Scaling your MSP Security Offerings with WhiteDog

Kirstin Burke:

Welcome to Sound Bytes I'm Kirstin Burke and I am joined by Shahin Pirooz and Brian Moody, the WhiteDog big dogs, and welcome guys.

‍

Brian Moody:

It's good to be here.

‍

Shahin Pirooz:

Fantastic.

‍

Kristin:

One question that we are frequently asked, you got the white you got the dog, "what is it WhiteDog is doing?" And we are not doing dog training, dog breeding...

So, we'd like to take a little bit of time to just kind of talk about why WhiteDog came into being, you know what's going on in the market and what is it that we're doing that is uniquely solving some problems?

‍

Shahin:

Yeah, the foundation for what we built was really grown through frustrations. We basically got frustrated with technology stacks, enterprise solutions, lots of claims in the market about this tool is the only tool you need to solve your security problems, gaps within a particular vendor that needed to be closed with multiple vendors, and then continuously evolving and changing threat landscapes that couldn't keep up with so constant evolution of the security stack. So that was really the core frustration that built this up and a lack of understanding in terms of the scale up and scale down for manufacturers: minimum requirements, contractual constraints that were difficult to manage.

‍

And coming from 30 years in the MSP space, we concluded that we need to do something better for the MSP community. We built an enterprise security stack that is pre-configured, pre-designed, built to scale, fully integrated, white labeled, that MSPs can take to market in their own way, whatever fits in their environment. So to fill gaps in their security stack, to take on the whole security stack, and it's literally designed to be consumed one node at a time, complete consumption based monthly contracts, all of the things that an MSP needs to do business designed basically to meet the way they go to market, whether it's long term contracts, short term contracts, consumption based.

‍

We have MSPs that have one node customers, and we have MSPs that have 30,000 customers. So it's having a solution that would scale up and down was one of the core requirements.

‍

And ultimately, the market wasn't solving the security problem. They, as many tools out there were saying, all you need is us. We were still seeing significant impact to the community, ransomware hitting and increasing every year, year over year. And, you know, starting from 2018 forward, we decided to do something about it.

‍

Kirstin:

Well, and I think that's interesting. I think we, we all agree that the whole idea of attacks and hacking, it's not if it's when. And so as organizations really reckon with that and as MSPs try to figure out, well, how do we adapt our businesses to really help our customers do that? That's a real thing. I mean, you take a look at just the things in the headlines, whether it's, you know, Change Healthcare or whatever, right? You can be very big, you can be very smart and have a lot of resources, but you're still going to be hacked.

‍

And I think that brings to mind, and we've been talking about this a little bit, this whole concept of right and left of boom. That's something that the market is talking a lot about. Boom, meaning an incident has happened. So boom. And so, you know, you kind of coined the term boom happens.

‍

You know, Brian, how would you see or how do you talk about what we're doing in the realm of we know breach is going to happen? We know something is going to happen. How and where is it that WhiteDog plays in that real life scenario?

‍

Brian:

Well, I think what's interesting about right of boom is most of the MSP partners that we're involved with are already at right of boom. So they're already doing that, that BCDR, that business continuous, that disaster recovery role. So they're involved with their customers doing that. But what we're hearing from most manufacturers is they have to focus on that. So the tool manufacturers are saying you need to focus on right at boom. And I would say we say they're already there. They don't need to focus on left at boom.

‍

And we actually are on both sides of boom. And I think that's the critical part is we're not going to prevent boom from happening. We were joking earlier, boom happens, right? So but we have the on both the left and the right side. And I think what we've developed in our overall security platform is, is that we are on both sides of them.

‍

The left side of boom is really about the proactive approach to security. It's how are we doing vulnerability assessment, doing external scans, doing monthly pen testing? Most tools that exist in the market today are very reaction based. They don't do anything until boom. Until boom happens.  

‍

And then boom happens, and then it's like, oh, my God, now everything goes to DEFCON 1 and everybody's reacting. But we think that it's incredibly important with security operations, with vulnerability assessments, with the human aspect, the proactive approach, to attack the environment, see that our downstream tools are working, and then assessing that data in order to constantly protect the environment.

