
Testing, testing. Okay, sorry about that. Anyway, um, several elements of their talk I think you'll find salient in here, I hope so. Um, I'll just give you a little bit about me. Been in IT for about 21 years now, uh, so my IT experience can officially drink alcohol. Um, the last 10 really have been in infosec; I would make an argument that it was actually longer than that, but not really worth arguing. Uh, focusing especially in identity and access management. Uh, currently I'm the lead IAM, I say, evangelist (I'll tell you why in a second; it's kind of a wishy-washy name, but, um, there's a reason behind it) for a Fortune 100 farming company. You look me
up on LinkedIn, you'll figure out who. But, um, I'm also a volunteer high school speech and debate coach. Uh, don't read anything into that; that offers no warranty or guarantee of my performance. Um, and of course, related to my company, the opinions expressed here are entirely my own. But, uh, the reason I call it an evangelist is, you know, my job, uh, for my company is to craft the strategy within identity and access management, but it's also to hopefully make people at my company care about identity and access management, and, uh, hopefully by the end of this presentation you'll be caring as well.

So a funny thing happened on the way to this presentation. Uh, I was
sitting in Alen Hicks', uh, keynote speech this morning on data privacy when I received a text alert from Bank of America: my debit card has been compromised. Funny you should say that, because that's the first thing I thought was, oh, that's ironic. Then I realized, no it isn't, it's a funny coincidence, but it wasn't ironic. Um, so anyway, I just thought I would share that, because I realized on my way out to the car, before I spent 30 minutes talking to Bank of America about it, they found my number on somebody's computer. They don't even know who the merchant is yet, 'cause I haven't pulled my business from them yet, but, um, yeah, they locked down the card,
everything's cool, you know. But, you know, it was certainly a fitting, uh, segue to, uh, and also give me an introduction to this story.

So we're going to talk about what PAM is, um, why it's necessary, um, talk about some recent events (and certainly the Gotham guys have really done a nice job of setting some of that up). I'm going to dive into a little bit of some of the key breaches related to privileged access, and then we'll talk about PAM as a program or a service. We'll talk about things like the actual practice of privileged access management (and it's a very broad, uh, term), um, how collaboration is critical, uh, within that area, and then we'll look
through some use cases, and then finally we'll look at how do you adopt a PAM program and some of the keys to success.

So first, what is PAM? It's not that. That's my one attempt at a joke during most of this. So, um, privileged access management is a broad spectrum. Sometimes that term is interchanged with privileged identity management or privileged account management. I like privileged access management because it's a little bit more holistic, and especially as a practitioner, uh, depending upon the size of the company that you're in, you may look at different opportunities within that spectrum to leverage privileged access management that may not necessarily rely on tooling, and I'll talk a little bit more about
that later. But I'm not going to read you guys these definitions, because I got a slide full of, you know, but basically we're looking at three components to this: privileged access, which is the elevated condition within a system that lets you do the cool things on a system; the privileged account, obviously, is the enabler behind that; and then the use of privileged accounts should absolutely be managed within your organization. And some consultants out there (I am not one of them), um, will tell you that really, when you're doing identity management, you should wait a while before you start tackling privileged accounts. As the Gotham data security guys, you know, uh, scientist, sorry, uh, explained, uh, you
should be doing it now. And it doesn't mean that you have to boil the ocean and try and do everything, but you should be trying to manage those accounts today. And just to give you an example from a personal perspective: how many of you have a network router at home? Hopefully everybody probably raises their hand. If you have a computer with an admin account at home, you now have the authority to have a privileged access management program at home, just managing two accounts. So you probably have a password management tool, right? You log those two accounts, you get rid of the default password, you now have a privileged access management program. You multiply that times 95,000 workstations,
that's a little bit of a different, you know, uh, endeavor, but the point being is that you can start simple with this, and I'll reiterate that as we go on.

