Legacy Systems and the Future of Manufacturing Security with Bill Rucker


Season 2 Episode 10

Show Notes

In this episode of Cyber Focus, host Frank Cilluffo sits down with Bill Rucker, a seasoned veteran in IT and cybersecurity, currently leading Trustwave Government Solutions. They explore the insights from Trustwave's recent report on cybersecurity challenges facing the manufacturing sector. Rucker highlights the rapidly rising costs of breaches, now averaging $5.8 million, emphasizing vulnerabilities stemming from legacy operational technology (OT) and the complexities of integrating OT with modern IT systems. The conversation also covers the increased sophistication of cyber threats, the critical need for visibility in cybersecurity, and practical steps manufacturers can take to bolster their defenses.

Main Topics Covered:

  • Rising cybersecurity threats in manufacturing
  • Increasing costs and impacts of cybersecurity breaches in manufacturing
  • Challenges with legacy OT devices and integration with IT infrastructure
  • Recommendations for strengthening cybersecurity resilience in manufacturing
  • Importance of collaboration between private sector companies and government cybersecurity efforts

Key Quotes:

"The average cost of breach in 2023 for the manufacturing sector was about 4.6, 4.7 million dollars. That's closer to 5.8 now." – Bill Rucker

"The biggest issue too in manufacturing is the legacy devices and the fact that there's now such a push to take OT devices and put them into IoT." – Bill Rucker

"Dwell time—how long an adversary remains undetected—used to be 177 days on average. Now it’s sub-10 days in the last two years, thanks to the explosion of EDR technology." – Bill Rucker

“Human nature remains consistent for good or bad, and it's going to take people to have trust and actually work together to get things done." – Frank Cilluffo

"Bad news doesn't get better with time.  So let's talk about what the challenges are." – Bill Rucker

Guest Bio:
Bill Rucker is the President of Trustwave Government Solutions, with nearly 25 years of experience in cybersecurity and IT. His leadership has been instrumental in securing critical sectors, including government and manufacturing, through strategic cybersecurity initiatives.

Transcript

Frank Cilluffo 00:00:01 - 00:00:34

Welcome to Cyber Focus from the McCrary Institute, where we explore the people and ideas shaping and defending our digital world. I'm your host, Frank Cilluffo and have the privilege this week to sit down with Bill Rucker. Bill is a seasoned veteran of the IT and cybersecurity space over 25 years. He is currently president of Trustwave Government Solutions. And they just came out with a new report focused on the manufacturing sector and really look forward to diving in and getting a great snapshot and going deep on some of these issues. Bill, thanks so much for joining us. Thanks, Frank. It's a

Bill Rucker 00:00:34 - 00:00:38

pleasure to be here. You know, I want to start with your first sentence of

Frank Cilluffo 00:00:38 - 00:01:05

the report and that talks about how cybersecurity in the manufacturing sector is complex. And we all know 17 sectors. They all look a little different, but they all share some similarities. What I thought would make sense is to paint the scene, let our viewers know what makes the sector unique, different and any thoughts you'd like to tee up to begin with? Yeah, absolutely. And these threat reports are great. They come out

Bill Rucker 00:01:05 - 00:03:00

of our SpiderLabs organization. By way of a background, a little bit just on myself. So I've been with Trustwave since 2010. They acquired a company called Intellitactics. So I come up on 25 years this August with the organization. And then Trustwave Government Solutions became a wholly owned subsidiary of the organization in 2015. And that division purely focuses on the federal government. So also the DIB community and some of the SLED are people that have unique requirements like our federal government customers. Our organization looks just like the rest of the global organization. We have SpiderLabs organizations, we have managed services, we have delivery consultants. So we're just an arm within that that has all those unique requirements, has all the specific clearances, background investigations, etc. that we would need to be able to service that public sector environment. Because of that, we do work in the manufacturing space as well. So we have customers that, you know, may be involved with shipbuilding. They may be building parts that go into very strategic things that our Department of Defense uses. And so they have unique requirements. Digging into these threat reports, and we do more than this manufacturing. It's actually the second time we've done the manufacturing report. We did this in 2023 as well. So it's great to actually see the differences from what we did two years ago to now. And I'll talk about some of those differences, and the biggest one is really the impact of the breach in that environment. The average cost of breach in 2023 for the manufacturing sector was about 4.6, $4.7 million. That's closer to 5.8 now. So it increased over 20% in just two years and it's actually higher than the overall average of breach, which is I think 5.6 million now. So there's definitely a threat there from that regard.
And the biggest issue too in manufacturing is the legacy devices and the fact that there's now such a push to take OT devices and put them into IoT.

