Transcript
I've been working with power customers for many years. Actually, next month is my 20 years working in the industry, so it's pretty exciting and security is really where I shine. I love to talk about security and I love to talk about the ways that people can fix issues on their systems, and I hope today will bring a little bit of extra information to you so you can make some informed choices. So we'll talk about the risks, malware threat predictions, share some tips for creating a malware defense strategy, talk about the benefits of native virus scanning, and I want to share a little bit with you about how PowerTech Antivirus can help. Alright, so of course we first have to talk about the risks and talk about what the threats are so that you understand why you need to care and why security on IBMI is going to be so important. So just to kind of give you a little bit of a picture of the threat landscape so you understand what this potential is. The IP connected devices are anticipated to reach 27 billion by 2025. That's a huge landscape for threats to be attacking, and so it just is going to get bigger. Every organization is going to have some expansion of some sort where those IP connected devices are now creating new vulnerabilities. There was a 61% increase in phishing attacks over from 2021 to 2022 with 255 billion phishing attacks. And that was as of November 10 of 2022 so not that long ago, and yet that is a huge number. So those phishing attacks are very often the beginning of what the downfall of a company and they become compromised during an attack. We look at malicious emails, the average number of malicious emails sent per day as of December 2022 was 3.4 billion. So it's no wonder that security is a huge concern. We are all under attack, and it is constant. FBI's Internet Crime Complaint Center, their reports of complaints went up substantially from in 2021, but 847,376 complaints. So that's huge. There is no shortage of threats. So when you become a victim to one of those attacks, the downtime following ransomware attacks, average of downtime for that is about 22 days. So not only are you dealing with potential downtime, but it can also impact the bottom line and it can have financial threats as well. One in six firms surveyed they were not able to get a ransomware attack. And so they're saying that they're not going to be able to get a ransomware attack. So they're saying that the attacks that they encountered actually threatened the survival of the business. So it is huge. It is something that's not going away. So we really need to figure out how we can start finding ways to implement little changes, sometimes big changes, to make sure that we're going to be attacked and how much is going to be compromised. We actually did a data security survey in 2022 at Fortra, and we were polling the CISOs of organizations and 43% of those CISOs reported that ransomware was seen as the greatest threat to their environment. Biggest threat there over 40%. Business email compromise and phishing attempts was also fairly high on that as well as a danger to the enterprise and the data. So the fact that you have management support for a lot of you on your security initiatives is actually not surprising because it is something that they are looking at. So it's a matter of ensuring that we actually incorporate the IBMI into that conversation so that we know that we are protecting that as well. It's very often, this is the core server for the business. It's the crown jewels for the company and ensuring that it is protected, even though it is often assumed to not be as vulnerable, is really important. When we look at the motivations behind the attacks from 2021 to 2022, there wasn't a huge change. All of the same motivations. Cyber crime actually was down a little bit. 2021 was, we were still really reeling from from COVID and the pandemic really had an impact. So things have shifted a little bit, but cyber espionage is still right there, just over 10%. But hacktivism, cyber warfare, think about the global climate. There's a lot of state sponsored attacks as well. So, you know, anywhere where there's money to be had, there's going to be a huge motivation. And I think that we continue to see that with cyber crime being the biggest motivation. It, unfortunately, is really easy for these threat actors to get at and actually launch attacks, because the underground marketplace provides a very easy place for not only the threat actors to pick up malware, ransomware toolkits, DDoS, attack vectors, Trojan horse bank robbery, but to actually launch attacks. And so, you know, there's a lot of ways that these threat actors can get at and launch attacks. So, for example, the ransomware, the ransomware banking apps, all of those are easily and readily available for just a matter of a few dollars. And when you look at what the ransomware industry has raked in, it's pennies on the dollar for what they're getting out of it. And so, you know, if you look at what the ransomware industry has raked in, and they've collected it, it's an easy way for them to sell it. So credit cards, your access to your accounts, gift cards, as well as cash out services, those are all readily available as well. So not only are they having an easy way of being able to find ways to attack you, but they're also able to offload that and make money off of that side of it. So, you know, there's a lot of ways that ransomware attacks can be easily and readily available to attack you. So, you know, I'm going to leave the attacks continuing because it's too easy. So, you know, the ransomware attack in 2022 is actually $2.5 million in US, so it is a huge business impact and can have long reaching effects. And then when we look at the ransomware attacks that had business disruptions, 61% of those attacks had at least a partial business disruption. So not only is it costing money, but it's downtime. So you can't sell your goods, you