‍

So WhiteDog is on both sides of boom, and I think what we brought is that proactive approach to security which is the the security posture management the constant vulnerability assessment both internal and external and then something that we bring which is different than really I think any of our competition is that continuous incident response.

‍

Shahin:

To give a little more context to the right side of boom, it is the BCDR aspects happening, you have to be able to recover. So left side of boom is be proactive, look, monitor, threat hunt, boom happens, you need to be able to respond. Where typically I would say a lot of the tools fall short is incident response is not included in any tool. You can always buy it as an add-on or as a retainer-based approach. And a lot of MSPs do that. They have partnerships that they can bring in when it happens.

‍

With our MDR and our XDR offerings, we include continuous incident response specifically to address boom happens, and not only do you need to be able to recover from an encryption, but you need to be able to manage that whole incident response. So that incident response is part of our service, no additional charge, no retainers, it's just the feature.

‍

And to Brian's point, we're on both sides of the boom, closing the gaps in order to be proactive, monitor, identify, threat hunt, and threat hunt's the big piece on the left side of boom. none of these manufacturers are threat hunting. They're cleaning up the consoles, they're cleaning up the SIEM, but they don't actually threat hunt, which is why their tools are reactionary at boom.

‍

So the bad actors are inside the network for six months before boom happens. Who found them until boom happens? Not a single one of the market tools out there will find them on its own. You have to have, that's where the people side of it comes in, where you have people who are threat hunting constantly. When you see something fishy, when you see an event that looks funky, taking that and digging deeper and digging deeper and asking, you know, the six layers of questions that get to, this is a bad guy.

‍

And then, if the event happens, which we try to prevent, we never can make any guarantees that we're gonna prevent boom. When boom happens, you need to be able to not only do incident response, but also be able to recover if in the case of encryption so that you don't have to buy the encryption keys, you don't have to pay the ransom.

‍

Kirstin:

I would think from an MSP perspective also that, you know, at the end of the day, their goal is to delight their customer, right? And their goal is to likely be that one-stop shop for the customer to have a seamless experience.

‍

And so, the more you patch work tools together, the more potential bumps you have, right? Or this didn't really talk to this, so we missed it. Or this didn't really integrate with this or incident response. Okay, now we got to find it, stand it up and connect it into our tools. And I would imagine from an MSP perspective, if you're thinking about the service experience, and having a more seamless experience, a more comprehensive view that these things working together really add value to what they're trying to do.

‍

Brian:

Well, I would dive a little bit deeper into Shahin's comments about the whole response piece, right? So when boom happens, you need that incident response. And I think, you know, as our founder, the key thing that he drove and the key frustration is that response capability, that response work. And a lot of these MSPs, to deliver that experience, they're hearing from the tool manufacturers, hey, you just need us, right? Oh, hey, we're XDR. We're Extended Detection Response.

‍

And I think our frustration really came from the fact that, no, they're not extended detection and response. They're extended detection. So they're extending their detection into additional vectors, but they only have a response capability really at the endpoint. So our threats are coming from email. The biggest 93% of threats come from email. 80% of those threats require DNS in order to make that C2 connection and propagate. None of the XDR tools today do anything in those two vectors.

‍

So I think one of the things that we did and we developed was the ability to have a security platform that responded at email, responds at DNS, responds at the endpoint, and responds at the network. So it's true XDR. It's true extended detection and response. That response is the core key functionality.

‍

So if we really want to help our MSPs deliver that service experience, it's all about when boom happens, how quickly can you respond? And the complexities of these modern enterprises that even their smallest customers have, right? So think about that. They're no longer just in an office where you got a couple of folks, you know, there's a firewall, you know, they're sitting in a building. We now have cloud environments. You have extended SaaS applications. You do have on-prem, you have mobile.

‍

I mean, begin to build that enterprise stack of what we have to defend. And you truly need that extended detection to cover those vectors. But that response capability at every one of those vectors is critical when boom happens. And that's what I think helps our MSP partners deliver that service experience.

‍

Kirstin:

Well, I think it's interesting when you when you talk about the enterprise stack, right? I hear that phrase and immediately it like makes me anxious because it's a lot of stuff. It's a lot of technical stuff and it requires a lot of smart people.

