Transcript
Thank you everybody for joining us today on this webinar. We're going to be talking about the SOC's biggest blind spot and the risk that it poses to your organization. Some intros are in order as well as an agenda. My name is Hank Schless. I'm Director of Product Marketing, obviously here at Lookout, and I'm joined by my friend Alan Phillips here. Director of Product Management, Alan. And today we're excited to walk through things. We're going to keep it pretty, you know, pretty tight here, pretty quick, but also hope to deliver you some really actionable information here, insight into really why we see mobile as that blind spot within your security operations center. So to do that, we're going to do a quick overview of how the cyber kill chain has evolved and what that means for the mobile threat landscape more broadly, why visibility is key. That's really the name of the game here. And then Alan will take us through a quick demo and we'll go a little bit along how Lookout helps with all of the challenges we'll be talking about today. Sound good to you, Alan? It does. Thank you. All right. Giddy up. All right. So a quick overview about Lookout. We were founded back in 2007. We were actually the first mobile security provider. There's a fun story behind that that I will share with anybody when we have more time, but we have grown over the years and are now a recognized market leader in mobile threat defense or mobile EDR, depending on how you look at it. We have the world's largest mobile security data set. This is telemetry for more than 230 million mobile devices and 375 million apps, along with billions or countless web items that helps with some other parts of our solution. Because of this, we're able to provide protection for everybody from small home office folks all the way up to the largest sectors of government and all of the enterprises in between there. What this does is that it helps us drive really an AI-driven mindset here at Lookout in terms of how we approach protection for our customers. We have the world's, as I said, that world's largest data set, which enables a level of threat intelligence about the mobile threat landscape that really can't be matched by anyone else. This is also backed by people who have hands on keyboards as well. We're very AI-focused, but at the same time, we understand the importance of having a world-class research team to help drive a lot of the protections that go into our solution and providing that protection for our customers. Because really when it all comes down to it, it's about protecting your endpoints. It's about protecting your data. And more and more these days, iOS and Android devices are key for multi-factor authentication, for access to data anywhere. And they can also be a really early warning sign for threats going on across your organization and the fact that you may be getting targeted elsewhere that you might not see yet. In terms of how things have evolved, attacker's tactics have evolved outside of that traditional Lockheed Martin kill chain. A few of these steps will look familiar, but we call this the modern kill chain. The first is that recon has evolved. Now all someone needs is access to a LinkedIn sales navigator license, maybe a sales prospecting tool that gives them access to the corporate hierarchy and everyone's phone numbers, and then access to data that's been leaked in things like breaches or even something very public like social media. And suddenly they have all the information they need about an organization, its structure, and the people within it to be able to socially engineer them. What we see is that social engineering is much more focused on the mobile vector these days. The reason for this is that there are a few things. One, we are trained to react to things on our mobile devices much more quickly and just more naturally. These devices are generally, as we've talked about, a blind spot within, whether it's a SOC team, whether you just have your general security org, or the IT team in general. Some folks say, well, we manage these devices and that's fine, but realistically, mobile device management is not a security product in the same way that security products aren't management products. So because of that social engineering, its efficacy across mobile devices, we then see getting initial access with credentials that they have swiped from mobile devices, which then allows them to hop into your infrastructure, hop around between apps, between platforms. Everything as long as they're authenticated through your MFA solution or your SSO solution, they're able to pretend like they belong, which is a big part of this. And then finally, we all know the story here, it turns into some sort of extortion and a very, very bad day for your team. One way we look at this is that when it comes to those first couple steps, this really should be, as Alan put it a couple weeks ago at this point, and a phrase that I've been using all over the place recently, mobile really can be your canary in the coal mine. It's your warning sign, it can be the early indicator that something is going on, and a lot of what we're going to talk about today is going to show how that's the case and really help guide your team in terms of where they can look and how they can get to that information. So I'm going to do a quick overview of the Mobile Threat Landscape. This is all information that is in our annual Mobile Threat Landscape report, which we just released a couple weeks ago. It should be linked in this webinar below, and it will also be sent out as follow-up, so you can read the full report if you have some time. Some key stats from that, we found that there were over 4 million mobile-focused social engineering attacks in 2024 across enterprise users, across our fleet, and what was really interesting was that more than double of those interactions happened on iOS versus Android. We'll look at a chart here in a second, but this was the first year where there was truly