Episode Summary

The MSP community loves nothing more than to get together at a good conference, and Right of Boom has fast become a favorite. With Right of Boom ‘24 coming up (March 6-8) , Mac is joined by its founder, Andrew Morgan, to discuss how the event came to be, what makes it so special, and what to expect in Vegas. Andrew, who’s been in the MSP world since before they were called MSPs, shares some ConnectWise history and how he got into the space to begin with. The founder of the Cyber Call and Cyber Nation also joins Mac in discussing the latest Okta breach. To register for Right of Boom, visit www.rightofboom.com.

Episode Transcript

MacKenzie Brown: Welcome everybody to Return of the Mac, episode four, what we are calling “Here Comes the Boom.” And there’s a reason for the title of this episode. Today I am talking to one of the most well-known faces of our MSP world, someone who’s been helping to organize and empower the MSP ecosystem, or the channel—I always like my channel, little graphics that my guy knows how to add to make it look pretty—for over the past two decades.

So he’s actually the founder of Cyber Nation, The CyberCall, and arguably one of the most, in my opinion, respected conferences in the MSP space, but actually one of my favorite, now favorite security conferences, the way it’s structured, the level of engagement, and of course the information that’s being shared during it. We’ll get into that a little bit later. But yes, I am talking about Right of Boom. And yes, I am talking about the one and only Andrew Morgan. Andrew, welcome to the show.

Andrew Morgan: Hey Mac, thanks so much for the introduction. It’s awesome to see you. Thanks for having me.

MacKenzie Brown: It’s great to see you too. Yeah, I’m actually really happy to have you on the show, because I had Wes on my first episode, and I’m doing this whole look back of the year, because I wouldn’t have met you without meeting Wes in lonely old Idaho, where he came to keynote a summit there.

And then I met you at Right of Boom and oh my gosh, I was so excited, and I’ve never seen a group of people being everyone, all the attendees to be so engaged and talkative about security and really invested in it. So I’m excited to break down some of that today.

But I know we actually have a hot topic to start with, as we do with all of our episodes. And yes, that is the Okta data breach. If anybody wanted to place bets, I hope you won on bets of what was gonna be the hot topic this week.

So I’d like to say it just keeps getting worse, but really, this is normal with an investigation, and with incident response of a big breach like this. It is controlling your narrative as an organization, dealing with the actual response of it, and then trying to beat the headlines of when it goes live and the type of information that’s released and new information that’s released over time.

So in short, around early November, Okta reported that a threat actor managed to access files inside its customer support system, where they stole these HAR files that also contained cookies and session tokens, which allowed them to log in and bypass some of the MFA, for those that had MFA enabled, and ultimately, access victim endpoints. So something time and time we’ve heard again happening.

Andrew, I think you mentioned something on initial access and patient zero. There’s not a lot of attribution on this. It’s coming to light.

Andrew Morgan: I found it Mac, it’s actually by David Bradbury, their CSO on their site. And he says, the unauthorized access to Okta’s customer support system leveraged a service account stored in the system itself. The service account granted permissions to view and update customer support cases.

So there it is. That’s coming right from the CSO of Okta himself. And again, if Ryan Weeks was on here, he would be talking about know thy inventory and railing on, you know, do you or your MSP have good inventories, and especially around your service accounts.

MacKenzie Brown: Oh, those tricky little service accounts always seem to get forgotten, or aren’t in managed service account mode, or don’t have the ability to be turned off in the event of something funny happening. Oh, you got to love that.

And unfortunately, this isn’t the first time Okta’s experienced some breaches. Actually, they were targeted by the Lapsus group. And I think there’s lonely videos of me on YouTube talking about this for Microsoft because we’d have, you know, helicopter noises whenever our team would hear Lapsus. It’s just never ending, and of course, the affiliate groups off of it.

But they actually accessed the admin panel back in March of 2022, which allowed them to reset customer passwords and access credentials. And then later that year, they stole source code for the Workforce Identity Cloud Service, but that was posted on GitHub or stored on GitHub for one of the accounts. Truly sad.

I know in this particular case, they’re saying less than 1% of the customer base is impacted. And most of the information of the type of data that’s been exposed is usernames, names, emails, things like that. Some of the other stolen data that was mentioned, which is a little bit concerning, is not just last password change, SAML Federation IDs, and I think they were also looking at customer contract information.

So really interesting, but also if you think about, I know there’s no attribution of this, but any sort of threat actor group, there might be some benefits to looking at that type of information, whether it’s customer support tickets in particular, contracts of particular customers and organizations. And then of course, they also looked at some information on Okta employees, but I think likely, given that 99% of this information that is exposed is emails and names, they’re really just predicting the trickle-down effect to be phishing and social engineering attacks.

Of course, more information is going to come out, as we know, so with respect to the investigation, good news, bad news, where are your initial thoughts on this, Andrew, as you’ve kind of been reading up on it?

Andrew Morgan: Yeah, I mean, my initial thoughts are if I’m Okta, I am probably looking deeply at SolarWinds. And what I mean by that, Mac, is we know what’s happened recently from the SEC’s perspective on SolarWinds. Again, Okta is a publicly traded company. We know that immense scrutiny is going to be looked at here in terms of what they’re saying, how they’re saying it, when they’re saying it.

