Archives For assessment

Discover three things we did to make a lunch & learn succeed – converting prospects to customers.

Continue Reading...

SIEM viewpointWhat The Lazy MSP Companies Aren’t Showing Their Clients

Assessing Risk is the fastest way to land new logo business in the MSP arena. And if you want to build a long term, profitable business, you’re MSP is going to have to go MSSP…

(Note: I’ve purposely left out the heavy technical jargon to make this readable by sales – if you actually do the engineering work, you’re probably wanting a more technical deep dive. My goal here is to help sales reps sell the one thing that will overcome any IT budget objection.)

While 90% of the tech companies I speak to CLAIM they do security (on their website), only a handful actually do.  If you want to set yourself apart, learning to discover urgent issues (already present) on your client’s network will do it.

Over the past several months I’ve written numerous articles on how to sell, deliver, and convert assessments to long term annuity business.  This one last step in the actual assessing process is arguably the most important.

You Can’t Just Look At Perimeter Scans and Configurations


In this YouTube video (published by Alienvault – below), the speaker is explaining the dangers of connecting to Tor or using BitTorrent, as examples of traffic symptomatic of botware. Check out 0:48 in the video below for more threats he uncovers…

These are the urgent issues you need to move deals forward!!!!

Traffic patterns also reveal reconnoissance efforts underway by hackers – thieves gathering information to be used in a future attack.

You also want to know if malware is already installed or in the process of being installed through phishing attacks or web-threats of any kind…port scans in most cases will not do this.

The problem is, most assessments I review in my coaching calls show nothing regarding traffic or connection activity between workstations and the outside.  Why?

Because it’s not easy.

In other words, the MSP providing the assessment is either too lazy or too cheap to do it, or just doesn’t know what they’re doing.

If you sell (or use pro bono) assessments, with the goal of opening new doors in the accounts you serve, make sure your professional services team understands the importance of traffic analysis and has the tools to do it….

Lots Of Data, No Connection, Equals Meaningless Data


Today’s technology is great at logging data…but not so great at drawing out intelligence.

That is unless you know SIEM…Security Information & Event Management.

The ability to take all of that data from AV software, UTM firewalls, IPS devices, etc. and make sense of it has been a road block for just about any company short of large enterprise…

Until now…

There are several options including some UTM firewalls, products like AlienVault and Arctic Wolf (positioned for mid market), and BlackStratus’ recent entry into mid-market and SMB…Cybershark (Which can be white-labeled and offered with full SOC services – with little of no investment!)

With SIEM now available as a cloud offering, there’s really no excuse for not doing this.

Key Point in the video below (at 2:35) – None of this information is actually interesting unless you can get the analysis, and make the data actionable.

Unfortunately, most SIEM technology won’t really do this for you (Even  though AlienVault and others claim to). In the end, you (The Rep) must read the report and see if your client is going to be moved by it.

If not, rewrite the execute findings as a separate report – more to come on that in a future post.

This takes us back to an earlier article on QUESTIONS TO ASK…The most important part of the interview process is in gathering the mission critical data offered only by executive management.

MTD, RPO, Etc…think Business Impact Analysis…all security issues are disasters and should be viewed just like Disaster Recovery…But you’re competition isn’t doing this.

Key Moment In The Video (3:50)


At 3:50, this video shows actual malware infections being installed – not only is this type of activity undetectable with simple observation, your Network Patrol Product is not going to see it either!

Only with something that looks at host intrusion does this become evident.  The good news – once you have an MSSP offering installed to do this type of analysis, it’s easy to justify keeping it there – this is annuity business that self-justifies.

Check Out The Entire Video Right Here

But Remember, this is not the most important tool – your QUESTIONS are.

Armed with the intelligence that comes from talking with executives and other asset owners, this information suddenly makes sense in helping a client determine their true threat levels, while providing you with the justification you need to move forward with MSSP.

Copyright 2017, David Stelzl

For more insights on how to sell assessments and larger security deals, check out one of the only books written to resellers and MSP providers on how to sell Security: The House & The Cloud…

plug and playSelling Security is Not The Same As Selling Insurance

You can spin security a million ways to make it sound like there’s a return on investment, but you’re only kidding yourself.