double. It's interesting thinking about how enterprises generally lean towards iOS given the uniform nature of the ecosystem they can control versus Android, but obviously when you look at geographically, Android's more popular in certain parts of the world, like Europe, for example, versus the United States. We also detected more than 427,000 malicious apps on enterprise devices and more than 1.6 million vulnerable apps. So these are obviously massive risks to the organization, again, something that you would want to understand is present within your mobile fleet because of the potential risks they pose. In terms of device risks, this is, you know, as we start thinking about visibility in the context of our conversation today, device risk is really important. In the same way that you would want to know that one of your employees' laptops is out of date or doesn't have a password on it and you want to be able to enforce that information or enforce that policy, you want to know the same thing about your mobile devices. Really what each of these things lead to is remote and physical access risks, right? This can lead to exploitation of device, taking it over as a root user, installing info stealers, malware, whatever it may be. Exploiting permissions is a big part of it. And then also just having access to the data that is either stored on or accessed by the device. So these are all, again, just understanding what's going on within the mobile infrastructure, within your mobile environment, being able to take action against it. This is just the graph showing over the last, we're looking at the last five years here, the percentage of enterprise mobile devices that have encountered phishing attacks over the course of the year. So as you can see here, the numbers, you know, they fluctuate as numbers do always with these things. But 2024 was the first year, as I mentioned, that iOS was actually more than double Android in this situation. So it's an interesting trend. It's something to keep an eye on. And I think it's a little bit of proof where, yes, iOS devices are easier to manage. They do have that more uniform environment, but they are not bulletproof, despite what some may say. So a real quick overview of CryptoChameleon, who is an active threat actor that we are tracking here at Lookout. They leverage the modern kill chain. We first discovered their activities when they were targeting the FCC, which is a federal organization here in the U.S., about a year and change ago. What they do is they target organizations with custom SSO pages, usually pixel-perfect Okta login pages. They leverage this format of the orgname-okta.com in their outreach in most cases. And what they do is they actually get on the phone with the individual and walk them through pertaining to be IT, if it's enterprise-focused attack, pertaining to be support, if it's a more consumer-focused attack. They actually get on the phone with them. They are based in the U.S. and the U.K., so obviously they are native English speakers. They sound like Apple support. They sound like anybody who could be walking you through this. They're very calm about it. We've heard some of that. And these are some examples of the text messages that they send. This is one that was targeting an individual for their Coinbase account. So they build that trust by asking for you to reply in order to verify that it was not you trying to log into this account. Then they send you a link. This is an example of the FCC Okta page. So for those who aren't aware, and obviously most of us probably aren't, the Okta URL is usually orgname.okta.com. So in this case, they're making one small change that you might not recognize. And they've been incredibly effective in what they do. There's been a bunch written up about them after our research was released. Definitely worth a look. All right. I'm going to take a breath here and hand it off to you, Alan. Thanks. All right. So we're going to talk about traditional EDR right now versus mobile, right? One of the things I think we've noticed in talking to a bunch of the security teams out there is there's a distinct lack of visibility in a mobile, right? Hank already mentioned the canary in the coal mine. But if you're not looking, you're not able to analyze your exposure, you're not sort of understanding what's at risk. And when you start thinking about the number of users who have a mobile phone, which is probably all of them, and they're all using it for something work-related, are you really paying attention to that side of your fleet, that side of your mobile workstations? Because essentially those things in your pockets are at this point. Hank's already touched on social engineering and phishing, right? There's a hell of a lot more uptick on hitting mobile devices around social engineering and phishing. It makes sense. You roll out of bed at six o'clock in the morning, you start reading, you start clicking. And it's a lot harder to review what you're clicking on and seeing in spite of all the training that we give on this is bad. Don't click this. Don't enter that. It's on your phone. You're sort of used to interacting on your phone. It's a good place to come in. So, now you've got, I don't have a lot of visibility. I've got an uptick on social engineering and phishing as well as other things that we'll take a look at. And now you also have to consider a balance between security and privacy. So, as we go through this today from a lookout perspective anyway, there is a balance, right? You can choose not to look at everything if you want to, right? That's still an option. And that just kind of leaves you in a straight up MTD world. But if you want to know what's going on, then this is where you have to start thinking about, OK, what data do we need from our mobile EDR to go into our SOC environment so that we can look, see what's happening and use the data in the right way. Now, the good news is, even from a GDPR perspective, you guys, the data control is. It's a question