
Beyond Prevention: Detecting and Responding to Cyberthreats

Michael K Hamilton

The CISO

[VIDEO] Watch "Beyond Prevention: Detecting & Responding to Cyberthreats" webinar or jump to your preferred topic below. 

In this webinar, CI Security’s founders, Mike Hamilton, CISO, and Fred Langston, EVP of Healthcare Security and Professional Services, cover the best practices to detect and respond to malicious activities in your network now that preventive controls are no longer sufficient. Mike and Fred also cover the priorities you’ll want to keep in mind for quick response, including how to use incident action plans and table-top exercises to reduce negative impacts to your organization.

You’ll gain deeper insights and actionable takeaways in the following areas:

  • A taxonomy of current threat trends
  • Predictions on where those threats are taking us
  • Managing the risks using a detection and response strategy that best fits each organization’s needs, size, and budget

Jump to:

2019 Trends, Predictions, and Call to Action

What Should We Do?

Detection and Response in Action

 

The following is the full transcript of the webinar.

Mike Hamilton:  00:00

Hi, my name is Mike Hamilton.

Fred Langston: 00:01

And I'm Fred Langston.

Mike Hamilton: 00:03

We're here today to give you some predictions and talk about the value of detection response in managing the impact of what is now a foreseeable event. You can call it a cyber security breach. You can call it an incident. Doesn't matter what you call it, it's coming to your doorstep. You can have the help desk clean up a workstation or the FBI can call and tell you your customer records are for sale online. Which of those impacts you end up with is up to you. Without any further delay let's jump in. First a little bit about us. Mike Hamilton and I have been in the information security business for about 30 years. The last 10 years or so have been in government. You can see that I've worked at the local, state, and federal level. Federal is not reflected there, was a vice chair of a Homeland Security government coordinating council. I go way back in time to an education in earth science. Fred.

Fred Langston: 00:58

I'm about same amount of time, almost 25 plus years. A long history in consulting for information security and back in the early or mid 90s I was on a working group at IBM that helped write part of the HIPAA security rule.

Mike Hamilton: 01:15

First let's talk some predictions. Before we do let me talk about where we are. Because I spent a lot of time in government this really resonates with me. I like to use government as an example because it encompasses a lot of what homeland security calls the critical sectors. There's 16 of these now, dams, water, finance, energy, health, et cetera, et cetera, et cetera. It turns out that your local government does a whole bunch of these. They do an amazing number of things that actually keep us alive. Water purification, waste treatment, traffic management, communications for law enforcement, public safety, et cetera, et cetera. I'm going to try and drive this as much as I can to a local level where everybody can kind of understand what the impact to them personally may be.

Meanwhile, here we are. Your local government does a whole lot of things for you and we are adding internet of things technologies for building energy maintenance, automated traffic managements, automated metering for water and power, et cetera, et cetera. What could possibly go wrong? Well let's look at a few headlines here. Here's what happens when there is a ransomware attack against a public sector institution. Everybody knows that ransomware is the worst thing that can ever possibly happen, right? No, ransomware is not the worst thing that can possibly happen. In fact, ransomware is another example of the cyber security industry's dumb words. This is disruption for the purpose of extortion. That's what ransomware is. If we think about this kind of disruption for the purpose of extortion applied to things like, I don't know, your clean water and your flushing toilet, all of the sudden we land in a very bad place.

What I like to do is package the messaging in a way that's easy to understand by non-technical folks. When we talk about impacts, what we like to do is talk about the three things that go wrong. The three outcomes that you want to avoid. Records disclosure, this is the one that ends up in the news all the time. We know that this costs somewhere between $150 and $400 per record to clean up in complying with the state data breach reporting acts and now 50 states have these. Theft and its pal extortion, that was where the ransomware would fit in. We know that this is $75,000 to $1.2 million in our region in the Pacific Northwest. It's multiple millions elsewhere. This has gone way out of control. Again, this is disruption for the purpose of extortion. Disruption for the purpose of disruption is also starting to occur. If you've done your business continuity planning, you know on a minute by minute basis. If your ability to operate is disrupted, you know exactly what that's going to cost. One good thing to keep in mind is packaging things in simple terms, here is what we want to avoid, and assigning dollar values to each. That way we talk about dollar amounts of liability rather than scary Russian cyber buffer overflow.