The reason why this is so important (and Gotham obviously demonstrated some of it) is we've seen a bit of a shift in the use of the internet. You know, with bring your own devices and consumerization of IT, our strategy for security is changing. You know, we're moving into a new world. The old world was: you build a perimeter defense, you get a really great firewall, you throw in some nice intrusion detection and prevention and, you know, antivirus and whatnot, you're good to go, right? Most of the people in
this room probably say no, and here's the reason why: that's really what your environment looks like. You know, what I'll say with respect to that is, you know, especially with, you know, mobility and bring your own device and things of that nature, the business, uh, whether it's your customers, uh, whether it's internal customers, whether it's users, uh, they're all asking for access from everywhere. So that means that you're having more rules come in through those firewalls; you're getting less promiscuous in terms of your intrusion detection, in your IPS systems, in terms of what you're willing to detect, because a lot of them would show up as false positives, or you're having to refine
those rules to become a lot more, uh, or less fuzzy, so to speak. And that's the challenge that creates this, and that's why we say identity is the new perimeter. I did not invite that, say, create that, invent that saying, I apologize, um, but, uh, I certainly find it appropriate.

So what we're going to take a look at, um (and I'll go through only a few of these; some of them will hit closer to home than others): some old breaches, examples of how they tie into privileged access management, and, um, hopefully what we can do moving forward. This probably resonates with a lot of people in this room, because I suspect a few of you may live in South Carolina.
I'm not going to go into great detail about what took place in that breach. The only thing I'll highlight is one of the things that they identified in that breach. You know, it was an APT-type attack where they sat there and they were promiscuous on the network looking for accounts; you know, just like the Gotham guys talked about, uh, they were looking for those credentials that were easy to find. What did they find? They found something as simple as a backup account. Its sole task was to back up data on their respective systems. Most people would look at that and go, that's not really a privileged account, is it? Yeah, it is. It gave them access to 37
terabytes worth of, gigabytes, sorry, uh, 74 gigabytes worth of data that contained the data of all of the taxpayers in South Carolina. That's all that account was. So that's one of the things that you want to consider when you're looking at, well, what are my privileged accounts? Those are some of the ones that you want to take a look at. And of course I have a little snarky commentary at the end that, you know, in exchange for the, you know, one of the things that I thought was interesting, um, the GDS talked about with respect to the data breach investigation report, you know, they estimated the cost of the breach at $188 per person, and that's a
general metric that's being used, but what's the cost to an individual who has their identity stolen? It's probably a little higher than $188. That might buy you some, you know, some identity theft service, but, um, you know, to be fair to the state of South Carolina, they're going to review whether they're going to renew that service at the end of the year. Um, but, you know, hopefully they'll decide to, uh, take care of their taxpayers.

Saudi Aramco is another interesting example, in the sense that this is a different type of an attack. Uh, this was an insider attack, and the challenge Saudi Aramco had, that a lot of enterprises out there have, is when
they build workstations, they build them all with the same admin password. Somebody inside that company happened to know what that password was. Guess what? They threw a Trojan on there and were able to wipe out the disk drives of 30,000 PCs. It's pretty disruptive. Um, you know, it wasn't as destructive as it was originally believed; they were able to recover a lot of the data because it was on servers as well, but it was highly disruptive to the workforce. Um, and so that brings in the idea of, you know, as I mentioned earlier in the talk, you know, look at your local admin passwords. Um, you know, and especially with Linux practitioners,
one of the things you want to avoid is using your base account. If you're sending email with that account, you shouldn't be elevating the permissions of that account to do things; you should be using other credentials to do that. And that's one of the things that would frustrate a pentester, because if I capture my email account, guess what he's going to be able to do? Send email. I don't have any privileged access at my company that's native to my network account; they're all tied to privileged accounts that we have a system that we use to manage that. Another good example of that, for example, is if you manage an Active Directory, uh, for your company, um, if
you're using your base network credentials that has permissions as, uh, domain admin, you really need to consider segregating those accounts, because if somebody gets access to that account, which could be had through a basic phishing attack (and phishing attacks are just getting a little creepily good), um, you know, you can compromise your entire network by doing that. And I promise I'm not going to spend the entire talk trying to scare you.

