Heimdal

Welcome back to the MSP Security Playbook.

In today’s episode, we’re diving deep into one of the most persistent challenges MSPs face: balancing layered security with operational simplicity. From tool sprawl and alert fatigue to vendor bloat and agent overload, it’s a complex puzzle.

It’s easy to think more tools mean better protection, but is that the case?

To help us unpack it all, I’m joined by Ross Brouse, president and COO of Continuous Networks. With over 25 years in the industry, Ross brings a sharp perspective on simplifying security for highly regulated sectors like healthcare, all while keeping protection airtight and the user experience front and center.

If you’ve ever wondered how to explain cybersecurity without overwhelming your clients, or how to future-proof your stack without sacrificing visibility, this conversation is for you.

But before we get into all that, here’s Adam with this week’s threat briefing.

Threat briefing with Adam Pilton

Adam Pilton: Picture this: your client’s top salesperson gets a call from IT support asking them to install a new Salesforce tool. They click the link, and just like that, your client’s data is being siphoned straight into a cybercriminal’s lap.

In five minutes, I’ll show you exactly how that happens and how to make sure it doesn’t happen on your watch.

Here’s this episode’s threat brief. This one’s coming from a crew called UNC6040, a financially motivated threat group. Their sweet spot? Any company using Salesforce, so most of your clients.

They’re targeting US orgs, but the tactics work globally. Once inside, they don’t just grab data, they dump entire CRM databases: PII, deal flows, customer lists, downstream credentials.

Then comes the extortion, with the extortionist claiming to be affiliated with ShinyHunters. And here’s the kicker. There’s no CVE, no patch. This isn’t about a vulnerability, it’s about trust, and they’re exploiting it ruthlessly. So, how does this attack unfold?

UNC6040 attacks explained

Well, step one is a phone call: an attacker impersonates internal IT, then convinces employees to visit a fake Salesforce connected app setup page and approve a malicious app disguised as a data loader. The link looks legit; it points to a fake Salesforce connected app. The employee authorizes it and boom, the attacker gets access to query and even exfiltrate sensitive information directly from Salesforce.

They don’t act immediately. They wait weeks, sometimes months. Then a ransom demand lands: “pay up, or your client’s data goes public”.

This isn’t a tech hack, it’s a trust hack and that’s what makes it so dangerous. So, let’s talk defense. Here’s what you need to do now.

  • Lock Salesforce down.
  • Strip the “Manage Connected Apps” permission from everyone except the few that need it.
  • Enable IP allowlisting, not just for logins but also for connected app traffic.
  • And next up: MFA. It’s a must have on everything: Salesforce, Microsoft 365, even LinkedIn.
  • Salesforce can help you too. Use Salesforce Shield to enable transaction security policies that detect suspicious activity and automatically alert or block it in real time.
  • And of course, train your staff. Simply being aware of this attack is half the battle. And why not use this as an opportunity to demonstrate to your clients your value? Create a playbook that you can roll out to every client before close of business today, informing them of this attack, what they need to do, and how you are protecting them.

This is your edge. We often hear that cyber criminals aren’t hacking in. With this attack they’re being invited in by trusted voices. If you tighten the trust controls now, UNC6040’s fake IT calls go straight to voicemail. Stay sharp and I’ll see you in the next Threat Brief. Jacob, back to you.

Ross Brouse says you should explain why IT is not just ‘a necessary evil’

Jacob Hazelbaker: Ross Brouse, thank you for your time today. It’s really good to see you.

Ross Brouse: Yeah, you too Jacob. Thanks for having me.

J. H: It looks like you’ve been in the MSP business space for a long, long time. Continuous Networks actually has been around for over 25 years, so you’ve seen a lot of changes over the years and a lot of changes in your company. I find that really interesting, man. I was also looking at your company and it’s great. It looks like you guys have slightly changed your brand positioning recently. So I was really wondering what’s driving your current focus and how does this new approach better serve today’s security challenges that you see?

