Transcript – Managed browser and secure browser configurations is the doorway to the entire enterprise
Hello and welcome. I finally get to say something I've been waiting to say all year: welcome from snowy Minnesota. This time of year, believe it or not, it's our first real snowfall in Minnesota, on March 22nd, which is just wild to say. We're going to get about a foot to two feet between now and Sunday night, so my kids are happy they can go play in the snow, and they might get an extra day of spring break. Who doesn't love that as a kid, right?

Nice, nice. Yeah.

Tim, how's the weather out there in New York?

Oh, I mean, obviously I'm decked out here, you know. It was like 20 to 25 this morning, but windy, so pretty mean, and this building was built in 1921, so not the best.

Crazy. Yeah, no, welcome back. Thanks again for attending. Tim Golden is in sunny Hilton Head, South Carolina, playing golf with his buddy, so he is still out on the golf course. I don't think he'll be checking in.

What a jerk.

Yeah. Excited to have Mr. PA out, though: Senteon's Zach Kromkowski, where I'm sure the weather's a little better.

No snow out here, but I will say, from South Bend, Indiana, yeah, plenty of snow. My mom texted me, I think last week, that it was snowing, and I thought that season was over. So glad to be in California now.

Yeah, awesome. And why don't we just do full introductions. Henry, Mr. New Jersey, why don't you go first?

Yeah, I mean, it's a pleasure to be back on the show. Founder of Senteon... co-founder, sorry, Zach hates it when I say founder. Co-founder of Senteon. We do browser hardening, servers, workstations, for CIS benchmarks. Zach does his pitch a lot better than I do, but I guess I have my hands full with touching the settings every day and doing some dev work. I'm also enjoying... not enjoying... the one week of cold weather we have. I think, Tim, it's like cold this week, it's warm next week, and it was warm the week before, so perfect make-me-sick weather, which I always enjoy.

Yeah, another back and forth. No good, no good.
Zach, anything else to add? Yeah, give me the pitch, Zach, give us the real pitch.

Well, I mean, on the topic of weather too, CompTIA CCF in Chicago fortunately had the warm weather of that week, and I would have hated it if that was cold again, so good timing of the year for that. But yes, co-founder to Henry over at Senteon. I handle a lot more of the external, customer-facing onboarding, success, sales, marketing. If you see a post on LinkedIn, it is probably made by myself and then revised by my wife, who makes it pretty. But yeah, Henry, as he introduced, he is the hands-on-glass, understands these GPOs better than anyone I know. Absolutely incredible. And my job is to really introduce and educate on these settings, why they're important, and ultimately introduce how Senteon is able to remediate and standardize about a thousand different security settings across workstations, servers and browsers, all to CIS standards.

Nice. I'll go next. So yeah, Jesse Miller, founder of PowerPSA Consulting. We help MSPs scale security programs and do it profitably. Tim?

Awesome. So, Tim Schner, Inquisitive IT, New York City. Privacy consultant. We also do a little MSP work, a little bit of Google focus, some Microsoft clients as well. But on the topic today of browser security and why it matters so much, I'll start. Like I said, Jesse knows this, but I'm a big fan of the Google Workspace suite, formerly G Suite, and many things there are very browser-centric, right? That's just the way the workflow is coming through. Almost everything's based on the browser, right? Even your email, like Gmail, Calendar. They were maybe a decade before Microsoft moved to Microsoft 365, but you start to work in that environment and you realize the verticality of the security, how much the browser is important to basically cybersecurity posture, which we'll go through today. We're going to cover why it matters. I think we'll each pick our favorite advantages of it, and then we'll go through that. We've got a couple of things to share as well, and Zach and Henry might have a little bit of a hint at what they're working on for the future here, so hopefully we'll hear a little bit about that as well.

So this is a really cool opportunity for us. For the last year plus, we've been hardening workstations and servers, and what we've realized from working with the MSPs is they want to start taking that next step to make a more secure perimeter. And as Tim was introducing, that browser, whether it's Chrome, Edge, Firefox, has become this container filled with all of the SaaS apps, and today not a lot of these settings are being put into place. And it's not because they don't want to, it's because there's not a really good medium to actually change and standardize these settings for MSPs, because you guys are doing it multi-tenancy. A lot of the enterprises out there can handle this because it's just one enterprise; there's not really a solution for this at the multi-tenant level. So that's ultimately what Senteon is working to do. And to put a bow on what browser hardening is in the scope that we're going to talk about today: it's the modification of various settings on the browser. And we've got Tim Golden here, the golfer, hopping in.

Just coming to rub it in everyone's face. Love it.

Hey, everybody. Better late than never, right?

Any hole-in-ones?

No, I got a lot of broken things, but we're good. Came in to say hello. You guys got this. I'm going to listen in the background, have it running in the background. And hey, Zach, Henry, Tim, Jesse, good to see you all.

Good to see you. Good to see you. It looks like you're sitting on the clubs in the back or something.

Oh, they're broken. Driving to the next hole.
So beautiful here in South Carolina. But hey, have a good rest of your stream. We'll talk to you next week.

In the weather. So I would actually like to hear from the audience: how many of you are doing some sort of offering or some sort of structure around browser security for your clients today? If there's anyone doing it, I'd love to hear about that. But I think you're right, Zach, in that what I've seen is that it's kind of uncharted territory for MSPs currently, right? Especially with the small and medium-sized businesses, there's so many settings, there's so many problems, and then there's been a lack of real good controls at a price point that SMBs can digest. So I guess I would like to hear your comments on that, and maybe Henry's as well.