‍

But the interesting thing is, you know, with our MSP community, we have a one node, one seat client, right? So very small business, one practitioner who says, I need this security stack. I don't just need antivirus. I don't just need I to protect, to fully protect what I am doing, this is what I need.

‍

And so it's interesting that it seems like there's this push to, a market push, saying, you don't need the stack, you need us. But in practicality, what you've just talked about, you absolutely need the stack, whoever you are. And I think our being able to give MSP community that ability, you have one or two size, you know, one or two people businesses, you have a thousand people business, whatever it is, you can cost effectively give them that robust solution that they need.

‍

Shahin:

At the same level of security regardless of size.

‍

The interesting thing about the enterprise security stack is a lot of vendors now focusing on this concept of right of boom. They're guiding MSPs to focus on the right of boom because they solved the left of boom. One particular comment I heard that enraged is probably the right word is, if you're building an enterprise security stack, you're taking your eye off the ball, you should be focusing on the right side of boom, we got the left side. And this particular company was basically a SIEM. Not even MDR, but just the same. They call themselves an XDR. But literally, they were just the same that collects telemetry from your EDR, your email, your network or whatever.

‍

And the aggravation I had with this context is you absolutely have to have an enterprise security stack. I don't care if it's for one person or if it's for 30,000 people. You have to have a security stack that covers the layers of security. And the layers are email, DNS, identity, endpoint, and network. Those five layers have to be protected and you need to be able to respond in them. You can't do that with an EDR tool. You definitely can't do that with a SIEM. The SEIM's only going to tell you there's a problem. It's not going to do anything to solve it.

‍

So when you hear something like that, this is, you know, we built this out of frustration, but the frustration hasn't stopped. There's a whole conference dedicated to the right of boom and it's all about put your energy into right of boom, incident response, sorry, BCDR. But, the idea is to try to shift the focus of these managed service providers are very hard trying to protect their customers off of the left side to the right side so that they will buy the security tools.

‍

A tool will never solve the problem. Ten tools will never solve the problem. An integrated enterprise stack will solve the problem. And that's fundamentally what we've built. We've taken and productized an enterprise portfolio of tools, both commercial and open source, and made it accessible one node at a time.

‍

Kirstin:

So I would imagine, these MSPs out there are sophisticated. You aren't an MSP if you don't know your technology stuff, right? So smart people, great relationships. I would imagine in some of your conversations, you've heard one of two things. Either, well, I could build this, right? I mean, what's so special? Or, well, I've already invested in some things. So yeah, sounds good. Sounds great, so whenever I can move everything over to you, I'll call you back. So how do we work in those, you know, I guess what's the response to this scenario? Well, I could go build this myself.

‍

Shahin:

The short answer is there's no magic here. You could go build this yourself. If you haven't attempted to build this yourself then you don't understand how hard it is, and what it takes to, not just build the stack, because building the stack once is not unattainable. It's not easy, but it's not unattainable.

‍

But then the constant continuous updates, refreshes, technology evaluations, does this tool still do what it was supposed to do? Did that manufacturer market-ware me or is it real? And constantly changing technologies and then you got to figure out if the new technology will actually fit in the stack and work with the other tools in the stack.

‍

And then you've got ecosystems where there's a bunch of aggregation of tools through a distributor that you feel they ought to work together, but they're not. They're totally this separate, distinguishedly separate technologies, and you're dealing with the same problem. So when you build an enterprise security stack and your people have to look at 30 consoles, that's a problem.

‍

Kirstin:

Well, and I think the assumption is your people. How many people do you have to dedicate to this?

‍

Brian:

Well, this is the point that you just made, these five layers, right? And I hear you talk about all the time, you set these five layers up. Security is in no way a set it and forget it. And the piece here that we just mentioned is people, right?

‍

You can stand all of this up and without the security operations, without the security operations center, without the people doing the analysis, technology, machine learning, AI go so far. But you talk about this criticality of a security analyst seeing something. And as a human being, he goes, well, what if I go left? Machine learning, AI, they're not going to go left.

