5 elementos imprescindibles y acciones obligatorias para la gestión de riesgos de terceros

Amy Tweet: All right, welcome everyone. Amy Tweet: I’m gonna throw up a quick poll question here while everyone starts to sign on and get comfortable. Amy Tweet: All right, there it is. Amy Tweet: Can you confirm that you guys see the poll question on your end? Speaker 2: I can see it. Speaker 3: Y. Amy Tweet: see it. Amy Tweet: Okay, perfect. Amy Tweet: All right, well, everyone starts to trickle in. Amy Tweet: We’re really excited that you’re all joining us today. Amy Tweet: Take a moment to let us know what prompted you to join our webinar, whether it’s educational for project research, If you have no idea where you’re at, um, you know, maybe stick around. Amy Tweet: You might learn something or maybe you are currently a prevalent customer. Amy Tweet: You’ll see a couple faces joining me. Amy Tweet: Um, as you can see here, we are joined with Dr. Eric Cole. Amy Tweet: He is the founder and executive leader at Secure Anchor Consulting and former CTO of McAfee and chief scientist for Loheed Martin. Amy Tweet: Eric is an industry thought leader and well known to many for the security space. Amy Tweet: So, we are very pleased that he is joining us today and I’m sure a lot of you as you’re coming in, have either spoke with him before or know a little bit more about Dr. Eric Cole. Amy Tweet: And we are also joined by our very own VP of product marketing, Scott Lang. Amy Tweet: You’ll hear a little bit more from Scott towards the end of the session as he shares more about Prevalent. Amy Tweet: But we’re again so happy that you’re here. Amy Tweet: My name is Amy Tweet. Amy Tweet: I’m in business development here at Prevalent and I am here to field any questions that you may have. Amy Tweet: So throughout the webinar, if any questions come up or concerns or comments, um, you can use the Q&A function or the chat function on the Zoom here. Amy Tweet: And as you all know, this is recorded. Amy Tweet: So if you have to hop off, you’re not able to stay for the whole thing, it’ll be sent to your inbox first thing tomorrow. Amy Tweet: So you can check it out when you are ready. Amy Tweet: Um, but without further ado, I’m going to pass it off to Dr. Eric Cole. Amy Tweet: Thanks everyone. Dr. Eric Cole: Amy, thank you so much and thank you everyone joining us today. Dr. Eric Cole: I I I sort of laugh at the topic because if you’ve done anything in cyber security, if you’ve watched the news, had a computer third party risk management I don’t think needs any introduction. Dr. Eric Cole: So if we go to the next slide just in terms of recent events from Solar Winds to CASSA this is basically the new battleground that we’re seeing from an attack perspective and just to sort of paint the perspective what I’m seeing out there is this activity of breaking into organizations over the internet has basically in the last 9 to 12 months have essentially commercialized cyber criminal activity. Dr. Eric Cole: These are no longer individuals. Dr. Eric Cole: I know I’m I’m dating myself here using the term scriptkitty, right? Dr. Eric Cole: Some of us could recognize that as one of the the original terms in the late 90s, early 2000s of essentially uh really smart folks after school or college hacking into systems. Dr. Eric Cole: What we’re seeing now is businesses, these are organized businesses that like many of our businesses are employees. Dr. Eric Cole: They have office buildings, they have benefits, they have vacation. Dr. Eric Cole: The only difference is their revenue generating activity is cyber criminal activity. Dr. Eric Cole: And what they figured out is third-party vendors is the trick and magic to exponentially increase revenue to basically reach out to more customers and get in touch with more people once again for nefarious activity. Dr. Eric Cole: But why should I go in and try to break into one company when I could go in and find a vendor that supplies software to not only that target but 20, 30, 40 other targets? Dr. Eric Cole: And now I break into that one third party vendor, compromise their software, let them do the work for us and distribute it out to all of our customers. Dr. Eric Cole: And then we just go in, activate our malicious code, activate our back door, and boom. Dr. Eric Cole: We’ve now just broke in to 40 customers by targeting one entity and one piece of software. Dr. Eric Cole: Now this concept of compromising and going after vendors is not new. Dr. Eric Cole: We actually saw a preview of this approximately six or seven years ago with the target breach. Dr. Eric Cole: If we all remember the target breach that was caused because a HVAC always I always got a smile and it just cracks me up when I talk about it. Dr. Eric Cole: But a heating, ventilation, and air conditioning vendor, basically a vendor that controls the climate in all their stores, had full access to every point of sale register and therefore every credit card transaction across all of the Target stores. Dr. Eric Cole: Now, in that particular case, they broke into a third party and they targeted one entity, one company in that case, Target, which at the time was one of the largest breaches. Dr. Eric Cole: What we then saw with Solar Winds is mainly focusing on government and a few commercial entities. Dr. Eric Cole: They went in and said, “Okay, here’s all of our targets.” Imagine putting it in a spreadsheet and saying, “What’s the software that they all run?” Dr. Eric Cole: And then saying, “Which of these pieces of software are the easiest to break into target go after that and use that as a mechanism to compromise a significant number of entities.” Dr. Eric Cole: Then Of course, we saw Colonial, which was largescale ransomware. Dr. Eric Cole: Then recently, in the last few weeks, essentially, if you could take Solar Winds and Colonial and merge them together on on one of the webinars I was doing is if the Solar Winds attack and the Colonial attack basically started dating, got married, and had a baby, right? Dr. Eric Cole: It would be Cassa. Dr. Eric Cole: And everyone sort of said that was really weird. Dr. Eric Cole: So, I I won’t actually Oops, I actually did say it on this webinar, right? Dr. Eric Cole: But but essentially say it was the merging of those two where you had a massive supply chain. Dr. Eric Cole: In this case, it was interesting because they did a double whammy. Dr. Eric Cole: They not only went after Cassa, which is a vendor, but it’s four MSSPs, managed system security providers that each then have thousands of customers. Dr. Eric Cole: So imagine this. Dr. Eric Cole: I break into CASSA and put back doors in the software. Dr. Eric Cole: It then goes out to all the MSSPs level one and attacks them. Dr. Eric Cole: Then all the MSSPs clients are then attacked. Dr. Eric Cole: So when you’re talking about wellplanned, executed and well thought attacks, that’s what they’re doing. Dr. Eric Cole: They have very clever business plans. Dr. Eric Cole: And in this case, it was a ransomware attack. Dr. Eric Cole: And once again, wholesale discount, right? Dr. Eric Cole: When when a CASSA first happened, they went to each of the