So what I like to do from things like this is try to understand, as MSPs, what can we derive from this? And from the perspective of a lot of MSPs, when you talk to them about this, they’ll be like, oh, you know, my customers, they can’t relate, it’s too big. But what they can relate to, and I hope we talk a little bit about, is the business impact to Okta. Because whether you’re a multi-billion-dollar company, like an Okta, or you’re a $10 million company, there’s still a relative basis to the impact of the organization. So when we get to that, Mac, I’d love to talk. That’s the thing that is something that an MSP can draw an analogy to and what a business owner they’re talking to can relate to.

MacKenzie Brown: Absolutely. The business side is not talked about enough. We focus so much on the threat actors, the techniques and tactics, the recovery, the root cause analysis, but we don’t talk about the other things that coexist with that, which is the reputation side, the revenue side, things that you’re talking about as it relates to the business and what the long-term effects are. Especially for an organization that’s been in the news far too many times now around this, that hasn’t even finalized the investigation.

And last week we talked about SolarWinds’ CISO, the week before, we were talking about—or not week before, but episodes before—we were talking about the MGM breach. And we’re still waiting for more information to happen. We’re gonna be continuously waiting for more information to come to light on the outcome of this breach.

But the business side, I love that, of a good takeaway. Do you think, if you could really look at an MSP in relation to this breach, what are the key components that they need to focus on from the business side?

Andrew Morgan: Yeah, well, let’s start with this, Mac. I printed something that maybe we could talk about here. Can you see this?

MacKenzie Brown: Yeah, absolutely can see, I can see the end of the graph for sure. And the lovely arrow that starts at the top and ends at the two billion at the bottom, two billion dollars.

Andrew Morgan: Yeah, so this is two billion. So this is Okta’s stock chart prior to the incident and where it is today. So it went from about 80-some odd dollars a share into the mid-60s, or a two-billion-dollar haircut to market capital, about 24% of valuation of the company.

So again, an MSP might say, well, how does that relate to me? How does that relate to my customer? Well, again, let’s bring in one of my favorite people, Brian Blakely. He’s currently president of GMI, they’re a $150 million MSP, and he’s been on The CyberCall a lot. And he always talks about, you have to speak in the language of the business.

Because if you think about it at the end of the day, your owners that you’re talking to, the executives you’re speaking to, I hate to say it, they really don’t care about technology and security. They care about the result. At the end of the day, what they really want to know, what keeps them up, what’s on their mind, is their financial management—generating revenue and acquiring and maintaining existing customers.

Do they care about other things? Their employees, and a whole host of things that they have to as a business? Of course they do. But without revenue and without maintaining and acquiring customers, a business isn’t going to survive.

So we relate this back to when we’re talking about our security stack, and what we’re doing and how cool all this stuff is and the gaps we see and how they need it, if we’re not talking about how that relates to the core systems that drive revenue in their business, the risk to the reputation in their business, we are not going to be able to get engagement and sell them.

And the last thing I’ll say on this Mac, is if you think about it, the conversations, how it relates to a potential customer or an existing customer that’s being resistant and you see gaps in their security, as we relate it back and say, look, let me ask you a question. If there was an incident in your organization and it impacted this key system that generates 85% of your revenue, and it impacted your ability to deliver services to your customers, and now all of a sudden you need to disclose that this has happened, do you think customers and potential customers are going to lose confidence?

MacKenzie Brown: Likely. Yep.

Andrew Morgan: And the answer is, of course they are.

MacKenzie Brown: But from a transparency side, where does that fit in as well? Don’t you think customers also appreciate the level of transparency? I mean, I know we’re a little on-sided when we come to picking our partners and vendors, but do you think that there’s a level where they’ll lose more confidence, whether they’re net new or current existing customers, in the fact that maybe an organization wasn’t that transparent about where they were at or how they were dealing with the security side?

Andrew Morgan: Oh, no doubt, no doubt. I mean, the transparency is critical, but I’m speaking about pre-boom or left of boom, first. No doubt transparency in the event.

But I’m saying that where MSB struggle the most, Mac, is selling their offering at the right price, the right security controls for the said environment. Because oftentimes they’re not talking in the language of the business. That was really the point I wanna drive home.

Are you correct about transparency, right of boom, post-incident? 100%. I think transparency is critical.

MacKenzie Brown: But left of boom, the conversations that we need to have, need to be more so of, yes, this is a shiny toy we’re trying to sell you and the purpose of it is very important and what it’s going to mitigate. But also it’s mitigating the cost risk associated with going through an actual cyber attack. And the cost that is somewhat, can be completely destructive to a business and put them out.

Andrew Morgan: Yeah, yeah. What would 25% loss of…if you had to, literally, tomorrow, take 25% of your business away. And oh, by the way, Mac, you’ve done some incident response in your day. I don’t know, $600 an hour for IR, $600 an hour for legal or more, right?

MacKenzie Brown: Definitely up there. Yeah.

Andrew Morgan: …Just getting started. So again, I know you can’t use FUD to sell. That’s not my point. My point is it’s gotta be business conversations. That is what is going to get somebody to do something, not technology conversations.

MacKenzie Brown: Well, I’m really excited then, we’re going to talk about, a little bit later on, Right of Boom. Just because I have heard through the grapevine that there’s going to be some focus on that business side.

Which, in the interest of talking—we are doing these focus groups, and we’re doing partner meetings that are more focused on larger MSPs and of course, individual MSP owners, about all the things we’re talking about from a security side. But what I’ve noticed is I can talk about cool security stuff and nerd out with them all day long. And then someone like Jon puts on his hat and he’s like, hi, I’m here to talk about the business. And their ears perk up a lot more, as it relates to how to sell security.