‍

So sticking all this up, and we talk about this all the time, it's like sticking the guard tower up. If you don't put a guard in it, they're over your wall before you know it, right? Because no one's watching. So the human aspect of this and the full security operations is where the expertise comes from. That's really where our IP at WhiteDog comes from. It's that security operations 7 by 24 that we bring to our overall platform. But that's the critical point. And if you look at the cost associated for our MSP partners of staffing to this, and you said, hey, are we talking to our MSPs? The MSP is evaluating how much it costs them in order to support these 30 consoles.

‍

And so our partners that have moved to us have said, wait a minute, my engineering team now has never become more productive and strategic because they're not now dealing with all the fodder and the telemetry coming in. They're not monitoring that. We are. And we're feeding to them strategic security initiatives, strategic vulnerability that they can now go address in their customer. So it's made their team more efficient, more effective, and more strategic with their customers.

‍

Kirstin:

Well, it goes back to what we've talked about for 15, 20 years, which is core versus context, right? So all of us are in business for a reason, because we feel we do something uniquely fantastic, right? And so then you have those things that you need to maintain the business.

‍

So I think for these MSPs, right, if it is your jam that we're going to build all of this security stack, we're going to staff it, we're going to monitor it, if that's your jam, then absolutely you don't need us. Because to you, that is what uniquely defines you. But if you're an MSP that is saying, hey, you know, security is critical for our customers, but where we really shine is here, then it would seem that you need to think about where you're investing money and resources.

‍

Shahin:

So if you think about the stack that was built, so the WhiteDog stack is about 40 commercial technologies and 10 open source technologies. Sure anybody can go and pile that together and make something similar, but really the magic that starts to come in is the things that Brian was talking about.

‍

It's the integration between those things that glue the software, the products we write to pull it all together, the correlation rules, the threat engines, the threat hunters, which are people which are very difficult to train and build. And so all of that comes into play.

‍

It's this big, it's like, if I give you, and Brian said this before, so I'm gonna steal it from him. If I give you a set of ingredients and I'm going to make a beef stroganoff and I give you all the ingredients that make that stroganoff, we will not have the same two dishes when we're done. Even if I give you step-by-step instruction.

‍

Brian:

Mine is definitely going to be better.

‍

Shahin:

He's been saying this for years. We still have not had a bake-off.

‍

Kirstin:

We're going to do this on one of the next SoundBytes. We're going to have a bake-off.

‍

Shahin:

But, but that's, that's really the, you know, it's, and it doesn't mean one is better than the other or worse than the other. Like I said, you can build this stack and it might be a perfectly good stack.

‍

What you won't build is the multi-tenancy, the white labeling, the 24 by 7 operations in such a way where it's like you don't have to worry about those things. You won't build the tools and engineering team that is constantly doing shootouts. You're going to take your analyst, your people who are doing customer support, people who are doing customer engineering and pull them in to do those shootouts because you can't have a dedicated team. It doesn't make sense. So those things are what start to come out.

‍

We just recently signed a new partner. And he said, I get it. I can do this myself. I have done it myself. But what I realized is I don't have to. And that's the real distinction here is it's not, we're not, we're not creating magic. We didn't come up with something super unique. It's not, it's anybody could do this given the time, money and resources is the short answer.

‍

Kirstin:

Well, and it sounds like this is where the parts, the sum is greater than the parts, right? And the parts are all there, but in the way that we have curated it, packaged it, support it, price it, that makes what WhiteDog is doing unique in the market.

‍

Shahin:

It is, and we don't have the technical debt that our competition does. Because if you look at a tool manufacturer, they built something at some point in time, maybe 10 years ago, maybe five years ago.

‍

And if you look at every single let's just pick endpoint security, every single endpoint security technology that has been king of the hill is gone and forgotten. There's only three people we really talk about anymore these days. And in five years, they will be gone and forgotten. And there'll be three new we'll be talking about.

‍

And if you put that context in your mind and you realize that, holy cow, every three to five years, I have to change tools. And because there's 30 tools in the stack on average, there's 20 to 30 tools is what the market says in a proper security stack. So if every year I'm changing a tool, I'll never catch up if I just change one tool.