individual customers and basically said, “Hey, you each have to pay a ransom. Dr. Eric Cole: Then they went back to the MSSPS and said, “Listen, instead of all of your hundreds of customers having to pay a ransom, we’ll give you a volume discount. Dr. Eric Cole: If you just give us a lump sum payment, right, we’ll then go in and let all your customers have their data back.” Dr. Eric Cole: So this is whether we like it or not, the new normal, the new battleground. Dr. Eric Cole: And if you’re focusing on cyber security for an organization, whether you’re a security engineer or siso or you’re running a sock, you need to make sure that you understand and are careful of the third party vendors. Dr. Eric Cole: As we used to say at the CIA, trust no one, admit nothing, and make counter accusations. Dr. Eric Cole: And if we go to the next slide, one of the rules, and I’ve been in cyber security for a long time. Dr. Eric Cole: I know many of you have been taking my courses. Dr. Eric Cole: It’s all about managing risk. Dr. Eric Cole: It’s all about balancing the risk. Dr. Eric Cole: Yes, we do. Dr. Eric Cole: need vendors to have access to our environment, but where’s the balance between the functionality and the security? Dr. Eric Cole: Where do we find that proper mix? Dr. Eric Cole: And to me, it’s always great to go back to the fundamentals. Dr. Eric Cole: And one of my favorite questions whenever I do webinars is I always love asking the audience, what is cyber security? Dr. Eric Cole: What is the definition of cyber security? Dr. Eric Cole: If You came home from work today and a neighbor, a friend, one of your kids said, “What did you do today?” Dr. Eric Cole: And you said, “I attended the most amazing presentation on cyber security I’ve ever seen in the entire world.” Right? Dr. Eric Cole: And they look at you and go, “What’s cyber security?” Dr. Eric Cole: What would be your answer? Dr. Eric Cole: And I love this because I know brilliant people that have worked in cyber security for 15 plus years. Dr. Eric Cole: And when I ask them, please define in one sentence or less, what is cyber security? Dr. Eric Cole: They can’t do it. Dr. Eric Cole: They’re like, well, you know, security and stuff, right? Dr. Eric Cole: Well, you know, cyber security stuff. Dr. Eric Cole: And I’m like, no, what is the actual definition? Dr. Eric Cole: So, here it is. Dr. Eric Cole: And it’s very important because it lays out what we’re trying to accomplish in any area, especially dealing with third party risk. Dr. Eric Cole: Cyber security is all about understanding, managing, and mitigating the risk of our critical data being disclosed, altered, or denied access. Dr. Eric Cole: So, when we’re looking at cyber security, we’re really going in and looking at three things. Dr. Eric Cole: Risk management. Dr. Eric Cole: What is the probability of loss? Dr. Eric Cole: We’re balancing risk. Dr. Eric Cole: We’re saying, what do we gain? Dr. Eric Cole: What do we lose? Dr. Eric Cole: And what’s the proper tradeoff? Dr. Eric Cole: It all comes down to our critical data. Dr. Eric Cole: Because let’s face it, it. Dr. Eric Cole: If somebody broke in and they didn’t access critical data or critical business processes, we would call that a minor breach, right? Dr. Eric Cole: It wouldn’t be a concern and it wouldn’t be an issue. Dr. Eric Cole: What goes from a minor breach that nobody hears about to a major breach that is all over the news and everybody is talking about is when significant amount of critical data and critical business processes are involved with the attack. Dr. Eric Cole: And then of course it comes down to what we call our CIA triad of confidentiality, integrity and availability. Dr. Eric Cole: And that’s coming down confidentiality is preventing detecting unauthorized disclosure. Dr. Eric Cole: Integrity is dealing with alteration. Dr. Eric Cole: And availability is dealing with denial of access. Dr. Eric Cole: So we’re trying to protect our critical data from unauthorized disclosure, alteration, or denial of access. Dr. Eric Cole: Now what’s interesting with that is Most folks that have worked in cyber security for a long time, traditionally the main focus in cyber was always on the disclosure, making sure somebody can’t get access to our critical data, which is important. Dr. Eric Cole: And when you have third parties that are assessing your environment, you want to make sure that you’re protecting the disclosure. Dr. Eric Cole: But of course, now with ransomware, the denial of access is also becoming a very big concern factor. Dr. Eric Cole: So you need to go in and say, “Okay, what is our critical data and business processes that support it? Dr. Eric Cole: Who should or shouldn’t have access? Dr. Eric Cole: And what can we do to minimize or reduce that overall exposure in that organization?” Dr. Eric Cole: And the one thing we have to always remember when we’re dealing with risk, next slide, is that in any practical sense, 100% security really doesn’t exist. Dr. Eric Cole: I remember I was getting back on stage page about 6 weeks ago. Dr. Eric Cole: Uh, of course with COVID for the last 14 months, everything was virtual. Dr. Eric Cole: I basically lived in the studio and my team uh has a little slit in the door like a a prison door where they slip me food and beverages. Dr. Eric Cole: But I I live here all day giving presentations, podcast, seminars uh because we couldn’t go on stage. Dr. Eric Cole: And about six weeks ago, I got to go back on my first live stage, which is awesome. Dr. Eric Cole: I love I love interaction, people energy that it’s good to have remote, but you still can’t get that I remember I’m giving my first live speech in over 14 months and there was a slide that said 100% security doesn’t exist. Dr. Eric Cole: Now I’ve given this presentation and I’ve used that slide probably over 40 or 50 times but on this particular occasion I don’t know why I questioned it. Dr. Eric Cole: I sort of looked at the slide I looked back at the audience and I said is that really true? Dr. Eric Cole: Is it true that we cannot not achieve 100% security? Dr. Eric Cole: So I held up my cell phone and I said, “Can we make this 100% secure?” Dr. Eric Cole: And somebody screamed out, “Well, turn it off.” Dr. Eric Cole: And I said, “Great.” Dr. Eric Cole: So I turn it off. Dr. Eric Cole: And somebody says, “Well, you can turn it back on.” Dr. Eric Cole: So another person screams out, “Smash it to pieces.” Dr. Eric Cole: And they said, “Great. Dr. Eric Cole: If I turn it off and smash it to pieces, have we achieved 100% security?” Dr. Eric Cole: And I kid you not, there was a person in the third row and he’s like, “You can glue it back together.” Dr. Eric Cole: And I’m like, “Really? Dr. Eric Cole: We’re really going to go there?” Dr. Eric Cole: And he’s like, “Yeah.” Dr. Eric Cole: And I’m like, “Okay, so what do we need to do, sir?” Dr. Eric Cole: And he’s like, “Well, poor lighter fluid on it and light it on fire.” Dr. Eric Cole: And he got almost a little too excited. Dr. Eric Cole: It was a little a little freaky. Dr. Eric Cole: So I said, “Great. Dr. Eric Cole: If I take my cell phone and I turn it off and I smash