of making sure your users are educated and you're only getting the data that you think is super important for your roles. So, from there, what does that look like? So, there's a lot of information out there. You've got to understand your operating systems, right? We think about it from a vulnerability standpoint. The models of devices out there, they get updates monthly, sometimes more often, right? And I can't remember how many, and Hank, maybe you do, how many iOS updates there were just last year due to security issues, right? But we know Android Security Patch Levels come out monthly. iOS comes out regularly. So, you need to understand, what's the breakdown of your operating system prevalence? What's going on in your world? Are you tracking those vulnerabilities as well? Are you looking at the current state of a device? Are you looking to see what's going on for threats? So, understand what's happening in your fleet. And as we look at the APIs that we'll talk about today, you'll see that we're going to give you the tools to at least be able to track what is happening, whether it be, here's a state of a device, or here's an operating system that right now is what looks like Swiss cheese in terms of vulnerabilities. Maybe you should modify your security policies to allow for that. Real-time, right? Just like anything else, the more things that you have access to in real-time is great. So, if there is a threat going on, is it a one-off? There are multiple people being hit with the same thing at the same time, because that starts to become a bit tricky, right? And if one person downloads something dodgy and installs it, that's one thing. But if you get 50 people going to a particular website and they all end up installing the same thing, that's something else, especially when you start dealing with the bad actors who are cross-referencing both Windows and mobile. They're using the same infrastructure, right? So, how do we pay attention to these things? And then, what do you do? You're seeing that Lookout's blocking a certain domain, right, from the mobile devices. You may now pivot out of that. Sarah, I want to go make sure that my Windows device is blocking that. So, you can go check firewall logs and things like that and make policy changes. The flip side, also true. You turn around and you find that there's a domain that you're not happy with and you want to block that across all your traditional endpoints. You can do that, but now you also need to be able to tell mobile. So, having the ability to do that as well, hey, we want you to go and block this domain because we're not happy with it. All of these tools allow you to trust but verify, right? It's one thing to say, hey, we don't have to worry about mobile because we've got this MTD on there, but how do you verify? How do you validate? How do you go and sort of correlate when people are trying to circumnavigate the controls you have in place? How do you know those controls are appropriate and whether they need to be tweaking? These are the sorts of things that you have to go look at. And God forbid something goes wrong and something's missed across the board, you need to be able to go back and say, okay, how do I piece all this back together, see what had happened so we can lock it down and make sure it never happens again. So, first of all, there's going to be a fair amount of noise, right? I'm going to show you a bunch of things. So, you're going to get a lot of events. It could be a new device has joined. It could be a new device has a threat, or it could be an existing device has a threat, or an administrator made a change. So, when we talk about our events API, you're going to see there are three main categories. There's device, there's threat, and there's audit. And that will allow you to sort of break these things up, put them into different buckets as you need to, but then specify those events that you really care about for different reasons. And from there, you can generate your alerts. So, you've got mobile devices perhaps going to visit domains that you're not happy or domains with an extension you're not happy. I'm not going to pick on anyone today in this webinar, but there are certain country extensions that people get twitchy when they pop up. How can you see that, right? How do you know that if I blocked those domains, somebody else is still trying to get there? Is there an app trying to get there? And getting those alerts that people are still trying to go, even though they're blocked, is an issue. But what happens if people are going there or if there is a piece of malware that's installed on a mobile device? Now you need to go and say, all right, there's an alert. Did we fix the problem? Well, tell me more about that thing that was on the mobile device. Do I have to worry about something else going on? Was it that one off? Was it just on my mobile? Or is there the potential that this could be part of a larger scale campaign against my organization? So, how do I look at this cross platform and correlate all the data and know what's going on? Even if it's just like I see a bunch of social engineering going on over here, and then all of a sudden over there, I see a bunch of people trying to hit on our IDP servers or hit on our login points. So, that's what we're going to help you. So, how do we dive in and do this? From a lookout perspective, we have a pretty intense infrastructure going on here, right? We have a security graph that allows us to go out, keep an eye on what's going on, right? Hank even mentioned this. We've got customers from small businesses worldwide, all the way up through the advanced and premium version customers who have got multinational corporations using our software to protect their end users and themselves, of course, by extension. To do that, we have a look at a mobile census. We've got web crawlers. We have to go out and we have partnerships with web stores to take a look at apps as they get uploaded, try and chime in and say, you know