Tommy here from Orange Systems, and the more we secure the perimeter of our networks, the more the target moves to be the person inside that perimeter. So today we're going to be talking about human vulnerability management. More specifically, we're going to talk about phishing and sending automated phishing emails. Now, this video is not sponsored, but I want to disclose my bias towards this particular company I'm going to be doing this technical demo on, and that's because I'm an investor in them. So this is going to be about Fin Security. I am an investor. I am friends with the people that own Fin Security, Connor specifically, so we're interviewing, but we're going to keep this demo fairly technical and show you why I chose to invest in Fin. And it comes down to automating the human vulnerability management process, making this easier to do at scale, whether you're an internal IT individual managing a lot of your users, or you're someone like myself, an external company that manages IT for many other businesses. This is a tool I really like. It's a tool we use, but we're going to get technical and show you how fast and automated it is. It's rather clever how they set this up, but you know, you don't want to hear me talk about it. So we're going to jump right into the product demo here. How are you doing, Connor? I'm doing perfect. How are you, Tom? You ready to talk about phishing? Oh yeah, I'm ready. And you know, I want to jump right into the product demo here, because I like it because of how fast we can onboard people. That's what makes this cool. Oh yeah. So how fast can we get something attached to an Office 365 tenant? Attached to 365, I think we could get that done in the next two minutes.
What I promise every person that I demo to is, once you've set this up one or two times, like you know what's going to happen, no more than 10 minutes to get a full security awareness program, reporting going out, hooked up to O365, whitelisting already guaranteed, less than 10 minutes. Okay, I like that. I like the whitelisting guaranteed part. That's one thing I want to show off here. Okay, I'll make sure to get to it. Tell me when you want me to start. Start, man. The timer's going. All right, timer's going. So here is your partner dashboard as an MSP. A couple of things to note. You can set up your top-level branding. So if you want that to filter into all of your tenants, whitelist, sorry, white-label everything, that happens by default. Everywhere you see a Fin name and Fin logo, imagine it's yours, just by uploading a logo here. Perfect. So you can add admins and stuff to the tenant. I'm not going to get into that just yet. Like, MSP folk, let's say we had a brand new client and you needed to get them set up. No deal registration process. Just click create a company and they end up getting created. So now we've landed at a five-step onboarding process that you can see here. If we complete all five of these things, our client's completely set up. We've done our job. So first thing, personalize. Again, if you didn't set that top-level branding, you have the option of overriding it right here inside of the client. I'm in the client, I can override that individually, have the client's information show up instead of the MSP's. You can also manage company admins. Do you have any co-managed clients? Well, if you do, add stakeholders of the client right here in the user page. They'll only have access to this tenant, so they can manage it completely on their own, or they can at least be a part of the conversation. And I think that's great for the co-managed stuff. That way you can coordinate with the internal IT teams. That's, well, very near and dear to what we do.
Oh, yeah. Very important. You always have at least a few clients that have the resources. They have an internal IT person or whatever, and they want to be a part of the conversation. Yep. Let's pretend we did that. Now, I promised we'd connect to the O365 tenant to whitelist. So here we go, the technical part. We've created a direct integration to the Graph API called Spam Filter Bypass, and I'll summarize this for you. We don't use SMTP to send traffic. We use the Graph API. So you just click connect. We are very explicit about what we request. Super important. Yep. Continue to Microsoft, pull up an admin of the tenant, verify we didn't lie to you and these are the permissions we're requesting. Yep. Accept. And now this is going to route us back to Fin, and then as soon as this is done, all right, we just whitelisted all the traffic, because we're using the Graph API to send every single email from our platform: phishing, training, reminders, notifications, reports, everything, through the Graph API. And this does it without breaking [insert name of your favorite filtering tool] that you may have in place. So all the major filtering tools, maybe you have your email redirected through them, you're not interfering with them, for one. Second, you're able to drop these emails, these phishing emails, right into someone's inbox, because it's going directly there, as you said, without sending SMTP. That is just a really important and great aspect of the way this works. Yeah. Biggest problem, one of the biggest problems MSPs have told us about, is the client makes a change in their environment, or you make a change, or someone along the line of the many tools that touch your SMTP stack makes a change that screws everything up, and then you get a hundred support tickets. Well, with us, you don't need to deal with that, because we just go right under the SMTP and we just drop right in the inbox through the Graph API. To me, that's just the innovation that makes us so much, like, less pain.