it to pieces and I burn those pieces to a crisp, can we all agree that that cell phone is now 100% secure?” Dr. Eric Cole: Everyone agreed. Dr. Eric Cole: Excellent. Dr. Eric Cole: I said, “Okay, what’s the problem? Dr. Eric Cole: When we achieve 100% security, there’s zero functionality. Dr. Eric Cole: Zero.” Dr. Eric Cole: So, yes, we can technically achieve 100% security, but then that has zero value or zero device, which means when we want to go in and add functionality, you’re never going to be 100% secure. Dr. Eric Cole: So, I just want to make sure we recognize that that we’re dealing with third parties. Dr. Eric Cole: The only way to make third parties 100% secure is not allow any of them to connect to our network, not allow any of them to access any of our systems. Dr. Eric Cole: Well, I think we all agree that if we ran an organization where no vendor, no software, and no entity could have any access to any of our network or any of our systems, we wouldn’t be able to function. Dr. Eric Cole: We wouldn’t be able to run the organization. Dr. Eric Cole: So, here’s the most important part, the law of security. Dr. Eric Cole: The law of security is just like the law of gravity. Dr. Eric Cole: Whether you like it or not, whether you accept it or not, it’s always at play. Dr. Eric Cole: You can sit there and say, “I don’t believe in the law of gravity.” Dr. Eric Cole: And if you walk off a 10-story building, guess what? Dr. Eric Cole: You will meet gravity very, very quickly. Dr. Eric Cole: Right? Dr. Eric Cole: So whether you like it or not, whether you accept it or not, gravity is always at play. Dr. Eric Cole: And the same thing with law of security. Dr. Eric Cole: You don’t have to like it. Dr. Eric Cole: You don’t have to acknowledge it, but the law of Security is always at play. Dr. Eric Cole: And here’s the law. Dr. Eric Cole: Whenever you’re adding functionality, you’re reducing security. Dr. Eric Cole: Whenever you add functionality, you’re increasing risk. Dr. Eric Cole: Our job as cyber security professionals is to go in and balance it. Dr. Eric Cole: Is to go in and say, okay, by having a third party have access to our network, what is the functionality that’s needed and how can we minimize and reduce that risk? Dr. Eric Cole: to an acceptable level. Dr. Eric Cole: To me, we’re going back to one of the core foundational principles, which is least privilege. Dr. Eric Cole: How can we give entities the least amount of access they need to do their jobs? Dr. Eric Cole: However, this means we have to start doing analysis. Dr. Eric Cole: The way some, not all. Dr. Eric Cole: So, if you’re one of those folks that go, “No, Eric, we’re doing all of this.” Great. Dr. Eric Cole: I didn’t say all. Dr. Eric Cole: I said some or most, not all. Dr. Eric Cole: Organizations when they go in and buy a new piece of software, they set up a new relationship with a third party. Dr. Eric Cole: What do they do? Dr. Eric Cole: They assume they’re secure. Dr. Eric Cole: They directly connect them to the private network and they give them full access to their environment. Dr. Eric Cole: And I see this all the time. Dr. Eric Cole: So, we’ll cover this in more detail as I continue my presentation, but I just want to give you the three big risk areas when we’re talking about third parties and vendors. Dr. Eric Cole: First figure out what access they really need. Dr. Eric Cole: What is the minimal amount of access they require in order to do their jobs? Dr. Eric Cole: Only give them that access and manage and monitor to reduce or minimize the risk. Dr. Eric Cole: So I remember when I first started teaching one of the courses I wrote, security essentials, that at the time was one of the number one selling cyber security courses. Dr. Eric Cole: I when we taught the firewall module, I always had a simple rule. Dr. Eric Cole: Golden rule of firewalls. Dr. Eric Cole: All external connections must go through a firewall. Dr. Eric Cole: All external connections must be monitored, tracked, and analyzed. Dr. Eric Cole: And let’s face it, a third party, a third party vendor is an external connection. Dr. Eric Cole: So we need to make sure that we’re filtering it. Dr. Eric Cole: So once again, solid cyber security principles. Dr. Eric Cole: You go in and do a default deny. Dr. Eric Cole: So you put it behind a firewall, don’t allow any access. Dr. Eric Cole: Then because that’s zero functionality, we figure out what access is needed and we only allow that access. Dr. Eric Cole: We only put that minimal amount of access through that firewall. Dr. Eric Cole: So I always find when I give these presentations, I’ll often get back going, Eric, basically everything you said sort of things that we’ve known about in cyber security and is common sense. Dr. Eric Cole: And my response is and I I see this in a lot of areas but it is so true in cyber security. Dr. Eric Cole: Common sense is not common practice. Dr. Eric Cole: You can sit there and tell me filtering and not allowing third party vendors to have full access to your environment is common sense. Dr. Eric Cole: But if you look at Solar Winds and CASSA and of the others. Dr. Eric Cole: It wasn’t common practice. Dr. Eric Cole: It wasn’t something that was put into play. Dr. Eric Cole: So, next slide, please. Dr. Eric Cole: So, we want to make sure that when we’re going in, you actually understand what’s happening and what software is in your environment. Dr. Eric Cole: If you’re a cyber security professional, whether you’re an engineer, whether you’re a team of one, whether you’re a chief information security officer, let me ask you a simple question. Dr. Eric Cole: When was the last time you talked the contracts? Dr. Eric Cole: When was the last time you talked the legal? Dr. Eric Cole: When was the last time you signed off on a vendor contract for software or hardware to your organization, especially with the migration to the cloud which was greatly greatly accelerated because of the pandemic. Dr. Eric Cole: The role of cyber security is drastically changing. Dr. Eric Cole: It is moving from a very technical role that we saw 10, 15, 20 years ago where the security team was really responsible for setting up the firewalls, filtering, tracking, monitoring. Dr. Eric Cole: And now it’s much more of a strategic role where you’re interfacing with contracts, with legal, and making sure that there’s proper security language in all those contracts. Dr. Eric Cole: I review a lot of contracts for our clients and I’m amazed big companies that you would know of Fortune 100, the small companies, they’re signing very very significant multi-million dollar contracts and there’s no security language. Dr. Eric Cole: There’s no security metrics. Dr. Eric Cole: There’s no security expectations and heck, security is not even involved in that process at all. Dr. Eric Cole: But Wait a second. Dr. Eric Cole: If we’re purchasing software and we’re giving vendors access to our network, shouldn’t there be cyber security language in the contracts, shouldn’t we have an accountability clause? Dr. Eric Cole: Shouldn’t we have clear metrics and components in place? Dr. Eric Cole: So, when we’re talking