Not just, here, we’re going to educate you and help you understand selling a good stack, especially as it relates to security, but how to sell it in a way that is meaningful and makes sense and speaks to the business mind of the MSP, like you said.

Andrew Morgan: And think about this, Mac, why we have to become very good at sales. Because I think a lot of times MSPs think of sales as a bad thing, like, ooh, the salespeople. If I can’t get a transaction, if I can’t sell the right offering at the right price, I can’t secure that company. Think about that. If they’re not doing the right things and transacting and giving me the right amount of money, they’re not secure.

MacKenzie Brown: Right. No one budgets for security typically, so that absolutely also makes sense. So being responsible, you’re not just selling security, but you have a responsibility to be prescriptive in a manner that makes sense, because they won’t, don’t care about the shiny toys. But they do care about the risk and the outcome of those toys not being in place. I shouldn’t use the word toys, but you know what I mean? Technology, tools, whatever, all the fun stuff.

Well, I love your perspective on this. We’ll get right into it. Andrew, you are the founder of Right of Boom. You’re the founder of Cyber Nation, a founder of Cyber Call and Cyber Cast, in addition to leading the ConnectWise cybersecurity strategy back in 2016. So this is really impressive. You have a very impressive resume here and kind of how you started.

How the hell did you end up at this level of, you know, MSP Master Pimp Daddy, I don’t know. I introduced you as just like G’d up, cool guy, but really, how did you end up in the channel? How did you end up in the channel? And then also focus on cybersecurity, which, you are one of the few that have really taken initiative to focus on cybersecurity within the channel. While there are a lot, but—

Andrew Morgan: So I was fortunate that in the late 1990s, I thought technology was something that was going to be around forever. In other words, what could I get into coming out of college and that I would never be laid off? That was just my mindset. Where should I go? And I thought technology would be the place.

And so we were VARs and system integrators back then. It was before we were called MSPs. My company that I worked for at the time was called Progressive Business Systems here in Tampa. And we had a friendly rival in Tampa by the name of the the Bellini brothers, called ConnectWise.

MacKenzie Brown: Sounds like a mafia story. I’m loving how this is starting.

Andrew Morgan: And what was interesting is we had some mutual customers and I became friends with Arnie. And one day in the late nineties, early 2000s, I forget exactly when, he said, Hey, come over, I’m building some software I want you to see.

And it was actually the prototype of ConnectWise, Mac. And the first ConnectWise Manage, it’s now called. And I said, wow, that’s really fascinating. I think I can help you sell this. Anyway, fast forward, I was one of the first employees at ConnectWise.

I was fortunate that—I owe a lot to Arnie, that he gave me an opportunity. I spent some years away from ConnectWise, but eventually came back in 2016. I thought that their cybersecurity strategy really needed, you know—I shouldn’t say needed, there was really no cybersecurity strategy at the time.

And I’ll tell you this flat out, Mac, that I took a lot of heat, a lot. I was not a popular person in ConnectWise, because the rhetoric was at the time, MSPs are not mature enough, they’re not ready for cybersecurity. And I was fortunate that both Arnie, Jason McGee, and a few others believed in me, that this is something we should pursue. We should pursue potential acquisitions, investments, strategy, et cetera.

MacKenzie Brown: Is this when the term MSSP came out, or…?

Andrew Morgan: Well, MSSP, I think, had been out, to be fair. For example, Fishtech, Gary Fish’s company. There were definitely companies that were MSSP’s at the time. But from a maturity perspective, most MSPs had no idea what a framework was.

And so anyway, fast forward, like I said, they believed in me. We did a lot of things that eventually ConnectWise has done complete initiatives on now. 2019, we got acquired. I stayed for a little bit. And I had been working with several of the vendors on helping them with their go-to-market, specifically security vendors. And decided to ask a few of them if they would allow me to work as a consultant if I went out on my own, and they did.

Fast forward, the pandemic hit, and I launched The CyberCall because people, I felt, needed a community. All the shows that everybody was going you know had everybody—

MacKenzie Brown: A lot of shows, I’ve learned, everyone goes to. I can’t imagine, pandemic hits and then all of a sudden they’re at home like, wait, what am I supposed to do?

Andrew Morgan: Done. And I was just talking to Aharon Chernin from Perch, who again, somebody I owe a lot to. Aharon gave me my first shot at consulting, and I worked with him at Perch when they had no MSPs and all the way through exit, but we did Perchycon and we were the last actual event in 2020, late January, 2020.

We were just talking about how literally, that was it. That was the last actual event, the pandemic hit. And then, you know, we were talking about, what can we do to bring MSPs together? And we did a virtual event, I created this event with Huntress and Perch. It was called The Cybercon. We had like almost 2000 people show up virtually.

And then I said, Hey, do you want to keep going? You know, keep, and that’s where The CyberCall was launched.

MacKenzie Brown: Well, and like you have thousands of people who join The CyberCall too, which I thought is insane. I’ve been on it before, but when I saw the amount of people, I was like, wow, this is a community, legitimately.

I think that’s what really perked my interest of the MSP space, or the channel in general, is the level of camaraderie that occurs. And, you know, a little spicy on Reddit, but overall like, really a level of just like truly engaged community that cares and joins every week. Like, they’re going to church. I think The CyberCall is your guys’ church. They’re just joining and they’re meeting new guests every week.