One more thing. We're going to lean into open source intelligence here, also known as the news. We use a lot of headlines to kind of buttress what we say. We've been doing the IT Security News Blast for 10 years now. We'll tell you at the end how to subscribe here. If you want to get about 20 curated articles, headline, money quote and original link with no creepy ad tracking we'll tell you how to sign up for this. A lot of people make this their morning coffee reading.

Fred, you want to tell us about a few of the trends that are underway?

Fred Langston: 05:23

You bet. I'm going to talk about a whole bunch of the different threats that we see all the time. We not only read about them, but we have clients calling us weekly and sometimes more often, for every one of these types of threats that we're going to talk about here. We'll start with ransomware because everybody's pretty familiar with that. It was supposed to be a year when ransomware was going to start tapering off and other attacks were going to become more prominent, but from what we're looking at and seeing in the headlines it's not tapering off. Ransomware is still at a full clip, is still causing huge disruptions. We're seeing it moving across other types of environments. It's not just your IT and data center and your computers in your office. It may move to other things, like medical devices or cars even may be part of a ransomware attack. We also see the business email compromise attacks as a continuous stream of threats that don't seem to be abating. We see people using standard email, so it's not really hacking, it's more like fraud when you're doing business email compromises.

But they're using very advanced kind of phishing style attacks where they pose as a particular member of your staff, commonly a CEO or somebody in a position of power. They then send out emails under the guise of being that particular employee, asking you to buy 100 Apple gift cards and ship them to some specific address. One thing to note, this sounds very simplistic, but just yesterday there was a report of a major US charity organization that sent out $1.4 million in a business email compromise. This can be a major catastrophic impact. It's not small losses that you may expect when you think about something like this.

Let's talk about how phishing sites now are starting to become more prominent than attacks via malware. One of the things to note, you may ask why is this happening. Well basically it's a lot easier to set up a phishing attack than be an uber hacker, put together a very complex set of exploits, and run the back-end infrastructure to run that attack. Hey, I'm just going to send you an email that's going to trick you into going to my site, downloading and installing the malware. I don't have to be a hacker almost at all to make that happen. What are they doing when they get these phishing sites and they're stealing accounts and passwords to go with it? They're using it for another type of attack called credential stuffing. You may have heard how you can go to things like Pastebin and sites that people will post giant databases of accounts, user names, and passwords together. They're taking these huge databases posted online and they're just blasting this information at every account they can see online and hoping that some of them are successful in compromising a particular account. We had a client this week that was suffering from this exact type of attack. We really don't have much that we can tell you to help on this other than make sure your employees are not reusing passwords in the business environment that they're also using at other accounts out on the internet.

Mike Hamilton: 09:00

Let me just tell a quick story about this and connect this with the IoT business. It says bot driven credential stuffing attacks. We've actually seen this. We have a customer here that I don't think we want to name. But they called us up and said, "Hey, we are having our accounts pounded and people are getting locked out and can you take a look at this for us." When we looked what we found was it was indeed a credential stuffing attack. They were trying to reuse disclosed credentials that had been found elsewhere, bought on the dark web. This stuff is readily available. We found that this was all coming from compromised MikroTik home routers in Brazil. This bot driven credential stuffing attacks, this is getting to be a bigger and bigger deal. Because this is so automated and comes so quickly the symptom that you're likely to see is everybody in the organization getting locked out.

Fred Langston: 10:05

Cryptocurrency mining, another one you've probably heard about. The Department of Homeland Security this year predicted that cryptocurrency would be the biggest threat to systems here in the US. It's probably turning out to be an accurate prediction. Basically, what they need, what they want when a cryptocurrency attack happens is they want that processor. Unlike most of the things that we expect where they're trying to extort you or steal your data, this is different. They're going to use your resources against you, or for their own benefit I should say, and take those resources away from you to mine crypto coins. One of the areas that people commonly don't think about when they think about this, they forget that it's not uncommon to try to take over AWS or Azure accounts. You get a bill at the end of the month for $12,000 because you had somebody attack an account there and is running a cryptocurrency miner within those environments. These are also very common to see on IoT type devices because they're poorly secured and they also are a perfect platform to do crypto mining because they have a processor and they have a network connection, the two things you need to do that kind of attack.