about third party risk, you can’t protect what you don’t know. Dr. Eric Cole: So, the first and most important component is cyber security needs to build a relationship with legal and contracts. Dr. Eric Cole: So if that’s not something you’re doing, you need to set that up. Dr. Eric Cole: Next, you need to have a referenced architecture because let’s face it, there are going to be vendors that are going to need access to your environment. Dr. Eric Cole: You’re going to have to allow them in. Dr. Eric Cole: So shouldn’t you have a standard way of doing that? Dr. Eric Cole: Shouldn’t you have standard operating procedures? Dr. Eric Cole: If every vendor is allowed to connect and is treated as an except exception your environment becomes an exception-based environment and you can’t protect that. Dr. Eric Cole: So you want to have a referenced architecture and what we do with our clients is it is something the vendor has to sign off on because if we’re going to go in and let a vendor come in, here’s our reference architecture, here’s what we allow, here’s what we don’t allow. Dr. Eric Cole: Can you work within that? Dr. Eric Cole: And if the vendor says no, then we look for another vendor. Dr. Eric Cole: But here’s the problem. Dr. Eric Cole: It’s security engagement. Dr. Eric Cole: is too late. Dr. Eric Cole: One of the golden rules of security, you have to always remember if security negatively impacts the business, security is wrong. Dr. Eric Cole: So if you’re thinking of going in and purchasing a $2 million piece of software and security says, “Wait a second. Dr. Eric Cole: This is too big a risk, too big an exposure. Dr. Eric Cole: Here’s some other options.” The business unit will listen or they should listen if you’re doing it correctly, but If they already wrote a check, if the company already spent $2 million and the vendor is there to install it, that train is going down the track and if you try to get in front of it, you’re going to get run over. Dr. Eric Cole: You need to get in front of that train when it’s stopped at the station. Dr. Eric Cole: So, you need to engage early and let them know these risks are unacceptable because once the check’s been written and the software has been purchased too, little too late and the exposure is too big. Dr. Eric Cole: So, next slide. Dr. Eric Cole: So, you want to make sure that when you’re going in that you’re covering some of the key areas. Dr. Eric Cole: So, now as I start to wrap up my section, I sort of have the what’s hot and what’s not, right? Dr. Eric Cole: Uh areas, sort of the five key things to pay attention to. Dr. Eric Cole: So, first, what’s hot today in the last several and some of this stuff is the last couple of months. Dr. Eric Cole: Some of this started after Solar Winds and some of this started just after CASSA. Dr. Eric Cole: This is like hot off the press. Dr. Eric Cole: What’s hot today is heavy segmenting and filtering connections from all third parties. Dr. Eric Cole: Highly segmented environments essentially going back and learning the lesson from Target. Dr. Eric Cole: After the Target breach happened, we actually and we still today have a huge retail market for my company. Dr. Eric Cole: Essentially what we did after Target is we went into large number of retail organizations and at every one of their stores we dropped in a switch that essentially segmented the store from every other store and put every register known as a POS point of sales system on every isolated segment. Dr. Eric Cole: So now even if somebody breaks into headquarters they can’t get into the store and if somebody breaks in to the store they can’t actually get into registers and if they get into one register they only have one not all. Dr. Eric Cole: So this idea of highly segmenting and filtering is very important and to me I always laugh because in cyber security we love coming up with really clever names and most of the time it’s things that we’ve been doing for a long time. Dr. Eric Cole: So like this idea of zero trust network right and and people always go Eric what do you think of zero trust network? Dr. Eric Cole: I’m like I’ve been teaching that for 25 years before you called it that, right? Dr. Eric Cole: So essentially the idea is assume no trust, right? Dr. Eric Cole: Isolate, minimize, reduce. Dr. Eric Cole: Another way to look at zero trust, which I’m a big fan of, is lease privilege. Dr. Eric Cole: Only give an entity the least amount of access it needs to do its job. Dr. Eric Cole: Let it do its job, but stop everything else. Dr. Eric Cole: The problem is what we used to do, which is not hot. Dr. Eric Cole: anymore is principle of most privilege essentially giving you full access and trusting everyone. Dr. Eric Cole: Now, here’s the issue. Dr. Eric Cole: It’s much easier and simpler to trust everyone. Dr. Eric Cole: Hey, just come on in. Dr. Eric Cole: Come on in. Dr. Eric Cole: I’m going to have a party. Dr. Eric Cole: Everyone can do anything they want on the system. Dr. Eric Cole: But here’s what you have to look at. Dr. Eric Cole: You’re going to pay the piper. Dr. Eric Cole: You either pay now or pay later. Dr. Eric Cole: So, I always go to clients going, “Eric, if we’re going to go in and really start segmenting and filtering out all third party connections, that’s going to require extra work and effort whenever we bring on a new vendor.” Dr. Eric Cole: I said, “Great. Dr. Eric Cole: Give me a number.” Dr. Eric Cole: And he said, “Okay, it’s going to cost us 60K. Dr. Eric Cole: Every time we bring on a new vendor, it’s going to cost us $60,000 to set them up, segment, and filter that we wouldn’t have to do if we trusted everyone.” Dr. Eric Cole: I said, “Great. Dr. Eric Cole: How many t new vendors do you bring on a year? Dr. Eric Cole: And they say 10. Dr. Eric Cole: And yeah, I’m using easy numbers to make the math simple. Dr. Eric Cole: I said, okay, so you’re saying that doing this highly segmented zero trust model is going to cost you about 600k a year. Dr. Eric Cole: Great. Dr. Eric Cole: If you don’t do it based on the current threats that are out there, there’s an 80% chance that you’ll get compromised and you’ll have to pay a $5 million ransom. Dr. Eric Cole: And there’s all data behind this. Dr. Eric Cole: I’m not just making this up. Dr. Eric Cole: There there’s data to support all of this. Dr. Eric Cole: So now I go to the executives and I say, “Okay, you have two options. Dr. Eric Cole: Option one is keep doing what you’re doing. Dr. Eric Cole: Trust everyone doing what’s not hot anymore, but keep doing that and there’s an 80% chance you’ll have to pay $5 million and lose trust with your customers.” Or option two is you can spend 600k now to minimize that. Dr. Eric Cole: Which option would you like? Dr. Eric Cole: That’s the correct way to do cyber security. Dr. Eric Cole: The problem is many security departments, they don’t cover that first piece. Dr. Eric Cole: So they go to their executives and they say or they go to their vice presidents or their other departments saying we need to spend 600k a year to secure the environment. Dr. Eric Cole: And everybody says, “Well, if we don’t spend 600k and we spend zero, we’re