The Cyber Resilience Playbook: Achieving Evergreen Protection

WhiteDog founder Shahin Pirooz shares a practical framework for cyber resilience that emphasizes continuous improvement over one-time fixes.

posted on
July 9, 2025
Transcript

Kirstin Burke:

Welcome everyone. We're delighted to have you here. And for those of you that pay attention to WhiteDog on social, LinkedIn, anything like that, we're going to tie our session today into some news. We've got we've been on the road a lot this summer. We've been to a lot of events, Pax8 Beyond, we've been to some ASCII events, we're headed off to XChange here next month. And Shahin's been talking a lot, speaking on panels but also to different MSPs and put together a really great presentation at an event a couple weeks ago. Really the, I think it was called the MSP Survival Guide to Modern Cybersecurity.

 

And the news today that we're sharing is we were voted Best Strategic Takeaway from the attendees that were at that event. And as we were talking about our topic for today, we thought, well gosh, if the attendees there thought it was noteworthy, let's share it with the broader public. And Shahin reviewed it with me. I thought wow, this really is good material to share for this time. And so Shahin, first of all, congratulations.

 

Shahin Pirooz:

Thank you.

 

Kirstin Burke:

But I'm kind of going to walk through just some of the topics that you shared. But overall, you know, why do you think this was so relevant to the folks you were talking to? You were there, kind of an AI theme and topic there. Why do you think this struck such a chord?

 

Shahin Pirooz:
Yeah, this was at the ASCII Chicago event and the general theme of the conference was AI. We had some time on stage and so I wanted to put together a presentation that talked about the good and the bad of AI. And, there was a couple things that I would say stood out. Number one, Microsoft was there talking about Copilot, the value of Copilot. And it was softly received. It wasn't as warmly received as I would have expected. And there was a couple of conversations about AI and technologies that vendors were pitching, the security tools that had AI embedded in them.

 

And then I followed a panel that talked about some serious blunders their companies had had with AI. In one case they had put very proprietary information into one of the public generative AI solutions, which is obviously going to make the hackles of any CISO go up. And so some of the guidance that was coming out of that panel was just say no to AI. And I was listening to this event because I was the next person up, and it struck me that I'm about to go up and tell everybody embrace AI and my peers are saying "No!" And so, I got up and I really highlighted the notion of AI is a double edged sword, and we need to be cautious of not just the fact that we could put proprietary information in the public's hands, but also the bad actors are leveraging AI to target and attack our people, our companies, our customers.

 

And the other side of it is that it can be a powerful tool. It can accelerate threat hunting, it can accelerate resolution, it can accelerate productivity of your individuals and your company. And that alone can create a differentiator for you, for your clients. Because we're getting to a point where if your people are not leveraging generative AI to respond to RFPs, to create documents, to create content, they're going to be much slower than your competition that is taking advantage of that and you're going to fall behind as a result.

 

So, my opening to the presentation was let's not put our head in the sand, let's focus, let's not be ostriches, let's try to take away what we ought to do to properly take advantage of AI. And also what do we need to be concerned about that are valuable, or not valuable, but real threats that are coming from the bad actors in the context of AI. So the talk track spun towards, here's some examples of threats and attacks that have happened that were AI generative.

 

You know, we're no longer seeing phishing email that is in broken English and obviously looks like a phishing email. We're seeing really good content coming out in phishing these days. Were seeing deep fakes both in email and in voice that sound like your CEO calling and saying send me money and really fooling a lot of people. These are all real things. These are happening and we need to be aware that these are happening. So what do we need to do? We need to educate our people. We need to make sure they understand these things are real and always get a second set of eyes on something you're doing where it's a financial transaction. Get a second set of eyes when you're sending proprietary information or documents. And, you said it best. If you wouldn't leave it on the counter at Starbucks, don't put it in public AI. So those were the general themes.

 

And, at the end of the presentation, we did a live Slide IO, basically back and forth interactive question and answer. And the first thing I did was ask a question that said, what are the biggest threats that you see in your environment? What's the one word that comes to mind when you think about your biggest threat? And it created a word chart which interestingly enough covered the three areas we talked about in the presentation. It was ransomware, AI, and compliance were the three top words, the three largest words, if you will. Then we asked some questions about what is the one thing keeping you up. And so it was a nice interactive. I think that the audience enjoyed the interactive. There was, unfortunately, a lot of the product manufacturers were up there pitching their solution instead of educating, which was really the guidance that we got from the ASCII organization. So I think there were multiple factors. It was relevant. It was talking about how to deal with AI, not hide from it. It was not pitching them on WhiteDog, but really talking about valuable security insight and actionable intelligence that you can take and go do something with. And it also engaged them. And they've been sitting there all day listening to pitch after pitch after pitch.