They've weaponized IoT to a point now where we have entire botnets built around it. The Mirai botnet in particular, very famous botnet that basically was successful by using stored or shared user names and passwords and default user names and passwords. There is a massive database of products out there. Literally was reported to be billions of products that have these embedded, shared or the same user names and passwords. They're well known. It's trivial to take over these IoT systems, things like cameras and doorbells and those sorts of things. Once they're taken over, they’re used for a couple types of attacks. We mentioned crypto mining but there's also denial-of-service attacks. Denial-of-service attacks are designed basically to take a particular set of hundreds or thousands or even millions of these bots, use them to send network traffic at particular targets they want to attack. And then they take them offline.

A famous example of this was a gentleman, Brian Krebs who has the Krebs on Security website. He was actually describing how an attack was happening. Well the bad guys decided they were going to shut him up and they were successful launching a three-day attack out of Mirai against Brian Krebs's website. Interestingly enough when people go to launch these attacks you go on the dark web and you go to sites that look almost like Amazon. It's almost like you're purchasing something off Amazon. You pick the number of bots you want to point at it. You pick the number of targets you want, how long you want it to happen and it gives you a price. Basically, it's like ordering something at any eCommerce site.

Mike Hamilton: 13:21

There's a lot more in terms of extant threats today. Here's just a few examples, commercial malware companies and the Pegasus Spyware that's being sold to governments around the world for surveillance and frankly making sure that human rights organizations don't see what they want to see. Hardware vulnerabilities, Spectre and Meltdown are the ones that we know about, there are many others. These cannot be fixed. When you are compromised by one of these it's nearly undetectable. We all know that there is a big third-party problem right now.

Let me talk a little bit about this nation state collateral damage. I think a lot of people on the webinar today know the story of the WannaCry attack, which was a global ransomware attack, which turned out to be the country of North Korea actually stealing money from people. The sanctions have hurt them pretty badly. Right behind that there was one that we called NotPetya. It also looked like a global ransomware attack. When we finally peeled back the covers and did the attribution what that was the country of Russia poking the economy of Ukraine. They did that by backdooring a tax preparation software company and inserting code into their product. When they decided to pull the trigger, it turned out that there were enough companies using that software and in the supply chain of larger companies that the collateral damage started to accumulate. Maersk the shipper, Merck the drug manufacturer both went down for three weeks. Maersk is claiming a $300 million loss, Merck something similar. They were not the targets of the attack. They were collateral damage. Today nation state collateral damage, when you are not even the target, has landed on your doorstep.

Here's a few predictions based on a lot of things that we see happening. Some of these are pretty easy to make. Distributed denial-of-service is going to become an extortion tool. One thing I'll follow up with what you said about Brian Krebs, Fred, when you get a distributed denial-of-service attack, and you are being hosted in a data center, that data center doesn't want your business anymore. They will eject you. That actually happens to Brian Krebs. Operational technologies now firmly in scope for disruption. Recently Norsk Hydro, an aluminum manufacturing organization in Norway, their operational technology, not exchange server, web server, routers, switches, firewalls, but I have a computer screen and I move my mouse and a big pot pours molten aluminum into a cast for example. That's operational technology. It includes robotic manufacturing. It includes port operations.

Speaking of port operations, I think ransomware is going to affect the transportation sector in a big way as well as some of these others it already has. Maritime ports turn out to be a gigantic economic vulnerability for us. Watch for that. Our economy is going to get poked just like Ukraine did. There are some good things happening too. We're seeing executives treat this whole cyber security business as risk to the business more than just a big scary thing that they want to hire somebody to make go away. Automation is going to start to help. I don't think it's there yet. I think security will eventually become a competitive differentiator, as I wrote in a paper about 15 years ago, it took me 15 years to be right about it, but I think I'm getting right about it.

Fred Langston: 17:11

I also want to point out a really interesting development in the legal space. One of the companies that was hit with NotPetya is Mondelez. They're the giant food services company. They have tons of products that you buy at your grocery store. They went to their cyber insurer to make a claim about NotPetya and their cyber insurance company said, "You know what? You're not covered for this because we have an out for something that's considered an act of war." One of the most important cyber security lawsuits and cases is now in court to determine whether that exemption for an act of war is actually a valid statement on the part of the cyber insurer. This will really be a case that determines how cyber insurance covers these types of events going forwards. It's hugely important and impactful.

Mike Hamilton: 18:03

We're going to have to watch that. Good point, Fred. All right, what do we do now? Clearly there's a whole bunch of bad things lined up against us. There always has been. I think in today's world, especially when we're talking about nation to nation acts that end up crushing business, we've got to think about what we're going to do here. Here's what the evolution has looked like. Way back in the 20th century we used to talk about building that shell around the network and preventing compromises from happening. Keep the bad guys out of the network. Like I alluded to, today we talk about managing the risk of this foreseeable event. Clearly with all of these things happening this is a foreseeable event. This is going to happen.