So how exactly do you sell something that many people think they don’t need more of, and that really has no ROI?

I just wrapped up two training days with Brian NeSmith, President and CEO, and his team at Arctic Wolf, a security operation center that targets small and medium businesses.  As always I’m sure I learn more than anyone at these meetings.  And I have to say, I’m impressed with the technology and the team.

Arctic Wolf is exactly what small and medium businesses need as they move toward more IoT, mobility, and BYOD.  This morning as I’m wrapping things up and getting ready to head home for the weekend, a few key principles are on my mind…these are foundational mindsets every sales person must have if they want to sell security or managed services.

  • Security is not a product. Even if you are selling a product, don’t present it that way.
  • Every small and medium business needs more security. Specifically, they need the intelligence and insight into what’s going on in their network as they create and use data.  According to Gartner, 80% of these companies are working without any realtime detection element. Even if they have the UTM firewall, they probably don’t watch it. And if they did, they wouldn’t understand it. That means every one of these companies is a qualified prospect.
  • If budget comes up, something is wrong. Security is sold based on high impact of a likely event. Most decision makers won’t understand their risk, so start there. That means you’ll need to gain access to those decision makers early in the sales process – but not to show them your corporate presentation. Instead, talk to them about technology trends like IoT that will be used to grow their business.  That’s what they want to hear…then transition to the security risks that come with new technology.
  • The sale requires justification. Justification comes with getting them to see they have urgent issues – risk. Most assessments, like 90%, show urgent findings.  That’s justification. If you still can’t close, you are either talking to the wrong people, or hiding the urgency in the language you use. Be bold and upfront – be clear. People from China are potentially in your data!
  • Whatever you do, don’t get bogged down in the technology and how it works. This discussion can come later with the IT people – but the sale is made at the business level, and should be conceptually made before diving into the weeds.

For more on how to effectively sell security, check out The House & The Cloud…you can get it here for a limited time for $1.00 – free shipping, and no strings attached.

$1 HC Book Ad


assessmentOne Thing to Look For In Your Next Security Assessment…

If You Want To Convert To Projects & Managed Services

Are you assessing your client’s data security? More importantly, is your assessment turning up urgent issues.  A week or so ago I posted on finding urgent issues – The Bot is your client’s number one enemy.  Do you know what you’re looking for?

We’ve become lazy. Too many security assessments depend on scanners to find open ports and missing patches. But as I mentioned in a recent post, missing patches are not urgent. However they may be one of the reasons your client has bots on their network.  But if you can’t come up with any bot activity, it’s kind of hard to get the client to see why the patches are so important.

$1 HC Book Ad

More On How To Close Security Business!

So Exactly What Are We Looking For? How Do You Find A Bot?

In the House & Cloud book I recommend using a pro-bono assessment to build justification. If the company you’re calling on sees value in you, there may be an opportunity to actually do some business. If not, you can’t expect them to just sign up and try you.  The assessment is the perfect service to both build justification and rapport.  But you had better find something urgent if you’re going to unseat the competition.  The Bot is your answer.

This is especially true in the small and midsize businesses. They lack the sophisticated security technologies needed to detect and stop the installation of botware on their computers. So chances are, if you look, you’ll find it.  So what is a bot?  It’s software, from an unauthorized user, used to gain access to your client’s computers. It comes in through email and infected websites, or downloads.

Your job in a pro-bono assessment is simply to find evidence of bots (or something else that just as urgent.) Don’t worry about over analyzing what they are and where they came from. If they exist, it means botware can get in, and the company is not properly detecting and stopping it. You job is not to prove an eminent disaster. Bots are bad, even if they are dormant when you find them.