 

Kirstin Burke:
Well, and I think we talk about this all the time. There are over 4,500 security tools out there. And so when you're coming to something like this, probably the last thing you want to hear about is tool, tool, tool. You're looking for something to take away, to take back home and to try to roll out or implement in your organization. And so I think having something where you're hitting more on these salient points, on tips, on takeaways, you know, obviously that was probably refreshing.

 

What we decided to do instead of walking you through an entire presentation, which, if you ever would like to hear it or if you ever want more detail, we'd be happy to share. Shahin did put together key takeaways. And so what we thought we would do is just kind of a quick flyby on some of the takeaways you gave these folks and share them with the broader community. So I'll kind of queue you up.

 

But the first key takeaway that you put out there was cyber threats are smarter and faster. MSPs need to be, too. And one thing that you mentioned that you had talked about was really these MSPs being the first line of defense. And you know, when you've got this adversary that's out there really kind of trying to outwit you at every turn how do you pace that?  

Shahin Pirooz:
So, there's a large number of attacks that if you go back to the target breach that have been targeting the supplier ecosystem, so the supply chain. And the reason for that is typically if you're targeting, pun intended, Target, Target's probably going to have an advanced security portfolio, have better security on their systems and be able to block and tackle a lot better than a small company that might be doing their HVAC as an example. Which is how the bad actors got into the Target ecosystem. They compromised the HVAC supply chain the contractor that was managing their air conditioning systems that was connected to Target in order to manage the air conditioning system, and then they got in through those systems into Target and then work their way around.

 

So, in many ways MSPs are the supply chain for IT. So same thing happened in the Kaseya breach. The bad actors targeted Kaseya, which is a tool set that's sitting inside many MSPs. They compromised the platform and from that were able to compromise hundreds, if not thousands, of end to customers for these MSPs. So supply chain is a critical factor and the MSPs sit on the front line of that supplier. They're in the trenches fighting this battle but they're not well armed to do this because they're focused on maintaining performance, productivity, end user support, and the IT background that they bring to the table helps their customers to make sure their information systems are working properly and there are layers of security that they apply to that.

 

But, we've said repeatedly, there is no one tool that solves the problem. And every manufacturer of those 5,000 manufacturers that are out there want you to believe that their tool, their system, their solution is the only solution that you need and you won't need anything else. There is no one tool that will solve the problem.

 

So, when we say the threats are coming faster, the bad actors are being faster because they're leveraging generative AI to generate these attacks. They don't have to be brilliant hackers. All they have to do is use generative AIs that have been designed to help them create scripts and attacks and strategies that will compromise your environment quickly. And all they have to do is say, I'm targeting companies that are using ConnectWise or Kaseya or whatever. What's the best way to get in? And the generative AI will go and look for vulnerabilities for those platforms and say, here's a script that will take advantage of this vulnerability. It's that easy. Like anybody, your mom, uncle, grandfather can all go and do this in minutes.

 

So it's not a super complicated thing to do to become a bad actor. Those of us that have morals and don't want to hurt everybody, don't go do this. We work on the other side of it and we get in the trenches. So because they're accelerating the attacks by not having to learn how to do them, because they're creating automation in terms of once it lands inside the network, it doesn't need to call home and get instructions, it has the instructions embedded because the tools that they're creating also have the ability to change their behavior so they can avoid detection. Defense evasion is now becoming even more and more enriched by all the AI interactions that are happening.

 

All of these factors are fundamentally creating a problem where now the traditional technologies absolutely don't work right. Not just they have a hard time, they absolutely don't work because the attacks are no longer file based, they're 100% behavioral. And one of the things I said which was a little hard hitting at the event is if you're still using a antivirus solution that was an antivirus solution 20 years ago, I don't care that they say they're EDR, they're not. They're still a file based solution. For the love of God, please go get a real EDR.

 

Kirstin Burke:
Don't bring a knife to a gun fight.

 

Shahin Pirooz:
Exactly. So that's contextually, you have to get faster, MSPs, because the bad actors are leveraging AI to get faster. You have to be able to find technologies that can detect and defend against these adaptive malware that are out there. They're able to change the way they look and they're able to deploy in a completely autonomous fashion so they don't have to call home DNS protection. So, in order for you to keep up you have to go faster, just like the bad actors. That was the key takeaway on my first component.