can't bring in your customers, and you are effectively dead in the water. So really the impact can be catastrophic. With IT disruption, we found in the survey that 45% of environments, they actually have a change in their IT security strategy after malware impact happened. And very often, almost 42%, they experience system downtime. So huge disruptions and costs with that as well. So impact can be far reaching and can linger for years. But hopefully, there'll be more changes before the attacks. And that's really what I would like to see is to minimize the impact. So everything we can do to prevent for these things from happening, the better. Going back to Fortress 2022 data security survey report, we actually asked what the confidence levels were of the CISOs to a number of different statements. And so one that actually made me feel good was that there was a high confidence, 82% agreed or strongly agreed that their organizations have made positive progress to securing their sensitive data. So that's good. There's been some work on that. Cybersecurity awareness training has had positive and substantial impact. That, again, was a high response rate for agree and strongly disagree or strongly agree. So the one that starts to concern me as far as the bottom, that if they feel their organization is winning the battle against cybercrime, they're not quite as confident. It's less than half agree or strongly agree that they're winning that battle. But we do see that they are confident that the senior leadership is starting to understand the threats and that they're confident about their cybersecurity program. So there are some positives with this, and we are making some headway. But I really feel that there's more that we can do to win that battle against cybercrime and make sure that we are not leaving the systems vulnerable. So one of the key elements here is effective prevention and detection. So in order to do that, you have to have a plan in place. So creating an action plan, ensuring that everybody who's involved knows what their part is in that action plan is critical. Employee education plays a big part in that. Making sure that your employees know what to do if something happens or if they receive an email, question it and be suspicious of it. So ensuring that they know and don't assume that because somebody doesn't have direct involvement with your IBMI security that they can't impact the system. So every employee needs to be educated on what the threats are and what to look for. Limiting access to users plays a big role in this and ensuring that when you are attacked, good prevention there is to not give users access to everything. So the less they have access to, the less that's going to get damaged in that attack if they are in fact the attack point. Making sure that you're applying security updates can emphasize that enough. Regardless of which device we're talking about, security updates are essential for maintaining those security patches and making sure that in fact your devices are all ready and current. Anti-malware protection plays a big role in this as well. So ensuring that you have things in place and anti-malware comes in many, many layers. So it's not just one layer. You're not going to just put just a simple lock on the door. You're going to have a deadbolt. You may have an alarm system. You're going to have all of those things that have to be a part of that. And then make sure that if you have a compromised device, they are able to detect it. So ensuring that you've in fact know when something is compromised is critical to dealing with it quickly and stopping that attack from continuing. And our survey, we found that 78% report that anti-malware or antivirus endpoint security solutions are the most effective for preventing and blocking malware and ransomware. So having those tools in place, because the reality is we have to give users access to our systems and devices. So what we have to do is put that layer in to actually prevent the attacks from happening and restricting the ability for them to be able to actually damage the systems. A couple of predictions here. Machine learning is going to actually fuel the arms race between the defenders and the attackers. So the more technology we have, then the more we're going to be fighting to maintain control of it. Probability of ransomware attacks will decline. And actually I just found some data on that, that there was actually a 40% drop in ransomware revenue for 2022. So huge drop. There was a huge increase in 2020 and 2021 over previous years. So I'm not sure if that was the blip or if we are finally getting to where there's enough law enforcement agencies going after it. People have learned that not to pay that ransom. So what unfortunately is going to happen with that is that the focus is going to shift to higher net worth individuals and cause more business disruption. They're getting less money, so they're going to increase the volume of their attacks. Over 2022, there was actually an increase in the tens of thousands of malware strains used in attacks against thousands of companies. So the attacks are going to continue. They're not making the money. So unfortunately, that may mean that the attacks are actually going to get more frequent. Serverless apps are going to save time and reduce business costs, but they are going to actually, unfortunately, offer an increased attack service. So there's going to have to be some consideration with that. Companies are looking to make more money may actually gather up personal data with or without our permission. So that means that our data is personal data as an individual in the marketplace. As a consumer is more valuable. And so those threat actors are going to go after our data in many ways that may not be ethical. And of course, our children are going to have a lot of risks, their privacy, their online history, future employment, hiring decisions can be made on based on