Bot Symptoms – Like Burglars, They Make Noise

When a bot hits a computer, that computer becomes a zombie.  The bot software is installed and begins to execute it’s function on that system – a set of instructions to do something. That “something” is often detectable! While no one can physically stop all bots, early detection and response is the key to minimizing the impact.  Some of these symptoms include:

  • PCs begin communicating with known Command and Control Servers (C&C). “In the traditional botnet, which includes a C&C server, the bots are typically infected with aTrojan horse and subsequently communicate with a central server using IRC. The botnet might be used to gather information such as credit card numbers. Depending on the purpose and structure of the botnet, the C&C server might also issue commands to start sending spam or begin a DDoS (distributed denial of service) attack,” – WhatIs.Com
  • IRC stands for Internet Relay Chat. While there may be some good uses for this type of traffic, chances are your SMB client is not purposely using this method of communication. So if IRC traffic is detected, you should assume there is something wrong.  Further investigation may be needed, but it would be out of scope – so report it as being “highly likely” symptomatic of malware.
  • There may also be DNS requests coming from these systems in an effort to spoof…or there may just be reports of slow computers that are bogged down by running these background processes.  Of course, this may just be a cluttered Windows Computer in need of repair.

How Do You Detect A Bot?

Most of the assessments I review never mention botware or zombies. They only talk about patches and ports. The scans they are using have little or no information that the client will find interesting.

While it is possible to run some detection tools on each PC,”polymorphic viruses” have pretty much defeated traditional AV technology. Your client may need some education on this before moving ahead.

The alternative is to look at the network.  As we mentioned, IRC traffic is probably not authorized traffic. So that’s the first thing I would look for. While it is possible to use a packet sniffer here, network switches make this more difficult – basically you would be looking for unencrypted keywords sent on IRC channels. IRC runs on port is 6667 by default, but the entire port range (6660-6669 and 7000) must be checked.

If you have the ability to access firewall logging, mass mailing can be detected over SMTP from a central location. This is often a sign of botware being using to send spam.  Is spam urgent? Yes! It’s illegal in and of itself. But chances are it contains something worse such as illegal pharmacy marketing or worse, child pornography.  Make sure your client understands what would happen if they were suspected of distributing either one. For one, their family would be ruined long before they could prove their innocence.

If endpoints on the network are simultaneously hitting a single external site, that can also be a sign.  This would be true if the C&C had instructed these bots to launch a distributed denial of service attach (DDOS).

Note: Don’t bother checking server and email logs for this type of activity. Bots don’t go through the normal channels of communication and will not show up in your client’s log files.

This May Sound Technical But It’s Not

In most cases you have someone technical working with you, if you yourself are not that technical. If you’re in sales and you don’t really understand the urgencies listed on the deliverable, neither will your client.

There are a few terms here that border on bits and bites, but with a few Google searches you should be able to nail down these terms and be able to communicate them in simple language to your client.

There’s a enormous amount of business waiting on the other side if this blog post. Learn these few concepts, locate the urgent issues in your next assessment, and be able to share the results (business impact) with your prospect. The rest is easy.

…quod erat demonstrandum

Copyright 2015, David Stelzl




The Future of IT - Trying to manage mobile devices they don't own.

The Future of IT – Trying to manage mobile devices they don’t own.

Managed Services is Quickly Commoditizing

Yesterday I met with Bob Howard, founder of Contact Science (a firm specializing in telephone prospecting productivity). We were exchanging ideas on prospecting – specifically in the SMB managed services business. The SMB managed services business is quickly commoditizing – becoming a price per box sale just like the PC business a decade ago.

That’s bad news for those who have been working to build this economic engine over the past decade.

But it’s not over – it’s just changing.

What Does The Future Managed Services Provider Look Like?

I guess there are many answers to this question, but undoubtably, security is central to the long term SMB business requirement. There are some offerings that are pure security management – but I don’t see the SMB company hiring multiple companies to manage their systems.  They need one – and it will include both the commodity and the security.

SMB Security is extremely relevant.  Note, I am not talking about firewall management – that too is a commodity. Anyone can provide this.

Last week I spoke to 24 business owners in Tennessee. One single sales rep was able to pull in 24 lunch & learn executive-level attendees – mostly new logos, for a single event. The results? 100% of them moved to the assessment stage. This was not a product dog and pony – it was an educational event put on for the benefit of small business owners.  The hosting company ended the session by offering an assessment; every business owner saw the need and jumped on it.  Security is in high demand – when presented correctly.