Frank Cilluffo 00:03:00 - 00:03:05

Yeah, yeah, yeah. OT SOC convergence, and you know, I've been

Bill Rucker 00:03:05 - 00:04:30

to a couple events recently that really focus on the OT/IT environment, and they're still really struggling with how do they take the telemetry of such a unique environment where it really was about production and uptime, not so much the resiliency in cybersecurity where the IT people have had in the past. So there's a lot of conflicts really on how that environment and how the traditional SOC environment will kind of work together. And because of that, it makes the manufacturing report pretty unique in that. And I think the other thing that we'll see is there's a lot of similarities around the actual cyber threat that's making the impact, you know, of the attacks that we saw in manufacturing, 54% of those were actually US based industries. And that was up a little bit from what we'd seen before. But surprisingly, I think the data point that I thought that was really interesting is that 87% of those attacks all came from phishing. So across the board, whether we're looking at our education report we did, the public sector report we did, I think there was retail, health care, as well as supply chain, phishing remains to be across the board, right, or number two. It's just, it's an easy access to. There's a reason people do phishing tests every month, because everyone from the low level admin to the CEO will click on something if it piques their interest and there's a news event. So it's just a very easy way for adversaries to still gain access to environments. And that is consistent

Frank Cilluffo 00:04:30 - 00:04:34

across all the sectors you've examined, right? That we've seen? Absolutely. If it's not in

Bill Rucker 00:04:34 - 00:04:45

the top three, then it's a sector that wouldn't necessarily be deemed relevant, honestly, from a market perspective. And what about dwell time not to jump right in? Have you

Frank Cilluffo 00:04:45 - 00:04:55

seen big, big shift in terms of by the time a breach is noticed and how to remediate? Yeah, a massive change. I mean if you go back not even

Bill Rucker 00:04:55 - 00:05:51

that long ago, five years, it was still at 177 days, I think, was the dwell time. Now it's sub 10 days in the last two years. And that's really because of this, the explosion of EDR technology. So the telemetry that you have now, as a cybersecurity professional, especially as a cybersecurity service provider, from an MSSP perspective, the EDR telemetry gives us the ability to see things on the endpoint in real time, where in the past it was really just leveraging almost the edge or sometimes, if you were lucky, a log server. If they were really innovative and really mature, they might have had a SIEM solution. But you weren't able to see something go directly to the endpoint, pivot and then kick off a threat hunt and see where else that had gone. So the dwell time now is much better for the good guys, but that's just made the adversaries get better. Right. And smarter and pivot or.

Frank Cilluffo 00:05:51 - 00:05:56

And more incidents and more incidents. And so the, the threat hunting aspect that has

Bill Rucker 00:05:56 - 00:06:19

evolved out of that has helped lower that dwell time a little bit more. Every threat hunt we've done with this new platform, regardless of the fact if there's an EDR solution or a SIEM, we found something that was unknown to the environment and unknown to those devices. It's just there's things that you just can't necessarily detect if the adversary has a really good or smart approach. Yeah. And we recently had Rob

Frank Cilluffo 00:06:19 - 00:07:21

Lee, who is CEO of Dragos, and he was talking about new malware specifically targeting the OT sector. And we had Tom Fanning on talking about some of the IT OT convergence issues. And you had mentioned, and I want to sort of peel the onion a little bit here and hopefully not cry if I peel too much. But I mean culturally there are big, big differences between the IT environment and the OT environment. And you capture that I think very well in the report. OT very focused on public safety, traditional emergency response and security. I think preventing Three Mile Islands, it's focused a little differently. How does that impact sort of that IT OT set of challenges and specifically in manufacturing, where you do have legacy devices, some of which are 30 years old. So what are your thoughts there? So great data points. And you mentioned

Bill Rucker 00:07:21 - 00:08:51

one of the technologies, Dragos, in this space. And so I just recently attended S4x25, and it's just a phenomenal OT event that they have annually, and you'll have everyone from Nozomi and Dragos and Claroty. So the major players in that OT space are there. And there's a lot of discussion still on how do you take those relatively newer technologies, I mean, all of them are two or three years old, right? Maybe four at the most, and integrate them into the contextual adaptation into the SOC. Right. And so the biggest challenge on the manufacturing, and that folks like those companies have, is that 73% of OT devices are still unmanaged. Right. So from an endpoint, which is staggering, if you think it's staggering, I mean, so the visibility you have of what's truly going on right outside of maybe just HVAs or potential high value assets in your environment is pretty scary in that regard. And you have scenarios where something that you might consider the least likely to be a problem, like a camera, for example, in your environment. We've had organizations in the SpiderLabs groups where they've gone into an environment to do a penetration test. And it's been a very secure environment. Impressive things are locked down. There's technology on the endpoint, the firewalls are up to date, the right ports are turned off, and yet they look at the rest of the environment of what's open and they find a network of cameras. And those cameras are very well organized all the way down to whose office is what. And then you can actually off and hike vision. So camera's a concern