that and the educational system. Identity theft compromises. So all of this information is out there. And I think we're going to have multiple generations down the road that are going to see that this information that was compromised now is going to have a lasting effect later on. So, not great news, but I think that I'm happy to see a drop in the revenue. That means that there's less money in it for them. So hopefully, this will start to peter out and with the law enforcement FBI actually busting the high ransomware group. Alright, so a lot of responses from this and so regulatory mandate mandates are very common for dealing with. Oh, there's been a problem. So let's throw some more rules at it. So those regulatory mandates can definitely come into play. So, if you have that data, you create it, the confidentiality and integrity. It is compromised in a ransomware attack. So if that data is taken off the system, it's compromised. It's no longer confidential. If the integrity of it, if it's damaged in an attack, again, that's compromised. It is compromised in a ransomware attack. So if that data is taken off the system, it's compromised. It's no longer confidential. If the integrity of it, if it's damaged in an attack, again, it falls under that security standard. Protecting against reasonably anticipated threats or hazards to the security or integrity of this information. I think that the statistics show that the damage to the data form and malware attack is a reasonably anticipated threat. It's not if, it's when. I'll go back to that. Implementing security measures sufficient to reduce the risks and vulnerabilities to a reasonable and appropriate level. In order to reduce risks, you have to take action. Sometimes that action is adding layers of control. So adding antivirus or anti-malware protection is one of the ways to reduce risks. So ensuring that you are addressing that. For the Gramm-Leach-Bliley Act, the LBA explicitly says for protection of non-public personal information, that you're required to ensure the security and confidentiality of customer records and information. Going back to security and confidentiality, if it's compromised, it's definitely wasn't held secure and confidential. And to protect against any anticipated threats or hazards to the security integrity of those records. Again, anticipated threat is that malware attacks are going to happen. So making sure that you are meeting those requirements to protect against unauthorized access or use of that information that could result in substantial harm or inconvenience to any customer. So making sure that you're protecting that personal information from those threats, we know what those threats are. Now, some of you may not have watched any of my previous webinars or haven't had conversations with me in the past. And you may be thinking that we're IBMI, we don't really have those anticipated threats. Unfortunately, ransomware and malware does impact IBMI. So you actually can see here is an example of a customer who had probably worst case scenario of a ransomware attack on their IBMI. The integrated file system, which is a file structure that is actually over the top of your native file system. The integrated file system allows for Windows stream files to be stored and very often shares are created over that IFS. When that happens, it makes this the file system vulnerable. This particular customer ended up with half a million files encrypted by ransomware through the unfortunate practice of sharing the root directory and allowing an all object user profile to map that drive. And when that user was attacked by ransomware on their PC, it saw the IFS root share as just another drive and was unfortunately allowed to continue for a 72 hour period. So literally attacking the entire integrated file system and holding it for ransom. Now, some flavors of ransomware, they actually drop copies of themselves to further infiltrate into an environment, hoping you won't see it. And the only thing that you can actually open is that one file. So you go ahead and click on it and it actually will start the attack again. So this particular case, they had 248,000 copies of ransomware on their system. So huge impact two to three weeks down trying to recover and piecemeal restore their integrated file system back. So it is unfortunately a reality and it is an anticipated threat that should be dealt with. Now, you know, it's like, well, okay, so we've got this threat. This customer had a really bad day and this bad thing happened to them. But we do see that unfortunately, it does happen time and time again. So a couple of examples here, the Windows Explorer screenshot in the background, that particular company had a development system that it took them about a week to recognize that they suddenly were not able to get to the system at all. And with that, that ransomware attack had encrypted almost half a million files on that system as well. So the availability of the systems can be compromised very quickly. And it's definitely something that should be considered a real threat to the environment, real threat to the company and should be dealt with. All right, so I'm going to give you guys some tips for creating malware defense strategies. So all those things that we're concerned about, right? What are we going to do about it? What are the things that you can do to actually make the system more secure, make your environment more secure? So protecting the power system, of course, is why we're here. And with the IBMI and the AIX operating systems, unfortunately, they act as a bit of a typhoid berry where they don't show symptoms of infection necessarily, but they can act as a very happy host. And anybody who's actually accessing the system can become infected from those files in the IFS or in the AIX folder structure. Linux, unfortunately, is a flavor in its own that we actually often see there's a huge increase in malware that is specific