The Future Security OfferingBlog Subscribe Ad

So what does the future MSSP offering look like? If you look at what’s happening in the enterprise space, it’s significant. CISOs are recognizing that they can’t really keep the hacker out. They also see IT control fading as end-users bring their own computers to work (iPads and phones), accessing thousands of unapproved apps. Corporate data is everywhere – and in many cases, stored and transmitted in clear text.

New technologies are popping up to manage this new intractable world. Companies like RiskIQ are searching the web to analyze a company’s attack surface – finding anything online related to that company, and discovering data outside the firewall. They can also look for rogue apps sporting a company’s logo – apps that are not necessarily part of that company’s program.

Yesterday, WSJ Reporter, Rachael King wrote a piece on cloud apps and security brokers entitled, Companies Sniff Out Employees’ Cloud Habits. Interesting article. This technology helps companies find the apps their end-users are using, and enforces policies around them such as blocking or encrypting data destined for the cloud.

In my latest version of The House & The Cloud (2nd Edition) I invited guest author, Steve Rutkovitz (Founder and President of Choice Technologies) to write a chapter on managed security services he is offering through small resellers to provide compliance and event correlation.

All of these are growing needs. As Mike McConnell, former Director of National Intelligence under George Bush, put it, “We need predictive security” intelligence. He talks about having the people who possess the trade-craft to analyze the data and respond accordingly. The SMB can’t afford this. The programs I’ve referenced above are targeting large companies with big security budgets. But through cloud and managed offerings, the SMB can have it. Just as CRM, before cloud apps like Salesforce, was once an enterprise thing (remember using Act installed on a DOS computer), the new MSSP for the SMB will bring enterprise class services downstream at an affordable price.

Not Everyone Will Make The Leap

There’s definitely new business to be had. But not all will make the leap. Just this week I was talking with a colleague over breakfast at Starbucks. We’ve both had opportunity to work locally with a Charlotte-based SMB reseller. My one and only engagement with this company was about 5 years ago. Even then I could see this day coming. Their offerings were behind the times. They hired me for 2 days to help them outline a growth plan. At the end of two days they agreed to move forward with it. However, I was never able to get back in touch with the owner.

My colleague reported a similar experience with this same company.  The owner of that SMB reseller had made the investment to get a plan – twice. Yet, he was not taking action to implement. At some point over breakfast, as we shared ideas, that SMB reseller name came up – they’re going out of business.  Why? My guess is they were too busy to consider the future. Now it’s too late.

© 2015, David Stelzl

P.S. Keep up with the trends – join us for month interviews with industry experts with the SVLC Insider’s Circle (CLICK TO LEARN MORE)

John SileoIdentity Theft is Misunderstood By Many Of Your Clients

Last Friday I had the opportunity to interview John Sileo, one of our nation’s foremost experts on Identity Theft.  This was part of the SVLC Insider’s Circle online events…if you’re an active member you have access to the entire interview posted on the membership site.

We gained some great insights through this interview. John gave us actionable information – ideas to take to small business owners, as well as those responsible for security in the larger accounts. ID theft is still the biggest problem. There’s lots of intellectual capital being taken, but ID Theft is bigger in terms of volume and likelihood for most of your accounts.

John Sileo revealed some issues you need to know…in summary:

1. Small businesses are liable for their bank accounts. If someone steals money out of your personal account, chances are your bank is going to cover that. They’ll take the hit! But of course we’ll all pay for it in banking fees. There are no free lunches.  But if a small business account gets drained, that small business owner is on his own!  Most small business owners have no idea…

2. It’s going to take over a year for the business owner to discover he’s been hacked. Most of them are waiting to see if something will go wrong. If they don’t see it, the assumption is everything’s okay. They need someone to show them. It’s stealth, and they won’t see it.