Yeah, and I'll intro that one too, because we have been really just, I guess, researching the market, right? There's a reason we prioritized this development, and that's because it was being asked for. But when I bring up browser hardening today to the majority of MSPs, they go, "Yeah, I don't want my client saving passwords to the browser." And I would say the majority of MSPs today do allow that, because they don't have a medium to disable that, right? The only way that they've really introduced to me is using Kelvin's CIPP tool, which is absolutely amazing, but at the same time, that one, disabling the browser saving passwords, is one of about 88 different security recommendations, right? So why are you doing only the one that appears to be the most important when there's dozens more that you can harden to secure your clients? And that's really the mission Senteon is on to solve for the market. Henry, please feel free.

No, I mean, I think you put that pretty well. For me, the thought process is pretty much the same as it is for workstations and servers, right? The browser is a tool. It's a tool you're using to get your job done, to do something that you need to do for work function or whatever it is, and it just so happens that these days pretty much everything goes to the browser, right? And so I think we've seen a couple of solutions pop up recently for, like, enterprise managed browsers. I'm thinking about some tools that I don't actually know what their price points are, but you can, quote unquote, totally move off of Chrome or totally move off Firefox to another enterprise browser. But it's sort of difficult to do so, because you're trying to teach somebody a new tool, to teach an old dog a new trick, if you will. And a lot of times I think they're not quite as satisfied, so we're just a happy medium: you can stay on Firefox, you're just making it that little extra bit secure. I will say some of those things are disturbing, but...

Your audio is cutting out a little, Henry.

Yeah, it's like every other word. I'm not sure. But to what Henry was getting at, we have seen a lot of products come to market, and I think it's okay to shout those out on this. I'll give a shout out to Dan Lee. He gave me a wonderful demo of... they got acquired by Palo Alto, what was the name of it? They're using Talon, right?

Talon, yeah.

Yeah, they used Talon, and I was like, "Dan, you know, you guys..." And this is from my experience working at banks and being a Big Four consultant. I've worked in all these financial services firms, and the browser is a brick. It doesn't do anything. It lets you into the business systems; it doesn't let you do anything else. And I was like, you firmly have control with Talon here. But Talon is not something we see at MSPs, right? It's usually an enterprise tool.

Yeah, and same with Talon, there's another one called Island (island.io), and what Henry was saying is there's solutions out there that completely replace needing to use Chrome or replace needing to use Edge, and it's its own standalone solution. And there's a big barrier: the SMB doesn't want to learn a new browser, doesn't want to switch. And to that extent, the example I provided is very much an enterprise, Fortune 100 kind of solution, so not for MSPs, right? Again, it goes back to a lot of solutions not being designed for MSP capabilities or price point. So really, at Senteon, we kept on hearing the feedback. We're like, well, if we can let them continue to keep the browser but still secure it and manage the settings, would that be valuable? And so far it's been a resounding yes, and we're excited to release that in just a couple of weeks.

A lot of that ends up being compatibility too, right? I think, Tim, you mentioned Google Workspace, I guess that's the name of the service now, is sort of a pretty useful one for MSPs, and compatibility-wise, you're not going to find a browser that beats using Chrome when it comes to Google Workspace compatibility, right?

Yeah, I think so. And I know certain small businesses that I'm just friendly with. An actual friend of mine here locally runs a medical practice, several locations, and doesn't have an IT guy. He worked for an MSP in college, and he runs Google Workspace everywhere. Everything's auto-deployed, everything is an enterprise browser, everything's secured, but he built it that way from the ground up. It's really hard to come into, let's say, a professional services or architecture firm that needs Windows and, you know, you're just trying to get them off software that's not supported anymore, off of Windows 7 or something like that. It's a much more different proposition there. So I think that is really where the pain points come in for those types of solutions.

You know, the other thing, as we were talking about this, I was thinking about it, and there's that trite saying, "X is the new perimeter," right? Identity is the new perimeter, and now browsers are the new perimeter. And I saw somebody post something: "If I hear one more person say X is the new perimeter, I'm going to lose it." And I kind of laughed. But here's the thing: that just goes to show that attackers are going to be like water. They're going to flow to the area of least resistance, and so it's an arms race, right? Initially, Windows and workstations... remember, it wasn't a firewall, now the endpoint is the new perimeter. Okay, the arms race continues. We get CrowdStrike, to name a vendor, there's plenty of other ones out there, Huntress, any of those that provide EDR protection. Now, for the attackers, that's not a viable target. Okay, where do they go now? Oh, we can go to the cloud, we can use identity to do business email compromise. Oh, okay, now we're getting good cloud protection, everyone's using MFA. Well, now what can we do? We know their browsers aren't configured, and we could scrape passwords right out of a browser. So it's just going to continue to go that way, and so I think this is the next iteration of, you know, the Wild West, so to speak, for MSPs to be able to protect their clients. And so that's why I think it's important.

