BSidesSLC 2019 - Three dimensional security – a graph and search approach to security and compliance

all right good afternoon everyone I'm really happy to be here to present you this topic right here is about three-dimensional security and how we leverage graph and search to approach a security and compliance problem and automate securing compliance my name is oricon I'm the CEO for life omec i'm or i've also founded the product called tubular Wang which is a security product what I'm here to talk about is how we used this technology behind the scenes this is how we operate security life omec how my team does automated security operations and compliance as well as the technology behind the scenes for Jupiter 1 the security product that we built now before I start you know I want to tell

you attention to you what this is what I'm gonna cover I want to talk about you know what is the root cause of you know our Evo or everything that's wrong today in the cyber space and what I mean by two-dimensional security and what I mean by three-dimensional and I want to give you a demo and do a little bit a little bit of a Q&A session at the end of it as well so I'm sure that everybody has heard of all the breaches right and I'm not here to bore you with that but I want you to kind of keep this in mind and think what do you think is the cause of these cyber breaches why do they keep

happening we know it's not going away is just gonna keep helping every everyday or or every week you can see something in the news but why is that we make this a live interactive anyone what do you think

resource this right so resources attentions one sec let me turn this back on well there are probably many things right so you you may hear people say that okay it's because of the users right so you can't fix stupid somebody's gonna do something done well maybe now somebody may say that it's because security is not compliant right because you know all the companies that were breached they're compliant they're PCI compliant they're certified and whatever but they still get breached so sure yes that that is true security is not compliance or it could be that you know the organizations that they foundation only just lack good security hygiene they're not covering the bases and and so on and of course like this

gentleman from mentioned it could be that just there's a lack of resource right you seek the good guys the defenders they just can't keep up there's so much happening and the defenders we have to do everything right all the time and the attackers only have to do one thing right that once but I will still ask why is that is that are those the root cause if there's one thing one thing that you want to think about that is the root cause even behind these what is the reason why is this so bad you know why is why can we let the users do what they want to do why is security not compliance you know

why is it so bad that the defenders have to do everything right and what's causing that now there's one thing and that one thing is complexity that is what drives all the problems that we see today in our digital environment and that is the reason why the defenders couldn't keep up and that is the reason why we cannot have continuous security and compliance it's not that we don't want it is not that we don't understand that we need it it's just the complexity inhibits the ability for us to get there the complexity is driving us so that we do not have the right visibility is we do not have the deep visible we're barely scratching the surface into

what we have now I want to ask anyone here to think about your organization and the resources the assets the data and the entities and everything that you have in your organization now who here has a complete picture and a deep understanding of everything that's going on right now in your environment nobody right I don't think anybody can really claim that it is it is a difficult problem it is it is the complexity that drives all the the reasons behind why the breaches keep happening and that's also why the defenders the analysts they cannot respond to you the instance quickly there's just so much to analyze and there's so much alerts and we have lar fatigue and and so on that that

prohibits us from focusing on the very meaningful tasks and all these are what they are they're advantageous to the attackers so knowing this what are we gonna do how do we solve this root cause right so the the security industry is very good at doing one thing it's throwing tools at problems when we have we know that you know things that happen with users right and you know we know that the the boundary is no longer at your corporate network what do we do we come up with a solution called MDM mobile device management or EMM right enterprise mobility management if when we say that our farmers are not good enough they're not blocking things at

the right you know layer three attacks we have what we do what do we do next-generation firewall every time there's there's a problem boom there's a tool or or what's the other way to do it add some resources at another expert to manage this this system what does that do at the end a day it adds complexity so this is a never-ending loop of not solving the root cause well if I say this out loud it seems simple and logical what do we do we have to do two things and number one is that we have to understand the complexity that we have we have to truly understand in a way that we're able to

track and see and analyze our environment as a whole and everything that goes on in the environment in what I call three dimensions I'll get to that point and second is we we cannot continue to add complexity we cannot continue to throw tools and processes and people at this problem it doesn't help it hasn't helped and it never will and what we need is more automation well did this is simple right this is this is easy to say but how did we do this practically now keep those two in mind and move on to the next topic which is what I mean by two-dimensional security this is actually pretty easy to to correlate and to understand and take any

compliance frame or take anything that you're doing today it is a checklist driven approach to operational security you have certain things in your environment it may be a user it may be an endpoint it may be a an instance in AWS that's your first dimension the second dimension is how is that configured what is the user doing right so those are the second dimensions the configurations and your resources now if they are configured according to your policy or according to the compliance requirement check that is the current approach and from an assessment standpoint from an author standpoint that's a survey based approach and Assessor will come in here and look at this list and see if you're