It's also one of the things when you change mail filtering software: you don't have to go remember, oh, yeah, that's right, I also have to update my phishing and training program because it's got to have bypasses for it. Yeah. Yeah. We get past all that. So, third step. You could probably deal with this as the owner of an MSP. This problem MSPs came across was some kind of miscommunication between the MSP, the staff of the client, and then like the stakeholders, and then the actual employees. That turned into a couple hundred support tickets in our larger clients. Hey, what is this? Is this phishing? What are we doing? Why are we doing it? What is it? What are we expected to do? It's like, okay, let's allow you. So we've created a process called welcoming, where you can customize this at the partner level. Again, everything can filter down, waterfall down if you want, or you can customize it here in the tenant. You can have this come from your MSP or the client at FinSecurity.com, and you can basically customize this message and say, this is what's going to happen, this is what is expected of you, this is what the training is going to look like. Here's a video of where you can access the training, how you can do things, so that you never get those. It's a phishing email and it's just a button that says, hey, log in to complete your training. Those are the worst. Completely simple. You've let people know why you're doing this, what you're doing, which is, like you said, a very key part, because people ask, is this a real phishing simulation? Or is this actually someone trying to phish me in an attack? Have the expectations set up here and an understanding, because you've engaged with them. Oh, yeah. And all I got to do, I flipped this on real quick: at noon every day, we'll look for new users that we pulled in through the user sync, which we're about to set up, or new users you've added to the platform.
And we can guarantee they will get this welcome email ahead of any phish, ahead of any training notification or reminder. And basically we can guarantee we've communicated those expectations to that end user for you. So it just gets rid of so many issues that tend to crop up. Yeah. And this is that second part. You've tied into the Graph API, but you're also able to see all those users that are pulled in through that synchronization you did with their tenant. So you have all the users without having to key them all in and figure out who's who in that list. And to go further, sync users with Azure: you can sync them as people add new users. It's just part of the process. Oh, yeah. I'll actually show you the magic there. It's probably the biggest time-saving feature we've built, because we built it all by hand using, you know, Graph API calls. So you can manually import users, CSV, the whole nine yards, or you can click this lovely blue button, continue to Microsoft. Again, very explicit about the permissions we're requesting. It is the smallest set of permissions we could possibly request. Read the groups. So get the work done. Yeah. Read the groups, read the profile you've given us, and connect the tenants together. And so what this is going to do is it's going to pull in all of our users and all of our groups. Biggest problem with that is sometimes you get shared mailboxes. People don't want to train shared mailboxes. So let's say you had security ops at your MSP or some other shared mailbox. You just do this great thing called sleeping. Our platform, for all intents and purposes, will now ignore that mailbox. If you make an update to that mailbox, it'll stay ignored. The only way you can essentially get that mailbox included now is by coming into the platform and unsleeping them. So you're never going to have to manage a user or a shared mailbox or a distribution list that you've slept by hand on the way in, right here. Yeah. That just makes it simple.
Same thing with groups. I tell you what, MSPs that manage enrollment in tools for Azure users based upon the groups that they have access to: imagine that group is right here. It's called phishing group or whatever, or security awareness group. We can literally create a process where, I'll just click commit so we start the syncing process, but if you have that enrollment in the group, we can guarantee we'll pull the users in. If you have campaigns running against that group, which you can set as a custom audience, we'll automatically enroll them in those campaigns and they'll automatically get caught up on all the training that they've missed. So literally all you got to do: go to Pax8 or wherever you're getting your licenses from, set up that user, enroll them in the groups, never come to our platform again for any of that. It all works. All automated. Yep. And every six hours, as you can see right here, we'll look for new, updated, and deleted users, and we'll update our platform with what we find in your Azure tenant. Deleted users as well. I think that's an important part. So you're dealing with the off-boarding process, not just the onboarding process of users, once this is connected. Yep. Absolutely. And then, so you can see it here. That security ops, that got slept here. So the status is slept. They're not going to get welcomed. They're not going to get training. They're not going to show up in billing. Like that. And then here are the groups we pulled in. Beautiful. Yep. And now last step, training and phishing. So you can do modern training and phishing: select 12 phishes, select 12 training modules, send them out once a month, come back into the platform every time you need to re-up that or every time you need a new client, right? The thing that we hated the most that MSPs had to do was you had to build a campaign in every client from scratch every time, no matter if it was the same exact campaign for every single client.