Right. I love that you said Wild West, and I mean we've used that term throughout, but it kind of hit me a little bit differently just hearing that story. Because when we go onto a platform, whether it's hardening the workstation, hardening the server or hardening browsers, people are like, "Oh yeah, it's connected to the domain, everything's the same, that's how domain works." Okay, let's take a look at what those local policies are actually set to. And even in an onboarding I did today, every single machine we onboarded had a different combination of settings, and they didn't have a good explanation. They expected it to be the same, but that's the reality: all of these settings, all these configurations across thousands of endpoints, it's the Wild West. When your MSP needs to troubleshoot something, they don't even know what they're going into, because the GPOs today are not standardized, even if the domain says they are.
Right. Well, I love that idea of standardization. Actually, that was what my post was focused on in LinkedIn this morning: one of the things to talk with clients about is not security as a negative or a zero-sum game, where we're going to stop the bad things from happening to you and it's going to cost you X amount, but you're probably not going to have to pay X amount in a ransom attack, right? How about taking the offensive and saying security is a byproduct of quality, right? And so if we can bring quality to your environment, that's going to, in essence, create security, but it's also going to create other good business outcomes, such as troubleshooting improves, breakdowns improve. Your browser doesn't load or doesn't do something right because your settings are wrong, but if you've standardized that across the fleet, all of a sudden it becomes much more efficient, fewer breakdowns, everyone is more productive. So that is a positive outcome of using a quality focus to security, right?

Yep, yep. So I probably shared a little early, but if you guys have anything to add on here... I also commented to the audience, please add your thoughts on this if you think we're wrong or we're missing some here. But just sitting around this morning, I thought of these 13, right? And some of them overlap and are kind of the same. Zach mentioned DNS filtering and your domain and things like that, but everything goes through the browser, right? Jesse, as you talked about, like EDR, it's a big focus, right, because it's the ingress and egress of pretty much everything coming in and out. But your ability to lock things down is pretty dramatic, right? You could basically just have an allow list of five websites that your business uses, like a SaaS application, right, like Salesforce, email, if you really wanted to lock things down. And I've been there, trust me. I've logged into some of these insurance company systems or something like that, and there's not much surface area to basically attack. But you can also look at... and funny, Jesse, you just said water flows, right? And I think John Harden said the same thing about shadow IT. It's like employees will find a way to basically get the job done by using some other tool, even though it's not the authorized tool of the firm. So just the ability to see everything that's coming, what employees are doing, SaaS license usage, like did you pay for 10 licenses and only one person in the firm is using the license, right? So just the unbelievable amount of analytics. You can use it for blocking and tackling if you want to, or you can use it from purely an analytics and insights perspective. But Zach, I think a lot of the things you mentioned in terms of those Chrome... and I think you're going to pull up the CIS controls for Chrome, which I don't think I've looked too far into, but how much of that overlaps with some of these advantages or capabilities?

So there's definitely some on the screen, and Henry, you're the one developing these settings, so let's...

Yeah, I mean, I think a lot of them probably... upload/download permissions get a lot of overlap, allow listing. Mal command blocking is an interesting one because it's sort of tangentially related; the way we look at it is probably more going to be like preventing cross-site scripting specifically. But extensions, plugins, all that kind of stuff, definitely a lot of overlap, right? So the way we like to think about it, I guess, is anything you consider a capability probably is going to have a flip side of the coin when it comes to security and being able to lock it down a little bit more.

Yeah, it's interesting. You know, why we're talking about this, and I mentioned this in the green room, is I think we're moving towards a world where the endpoint is more and more ephemeral, right? The endpoint doesn't matter. People are using a wide range of different endpoints, and yes, you can lock it down to say you can only use an authorized laptop and these five apps, but at the end of the day, if we're talking small business and work getting done, it's just not realistic, right? We want to reduce friction for the employees to do their job, and so how can we do that? We can push security to the core and use a zero trust mentality when we're doing things. And how do we do that pragmatically? As a defender, I'm always thinking, where can I capture the best data, and where are the choke points in my data flows, right? So the choke point can be the browser, because they have to use the browser to enter the application no matter what device they're coming from, and if I can control that doorway, I'm a lot better off and I'm getting a lot better data, and I'm able to defend better as a defender at the end of the day.

Right, that's the other big thing I want to emphasize during this call. So we do, like I said, harden workstations, servers, browsers, right? By having this standardized in a format that is secure, you're increasing the efficacy of your other security layers, right? CrowdStrike, we called out; it's looking for anomalies, it's analyzing behavior. If you harden and standardize these systems, you're forcing very redundant behavior, the same things every day, allowing for those anomalies to be more apparent, allowing for CrowdStrike to react better, fewer false positives, quicker remediation time, right?

Right. So, can't emphasize the importance enough of the topic we're talking about today.

Yeah. So, I mean, just these other things, and Jesse mentioned zero trust, right? When I'm looking at it from a privacy perspective, I focus on malicious insider, insider threat, right? How many employees walk out with a customer list? This is kind of the ultimate tool, right, the blocker, right? If you can get rid of screenshotting, you can get rid of them sending a list to their Gmail or to some non-sanctioned data repository, like a Dropbox or something like that. You're really taking a lot of the risk off the table here for malicious insiders, and they'll be pretty well aware that the company's watching them as well. So that, coupled with a good employee contract, NDA, confidentiality agreement, they'll have a pretty good understanding of what they're allowed to do and what they're not allowed to do. But as you also mentioned, Jesse, they should be able to check the weather, Google Maps on the way home. I've been in situations where the browser just doesn't do anything. The bookmarks up here on the Chrome bar are like employee awareness training, all the corporate assets. It's like everything on the browser is meant for you to do your job or help you navigate the company. So yeah, I think for most MSPs or outsourced IT, they're going to have some happy medium, and I think it's a good idea to start with just turning something on, just thinking about the analytics and functionality of it, and starting to clamp down as you go. I think it's a similar conversation, right, Jesse, with application whitelisting, like a ThreatLocker or something like that.