R. B: We do focus on Healthcare, and they really don’t understand what IT is or what IT does, nor do they understand how to use IT from a strategic perspective. I know the way that IT gets seen, and it’s not just Healthcare, it’s in other industries as well. It’s that IT is just this necessary evil.

And the idea is to get them to think about utilizing these technology capabilities that they have to drive the business forward, to become this sort of strategic advantage that they can build for themselves if they begin to understand it.

Most of them don’t want to understand IT, and the fact is it isn’t really their fault. It’s the fault of IT people, because we’ve done a really poor job of using language that they can understand.

You can see it on just about every technology company that’s out there saying some ridiculous term, like “the fastest, most cutting-edge way to”, you know, to “drive your clients’ ROI”. Whoa, okay. Yeah. I mean, great, I love ROI. But what does that even mean?

And so, these people show up to work every single day and they struggle with all kinds of various different things. And most of the time that language doesn’t connect with their struggles at all.

Make IT simpler for customers to understand

So, why would they buy any of this stuff? Why would they begin to understand any of this stuff when the language that people in technology continue to use isn’t resonating? It isn’t connecting.

I was giving a presentation last week at a long-term care assisted living show, and there were about 180 long-term care administrators and executives in the audience.

And I was on stage about halfway through my presentation and I said, “Hey, raise your hands if you’ve ever conducted a security risk assessment with the help of your IT team so that you could sit down afterward, identify your areas of weakness or opportunity, and put plans in place to reduce your risk.”

And not a single hand went up. 180 people. Now, some of them may not have understood the question. That’s certainly a possibility.

But the fact of the matter is, if they were doing it, they’d know they were doing it. They’d know. They’d know because the people who were walking through that process would’ve illustrated those risks.

And so, this whole idea of why we came out with the taco brand and why we built this whole mentality is to make IT simpler for them to understand.

We know they’re not doing these things. We know that they are woefully inefficient, especially as it relates to the HIPAA security rule and that most of ’em think that HIPAA is just a privacy thing, a disclosure thing, a verbal or written communication thing.

The fact of the matter is that’s not where most of the breaches are coming from today. We know that in healthcare, in the last year alone, 74% of them have experienced some level of breach, and 91% of the time it came from email, it came from some sort of a phishing email that they’ve received.

And so, they just don’t have the proper culture that exists in these organizations to understand how to make this difference. Now, that’s not true for everybody. I have several clients where we have been successful in changing this culture. And it takes years. It takes years to do it. But that’s where the taco branding really came from.

Let’s make this memorable, let’s make this easy to understand and make it fun. Because especially in healthcare, they’re not used to this being fun. And now they’re starting to feel like “wow, this is not so bad. I could have a conversation about this.”

What’s a Frankenstack and how can you avoid ending up with one?

J. H: I love that you kind of describe it as expressing what’s often highly technical IT concepts, but in a more enjoyable, fun, and understandable way.

Something else I’ve been chatting with a lot of MSPs about is that a lot of us have too many browser tabs open for all our different products. It’s a real pain point.

Tool sprawl and agent fatigue are huge issues in our industry. So, in your view, where do MSPs often go wrong when trying to build a complete security stack?

R. B: I think that these Frankenstacks, as I like to call them, get built because you’ve got these MSPs that over time have just added on security tools that they either think are keeping their clients safe, or they are just building some margin or revenue in it for the client.

Like they go to a conference, they go, “oh yeah, this is a big problem”. They hear a vendor speak:

this is a big problem. We should go out there. Here, here’s some sales materials. Here’s a, you know, a battle card you can use. Take that in front of your client and sell it to ’em.

The client goes

oh, this, it’s a big problem. All right. Um, how much is it gonna cost? Okay, I guess you talked me into it. Here you go.

And then out goes the tool.

Evaluate. Ask the right questions

But who in your team is evaluating the tool? How does it connect to the business problems that the client is having? If it’s literally just to address risk, that’s fine, but what risks? Have you evaluated any of those risks?

And so, I think the big problem here, Jacob, is that these MSPs, most of them, don’t take the time to understand the problems that their clients are dealing with.