to Linux. So all of these operating systems are vulnerable and will unfortunately act as a host because we don't ever think to check them for a problem because they don't have any symptoms, obviously. So first thing, implement and enforce your security policies. So you should all have a security policy at your organization, and you need to make sure that the security policies apply to the IBMI as well. It's not a unique, it's part of the environment and needs to be treated accordingly. You have to remember that viruses are only be able to spread to the files that users have access to. They're not going to be able to get to something you don't have access to. So the less a user has access to, the less damage there is. So thinking about users with all object authority, if they have all object authority, so does the malware. The malware doesn't have its own authorities, it doesn't have its own file access, it uses what you give your users. And if you are too generous with that, it will expose and actually create a situation, not unlike the other customers I've worked with. When we're looking at IBMI, the root directory, unfortunately, ships with some pretty wide open authorities. Basically, the root directory has a public all authority. So making sure that you are evaluating these and do they align with your security policies. Consider maybe providing users their own working directory that can be secured accordingly, so that a user only has access to a single location in the IFS as opposed to the entire IFS. So that if there is damage, it is limited, right? We're talking about trying to minimize the damage zone. Keeping technologies current and patched is another critical component. Viruses are often going to target known vulnerabilities. And so, you know, we look back at the 27 billion connected devices, and any one of those at any time is going to have a potential vulnerability. So you want to make sure that everything is kept up to date. In your environment, servers, especially need to be kept up to date and applying those patches in a timely manner. So if you get that notification, get it on your radar, make sure you have a schedule and plan for having to apply patches to security for security vulnerabilities. Don't react, be more proactive with it. Make sure that all connected technology remains current and patched. So, you know, those workstations, those phones, those printers, all of the devices in your ecosystem need to make sure that they are in fact staying current or patched and that you have a plan for that and somebody is responsible for actually following through on it. Shutting down unused and unnecessary services can, again, lower the risk factor there and take away some of the potential vulnerabilities and ways that attacks can get to your IBMI. If there's no valid reason for a service to be started, don't have it auto start. I do see this quite frequently where there is an auto start for, say, example, FTP. FTP server starts after an IPL. Okay, well, are you using it? Well, no, not really, not very often. So don't auto start it. So taking those out can help reduce the potential backdoor attacks to the system. If you do have a service that you need from time to time, start it when you need it and then make sure that you end it when it's done. You also want to consider that a lot of these interfaces, such as FTP, HTTP, and so forth, are not secure protocols. So you might want to look at using more secure alternatives to the current services you're using. FTP, for example, again, it sends everything in clear text. So your credentials are potentially compromised. The identity of your server is potentially compromised. The data that you're moving on and off the system is potentially compromised. So each of these can potentially create that exposure that can be taken advantage of another way. So we really want to make sure that you're not unwittingly giving away some of the secure information that you thought was protected. You want to make sure that you're restricting access to those services. So services that do have to be started and are actively available, make sure that you're granting access to those to selected users on an as-needed basis only. So just because the service is active doesn't mean everybody needs to be able to use it. ODBC, for example, does everybody need to have ODBC access? Do they all need to have FTP access to your servers? Probably not. So making sure that you only allow those select users that you know cannot do their jobs without it to be able to use those services, it greatly reduces the exposure there. Think about, consider controlling the functionality within each of those services. Does every user need to be able to run a command through ODBC? Probably not. Does every user need to be able to put files on the system through FTP? Probably not. So each of those things should be restricted based on the user, based on which service they're allowed to have access to. And if they really need to. And restricting the access beyond your object level security. So very often object level security is pretty wide open. You're at the mercy of your vendors and your third party applications as to what the authority is on those database files and those libraries. So what you can do is actually add layers of additional control through exit programs to restrict that access beyond the object level security. So user may have read-write authority to the database, but when they come in through one of those services, you can restrict it and say, nope, today through this doorway, you don't get to do this. So it can also establish effective control over those powerful users. So those all object profiles with an exit program, you can actually restrict the fact that they can delete the operating system. So effective restriction is going to help in those cases. Avoid oversharing. So, you know, this is, we know people who overshare. And with the IFS, we have a tendency to