safe. Dr. Eric Cole: They’re assuming something that’s not true because we didn’t provide the complete data set. Dr. Eric Cole: So what’s also very hot is do the complete data set. Dr. Eric Cole: If you keep doing what you’re doing today, 80% chance of 5 million. Dr. Eric Cole: If you want to minimize that at 600K. Dr. Eric Cole: Now honestly, when I speak to execs, I don’t care which option. Dr. Eric Cole: If you want to accept the bigger risk, that’s on you. Dr. Eric Cole: You’re the executive team. Dr. Eric Cole: I’m just giving you the full perspective so you can understand understand where that’s coming from. Dr. Eric Cole: So, next slide. Dr. Eric Cole: So, it’s important that when you’re doing your analysis, you’re always presenting accurate information. Dr. Eric Cole: And remember, you can’t manage what you can’t measure. Dr. Eric Cole: We want to take cyber security from this ambiguous term to clear, measurable metrics and service level agreements. Dr. Eric Cole: I go into a lot of companies. Dr. Eric Cole: So, how’s your security? Dr. Eric Cole: Good. Dr. Eric Cole: How do you measure good? Dr. Eric Cole: What does good mean? Dr. Eric Cole: Does good mean you have an 80, a 50? Dr. Eric Cole: I mean, what what are the numbers and data sense that are there? Dr. Eric Cole: So, we need to go in and stop doing the old model which thinks cyber security is only a technical role and not integrated into the business. Dr. Eric Cole: Any business that signs a contract for anything that can impact cyber security, which I would argue are most things, but definitely software and hardware. Dr. Eric Cole: You want to make sure there’s clear security metrics in the contract and service level agreements. Dr. Eric Cole: And here’s what you got to do. Dr. Eric Cole: You have to commit. Dr. Eric Cole: I’ll often go in and I’ll say, “Okay, you have to go and say any software that’s running on a common operating system, when new patches come out, you will apply that patch within 30 days.” Dr. Eric Cole: It’s clear. Dr. Eric Cole: it’s measurable. Dr. Eric Cole: Either you do it or you don’t. Dr. Eric Cole: But I always get people going, “Oh, but Eric, we we don’t want to commit cuz what if it should be 35 or 40?” Dr. Eric Cole: So, they end up putting these things in there that you should take reasonable measures to protect software. Dr. Eric Cole: What the bleep bleep is reasonable measures? Dr. Eric Cole: I mean, we got to stop playing games. Dr. Eric Cole: We got to stop this thing where, oh, we don’t we don’t want to commit or we don’t want to push people too hard. Dr. Eric Cole: Why not? Dr. Eric Cole: We need to start measuring this. Dr. Eric Cole: You either sign the SLA that says you will apply all patches in 30 days or if you won’t, we don’t do business with you. Dr. Eric Cole: Right? Dr. Eric Cole: We do this in other areas, right? Dr. Eric Cole: We do this in legal. Dr. Eric Cole: If you’re not willing to follow very specific rules, they won’t do contracts with you. Dr. Eric Cole: So, we have to go in and start recognizing that cyber security needs to be measurable with metrics and implement SLAs’s to protect and secure that environment. Dr. Eric Cole: So, next slide where we go in and we start looking at the third tip. Dr. Eric Cole: This is once again I work with a lot of vendors. Dr. Eric Cole: I love vendors. Dr. Eric Cole: Vendors solve problems. Dr. Eric Cole: So I just want to be crystal clear here. Dr. Eric Cole: Vendors are not the enemy. Dr. Eric Cole: I don’t want you to think, oh, Eric hates vendors or vendors hate the enemies. Dr. Eric Cole: But we also have to remember that vendors protect their data and it’s our responsibility to protect our data. Dr. Eric Cole: And trust me, vendors don’t want the liability either. Dr. Eric Cole: So the old model of, oh, we trust all vendors and vendors are always going to do the right thing. Dr. Eric Cole: No. Dr. Eric Cole: Only give them the access they need. Dr. Eric Cole: If you don’t need access to all the data, don’t give it to them. Dr. Eric Cole: So it’s getting very hot and it’s something that it took these big breaches to get to this level where data classification is now a new norm. Dr. Eric Cole: So if you don’t have data classification in place at your environment, and you know me well enough. Dr. Eric Cole: I’m never going to go in and say you must do it. Dr. Eric Cole: Here’s what I’m going to say. Dr. Eric Cole: Look at everything that’s on your current 12-month road map, and I want you to prove to me every one of those items is a higher priority than data classification. Dr. Eric Cole: If you’re telling me that everything you are currently doing over the next 12 months is a higher priority than data classification, don’t do it. Dr. Eric Cole: But if you can’t. Dr. Eric Cole: And you’re like, “No, no, Eric, all these items are much lower priority. Dr. Eric Cole: Data classification needs to be the top method.” Dr. Eric Cole: Look at any of these breaches. Dr. Eric Cole: Why were they in the news? Dr. Eric Cole: Because the data wasn’t properly protected. Dr. Eric Cole: If somebody broke in and they couldn’t access your data, you wouldn’t need to pay a ransom. Dr. Eric Cole: If somebody broke in and they didn’t get any sensitive information, you wouldn’t have heard about it on every news panel. Dr. Eric Cole: So the difference between major minor breaches and what we hear about in the news is not whether somebody got into an organization or not. Dr. Eric Cole: It’s the amount of critical data they got access to. Dr. Eric Cole: It’s all about protecting and securing your data. Dr. Eric Cole: So next slide. Dr. Eric Cole: So we need to make sure that we have good clear mechanisms in place. Dr. Eric Cole: The next part is you’re responsible for your company. Dr. Eric Cole: security. Dr. Eric Cole: Stop playing the blame game. Dr. Eric Cole: Stop going in and coming up with excuses. Dr. Eric Cole: Stop thinking that it’s the vendor’s responsibility to protect your organization, that it’s their priority and if you have a breach, it’s their fault. Dr. Eric Cole: I mean, last year, I’ll have to be honest with you, when the Solar Winds happened to me, it was embarrassing. Dr. Eric Cole: I mean, you have these big tech companies And instead of owning their security and saying, “Yep, our bad lesson learned. Dr. Eric Cole: Let’s move forward.” It was all this blame game of, “Oh, the attacker was so sophisticated or was their problem or and it was blaming everyone else.” Dr. Eric Cole: I’m like, “Own it. Dr. Eric Cole: You’re responsible for your organization security. Dr. Eric Cole: You should be performing security assessments on all thirdparty vendors. Dr. Eric Cole: You should be going in and doing spot checks. Dr. Eric Cole: You should have performance reports. Dr. Eric Cole: If your letting a vendor into your environment, they are part of your security and you need to evaluate, assess and determine whether they are helping or hurting your overall security. Dr. Eric Cole: Now, if we move to the next slide, the next one is we really have to remember that prevention is ideal but detection is a must. Dr. Eric Cole: You are going to get