They’re selling them things that they don’t necessarily need. I’m not making the statement that you don’t need a good MDR. You do.

I’m not making the statement that you don’t need security training. You do.

You do need these things in place. There are some strict fundamentals that I wouldn’t sacrifice. But I think that you’ve gotta take the time to understand their workflows.

You gotta focus on what matters to them most, and you gotta do that first. Then you can start to evaluate against a specific set of controls, demonstrate the risks, and then use the tools.

Because these are, just as we call them in the HIPAA security rule, they’re just technical safeguards. That’s your tools. And what tools do we need to actually plug these gaps and solve these problems?

And it should be answered after the fact. It’s gotta be driven by something.

Piling on tools kills operational simplicity. That’s a Frankenstack

J. H: Sometimes you have a balance between layered protection and operational simplicity. How do you find that balance? What helps you strike the right balance between layered protection and operational simplicity?

R. B: I think the lack of operational simplicity comes from just piling on tools, building that Frankenstack, as I call it.

I like to look at it as covering your gaps. And the only way you can cover your gaps is if you know what they are. So, start there. What are your gaps? Figure out what tools can solve those problems and use the fewest number of tools as possible.

The real game changer here is the culture that you build and the processes that you implement and wrap around everything that you’re doing. It’s how that culture gets built consistently.

Talking about these risks, making sure there’s people in the organization that are bought in and having these conversations with you. Wrap those processes into everything that you do, and the culture comes from there.

I’ve seen it happen with these clients of mine that I’ve really worked hard on doing this with. And I had a client say to me just a couple of months ago who we’ve been working through a risk management program now with them for, I don’t know, 14 – 15 months. And he finally came in one of the risk management meetings and he said

wow, this is so cool. I never thought this was even possible. Now I know that if we have a breach, this is the team. This is how we’re gonna handle it. These are the processes in place to make sure that this is the obtrusive situation that we could possibly go through.

Now I know what that fire drill’s gonna look like.

It was cool to see that kind of a transformation happen with somebody like this and be able to say that. Two years ago, he would never have said that.

Layered security doesn’t mean adding up different agents

J. H: What do you think about visibility versus complexity when it comes to agents? Because you can really dive into all these different pieces of your stack and it can get real complex. How do you balance out the visibility versus complexity piece there?

R. B: Here’s the thing. We love our agents, right? We put so many agents across all these machines because they’re security tools and people have taught us to go out and tell our clients that security is a layered approach.

Gotta have layers, right? But what does that really mean? Again, I think that you have to be evaluating it against something. I think API driven is great. I think a cloud first mentality is really, really good.

But I think you have to have a way to verify all of that. What does that really mean?

So, some of the cloud tools that I work with will give me all of that benchmark. Like are we benchmarking against CIS? Are we benchmarking against the NIST cybersecurity framework?

Do we have a way to evaluate the gaps that we have in our security, and is there prescriptive advice that we can put in place?

You know, we’ve had access to Microsoft Secure Score for years and years and years, and while I would call that rudimentary at best, it’s still something that you can use to evaluate the security posture of your Microsoft platform.

So yeah, I think that you’re right. Not everything needs to be an agent. We’re seeing more and more of this stuff go towards the cloud, but there’s a lot of tools out there, and I’ve evaluated a lot of the tools and the best ones, the ones that I like the best, always bring it back to a cybersecurity framework.

They give me a way to evaluate the gaps in the infrastructure and identify the risks that come from those gaps. And when I have that type of a capability, it makes the tool a lot more powerful. And I think it’s a great way to allow us to have fewer agents as we sort of become more cloud-focused and have this cloud first mentality.

Focus on a process, don’t just sell things to make money

J. H: Let’s say you’re advising a brand-new MSP. What steps can MSPs take early on to avoid getting trapped in this trend of bloated security stacks, especially those newer MSPs that are just starting to scale?

R. B: I think you’ve gotta manage to a security framework. Take the time to understand what you’re gonna use right outta the gate and have some process for it.