Yeah, that's a great point. I'd love to hear from you, Henry, to put you on the spot: if you had to say to MSPs, to start getting a handle on this, what are the top five things they should go do and standardize across their browser fleet right now? Top five, probably top three.

Top three or top five. Well, I guess the top one, I learned about this one recently, there's a Chrome API I
guess you call it called Web USB I I think I just learned about this today um and that’ll let your browser just directly access any USB ports you got plugged in data stores things like that uh and so I’ve been reading about some fun vulnerabilities that like you bypass Hardware encryption or like Hardware two Factor like U Keys things like that um so that’s probably number one just for recency bias for me um other than that I mean there’s a lot of protections for fishing for driveby security um plugins things like that so just Shing you’ve only got approved plugins you somebody things are oh go ahead that’s a great one I think is yeah locking down your plugins right so we can do I mean we can do some of that with in tune and obviously Google workspace and stuff but um I think the tools are available it’s just kind of sitting down and saying okay we’re going to have to go do this because at the end of the and I think that’s another great piece to your point Tim for um employee usage on sites and what apps are being used that’s a great piece to bring into your s spr is we have a list of all the applications or all the plugins your browsers are using should we be using all these can we shrink that list right because as you said The more you have to cover the more chance there is for things to break so um oh yeah great great slide here Tim a good Segway into that so I’ll let you right into what you were saying yeah so yeah like the biggest thing is when as product uh you guys are senon a product right for MSP vendors right how do you get them to tell the story back to a non-technical business owner right and I think I was just trying to include a slide on this right like what are we’re talking some of the stuff is a little geeky but like let’s talk about the actual how does it relate to their business and I think these are just these are five I could think of this morning right like um yeah clearly it’s gonna help with insurance like sure fitall like would love this um 
lower chance of breach right like because if you’re the executables on business email compromise don’t go through uh you know the kind of The Insider threat like have you ever had an employee walk out with a customer list like that’s a pretty easy story for an MS to like ask a small business owner um licensing like it’s interesting because uh when I worked at the big four this was like a huge business was like actually rationalizing companies you know companies will have 20 30 SAS licenses and what are they actually using it’s the same thing like from a personal basis like are you really watching Netflix Prime and right like there’s there’s apps that do that right from a personal basis but like you think about like the company’s SAS appetite or um expenses in a year like this will give you a lot of insights and I remember when John Harden came on from Sasso uh he told me like the biggest thing that resonated with small businesses was just to see kind of like where they were using licenses and like what websites they were on like the majority of the day um really kind of gives them a lot of insights on like what’s really happening like how’s the job actually happening even though they run the company so there’s a layer I think above that too when it comes to sort of SAS licensing um that I’ve seen more so at at large Enterprises but I think even for small businesses you start to get a little fatigue with the amount of different licenses you’re trying to manage trying to understand that and the experience I’ve had is it gets to a point where when somebody on a team is looking for the newest tool the company’s just going to tell them find the lowest bidder right because they just don’t really have a handle on anymore so if it does whatever you need to do find the lowest priced one right so we’ve had situations where they’ve actually had to move off of a platform they’ve been on for 10 plus years because somebody else is coming out with one that does does less but it’s 
cheaper and so I think being able to get it Grable on that and making sure that you’re getting licenses that you actually need or actually do the job function for you is is pretty important there as well yeah so I think this is probably easier to sell than most tools um Like Jesse trying to talk to a small business owner on like selling xdr like yeah maybe not so easy right or or yeah I mean even dark web monitoring is like you know just just some the tools that are out there and I think yeah getting in the Weeds on the types of different tools that you’re that each one what it does if they want that great if you’re talking to them and they have the it manager sitting in the meeting and they’re like well what about this and what about that you got to you got to satisfy them and answer those questions but even typically from like a results perspective yeah I’m going to have xdr and I’m going to have an endpoint configuration manager and I’m going to have a browser configuration manager and do I talk about all those different things no I talk about quality out outcomes as we standardize and streamline your environment to make sure your people are working 99.9% of the time right that’s the that’s the outcome that they want and how they get there is really you know secondary or ancillary to the business owner so I think that’s the way to approach it right yeah I think the the concept of control is important when talking about these configurations um and I did um for something we offer over at senon is you know I’ll go and present ction to your customers for you right that’s just part of the process that I offer and I got to do that yesterday and you know I did introduce that control aspect hardening your workstations hardening your servers is going to tell you um you know making sure your your employees are using that inactivity timeout or what they’re doing and making sure they can’t go outside of their scope easily because something we also do is configure all the 
user rights assignments so it’s making sure that people only have the right access they need and he wasn’t as interested about that from his perspective um and he is the it manager and um I think it op side of it but where he really cared about was seeing that these default configurations and the state that they were actually in so in this example on the OS level there was a store passwords using reversible encryption right he had that setting enabled so reversible encryption was perfectly access and when he saw that he he was no longer thinking about that control aspect he’s just like holy crap this is a real security risk and it’s already on my system this third party software sention is telling me this is in place and can be taken advantage of so that’s when the conversation really shifted from hey here’s all the control aspects and all the Streamline and standardizing benefits here’s a real thing and that’s what really turned him into a security buyer as opposed to just a control my employees bu buyer yeah and I think that that’s absolutely valid because you have to know who you’re talking to right so if it is the it manager or somebody who’s the it Ops person that they’re going to understand that context and the ramifications right it’s and if it’s a decision maker who says I just want business outcomes and I want my business to run better and at the end of the day I want the bottom line to be better and be protected uh and get a competitive advantage in the market right that’s the way to approach that conversation so Zach you want to try to share your uh list I’m just curious to see it yeah yeah so one of the things that’s really entertaining with with what we do and I’ll pull this up is we do base our entire solution sentian off of um the CIS standards you’ll hear me say that this entire time and people don’t realize these CIS standards that we are doing come from an extremely long PDF so the one once this is populated on the screen is going to be the PDF 
just to harden a single Chrome browser they have um and that is going to share momentarily right I think it’s in maybe I gotta share it yeah I know okay there it goes so this PDF here is just to harden a Google Chrome um browser and you’ll notice this is 232 pages right the updated one okay this isn’t the most up to date I guess I have an old one but um and they keep on modernizing another reason actually I mean that’s another reason these are so hard to manage updates come out PDFs get old hence example a um and your engineers can’t be that upto-date expert on all gpos so that’s just a cool thing that we get to do for our partners and here’s this web USB API one that Henry was talking about um but yeah this is 200 some pages that’s not something an engineer wants to read and then if they do read it they need to understand each setting create the Powershell script configure this at the browser right it’s just a ton of work to get this done and when you add in hardening a workstation and hardening a server the amount of pages go into the multi thousands I think to do all of the workstation server and browser combined is about 2800 pages of reading no one wants to do that so um that’s that’s the really big thing here here and um yeah just an overview of some of these settings I mean have you seen this before Tim or Jesse is this new to you I have yeah and you know I think it’s like you said it’s it’s something where absolutely when you can use a tool to streamline and get your Baseline you know I think people probably watching this will agree with me the CIS controls typically if you’re looking at let’s say for a server right you go and push the recommended CIS controls out you break almost everything on that server by doing it so I think there is a there is a place where you do have to review them and you do have to understand what they’re doing and you do have to get a baseline right but you definitely don’t want to have to enter that in every single time on every 
single machine. So you do need to understand them; unfortunately you are going to have to read, and you are going to have to understand it. So I want to encourage people to do that, right? You need to know the technology that you're deploying. But, you know, being from an operations background, and that's what I do, help MSPs scale their security practices, you absolutely need to have a repeatable way, and a simple, streamlined and automated way, to be able to push those security settings out once you do have a baseline. So again, I think there are both pieces to that.