Who’s been your favorite guest so far on The CyberCall, as you’re talking about that? I’m just curious.

Andrew Morgan: But that’s, I was going to say, Mackenzie, that’s kind of hard. You’re—as one of my guests…

MacKenzie Brown: I can’t just kill the recording, I swear. I’m like, you better say me. But no, you’re totally fine.

Andrew Morgan: I mean, you’ve been awesome. I mean, look, we’re in three plus years doing this now. And I do I have to say this, for all MSPs listening. Can you just come every week?

What I mean by that, Mac is, it’s only when there’s like a cyber attack or some supply chain event in the MSP space. That’s when our largest audience shows up. You know, when we’re talking about these are the things you need to do. Then you get your regulars, you know. But it’s just very funny when there’s, you know, it’s unfortunately the highway crash, everybody shows up.

MacKenzie Brown: Yeah, yeah, ambulance chasing a little bit.

Andrew Morgan: That’s human nature. But I would say my favorite of all people on, it has got to be John Strand. Just because he’s hysterical. He’s literally one person that arguably is, I’m sure off the charts IQ, right? But he can take security, and not only make it funny, but relatable. There’s a really amazing gift the man has.

And also the fact that he is willing to help anybody. You know, his pay what you can courses, if you can’t pay for something, he doesn’t care. He’s just a very good human being. And that’s what you typically find from hardworking, literally grew up dirt poor and has just worked his you know what off. He’s just an amazing human.

MacKenzie Brown: It’s okay, you can say he worked his a** off. I curse on this. I’ve got Patrick, he will—we’ll do the swear counter and he will beep out all the words. Sh*t, See, I tested it. He’s already probably blurped it out for me.

But I mean, you’re totally right, I love Jon Strand. I did my very first Wild West Hacking Fest. I think I even texted you during it. I was like, oh my God, you know, Malware Jake, you gotta bring this guy on. This is a great preso for MSPs this year. And it was fantastic, but John Strand, did great.

And actually I just registered, if anyone, you know—I guess I’m just doing free promotion for him right now, but the Snake Oil Summit starts next week and you can type in Snake Oil Summit, first thing that’ll pop up and go register. It’s completely free, virtual event, and there’s some really cool speakers for the day. They have some training too you can sign up for, but you’re totally right.

The amount of free—and those are the types of things we need. Let alone in the security community, but especially in the MSP spaces, people are constantly asking for where to turn and free resources, and CIS is another great one, obviously that puts out a lot of those, but training is a huge one.

So I won’t try to get off topic too much, but so John Strand, congratulations, you have won Andrew’s Choice Employee of the Month or Employee Ever of The CyberCall. So I think he’s going to have to go back on The CyberCall again for you.

So I did have one kind of loaded question everyone can light up a cigar for. What is your overall take on the importance of MSPs and where they exist within the realm of cybersecurity? Where do they exist? Because I feel like this isn’t talked about enough. And I always, you know, I’ll talk to MSPs and during my presentation of my why is really, I feel like people get sidelined between IT and cybersecurity, but cybersecurity as an industry is not cheap and it’s not very inclusive in many ways.

But especially this disconnect from a business side, right? If we’re looking at the business side between IT and cybersecurity in those industries and where MSPs fit and what they can do and where small, medium business and small, medium enterprises sit that the MSPs are in particular supporting, let alone critical infrastructure, how do you view the importance of this? These are your people in a way, and where they sit in this realm.

Andrew Morgan: So I hope I’m gonna answer your question correctly. So just keep me honest.

MacKenzie Brown: No wrong answers, yep.

Andrew Morgan: So like the reason I do what I do, the communities, anything I can do to help MSPs, is because I truly believe they’re one of the most critical facets of our economy. Like literally, that’s how important they are. If you look at the amount of critical infrastructure that MSPs are responsible for, and even, let’s just take a step back, just because a business isn’t critical infrastructure, they’re still our economy, right? But what the government cares about, let’s just put a spotlight on that.

The government cares about critical infrastructure, right? We had, thank goodness, Executive Director Wales (thanks to your CEO, Jon) from CISA show up. You know what it is about the 16 sectors, right? So things like financial, water, utilities, et cetera, et cetera, et cetera. MSPs are the front lines to the majority of those companies, over 60 some-odd percent. So they’re incredibly important, number one.

The next part is most small businesses, most, aren’t going to say, oh sure, I realize there’s a difference between IT and security. They don’t understand that one is different from another. They understand accounting is different from legal. But from the fact that we have been involved in some semblance of their security, whether it be firewall, whether it be endpoint, whether it be email, we’ve now been thrust, because of threat actors not only focusing on us, MSPs, because they realize what a great target we are, but, it’s critical, Mac, that we educate and enable MSPs to improve the maturity of their security first internally, right?

This is something we talk about a lot and this is something Gary Pica and I talk a lot about on The CyberCall. He’s another mentor that I had the pleasure of working with for five years and learned so much in this business. He has a saying, you can’t give somebody something you don’t have.

And originally, way back in 2010 when we worked together, what he was saying, it was really around sales. So let me draw this analogy, Mac. Often MSPs would hire salespeople hoping they would fix their sales problem. But the owner had never figured out how to sell the right offering at the right price. So you’re trying to outsource something you’ve never had internally, you’ve never had discipline and an understanding around that, right?