Um, eBay, obviously; you know, we're moving into the more recent weeks. Um, eBay obviously had a breach, and that was an example of what I just talked about, where they did a spear phishing attack, very targeted. They did not just send it out to everybody, because what happens
when you send it out to everybody? Oh, this is a phishing attack. They sent it out to very specific IT users, which you would hope would be more savvy, but they can get caught just like anybody else. Um, and they were able to capture some credentials, credentials that had privileged access, and that's how they were able to compromise those accounts. And who knows, that may have been how they got my credit card number. So that's just another example. Now the other thing, and this is a critique I have of eBay: eBay actually technically has two-factor authentication available, but it's tied to the PayPal service. Not surprising; they want you to do all your
transactions so they keep your money as long as possible. But, um, they do have it, but they don't make it publicly available in a fashion that would have, if these credentials were compromised, uh, would have allowed you to, uh, keep moving forward. But that's kind of a separate talk about two-factor authentication.

And then finally, um, I just thought this one was amusing, um, and you guys may have heard about this: these Canadian teenagers that found an old ATM manual online, which of course the manual says this is the default password, and shock of shocks, a bank actually still had the default password on some of their ATMs. And, you know, that just, again, you
know, this, I guarantee you, if that was my bank (and I don't think it was, um, because I don't think Bank of America is in, uh, Canada), but, uh, if that was my bank I'd be pulling my money out of there pretty quick. So that's just a bad operational practice, and that's one of the challenges that I'll talk about with respect to the practice of privileged access management: this has to become part of your DNA. This is not, because this is one of the struggles I run into at my company. We're rolling this project out and they think it's, oh well, I'll just get all my accounts on there and I'm done. That isn't how it
works every time, because, you know, okay, well, you're right, when are you rolling out another server? Oh, I've got 10 on order for tomorrow. Okay, all of those servers need to be secured and managed. So it's got to become part of your operational practice, and I'll talk a little bit more about that in a second.

But what does all of this tell us? First of all, as you guys will probably agree, the threat landscape is changing daily. Uh, one of the things, uh, you know, that has been noted is that the compromise of privileged credentials (and obviously GDS commented on this as well), uh, is a key stage in nearly all attacks. Uh, and that came from the CyberSheath
report. They phrase it a little bit differently, but they walk through the life cycle of an APT, and elevation of privilege is like the fifth stage in that, and that's ultimately what you're trying to do with respect to privileged access management. And that's why I call it access management as opposed to identity management, because you can gain access through a variety of methods. Um, you know, as I mentioned, this is a critical attack vector. They've already mentioned the Verizon DBIR; I definitely recommend taking a look at it. They actually improved it considerably this year; it was a little harder to read in previous years, and, uh, I think they got some creative consultants to
really kind of jazz up, and it's a lot more readable now. One of the things I did find interesting (and admittedly this is from two years ago), but, um, a company called CyberArk, who's one vendor, um, in the PAM space, uh, did a survey, and they found that 43% of respondents either didn't have a PAM practice or they weren't sure if they did, which I thought that was interesting. If you don't know if you have a PAM practice, um (and these were like directors of IT that were responding), uh, I'd reevaluate you at their job role.

Um, so let's talk about the practice of privileged access management. And like I said a little bit earlier, you
can run the spectrum of how you're doing this. At a smaller company, the idea of going out and buying an expensive product to vault all your passwords may not be practical, and that's one of the reasons why I call it the practice of PAM, because you can do other things to introduce controls that aren't real expensive. Typically they're just manpower, which, that may be an issue by itself, but, you know, that's something you have to manage. But ultimately PAM as a practice is designed to answer basic questions: who has this elevated access to a system? When was it used? Where was it used from? This is especially useful for companies that offshore or outsource some of their
IT services, which is a very common practice. You may want to limit the use of that account only to that organization, and so as part of your controls around that account you may ensure, uh, that those users are the only people that have access to that credential. And then finally, what was actually done? And that's what we call session logging, and I'll talk a little bit more about that when we get to the use cases.

The other thing I want to emphasize, and I mentioned this a little bit earlier: the technology of the tooling is only one part of the equation. You know, as Justin mentioned in the pen testing talk, you know, one of the things
that they're constantly doing is looking through those Nmap logs and adding the human intelligence to how they're using those services within that particular network, and that's exactly what a hacker is going to do. So within your enterprise, how you use those accounts is going to vary, and as a result the controls that you introduce are going to vary as well. And also take into consideration the fact that people are also part of that process. In fact, I saw an article last night that talked about the human factor is the one that usually causes most
breaches.