doing what you're doing and again this is this very two-dimensional approach to security now what does this do this is not unnecessary this is great this is a good step forward but it answers one set of questions to answer to what it answers the what you have how's it configured and the what questions but what it doesn't answer is the so what so I'll give you an example if you notice that a user in an employee of yours or user account that does not have multi-factor authentication enabled is that doors are bad maybe I don't know well it really depends so that is the two dimensional approaches you say okay of course it's probably bad right we want

users you have MFA enabled this is so fundamental now everybody should write if if you don't have an MFA enabled in your user you should probably just stop listening right now and go do that right now but on the other hand is it really a drop everything and fix it type of problem you don't know until you dig further if that user is in a sandbox demo environment that is contained and has no access to anything else important maybe it's intentional maybe it's not that big a deal if that user is an admin user that has access to a production environment of course you better drop everything to fix that right now so what it lacks is this third dimension which

is the context and the relationships in your environment what's connecting the dots in your environment and that's what's lacking and that's the problem is today that makes the attackers win as you see here the attackers day thinking graphs they thinking this kind of connected model and the previous session talked about ready mean I'm pretty sure that's what they think about is how one thing leads to another right once they gain access to something how does that become a you know a beachhead for them to you know elaborate their axes were elevate their privileges to gain access to anything else they thinking graphs but defenders say thinking checklists and that's why attackers win and that leads to the main topic today which is

how we use graph and search to address this problem so when I say graph it is not pictures but it is this computer term graph is a label property graph more specifically that represents ideally everything that you have in your environment now if not everything or most everything is is good right multiple aspects of your digital bar your digital operations that includes these following things your infrastructure for example your AWS accounts the resources within your AWS accounts your development environments your developers your source code repos and your end-user devices and what they have and how many trainings they've received and so on so forth the applications you have in your environments and of course the security

controls and findings like you know identity access management tools your security scanning products your security agents you know servers and endpoint agents and so on so forth now that's what I mean by this graph model well go deeper into that and what this graph model has and this is what we've built for our internal operations and uber one as well is a set of entities and relationships when I say entities the entities is a node a labelled node in the graph a vertex in a graph that represent each entity represents a single resource within your digital environment it could be a user it could be a person an employee it could be an access key it could be a data store a

workload and things like that so there's a host set of entities that will represent your environment now each entity has a set of properties and these properties represent its state and its configurations there are some common entities or common properties that would apply across all entities there are some examples of those for example the name the display name how they're displayed and the summary description classification risk status and so on and so forth and there are a set of other properties that represents the status whether it's active if it's publicly accessible if the resource has been validated if it's temporary set of timestamps a set of tags and notes associated with all those entities now

then specific entities would also have their own specific properties I'll give you a couple examples I won't go through all of them like a datastore a datastore could be in the in the form of an AWS s3 bucket a database instance or a EBS volume it could be a type that is entirely not in the cloud it could be an on-prem file server as well and some certain properties associated with that could be the location of it whether that data store requires encryption and the actual encryption algorithm the reference to the key whether it is encrypted and whether it's public and so on so forth and some other examples a function write a function a server list function can be

a lambda function adjure or Google Cloud function and each one of those would have its own set of properties like image version runtime and so on so forth couple other examples like host but these are pretty self-explanatory and a person it's got the first name last name email address title and those type of things associated right so once we have a set of these entities defined in the graph these are you have your two-dimensional view right so you have your you have your resources and you have the configurations of them now we're moving on to the third dimension which are the relationships how we define relationship in this data model is a set of abstract verb right so these

are verbs that are generically describing what those resources are very similarly I forgot to mention that these entities privilege that you saw there's the type of there's also the abstract label class for these entities like datastore is the label and the s3 bucket is the actual type of that entity the relationships are these verbs for example an AWS account has AWS instances right so that that represents the relationship or a VP C or a network within AWS has contained subnets right so that that's another different set of relationships some other example would be a user is a person a user that represents a digital user account is actually the employee or that person these are some of the examples

now you can also have things like a vulnerability that exploits or a an attack that exploits a vulnerability which impacts an application where a co repo right so you can you can continue to you to chain and to connect the dots using these relationships so give you a couple examples here's a simple one which is in this example there are three users octa is an identity provider you can have an octa user that is this person you can have a github user that a source of this person and or you can have a I am using AWS that is also this person so this is a one-degree relationship right now let's expand this a little bit and see what else you can