what? Here's a problem you may have missed. Here's something you need to be aware of. And that all ties into our graph where we've got the ability to analyze, categorize, and sort of tile this thing together so we can make the right decisions when it comes down to helping protect you and your users' devices. So, now you've got the graph that rolls into MES, right? We're all familiar with MES, I hope, at this point. So, now you've got the modern endpoint protection. You've got the different modules, which we're going to touch on, and we have sort of touched on as we go through, but I'll show you some data, hopefully, from most of these. But also, there's threat intelligence, right? And we talk about that in other webinars where you can see threat intelligence in our console. And even if you're a small business customer or just an essentials and advanced customer, you've got a lightweight write-up of that, which gives you information that can maybe trigger some more questions. Premium customers obviously dive in and they get a whole lot more information about those threat intelligence write-ups that we do. And of course, our focus is your iOS, your Androids, Chrome OS, right? Your iPads. And depending on how you want to do it, we cover your deployment mechanisms and help you balance that out. So, starting from here, mobile EDR. And we're going to show a lot of this, so I'm going to sort of touch on it real quick. Starting the outbound data stream, you have the ability for service end events to send data to your SIMs or to whatever data store that you want. And again, that could be an admin made a change, a device state changed, or something happened, whether it was a web threat or a phishing attack, or someone installed malicious data, or maybe just an operating system has now crushed that threshold where now it needs to be updated so the end user has been informed. So, outbound data so you know what's going on and you can build your alerts off this and separate these things into different buckets as you wish. There's also searchable data, right? We talk about reducing your attack surface. And one of the age-old sort of parts of that is patch management. But if you don't know the current state of an operating system, you don't know what CVs are within that operating system, how are you going to go back and look? You may also want to go back and look at old threats, old alerts, and you have that ability also within this API data set. So, that's what's going on on the right-hand side. And then to sort of complete that loop at the top there, where you've gone ahead and said, all right, we've deemed that this particular domain is a bad one, we want you to block it. If you're an advanced customer, we give you a mechanism to upload up to 15,000 entries into a deny list and premium customers can take it a whole step further and get 150,000. So, this allows you now to get feedback from us, look things up, and make blocks yourselves on what is going on. Now, that's our current state of our APIs. What we're currently also working through now is the concept of a web activity feed. Now, remember we talked about you've got to balance privacy. This isn't for everybody, but you may have rules that say, all right, we're going to take this data, we're going to put it somewhere else, and we'll look at it if we need to go back and review it. But you've also got that thing now where it's like, Windows or your traditional feeds, as I'm blocking these domains, how do you know that Lookout's blocking it? Can you go and see, hey, has any mobile device been to that domain recently? Where are they going? So, you'll be able to take a look at that. And again, it's going to be locked down with yet another API key, and we'll touch on those shortly. But that will be available to our premium customers to give you that ability to go in and chase down what's happening. All right, so we move on from this and just sort of touch on these things, right? We have our mobile intelligence APIs, hopefully you all caught the webinar earlier this year, where we talk about what we've just released. So, service and events is one form, but we'll touch on that when we look at the demo and the various different things that are going on. So, if we go to our next slide on this, you're going to see in the console that Swagger files are there for you to look at. And so, what I'm going to do right now is I'm just going to stop with the slides because they're boring, and we'll go take a look at a demo. Okay, so here what you've got right now is in our MES console, if you're running a version high enough, you'll see external APIs. These live under system, and they're right here. Here's your external APIs and all the definitions for these APIs, including how to authenticate and how to get at them from curl commands, for example. So, when you look at this, you'll see OAuth2 token. This is how you get your authentication token to access the APIs below. The API keys themselves, application keys, are generated above. Pretty self-explanatory. I won't dive into that too much. You generate a key, and then you can access these endpoints. First endpoint that I'm going to touch on is the events API, and you've got a couple of choices here, right? You can just subscribe, and then you get events as they happen. They just flow in. You grab them, but when they flow in, you can filter them. You can say, all right, I want to register just for device events, just for thread events, or just for audit events, right? You can do that within this, but you can also just check in periodically. You can reach out and say, all right, give me everything since this date time, or give me everything now, and then everything. Once you get that, every event will have its own ID, and you can turn around and say, well, give me everything since that last ID. You don't have to worry about overwhelming yourselves, because the data of this is only available for 10 days, so there's only going to be so much you can get out of this. Just