PAM is most assuredly a collaborative effort, and some of that may seem obvious, because obviously security has to work with the rest of IT in the business to do that. Um, so while it is self-evident, how you interact with them is important. You know, one of the, you know, first, you know, the goal should be to clean up all of your privileged accounts, but again, trying to boil the ocean can be a bit of a challenge. The other challenge is, I got an email last week that, I appreciated his enthusiasm, but he basically asked me, um, if I could tell him all of the privileged accounts that were in his division of the company.
Division had probably about 15,000 users and probably about 800 systems, and he was asking me if I could tell him what all of his privileged accounts were. Um, and, you know, uh, I wound up setting up a meeting with him to deliver the bad news, and that answer was no. The good news was there were other people in his division that were collecting that information. But one of the key things that comes out of this is: this is not an IT service where, like a pen tester type service, where I'm going to be doing perimeter security and seeing if you guys are doing what you're doing. What I'm enabling as a security professional are
controls that I need you to use. Um, and I'm also going to work with you in a collaborative fashion, because I don't know how you use a lot of those accounts, uh, I don't know how you use those systems, I don't even know a lot of the applications that you are using. So I'm darn sure not going to know what the privileged accounts are in that particular area, because it could be at the application layer, it could be at the web layer, it could be at the OS layer, it could be at the hardware layer. Saw an article the other day: this motherboard manufacturer apparently stored their default passwords in clear text, and all you had to do to find out what the
password was, especially if it was the default password, uh, was scan on this particular port and pull this object. And even if they had done the smart thing and changed their password, uh, if this motherboard hadn't been patched, they could very easily have had, uh, hardware-level access to a server. And like I said, I think there was about 30,000 servers that were potentially compromised by that.

So like I said earlier, you know, one of the keys with respect to this is to make privileged access management part of your security DNA, and not just within your security organization. And that's where, you know, I talked about the evangelical piece: most of my time, uh, at
work is actually spent talking to the business and helping them understand, uh, how important privileged access management is, how to enable it within your organization. I'll sit down with them with a particular system and let's take a look at, you know, each layer within the OSI model and potentially how they could be at risk, especially for some of the more sensitive areas.

So let's take a look at some of the use cases for PAM. And these are by no means exhaustive, um, but these are the two biggest ones, um, that I would encourage people to use, especially if they have the finances to afford the tooling. The first one looks at, uh, password access, and basically what I
call this is the vaulting, uh, use case. And simply what it is, is you may have a system that you cannot, you know, access or record, you know, either via RDP or telnet or SSH; you can't record what happens with that privileged account. A good example is like a web application, where you may have an admin login to the web app and you can't record what they do. Um, ideally, and I think some of the vendors are moving into this space, they are increasing the capabilities to do that, but let's assume that situation exists. And so this administrator of this particular application logs into their privileged access service (and this is designed to be generic; there's no
product specific to this), but they're going to log into that privileged access server. Um, they're going to discover, okay, uh, I have 15 accounts that I have access to. He's going to check out that account, and it's going to copy that password into his keyboard buffer. He can then go to his web system, uh, copy that password in, uh, do what he needs to do from an administrative function, and then when he closes out that application he goes back into the PAM system and checks that password back in. What should happen in that scenario is the PAM system will then go out and change that password, so while he did have the password in his
keyboard buffer for a period of time, that password is no longer valid. Now, you have to be careful with that, obviously, with like system-type accounts, because you might wind up breaking something, but if it's specific to an admin user account, this is an effective way of achieving some of those controls. What I'm not crazy about with this one is you can't really record what happens. You can look in the background with respect to the logs, but it requires a little bit more effort.

The more elegant solution is the one at the bottom, related to session access or session recording. What happens there, like it says, you're going to log into the PAM system again. Let's say he's going to, um,
you know, administer an SAP account on the Linux back end of a box. Um, he's going to log into PAM, he's going to select that system, he's going to check out that system, which is going to initialize an SSH session, and, uh, that session, as soon as it's initialized, begins recording, so you can have every single keystroke that's taking place within that system. The system will then record that session; uh, it will basically archive it once it completes, and ideally you keep it for as long as you need to, to sustain regulatory requirements. But the great thing about that system is it's fully auditable. You can know exactly what's taking place, especially if you're offshoring some of those capabilities;
you can know exactly what they're doing. And this isn't necessarily from a security perspective; you also might find some bad operational practices about why, how they're moving data and things of that nature, uh, that might, uh, assist you in improving operationally.