see from this relationship map now what you see here is that the actor user is assigned a multi-factor device and access key and you can also see that the I am user is assigned a MFA device but it also has that user also has a a key which is an access key in I am you can also see this example that the there's an access role in AWS I am rel that belongs to different AWS account that trust this I am user here so from this simple example you can already see the extent of how you can kind of drill down and and extend the relationships and see use this as an analysis tool for

understanding what you have and the complexity of your environment now at this point you may be thinking well this example is actually extremely simple now there are there are many things that are connected writing this complex environment of yours how big can this graph really get right well we've actually done some analysis of actually some of our customers and in our own users so we've done some benchmarking on some of the data that we've collected now for a small organization like a very small start-up five employees a single AWS can there could be three hundred and forty plus entities in this exact example and over thousand relationships and and up to a huge enterprise with

thousands of customers or thousands of employees could have ends up with you know a quarter million entities and over a million relationships and what does that look like I'll give you an example what does this look like this is a very specific example graph with 1348 entities and close to 3,000 relationships the graph looks like that how do you understand this but that is the reality right this is a this is a fairly small organization this is the reality of what we're dealing with that's what we have in our environment now try to make sense of this yourself in your head it is near impossible without some tool to assist you to understand the full context of what's

going on and not to mention that in today's cloud environment things change constantly what you just understood a minute ago could have changed the next minute so how do you keep up with this complexity so first right so with it that established that now we there's a way right if we can build this graph that's great we that this graph represents what we have the second challenge is then how do you understand it that brings me to you the search and this is what the attackers do anyway what they do is they focus only a subset of your environment to analyze the sub graph so we have to have a way of querying and searching the graph in

order to come up with a a sub graph that you can focus on and get a deep understanding of that particular subset so what's the end result of this the end result of this I'll show you in the demo as some examples of how this works but the end result of this is you can then operate security and compliance as simple as asking questions so imagine a google-like experience you come to one place and this place has the entire understanding of your infrastructure in your environment all you gotta do is ask those questions questions like who has access to my data who has administrative access the users with admin access do they have MFA enabled our my device is encrypted our

my data store is encrypted right those type of questions should be easy to answer and should be easy to analyze if you have the full graph and you have a capability you cert and query that graph so what else can you do with it right so once you have that then there are more a lot more advanced analytics and automation that you can do I'm mentioning a couple of use cases here one is you can automatically determine the ownership from events and when an event comes in you can capture from that event information the principal that triggered the event and assign an implied owner of the resource that that that event impacts or it creates an

example being AWS cloud row events when you have a create incidents event that came from cloud trail and that event is associated with a principal and you can kind of determine implied that user who created that resource is probably the owner you can do event correlation by based on the validity of the existing context so this is a far better approach than using sim right so a siem secured information event manager because what you have right now is a persisted context you always know where you have your current environment when an alert comes in when a event comes in you can always correlate not just to some other random events that may happen within that window of time but what you

currently have what is the current state of your environment you can do a learning-based on the risk level you can do in the individualized alert notification you can do automated vulnerability management and use this as part of your DevOps pipeline as gates in your deploys so there are many things that that can be done now with this type of analysis in automation how do you build something like this right so how do we build something like this and this is what's behind the scenes of that the two that we've we've built well there are at least a few things that you're gonna need as these sort of five thing there's probably more than that but

these are the high-level things you're gonna need some sort of a graph database right so this is a graph behind the scenes you're gonna need a way to get data in here and continuously get the data in here and you're gonna need a way to find the data to query in search like I mentioned before and you're gonna have something to visualize it and then at the end these advanced analytics and automation that I mentioned you're gonna need some sort of a workflow integration to enable those so let's talk about each one of those in a little bit more detail the graph database well there are many options out there so here are some examples neo4j is a probably the number

one popular one out there and there's a couple of open source solutions listed here Janis graph or in DB and also Amazon Neptune which is what we use for our product now what about getting data this is very tricky it seems like it should be simple right all these are cloud enables SAS based solutions there's api's why don't we just write some scripts and talk to the API is and ingest data it sounds simple it sounds easy but in reality it is very challenging we've been doing this for over a year now and it is very challenging to get done so you have some components like this right you have your data source some API is that you talk to

you you have you're ingesting via some sort of integration to convert the data and synchronize the data into the graph and which is triggered by some sort of scheduler on a time-based window or a triggered by certain events well cool and then you have to have some component you persist the data to your graph or maybe capture that additional ancillary data in some sort of a raw data storage during s3 or or some other form of data store now you also have need to have a component that can that can do the analysis of the relationships and map out the relationships not just within a single environment itself but more importantly across environment like resources how is one resources from one