overshare as well. Those shares should be created sparingly and only where needed. There was a time when their IBMI actually shipped with a share of QIBM directory. And that's terrifying. And we've seen infections in those directories. So, you know, that's not a good idea. You really want to make sure that they're only created as needed. Make sure that you're doing a regular review of those shares and eliminate any shares that are no longer needed. You know, I like to say, ask yourself, do you know who's using the share? No. Okay, that might be a good reason to actually remove it. If you can't think of a business reason for somebody to have access to it, take the share away or restrict the authority on the share. And if something breaks, you'll know that was actually using it. But it's more terrifying to me to not know what's using it than to know what's using it and allowing it to continue. I'm going to say this, and I repeat this a lot, and it's a very common phrase for me, don't share your root directory. Root directory shares expose the entire system. The Qsys.lib, which is your operating system, is underneath the root. So when you create a root share, you've exposed the entire system. You know, I'm encouraging removing these shares, and this is a big one. It can take some work, but the benefit, it far outweighs the extra work that it's going to take to back that root share out. For those shares that you do create, you might consider setting them to read-only wherever possible, so that in the event of a ransomware attack, for example, the files aren't encrypted and deleted. You still have to think about the read-only does give someone the ability to get the data. So it could still create an exposure, but your damage is going to be minimal. So it does help, but it's not, again, the magic. The only answer, the silver bullet there, so to speak, of removing the exposure. And of our scan engines, so making sure that you're keeping those scan engines and signature files up to date. So virus scanning does largely rely on signatures, so you have to make sure that they are updated frequently. So ensuring that you stay current and that the engine itself that's driving that scanning is also current. So this is definitely something where it should be automated and that this is a process that's built into the day-to-day activities of your security administrator on the system. Once you have updated, making sure that you're keeping your virus definitions up to date, your signatures up to date, your engine is current, make sure that you're actually scanning for viruses regularly. So scanning the IFS is a critical component for not only meeting some of those regulatory mandates, but also to ensuring that the system's not a host to malware. Even if you don't have a government entity telling you that you need to protect your server, as a business, you should want to protect your server because it is an integral part of the business. And this is where your core server, this is what keeps the business going. So ensuring that you are dealing with any reasonably anticipated threat, this is part of that. Virus scanning should be done natively on the server. So using other tools to try to scan non-natively, it creates some issues. I'll talk a little bit more about that here in a minute. You'll want to make sure that you're automating those scans so you don't have gaps in protection. There's always a window of vulnerability. So any layer of protection has a vulnerability. And if there weren't vulnerabilities with those layers, we wouldn't be having this conversation because things would have been stopped a long time ago. Unfortunately, these threats are so rapidly evolving that it's a matter of trying to just stay ahead of it. So making sure that you don't have gaps in your protection, use on-access scanning. So making sure that you're scanning as files are consumed by your users so that they're not opening infected files. IFS acting as a host, user goes and opens it, it launches against their PC, and now you've got cleanup again. So really want to make sure that you focus on vulnerable directories as well and scan those more often. For example, if you've got a folder in your IFS that you have a vendor or a customer or a business partner that uploads orders or shipping forms, anything like that, that is being populated into your IFS, those directories are vulnerable. You want to don't ever assume that the other person that's giving you the file has done their due diligence and has scanned those files. You need to scan it because your business is the one that is potentially at risk. Auditing goes a long way for giving the ability to look back to see what happened. So enabling auditing is going to be extremely helpful. Watch for system-critical directories that have changes. So if you've got an audit trail of that, you'll be able to readily identify who did it and go track down why it was done. Failed logins are another big one. So any failed logins, it might be a fat finger on a Monday morning, but if you start seeing multiple attempts for the same user, maybe against multiple servers, that could indicate that there's actually a hacking attempt going on. So having those failed logins audited, you'll be able to see this happening and hopefully be able to deal with it before it becomes a big issue and before that profile is actually used and gets in. Authority failures, anybody who's trying to run a program or access an object they're not authorized to. Again, your users know what they're supposed to do and typically you give them an interface that only gives them access to what they're supposed to be able to get to. So if that user's activity deviates, it should throw up a red flag. So having that information available so that you can see it when it's happening is a critical part of being able to head it off before it becomes a bigger issue. And then auditing changes to system values and security configurations