Frank Cilluffo 00:08:51 - 00:08:54

all the way. To where you could type in titles and you could type in

Bill Rucker 00:08:54 - 00:09:20

CEO, CFO, COO, go right to their office. And if you're patient and you have screen recording, you can capture their password by just looking at the keyboard. Right. Depending on the angle of the camera. So we were able to compromise a very secure environment because of an OT flaw. Right. They just had this camera system which they just deemed, you know, a security control for, you know, physical security. And it became a major IT threat. Do you know anyone who's sort of, and I know you

Frank Cilluffo 00:09:20 - 00:09:39

have experience in SOCs and most people think of a SOC in an IT environment. You also have OT SOCs. Have you seen anyone combine those where you get true visibility? We have two very specific and unique pilots in our current customer base. One's

Bill Rucker 00:09:39 - 00:11:01

a little bit more advanced than the other, and they are a very, very large OT environment utility. Initially not in the utility, in the transportation space. They initially had merged kind of their cyber operations, next generation SOC and OT together. Those plans changed a little bit when they realized just some of the challenges that would exist to try to do that as one. So those kind of got split apart. You go fast forward a year into them really revolutionizing their SOC. Getting automation and integrating AI ML and having kind of 24 by 7 eyes on glass. All advancement for them now is, okay, what can we do from an OT perspective? And they're making phenomenal progress. None of it's as fast as us as a solution provider would want or they would want, but there's just inherent limitations still on how do you get the right telemetry from everything? Because some of your apples and apples, right. Some of the OT technologies work in certain environments, but not in others. And so you know, where one provider might provide context on X part of the environment, they can't see Y part of the environment. So getting a collaborative to where those telemetries and really that common event format comes into a SIEM or some type of automation where you can correlate and do something of value with that data, that's where it becomes very difficult. We've been doing that for cyber data sources for decades. Long time. Right? Yeah, but, but

Frank Cilluffo 00:11:01 - 00:11:35

at some point that needs to happen. Does it? I mean, if you're, if you're briefing an executive or the C suite, at the end of the day, a visual, a picture can say a thousand words and more and it can actually justify budgets too. So until you can sort of articulate and communicate and visualize some of these issues collectively, I think we're, we're not as far along as we would hope to be. Is that fair? Yeah. And you hit on one of the. Biggest, and I'm biased and I'm leading the witness, so you hit on one of the biggest. Please feel free to shoot back. The OT skills gap, I mean let, let alone the,

Bill Rucker 00:11:35 - 00:13:11

the cybersecurity skills gap. The OT skills gap is, is massive. Right. And a couple of the data points that we had in our report that we pulled out, there were just over 4,000 unique vulnerabilities of the 25,000 publicly exposed vulnerabilities that were specific to manufacturing. Right. According to a report out of CISA, 3,800 of those were deemed critical vulnerabilities. On their KEV list. Correct? Yeah. And that's 15% of the known, of the overall list, and the majority of the list of vulnerabilities. So to say that it's not a critical threat would be, would be an understatement. The one thing that's interesting is, you know, I consider myself, from 25 years in cyber, to know quite a bit about that. And so when I went to the first OT, I had been to a dedicated OT event in 2024, you know, I was like, ah, this will be, this will be straightforward. I'll understand this easily. I remember walking out of the first two sessions going, I don't know anything about OT. So it's definitely been a journey for us. And the fact that we now have multiple assessments that help people. Where are you on your OT journey? Where do you need to get to? What would we recommend based on what we've seen and kind of where is it going? Because all of the major providers are adding some level of OT context to their cyber plan, but the telemetry from the people that have been doing OT for a while is getting better and better, and it's getting more and more security usable context where in the past it was really, am I up, am I breathing, am I alive? And that's still going to be their priority. Historically. Right. It's