Some of the other PAM use cases that can exist: uh, one very common one is script management. Uh, in larger enterprises, or shoot, even smaller ones, um, what happens frequently is you may have a script that's designed to execute a function, and within that script, unfortunately, is stored credentials that probably have not been changed from the time that they were created. Um, some of the PAM tools out there (and I won't name, because this
isn't a vendor recommendation), some of the tools out there can actually manage those credentials for you, uh, and how they're executed, and, uh, give you a lot more control over that area. The other thing that you would typically do in that script function, uh, area is down who has access to those scripts. So again, that's another, you know, if you tilt the, uh, PAM axis on its head, you know, that's another control that you can put in place that isn't necessarily related to tooling.

I've already mentioned local workstation, uh, admin management. You know, one of the things that a lot of larger enterprises are trying to do, you know, especially with Windows 7 and Windows 8,
is you can yank, uh, local admin access from the users. Um, and one of the things that you can do (in some cases this might be a little expensive for smaller organizations) is you can put their local admin account on the PAM tool, and yeah, if they need to install software, that's great: you go to this service, you check out the account, you go in, you do what you need to do, and then you come back and check it in, and it changes the password for you. That's another way of securing it. Saudi Aramco would love that service right now.

Another, you know, this is one that you could almost do a talk by itself, but
with the move to the cloud, um, and this is a challenge for some of the vendors in this space, is how do you manage privileged accounts out in the cloud if you don't necessarily have direct access for them from your network? Um, there are some vendors that are specializing in this space, um, so they might be worthy of consideration. You know, another, uh, use case is virtualization platforms. So it's not just all of the virtual PCs or virtual servers that you have on a host; you also have the root, uh, admin account on the ESX devices, or whatever virtualization platform you're using. And as I mentioned at the bottom, look at all the hardware platforms. You can look at
the routers. Um, you know, if you're a manufacturing company, you've got tons of SCADA devices that are probably out there; a lot of them are still running with their default passwords as well. Uh, hopefully they're air-gapped to prevent problems, but, uh, some of them may not be. And so, you know, like I said, this list is not meant to be exhaustive, and one of the things that I would encourage you to look at, if you are working with anybody on this initiative, is, you know, get creative in terms of where you think those accounts and, uh, controls could be.

So with respect to the adoption approach, it's broken out into two components. Uh, one is the pre-engagement
phase, and this is what we encourage (I say we within my operational duties). Um, what we try and do is we try and deliver a lot of information, well crafted, for the business owner or the application owner, so that they can begin to gather that information on their own. So before they even start to talk to us, we may orient them with, this is what a privileged account kind of looks like, but it's a little bit of a jabberwock, because depending upon the, uh, application it may look different. Um, so we help them understand how you might look for that, do an inventory of those things, um, then do a prioritization, because some of the systems that you
look at, depending upon the data that's being stored, it may not be critical to you right now to secure that particular system, but if this contains the financial data of your company, that's probably going to be one of the first ones in line. You know, if there is documentation of current access processes, you certainly want to get that. What we have found is, a lot of companies, the documentation, what documentation? Um, so you certainly want to encourage them to do that when possible. Uh, take that list of candidate systems, you know, begin to prioritize them, and then hopefully, you know, if they already have existing processes, you know, look at revising them, because this is
the opportunity. We're now delivering the potential of tooling; in the instance where it's going to be used, how can we optimize some of those processes? So that's getting, again, back to the idea that this isn't just about, hey, we pushed a tool out, you can use it now, now we're secure. There's an opportunity to adjust those processes that hopefully realizes some efficiencies, because one of the challenges that you're going to get into with adoption is, if you just drop the tool in and say use this, it's going to make their life harder. How many IT people want to make their life harder? I have yet to meet one.