Security and sales are so aligned, there’s something about them both, you can’t cheat the system. So we have to do security really well for ourselves first, because if we understand what it takes to secure ourselves—controls, policies, culture, on and on and on—then we’re able to relate that to who we’re talking to at our clients and sell them the right offering at the right price. So I don’t know, if I went off—

MacKenzie Brown: Right. No, I love that. I love the connection too, because if you think about executive level buy-in for large organizations and large enterprises, that’s something that’s not necessarily done across the board. It’s something that’s promoted, best practice is make sure you have executive buy-in for your security strategy. But we were talking earlier about the business side, and not a lot of C-suite really…They care about security, but they care about the outcome and the risk related to cybersecurity not being done.

But I have seen with the MSP space is, there’s almost an opportunity of where we’re sort of starting from scratch. It’s doing it the right way. Like you said, not just having culture, but having the education ability, having the framework knowledge, but a consolidated framework that everyone agrees on, having the camaraderie within the community itself so they know, hey, I can actually contact these other MSP partners or other MSP from an acquisition side, call them up for advice from cybersecurity.

There is a level that’s being done that while we are going back to basics, I think large enterprise fails at going back to basics. They just simply fill a seat with a new butt and hoping that person’s gonna resolve their problems, but they’re just repeating the same lack of best practices.

Versus there is a level in the MSP space I’ve seen where they are invested in foundationally doing it the right way and they also have a community to lean on for that, and that’s been lost on the large enterprise side. It’s just more so, it’s like a wild safari hunt. Versus this is just, everyone’s at the watering hole drinking and not fighting each other, and I love that. I do love that, that’s a little sentimental. Good answer, very good answer.

All right, so we talked a little bit about The CyberCall and your favorite guest. Congratulations, John Strand. You will be getting an award in the mail. The next thing I wanna discuss is really my favorite topic right now, getting everyone hyped up, is Right of Boom. So tell me a little bit, what is the ethos of Rite of Boom?

Andrew Morgan: Yeah. So I can’t talk about Right of Boom without talking about my business partner, Ryan Weeks. Ryan is the heart and soul of content, the former CISO of Datto, and I think one of the most brilliant minds I’ve met. And again, another person that just cares. He’ll spend hours upon hours, days, if he can help somebody. I’ve seen him do it in an MSP, multiple MSPs.

And so I came to Ryan, who was one of my co-hosts at the time on The CyberCall, and he still is. He’s just doing some things where he’s in and out right now. And I said, you know, Ryan, I got something. I have an idea, but I also have something that’s bothering me. I said, well, something that’s bothering me is that I’m trying my hardest, you know, to help educate the MSPs on security. There’s no security conference that is vendor agnostic. There’s no security conference that’s strictly there to help educate, both on the technical side of security and the business side of security. I said, so I have an idea. I said, I kind of framed things out.

I was fortunate that one of my favorite people of all time, Sounil Yu and the Cyber Defense Matrix, who talks a lot about left and right of boom, I was fortunate to keep my eyes on the domain right of boom. I got it, which was all a stroke of luck, I think, but anyway, just discipline trying to get something.

And so I said to Ryan, here’s what I’m thinking. Here’s the conference I want to do. And he said, I really like where your mind is. He goes, I just have one piece of advice for you. Don’t make it suck like every other conference.

MacKenzie Brown: Oh yeah, I can attest to that for sure. Especially the small new ones. The first year—well, I never went first year—but that is probably, you were probably under a lot of stress, I don’t know. You can kill the first year of anything.

Andrew Morgan: And I think, you know, Ryan’s point is there’s a lot of great conferences out there, I didn’t mean to be derogatory. But what Ryan was really trying to say is like, let’s put some forethought into this, let’s have a journey. You know, he goes, most conferences, there’s a talk about this and then there’s a talk about that. You really want the MSP to go on a learning journey and come away with something, come away with tangible things that they can do, right?

So the common feedback out of most conferences, someone will say, yeah, I got pages and pages of notes and 52 different ideas. But we wanted to say, well, what’s something that you can walk away with and do something, right this minute? Like we went deep and wide, as you know, last year with BlackCat, the threat, as an example. So I hope that explains—

MacKenzie Brown: Yeah. No, it does. I wish I would have brought like, I don’t, I wish I had it to pull it out. I still have last year’s threat brief of BlackCat, but to put it in perspective for the audience, maybe we’ll be able to find a digital version and put it up. But they really, they detailed, they took the time for this to detail out all of the TTPs throughout the attack path related to what BlackCat does. And it does impact significantly on the MSP space too, some of their techniques with, you know, downloading RMM tools to devices and kind of, this is where we’re seeing for lateral movement or remote access opportunities.

But it was detailed to the point where you as an owner or the security leader, you can leave with that, go back to your organization, say, hey, we’re going to go through this entire attack path, almost like a tabletop, and we’re going to talk about how we’re detecting this or how we’re mitigating it and what our overall response would be with the outcomes of what this group, this bad guy group is doing. I think that’s fantastic.

So looking at the structure of Right of Boom, I love it’s a one-track mind in a sense, because no one wants to bounce around or look at an agenda and bounce around to 20 different rooms. That’s exhausting. Because then you’re definitely going to miss good stuff in between. But also, like you said, the tangible takeaways. For you guys, you have, tell me about the structure of Right of Boom and tell me a little bit about the artifacts, maybe even this year’s artifacts, that you’re leaning towards providing for people.