Frank Cilluffo 00:13:11 - 00:13:16

uptime. But when you can shut off a valve and poison a water treatment center,

Bill Rucker 00:13:16 - 00:13:20

you know, that's when the real life happens. Absolutely. And you know, this may be

Frank Cilluffo 00:13:20 - 00:14:17

a bad analogy, but I look at it similarly to FEMA and CISA within the Department of Homeland Security. One's a little more emergency response preparedness, resilience. Resilience should be the banner around everything. The other is going to be more cyber threat hunt, EDR, all the, all the bells and whistles that come around cyber. And you see some of the same challenges in companies, and sometimes it's through a chief security officer, sometimes it's through, through a chief information security officer, and rarely do the two fully come together. And I just have to think that's the future. Whoever figures out how to do that and articulate it and ensure that the cultures are aligned to meet the mission objectives of an organization, whether company, government, whatever it is. That's sort of where I think we need to be. I agree on that. And it is different for

Bill Rucker 00:14:17 - 00:14:53

manufacturing versus government too, because you think about the number one threat outside of how they get compromised. So the result of that phishing becomes ransomware. Right. And when you look at the threats of ransomware into those groups, one of the challenges is do they take the threat from a cost perspective and mitigate it? Because they've done all the right things. They have secure backups, they've put all those controls in place. Nine times out of ten, they haven't. So that's why you see a lot more of those ransom paid in certain market segments than others. And especially where you need to

Frank Cilluffo 00:14:53 - 00:15:00

be up 100%. And honestly, the general public, many people outside of it, cybersecurity maybe

Bill Rucker 00:15:00 - 00:15:28

10% of them knew what ransomware was until Colonial Pipeline. But all of a sudden you're in a line of 50 cars trying to get gas and they're saying there's no gas because there's a, you know, there's an IT issue or a cybersecurity issue. I mean, that was an example where it really brought the public kind of into the fold and they saw for the first time what the impact of an actual ransomware or cybersecurity attack on a very vital production all the way up and down the east coast could actually have. Absolutely. And when you think of manufacturing in particular,

Frank Cilluffo 00:15:29 - 00:16:05

the intentions as well as the methods or the tactics, techniques and procedures of the adversary are going to be a little different because it is that OT dependency. And I do think that sometimes gets lost in the shuffle and the sector as a whole is lagging, comparatively speaking. Your report has underscored. Would you agree with that? I think you would since it was in your report. But I'd be curious what thoughts you have there. And I don't mean to be negative in terms of lagging, but it is behind other sectors. It is. And some of the things that have been

Bill Rucker 00:16:05 - 00:17:32

easy to do for a long time aren't easy to do in the OT world. And you look at something that major programs in the federal government, if you go back and think about the CDM program, for example, all the way back to 2010 and 2011, one of the initial goals of that 15 years ago was asset inventory. Where are all my critical devices? Which ones are high value assets? Where are they? How can you defend and protect what you don't know exists? That's really the forefront of where OT is on the manufacturing side. Because again, there are unknown or unmanaged devices today. And there's not a really good approach to asset inventory from OT. What qualifies? Right. Is it everything up to and including door badge systems, all the way down to a valve and a water system? There's a lot of work that needs to be done to define what's critical and what's not. When it comes to what are we going to integrate into the SOC, what's relevant, because you have to have the telemetry, it has to have actionable intelligence. Right. We used to have a lot of folks in our cybersecurity work in both the civilian government, the DoD, they look at a specific screen and say, okay, that's great, I see lots of trends and bars and stuff. But where's the. So what? Where's the actionable thing that tells me what to do or not to do or what step to take next. That's extremely difficult to do when you have potentially lives on the line, production lines going down, and that changes the game. No, that sums it up I think very well. And

Frank Cilluffo 00:17:33 - 00:18:15

at the end of the day, the adversary gets a vote in all this too. Right. So what we may think is essential may be a vulnerability that's being exploited as part of a broader campaign. Right. And they only have to be right once. And they only have to be right once. And they are clearly thinking cyber as one instrument and tool in a broader campaign effort. Especially when we're dealing with state actors, nation state actors, the Chinas, the Russias, the Irans, the North Koreas and and I like to say what we see overseas is often a movie coming to a theater near you here. So it has relevance. Those are their practice fields. They are.