I like continuous campaign creator. Continuous. That's important. Correct. So that's what I was getting to. This is the old-fashioned way, right here. Right. Go to the phishing, go to the training, create your own campaigns from scratch. More power to you. You can do that. Yeah. Or you can click this bright, blue, beautiful button, and that'll ask seven questions that are basically identifying two things as we go through it. What unique risks might this company be exposed to as a result of how the employees work, as a result of how big they are? What unique compliance requirements might they have as a result of handling PHI or any PCI-related materials or doing business in the European Union? What industry are they in? And then basically what this is going to do is create a set of phishing topics right here and a set of training topics that are both going to intelligently select the phishes that go out and the trainings that go out for these users on whatever cadence you'd want. And then the continuous part: this will never end. So this will last as long as you want, until you come back in here and delete the campaigns, and this will continue to keep your clients educated and compliant on these relevant topics, and with phishes selected from these relevant topics here. Just dead simple. Start date. Yeah. It defaults to monthly, but we can actually go edit that, and then look at that, our client's completely set up. Yeah. And if I wouldn't have talked, I think we did it in like 11 minutes, but I think Tom talked enough to cause the extra minute. It's really slick. Let's look a little at the reporting on this as well. Yes. We can kind of see what this looks like when people get phished. Yes, I can actually show you that. I'm basically showing you how to set up monthly reports or weekly reports.
Imagine a world where you don't need to log into the platform to look at things, or you can add your stakeholders and they get a PDF branded with the MSP's information that has an executive summary at the top and then a bunch of graphs and a bunch of tables explaining what users are doing and why they're doing it. I will pull up a few things first in the analytics. There's a fully fledged analytics dashboard that shows you a few things. One, now this is all fake data. So ideally you want that downward trend to the right. This is essentially what your stakeholders would have access to if you added them as an admin. And then we have what is going on in phishing. So these are the tags that we have in our templates that are phishing folks, and then these are the actual names of the templates, and then probably the most important part of this is we have an actual table of every piece of information we've collected, not collected, but every interaction they've had with our platform through phishing specifically. So Connor at Fin Security has been sent 53 phishes; guy's clicked nine times. Poor dude, you know, someone probably has a social security number out there, and you can see, okay, what did they get sent? When did it happen? Did they complete their learning moments after the fact? So we can even go into learning moments if you want, but then I can see, okay, this financial statement view template. This is one of our easier-to-recognize templates, and I can get into that. But basically what we do is we have a mailbox set up where MSPs submit mail that they would like us to emulate on popular tools that their clients use. So if we go to our templates, we have Google set up, Dropbox, Atlassian, Google activity, Microsoft Teams, Shopify, security brief, SharePoint, I could go on and on and on. Right now we have 50. We add two new templates every single week. That's nice. Pulled up the Buffalo Wild Wings one because that's my favorite. I think this one, I think we did get somebody here.
Yeah, I mean, it's got the blazin' on it. It's the hot sauce, it's like, how do you not click that? It's order now. Yeah. And we actually will inject your real email here. We'll do a lot of, what is this, unsubscribe. I don't even know where the unsubscribe link is. Yeah, yeah, I've gotten phished with that. Actually, there's one in here. I think you got my wife with the Amazon one. So really, I did test my wife as well when we were doing this. My staff passed well. They were hard to phish. My wife was way easier to phish. But these are really good templates in here that are already built in, that you do not have to spend time creating. You just automate them, throw them on here, and it just makes life a lot better. And I'll even go one step further. Let's say you did want to create your own. First, we have text phishing. But second, this is a template that I've copied. We have this awesome button called Share, where this will share it. It'll create this little networking icon next to it, with all of your clients. And then here's the really powerful part. Do you see these tags right here? Yeah. So our continuous phishing campaigns run on a tag-based system. We look at the allowed tags in the campaign. For each individual, we see what tags we're phishing them on on a regular basis, and we'll select phishes intelligently based on that. If you share this template, you tag it properly with one of these tags, and that tag is in a continuous campaign, it automatically gets zipped up into the campaign. So you don't need to ever go edit a running campaign to make sure everything is up to date, the templates are up to date, that you have new templates pulled into the campaign. It all just happens automatically. That's nice. So you just add a tag to that client, and then that type of... And this is where you built these tags, based on those questions that were answered when we were doing the onboarding. But they can always be edited and customized later.
So if you go to, I think we have a few running campaigns here in our test account. I get all these phishes, by the way. I'm all trained up, let me tell you. Yeah, a few things. You can edit any campaign that's running. You can fill out a Mad Lib sentence just to change the way. So if you want twice a month on the first and third, you can be very granular. Now, we send intelligently. So this never means everyone's going to get the same phish at the same time of day right here. You can also select groups. So back to that group enrollment that I mentioned. If you had that security group, just create a group campaign based upon that group, and they'll automatically get enrolled in this campaign if they're pulled into our platform. Yeah, here's the tag. And that way you can target maybe a specific group, because you want to really focus your training internally. And larger enterprise companies do this. They run these simulations against it sometimes on that basis, because you want to make sure these users are really up there. Maybe you have a separate campaign very specific to your finance department, because business email compromise is huge in terms of what can happen in finance. It's like the very targeted group. Yes, and where we're moving with this is you can create not only role-based trainings, and you can identify certain roles in your organization, we're moving towards, what if we could automatically, based upon the Graph API, some really cool new stuff, but based upon who those people interact with or based upon certain common titles that we're pulling in with that information, what if we could automatically create that role-based training for you and enroll them? It's like, here's our finance phishing. It's like, OK, what's different about this? Well, we also do some invoice scams. We also do some credit card scams. We also do some business email compromise.