don't lose track of it, and don't disconnect, at least not for too long, right? Because then you'll just have more data to plow through. So events API is structured there. There's also the ability to go looking for smishing alerts directly, right? Now you're pulling. This will stream all these alerts out to you, and you can look at them as they happen, but you can also come back and query. I want to have threats or alerts that match a certain set of criteria you've got, and you can also do it with devices, and I'll show this off a little bit. And then down here are the different vulnerabilities that you can gain access to all the vulnerability endpoints that you can take a look at. Skipping through some of the configuration APIs to the threat feed API, we mentioned this at the top. You have the ability to create a feed, and then you upload a CSV file to that feed that will contain the domain and the action that you want, and you can either do it by appending to the existing one or completely overriding what was there before. So the choices are yours. So again, from there, we're just going to take a step out of this, and let's have a look at what actually happens with some real data, because this makes a ton of sense, right? You've got an access token request, so this points to an OAuth2 token endpoint. I'm going to send my key in, and I'll get a brand new token back. I've already scripted this thing up, so it will simply allow me to play from here. Now, I'm going to jump down to OSes first, but we'll go by use case, and I'll start with operating systems. So I can hit ascend on this. So now I've got a list of all my operating systems in my fleet. So now you can see exactly what's going on in your environment right between the two. So it's broken up between iOS and Android. So if there is a device enrolled to my MES console, you're going to see the operating system here within this screen. So you could now turn around and say, all right, well, I want to know the operating systems associated with a particular version. So I make a call looking for everything within 17.6, and sure enough, I've got 233 vulnerabilities associated with that OS. Or if I want to go by Android, I can do it by Android security patch level, and we'll pick the one at the beginning of 2024. So again, that's well over a year old, but you can get the idea, right? You can roll through it. You can see what's happening. And you can even pull back individual CVE details if you really need to. So from an operating system patch level, sort of paying attention to what's going on, you have the ability to do that. Now, we talked about streaming events. You do have same thing, right? You open up an HTTP connection, and then every five seconds, you're going to get a heartbeat just maintaining that connection. But that might not be what you want. You might turn around and say, well, I don't have the capability to handle, at least immediately, a server send event. So give me everything since April 1st with a type of threat. So I'm not going to get audit events. I'm not going to get device state change events. This is just me saying give me all the threats. So I do a send, and then all the information rolls in from here. So I've got all sorts of different classifications. What's happening in the world? And again, the only thing to be aware of is going to close that once you've gotten it, so you don't get that heartbeat every five seconds. So let's keep going and have a look at some other things that we want to look at. Let's have a look at all PCP threats. What's happened in my world? What sort of things have I blocked? So since I set this up, last six months, these are the phishing and content protection threats that we've happened. You notice they're all resolved, right? So the phishing ones, we block it, it's resolved. Unlike other threats where you might have a device that's installed something or is out of compliance with one of your policies, those are going to stay open until they close. So in here, this is a phishing threat, or we could go looking at smishing. How many smishing events have happened in my environment since we rolled out the feature? And I can see in here, I've got four. Not huge, but it's just a test environment, right? I've got a couple of CR fraud. I've got some embedded phishing URL. And if I want to, if there was a specific one, I could roll into here and say, just tell me specifically about that one threat, because every threat, whether it be a operating system out of date, you've got malware installed, there was a phishing alert, there was a smishing alert, all gets a GUID. And they are all tied into a device GUID. So all of these things are related. So anything you see, in many cases, you can go back and look up based upon at least the target of what's going on. And we can see in here that there was an alert, went to this device, and it was CR fraud detection. So we could go look up that device and say what's going on. Other things that we've got that we can sort of think our way through is show me all the devices that currently have a high-risk threat, right? And I've got in here, I've got smishing permissions not accepted, right? I've got denial listed apps. These are all my high-risk threats that are out there. It's like, okay, I can drill into those, or I can now turn around and say, look for specific users' devices. If I know that I've got a troublesome user, and she can be. Or we can go into device filters and say, just show me every device where it's currently got a threat status of high, right? So I send that off. And if we look at this, here I've got a device GUID, right? The enterprise it belongs to. If you're an MSSP and you're trying to manage multiple of these, this enterprise GUID will allow you to differentiate between your various customers because each customer would have their own tenant. But I can look and I see, okay, I've got a high-level threat. What exactly is happening, right? So for here, what I'm going to do now is I'm going to go