Bill Rucker 00:18:15 - 00:19:12

And again with systems that are connected in ways that we don't fully understand and may not fully understand what the mapping of connectivity from one OT system is to another, one system's compromised and then it goes into an actual managed OT system and that has connectivity to your IT environment. So something that would seem like a non credible target all of a sudden, massively credible. And now you're on the network moving laterally and if you're able to. Again, we talked about the phishing, you know, if you have credentialed access. Yep. And you can live. You talk about dwell time. I mean that's a hard one to measure because if you're a credentialed, if you have credentialed access as an adversary, you can kind of move at free will. With the exception of some of the anomaly detections and things that are out there, you can do a lot of damage in a very short period of time or put things in place that allow you to come back in very easily and then you exit and you know, nobody knows the difference. Exactly. And that was the big takeaway

Frank Cilluffo 00:19:12 - 00:19:39

from Volt Typhoon. Living off the land and pre-positioning. And when you think of OT devices and when you think of manufacturing, those pre-positioned could have little value in a traditional ransomware crime, even espionage perspective, but can have massive implications in a campaign. And the ability to get credentials from the average user environment so that

Bill Rucker 00:19:39 - 00:20:49

it's. About upping the credential. Right. You can absolutely elevate privileges if you have the right level of access when you go in, but the number of active and current credentials that are for sale every single day One of the things that we do when we meet with. Do you do Deep Web Darknet? We do, yes. We have some folks that live in certain parts of the world in certain forums. Right. And then we do a lot of Dark Web research, either proactively for our customers or on demand through threat intelligence as a service platform. And that's unique because that's a very curated threat intelligence solution that's really built for the segment and the market and the mission of that entity. Right. So if they're in the energy space, if they're in the energy space and a government entity, we'll look at very specific things up to including kind of what their domains are and then what are the users of that and where can we actually find that domain on the Dark Web? I've yet to see a single threat intelligence report where there wasn't thousands of credentials on the Dark Web. And we find on average that 15 to 20% of those are active credentials. Wow. Still employed same username, same password. Yeah, that's a scary thought. And as

Frank Cilluffo 00:20:49 - 00:21:05

bad as that is, I promise you, that's still only the tip of the iceberg. Depends which chat rooms you're in and which where on the Deep Web darknet you are. But that is a scary. That is a scary thought. But it is exciting

Bill Rucker 00:21:05 - 00:22:01

that we're able to, able to get that to illuminate and be able to warn those folks. I mean, because a lot of that, sometimes people are aware because their threat intelligence teams are much better than they used to be, but other times it's, it's just a misconfiguration, it was a mistake, but it's out there and people know about it. And then they put it out there for other folks that maybe want to do bad things to actually find and then leverage as a way to infiltrate an environment. So the more we can do that work to share, and that's a big part of it is the information sharing on it. And the data that DIBNet provides us, the data we provide back to them. Same with CISA's JCDC and those collaborations, those are all advancing the cyber game because now we're able to take that back to customers we provide services for. We're able to share that back to our partners that are in their supply chain. It is a team sport. At the end of that, you have to be able to share that information regardless of, you know, being a coopetition or competitor. One of the other providers need to share will

Frank Cilluffo 00:22:01 - 00:23:12

trump the need to know. And in many of these cases, as long as you're not compromising obviously sources and methods. But I think that that is still a cultural challenge for some in our intelligence community. And then you've got other civilian entities that are responsible for sharing and the like. But to me that's where the real. That's where the rubber hits the road and all the talk about public private partnerships, I like to say long on nouns, short on verbs, but we've got to go beyond just the information sharing to the action. And that's where nothing like being in the same foxhole fighting the same fight against a particular adversary. And do you feel, do you feel, have you seen anything from an adversarial TTP or tactics, techniques, procedures, perspective where let's take China, Russia off the table for a second, maybe Iran, North Korea as well. They're all very different too. But are you starting to see human enabled technology where human and technical and cyber int and cyber means are combining from a criminal perspective? We've always seen that. And if you go way back to Trustwave's legacy,

Bill Rucker 00:23:12 - 00:23:49

right in the PCI space or the payment card industry, we saw that type of threat being from a financial criminal perspective quite a bit. Now the aspect that we see the most from a criminal aspect is just truly the ransom groups, right? So when you look at RansomHub and Play, I believe, are the two that were identified as the top two ransomware groups or adversarial groups that were threats in the manufacturing space. They're all uniquely different. They all do have their own kind of methods and unique TTPs on how they act, which is actually really good. Insiders utilized. That's