AWS account relates to resource within another AWS account what is that cross account relationship how does users within octa relate you users in your AWS environment how does the your code repos relate to you your projects or your application that you deploy into your cloud environment and so on and so forth these cross environment relationships needs to be mapped out some of the challenges that we saw like I mentioned this is not that trivial one is we got to get the data right and we have to get it right not just one time getting it in one time is fine but we have to do it consistently and continuously there's a lot of the updates we have to make sure

that every time something changed we need to be able to update the data in the graph accordingly and accurately and when things are deleted right when things are created right all those changes the the diffing process is pretty complicated now there are specifics from the data provider we'll have to consider like Rea limiting the authentication model is they using API keys is it an app that we have to install in the providers like a github app or is it using a Soomro like in AWS you assume Road trust relationships and so on so forth all those has to be figured out and of course the computer resources required to analyze the environment for especially when it comes to server lists

or limitations on how long a lambda function can run and and so on so forth and there are details that come from an entity may come from for resources how do you map all those details of one particular resource that may carry information from different providers like a host is a good example you may have various type of host agent that contains information about this host device how do you aggregate that information from different entities into one right all those are challenges that we had to solve and of course data migration when a time comes and the fact that there are just lots of different data sources and engrams to cover the scope that you may

have so this is getting data in and then finding data now once you have the data in graph and you may also have this data you can index how do you find this data there are two ways that you need to analyze this data one is a structure way that you can analyze the entities their properties and their relationships well it depends on the graph database this could be done via either the Apache guanine language or sparkle or cipher which is unique to new 4j those looks pretty complicated as you can see from this particular snippet there in the box now of course there's also unstructured Cori now you need to be able to index

your data the properties of those entities you need to be able to do a full text search and you may need to be able to query the raw data at the right events that you've ingested all these are very challenging and what's more is you can you may be what you do this individually and independently how do you combine them in a meaningful way so there is a intuitive easy to use search language but also precise this is more difficult than a search in Google right because what you're looking for in Google is you type in some search terms or a bunch of results you can analyze those but in this particular case you are driving alerts you're driving your

you know compliance evidences based on those quarry results it has to be precise at the same time it has to be flexible well we'll show you an example later on now once you have this query language how do you display that right you need to be you have to visualize the sub graph right the visualize the results there are a couple things that you can do here with neo4j they they provide a browser that you can use to look at the data and there's various type of software that are basically graph viewers on top of graph databases or there are JavaScript components that you can use to write your own we actually did our own with

some of these components the last thing is this integration with workflow and automating the workflow so what can be done here will be a set of rules alerts there needs to be an engine that supports rules and alerting and there needs to be integration with things like JIRA you know create a ticket update a ticket you know send notifications you slack or you know email of course or you know paging somebody when an incident happens with Pedro duty and maybe even automatically trigger security scans of a scanner as part of the vulnerability automation so these are all the things that needs to happen in in this in this graph based security tool right make sense so now with that I'm gonna try to

do a live demo let's see how this how well this goes of the platform

so this is what we built and you know hope luckily that you know of course as I mentioned you can totally do this on your own with those five or six different things I mentioned were and we've actually released this as a SAS product for anyone to use and of course there's is not completely free but you also don't have to build it yourself now again the idea is to make this simple right to make security a search problem this is why when you first come in here you just present a search bar you can start typing things and and find things in there but before I do that I want to just show you real quick you

know what data is integrating here that you can you can look for stuff now this is our own account on on cuber the one on this security platform you know we've integrated six of our AWS accounts you know a bit bucket our calendar to a couple of github accounts and octa and very code and you know d this is the extent of our integration so far now once these integrations are configured i just want to show you real quick the assets that are brought in right this is this is a two-dimensional view of the things that we have so I'll draw your attention real quick to you the lower right and in there's account and there

are nearly 8,000 assets where entities that are ingested automatically from these integrations now this required absolutely no manual effort and then we record no menu entry of any of these nearly 8,000 data points at all now each one of these is associated with its own set of properties that you can see the details of them and there are also labeled accordingly for their class like I mentioned before there's things like database you can filter on these classes and you can see that these are the different types of databases that were ingested right so these are the specific types and labeled with the abstract concept of this is a database same goes for users I think these are users right