Don’t just go start selling things because you’re making money. If you let the money drive your decision making, you’ve got your priorities in the wrong place.

Whether you’re a small MSP or whether you are just starting out, you’ve gotta have that process in place and start to build that culture in your own organization: “How am I gonna have these conversations with my client? How am I going to tie it back to the things that they actually want? And how am I going to teach them what good looks like?”

You know, we go through this process in every single one of our sales discovery calls, where we evaluate verbally, we let the clients self-evaluate against a set of best practices and standards. We call it our cyber score assessment. The whole purpose of the cyber score assessment is to help a prospect or a client uncover pain that they were unaware they had.

When you go through that process, it helps not only them to understand where they are weak potentially, but it also helps them to understand how you look at it and evaluate it.

And most of the time when I do this, the reactions I get from people are “wow, we didn’t know that. Our MSP didn’t tell us that. We don’t have those types of conversations. We had no idea.”

So, you’ve gotta have some way to drive that process forward. And it’s a process and a culture that you build so that you can do these things consistently over and over and over again.

J. H: That’s really fascinating. So you developed what you call a cyber score assessment that helps to identify pain points in your new and current clients.

R. B: Exactly. Yep.

J. H: What kind of questions are in that process, if I can ask? Like what’s the focus of it?

Get used to proactive care in cybersecurity

R. B: We have different versions of them. It depends on if it’s a fully managed client, if it’s a co-managed client, if it’s a healthcare client, if it’s a virtual CISO client.

So we have different approaches and a different set of questions based upon the type of client or the services they’re potentially looking for.

But we touch on areas like general infrastructure, we touch on cybersecurity, we touch on backup, and we touch on compliance. We touch on overall IT strategy.

The way that it works is we ask them these questions like

how confident are you that you have the right tools and processes in place to protect your organization from a ransomware attack?

And if they don’t know how to answer that, we have guidance that we can provide them and say “what we’re really looking for here from a best practice is X, Y, Z.”

That helps to clarify whether or not they’re on track with that type of a question. And then they evaluate themselves. They just give themselves a score. We’re able to tally that score up and then ask them questions after the fact: “Were you surprised by it?”, “Was there anything that caught you off guard?”, “Anything that you didn’t know?”

And it’s really helpful to go through and do that discovery and shine the light on things that they were unaware about. I work in Healthcare, so to bring up the analogy I say “Why do you go to the doctor every year? You do it to get your blood checked, your vitals checked.

If there are certain things that your general practitioner is concerned about, they send you off to a specialist. That specialist can then do other diagnostic tests, uncover things that maybe you weren’t aware of. Now you might have woken up feeling just fine today. You might have felt, oh yeah, I feel good. There’re no problems.

But how do you know that you don’t have a terminal illness? How do you know that you don’t have some sort of a health marker that you could start proactively getting in front of now before it becomes a really serious problem later?”

So, we’re used to proactive care when it comes to your health.

We’re just not used to proactive care when it comes to technology and security.

J. H: I love the way you frame that. It’s funny ’cause in my current role I was actually also given this analogy. As a salesperson, you want to think like a physician, you’re there to identify their pain and see what it is. But you came up with this assessment thing, which I think is something I’ve never heard an MSP really formalize in that kind of way, especially since you have ones for different kinds of offerings. I think that’s really unique and could help a lot of MSPs.

Don’t talk tech, don’t talk cyber. Talk risk

R. B: It’s prioritization of risk. That’s the conversation.

Risk is the universal language. Don’t talk tech. Don’t talk cyber, talk risk. And when you talk risk, people who have decision-making authority understand it.

Now, I’d be careful if your approach is co-managed IT and you’re talking directly to IT people, then yes, my experience has always been that IT people love to talk IT.

So, you’ve gotta change your game a little bit. But when you’re talking to a CIO or a CFO or a CEO, when you’re talking to these C-suite of decision makers, that conversation should be rooted in risk, not in technological terms. And when you do that, it changes the entire conversation.

And that’s what the cyber score was designed to do – uncover that risk.