With that, one cool thing about that connection to the Graph API: we can actually simulate if one of your internal accounts got compromised, or if a third-party account at some other company you work with got compromised as well, because we can now send traffic, it's not going through SMTP, from that account. And so we can actually get really specific as to how we're attempting to phish people, because then we actually give them really actionable training after the fact that ends up helping them change their behavior. Yeah, that's just great. This, it automates a lot of this. It makes it really simple. And the analytics and final training parts that you can do from here is being able to create those action lists of what got done, have a provable track, so to speak, that these trainings were gone through, and ultimately make sure that we've gone through the full human vulnerability management training process with people to figure out if they will follow the process as expected. I think that's the part that people kind of miss too, is you can put processes in place. All right, if someone sends an email, this is the verification process, but people are people. And sometimes they don't follow the process. So this helps put that extra verification in that the steps in place will be followed, especially when you directly say, I'm going to send these people an invoice. I'm going to see if they follow the process. Do they call their manager, or whatever their process that they're supposed to be going through is? You have to verify that. You'd be way better off doing it with a Fin phishing email of a fake invoice than someone paying a fake invoice. Which honestly, I deal with that more than I deal with ransomware, the fake invoice problems and things like that. It's just, it's a huge issue. Oh yeah. And that was our thought.
I mean, you and I were talking about this before we hopped on and started recording. Our goal was to actually phish the employees first, like to actually think like that malicious individual would, to target an individual in a way that gets them to fall for the business email compromise. And then what we're able to do after the fact is give them very tactile information. These are the four things we had to do to make you believe that this was real communication. Here's how you could have recognized each of those four things next time. Our goal is to build a habit. And when we, you have a habit, I have a habit. Every time, you were just talking about John's video on the habits that he has, right? Yeah, habits that he has for people getting their YouTube compromised and things like that. John, you have a video, great video, of how phishing emails even do get through. I'll leave a link down below, because it's just a really great technical deep dive into following a phishing link and what level of obscurity they're willing to go through to get that through all the filters and possibly take over a YouTube account. It was a very targeted attack that hit a lot of YouTubers. And we already know a few of them that have clicked on it. So it's pretty serious. Oh yeah. And then this is just an example report. Again, that executive summary, this is typically where they stop. All right, phishing still going on, training still going on. Oh, half my users got phished. Somebody should deal with that. And only 75% are up to date on their training for the past year and for this month. And then we just have some actual information. This should be, again, a trend line going down as you continue to work with us: up to date on training for the last 12 months, up to date on phishing and completing learning moments over the last 12 months as well. And then we just included this, users to watch. So if a user is getting phished or not completing training, they'll show up here.
It is an MSP's job to tell the client, hey, these are the people that you need to have some kind of intervention with. Come-to-Jesus moment, whatever, knock on their door. You have the control over these people's lives. You are the direct report. I can't step in as the MSP. I mean, you can, but we'd really prefer the stakeholder or the HR manager, whoever gets this report, says, hey, I think we have, yeah, Will Chocolate. Hey, why didn't you complete your training? Oh, well, we got busy, pull up the link right now. Let me, you know, do it today. Something like that. We want to give you that actual information and then let you move on from there. This was great. We managed to get the onboarding done, other than time talking, I would say in 10 minutes. We'll still qualify that. For the people who are interested in signing up or whatnot, we have a link down below if you're interested in booking a demo, checking this product out. I like it. It's obviously, that's why I invested, as I said in the beginning of the video. But hey, check it out for yourself. If the demo didn't convince you, maybe you want to talk to Connor and go through a demo. Depending on how far in the future, maybe Connor's grown so big he's got an entire sales team staff you may have to talk to, but right here in September '22, there's a chance that he might help you with the onboarding. I do most of the demos, and I do most of the onboarding. And that's, yeah, hand-to-hand combat style. I'm the one that's there to make sure you all have a great experience. Absolutely. And the last thing, because I probably should have mentioned it in the beginning, but I really wish we didn't have to do phishing training, but we do have to do phishing training, because that's the world we live in. So that's all there is to it. In a perfect world, every system would work fine, but then I wouldn't have a job, so. Yeah. Yeah. I don't think any of us would have a job. Yeah. All right. Links are down below, and thanks. Thanks.
Appreciate it, Connor. This was a fun demo, and we'll do some business videos together to talk more about selling this and just the bigger topic of human vulnerability management. So look for those videos coming out in the future. Thanks. I can't wait.