Andrew Morgan: Yeah, absolutely. So again, in taking a step back, you know, this learning journey, right? We wanted to make sure that, yes, there’s this technical side—and I think there’s this misnomer that it’s just a tech conference for security. So I’ll send our security guys. That’s why there’s the business track.

And then when I say there’s a business track, it doesn’t mean you go into a different room, MacKenzie. It means as we move through left to right of boom, putting in all the mitigating controls and policies as we move into the left of boom, there’s corresponding business, we go back and forth. So if we look about how a threat actor and their TTPs work and how they’re attacking, we have to build defensive capability, we have to understand how to package that, we have to understand the people and process to deliver that in our own MSP, and sell it.

So this is not just a, Hey, our security guys should be there. This is about how as a company, are we going to not only defend to understand what the threat actor is doing, but then, how are we going to actually build the blue side of this, you know, our defensive strategies, and go to market with them?

So there’s got to be something thought out, right? If we’re going to look at attack patterns, and now jumping into 2024, we went very deep into BlackCat last year. This year, we’re going to zoom back out and look at threat briefs from Verizon, DBIR, from Palo.

And 2023 has been the year of really nothing new. And let me clarify that. I’m paraphrasing Philippe Langlois from the Verizon Data Breach Report, who was on The CyberCall. We asked him like, what are threat actors doing uniquely? And he’s like, sadly, nothing. Sadly, nothing. Meaning he’s like, if you look at what are the top attacks, it’s credentials. It’s stolen credentials.

MacKenzie Brown: Yeah. They don’t need to come up with anything new. They don’t need to be more sophisticated. People aren’t doing the basic sh*t right now.

Andrew Morgan: Exactly. So we’re going to look at the top attacks this year and look at it left to right of boom this year. And we’re going to double down on the business track. It was our first attempt last year and we thought we did okay. This year we really want to double down and that’s why Brian Blakely is leading that entire thing. And one other piece of that I don’t think you’re aware of, I’m telling you in a second.

But we’re going to look at the top attacks, everything around credentials and social engineering. We’re going to be looking at web app vulnerabilities. And what are the things that people are getting popped over and over and over? And if we can focus narrowly, Mac, into these top three to five attack patterns, man, if we just got good enough there, we really wouldn’t have to worry about too much else, if that makes sense. Because there’s only so much as MSPs we can focus on and prioritize.

So the other thing I’ll say is that we’re gonna start to let the cat out of the bag is, we are bringing in two CIOs for commentary on every session. So we live in a myopic world thinking, oh, this would sell or that would sell, as an example. But would it really? What’s the perspective of the buyer?

Now, the next twist about these CIOs, one is the CIO of the County of Santa Barbara. So we’re going to get the SLTT perspective that a lot of MSPs deal with, right? Municipalities. We’re also going to get a CIO of a large, you know, decent sized mid-market contracting company. But here’s the twist though: Both of these CIOs had very successful exits as MSPs.

MacKenzie Brown: Wow. Okay. I thought you were going to say they’re both like black belts or trained in jujitsu and you’re going to make them fight.

Andrew Morgan: Yeah, they may. They are two well-known names out there. One is a gentleman named Chris Cherwin. He was the CEO of Landspeed and had an incredibly successful exit from his MSP. And he’s been the CIO for the county of Santa Barbara for several years. He has several hundred reports. His CISO, Gary, and I’m drawing a blank on his last name, will be with us as well.

And then Bill Long, who was involved with Infranet for many years, at WebPoint, he was an owner, he got merged or bought—I forget the exact transaction—with Infranet. He was there for about five years as COO. He is now the CIO of Barnhill Consulting.

And so we’re gonna get this multifaceted view. We’re going to get a technical view session. We’re going to get a business view session, and then we’re going to get the view of the buyer. But the buyer can see both sides. The buyer can see it from the MSP’s side, the buyer can see it from the buyer as the actual buyer today, and give very different perspective wearing both hats. So that’s a little insight into Right of Boom ‘24.

MacKenzie Brown: I love that. And I feel like those perspectives help too, because when you go to session after session after session at a conference and you’re taking great notes, you almost need to pause and just wrap it up with a key takeaway. And having two people from private and public side of the world to be able to say, this was my takeaway. I think that really wraps it all up nicely for the audience.

And this year, why Vegas? That’s my next question. I feel like you reach a level of dopeness in conference land when you’re all like, all right, now we’re going to do the Darwin Awards. We’re going to send every single one of you to Vegas and see what happens.

Andrew Morgan: I wish I could tell you there was this master plan, we’re gonna go to Vegas. No, it’s not that way at all. So Mac, let me start with the why or how we ended up in Vegas. So year one, we were in Tampa and we had about collective between attendees of about 250 or so vendor attendees. So that was year one. Year two, we had a goal of 500 MSP attendees. We hit just under 600 and with sponsors, we were around 800, you know, somewhere in the 750 or so.

Well, this year with a goal of 750 attendees and probably 200 plus vendor attendees, being in March, you know, we’re a February/March conference—

MacKenzie Brown: A less stinky time to be in Vegas, which is nice.

Andrew Morgan: Not only that, but it’s cold in a lot of places.

MacKenzie Brown: Yeah, we need a break.

Andrew Morgan: So not a lot of people want to go yeah, take us to Minneapolis in March. Probably not gonna win a lot of hearts and minds.

MacKenzie Brown: I would politely decline, yeah. I mean, for you I wouldn’t decline, but I would not be happy about it.