3. The assessment process is broken. John shared a story from his recent visit to Starbucks. While sipping on a latte he watched as a man left his system to visit the restroom.  John was able to film the entire thing, including the guy’s screen – which was open for everyone to see. He was a government contractor accessing confidential information through a secure VPN. That VPN session was open and accessible while he was powdering in nose in the men’s room! Assessments don’t find this kind of stuff, yet it’s happening every day.

4. John personally experienced the loss of his own business years ago. He shared how his technology reseller business was compromised when someone ravaged through a trash can outside his office. Using unshredded documents, perpetrators were able to convince the banks that they were  “John”. They took out loans and bought stuff using John’s identity. It took about three years to recover his name – but he still lost just about everything he owned, including his business.

5. In our interview he revealed that 60% of the ID Theft going on happens at the small business level.  50% of these companies will go out of business once they disclose the breach (which is something they most likely will have to do.)  If they don’t disclose it and the media gets word – the damage multiplies.

ID Theft is big. If you’re in the managed services business, you need to be in the security managed services business. This week, Aegify, a provider of security managed cloud offerings is hosting a session on Growing the Managed Services Business. I’ll be addressing how to add security, what security to add, and how to take it to the market to address the issues mentioned above.  Register here and join us:

Yes, I want to learn about selling MSSP services  << Get your seat here!

If you would like a copy of John’s session, I did record it. Anyone who joins the SVLC Insider’s Circle will get this program, plus my latest book on selling security…and several other bonuses worth over $500, free.  You can sign up right here:  Learn more about the SVLC Insider’s Circle  << CLICK.

© 2015, David Stelzl

magnifyingglassWhat happens when you do an event, offer a complementary assessment, and then the opportunity goes silent?  This happens sometimes.

(By the way, if you’ve not done events where lots of people are committing to a next step, join me next week for Making Money w/ Security and I will show you exactly how to conduct a demand generation event.)

This week I am in Chicago working with a company on event follow up.  The goal of our last executive security event was to educate business leaders on what to be doing in their companies with data – specifically, how to be thinking about security and making sure their organizations are doing the right things to keep data safe.  On the heels of the event, the hosting company offered a complementary assessment to those attending – 100% of them signed up…the offering was valid, simply because it is true that all companies need more help with security.  My job was simply to show them, in a way that moved them to action that afternoon.  Once signed up, you can expect several things to happen…

1. Your contact doesn’t have the authority.  If you find that you can’t really get permission to go in, once your prospect has signed up, chances are you invited the wrong person.  An IT director might agree that an assessment would be prudent at this point, but may not have the authority to do it.  Make sure you have the right people attending.

2. IT pushes back – even though the President of the company invited you in after the event.  Yes, the president can invite you, only to have IT people reject you.  The problem here may be that the President doesn’t understand the need to question what IT is doing.  This might just be fear on their part. In this case you need a way to raise their emotion back to the level it was at in the event.  One strategy is to work toward meeting the president, with the agreement that you won’t proceed with assessing unless you first gain agreement.  By working at the executive level, you just might be able to raise enough support among the leadership team to get someone to put IT back in their place.  I find that Presidents are more likely to want to keep everyone happy – where a COO or CFO is used to telling people what to do.

3. You get delegated right off the bat.  If your contact immediately pushes you down to the next level  – all is not lost.  If it’s still an executive position, no worries.  Proceed with the meeting and use it to identify other asset owners.  Use each meeting to gain more support from key influencers – not IT people.  Once you have it, agree to meet with IT.  If you are sent directly to IT, try this.  “We’ll do this however you like, however in the past when we have strictly dealt with IT, we find that….”. Remember, you are liable for what you propose.  If you end up working with IT first, don’t complete the process until you have worked your way back up.  Go broad if you have to, but eventually you must move up.

4. The account is too small to justify the time – when this happens, figure it out on the phone, not in a personal meeting.  Conduct your interview by phone with some simple questions, give them some direction, and send them on their way.  If you offer them some value, but don’t engage in an actual sales process, you really haven’t lost anything and the attendee will likely be happy.  It’s a win/win.

There are many more strategies here – each road block demands a response…I’ll be covering this in detail in next week’s class.