on your server. So IBM provides you a whole bunch of system values that you can use to protect the integrity of your operating system and the system itself and the file systems. So if somebody makes a change to that, you should know about that. You should know who made it, when they made it, what it was, what it is now, so that you can figure out what's happening with it. Is somebody trying to set it up in order to do something inappropriate, nefarious, or damaging on the system? So it goes a long way. Think of this as your black box recorder for the system. You hope you never need it, but having the data available is going to be a big part of that. So monitoring is going to help with staying on top of all of those things that you're going to be doing. So monitoring scan logs for infections. So if there is an infected file in your environment, you need to know about it and you need to react quickly and make sure that you deal with it so that it doesn't become a bigger outbreak. Monitoring your scan and update jobs. Make sure that those scans are running when they're supposed to and that the signature updates are happening as expected, so that you know that those extra precautions you've taken and those extra layers of protection you put in place are actually doing what they're supposed to do. And then, of course, monitoring those audit logs. So you start gathering that information so that you know what's happening in your environment. But if you never go back and look at those audit logs, you're not going to know there was a problem until it's huge and it's going to be a massive effort to recover from. So doing proactive monitoring can go a long way for staying ahead of a problem and heading it off before it's a huge outbreak. You might actually even consider using a SIM to track those events in real time. If you have a SOC or security operations center, getting that IVMI data up to that SIM is going to be critical for the whole business to be able to react quickly and deal with outbreaks before they become the bigger problem. Consider getting good and frequent backups as well. So good backup practices are definitely a necessity, making sure that those backups are in a secure place. Very often, threat actors will go after your backups and destroy those so you can't recover from a ransomware attack. So making sure that you're not backing up infected files. The only way to know that is if you're scanning to make sure there's no infected files on the system in the first place. You have to consider that any data that's replicated is likely to also be infected. So unfortunately, high availability solutions are really good at replicating even the bad stuff. So somebody does in fact have IFS ransomware running on their PC and it's attacking your IFS. Unfortunately, those changes are going to be replicated. So developing and testing a recovery plan for when you get hit with malware before you're hit is critical because this is a different fire trail than it is for a system disk died. Recovering from malware is definitely different. There's different things you're going to have to do with shutting down specific services and being able to pull the files and identifying what was impacted and who was involved in it. So this is going to help you recover quickly. Those backups are going to be essential for that. A lot of people don't think about backing up their IFS, but critical system files are in the IFS. It's not an optional file structure. So very important that you've got that as part of your, in your toolbox. All right. So this is just a list of those defense tactics I just ran over. So you guys will have that to go back and reference just to kind of give you the short version summary of it. All right. So let's talk about the benefits of native virus scanning. So I think this is important because there is a knee-jerk reaction to say, oh, well, we already have virus scanning in place and we'll just use our Windows-based solution to scan our power system. This actually comes with a series of concerns that can be avoided by using a program that's built for your, specifically for the operating system. So with a Windows-based scanning tool, you're going to actually, unfortunately, create some security vulnerabilities. Some of the things I mentioned already have been to remove those root shares and to not have users with all object authority be able to access those shares. If you're trying to scan a server with a Windows-based program, you're going to have to do exactly what I just said not to do. So it will actually create a vulnerability again. And if that particular workstation that that Windows-based scanning program is running from is compromised, then your entire server is exposed all over again. So using native scanning eliminates that creation of that undesirable share and the high authority user being able to use that. Stability issues are another concern. Lost connections to the server, power goes down, any pop-up messages on the PC. I don't know if you guys see those ever. Blue screen of death comes up. But those are always a concern and the scanning is going to stop. And unfortunately, with a non-native tool, the operating system doesn't even know that you were doing it, let alone where you stopped. And so it's just not going to be very effective in being able to scan the entire system. Reliability, of course, is another problem where the non-native tools are not going to be able to work with the operating system to be able to know if it's already scanned that file, if it needs to scan that file again. And so with native scanning, it's fully automated. You don't have to worry about did this start up this time. It's already going. It's on the server. It's doing its job. Performance is also a concern. You've got all those files are being moved across the network. And going back to security vulnerabilities, when that data is being moved across the network, it's not encrypted. So you