As we think about managing this risk, it's important to point out the terms in the expression of risk that are relevant here. There's really only two. I've seen integral calculus used in risk assessment equations but it's really unnecessary. There are two terms. There's the likelihood that a bad thing is going to happen. What's that bad thing? It's what we pointed out in the beginning. It's unauthorized disclosure of protected records, theft and extortion, or service disruption. That's it. Think about those are the bad outcomes that we are trying to prevent. Then there's the impact term. What happens when that bad thing does become true? What we did was we assigned some dollar values to this. Those are important to keep in mind as we go forward.

There are two terms, the likelihood of a bad outcome and the impact of that outcome. When we think about this, how do we buy down this risk? There's really two ways to do it. When we talk about the likelihood of that bad thing happening, we put preventive controls in place. Preventive controls are designed to make bad things not happen. We have intrusion prevention systems and application firewalls, not as many as we used to have, that's kind of an old thing. URL filtering, email security, dropping all the links and the bad attachments on the floor. There are other things that go in here. There's really a lot of things that we put in place to prevent those outcomes. If we want to buy down the impact term, that's about detection and response. Detective controls are where we invest. There are some examples of some detective controls there. It's not just about the detective controls, it's about the human beings that evaluate the messaging coming off the detective controls.

In particular you know that an intrusion detection system works like antivirus. It's a signature-based technology. It's got a big database of things that it doesn't want to see. It's watching the network wire. When it sees the pattern of the Zeus Financial Trojan go by it raises an alert. As a result, an IDS system is always going, "Look at me, look at me, something's going on, look at me." Providing those human investigators to ensure that we are correctly investigating the things that we should turns out to be the hardest part of this. As we know those human investigators are in short supply. They cost a lot of money and they're very difficult to retain because they know they can change jobs every six months and double their salary.

Fred Langston: 21:36

I'm going to talk a little bit about what everybody I think is looking at as a savior in this industry. I'm kind of here to tell you that while it's a great development it's certainly not going to solve all our cyber security problems. That's AI and machine learning. The things to really understand about this, while they're great advances, they have positives and they have negatives associated with them. One thing I always like to say is while we're spending a ton of money developing AI and machine learning solutions so are the bad guys. The bad guys are extremely well funded. We're talking China. We're talking Russia. We're not talking about a small group of hackers. We're talking about people who can throw millions or billions of dollars behind this.

They're developing AI that can be used in attack scenarios. They're using AI or attempts to retrain our AI in a different way to not recognize their attacks. We know AI and Machine learning is only as good as the data you train it with. You need really good data to feed to it to come up with the ability to do positive analysis. The problem with that is the bad guys are also feeding these same systems sitting on our perimeters of our networks with bad data. They know that they have somebody that they really want to go after they're going to slowly be trickling particular traffic at it that ultimately will train that system not to look at the things that they're going to be throwing at it at a later point.

They can use that machine learning as well as us and they can use it against us. They can recognize your picture. Machine learning can recognize your speech, your picture. Machine learning now, something known as deep fakes can actually produce your own voice and speech or a picture of you doing things that you have never done. We're really stepping into an entirely new area with the capabilities of AI. Can find insights a human can't but it also doesn't have the ability to explain how it came to those conclusions to a human. While it may be telling you something it can't tell you how it came to that conclusion.

Mike Hamilton: 23:51

Just as an aside, as I go through all the news for the news blast I have read several articles, and a few have ended up in the blast, about how AI is being trained by rooms full of low paid people in other countries who are using just empirical detections to feed back into a machine and they're calling it AI. Buyer beware I think is my point.

Fred Langston: 24:14

There's one other kind of problem to it. That is while we are trying to solve people problems with machine learning and AI it's actually creating new people problems. It's harder to go out and get an AI engineer and hire one and retain one than it is to get somebody who's a good SOC analyst to work in your security operation center. What we see most is that detection and the response to things that we detect is a major gap that all organizations, to some degree, suffer from. We know that the average days until an asset compromise is detected is 205 days and, in some industries and verticals, it's even longer than that. It's kind of frightening to see that over two thirds of victims, their first understanding that they have been hacked is when the FBI gives them a phone call and says, "Hey, we know you guys are hacked and you have a problem." Of course, you can probably surmise that 90% or almost 90% of those people aren't compliant with regulations when these attacks actually happen.