 

Kirstin Burke:
Well, and I think that leads so well to the next point, which is what your predecessors at the event we're talking about. You've got AI that can endanger and you've got AI that can empower. It can do both. How do you use it with purpose? And I think that was your next key takeaway which is, how do you work with this?

 

Shahin Pirooz:
So, we need to separate the contextual AI I just talked about, which is in the defense and in the attack world. The panel before me was talking about don't let your users access AI. But I think we've clearly articulated that if you're not letting your users access AI you're going to fall behind in productivity and your users will not be able to, by users I mean the employees of your customers or your own people, you won't be able to respond to RFPs as fast as the next MSP. You won't be able to create documented collateral as fast as the next MSP. Your customers will have the same challenges in terms of how they go to market.

 

So the notion of putting our head in the sand and hiding by saying just put a policy in that says you're not allowed to use ChatGPT as an example is not the right answer. The right answer is proper security awareness training around what is intellectual property that belongs to the company. How do you prevent that from getting into an AI solution? Taking advantage of systems, if you're a Microsoft shop, like Copilot so that your users don't have to go and invest in their own generative AI externally and you can put policy as controls around the data that say anything that is tagged proprietary, please don't ingest, please don't include your IP in your data analysis.

 

So, given no control and no guidance, just like in Jurassic park, nature finds a way. Your users will go and do what these individuals in the panel before me described. They will put a large amount of proprietary data into ChatGPT. The particular example was financial data because they were looking for trends and they wanted the generative AI to show them trends over the last seven years. Great idea, horrible implementation of that idea because now all your financial data for the last seven years is in ChatGPT's archives.

 

So, fundamentally, this notion of AI is a double edged sword. It can empower in terms of performance and productivity. It can also hinder in terms of getting your data out in the public where you don't want it. But similarly in the security context it can empower you by being able to respond to attacks faster, but it can also hinder you if you don't take advantage of those things because the bad actors are taking advantage of it.

 

Kirstin Burke:
Well, we've both been in this business a long time, and I think then the rub against IT kind of is like, well you get in the way of business. You want to do things the way you want to do and you get in the way of process. Or you get in the way of progress.

 

And I think IT and security as a market, as people, as teams, have worked so hard to be relevant, stay relevant, and help lead the business that if you make that decision around AI to say, well, just don't let it, you're pushing yourself back to that area where people start bypassing you anyway because it's like they don't get it. They're not relevant and they're not helping us. And so you got to find a way to get, you know, to stay where you want to, which is, hand in hand with the business units.

 

Shahin Pirooz:
Agreed. A perfect example of that was we had, in a previous life, a customer that we were brought in to, and that organization was an MSP. It was an IT organization we were working at. And this customer was frustrated. The CIO was frustrated because his users were complaining about productivity. They didn't want to come into the office, they wanted to work remote. Because in the office it was harder to work than it was from home.

 

And when we got in and did the assessment under the guise of we're doing a security assessment so IT doesn't get excited, we found that IT had implemented so many restrictive controls for these users. In order to use WI fi, you had to get on WI fi, which gave you access to nothing, then you had to VPN into the environment. And that VPN connection got you limited access to use OWA only. And then from OWA you would get, there was some permission. It was like 16 steps before you can access files and data if you're sitting in their office, never mind if you're trying to work from home.

 

So, we technologists can, with the best of intentions, create so many hurdles in the guise of security and the guise of protecting information and IP that we prohibit the company from being innovative and moving forward and accelerating and being productive and being competitive.

 

Security should not be what makes decisions about how the company goes to market or does business. Security should be about once those decisions have been made, how do we protect those decisions best? And far too many times we end up becoming the roadblock by saying, no, you can't do that. And that just can't be the answer.

 

The answer has to be, okay, our people are going to be productive. They're going to be productive at home, at Starbucks, in the hotel room, and in the office. And they should have the same level of access and capability in all of those locations, and they should be just as secure in all those locations. Traditional security doesn't allow for that. And the siloed approach to we are living in a walled garden and we live in the center of a castle does not support that.

 

Having a distributed edge that says your people are your edge and building security design for that is the only way to get to that. And our security ecosystem is starting to understand that. A lot of what we're calling zero trust is all about enabling that distributed edge ecosystem so that people can get to what they need to and do it securely. I think a lot of the zero trust implementations are weak and poor, but the idea is the right idea.