The second phase is the engagement or onboarding, uh,
stage. That's where the, uh, security organization will sit down with the customer, take a look at the inventory and the target systems, set up a schedule for deployment, uh, you know, because there's a good chance they manage a lot of, uh, independent systems, and then they'll start in a test environment. You certainly don't want to throw this into production, because you will run the risk of breaking systems if you don't do it properly. Uh, so, you know, definitely when you're acquiring a PAM, uh, tool set, uh, I would encourage you to definitely create a test environment. Uh, and actually what I encourage you to do is: don't put all of the dev, test and production systems
in your production environment; put your test and dev in your test environment. That way, if you're breaking something in test, people don't tend to get in as much of a panic. And then finally, once, um, you've done all that testing, there's a good chance you may update some of your processes based on your experience with the tooling, because this is going to be the time that the customer is going to get a chance to use those tools, and, uh, they may make some suggestions, and you may fire some suggestions back on how do you add additional controls, uh, instead of maybe using a particular tool, um, or other potential updates to the processes. And then finally you're
going to deploy into production. That's when you're going to want to go into some type of hypercare mode to make sure everything's running as you expect.

So what are the keys to success on this? First one I mentioned, and it should be somewhat obvious, because one of the first questions I get asked when we talk about privileged account management for an organization is, well, where's my, you know, break the glass in case of emergency? Because if your system's down, I can't get into my system. It's the first question that usually gets asked. Well, the answer to that is fault tolerance. If my system is always available (and when I say always available, I'm not talking five nines). I, you
know, if a system's down for 10 seconds they're going to survive, um, because it's just access to that system that may slow them down. But you must have a highly resilient, uh, deployment.

Um, the second piece, and I cannot stress this enough: you must have senior leadership support within your company. And I know that says for a lot of different security initiatives, but this one in particular is extremely salient, because if you call up the manager of your Linux administration team and you say, hey Ted, um, I've got this project I'm rolling out, and we're going to be enrolling all of the Linux systems into this, and in the interim it's probably going to make your
life a little harder and it's going to slow you guys down a little bit, he's going to say: that's great, Lance, um, I'm really busy with projects right now, so I'll probably get back to you sometime in 2000-and-never. Um, and the second component of this, and this is true of a lot of different areas, but particularly with respect to identity and access management: if you can tie it to policy, it gives you that cudgel when you walk into the meeting if you need to use it. Obviously you want to use the carrot first before you bring the stick. Um, if you can tie it to policy and have the senior leadership management, it
will make your adoption rate, uh, go up, uh, considerably, because ultimately senior leadership is saying, guess what, this isn't optional.