breached. Dr. Eric Cole: You are going to get compromised and it’s all about timely detection. Dr. Eric Cole: Cyber security the goal of cyber security and I wish every executive understands this. Dr. Eric Cole: The goal of cyber security is not to prevent all attacks. Dr. Eric Cole: The goal of cyber security is not to stop all attacks. Dr. Eric Cole: It can’t be done. Dr. Eric Cole: The goal of cyber security is timely detection and response. Dr. Eric Cole: You’re going to have breaches. Dr. Eric Cole: And this idea that treating cyber security like accidents, illnesses, and robberies. Dr. Eric Cole: Those are things that happen to other people, they don’t happen to us, just doesn’t work. Dr. Eric Cole: And as I said, I was just recently doing a live presentation and after I got done, there was a panel discussion and because my flight wasn’t until later in the day, I stayed for the discussion. Dr. Eric Cole: And they’re going in and they’re introducing the panelists and the first person gets up and says, “I I’m a for this organization and entity. Dr. Eric Cole: And I just want to report we’ve had no breaches and no attempted attacks over the last 24 months.” Dr. Eric Cole: And the person almost started doing like this hero thing. Dr. Eric Cole: And you saw the audience, they want to applaud. Dr. Eric Cole: Woo! Dr. Eric Cole: Like everyone gets super excited. Dr. Eric Cole: And I’m just sitting in the back of the room like, “What’s going on?” Dr. Eric Cole: And then it gets worse. Dr. Eric Cole: The next panelist gets up there and they sort of and they sort of go like this. Dr. Eric Cole: and they look up at the audience and they’re like, “We’ve detected three attacks over the last 12 months and and you almost heard like people want to boo, this person ashamed and they’re looking down and I’m in the back of the room and I have to be honest with you. Dr. Eric Cole: This was the most galactically stupidest thing I’ve ever seen. Dr. Eric Cole: The person who was arrogant and ignorant enough to claim they’ve had no attacks and no breaches for the last two years, I’d fire them on the spot. Dr. Eric Cole: And the person that actually detected attacks in a timely manner, I would hire and give them a raise. Dr. Eric Cole: But we still and I was shocked have this perception that attacks and breaches are bad. Dr. Eric Cole: No, they’re good. Dr. Eric Cole: They’re going to happen. Dr. Eric Cole: Now, if you have a breach and you don’t detect it for two years, bad. Dr. Eric Cole: But if you have a breach and you detect it in two hours and minimize and control the damage, that’s awesome. Dr. Eric Cole: If you say you haven’t had a breach and you did and you’ve ordered for two years bad, right? Dr. Eric Cole: So, we need to open and recognize that attacks are going to happen and we need to focus more on the response and work with our vendors as partners as opposed to believing they don’t happen and blaming vendors when it does happen. Dr. Eric Cole: So, now if we go to my final slide, as I mentioned, it’s really about zero trust, understanding, authenticating, verifying, and validating all connections. Dr. Eric Cole: lease privilege, lease privilege, lease privilege, and verify, validate, and inspect and make sure that you understand what the risks and exposures are. Dr. Eric Cole: And now that we’ve gone in, and I love doing these uh joint vendor podcasts because I just laid out the problem and the challenge, and now I’m going to hand it off where we can go in and look at the solution. Dr. Eric Cole: So, so please everyone rise and put your hands together. Dr. Eric Cole: as I welcome. Dr. Eric Cole: Now, you might recognize Scott Lang. Dr. Eric Cole: He actually starred in the original Batman movie, and today he’s often called the Obi-Wan Kenobi of cyber security. Dr. Eric Cole: So, please put your hands together for Scott Lang. Dr. Eric Cole: Now, Scott, you got to say that was your best intro you’ve ever gotten, right? Scott Lang: Best intro, most inaccurate. Scott Lang: And I wish my kids were here to hear that because they’d be over the moon. Scott Lang: Especially the Batman piece. Scott Lang: I I I don’t know what to say about it. Scott Lang: Ant-Man. Scott Lang: Yes, Batman. Scott Lang: I don’t know. Scott Lang: Thank you so much, Eric. Scott Lang: I really appreciate it. Scott Lang: Um, folks, you know, as we kind of consume all of the advice and the commentary and the observations and the analysis that Eric talked about in the last, you know, 40 minutes or so, I want to come back to a couple of fundamental precepts. Scott Lang: And that is number one, um, I mean, you can never get a complete picture of what your third party’s uh, security operations and control controls and procedures and stuff um are unless you perform some level of assessment against them, some some level of security assessment. Scott Lang: And second, that typically happens uh periodically. Scott Lang: Maybe it’s once a year, maybe it’s upon contract renewal with with a particular vendor. Scott Lang: Um maybe you have it set up to to happen more frequently depending on the criticality of that vendor and how uh they interact with your systems and data and whether or not they’re they’re touching private data, whatever. Scott Lang: But with those two fundamental principles in place that you know understanding or or getting a picture of what a vendor security procedures are and uh filling the gaps in between the annual assessments um I think we can agree that conducting that activity can be a colossal pain. Scott Lang: Um they’re probably spreadsheet driven you know maybe you have a solution in place maybe you’re using a GRC tool maybe using a security scanning tool something like that but um you know chances are you know it’s probably spreadsheet driven and you’re emailing it back and forth with vendors and third parties if if if uh the program’s a little bit less mature or less sophisticated than than some of the larger ones. Scott Lang: There’s a lot of risk in that. Scott Lang: Um well, you know, manual effort, manual work, you know, you get the get the idea. Scott Lang: But the outcome of it really is outdated data and you know, doing some sort of a manual process where you’re collecting intel via spreadsheet uh or or getting some, you know, uh delayed scanning information on on vendor security risks or or cyber breaches or incidents or whatever um just introduces you know more risk. Scott Lang: You know another challenge that that we see as you begin to develop a program to assess those third parties on a more programmatic basis is that there’s a lot of different people involved in the equation in any enterprise. Scott Lang: You know Eric mentioned this during uh during his conversation you know it or infosc is probably going to own the assessment process for third parties because you know systems and data are involved but your procurement team’s going to want to know some things as well. Scott Lang: You know, are these are these folks, you know, they have good reputation and a good financial history? Scott Lang: You know, what is their ESG stance? Scott Lang: Uh, for example, that’s a hot topic of today. Scott Lang: You