here you can see their octet users bitbucket users github users IM user and so on now they use chef their own properties associated right so again this is the two dimensional view of of the things now let me go back to showing you the more interesting ones now what can you do when you start asking questions like one example would be you can just start typing things in here and say ok you know there s sa truce you know in what are the inbound ssh using my environment now i show you all these and you can see this in a graph view and this is the sub graph that you can start to analyze or

you can see ok this is how the SSH connections are happening across the thousands of entities within six different AWS environments that we have another example will be easy two instances right so other ec2 instances connected to the internet and again here are the instances returned you can see the single graph and as you see here there are a security scanner and there are some VPN servers exposed to the internet right so this is a way for you to see in an interactive way what's connected and how things are connected in your environments this particular one is a security group where you can see the some of the properties are searched associated with that and you can

actually interact with this graph or you can expand it and see what else is connected within the security group right so this is again as a way for you to see and understand your environment based on simple questions and queries

any questions or anything anybody is particularly interested in may be seen

well so the question is you know how do you correlate ec2 instances and the EBS volumes right so now these are the questions I typed in and was asking by just typing the keywords I'll type in something specific like find AWS EBS volume so this this simple query right here is it starts with finding of the volumes and and also to add on to your question maybe you might be interested in saying okay are there volumes that are not encrypted right so I can actually extend this quarry and find things like with encrypted is not true and it should hopefully return me a subset hope

in the indie environment so you know these are somebody well hopefully this is correct right they're a bunch of entities that are in here the volumes that are not encrypted now to your second part of your question is how does that relate to the instances right now you can do things like find AWS instance that uses AWS EBS volume now this will just find the instances that are using these volumes right and and again you can see this in a graph and see how they are connected right so this one is there's a lot of them right now and you can see how these instances are using these volumes now you can also see that

you know I can reverse this query and I can actually find EBS volumes that are not being used by anyone now this will find me you know volumes that are not being used by any instances right so so you can use kind of simple queries like this to analyze your environment and find you know miss configurations and understand the relationship across the board

there's there's no limit to how many verbs that this supports it's it's it's driven by the data model that's defined all right so when the data is ingested that these relationships are mapped out using these verbs so as long as that relationship relationship has that verb label you can call reusing but using it right because you know for example you can actually find do things like find I'm gonna use an example in hearing our biblical account find biblical user that is not person right so here's an example of how you can find user accounts that are not mapped to interactive users right this must be a system user of some sort one API user of some sort right and

you can also do things like you know find users that have assigned and the fate devices and and things like that or you know admin users right you know who has been assigned I mean access you know those type of things that you can also query in the environment so and again this really depends on the amount of data ingest it and the amount of integrations that is within this environment the more there is the more powerful that you have and the more visibility that you can gain into your environment some other questions

now we've there's also a set of here here's some examples of all the questions that we we can ask her these are just some templates examples there are many things right you can find things about your users you can find things about your applications you can find things about your networks and even your employees right who are the new hires and other IP collisions in your environment so this is not entirely limited to just security analysis you can do operational and network type of analysis of your environment as well by using these questions and queries

any other questions

so any other thing that you might want to see as a quarry yeah

yeah you can you can do a couple of things right so you know one thing is there are some designated entities that you know one would be the route the route is your route organization now when you do this you can start exploring right so there's that's why the graph is interactive you can start exploring what you have right so this expands into you know different accounts and different users right that's one way and you can just do these kind of generic things you can do fine account and you can again you know just navigate graph right by expanding graph and start seeing what relationships there might be in in your graph right by navigating these graphs

as you can see here then you know these relationships are highlighted so you would you see you know what those you know relationship verse verbs are right so here here's an example that says trust make sense

oh yeah so the question is you know can you do a query like find anything that trust anything sure this may take a little longer to run that let's see could be a pretty massive graph there's a lot of trust going on in the environment

come on if it doesn't work as your fault oh it didn't work there's too much there's too much going on right what we can do or to make this a little easier is this right so we're gonna do fine access road at first something oops excuse this easier way

there's a lot right so yeah so there's a lot going on and which which does show you there's a lot of data behind the scenes and there's a lot of relationships going on behind the scenes right whether with this amount of data you know close to 8,000 entities there's probably you know 30 or 40,000 relationships going on in this environment ah that's a good question right how does data get updated before time so there are the primary way today that data get updated in the platform as this right now is on a schedule right so every 30 minutes or so it will go retrieve data from the source environment for each integration and it would do a comparison to see what