Mike Hamilton: 25:18

Shocking.

Fred Langston: 25:19

Shocking. All right, next slide please. There we go. The key metrics here, the things that we want to keep basically as metrics to us to manage our detection and response is something ultimately that is called dwell time, which is the sum of two things. One is the time from when a compromise is detected and then the second component is when it's detected to when it's been fully remediated, and the organization has recovered from that. Put these two together, you have something known as dwell time. This is the number one thing that can minimize the impact quotient of the risk equation Mike was talking about. We've spent so much time over the last 30 years focusing on that, "Let's prevent these things from happening," and forgetting about how critically important that impact component of the equation is. The one way that you're going to affect that, the number one way to affect that is to minimize dwell time, get the bad guys out quickly, detect them fast and having good detection and response is basically the approach that you're going to use to do that.

How are we going to improve detection and response? Well we can try to push it off onto IT. It's not something that they're really good at. It's not something that they're built to do but it kind of is one of those things where people shove it over and say, "Let's just hope those guys can do this," and add it on top of all their digital transformation projects. Now they're 24/7/365 looking at logs and alerts. That's probably not maybe the best approach here. We might try to designate an authority, push it out to other people. Try to have them maybe work together to federate this approach. We might want to push it to the help desk or the service desk. They're the people that are the front line for this but they're also not people that are designed to be experts or even to recognize when something is reported whether it's really bad, it's maybe not bad at all, or how quickly they need to respond.

We can go out and use interns. You can maybe take the long path and plan to train people up and spend a couple years getting there. Or you can outsource it. There's a whole nascent space vertical that Gartner calls managed detection and response. Companies that do this do only this and do it 24/7/365.

Mike Hamilton: 27:53

Let me just add one thing to that. There is one option that isn't on this list. When I was the CISO for the city of Seattle we actually did federate incident response across about 30 agencies. There was always somebody I could tap on the shoulder out there. That took a lot of work to put that structure in place. The option that's not on here is you can build your own SOC operation and you can hire enough analysts to populate that SOC and provide the coverage that you need. That is phenomenally expensive so we didn't even add it to the list, but I thought I should bring that up.

What is managed detection and response? This is the way that you add technology to human beings to sift through the millions and millions and millions of alerts that come off the preventive and detective technologies that you already have in place. There are seriously millions per day. You will hear organizations, especially the ones that have recently been rapped on the knuckles ...  City of Atlanta for example. We experience two million attacks per day ... No, those were not attacks, that is the background noise of the internet. I'll talk a little bit more about that in a second. Using technology to home in on the small subset of all those alerts that are the ones that are the most likely to be real and then having human beings investigate whether or not those can be confirmed as actual incidents, that's the trick.

Managed detection and response does that by focusing these analysts in a single place and making them available to all of the organizations that want this managed service. This is now extremely popular as an alternative to taking on the job yourself. Fred talked about, "Make it IT's job." Most organizations do exactly that. They make it IT's job. When that happens, IT is drawn away from the digital transformation projects that are all going on. For example, that smart city I talked about. There are all kinds of activity around that. If we impede IT from moving forward with those digital transformation projects so that they can chase all of these ghosts you're doing both IT and security poorly. That's where managed detection and response comes in. It just takes all of that off your plate and provides you with actionable information.

Making some risk-based choices here, first of all consider background noise versus targeting. The background noise of the internet, what most people report as here are the millions of attacks we get per day, are not that. These are the low hanging fruit shotgun blasts that go out across the internet. They're looking for grossly unpatched internet facing servers and different ways of getting in through tricking users and things like that. In order to address these, you don't need artificial intelligence and machine learning. You need to do the simple stuff that we're all supposed to be doing. If you don't patch your systems and you don't train your users, you should not be buying artificial intelligence. You need to back up and start doing the stuff you are required to do.

You can invest in new prevention strategies, buy even more point products to throw on your network and believe that they're going to be this magic automation that makes the problem go away or you can invest in detection and response. Because business has started to treat cybersecurity as a business risk, it makes more sense to invest in detection and response to buy down that impact term that we talked about. Also Fred talked about regulatory compliance being not attainable for 90% of breached companies. If you're doing that simple stuff it's all in those regulations. That simple stuff will raise your risk bar to the point where organized crime is not such a problem, insiders are detectable, and you are going to have a greater likelihood of avoiding those bad outcomes we talked about, records disclosure, theft and extortion, and service disruption.