Andrew Morgan: Yeah, you wouldn’t politely decline, you would just decline.

MacKenzie Brown: Yeah, I’d be like, I’m going to come in virtually for any presentation you need me to do, but I’m definitely not showing up with my snow boots. Yeah.

Andrew Morgan: Exactly. So really, and it’s fascinating, the conference business is booming, absolutely booming. So not just in our industry, right? In all these industries, post-COVID, people have lost their mind. So in terms of conferences, these have become destinations.

So when we looked at the size and looked at the time of year, and a venue that was really important to us, Mac, I have to say this, was not only a venue that could keep all of our attendees together in the learning journey, right? Well, knowing we’re gonna be about a thousand people, one of the big things that we like to do is encourage not only the attendees, obviously, to sit through the learning journey, but the sponsors. So we want them to be part of this as well.

The other thing is in the technology pavilion, let’s face it, you cannot put on a conference of this size and scale without sponsors. So we wanted, in the technology pavilion, everything to be there as well. So all the food and beverage and everything. So we needed two massive ballrooms, and that’s how we ended up with Vegas. Yeah.

MacKenzie Brown: Mm-hmm. I love that. That’s how I always end up in Vegas. I’m like, I feel like I need a massive ballroom for my personality right now. That’s perfect. I love that.

Okay, so what can people expect this year? If you’re going to really get them hyped up, and I know you guys have already sold a crazy amount of tickets and the pre-days, right? Like, most of those are sold out. I think there’s still space in our pre-day. But tell us, tell our audience a little bit about what they can expect.

Andrew Morgan: Yeah, so well, your pre-day, because you’re the diamond sponsor. So you have up to like 120 people, right?

MacKenzie Brown: Yeah, I’m terrified. I’m a little terrified.

Andrew Morgan: So that’s why your pre-day is not quite sold out yet, but you’re getting close.

So what’s interesting is, what we wanted to do for platinum sponsors and above. And we’ve, this has become kind of a thing with Right of Boom is, they get to put on a pre-day event. And they don’t, no one charges for it, or their pre-days. We do have some technical ones that you do pay for, but there’s various ones. I’ll let you tell a little about yours, Mac, cause I think it’s really cool.

But for example, I think SaaS Alerts is really interesting. So Chip Buck is coming, their CTO and founder, who’s a phenomenal technical mind, and he’s bringing in Beau Bullock of Black Hills, who’s arguably one of the best offensive cloud minds out there. He’s written like, insane types of tools that he’s open sourced for red teaming and for the offensive side of cloud. Yeah, he’s phenomenal.

Kaseya is doing a really neat thing around Vonahi. Nine Minds, Arnie Bellini will be there. Nine Minds is one of his companies with a guy named Robert Isaacs, and it’s an AI platform. So they’re going to be doing some interesting things on LLMs. I know ConnectWise has a pre-day. I’m trying to think who else. Toyl, and a few others. So that’s the pre-days and everybody gets to pick a pre-day, Mac, if they want to.

What I’m absolutely pumped about is we’re bringing in a former Navy SEAL Brent Gleeson, our keynote speaker, he wrote Embrace the Suck. So he’s doing a pre-day workshop on leadership, but wow, what a motivator, like he is phenomenal on stage.

MacKenzie Brown: Is he going to do a book signing? I feel like—

Andrew Morgan: We could ask him to.

MacKenzie Brown: We should ask him. I would love that. I know Sounil did one last year, and I was like wiggling my little tail, walking up to him. Like, hi, I actually have read this, and I do want you to sign it for me, please. Which was fantastic. He’s so good.

Andrew Morgan: He’s awesome. So, yeah, Brent, why I thought it was so applicable is he teaches about leading through adverse conditions, Mac. And, you know, if there’s an incident, which arguably we’re all going to be involved in at some point. And what he teaches about the highest level of leader to the lowest person in the totem pole in an organization, everybody’s going to have to learn to lead at some point and through an adverse situation, you know, somebody that you would seemingly not think was going to rise to leadership, may.

And how do you teach that? How do you get prepared? All people and all facets of your company. And so that’s really around day one. And we always have our evening on day one of backdoors and breaches led by John. So if you wanna see the Sam Kinnison and Robin Williams of cyber, come on, learn all about incident response through a card game. So yeah.

MacKenzie Brown: I love that. That’s gonna be really good. I hope they bring the expansion packs too, because there’s the cloud expansion pack in particular, I think everyone would really enjoy.

Andrew Morgan: Well, that’s Beau’s thing and he’s the one that created it. The big takeaway this year, like I said, is the detail, the level of detail Ryan Weeks is putting into the technology track and Brian Blakely is putting into the business track.

I put something out there, Mac, that each session, the MSPs are going to walk away with something tangible. It might be a checklist, it might be a script, it might be a plan, but we’re tasking each speaker to bring something tangible that every MSP can use right away in their business. And so does that give a kind of an overview?

MacKenzie Brown: It does, especially like the artifacts, the things that you’re talking about, the tangible items they take away. That to me is the big differentiator of this conference and a lot of many that I’ve been to. You can get great notes, you can even get copies of the presentations, you can go back and watch them over again on streaming, but ultimately it’s like, what do I do with this information? And I know for one, like we’re working on what Blackpoint’s gonna provide as an artifact of hunting packages and RMM scripts and things that are useful for them to take away and to implement to some degree. So that’s my favorite thing.