And then, um, you know, I've mentioned this before: focus on the process first. Have the tooling in mind as a component within the process, but, uh, you know, focus on the process first. Uh, be creative. Um, your organization is different from other organizations. Obviously you have a lot of the same pain points, but how you use data, how you use accounts, is going to vary within the organization, so be creative in terms of how you create those controls. Uh, when you are selecting a vendor, um, as I mentioned, consider the cloud implications. Challenge them on how
they're tackling Cloud infrastructure um to ensure that your you know the service that you're acquiring can take that into account because if it can't and you're leveraging heavily on the cloud you might be falling short of the the value realized in the product you select I also recommend highly eating your own dog food first that's true of most it initiatives but start with your own key privileged accounts within your team um that's one of the things we did and we found a lot of things we didn't like about the tool we bought uh so we wind up having to go back to the vendor and go you know how do we account for this and it required that we start
getting creative with some of our controls and that was knowledge that we could pass on to the business when we engage them and then finally and I mentioned this a little bit earlier don't think you're too small for this um you may be at a company of 50 employees and have you know a minimum of IT infrastructure that doesn't mean there aren't aspects of privileged access management you can't be doing today to help protect your company because I guarantee you their cost for a hit is going to be a lot bigger than the cost that eBay sustains in terms of its impact eBay may be saying okay you know we're going to take
a hit for $300 million well when they're a 12 billion company that's a drop in the bucket but for a smaller company that maybe is only 4 million in business you know that's a much bigger impact that they could be taking on I kind of blew through those slides a little bit but um I definitely wanted to leave a lot of time for questions
so yes
sir is having local accounts local accounts in all system
technicians that are out in the field that need to do this and that tools that are out there just doing that go out manage all that there are tools I mean that that that's part of the vaulting capability that you'll find pretty much across the spectrum with any of the the PAM products that are out there uh and can automatically connect as long as they have connectivity to that device if it's local that's where again you have to get creative and like one of the things that I encourage is if they're deploying servers say for example from a template obviously it has the same admin account every time you deploy that template the first thing in
your operational manual should be all right I updated this uh local admin password to you know this 64-character password and you can make it that long because if you go to the PAM tool it's just going to copy and paste it and you don't have to worry about it and that way it's a lot stronger password um but that's one way that you could achieve that uh if connectivity isn't available if it is I would encourage you know a vaulting solution in that scenario um and then one of the things that can happen is even without that worker's knowledge they can change that password periodically and the user none the wiser that make sense I I think the other thing I want
I'm sorry you had a
question
absolutely and the other piece that uh most of the the PAM tools out there will have is workflow surrounding that so especially for more sensitive privileged accounts you can put workflow behind it so if you do want to reset that password even even if the notification because they're not going to send the password to your email um the good news in that scenario is is it would send you a link to go back to the PAM tool and say like say for example I had to go to my boss to get approval to reset the password on this server once my boss approved it I would then click on the link that would take me into the PAM tool I can now
check out that account again so what we're trying to get out of is the business of passwords really altogether we know that's not realistic so if we can control who knows what that password is at any given point in time and you know going back through the use cases that's where the session management is so valuable because they're initiating that session they have no awareness whatsoever of what that password is now I'm going to put a caveat on this because we are at a hacker conference there are ways to figure out what that password is you know because if you're in an RDP session where the server is pasting it there's a good chance your client may see what's
going on if you're paying attention to the traffic um so that's why adding that additional password control especially for highly sensitive accounts once the admin session is done go ahead and change the password you know um that way you know when your auditing team comes calling and they will um you know you can say we have this control and we have this control and they're going to walk away satisfied yes sir so you had mentioned early on just briefly about two-factor auth you consider two-factor auth to be part of your initiative or is that separate I think it's intrinsic to it uh especially given the the distributed nature of the organization um I if
you're you know outsourcing to you know a company in Ireland who's going to do a lot of your remote administration for you uh having another factor to get into the PAM system is is extremely valuable and again most of the tools out there will do that I wouldn't buy a tool that didn't support it uh and you can do that for through a number of functions you could use PKI so that only managed devices are coming across um or you could use tokens things of that nature but uh I I would recommend it especially for the more sensitive accounts yes
sir absolutely I mean any F I mean here's the challenge you want to get into and and security is always about you know convenience versus security right um it depends on what you're doing and the data that you're protecting you know if you talk to DOD their use of smart cards it's been extremely successful for them uh if you talk to a small 50-person company whether they want to do biometrics they're probably going to say yeah we're not there yet but they might you know maybe invest in some RSA tokens you know something along those lines um you know I think it particularly depends on who you're collaborating with but you know to me if
passwords are the only way that you're getting access to a system in most use cases you need to look at another factor of authentication to go with it it's just you can avoid so many headaches it's not foolproof I have no delusions in in that sense but uh it improves your chances of surviving a breach exponentially yes
sir um well I'm gonna briefly do a plug for uh my friend in the back of the room uh from Wicked Systems uh they uh they certainly help you out in that regard there's a there's a lot of vendors in that space they have a pretty novel approach to it that uh I particularly appreciate unfortunately my company didn't get there fast enough but uh uh but uh you know there there there's a lot of good players out there and uh great opportunity to plug one of our key sponsors of bid so I didn't want to miss that chance and Nick will pay you your $10 later yeah you get a free token anybody else I I think the one last comment I want to
make was specific to the GDS presentation you know they were talking about you know when they're doing pen tests and they're looking at uh servers that have JBoss instances or you find a uh a WordPress admin module on one of your servers which I wish I didn't believe that but um I've been in this business too long um that's the critical piece you know there's one piece that has to be remediation obviously their job is to find the vulnerabilities but that gets back to you know the ATM vendor who's still using the default password from 25 years ago um that's where that piece and I talked about that collaborative uh aspect of it if you're
in a large enough company that uses a methodology for systems deployment whether it's SDLC ITIL DevOps whatever it is get that aspect into their operational profile so that they're not only um managing it and enrolling it within the system but it's starting at the very beginning of that system development life cycle because the more that you can achieve at the front end of that and get in at the beginning of the project it's going to make their lives so much easier down the road so some of that operational overhead that you get by remediating with privileged access management actually diminishes over time because it's already built into the process for deploying that system any other
questions well thank you guys very much for your time I appreciate it