Go ahead, Fred.

Fred Langston: 32:38

I'm going to cover the problems we see with IoT. We all know that that's a burgeoning problem, especially around security. One thing that we find most interesting is you can't install things like agents or security software on 99% of IoT devices. The only controls you may have is a good monitoring and detection program on the network where you're watching the type of activities coming and going to these IoT devices. We know they're highly insecure. We need to do things to make sure that we're protecting ourselves since we're throwing these on our networks at an increasing rate every day. We need to have policy. We need to know what should be going on our network. I see things like Alexa getting thrown into medical care giving environments. That's an instantaneous HIPAA violation. These things are getting put in by regular users. You may not even know that these technologies are being deployed. You have to have a policy. You need to have approval. You need to know when these things are being deployed and you need to know every one of them that's on your network.

You need to segment your network. You need to isolate these systems so when they get infected, and chances are they will. As we mentioned many of these have almost no security and cannot be secured so you need them on a segment so they cannot impact your critical systems and your systems with sensitive data. You need governance to make sure that people understand that, hey, we don't want this particular technology on your environment, and we need ways to reduce the impacts for these. That is having good managed detection and response. We do have a couple tools there on the right you may want to try out. You can go take a quick risk analysis on how your IoT risk may be. There's a little white paper there on how to hack a camera, and it can show you how easily these particular attacks can be undertaken.

Mike Hamilton: 34:41

Real briefly I want to drill down a little bit and tie together a few of these things. We talked about the fact that analysts are hard to come by. We talked about the fact that managed detection and response focuses and centralizes those analysts in one place for the benefit of a number of organizations. Because we are in that business, we need to make sure that our analyst capacity stays in front of customer demand so that we can always have a sufficient number of eyes on customer data. Here's what we do. We use the public infrastructure security collaboration and exchange system (PISCES), which is something that we developed as a nonprofit. What we do is we monitor down-market cities and counties for free in collaboration with the PISCES nonprofit and with Western Washington University, soon three more universities, and we're talking to all kinds of other people about this. It makes sense because we need the infrastructure protection for those down-market cities and counties. They make your toilet flush and your water drinkable, but they don't have the size of a general fund to pay for technology, to hire people, or even pay for a service.

What we do is we use a reduced functionality version of our monitoring stack, deploy that to smaller cities and counties. Rather than collecting information and bringing it back to our SOC, Western Washington University has built curriculum around it. Students are training on live fire. Yeah, they get a university degree, possibly a certification, but more importantly they have the experience of sitting down as an operational analyst looking at this live fire against critical infrastructure in their own neighborhoods. When they come out of there, they are instantly hireable. There is actually a lot of competition for these resources. We're doing our best to hire them all here but turns out they're really good.

Here is an example of some of the research that came out of the very first quarter. This is by Karl Hubbard, who now works for us. What I want to tell you about this is that Karl submitted this poster to a competition in New Orleans. There was no funding for him to attend. He was talking about his experience with the PISCES project and what they had learned in one quarter of reviewing the data that they were collecting. The poster took second despite the fact that he was not standing in front of his poster to explain it to anyone.

To wrap. You don't have to run faster than the bear. The bear is out there, and the bear is aiming indiscriminately, but you don't have to run faster than the bear. You need to do the simple stuff. Remember that service disruption for the purpose of extortion is happening at an epidemic rate. When we talk about the inconvenience of locking up a workstation and having to go get a backup, that's one thing. When we talk about the control systems that operate the services that keep us alive, that is completely different. Focus on detection and response. We've all overbought preventive controls. Focus on detection and response. Hold your vendors to a security standard too. In the third-party security world, everybody's looking at everybody else and saying show me your security papers. Be prepared to have security papers. Lastly, I'll say policy and procurement are tools that you can use for security.

When you buy things with the requirement that they are secure out of the box, that there's a plan going forward, you'll be notified of vulnerabilities and patches will be provided, we start to get into this competitive differentiator space where vendors hold up their hand and they say, "Buy from me. I'm more secure than my competitor." That's a good place to be. You can force that through your procurement process.

Thank you very much. I'm Mike Hamilton.

Fred Langston: 38:38

And I'm Fred Langston.

Mike Hamilton: 38:40

This is how to get ahold of us. Thank you for watching.