And the small plug for our pre-day that’s not quite sold out, but to be honest, over 100 or 120 people terrifies us because we’re doing a CTF challenge. So we don’t want things—the things that go wrong in the CTFs are always like the little things like outlets powers out or the Wi-Fi is going out. It’s never the easy things or the hard things as far as making sure the data is actually populated for people.

But we do have a fun CTF that’s being built out, or that is built out, because we’ve already tested it and blown it up a bit more, and we’re gonna make it even more challenging and difficult, but putting people in the shoes of an analyst. So we’re really gonna be training them. Like, hi, welcome to Blackpoint SOC. We’re gonna train you right now in your new position of a hunter. So get ready and you know, it’s gonna be exciting.

But we also partnered up with CIS, so Phyllis Lee is gonna be joining us, and we’re gonna do some fun little after-action and align it to CIS which is also something I took away from this Right of Boom last year is, again the frameworks and the the things that people use for tools, let alone those takeaways those artifacts we’re talking about, but everyone is so on board with CIS and they always find ways to tie it back to it and to make it relevant.

And it’s almost like the thing that I don’t see in the overarching cybersecurity community, but in this is with the MSP space, everyone has a universal language they’ve just decided upon, and we are sticking to it. And I find that is so helpful, especially when it comes to frameworks and building out security programs. Like let’s just focus on one, and then CIS thankfully maps to everything else that we’re concerned about. So that makes it easy too.

Andrew Morgan: Yeah, absolutely, absolutely.

MacKenzie Brown: Okay, so if people want to—last little bit of information, if people want to sign up, what do they have to, where are we at, is it still open? Can people still attend? Book their tickets now?

Andrew Morgan: Yeah, you know, the urgency is really the pre-days, Mac, many of the pre-days are already sold out. One pre-day I didn’t speak about that is selling out also is the one with John Strand, Ryan Weeks. This is a paid one. John Strand, Ryan Weeks and Chris Gerritz.

MacKenzie Brown: That’s amazing. Ryan kind of talked about this a little bit too. That’s gonna be, it’s like an extortion one, I think. It’s gonna be super spicy.

Andrew Morgan: Yeah, they’re actually gonna do one, I think it’s really fascinating, on how MSPs can spot gaps in their security stack. What things can they do, for example, if they’re looking at their EDR, how do I know it’s getting bypassed? What other measures can I put in place? That’s an example, right? Because we rely, these are Ryan’s words, we blindly rely on technology, right? If you think about why Blackpoint? That’s what you guys do so well, right? Because we know technology fails. We know defenses fail, right? We read about it every day.

So if you go to rightofboom.com, yes, we haven’t sold out yet. We did last year, Mac. We did last year. But like I said, it’s really the pre-days. If I could encourage people, because the majority of them are included in you know, you can pick one with your admission.

The other thing is Mac, the hotel rate we have at MGM, $135.

MacKenzie Brown: That’s insane.

Andrew Morgan: Yeah, for an amazing room.

MacKenzie Brown: Especially when you know you’re gonna go get Starbucks down the street for like $20 for a latte. So yeah, you gotta save where you can when it comes to Vegas, that’s for sure.

Maybe, you know what you should consider, maybe I’ll ask if Blackpoint can do this, but those little hangover kits, those would be really helpful.

Andrew Morgan: You think we’d need those?

MacKenzie Brown: I mean, I personally need them, but I’ve learned that apparently the MSPs have like iron stomachs and livers and I do not, but give it a couple more years, maybe I’ll be a professional at this MSP conference game.

Okay, so one last question outside of just signing up. If you could give advice to attendees who are clicking the button right now and they’re putting in your information, you know who I’m talking to because we’ve been talking about this and I guarantee you’ve already registered as you’re listening to me, but what is one piece of advice you would give them before attending the conference, whether it’s a state of mind, packing extra underwear, like what would be that advice you want to give them?

Andrew Morgan: That’s brilliant. I would just say number one, come in with an open mind. Be ready to learn and it’s a community, so we’re all there to help one another. And I would tell business owners, yes, we are known as a security conference, but there is a very big play on the business side of this. Cause again, like I said earlier, if we’re not selling this, we’re not protecting anybody, right? We’re not helping anyone if we’re not selling the right offering at the right price.

MacKenzie Brown: I love that. That’s perfect. This is gonna be a big one. I’m so excited. I’m so excited for this year. This is gonna be good. When is March? How far away is that? Like I’m already counting down the days.

Andrew Morgan: We’re excited. It’s gonna be here before we know it.

MacKenzie Brown: Well, this could be some good takeaways from this episode. Thank you so much, Andrew, as always, for just being such an incredible person and resource and friend in this community. And I’m just, I can’t wait, everyone, take your time to go to rightofboom.com–you are a winner for grabbing that domain, you’re not kidding there, I know what it means to be able to make sure you get the right domain name— and register and come sign up for, I think we have some spots left for our CTF.

I’m not trying to push people to sign up, though, because I am terrified of 120 people all logging into some fun sandbox environments we have.

But ultimately, make sure you register, sign up, and we’ll see you in Vegas. Thank you, Andrew, for today.

Andrew Morgan: Thanks for having me, Mac. It’s a pleasure.

MacKenzie Brown: Awesome. Bye, everyone.

Explore the resources we have to offer!

Sharing information keeps cyber adversaries at bay. Stay sharp by checking out our library of blog posts, on-demand webinars, threat research, and more.