So, you find the biggest ones and you prioritize them. This is how you demonstrate value. Then you just have to have good tools in place that are able to continue to drive that value forward so that they understand what that process looks like.

You know that I always say price is only an issue in the absence of value. Everything through your process should be driving value for your client. When you consistently do that, they stick with you long term and they continue to grow.

The MSP Hot seat: All-in-one or best of breed tools?

J. H: I love your perspective there. That’s something I think has helped your MSP a lot.

Ross, it’s been great talking with you. And before we go, I have one question from an MSP. We call this the MSP Hot seat. It’s a question from an MSP and they said

we’re struggling with tool integrations. Should we prioritize an all-in-one solution or go with best of breed tools?

R. B: I would always say from an MSP perspective try to focus on channel-only tools.

When you get into selling enterprise tools, they can price check you. They can go and do their own due diligence on things that sometimes can just put you in a really bad position. I have worked very hard to find channel-only tools that focus on working with companies just like me.

And I love to be able to go to my clients and prospects and say “you can’t buy this. They won’t sell it to you. The only way to buy this product is through the channel.”

And of course, sometimes that creates some doubt: “Oh, well, are they any good?” And I can say “well, look, here’s their credentials. They’re SOC2 certified, they’re FedRAMP, they’re whatever the situation is. They’ve got these certifications and these commitments to cybersecurity behind them”. I’ve even said to some people “oh yeah, it was started by former members of the NSA” and that was enough for them to go, “oh, wow, okay, great. That’s fantastic. I love it. Now I’m sold.”

So, you just have to know your client. You have to know what it is they want to hear, you’ve gotta understand that before you go in. I don’t think you should spend any time trying to decide between prioritizing an all-in-one solution or best of breed tools until you understand your client.

That being said, there is no substitute for having a single agent and a whole bunch of tools that all come with that single agent, because agent fatigue sucks and the more agents you have to manage, and the more security companies you have to work with, the harder it gets to go through. It’s a bad position to be in. So the fewer agents, the better.

J. H: Well, thank you Ross Brouse. It was really great talking with you, and I really thank you for your time.

R. B: Thanks Jacob. I really enjoyed it and I hope this is helpful to the audience.

Find the pain point and keep clients engaged

I really enjoyed today’s conversation with Mr. Ross Brouse and it’s really interesting that he focuses so much on the pain points of his clients and less so on. It’s really easy to fall into the trap of creating this shiny solution on your own with no feedback and then saying “Hey, potential customer, would you like this shiny solution I came up with?”

So instead, what Ross is doing is he goes through and chats with the customers, his potential clients, and identifies what it is that they find really frustrating and painful in their life. That’s a really, really good approach to the MSP company that he runs. And I think that’s really useful for new MSPs who are just starting out.

What I also found super interesting was the way he keeps clients engaged. He focuses on making it entertaining and fun. I think that’s super useful because, as he pointed out, a lot of clients come back not because you’re offering this particular thing. A lot of different MSPs out there offer the same solutions.

Instead, he keeps clients engaged. He keeps them interested. He keeps them motivated to book that next meeting with him. I think that’s a super good approach. Keep them entertained, engaged, address their actual pain points instead of preemptively providing a solution for them to choose from.

I hope you enjoyed today’s episode with Mr. Ross Brouse, I certainly did. MSP Playbook signing off.

Thanks for spending part of your day with us. If you found today’s insights helpful, be sure to follow the show on your favorite podcast platform and leave us a review. It helps other MSPs find the playbook and level up their security game.

Got a question you want us to tackle in the MSP Hot Seat or a topic you’d like to hear more about? Drop us a line. We’d love to hear from you.

Until next time, stay sharp, stay secure, and keep building the future of your MSP business.

Find all previous MSP Security Playbook episodes here.

Author Profile

Livia Gyongyoși

Communications and PR Officer

Livia Gyongyoși is a Communications and PR Officer within Heimdal®, passionate about cybersecurity. Always interested in being up to date with the latest news regarding this domain, Livia's goal is to keep others informed about best practices and solutions that help avoid cyberattacks.