Frank Cilluffo 00:23:49 - 00:23:54

what I was really getting at there with human tech. And so on our side

Bill Rucker 00:23:54 - 00:25:08

we probably haven't seen that as much. It's certainly something that our customers ask us about, but it's always a secondary. If you don't have 24 by 7 eyes on glass and your ability to actually defend threats after 5pm and before 9am, the insider thing is important, but not as important as some of those other big rocks. So it's all about that maturity journey. Some are definitely way more advanced and we help them kind of with that insider threat program and the monitoring of that and how they can kind of report that up, especially in the DIB space on the government side. I don't want to say it's an afterthought, but it's certainly not the focus for most of the ones we're engaged with. They really want to get agnostic to. How they just want to keep it. How can I get, you know, my MTTA and my MTTR under 15 and 30 minutes so that I can actually be an operational SOC, next generation. Right. And leverage all of these new kind of hybrid operations and having global threat operators, you know, anywhere in the United States, so that I can, quote unquote, follow the sun, but be CONUS and have a platform that allows me to do that with an actual analyst that knows what he's doing. And I think there's still this stereotype of kids in hoodies drinking

Frank Cilluffo 00:25:08 - 00:26:20

Jolt soda, which hasn't been around for years. So it shows you my age going back to the old hacker. Twice the caffeine and three times the sugar. Exactly. But in reality, that's sort of where I think most. But, but these are, these are criminal syndicates and they're run like companies and they, and, and, and the consequences of going south is low for them. I mean, the threshold, the bar is very low. Very few are, are, are actually prosecuted. Many are provided safe haven in countries we lack extradition authorities with. How do we square that circle? That's a little bit of a policy question. But you know, in the NDAA and for transparency, we did a big report on transition priorities. We called for designating ransomware gangs and state sponsors of cybercrime. So basically to get to the lack of extradition set of issues akin to where you have state sponsors of terrorism. But again, that's not going to necessarily operationalize all that. I'm just curious what we think we can do because otherwise it's a bit of a fool's. We're always reacting. True. And you know, I, when I think

Bill Rucker 00:26:20 - 00:26:25

about it, I separate typically the criminal versus the nation state, and that's what. I'm

Frank Cilluffo 00:26:26 - 00:26:36

talking criminals now. But you can't separate the proxies. Right. Because many of these actors are provided safe harbor. Well, and many of them use the same tools or they

Bill Rucker 00:26:36 - 00:26:40

sell their tool to the same. As long as they're there to do their bidding

Frank Cilluffo 00:26:40 - 00:26:44

when they want them. Vice versa. Right. And to give them that level of protection,

Bill Rucker 00:26:44 - 00:27:58

I think it comes back to. And again, policy aside, I think it comes back to the data that we have independently could actually move the needle quite a bit. Right. So that public private partnership of information sharing that I kind of referenced earlier, we have data and IOCs and things that we see globally. And every pen test that we do, it's just over 2 million hours a year in penetration testing. Every incident response, breach investigation we do, we get additional data and metadata and IOCs we probably don't at the level we could make sure that all of that information gets to some repository that I don't really believe exists today. So that information, again you're talking the volumes are almost incomprehensible. But that would allow us to get better telemetry, better data on some of these threat actor groups. So when you start talking about the ability to at least know who they are and where they are, how we actually get them, how we take them down, what the policies are to make that happen are different. But today many of those act in a way that we don't really know who they are or where they are. We think we do in many cases. But it's so easy to obfuscate who you are and where you are. From a cyber perspective. Absolutely. And I hate to say it, and I don't want to

Frank Cilluffo 00:27:58 - 00:28:20

sound defeatist, but for now the initiative does remain with the attacker. So we've got to flip that equation at some point, but we're not there yet. And I think we're getting better and better and better. But if you look at it just from an outcome perspective, it's not a rosy picture. True. I mean the adversarial threat has

Bill Rucker 00:28:20 - 00:28:51

certainly never been greater. But if you look at our ability to respond today versus two years ago, five years ago, ten years, it's volumes and volumes of improvement on what we're able to do today across both government and industry. Our ability to respond faster, just seeing the dwell times go down 90 plus percent, it's not enough, of course. Right. Because again, they have to be right once, they have to be right every single time. And that's nearly impossible. We always talk about it. It's not a matter of if, it's just a matter of when. Right. From a compromise perspective, sounds

Frank Cilluffo 00:28:51 - 00:28:56

like the old counterterrorism business. But the ability to, to have the playbooks in place,

Bill Rucker 00:28:56 - 00:29:09

the ability to have run the tabletops and the incident response exercises, the ability to already know who your strategic third party partners are when it happens. Right. Everything that's right of the boom, we're really getting better at that. And how to communicate it