And I love that you said pushing this out will break something. That's something we hear all the time, and I really want to advocate, especially for our partner base: they are pushing the majority of these out. As you can see in this share, and I can zoom in if that helps, there are L1s and L2s. So Level 1 is more targeted at "hey, these are just best practice": the end client, that user on the machine, probably won't get mad. They might get a little annoyed, but they're not going to be freaking out, not able to do their job. I mean, let's look at one of these: block external extensions, right? So this is if they want to install an extension that is not already approved, so not part of the Chrome Web Store. That would be annoying for them, but also now they can create a ticket, reach out to the MSP, and have a better relationship. You solidify that workflow to become a partner at that end-client level. So again, with these configurations there is a huge mindset of "I'm going to apply these and every single one is going to break." It doesn't have to.

No, exactly. And I think if you're familiar with IG1, IG2, IG3 from a CIS risk perspective, you think about it the same way. L1, you are pretty good pushing all those out, right? And then as you start to go up you may have some issues, but again, it's a control. You do it in... you do it like software
deployment: you do it in rings, alpha, beta, and then you work outward from there. So again, speaking to services and professional services, this is a good way for MSPs to start building in professional service projects and going after accounts using something like this: "hey, we'll come in and we'll do this for you," and work with you in a consultative fashion.

So yeah. And then you can pre-approve, right? I'm assuming, Zach, so if you've got a HubSpot plugin or Office 365 plugin or whatever it is...

Yeah, and I think Henry can talk to that, but that's more the management of G Suite, right, Henry?

Yeah, yeah, you can set up a set of approved plugins, and then I think there's a process too where you...

Well, even if you're not a G Suite user, which most MSPs aren't, right, they're still going to have a Google admin account, I'm guessing, right? Is that right?

I actually don't know about that one. I'm not sure what the Chrome management looks like as far as plugins and things like that go. That's probably an Atakama question, actually.

Yeah, I was going to mention Atakama. I don't know if Scott's on the call, but he had a great webinar this week, and Henry or Zach, I don't know if you saw it, but you should check it out, just cruise through it. A lot of overlapping themes in there. They also did, and Matt Lee is going to love this, a CIS vendor mapping for controls 1 through 18. I think there were probably five or six controls, not quite in depth, we're not there yet on that, but it was pretty good, just talking about how they're addressing CIS controls.

