
Threat Detection Across All Environments with Snowflake Data Security Lake

BSides Huntsville, 41:39, 26 views, published 2021-02
Category: Technical
Team: Blue
Style: Demo
About this talk
Andy Bryan and Shannon Taylor demonstrate how to build a unified security data lake using Snowflake and Hunters' open XDR platform to detect threats across hybrid cloud and on-premises environments. The talk covers log ingestion, cross-correlation of alerts from multiple security tools, and automated threat hunting at scale, with a live demo of detecting sophisticated attacks that individual security solutions miss.
Original YouTube description:
Threat Detection across all environments with Snowflake Data Security Lake. Bio: Andy Bryan is the Head of Field Security Engineering at Hunters.ai. Andy is a technologist who has spent most of his 24-year career in early-stage companies, moving them toward publicly traded companies. Prior to Hunters.ai, Andy spent several years in the network detection space with Vectra.ai, ExtraHop and FireEye/Mandiant, along with other companies like Aruba Networks and Fortinet. Andy currently holds his CISSP, has taken numerous security certifications from ISC2, SANS and Offensive Security, and attended both Colorado Tech and Northeastern for Computer Science. Early in his career Andy was indoctrinated into the security mindset, having served in the US Army and attended several different schools over his military career, along with spending several years abroad.
Transcript (en)

So, yeah, we're here today. We're going to talk about a use case that we think is really coming front and center in the threat landscape, and that's utilizing a security data lake, building the security data lake and also riding an open XDR on top of that. So today I'm joined by Shannon, and again, I don't have an opening slide for Shannon, but I have one, I always have one for me, and I like to keep this casual, so if anybody wants to cut me off and ask questions, that's fine, or, you know, chat them and we'll make sure we get them answered.

But I've been around for a little bit. I started out really a long time ago at a company called Lancope, which was in Atlanta, and I lived in Atlanta for 19 years. At Lancope our product was StealthWatch; it was a network analysis security base, so if anyone remembers that. And then we were acquired by Cisco, and I spent six years at Cisco, and here more recently I've moved over to a company called Hunters, so our product is an open XDR. But I did move to Florida about a year ago, and I do a lot of wildlife photography, and I have a few saltwater aquariums in my house, and that's really my two

hobbies. And anytime you guys want to get a hold of me, here's my contact, and like I said, I work at a small startup company now called Hunters, and it's so small that my email address is bryan@hunters.ai, so pretty simple to remember. And I'll pause right there if you want to introduce yourself, Shannon, and I know you're on.

Yeah, sure, thanks, Bryan. My name is Shannon Taylor. I'm the sales director for Mississippi and Alabama, and I'm based in Huntsville. My background is heavily in data management, spending six years at Informatica, then a couple of years over at AppDynamics before the Cisco acquisition, in application performance management, and then about two years in the infrastructure world with Rubrik for backup and recovery, and I've been at Snowflake now for a bit, working on data and analytics from many different vantage points. So I'm very excited to talk about how Snowflake enables these use cases really under the covers, but more importantly the things you could do with Hunters when you have access to infinite, scalable and dynamically scalable on-the-fly storage and compute: what's possible from an ingestion perspective, from a query perspective, and then also from a long-term perspective, being able to keep a holistic security data lake and even correlate that to other types of data,

business data, HR data, whether it's operational or security driven, just being able to manage that from that perspective and really trying to bring world-class analytics to the security space. Security for so long has been very siloed, very individual syntaxes with different log systems, but we're really trying to bring the depth and breadth that we have from an analytics perspective, whether it's semi-structured data, structured data or even unstructured data, to threat detection and to vulnerability management and other use cases. So Bryan, please take it away, because Hunters is the cool stuff.

All right, all right, well, thank you, thanks. So I just have a little agenda here, and I have some slides I want to go

through just to kind of set up and give you a background of everything. I try not to make it too boring, and then I'll jump into the demo and show you what it looks like and what Hunters XDR looks like. Last one: to go over a couple of things, and I'm not really telling you guys anything, but just to kind of bring it up to the front, to kind of prepare you, wrap your head around what an XDR can do. Some of the challenges that everyone is experiencing are siloed data, having multiple and different solutions in your security

stack, and having to go look at each security stack separately, correlating those in a very manual process that can be very noisy, very time consuming, and just slows the whole response almost to where it's not as functional. And also, because you're doing things very manually, it's very un-uniform in the decision, so you might have a threat hunter working today that has more experience than the person tomorrow, and things are done differently, and it's very hard to uphold standards if things aren't done the same way every time. And that's what an XDR can really provide to you. So there are a lot of key things here, like we're

going to ingest all the logs, all the assets, and have a single source of truth, and that's where any XDR is going to build out some sort of data lake. And in ours, we're building it out for you into Snowflake, a security data lake that's your data, and we're going to analyze that and, like Shannon said, scale and burst and be very efficient; the performance is really unrivaled. And then also just the expense, and having that partnership wrapped around all that data is really valuable. So what is an open XDR? I went and just got this; this is just really a standard,

generic definition, and an XDR is really cross-layer detection and response, that's what it means. But what is it really, what's the value of that to you? And the value is that we're collecting data sets from all different siloed sources, putting them together, looking at them as a whole, and cross-correlating the different events that are happening to come up with a faster detection, automatically doing threat detection and threat hunting to bubble up, really, the grunt work of threat hunters and incident response teams, constantly doing that hunting and looking into all that data and letting you know what's important. So the significance, and I like to show this, is really

the significance of having an open XDR is that correlation of threat hunting, and it's where we're able to say, and I'll go into a little bit more depth in the demo, but we're getting information from, say, an EDR, and then inside the cloud environment, and we're correlating that whole malicious campaign, that malicious activity, together. And maybe each individual event doesn't mean as much, but put together as a whole story, as a whole campaign, it's much more meaningful and maybe a lot more malicious than you once thought. And being able to put all that information into a security data lake like Snowflake and being able to analyze

that very quickly, we're able to cross-correlate all the different entities and elements in any campaign, and that's really the power behind Hunters and an open XDR, and I'll go more in depth on this. And also having that flexible ingestion: so even though we're analyzing the data, we're putting it in and we're running our algorithms across it in our detectors and correlating, you still have access to all of that data, so you can still run queries into that data. So, I like to say this, an open XDR has something for a tier one, tier two, tier three person. And it is your data, because it is going

to that security data lake that we're writing on top of. So Hunters, what is the Hunters open XDR? And I'll stop here and just say that Hunters, we are relatively new, we've been around for a few years. Our headquarters is in Israel, and our founders came out of Unit 8200, which is really the NSA equivalent, and they were cyber threat adversaries and they were commanders that managed their own set of servers. So that's really how we're built: we're built on top of that nation-state threat hunting, and we went back 10 years and

built all the different techniques, tactics and procedures in, and then we're constantly adding and massaging those. So our platform is: we're taking your organizational context, so those raw data feeds, so it could be your endpoint data feeds, your DNS, your firewalls, your cloud environment, and we're running our algorithms on top of that, almost like a second layer of analytics. And then we're also looking at all of your existing alerts, so what did your EDR fire off on, and we're taking that into account and analyzing that. And then we also have our own threat intelligence feeds; we have several of them coming in,

like AlienVault and Tor nodes, and you can also, if you have your own subscriptions or you've built out your own IOC databases, put those into the product and we'll utilize those, and I'll show you that. But really how we're functioning is, on the bottom of this slide is where we're taking in all of that information, so it's kind of like that sensory layer, those logs, that data ingestion of your cloud, your firewall, your EDRs. And we have a very flexible ingestion, so this is where we're able to take all different kinds of data sets in, and we run that across a

unified schema, and that's really what makes an open XDR very different from other siloed XDRs, because we don't look at the data siloed. After we run it across the unified schema, we look at it as a whole set, and then we run it across our detection layers, and then we're graphically correlating those. And this is all done automatically: 24/7, we're constantly threat hunting and running down every lead. Typically you'll see in a solution where they kind of have a noise governor, and they only want certain leads to bubble up to alerts, but what we do is we look at every lead, amplify that signal,

and then ask hundreds of questions and run those leads down to see if there's something there, if there's something important that we need to take to the next step, and we do that. So typically, then, this is not the whole set; being an open XDR, we pretty much take everything in, but I like to show this slide just to kind of say what we typically take in is endpoint, cloud and identity, and those are, I think, the pillars of an open XDR. If you just have two or just have one, we can't add value, but of course, like any other analytics engine, the more you put in,

the better it becomes. So typically you'll see that, and then added on as firewall, human resources like ADP logs, so we know if someone has been fired and someone badged into a certain building somewhere, that they're now logging in to AWS from Europe, different things, so we can take that in. And our architecture here, this is kind of a busy slide, but it really just shows you that we bring all that data in, those logs and those alerts and that data set, and we're not only running it across our automated systems and detectors, but we're also ingesting that and creating that Snowflake data lake, which is

very important. And then that Snowflake data lake can run in Google or AWS or Azure, and you can interact with that separately, and it is your data. I think that's another important aspect to an open XDR: it's not siloed, it's not part of a product, we're writing on top of it and that is your data. And this: why Snowflake, why do we choose Snowflake, why is that a good partnership? And it really is because of the performance and being able to handle and scale, so for small deployments that then keep growing, or national environments or even global

environments, we can scale to. And I'll just put this in here: there are a lot of people who build out SIEMs, and that security data lake is a lot of times similar to a SIEM, and we can see that there's a cost associated with the SIEM that we can help augment. Some of our customers don't have a SIEM, and it's something we can build out for them and maintain, or they do have a SIEM and we can augment that by putting this security information

into a separate data lake, and therefore having separate resources dedicated to it, and cost. All right, so that's it. I don't know, on the format here, I don't know if there have been any questions asked, but if you want me to stop before I do a demo, if anyone has any questions you want to ask, or Shannon, if you want to add anything, I think that's a good spot.

Yeah, I'm just going to mention, I think that's really important about being able to keep your data, right? This isn't piped into a product where they have access to it. I mean, you have access to all the raw data, so

be it JSON, Avro, Parquet, ORC, XML, MQT, whatever format the data may be in, semi-structured, structured or even unstructured, you can ingest it into Hunters and it's going to live long term in Snowflake, and at a really reasonable cost when you look at what the cost would be from a lot of licensing of other products that are in the hundreds of thousands of dollars a terabyte. Snowflake is 23 dollars a terabyte per month, compressed at 5x. So when you look at the data and analytics world, why we've grown as much as we've grown: dramatic savings in terms of long-term storage; most of the time storage is less than five percent of your actual bill,

and then the only other thing you look at from a Snowflake perspective is the compute, and since we separate the storage and compute, there's no need for capacity planning and there's never any concurrency, so you're never going to have one individual job or query that bogs down your entire environment, because everybody has the compute that they need. So whether it's an operational team that's looking at this data or it's a threat hunting team looking at this data, no one's going to slow anybody else down or stop any work, because everyone has access to as much compute as they possibly need, and all teams have access to the data. And often, even outside security use cases, 30 to 40

percent of the data that you're looking at, whether it's an analytical use case, a business use case, an HR use case, it's the same data, so it really helps you unify that data in one spot and then use it for as many uses as you need. Go ahead, Bryan.

All right, all right.

Oh, it's okay, I mean, it sounds like the format here is open interruption. Yeah, that's great. I just wanted to encourage all our listeners, people who are watching the upcoming demo, etc. I mean, this is just an opportunity to sort of inject questions, or, I'm assuming comments are welcome,

anecdotes, pain points, similar experiences. I mean, share with the group. I'd like to picture this virtual engagement more like a giant round table, if you guys are cool with that; I think that's how you picture it too, like a giant round table more than a stage and a projector. So yeah, it's a little different than some of the other talks you've heard today, so I just sort of want to throw that out there, and maybe as you watch the demo it'll spark something, and if I heard them correctly, they're open to the interruption, so go for that. Otherwise, yeah, thank you, please show us a

demo. Love demos.

Yeah, all right, well, I'll start the demo, and again, if anyone wants to interrupt, I can only take my voice so long at a time, so please interrupt and ask questions if you want. So this is the UI, and so we kind of come in here, and we can see in this case we've taken in 28 terabytes of raw data, and those ingestions are coming in from all types of sources, so we have AWS, CrowdStrike, Windows event logs, Zscaler, Okta, even ADP and Zoom. And so we're taking that information in, and I'll show you in a little bit how simple and easy that is to do.

But we take it in, we start analyzing it, and we have detectors, and so in this case we've taken the 28 terabytes of data and we've bubbled up 900 leads. Now these aren't alerts; these aren't even things that maybe you don't even want to look at, right, because these are just simply leads that we're going to now start running down and doing that threat hunting across. And then we're going to take those and say, hey, we've determined through our algorithms, through what's going on, that these are hot leads, and those hot leads are where we really start scoring things. So on the detector side, this is where Hunters has built all these

different hundreds of detectors that are looking and sifting across, and we've broken it up into the different environments, so you have your cloud, your enterprise. So if I click on here, we have taken those and referenced them across our detectors, across the MITRE ATT&CK matrix, and we can see by default that the data that you're sending, that we're ingesting, we already have those turned on, and this is what we're able to plug the holes in, or give you visibility into, based on the data that we're receiving. So in this case, like here, account manipulation, we have three different detectors that

are looking for that; here's what the description is. You can actually go in and drill down, get a little bit different view, show you what the algorithms are that are looking at this information, what's going to trigger it, and we even go so far as to give you the ability to fine-tune and add any rules. Typically I don't see customers or people using this do that; they just kind of set it and forget it, but if you have a specific use case that you wanted to really zero in on, you can do that. But like in this case, say here we've got

CloudTrail and VPC logs coming in from AWS, and say, hey, we do have a WAF in AWS, so if we turn those logs on, we can show you, well, now we just added three more detectors for public-facing applications. And then we have this again broken up into the different environments, so here's the enterprise, which is going to show a lot more, and again, if you go down and say, let me, if I turned on, say, a PAN firewall, that's going to end up turning on 19 more detectors. So by default we show you what's covered, but we also give you the ability,

if you added more data, to see what else we would add to the mix. And then if I go down here into the leads, this is where we start scoring things, from zero to 100, and in this case we've taken all those terabytes, bubbled up those 900 leads, and then presented these hot leads and said, hey, here are things that we're going to start analyzing and looking at. So in this case, here's like a security utility tool on a suspicious download, or there's an IOC that's been found, or there's a BITS job that's going on, and we're looking at those and we're alerting on that. And it's

a fluid system, so what I mean by that is, say that event is situationally aware, and so say you're in IT and you start up Nmap 10 times a week; well, we're going to look at that, we're going to score that, but it's going to be a lower score than, say, you work in the accounting department and you've never turned on Nmap, and this is the first time we've seen it; we're going to score that higher. But then we take it one step further, and this is really where we start adding this real value, and that's those hot stories, and this is the page I see people

analyzing, and that's where we're cross-correlating between the different solutions. And if you go over here into the stories page, we can see, and I have one I like to demo here that I'll go into. In this case right here, this was a phishing attempt by a user, his name's Larry Miller, and if I go in, we can see that there are really just four different events that would have occurred in this campaign. And it started out with a CrowdStrike agent telling us that, hey, this person went to a low reputation URL, but really, this is from the raw event log, so this isn't anything that they've

alerted on, and also the score was only an 18. And then a few minutes later, someone actually logged in to Azure, and it was a risky sign-on, as they bypassed the multi-factor authentication, and again, that we only scored a 56. And if I scroll down here, you'll see some are 25s and some are 50s, but as we cross-correlated and put the story together, we also score the whole story as a whole, and it's much more meaningful. So we were able to take this CrowdStrike agent, this EDR, and associate it with the email address that was used to log into Azure, and now we know that this is all one

campaign; this is all coming from one computer or one person. And so if I go in, I can look at this in a few different ways. I can go in and, if some stories get really long, say I just want to look at all the low reputation domains people went to, or the risky sign-ons, right? And then if I scroll in here, I can actually start drilling down and look at each one of the events that occurred, and pop those open, and I can show you all the different entities and elements in each one of these, and then you can start drilling in,

you can pivot over and start doing a manual investigation if you want, and you can notate this or just copy something to the clipboard. But if I click on this on the side here, this table comes out, and these are all the questions that we are automatically asking, and you can see how we're gaining all the different elements and the entities and recognizing what the situation is for each one of these events. So if I hit expand, you can see all of it: this is where we found out, hey, the username is Larry Miller, and this is his IP address that he's calling in from, here's his internal

IP address, here's his email account, and we even show you the logic. So these are the logics that we're asking, in an automated fashion, on all these different leads. And then as we put this together, we actually show you, so I'm going to pull out, and it's a very important aspect of this cross-correlation, so we'll show you the map, and let me hide this. So in this case right here, you can see the different correlations and how we put this together. So if I come over here, you can see that here's the CrowdStrike low reputation URL and how we started crossing this, but I like to look,

I'll do a little cleaned-up map look, and most of the customers I see don't necessarily use these maps, but I think it's good to go see what it is; they typically stay in that story view. But right here, CrowdStrike went to this agent, this agent ID went to a low reputation URL, and that agent ID is associated with this username, Larry Miller, and then a few minutes later there was that risky sign-on to Azure with this email address that's also associated with that username. So now you can see the crossing of the correlation and how we're putting this together, from on-prem to cloud. And then a little bit

later he made a snapshot of volumes and then put some code in to exploit that and drive that and take that out of the Azure environment. So that's something, this is very simple what we do, and very powerful to be able to do that. And then from here, if you want, you can start creating your story, you can add to a report, so we could go here and add this to a report or create a new report. Let's see what that really looks like: if I go right here, it would bring over all the information, the elements, the entities that were pertinent with it, the risks, the

summaries, and then it brings in that story and then also the timelines and the important events that happened in each one of those timelines, where it came from, and then down here on the bottom, these were the sources that we used to create the story, to give you the visibility for this campaign. All right, but then you do have a way of just starting a manual investigation, right? So I could go in here and just type in, and if I do that, it will pull back anything that we've learned about this element, any correlations. So you could put an IP address here, you can put a shell command line here,

whatever you want. This is where you're kind of interacting with that raw data, and I kind of say this is like that layer two, because this isn't pure, just, we do expose just the Snowflake command line so you can start doing your own queries if you want, but this is kind of like that layer two, where we're pulling back all the different things, and then here are all the drill-down questions we've asked about that element. We do give you the visibility into all of your endpoints or your cloud environments, so like right here, and this one is a demo system,

there's not very many here, but if you have a thousand endpoints deployed, or ten thousand, you'll start seeing how this really... And a lot of times I'll go here, I can sort by, and you'll see some Windows 7s, and a lot of customers still do, and then I can kind of drill down into those and see the users, and I can even take it as far as saying, hey, show me all the Windows 7s that did a command line executable, and just kind of bubble all that up. We do go in and show you all the leads, and you can start drilling down,

and this is where it kind of starts getting a little more, I would say, moving up from layer one to layer two, even the layer three threat hunters. So we again break that up into the different environments, so if I go, say, AWS, or let's just get right here to the enterprise, and if I scroll down, you'll see all the different leads that we've scored, if they're scored high, if they're in a story. And if I come in, I can start, so let's say, right here, let's look for, okay, let's just do this one, some binary temporary folder, so I can drill down, there are two of them that's going off,

and it kind of breaks those up. Again, I can drill into this, I can see all the questions that were asked about this; we've already said, hey, this is bad. And then you can also, let's go into one of these BITS jobs, I can pull this out into a separate tab so I can start sifting through the larger data set and not just by each different element. So I can, if I wanted to, say, hey, sort this by device name, I'll pull this up here, so it gives me that, and I can start drilling down, start seeing the questions,

and start drilling into that data a little more granularly. And then how we get all of this data in is very simple. This is just our ingestion; if I get here to the global sources, that's all the different feeds that we're taking in, IOCs, so this all comes with the product, and then this is where, if you have your own subscriptions, you can add those to it, or your own data set. But if I go back to the organizational sources, I could click on, let's just say, AWS, so let's go and log in and start taking in AWS. So you'll just give us access to an S3 bucket that's

going in, typically through a cross-account role, and then you just choose what you want, so let's just say it's CloudTrail, and then what the format is. And then a really unique feature is we're able to go back in time, so say you had an incident and you wanted to go back, and you have those logs back for the last three months, you can just pick that date and then it will bring all that data in and run those analytics on top of that in chronological order, so you can see how it played out. So I think that's very powerful. And then as you're bringing this data in,

we're building out that Snowflake data lake for you, and we have that right here, and you'll see your name and the account number it's under, and you'll put that right in, and that's all part of the solution. So we'll maintain it for you and build it out for you on a go-forward basis. So, any questions?

All right, Bryan, they're speechless. I mean, I'm enjoying what I have a chance to hear and listen to; I'll be honest, I'm doing a little conference stuff in between. But usually what it means when you don't get any questions is it's pretty clear people understand what they're seeing, but maybe they're having trouble relating, or not sure exactly what it's going to do for them or how to take it to the next step. I mean, as we get near the end, track one will kick off the afternoon keynote at one o'clock and we'll do a little housekeeping, so you've got plenty of time, but maybe that's

sort of my question: what's next, maybe what can I do with this, maybe some anecdotes and information, some experiences you had, to sort of relate it; it would be cool for me to hear. And I'm just hit by an idea, thinking out loud, a little brainstorm: if anybody else has got some questions or thoughts, I mean, jump in, throw it in the chat, make a comment, share your thoughts, please.

So I will reiterate that one thing a lot of people have a question about when they see this is, again, like you just kind of mentioned, how's this going to benefit me and how do I get started, or why do I need this, right? And so we kind of talked about being able to automate a lot of the threat hunting and cross-correlating with the events, but one question a lot of people ask is, well, if I already have these alerts going off, then what is this adding? And that's really where, if you come in and go, let's just go down here to

CrowdStrike, you'll see that there are two different feeds coming in: there are raw events, and typically those are 10 times more than the actual detections that are going off. So we have our analytics running on both of those, and then we're cross-correlating against all the other solutions that you're bringing in, and we do point those out. So if you go to the leads, you'll have leads and then alerts, so the alerts are those alerts that are native to each individual solution, so you can see that there were 82 CrowdStrike alerts and there were 26 Microsoft alerts and things like that, but then all the other leads are coming from those raw events

that we're we're looking at and so i think now more than ever a really big use case for this is the hybrid environment of cloud and on-prem and how do i get those logs in and look at that as a whole and that's something that we do um really well and so we're able to you know look at and pull in telemetry from aws and azure you know and you're on-prem you know and your firewall and see if things are moving back and forth so i just had a i just uh we did a i'm started with a poc last week with the customer and they had um there's a a a new uh piece of malware

going out called bulldog and what it is it's really for the cloud and it tries to exploit and get inside a cloud environment and pull data out um and what we found is inside the ui after just running for one day was they actually had six on-prem max infected with it that were probing their azure and aws and actually had gotten into one s3 bucket so that's kind of how you'll see where it was such uh slow and low and it had just been put on any ioc list two days prior so it was really all it wasn't quite a zero day but it was almost there nothing was firing off on it um and

we were able to cross-correlate that and come back and see where it went what was um guard duty what was cloudtrail saying about it and then and what was our and we had actually put the story together that's how we knew it we had put one we had put our hot story together and it was actually when i went here it was only four different events but when you went over here and you could see it was actually six different internal workstations that were doing it hey brian you have a question uh question is my company and and i in general i'm hesitant to send our logs to a cloud service what can you say to convince someone

Yeah, so we did get that. I mean, the cloud is not adopted by everyone yet, and I think that's one of the hesitancies: you're sending it somewhere else. But I would say it's the manner in which the information is sent. So again, there are two ways and two repositories. One is it's already in the cloud, so when we get access to that information, we reside in the cloud and we can pull that information across, and it's always encrypted and then through

a tunnel. When it's on-prem, we can do it a few different ways, and it depends a lot on what type of data it is: through an API, or through something where you control it and you're putting it somewhere for us. Eventually it's going to get to an S3 bucket for us, however you put it there. I like it when the customers create their own tunnels and push it up to us on a scheduled basis, so they control it and they control everything. And then once it's in the cloud and once it's in Snowflake, and I'll let Shannon answer more in depth, but you know, it is

encrypted, it is keyed, those keys are maintained and changed out periodically, and there are a lot of controls around access and permissions.

Yeah. If y'all aren't familiar, and I know some folks may not be as familiar with Snowflake, especially from a traditional data analytics perspective, we've grown to be the world's largest analytics and data provider in just four years, the largest on AWS, Azure and GCP. A lot of people heard about our IPO last summer; it made a lot of noise. But security and compliance and governance is really the key to Snowflake. It was built that way: it was a purpose-built platform from the

ground up to take advantage of the scale and the separation of storage and compute in the cloud, not just bolting on other technologies, not just having to rebuild clusters and wait for those to come up, but actually scalably moving up and down at that moment. So it's a large multi-tenant environment. We're actually data-blind from the Snowflake perspective, but also from a security and compliance perspective, whether it's SOC 1, SOC 2, PCI DSS, FedRAMP Moderate, HIPAA, HITRUST, anything you can imagine. The world's largest businesses are running their key, important PII, PHI and PCI customer data through Snowflake, from the world's largest financial institutions to aerospace and defense to consumer, you name it. Security

is really something that we lean into and love to have that conversation about, and logs and security is really a place where a lot of companies start with Snowflake and then go from there, if they don't already have initiatives around the marketing side of the house or the analytics or data science side of the house, which are the other areas where we traditionally play really heavily. But yeah, I'd love to share more information there. There's a lot online around our compliance and governance, the role-based access controls, the dynamic data masking, everything that's built into Snowflake, and it's all delivered as a service, so there's nothing there for any of your teams to manage.

It's just there to be able to load data, query data and connect your tools. When I was at Cisco, I came out of the DoD and fed space, and I was there long enough to see the adoption of the cloud, and making sure that everyone's FedRAMP'd and SOC 2 certified. So I think that's a question you should always be asking any vendor that's in the cloud: who else is using your product, and how is it being secured? That's a very fair question.

That's good, yeah.

And I know your background, Brian, with Cisco. Cisco

actually was one of the first global enterprise companies to use Snowflake for this exact use case, so you can actually Google that and find it; it's there. And there are a lot of other large organizations that are using Snowflake just for security, even outside of Linux.

I am, so I'm going to drop off. I'm going to move to the other track. We're not going to start the other one for about 10 or 15 minutes; I've got some things to take care of. I'm excited that the last thing I got to hear was the security of the product. I think that's pretty important, especially when you see supply chain compromise and

other issues happening where people are having trouble because of the thing they're using. So yeah, I'm glad to hear that you guys have considered that and are actively defending. That's pretty cool. So I wanted to give an extra thanks. I love the presentation, I think you guys did a great demo. We appreciate all your support, not just of the BSides but of MAC ISSA. We appreciate you very much. Thank you.

Thanks, guys, appreciate it. Yeah, thank you. Bye.
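The speakers describe the core mechanic of the demo, taking raw endpoint events (the feed that is roughly ten times larger than the native detections) and cross-correlating them with cloud-side audit logs such as CloudTrail, so that hosts no single tool alerted on still surface as leads. The following is an added example illustrating that join, not code from Hunters, Snowflake or the talk. The event schemas, field names, the ten-minute window and every log record are constructed assumptions for illustration; a real pipeline would run the same join as a query over the ingested tables rather than in-memory Python.

```python
"""Toy cross-correlation of on-prem endpoint telemetry with cloud audit logs.

Added example, not code from Hunters or Snowflake. It models the idea from the
talk: native alerts only cover what each tool already detects, while leads
come from joining raw events across sources. All records below are constructed.
"""
from datetime import datetime, timedelta

# Destination suffix used to decide that an endpoint connection touched an AWS API.
# Assumption for this example; a real feed would carry resolved hostnames or IPs.
AWS_API_SUFFIX = ".amazonaws.com"

# Constructed raw endpoint events (EDR-style outbound connections from on-prem hosts).
# Only ws-01 has a native alert; ws-02 and ws-03 are the "slow and low" cases.
ENDPOINT_EVENTS = [
    {"ts": "2021-02-01T10:00:00", "host": "ws-01", "src_ip": "203.0.113.10", "dst": "s3.amazonaws.com", "native_alert": True},
    {"ts": "2021-02-01T10:05:00", "host": "ws-02", "src_ip": "203.0.113.10", "dst": "s3.amazonaws.com", "native_alert": False},
    {"ts": "2021-02-01T11:30:00", "host": "ws-03", "src_ip": "203.0.113.10", "dst": "sts.amazonaws.com", "native_alert": False},
    {"ts": "2021-02-01T12:00:00", "host": "ws-04", "src_ip": "203.0.113.10", "dst": "update.example.com", "native_alert": False},
]

# Constructed CloudTrail-style records (a subset of real CloudTrail fields).
# 203.0.113.10 is the office NAT egress address; 198.51.100.7 is an unrelated source.
CLOUDTRAIL_EVENTS = [
    {"eventTime": "2021-02-01T10:06:30", "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10", "userIdentity": "dev-ci"},
    {"eventTime": "2021-02-01T10:07:10", "eventName": "GetObject", "sourceIPAddress": "203.0.113.10", "userIdentity": "dev-ci", "bucket": "prod-exports"},
    {"eventTime": "2021-02-01T11:31:00", "eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.10", "userIdentity": "dev-ci"},
    {"eventTime": "2021-02-01T15:00:00", "eventName": "GetObject", "sourceIPAddress": "198.51.100.7", "userIdentity": "backup-svc", "bucket": "prod-exports"},
]


def _ts(value):
    """Parse the ISO-8601 timestamps used in the constructed records."""
    return datetime.fromisoformat(value)


def correlate(endpoint_events, cloudtrail_events, window_minutes=10):
    """Join endpoint connections to AWS API endpoints with CloudTrail activity
    from the same egress IP inside a time window after the connection.

    Returns one lead per endpoint event that has matching cloud-side activity,
    regardless of whether the endpoint tool raised its own alert.
    """
    window = timedelta(minutes=window_minutes)
    leads = []
    for ev in endpoint_events:
        if not ev["dst"].endswith(AWS_API_SUFFIX):
            continue  # not an AWS API connection, nothing to join against
        start = _ts(ev["ts"])
        matched = [
            ct for ct in cloudtrail_events
            if ct["sourceIPAddress"] == ev["src_ip"]
            and start <= _ts(ct["eventTime"]) <= start + window
        ]
        if not matched:
            continue
        leads.append({
            "host": ev["host"],
            "native_alert": ev["native_alert"],
            "cloud_actions": sorted({m["eventName"] for m in matched}),
            # Buckets read via GetObject are the data-exfiltration signal.
            "buckets_read": sorted({m["bucket"] for m in matched if m["eventName"] == "GetObject"}),
        })
    return leads


def summarize(leads):
    """Contrast what the native alerts covered with what the join surfaced."""
    return {
        "leads": len(leads),
        "native_alerts": sum(1 for lead in leads if lead["native_alert"]),
        "hosts_missed_by_native_alerts": [lead["host"] for lead in leads if not lead["native_alert"]],
        "hosts_with_bucket_access": [lead["host"] for lead in leads if lead["buckets_read"]],
    }


if __name__ == "__main__":
    found = correlate(ENDPOINT_EVENTS, CLOUDTRAIL_EVENTS)
    for lead in found:
        print(lead)
    print(summarize(found))
```

With the constructed data, the endpoint tool alerted on one host, but the join with CloudTrail yields three leads, two of which (ws-02 and ws-03) no native alert covered, and two of which reached a bucket. Because all on-prem hosts share one NAT egress address, the join is on egress IP plus time window; attributing a cloud call to an individual workstation is only as precise as that window, which is why the talk's approach layers the endpoint's own raw connection events on top of the cloud log rather than relying on the cloud side alone.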