Frank Cilluffo 00:29:09 - 00:29:16

to shareholders, internal, external and the many stakeholders to include shareholders or publicly traded. I

Bill Rucker 00:29:16 - 00:30:07

think that's one of the most critical parts. My board sits in on our tabletop exercise. Awesome. When we do that annually, they want to actually understand it. And then you know, if there's discussions, it's at a level of the exercise where there is going to be law enforcement or cyber insurance or those type of things engaged there's always. At what point do the members of the board get notified and what level of communication do you do that and how do you do it? And so if I go back to, you know, I've had that same board, ish, for, for almost a decade, they weren't sitting through my tabletop exercises, you know, five, 10 years ago. Right. But for the last three or four, they sit in every single one. So that, that definitely changes the mindset, their approach to, you know, how secure are we as a service provider? Because that's, that's my brand at the end of the day too. So if I'm compromised, how are people going to trust me with being a solution provider to their. Absolutely. And, and that's beyond just the internal external. You don't

Frank Cilluffo 00:30:07 - 00:30:16

want to be exchanging business cards when the balloon goes up. Right. You want to also know your partners, whether law enforcement, national security course, public safety, you name it.

Bill Rucker 00:30:16 - 00:30:20

Who are those points of contact, who's in your system. Trust matters. Right. It's still

Frank Cilluffo 00:30:20 - 00:30:23

the coin of this realm and every other realm. And how do you contact them?

Bill Rucker 00:30:24 - 00:30:32

Right. You got no email or your systems are down. How do you actually let your employees know what's going on? How do you let you know your, your key partners know what's going on? You know, one question I want to go back to

Frank Cilluffo 00:30:32 - 00:31:21

and then we're, we're unfortunately running out of time. I could sit down for hours. As you can tell, I've never had an unspoken thought, but the skills gap issue. Sure. And in the IT and cyber environment, it's massive. And it's only larger in the OT environment because they've never necessarily thought of themselves in this orbit and world. What can we do? I mean, Idaho National Labs does some good work. They have an OT Defender program. It's career paths where cyber and security at least can be part of that. Do you have any thoughts on that? Because we've, we've spent a lot of time working on OT and actually training that workforce. But those numbers are onesies and twosies, comparatively speaking. Yeah. You mentioned INL and then NREL, I think

Bill Rucker 00:31:21 - 00:31:43

partners with them on a similar scenario though. So it's the challenge that we will continue to have. I mean, I think on the cybersecurity gap, I think last I saw it was. It still said it was like 4.8 million was the standing cybersecurity gap. Right. I've never seen the OT portion of that. Right. Do we want to

Frank Cilluffo 00:31:43 - 00:31:46

see that? Yeah. We actually need to know it though. We do. And so Is

Bill Rucker 00:31:46 - 00:32:33

it? Is it? Ignorance isn't going to double it, but. It's going to be a material thing. The problem is even though there's that, that skills gap. Right. And so you look at all the College of Engineering and cybersecurity programs that have started around the United States in the last three to five years. Yeah, tons of those. Right. Like Auburn, a bunch of other ones that didn't exist five plus years ago. So I do believe we're making a conscious effort to educate the next generation of folks. Right. To be able to understand that. Where it'll be interesting to see is where, where will the importance of the OT aspect of that overlay that I haven't seen yet. It's definitely been cybersecurity. This is a great profession. You can get a job right away. Pen testers are in demand, become a threat hunter. These are things that are actually pretty. Exciting and there are career paths, but not on the

Frank Cilluffo 00:32:33 - 00:32:36

other side and not integrated. Yeah. And it's not an it. You're going to the

Bill Rucker 00:32:36 - 00:32:52

college of Engineering with a focus in cyber security. So it's the level of, I guess respect's probably the wrong word but like the level of respect of going into, you know, cyber security is different now. Right. Especially when you associate with the college of Engineering at most of these schools that makes a big difference. And the owner

Frank Cilluffo 00:32:52 - 00:32:59

operator needs to be there or it will be the Rodney Dangerfield of, of cyber. And it can't, it can't afford that. And I think there'll be more funding in

Bill Rucker 00:32:59 - 00:33:32

and around that. So my, my, my son's currently looking at colleges right now and one of the things that was interesting is the number of college of engineering who actually wants to get into cybersecurity that were providing funding. Right. And say hey, this, this school, we're going to give you X because of that discipline. That wasn't because of his grades, wasn't because of where he lived or his background. It was because of the, the fact that he was going into a specific field. That's a great sign for me to be able to see that that's the response coming out of the university and scholarship for service. All these initiatives are essential. Before I ask my