Yeah, Matt Lee's been doing a really cool CIS working group, which I've had the pleasure of being on as well. So that's another thing with these: when you follow the recommendations here, a lot of them, let's see if I guessed one correctly, will map back to a control, right? Right, this is letting you know this is 4.8. And I guess just kind
of preview the slide that I made in preparation, right: hardening your browser is going to assist in meeting about eight of these CIS controls across nine different safeguards.

I was going to make that point. Again, we're talking about using security as an innovative lever, not just a conservative lever, or a conservation lever. And that's another thing you can talk about: innovative ways to do your workforce, doing thin clients for employee laptops, running everything through the browser and lowering your costs, right? So we can lower costs and actually increase our security, and if we're trying to get something like a SOC 2 or something like that, we can actually evidence and prove really easily that we're doing all the things we're supposed to be, because we only allow entry through a browser that's configured and protected, right?

So that's a really good point, and something we talk about too, because these controls map back to other frameworks or regulatory items, and we design our reporting so you can do those tailored reports. Henry, I interrupted you.

Yeah, I was going to ask Jesse: do you know if the SOC 2 will allow you to scope directly to managed browsers as opposed to the entire workstation?

It will. Well, yeah, it depends what's in scope, right? So yes, you can scope it to whatever you want, basically, as long as... it's an attestation, it's not a framework. Basically, you have another framework underneath it, right, which is, as Jesse said, what's in scope. Go ahead.

Yeah, so... but my whole thing with it is, for better or worse, SOC 2 is what you're going to get asked for in a lot of competitive situations, especially in larger financial services or enterprise applications, right? So we can put our propeller hats on and talk about how it's not real security and all that, but my thing is, we can blend both of those. Why can't we do both? Yes, let's make it real. So again
it's that innovative "kill two birds with one stone" force: use security as a force multiplier, right? Yeah, let's scope it down and get the certifications done, but let's also actually increase our operational output, and let's make sure that we're being secure and we're protecting ourselves better, we're giving less of an attack surface, right? So we're knocking three things out there with one new innovative approach. And so I think when you start talking that way with your customers, and thinking in an innovative fashion and using security as that lever, that can be very powerful as an MSP, when you start to bring those kinds of new ideas and thought leadership to your clients.

I love where you went with that, because that's something I actually really do encourage our partners to do. So a lot of MSPs today will have, you know, their EDR tool, their whitelisting, their backups, right, a lot of pieces of security layers, a lot of the time very reactive, right? And not a lot of MSPs are taking this proactive step to change settings because it's the right thing to do. They change settings when something is broken or a CVE comes out. But what we're talking about in this webinar is changing the settings because it's the right security thing to do, to prevent the next attack from being successful. So that's the big thing with this. And when you're talking about having MSPs elevate their conversation, that's what I want them to do when they think of configurations and Senteon, right? Show them where they currently sit, tell them "hey, I've been doing the best I can with the tools at my disposal to protect you when a cyber attack happens. I've now matured that side of my business and I want to take the next step with you. I want to proactively secure your environment." And that's where configurations can bridge that conversation.

Yeah. Let me go... go ahead, Tim.

Yeah, no, I'm just curious. We don't want to let the cat out of the bag too much on Senteon, like what you guys
are doing. So just kind of walk me through, from a high level: you deploy the tool. How much of this stuff kind of auto-configures, right? Like, so you don't have to read that 2,800 pages of documents, right, to create this dramatically reduced attack surface area. That's why I'm such a big fan of browser security. I'm so glad that the channel is getting you guys and Atakama this year, and I'm sure there'll be more to follow. But just walking through how, you know, it is hands-off, right? So you don't have to do too much of it, right?

Yeah, and I'll let Henry go more in depth on this, but one thing I want to call out is the settings we're touching: only about 15% of them... so on a workstation, server and browser, only about a hundred of... like, that's not even 15%, but about 15% of the 1,300 settings we do are configured to the right state by default. So that's a ton of work. But Henry, yeah, please introduce more about how Senteon works here.

Yeah, I mean, specifically targeting Tim's question there, I think the goal is that they have to do almost no reading or research. So we're actually trying to iron it down to the point where the only things you really need to look at are things that you've touched before, or things that we're going to see are going to cause issues. And that's going to be true for your browser, it's going to be true... So ideally, if you run a really clean system, and you are confident you're running a really clean system, you probably won't have to read much of anything. Unfortunately, I don't think that's generally very true for most environments that we've encountered. And so probably maybe 20 or 30 of the aforementioned 1,300 you'll typically have to look through more carefully, and then a greater number, like 100, that they'll have to confirm: "hey, I see that this is here."

Yeah, so I mean, if you A/B tested it the way Jesse was saying he recommends, you know, these companies roll it
out, so I'm sure it's fine. You've got a couple of guinea pigs to shake out the kinks.

Yeah, that's definitely the thing I mentioned earlier: even if they're on a domain, your settings are not standardized, and something Senteon does its best to try to do is let you know which ones aren't standardized, so that you can better create exception groups. And those ones that are misaligned, those are the ones maybe you want to read about, maybe that's where you need to elevate your knowledge, because Senteon can't tell you everything, but it will tell you where you need to look.

Yeah, that was my point, right: understanding what your template for settings looks like, and understanding, because again that speaks to quality and repeatability. So we know if we deploy this subset of settings, and we have a few off because we know certain tools or pieces of industries that we work with need them off, we can create less friction, again, for our clients when we roll this out. And so I think it's important, yeah, to do your homework and know, but also, once you have that, to be able to move quickly, right?