changed and update a graph and update the properties and create new entities update entities and update relationships and so on now where what we actually are actively working on is to to make that event-driven whereas remember I saw I show two triggers to the integration one of them is to schedule and the other one is events so what that means is were counting just events like clouds of events and security alerts and use that as a trigger for updating the graph right so get the context from the event and get additional context from API calls to update a graph no sir and then another question

right that's that's a that's a good point so let's see so an ID right so let's just say in an event you saw an event with this ID in there and the event itself may not have enough information to show okay what is what is this about right so all you got is an ID so what you can do is this I'm making this full text search right so you can you can simply enter this string and it will find exactly that item for you based on that ID and then of course you can if you want to analyze it as part of say instance response right if this is part of the source that triggered and

Security Alert or triggered a security incident you can start seeing this and you can start expanding and see the relationships that this entity has from that you know now this can also be combined with with the rest of the query right one example would be you know our developers do this all the time you know we actually ingest certain information about pull requests from the from the repos so I can actually do things like you know chari which is a developer that opened PR Oh show me the PR said this person opened all right this is a this is combining the full-text search because I didn't have to know you know Charlie has a I don't know what his I hope he

doesn't mind me showing his information here arming the public and you know this is his user name is not charlie right so but but what this what this did is a it's basically a full-text search and it finds this entity and the relationship associated from from that point on right so the core language we've build is actually quite flexible it they can do allow you to search keywords and ask questions and allows you to do full-text search of any property values and allows you to do very precise quarry using define something that has or you know that relates to you something else you know with that type of close to natural language not exactly natural language

but feels like natural language type of quarry in a precise way and also like you see here a combination of them right at the same place all right

that's right I don't have a demo built for that but I can describe how that works right so we have ingesting x' with Verico for example right so which is a vulnerability scanner you can come in here and do you find vulnerability right so there is someone but these are the test ones they're not quite real but the idea is we we have api's public api's that's accessible for for the platform and by the way I don't know if I repeat a question the question is how do we use this in a DevOps integration type of scenario so the idea is to use Jupiter 1 as gates for your DevOps pipeline for your deploys so when you're doing

deploys we do this today with our jenkins and we would query the jupiter one api and say here's the code repo i'm deploying keep in mind that we have that integration with github and bitbucket so we know exactly when you say disco repo ok yeah we we see it right here and and and then you can you can just send the API or Cori and say you know fine vulnerabilities that impacts this repo and use that right you can also do certain things like you know with severity equals five or you know equals high or something like that and use that as a decision point for your deploys right and while we're further building out which is not in this current version

right now is a more full-blown vulnerability orchestration process where within Jupiter 1 you can query things like given a repo hasn't been scanned recently when was the last time it was scanned if it wasn't scared goat rigorous can't and if it has been scanned what are the vulnerabilities right those type of again you know questions type of interaction to help you drive a decision as part of your develops automation now another benefit of that is you know we we just went through this we we use a particular vendor and then we are in the process of switching to another scanning vendor now imagine that if we build a whole set of automation with certain tooling right and if you

decide for whatever reason that this vendor is not working out you have to switch to another provider what would happen you have to rebuild your automation you have to rebuild your tooling but in the case with integration with Jupiter one you don't have to because we would add track those interactions with the integrations between kubera one and those downstream controls and providers you would have one place to talk to you and if you ever choose to change your vulnerability scanning tools you don't have to do a thing but you reconfigure your integration which you don't want everything else remain the same alexxa enabled that's a good that's a good point yeah that's that's something that

we actually are looking into doing maybe not right away but sometime down the road hopefully later this year is to actually build a true natural language layer on top of the quarry so you can come in here it may be a Lexus a neighbor or you can just talk to it you know through the web app and ask questions directly that way yeah absolutely yeah there's a lot of thing that we we plan to do and that's on a road map of this and you know we build this as our internal solution and you know saw tremendous value that we're using so we decided to say you say hey you know why keep it to ourselves right

so you know let everybody else use it as well so anyhow so the I'll just conclude and the key thing is there is so much complexity we have to have some sort of a graph oriented way of understanding the environment and some sort of a capability for us to search quarry and automate the knowledge that you gain from this environment that you have right so there's one thing that's pretty famous saying by the strategists is you can protect where you what you can see right that's exactly what right now with the cyber breaches the complexity makes you not able to see and therefore not able to protect alright thank you so much