know, risk managers, the vendor management team, legal and compliance are going to want to know uh specific controls around how they protect access to data uh to address GDPR requirements or the privacy regulations, CCPA here in the States, uh, and more. Scott Lang: So, it’s a super complex process. Scott Lang: Um, What ends up happening is you get a lot of outdated data that you know really can’t take good action on and you get all these different cooks in the kitchen uh and you know we find that there’s far too many people to try and satisfy in the process. Scott Lang: So you know moving on to the next slide you know what what our customers tell us you know before they become our customers you know when we’re engaging with them in in in sales cycles is that three things really end up happening with their current approach to thirdparty risk. Scott Lang: First is they’re always behind. Scott Lang: They can’t make good dis good good decisions and they can’t be ready for what’s happening next or to be able to scale for the future. Scott Lang: So, you know, as we kind of move on to the next slide, what we offer is a very prescriptive approach to address um thirdparty and vendor cyber risk across every stage of that vendor’s life cycle or that relationship uh with you. Scott Lang: I’m kind of very briefly walk through each of these seven steps very briefly uh each one of these seven steps and I think it’s interesting thing that Eric talked about how important it is to engage with legal and contract folks, you know, while you are, you know, assessing third parties or understanding the cyber risk posture of your of your critical partners because that can inform, you know, SLA and performance discussions. Scott Lang: Um, that can inform, you know, metrics that you can, you know, apply into the contract and, you know, can help inform whether or not you want to, you know, renew with these folks in the future if, you know, their their controls are are substandard. Scott Lang: So, you know, from a um um you know you know for each one of these seven steps of the of the cycle as we move on to the next slide. Scott Lang: Um sourcing and selection is typically the first step you know in the process where you’re trying to look for a vendor you know measure their security controls determine some inherent risk and more. Scott Lang: Um you know what problem can do is help you um by providing a repository of completed vendor risk assessments backed by real-time threat intelligence data. Scott Lang: data. Scott Lang: So, we’ve got a library of something like 10,000 completed vendor risk profiles that you can, you know, download on demand uh review and then incorporate uh into your own, you know, sourcing and selection decisions to see, you know, okay, these guys have good controls around this area. Scott Lang: They’re a little weak here. Scott Lang: You know, we may have have some further review to do once you’ve made a sourcing and selection decision based on, you know, what you find in that library or repository. Scott Lang: You know, we automate the intake and onboarding process. Scott Lang: Uh so, you know, whether build it through an API connection or upload a spreadsheet or uh distribute a intake survey around the the organization. Scott Lang: You know, we could help you consolidate all of your vendor information into a single repository so that everybody is looking at the same data. Scott Lang: That’s the critical takeaway here. Scott Lang: Everybody’s looking at the same system and the same data and making decisions based on that same data instead of looking at a bunch of different siloed uh tools across the enterprise. Scott Lang: And third, after you’ve kind of found your vendors and onboarded them. Scott Lang: You know, you score your inherent risks. Scott Lang: You know, we provide an automated inherent risk and residual risk scoring mechanism uh which will then help to dictate what path you go down in terms of assessing the vendors in the future, what types of questions you want to ask, um what you want to do with the answers and more. Scott Lang: And then fourth, assessing and remediating. Scott Lang: And we’ve got a library of 75 plus pre-built questionnaires, a custom questionnaire option. Scott Lang: Um and then all of this stuff flows into the single risk register uh with built and remediation guidance so that you can say okay you know these folks have this particular risk we recommend X Y and Z action like I mentioned a minute ago it’s all moot if you don’t have any real time uh intelligence so those periodic assessments are essential but a lot happens in between those assessments so we thread in um you know continuous cyber reputational financial risk indicators and information from you know 567,000 sources or something you’ve seen like that uh and that all feeds into the risk register and helps you raise risks uh and um you know adjust risk scores dynamically and and and make good good risk decisions from there. Scott Lang: Uh next is measuring SLAs and performance. Scott Lang: You know we’ve got uh you know mechanisms in the prevalent solution that helps you uh define what your um SLAs’s what your KPIs and KIS are going to be with your vendor and then measure progress toward those. Scott Lang: Now you know what’s great about this is it’s completely transparent to the vendor as well and they can see, you know, where they’re living up to their expectations, their contractual expectations, where they might be falling short. Scott Lang: Um, and again, legal, procurement, security, risk, you know, all these teams have access to this information that kind of unifies all this together. Scott Lang: And then the last piece of the puzzle here is um is offboarding and termination. Scott Lang: You know, that I I think is the one step in the vendor life cycle where there just isn’t enough discipline applied. Scott Lang: Um, you know, when you start to kind of wind down a business relationship, there’s awful lot of things that happen to hap have to happen from a contractual perspective. Scott Lang: You know, is data destroyed? Scott Lang: Are connections uh eliminated? Scott Lang: Are accounts deleted? Scott Lang: You know, all this information um all these tasks have to be completed. Scott Lang: We help to automate that uh in your relationship with your third party uh so that you know you can come back and then prove to the auditors or you know demonstrate after some sort of an incident that uh no you know you followed all the all all the proper processes. Scott Lang: Uh next slide please. Scott Lang: You know ultimately the outcome to this is you know, I would argue three-fold. Scott Lang: Uh, number one is um, you know, w with the different intelligence that we provide and the comprehensiveness of the platform, you know, we just help your organization be a little bit smarter in how they approach the assessment and the monitoring of their third parties. Scott Lang: Um, you know, that discipline and programmatic approach is fully automated throughout the life cycle. Scott Lang: So, you know, you can see where your vendors are at at whatever stage, you know, of their relationship with you, what tasks need