say, all right, tell me just all the threats associated with that device. So in this particular case, I'm actually going to say for this device where the risk level is high, tell me what's happening. So I can pull in and right at the very top, I have a application and it's a Trojan. So what we're going to do is we're going to go back into our console. We're going to take a look at this a little differently. I'm going to capture the SHA, but then I'm going to pivot back into the console just so that we can take a look at what you could do next. It's one thing to know this is going on. Typically, now you're going to raise up a ticket. You're going to go reach out to the user and say, you need to get that thing uninstalled, or maybe you've got other workflows that you want to use to get them out of the way or maybe deny them access to corporate data. But what can you do if you're in the console? So I go back and say, all right, I want to tie in. So we know it was this user. You can drop in. You can see the risk. You can see that as a high level risk, it's still open. And you can see what's going on, or at least at the high level, why we decided it's a threat. So now, as a security person, you want to say, well, tell me more. If you're running MES Advanced, you're going to be able to look at this now, and you're going to be able to say, OK, this is what I know about this application. It's on one device in my fleet, so that's OK. But what if you'd gotten 40 of those alerts? You would have seen them all pile up in your scene, but you could also come in here and see how many you're having. Now you can pivot out. You can go to the research console if you're a premium customer. And this is one of those values from premium, because now you can dive in and say, OK, there's a lot going on. Now I'm going to shortcut a few things here just for the sake of it, but I can go into behaviors, for example. I can see the different things that are happening within this component. I can drill down, take a look at everything that's going on. But let's go down to host names, because host names are fun. And I mentioned earlier that perhaps you've got multiple uses for this. So first of all, is this the only app that Lookout knows about? For those of you familiar, the research console lets you look at their entire corpus. So it's like, well, nope, multiple apps targeting this, and they're all bad, hence the malware. So I'm going to go get another opinion. I'm going to grab this. I'll go to VirusTotal. VirusTotal, what's going on? Tell me what you think is happening. All right. These guys, too, are saying this is malicious. We'll go to another one. We'll go to the open thread thing on level blue. Why not? Pump it in again. I've got an IP address. What are you telling me about this? So, yeah, not pretty. And if you look over here, there's a lot of Windows malware tied to those endpoints. And so we go, okay, now what we've got is we have a piece of mobile malware, also using the same infrastructure as Windows malware. This is why we start thinking, hey, you really need to be aware of what's going on in your mobile world, otherwise, what are we going to miss? And if we look further into this, you can see, okay, this is the threat group that's going on. So from this, you've got an indicator from a mobile device that somebody is doing something. And then you go and correlate it, see what's happening in the other side of the world and say, okay, you know what? This is also tied to malicious activities, also on Windows. Now, if you think back to what we did here, we pivoted from sort of the thread itself. We went into the research console, and we sort of looked at what's going on. But maybe you don't have access to the whole console. Maybe you're just a researcher. So copy it from here. So if you just have a research role, so you don't have access to the rest of it, you can just come into here now, say, show me the application that Lookout just flagged as being malicious. So now what we're going to do is we're going to search the corpus for that SHA-1, and there you go, right? So it ties in. So you don't necessarily, as a premium environment, right, you might have IT in one place, you may have security in another, where security is really worried about the day-to-day threats, and if you want to go drill in more, you can do this here. So a bit for everything. All right, awesome demo, Alan. Thank you so much, because it is true what it says on this slide before we jumped in there, demos, because guess what? Docs can be boring. So I think that's most of it, Alan. I know we have just a couple more things here. I know we're coming up close on time, so I'll just say to folks, if you have questions, send them to us afterwards. I'm not sure we're going to be able to get to them at the end here, but Alan, I'll hand it back to you. Outstanding. So at the end of the day, right, we've gone through, we've looked at all the data you can see, and again, as Hank mentioned right at the very beginning, the canary's in the coal mine, right? Mobile will give you indicators as part of an overall campaign. You should be watching them anyway. You don't want to be these guys, right? They're all sitting there and looking around going, what happened? They've been paying attention to their little phone at the front. They might not be in this situation. So hopefully you got some value out of this. You understand the tools that we've got available. We're going to continue to grow that tool set. And as Hank mentioned, if you do have questions, please reach out to us. We'd love to hear from you. Yeah. Thank you everybody for joining us today. Alan, thank you for the time and the demo and all of your insights as always. And thank you folks for joining. We'll be sending some follow-up afterwards, like I mentioned, with that threat report and a couple of the resources. And yes, please do reach out to us with any questions. So thanks so much for stopping by today. And we hope to see you on our next session.