actually are exposing the data on the network because you're taking it off of the server itself. So it can create just multiple layers of problems that at that point, you might as well not do it. So we have a tool, Powertech Antivirus for Power Systems, that actually runs natively on these servers to allow for secure, stable scanning. So virus protection for IBM Power Servers, IBMI, AIX, and Linux. So making sure that you've got protection without those performance issues, not creating any additional security vulnerabilities. You're going to have advanced heuristic analysis. You're going to have advanced heuristic analysis running on the system that is going to have flexible scan options using industry leading scanning technology powered by Trellix, formerly McAfee. And you're also going to have a complete audit trail so you know exactly what's happened. Everything's going to be logged on the system itself. So these are files that are on the system. Having a non-native tool, you really don't have that. You lose that connection between the files and what happened. Without having Powertech Antivirus in place, the scenario that we've talked about where a server is infected and it's hosting the malware, any Windows clients connecting are going to become infected. Very often what happens is that the cycle repeats because you clean up the workstation, but you don't look back for the source of the original infection. Oh, it must have been an email or, oh, maybe it was a website. And in fact, it turns out that the very server that you think is immune is actually the host that is recreating this over and over again in the environment. To break that cycle, Powertech Antivirus allows you to scan the IFS natively, two ways, back scanning and on-axis scanning to make sure that the infected files are found on the server quickly and that they are quarantined so that they are not actually getting out to those workstations. So you stop that cycle and any infected PC workstation that is accessing the IFS is not going to be able to infect those files either. So really taking it down to the server level to add that last layer of protection at the server itself to ensure that it's not part of the outbreak and it's not impacted by the outbreaks. With the native antivirus detection removal, the Trellix commercial scan engine provides a host of benefits that you don't get with open source tools. So you've got the ability to decompress and scan those compressed files to make sure that you're finding files, infections that are very often hidden inside of compressed files to get through your defenses. It is able to detect macros and script viruses. So very often a delivery method for ransomware is inside of a, say, for example, a Word document. The user gets a pop-up that says, you must enable macros to fill out this form. The unsuspecting user says, okay, and they enable the macro and that actually will kick off the attack. So important to be able to scan for those. It detects encrypted and polymorphic viruses as well. So trying to hide those viruses by encrypting them and then having those launched by a particular action by a user. Those can be identified as well as new viruses and executable files, Trojan horse programs, worms, other kinds of malicious software. And it's easy to upgrade. So with this technology, you're able to load it. It doesn't require downtime on the system. So an important piece of that is to have that commercial backing. Additionally for IVMI is that we have enhanced ransomware protection. And so the unfortunate side of IVMI is that those attacks very often happen on a Windows workstation and the malware itself never actually gets to the server. So in order for you to scan for it, it has to be on the server. So Partick Antivirus Ransomware Protection on IVMI provides you the ability to monitor the traffic coming from those workstations and watch for those threats. So and watching for access patterns that are suspicious and then being able to actually block an attack. So this is actually screenshots from a customer that had Partick Antivirus with anti-ransomware protection in place a couple weeks ago. They had a workstation that became infected by ransomware and it started attacking and Partick Antivirus blocked that attack and that user's access was cut off so that no further files were damaged in this attack. So it is a current real and present danger to your systems and being able to stop this activity before it has widespread damage is critical. So this has really been a huge benefit for customers to be able to know that they are not only ensuring that their system's not hosting, but they're also not going to be impacted in an attack. Really boils down to is leveraging comprehensive protection. We've got to break the cycle on this and ensuring that the servers of record themselves are protected. You would never set up an environment without a firewall around it. You would never set up an environment for your employees that didn't have antivirus in it. So on the server itself, why would you leave that the weak link? So making sure that you've actually done every layered approach you possibly can to protect the business and the servers is critical. I really appreciate that you were willing to join us today. It's really a conversation that a lot of us are like, yeah, well, yeah, the statistics, but it doesn't apply to me. And I just really want to make sure that you understand and can make a knowledgeable decision about the threats and so that you are actually taking the actions that you see best for the business. So if you're interested in taking a closer look at Powertech Antivirus, so certainly it's a conversation we can have. There's a lot of different tools in our suites that can assist with multiple facets of securing the IBMI. When it boils down to malware, Powertech Antivirus is a great place to start. Great. Thank you and appreciate your time. Thank you, everybody who attended.