Frank Cilluffo 00:33:32 - 00:33:43

last question, I can't let you go. AI/ML. Where do you see it fitting in your two-minute version, your elevator pitch? Good guy, bad guy. Gosh, it's interesting. So

Bill Rucker 00:33:43 - 00:34:44

it will revolutionize the SOC. What we've been able to do with ML in security operations and hybrid kind of SOC as a service and MDR has, you know, we've been able to do in six months what took us three years. Wow. It's just there's so many known scenarios, known incidents that you can effectively automate. You know we, we refer to it sometimes as Tier zero analysts, some other folks do that as well. That ability to, to leverage that information and those large, large language models is, is phenomenal and will continue to change the game. The AI aspect of that to be able to not only see the situation but see a situation that also happened that's similar to it and take action based on a runbook and traffic light protocol will take the security operation center to where honestly tier 0 and 1 and almost part of 2 can be automated to a degree within a majority of an environment with the exception of critical assets, high value assets. U.S. companies ahead. You think of

Frank Cilluffo 00:34:44 - 00:34:47

the rest of the pack or is that getting close? I think we do a

Bill Rucker 00:34:47 - 00:34:52

very good job on that. I mean there's certainly concerns around mostly. Because of application

Frank Cilluffo 00:34:52 - 00:34:58

or you think it's the LLMs? I think it's mostly because of we've been doing

Bill Rucker 00:34:58 - 00:35:33

certain things very well in a very manual process from a SOC perspective for a long time. So our runbooks, our playbooks, we've been there, done that, kind of know it. So the ability to take all of that context, all of that knowledge, all of that metadata and data and put it into a place to where we can leverage it for automation, I think that gives us a benefit from a Vandy's have been doing cyber globally. Right. From that perspective the AI piece of it will continue to evolve. Right. I think leapfrog other from both the Blue Defender perspective if they're

Frank Cilluffo 00:35:33 - 00:35:37

smart, but also adversarially. Right. Well and so the flip side to this coin is

Bill Rucker 00:35:37 - 00:36:16

everything that we can do faster, better automated, the ability for I think about the social pen testing from a social engineering standpoint, the fact that you can now pick up the phone and call someone and through the app sound like Frank, yeah. Giving you a call. We've got the show, we're doing that. And you cannot tell me that this. Says yes or no and they got it and they're using it. And whether that's credential harvesting or stealing identities or the ability to just have someone take an action or make a configuration change, that will continue to be an issue because again, they have to be right one time. They have to get one person to.

Frank Cilluffo 00:36:16 - 00:36:23

Make one mistake, one misconfiguration, just like spam. You can send a billion, all you need is one or two and it's a good day. Right. There's one or two. Nigerian

Bill Rucker 00:36:23 - 00:36:27

prince. And you're in. There you go. Bill, what questions didn't I ask that I

Frank Cilluffo 00:36:27 - 00:36:33

should have? Oh, wow. I think from us, you know, I kind of touched on

Bill Rucker 00:36:33 - 00:37:35

earlier, it's like, what, what can we do to. To continue to move the needle to get better? For me, when I think about. About cyber and the partnerships, it comes down to that particular word. So I think about public private scenarios for us, the ability for folks to truly tell us where their, where their pain is from a cyber perspective that, you know, in the past, people have been reluctant to, to kind of expose and say, hey, I've been compromised. Here I have this weakness there. Our best relationships, where we've had the most phenomenal outcomes with our customers and partners is when people are transparent and we take that same approach. Hey, here's where we can help you right away. Here's what will take a while on your cyber journey. But there's always immediate help for those folks if they're transparent, because they're all trying to solve some challenges that are not always easily solvable. But through partnerships and some of that transparent sharing, we can make a difference. Right. And it's every single one of those small advancements will move our security needle further down. And I'm really glad

Frank Cilluffo 00:37:35 - 00:37:50

you underscored. At the end of the day, technology will always change, but human nature remains consistent for good or bad. And it's going to take people to have trust and actually work together to get things done. Bad news doesn't get better with time.

Bill Rucker 00:37:50 - 00:37:53

Right? So let's talk about what the challenges are. If it bleeds, it leads to

Frank Cilluffo 00:37:53 - 00:38:01

it. There you go. Bill, thank you for spending so much time with us. Thank you for fighting the good fight, and I'm glad you're in it. So thank you.

Bill Rucker 00:38:01 - 00:38:03

Thanks, Frank. Real pleasure. Thank you.