‍

So I've got to be changing tools continuously. I have a team of five people, their entire job, is nothing but evaluations of tech. So that's, that's an impossible set of assets to put together in a company that's also trying to make money, also trying to deliver services to their customers, and they're having to pull the customer facing resources in to do the evaluations.

‍

Kirstin:

So Brian, you're the channel chief. I'll say, I've just heard what Shahin said. I'll bite. Okay, you got me on the bone. But I've already invested in some things, right? I mean, I'm supporting customers and doing what I do. I believe some of these tool manufacturers. So how do I proceed?

‍

So I've spent this money. I'm not just going to throw it away. I can't just rip it out. What are the options I have for integrating with WhiteDog and kind of moving you in? Is it all or nothing? How does that work?

‍

Brian:

It's a great question. It's what we hear from most MSPs. So you've heard me on previous Security Bytes and discussions talking about no one has nothing. I've never walked into an MSP that says oh we don't have any security tools whatsoever, right? I mean they are already doing something. And so we're getting these comments back like love the tech stack but I've already got that endpoint tool.

‍

So I was just on the phone this morning with an MSP and an MSSP, so they have two divisions of business. They're kind of in this financial, you know four or five hundred customer size MSP, and he was running through his stack with me and he got done he goes boy that's a lot and I said that's a lot. And then I put our slide deck up and I went through our platform and at the end he looked at me he goes wow that's a lot.

‍

But the key piece is, he says, I'm not doing this. I'm really interested in this Internet threat protection piece. We're not doing that. I don't do incident response. I was looking to partner someone that did incident response. Oh, wait a minute. I'm doing endpoint. But you sound like you bring so much more to endpoint.

‍

So we have a methodology to help our partners evaluate integration of our tools into their tool sets. So we call it the integration roadmap, and it's a analysis and a financial analysis of tools, of actual contracts, subscription dates, and what we do is we we help you evaluate what you've built and it's, you know, if you've built something that you love and you're confident in and your customers are getting that security experience by all means keep it. You might have a few key areas where we fill in a gap for you.

‍

I have some partners that really love their cyber stack. They've done a really good job in building that, but they're, you know, on the SASE side or the secure edge side, they're very weak. So they take advantage of our SSE platform because they're great. So we're not an all or nothing company. We built this company from the ground up.

‍

Our founders said, listen, I want to help MSPs. It was built to white label. So each one of our tools you can actually take individually. And then over time, we help you do an integration analysis to look at tool capability, functionality, cost, does it make sense to move? And if it does, that's your business decision to make. You have the flexibility to make that decision. We're not telling you you have to. We're presenting the opportunity to say, listen, we are providing all of this back end, the human aspect, the management of the tool and the service. You then can decide for your business if it's best for you to continue on the path that you've chosen, or if you look at optimizations that we might bring to your business.

‍

So that's how we've been kind of working and integrating. And as you mentioned, the partner that signed up with us, he was doing most of this. And he said, I recognize you guys have implemented and put tools together but I don't have to now. He said, I don't have to anymore. So that's a value to my business. So the decision really is our partners.

‍

Shahin:

And that integration transition roadmap is specifically designed to understand what are you spending on what those contracts come to term. And then we build the TCO with a timeline that shows here is opportunities for you to make those transitions based on your existing contracts. Here is what you're spending today and what you would be spending with us for a similar set of services.

‍

And that, that entire roadmap is a tool set for somebody to build a five-year plan for transition. It's not an overnight change if you don't want it to be. But we have partners who have come and said, I'm on annual or month to month contracts. I'm done with my security stack. I'm not using company XYZ as my distributor, I want to come to you. And we're going to go to market together. And every one of my customers has to have XDR. And that can happen too.

‍

We just recently had a conversation with another partner who said, I'm putting this in every one of my customers. And I don't have these two functions. So we're going to roll that out. And then when this, when the endpoint tool comes up for renewal, then we'll swap that out too. And it's, we're getting it repeatedly over and over again. And the transition roadmap was specifically built to help understand contextually when you make those shifts and changes. So what does, what does it make sense to start with? And when do you transition?

‍

Brian:

And the value is for us, no annual contracts. We bill monthly. It's consumption-based. So it really is built for the way an MSP operates their business. So we're not requiring you to sign up for that annual contract to lock you in.