to be performed, who owns what and then what the risk is and and and what reporting looks like as well. Scott Lang: Next, it’s unified. Scott Lang: You know, we bring together a lot of capabilities uh as well with the whole objective of knocking down silos and making this, you know, a solution that’s sticky for not just you and security, but also procurement and legal and and other teams and more importantly prescriptive. Scott Lang: You know, the the worst thing that we or a vendor like us can do is just throw a solution in your direction and have you kind of make it custom and figure it out yourself. Scott Lang: So, you know, we’ve been doing this for 17 years. Scott Lang: We’ve got a lot of prescriptive guidance built into the solution and and help and you know, remediation recommendations uh based on, you know, you know, what we’ve seen before that can help guide you, you know, through this process. Scott Lang: So, next slide, please. Scott Lang: Honestly, that’s all I wanted to share with you today uh from my perspective. Scott Lang: Just a quick commercial on prevalent to let you know that, you know, everything that Eric talked about today um is, you know, implementable, actionable, uh and available in the prevalent platform and you know we can really help you add some discipline, some rigor and some automation to your third party assessment process to really make some of those cyber security defenses real. Amy Tweet: Thank you Scott and thank you Eric. Amy Tweet: We have some time for questions and we have some that came in throughout our presentation. Amy Tweet: So for the next few minutes here if anything comes to mind if you have any questions for Dr. Eric Cole or for Scott Lang regarding Prevalent um please take a moment to use the Q&A function and I will make sure they get relayed. Amy Tweet: So I’m going to ask first question. Amy Tweet: I think this is for Eric. Amy Tweet: This came up as you were speaking. Amy Tweet: Um, how do MSP and MSSP offering fit into your vision of not giving anyone complete access to a network? Dr. Eric Cole: Uh, so once again, it always comes down to the data flows and the design. Dr. Eric Cole: So when you’re looking at a manage system security provider, yes, they do need access to logs, they do need access to information, but do they actually need access to the actual databases and data stores and data information and to me that’s that fine line that’s missing is I can go in and give somebody all the visibility into the records the accessing it and many times you can even filter out so there’s nothing sensitive in it but that’s a lot different than giving them full access to the database the data stores and all the information so I think we got to recognize that when you’re looking at a server or a system it’s not all or nothing there’s a lot of different levels of granularity You need to say, “Okay, they only need this.” Dr. Eric Cole: And then limit, segment, and reduce it. Dr. Eric Cole: And the good news is all of this functionality is built in and available in most of these solutions. Dr. Eric Cole: It’s just nobody turns it on because it requires a little more work. Amy Tweet: Thank you. Amy Tweet: And I know a few people have to probably hop off as we get towards the end of the hour. Amy Tweet: So, I’m going to quickly put up one of our last poll questions. Amy Tweet: And I thank you all again for hanging out and um with us. Amy Tweet: So, our last poll question, are you looking to either augment or establish a third party risk program? Amy Tweet: in 2021. Amy Tweet: Take a moment. Amy Tweet: Yes, no, I’m not sure. Amy Tweet: Um, we are here to help as Scott mentioned. Amy Tweet: So, I will leave this up as I ask one of our last questions I believe is for Eric as well. Amy Tweet: Okay. Amy Tweet: And they mentioned they like this the network segmenting at target, excuse me, the firewall must have some um traffic open. Amy Tweet: So, does the segmenting really keep other corporate zones from a spreading breach since port 443 and some others are likely open to designated intern IPs? Dr. Eric Cole: Uh so so there’s two levels. Dr. Eric Cole: When you’re looking at a traditional firewall, yes, you’re talking basically ports and IP addresses where it’s all or nothing. Dr. Eric Cole: But when you’re looking at a lot of the technology out there today, you can go a level deeper. Dr. Eric Cole: You can actually go in and look at what’s actually flowing over that. Dr. Eric Cole: Is it really the transactional data for SSL? Dr. Eric Cole: I think we said 443, or is it an attacker tunneling over that protocol? Dr. Eric Cole: So today we want to go a lot deeper. Dr. Eric Cole: and not just say, “Well, we’re trusting the port. Dr. Eric Cole: Look at the data. Dr. Eric Cole: Look at the flows and make sure that’s okay.” Dr. Eric Cole: The other thing I would say is I would push back on that because I’ll often get from business units and entities, I need I need I need I need and in reality, you want you want you want you want, right? Dr. Eric Cole: Do you really need that access or is it just something you want to make life easier? Dr. Eric Cole: Right? Dr. Eric Cole: It’s a discussion I have with my kids all the time between need and want, right? Dr. Eric Cole: They’re quite different. Dr. Eric Cole: So, I would also push back when vendors or other entities are saying I need to have all this access. Dr. Eric Cole: Is it really required or is it just a nice to have? Amy Tweet: Thank you. Amy Tweet: So, all the questions I’ve had so far from the audience. Amy Tweet: Um, and I’m leaving that poll question up. Amy Tweet: So, if you take a ch um a second to answer and let us know, you know, what you’re looking to do, we’re here to help. Amy Tweet: Um, as Scott mentioned, you know, we want to help you get on the train at the train station. Amy Tweet: Actually, as Eric mentioned, instead of in front of the train when it’s coming at you. Amy Tweet: So, we’re here to help you do that. Amy Tweet: So, if you do have any questions, you’ll see on the screen there’s info at prevalent.net. Amy Tweet: You can reach out to us there. Amy Tweet: Um, or follow us on LinkedIn and Twitter. Amy Tweet: Also, myself, Amy Tweet, and Amanda Fina, my colleague. Amy Tweet: We’re happy to um connect you with a product expert if you’re looking to dig a little bit deeper into how we can help you. Amy Tweet: Um, is there anything uh else from Scott or Eric here while we have you on? Scott Lang: No, nothing for me. Scott Lang: Thanks, Amy. Amy Tweet: Okay, great. Amy Tweet: I really appreciate both of your time. Amy Tweet: I learned a lot here and I’m sure everyone else did. Amy Tweet: Thank you everyone who joined us. Amy Tweet: I think one last Oh, yep. Amy Tweet: So, the slides will will be shared and recorded and this whole session was recorded will be sent to you first thing tomorrow morning if you did register. Amy Tweet: So, this will be at your disposal. Amy Tweet: But thanks again for everybody joining us today. Amy Tweet: We did learn a lot. Amy Tweet: Thank you, Eric. Amy Tweet: Thank you, Scott. Amy Tweet: I hope you guys have a great rest of your day. Amy Tweet: Thanks, everyone.