 

Kirstin Burke:
So this kind of again leads to the next takeaway. We're talking a lot about competitive advantage and how your security solutions and your IT solutions can help or hinder that. And one of your takeaways from your presentation was that compliance can be a competitive advantage as well. Which I would say a lot of people would scratch their heads and go, what? Because similarly, to be in compliance or to try to align your processes or your business with that can often be seen as a real slowdown. So how did you talk about that?

 

Shahin Pirooz:
I've held the philosophy, starting probably about 20 years ago, that security should not lead the architecture, compliance should lead the architecture, or the controls more accurately, and security should be implementing those controls from an architectural perspective to meet that compliance. So compliance led security is the key way to think about how do we secure an environment and closing gaps that are created from a compliance perspective.

 

So why it's relevant is the government is now starting to create some heavy guidance around, and it's not requirements yet but it will be very soon, around companies that are delivering services to anybody, who will be delivering services to anybody, who is delivering services to the government.

 

Kirstin Burke:
It’s a lot of anybodies. It’s everybody.

Shahin Pirooz:
Yeah, so it's layers and layers. You could be three levels away from touching the federal government and you're going to have to implement CMMC. You're going to have to implement GDPR. You're going to have to have PCI in place and they are also enforcing, slash forcing, that the supply chain risk assessments are critical and you have to secure your supply chain and you obviously can't secure them, but you can mandate that they have certain controls in place so that you can meet your regulatory concern.

 

So why is this an opportunity? Because MSPs are dealing with customers who are dealing with the federal government, and they can help them achieve CMMC more quickly by having the right tools, the right control, and the capabilities to close those control gaps.

 

What we bring to the table is that whole ecosystem. Our GRC platform lets you quickly identify which regulatory concerns apply to the customer. Our control mappings allow you to say, against the CSF framework, here's the controls that you need, generate security policies for that customer.

 

And then the outcome of that is, here's the products and services that we have that close 50 to 60% of those control gaps. So very quickly you can get somebody across the line. And I say 50 to 60% because there's a lot of controls that are human control, which is you have a policy that says people who work remote have to do X as an example. So it is a tremendous opportunity for MSPs to jump ahead of this and help their customers achieve these regulatory requirements that are coming at them.

 

Kirstin Burke:
Well, you can't protect what you don't know. You can't build compliance around something you don't have visibility into or understand what risks someone is willing to take on or not. And so I think that, to your point, that's where it all begins. And for an MSP to really be able to get their hooks into that, you know, what are the assessments you use? How is it that you can, easily and quickly, you know, because from an MSP perspective, they don't have a lot of the resources, a lot of the tools.

 

So how is it that we can help them put something out there that's quick, that's easy, that doesn't cost their customer a lot, that really gives them value and helps them understand, where is it that my next investment is best served? Which is kind of in line with your next takeaway.

 

Really it's about layering. It's about layering, it's about being proactive, it's about being resilient. And rewind all the way back to the beginning where you said there's not one tool, there's not one flavor, there's not one way. How is it that these MSPs given the resources they have, can really get access to a layered system that they can manage?

 

Because if something doesn't stay evergreen, if something comes out that's better, you know, how is it you can have an ecosystem, a layered ecosystem that stays current, but then, the element of being proactive often requires people. How do I build that people model into my MSP model that's probably already taxed?

 

Shahin Pirooz:
Yeah, I'm sure most of you are tired of me saying if you have a SIEM without a SOC, you have a guard tower without a guard. You will not see the bad actors in your walled garden until after they breach the walls. And that's not helpful. It's too late. They're in, they're causing damage, they're taking your data.

 

So this context of layered support is really around the notion that you, if I give you an example of a very simple attack, a well-crafted email is written up and sent to a user that has them go and grab a document and they click on the link, takes them to a questionable DNS site. In that DNS site it looks like it's an Office 365 login. To get access to a Word document, they put in their Office 365 credentials. It's not Office 365. They then get redirected to a Word document which has malware embedded in it, which downloads to their machine. They see the document and it looks like something that they've been communicating with one of their partners with and they start taking action and replying.

 

And now the bad actor has their identity, access to their system, and they are now on your network. And if you don't have systems that are preventing that malware from running, that user account from being privilege escalated, that system from being able to move laterally throughout your network, you're done. You're going to get hit with ransomware in a matter of weeks.

 

That was five tools. Email, DNS, Identity, Endpoint and Network. You need a minimum of five technologies to protect against [threats]. That's the five layers that we always talk about. Now you could have traditional email gateway solutions and security awareness training and phishing training doesn't block these things. We see over and over again, 50% of customers are getting hit with attacks even though they all have these things. I just talked about.