‍

Shahin:

But we also recognize if you're an MSP that does have annual contracts, we give further discounts beyond the partner tier level if you decide to pay annually.

‍

Kirstin:

So just another way to work the way they are.

‍

Shahin:

More margin.

‍

Kirstin:

So you both have alluded to total cost of ownership. This sounds expensive. Just going to say it, right? I mean, you hear enterprise security stack. You hear 40 tools. You hear lots of people. How do we stack up, pardon the pun, how do we stack up to what folks are doing today?

‍

Shahin:

So let me let me just talk about XDR for a second. Let's just pick our XDR portfolio. Our XDR portfolio includes detection and response in email, DNS, endpoint, network, and we're about to add identity at no increase in cost to our customers.

‍

So all five layers protected, plus we add security awareness training, continuous incident response, cloud security posture management, external security posture management, breach and attack simulation, all of that for the price of any MDR solution out there today. I'm not going to rattle off names, but for the same price that you're just paying for an endpoint tool plus somebody managing that tool for you, you get that entire stack plus continuous pen testing and incident response.

‍

Kirstin:

So it sounds like cost is equal to or less than what I am paying today for a fraction of what I get. Is that a good summary?

‍

Shahin:

It is. We have one partner who is basically, his words, tool-wise, license-wise, I'm saving 20% over what I was doing.

‍

Brian:

That's right where I was going.

‍

Shahin:

And I wasn't doing as many things for that 20% savings.

‍

Kirstin:

And so you just rattled off, if you had 11 fingers, all the different things that someone gets in an XDR solution. How do I roll this out to my customers, like is it complicated, is it lengthy, is it two months, six months? I mean, how do I push this out to my customers?

‍

Shahin:

So we have a 30-day onboarding guarantee. We give you one month's contract value as a credit if we don't get live. So the first month's free if we don't get live in 30 days, assuming we're obviously the delay.

‍

We've built this as a solution for MSPs. It's very simple. Almost every MSP out there has some sort of RMM solution for doing software distribution. So we create the packages, we configure the backend environments, we configure the portal, we set up the policies and rules so that we do a little bit of dialogue that's why it's 30 days, otherwise it would be a week. And so the making sure we don't stop the customers business is a couple of conversations. What's their core tool, do they have something proprietary, how do we make sure we're not blacklisting something that, or not catching something that they wrote themselves?

‍

So unique tweaks and things. And this is part of the it's not that hard to do this. It's not impossible to do this, but there's a lot of moving parts to make all this happen. We do all that work and smooth it out so that the MSP doesn't have to.

‍

The MSP's lift in doing this is pushing the software. And for that XDR stack I talked about, it's two agents.

‍

Kirstin:

Well, this is a lot, you guys. And it sounds like, I mean, from the conversations we've been having and just the response that we've been getting, I think it's a challenge for MSPs out there because the market's so noisy and so many people say the same thing.

‍

And I think when we're given the opportunity to tell a little bit of our story, to talk a little bit about what we do and how it's differentiated from what you're hearing from the market, we start having people either cautiously raise their hand or say, I'm all in.

‍

And I would suggest to anybody that's listening, any MSP out there, if you are in any of that realm of raising the hand a little bit, raising the hand a lot, this is your guy. Brian would love to talk to you. And if nothing else, have a conversation. Let's talk about what you've got. Let's talk about what you're doing. Let's talk about where you're trying to go.

‍

Worst case, you get some information and you get educated a little bit. Best case, you save a lot of money, you dial up your security stack, and you can get that done in 30 to 60 days.

‍

Brian:

It's worth the conversation, and it's more and more partners are coming to us. We just returned from the Orlando Xchange conference just a week or so ago, and it was amazing how just the conversations, again as I mentioned, I talked to someone today and he wasn't thinking what he thought after our presentation. And he said, I now want to bring core product in. He goes, this has shifted my paradigm a bit.

‍

And that's what I think the conversation's about. It's worth having the conversation.

‍

Kirstin:

Well, thank you, gentlemen.

‍

Brian:

Thank you.

‍

Kirstin:

Nice to see you. Nice to see you all. Thank you all for joining. We'll see you next time.

‍