Absolutely. One other thing we can talk about: we didn't necessarily dive too deep into the types of attacks that might happen to the browser. I know one that kind of surprised...

I was going to say, I wanted to get there, so thank you for bringing that up.

Yeah, I think that's a really good one to talk about, because it's all like, yeah, standardizing is good, hardening is a thing, but what risk is actually being mitigated? And I think one of the interesting things, if you look this up, is this is reducing the risk of a phishing attack being successful. So there are some settings in here that will harden... you know, when you click an executable, well, a link, and you get redirected, right, it may trigger an executable, and you can configure your browser not to allow that, or spoofed domains, right. These are settings within Google that are not on by default that can better predict if it's a
phishing website, which I know is not the right word. But Henry, you can talk more about these attacks if you want.

Yeah, it's kind of like how an iPhone, because everything goes through Safari, right, Safari is a pretty locked-down browser by default, so you know, you click on that FedEx phish in your text and it won't detonate your phone, right? So it's the same concept with your Dell laptop, right? So yeah, go ahead, Henry, sorry.

Oh, you're good. We have drive-by download, if you want to introduce that, but I think cross-site scripting is another one we can talk about.

Yeah, I mean, I think a lot of these things end up being really simple too. So Tim, you were talking about...

That's a long question. Yeah, you guys can probably follow up. You guys should reach out to Zach or Henry, wherever this feed came from. But that's actually a pretty good summary, so I think we did well in the webinar. That was pretty good, not that far off; you kind of described the learning mode that Senteon goes through.

Yeah. Henry, you were talking about the attacks.

Yep. Yeah, so you were talking about the MacBook and the way Safari prevents the USB or...

I was talking iPhone Safari. Mac is a little more dangerous.

Yeah, it's about the same, I guess. But just the way those things work, there are such little things you can do to help prevent those things from happening. My favorite, sort of, when it comes to drive-by security, is just, say, if you can enable a setting so that when a file is downloaded it asks you where you want to download it to, you can mitigate so many of those attacks, just because you're going to see it before it actually gets downloaded on your system. So just little things like that that I think Safari does well, and it's possible to do it on your Dell laptops, possible to do it on Chrome, that I think is pretty valuable. Things like cross-site scripting, all those items, just generally come down to a bunch of
configurations that for whatever reason they don't enable by default, but you're probably not going to see issues. So a lot of those types of attacks are pretty easily preventable as long as we're sort of on top of it. And then Zach, if you wanted to address that question.

Yeah, the one that was... I mean, we were good on addressing the question before with the learning mode, but I know before we were talking about, what was it, The Great Suspender attack on Chrome? I think that would be a good one. I thought it was Suspender; I can't remember. It had to do with extensions, which again is something you can harden, right: you're blocking the third-party extensions, you're allowing only certain ones. But that's another good attack we can dive into.

Yeah, no more Honey shopping where you get automatic... unfortunately, taking that one away. Those are all watering hole attacks, right? So we're just talking about ensuring that you're only using approved applications, so that you don't have a plugin that is maybe inherently benign but was breached on their end, and so then they're getting access to your browser and things like that. So, yeah, the whole thing of it is you're just piling on supply chain risk with every browser extension you install, and I don't think employees... well, employees are never going to think about it that way. So your best case is to limit that and try and educate on the back end, right?

The supply chain comment is actually really great for that, right, because we treat applications you install, we treat software you install, with so much care, right, that we have so many solutions around approved software, disapproved software. Plugins are essentially the same thing.

Yeah, they are. You're just creating a trojan horse into your network with every... I mean, if you could explain it to your users that way: you are creating a trojan horse into the interior of your network with every browser plugin that you
install, you know. That is what it is. And again, we talked about attackers being like water, okay? Yeah, they're locking down applications, they're locking down the endpoint, so where's the next logical attack surface? The browser and plugins.

So how else will I know what discounts Honey will give me when I'm shopping on company time?

Yeah. Obviously malicious insider threat, I think I talked about that before, but clearly it makes it really hard for an insider to steal things. So keep going, what else have you guys got?

Well, one thing I'm curious about, and I did do a webinar with Dustin about this on FifthWall, but we talk about hardening the OS on the workstations and servers, and that is something that FifthWall values, and cyber insurance is starting to ask about too, on forms. I'm not sure, and I'm curious if you guys know: is cyber insurance going to start caring about the integrity of browsers, or is that still out of scope? Any predictions on that one?

I think it's out of scope, but I think they realize, as you said, you're hitting eight CIS controls, and just your risk buy-down and affordability, right? Like, this is one tool that's going to be fairly cheap on a per-endpoint basis.

Yeah, versus the kind of... you know, Jesse, that was another prediction I made: people are going to start ripping some tools out, right, and replacing them with cheaper ones.

So that's what I was going to say: I don't see, I guess, in the near future, in the short term at least, asking about browser protection, but I do think that, again, it can be a creative way to meet insurance requirements for less. So if you need to say, for example, "are you using MFA to access sensitive data?" Oh well, we have this old legacy server that's sitting in the environment and it's just on an open network, it has sensitive data, we don't have secure MFA to it. What's, to me, again, think like an attacker, what's the shortest path or the easiest lift to say yes on
that MFA? Well, it's probably to put that thing in a segmented mode and access it through a secure browser that's locked down and has all the controls on it to get there. So it's again leveraging browser security and leveraging standardization, along with a zero trust design, to creatively meet controls while being the least friction for the business that you can.

