’ll be an opportunity for me to buy Joe a beer next time I’m in the area and we can, expand our conversation.
Rich: All right. Folks, that leaves us with time for just one last thing on this episode of the show here. And surprise, it comes to us from the world of AI. A company called Full Stack Academy went out to a bunch of people and asked them a simple but interesting question. Would you someday be willing to work for an AI boss?
Would you be okay reporting into ChatGPT, essentially? And would you believe it, Erick? 65 percent, just shy of two thirds of the people they surveyed, said, Yeah, I’m open to the idea of having an AI boss. And some of the other data Fullstack Academy collected kind of hints at why people might be open to that idea.
65 percent of people surveyed think favoritism is the main human boss flaw that AI bosses could fix. And apparently people are so upset about human boss bias and misunderstanding and everything else that goes with working for an actual human being that 60 percent said they are open to the AI boss tracking everything they do if it means higher pay.
If it means higher pay. So two thirds, 65 percent my boss is going to be AI, fine. Even if that boss is watching me 24 7, as long as I get paid more, I’m good with that. And I’m even better with that because my AI boss, unlike my real boss, is not going to play favors.
Erick: It’s very interesting, Rich, how folks objectively feel, or subjectively feel, about this bias and this favoritism and all the office politics. Heck, I left the enterprise because I was tired of dealing with the internal politics of it. I had no idea that people would go so far, like 65 percent of respondents said, yeah, I’d consider that, right?
Yeah, let’s just hope that the, I know that they mentioned also in the article some of the avatars that they would consider being their AI boss, and I’ll read from the article: Barack Obama, Morgan Freeman, Ryan Reynolds top the list of celebrities and public figures Americans would choose as avatars for their AI boss.
Who’s missing from that list? Obviously, Rich, is Arnold Schwarzenegger, right? Because nobody really wants the Terminator to be your AI boss avatar, right?
Rich: Yeah. Yeah. I’ll say just from my perspective, that the [01:00:00] thing that gives me pause about reporting to an AI boss is, human or non-human, do I want a boss who hallucinates regularly? I’m not sure if that’s a great idea, but a lot of people don’t worry about it so much, apparently. Thank you, Full Stack Academy, for revealing that fact. And thank you, ladies and gentlemen, for joining us on this episode of the show. That’s all we’ve got for you this week.
We will be back again in one week’s time with another episode for you. Until then, we will just remind you, this is both a video and an audio podcast, which means that if you’re listening to us, but you’d like to check us out on video, go to YouTube, look up MSP chat. You’ll find us there. If you are watching us on YouTube, but you’re into audio podcasts too, go to Apple, Google, Spotify, wherever it is you get your podcasts.
You’ll also find us there. And wherever it is you find us, please subscribe, rate, review. It’s going to help other people find and enjoy the show just like you do. This show is produced by the great Russ Johns. It is edited by the great Riley Simpson. They’re part of the team with us here at Channel Mastered.
They would be happy to create a podcast for you. Podcasts are just a tiny part of what we do for our clients at Channel Mastered. If you want the big picture, go to www.channelmastered.com. Channel Mastered has a sister organization called MSP Mastered. That is Erick working one to one with MSPs to grow and optimize their business.
You can find out more about that organization at www.mspmastered.com. So once again, thank you so much for joining us. We’ll see you in a week. Until then, folks, please always remember you cannot spell channel without M S P.