 

Malware, 80% of malware needs DNS to function. If you are not blocking that, just at the firewall, if you're not blocking it, no matter where the user is, you're letting 80% of the malware function in your environment.

 

100% of attacks are there to take your identity. Every single attack, the first thing they want is identity so that they can use that identity to get access to your active directory, elevate privilege, create new accounts and then start moving. There is usually a bastion host that gets dropped into your network. That malware that becomes the point of entry into the network and from that they start moving laterally throughout your network.

 

So all five tools are required to provide visibility across those. But if you have these five tools and there's nobody looking at them on a consistent basis, that's that guard tower without a guard. In a typical enterprise security stack, there's 20 tools because those five tools alone are not enough. There's a lot of overlapping coverage across those tools, and there's a lot of functionality that you get from having that overlap.

 

In WhiteDog's stack, we have 60 technologies because 20 is not enough. We expose that in a productized way that takes best in breed technologies from different commercial solutions and open source solutions to make a single product because we think that the product is missing capabilities all by itself, and it needs more to do the thing that we say in the market that we do.

 

So to answer your question about how does somebody implement a layered solution that is evergreen and continuously improving, come talk to us because that's what we do. You can do it yourself, there's no magic here. We're not creating any genius kind of thing that doesn't exist in the world.

 

All we've done is taken amazing system integration capability and built an enterprise stack that is composable, enterprise security stack that is composable, continuously evolving and improving, and it's evergreen because we do shootouts every year in every single category. And if some tool is no longer effective, remember that every security tool has about a three to five year lifespan before the bad actors have outpaced its efficacy or the technical debt in the platform can't keep keep up with that any for whatever reason, if the tool is no longer effective, we change out that technology and put the best in class solution at that time and place.

 

So the real only way to get that on a consumable basis is what with us. Any other way you do it, you're licensing, doing contracts, doing the implementation, doing the integrations, doing the configuration, training your staff, all of those things you have to do yourself versus you can have a turnkey, up and running in 30 days, enterprise security stack that you can take to your customers white labeled as your own.

 

So I didn't say this in that presentation because it was not intended to be a sales pitch, but I'm sorry I'm pitching you guys, but the real answer to how do you implement the layered security stack that is continuously evolving and improving, is you build a WhiteDog. So if you don't want to go out and spend five years building a WhiteDog, come talk to us.

 

Kirstin Burke:
Well, and I think if we look at the last takeaway, every single thing that you've spoken about up until now, and I think in your presentation you talked about it from a client perspective, but I think it relates to MSPs too. It's like folks out there, client or MSP, want partners not providers, not tool set, but a partner who understands their business, who understands what they're trying to do, who understands what they're using today and what risk they're willing to take on. And that is not a one size fits all. And I think the other brilliant thing about WhiteDog is it's not an all or nothing.

 

You don't have to take on this entire portfolio that we built, but you can take a look at what is it that I have, where have I invested, what is it that I need next? And you can move in and out of that platform as much as you need or as little as you need, but all of it is there to ensure that you have got that security posture that you need, period, without any technology debt. So maybe there were a few other points you made on this partner versus provider that as we wrap up, just might be interesting to our audience?

 

Shahin Pirooz:
Yeah, I think you hit the nail on the head. It was, the conversation was exactly what you're describing is and on multiple levels, it's when we're talking about AI you should be leading the charge with your customers and talking to them about the advantage of AI in their business, not just how you're using it to accelerate security, accelerate awareness, accelerate performance and capability. But how they can take advantage of it to increase productivity in their business against their competition. And that notion of rather than just selling them technology and managing it, but you're in there talking to them about strategic differentiators that set them apart from their competition and how they can move the needle forward with very little investment and time because you bring the expertise and knowledge to help them.

 

Kirstin Burke:
Well, Shahin, thank you. And again, congratulations. We're delighted that an audience of the size that you spoke to felt that what we have to share, and the insights that you had, is the best value in terms of the presentations they had. And that's really what we try to bring to the table with any of our partners, with anything that we do, whether it's on the technology side once you're working with us, whether it's on the enablement side, it's really our goal to help MSPs deliver the level of service to their clients that maybe they can't do on their own, but really desire to do. So, thank you and thanks to all of you.

 

One last thing we'll mention to you. Shahin did offer this group of folks a checklist, so things to think about as you move forward, just a takeaway. So if any of you listening are interested in that checklist just let us know on LinkedIn, send us a note, and we will get that off to you. But thank you for your time, Shahin, and thank you for yours, and we'll see you in August.

Let's talk!

We’ve Got a Shared Goal, To Secure Your Customers