So somewhere down the road I can see them doing, like car insurance with the OBD port dongle that goes in, "how fast are you going," like, how about an underwriter plugin for your browser?

Yeah, I could see that happening. Hoping they learn a couple of lessons on that.

Yeah, I hope so, but it definitely won't be a supply chain attack if you dramatically...

Yeah, exactly, you dramatically want to lower... and have exposure on their behavior. So I don't know. But Zach, it seems like they're always a year reactive on everything, so I don't know when it's coming.

Yeah, well, cyber insurance may be reactive, and I think in the market of MSPs itself, we are, especially over at Senteon, right, this is what we do, we are noticing a trend where MSPs are wanting to take that proactive step. I don't think insurance is going to catch up fast; I think it'll take a lot of time. But at the same time, talking about the audience we all serve in this room, I do believe security is becoming that top-of-mind conversation. We mentioned CIS controls mapping, eight different ones just to harden a browser, right, something you can do in minutes if you have the right automation in place. And I do believe MSPs are turning that corner to be more proactive.

Well, you have to be, right? If you don't take that next step... because it's always going to be market driven, right? So the customers are asking for it now; it's no longer pushing this to the customer. You are further commoditizing yourself, I think, as an MSP if you're not thinking proactively about these types of things. And, you know, if
that's where you want to be, then I think that's fine, but I think most MSPs are trying to move upstream and trying to provide more trusted-advisor type relationships with bigger clients, better-paying clients, and just better relationships, right? And the way to do that is to leverage thought leadership and proactive methodologies like this, like browser security.

Yep. A couple of minutes left. Maybe do some closing thoughts and get out of here a minute or two early.

Yeah, I'm good with that. Tim G's not here, we don't have to be right on time.

Right on. I don't think we're ever on time. Henry, closing thoughts? What's a good takeaway here for our viewers?

Putting me on the spot when I'm not ready for it. Well, gosh, Zach, you go. I feel you do this to me every time. Actually, every time I'm on the show you lead with me on this.

No, no, no. I think closing thoughts: probably the best time is now to start thinking about the browser as your next frontier, right? Yeah, somebody said they hate it when I say that, but it is sort of a manageable perimeter. It's smaller than managing your entire network, it's smaller than managing your entire system, and it does do a lot, because everything goes through the browser. So I think it's definitely worth starting to think about that, starting to do the simple things, and then, sort of, if you get started early, before insurance is asking you for it, it's a lot easier to get it all done when it's absolutely required.

Yeah, yep, I think that's really good. And Heath, if you stay for one more second, man. My closing thoughts: what is an asset, right? I mean, a lot of MSPs today, and Matt Lee praises this, what is an asset? And I think a lot of people forget this: a browser is an asset of yours, right? This is an asset that needs to be documented, that needs to be standardized, that needs to be hardened, needs to be secured, right? And this concept of understanding what types of software, what type of hardware, you know, controls
1 and 2 of CIS are so critical, and the browser is one of these assets. It is one of these assets that needs to be proactively managed, proactively hardened, and like Henry said, doing this stuff ahead of time, jumping the curve, being ahead of the curve, is going to make meeting regulation, getting cyber insurance, and, assuming you do it with the right automation with reporting, attesting to security so much easier when the time does come.

Yeah. I'll go next. For me, I think the takeaway would be that, you know, I think people can sometimes get whiplash because it's like, "oh, now we've got to learn this," right? So it can be a little bit daunting. But I think, you know, we chose technology because we like to learn, and so I think starting to build your talk track and your thought process, and how you want to be ready to have these conversations with clients around something like browser security, and leveraging it as a business innovation rather than just a reaction to the industry.

I like that phrasing a lot, that's really good, Tim.

My closing thought: yeah, I mean, like I said, I think everyone's underestimating the importance of this this year. I think it's equally or more important than most of the security stack, and the fact that G Suite is basically taking this browser-centric focus, and it's worked extremely well for them to provide a very safe environment. The world is SaaS, and the world of installed software is gone. And Jesse made a great comment about how that installed software, most of it's kind of locked down, right, and vulnerabilities... and why not go for a browser extension, right, which is just a trojan horse sitting there waiting to attack. So I think that you're just getting so much buy-down from a risk perspective here that it's really important, it's really a no-brainer. You're going to dramatically lower your breach risk, your data loss risk, you're going
to get a ton of analytics. And I really put that slide up because you're going to have to sell this as an MSP or an MSSP to the business owner, and there are five good reasons right there that you can use to get them to buy it. So yeah, that's me being a little long-winded on the takeaways, but those are good.

It was almost right on time. Thank you guys for coming on. This was one of my favorite episodes. Next week, Dawn Sizer on how she selects vendors, so that's a nice one. I think it's Third Element Consulting; Dawn is out on that conference circuit. Tim should be back, but Zach, Henry, appreciate you guys coming by this week, and for us, really excited for the launch. I guess it's coming in the next 90 days?

Put me back sooner than that.

Cool, guys. One minute back, and we'll see you next week. Peace. Thanks, guys. Bye.