Video: Vulnerability Prioritization Workshop: How to Take an Intelligence-Driven Approach | Duration: 2332s | Summary: Vulnerability Prioritization Workshop: How to Take an Intelligence-Driven Approach | Chapters: Vulnerability Prioritization Workshop (9.36s), Introducing Vulnerability Intelligence (115.11s), Intelligence-Driven Vulnerability Management (323.34s), Operationalizing Threat Intelligence (715.085s), Threat Map Prioritization (1102.375s), Q&A and Conclusion (1836.05s)

Transcript for "Vulnerability Prioritization Workshop: How to Take an Intelligence-Driven Approach": Alright. Hello, and welcome everyone to our vulnerability prioritization workshop. I'll give everyone a few moments to find their seats, get their beverage of choice, and we'll get started momentarily. Awesome. Well, I think we can, we can go ahead and get started. Thanks again, everyone, for for joining our vulnerability prioritization workshop. We're gonna walk through how to take an intelligence driven approach. Before we get into our agenda and meeting our speakers, just a few quick housekeeping notes. First of all, the recording will be sent out to the email you registered with. So if you want the slides, if you want the to, you know, go back to the specific section that you really liked, that recording will be coming out, hopefully, within the next twenty four to thirty six hours after the webinar concludes. If you don't receive that, please reach out to us, and we'll make sure that you get your copy of it. The other point to make is that we have a bunch of experts across vulnerability management, vulnerability intelligence collection, engineering. Please do take advantage of them. Reach out at any point in the chat or q and a function. We can make sure to get through any questions throughout the presentation, and we'll also have dedicated time at the end. So please don't be shy and make sure to ask any questions that you might have. With that, we can meet our speakers. So I will introduce everyone. And since we are talking about, vulnerabilities, I'm gonna ask everyone for the, their icebreaker of what sweet treat are you most vulnerable to. So I'll I'll kick it over to Tom. Hey, everyone. Tom Davis here. I'm a senior solutions architect of RecordedFuture, and the, sweet treat that I probably would give a CVSS rating 10 would be, mango sticky rice. Whenever I'm in Thailand, if I don't have mango sticky rice every day, so they won't get to it. It's a plain sweet fruit. I'd call it healthy because it has fruit in it, but I'm I'm happy to battle that one. Pass it over to Adam. Yeah. Hi, everyone. I'm, Adam Hirsch, also a solutions architect here on professional services. I've RecordedFuture working with Tom. Let's see. I'd have to say, as of recently, it's gotta be cherry Coke. Probably putting down, like, one or two of those a day, you know, over the past weeks. But, we're tapering it back. We're we're mitigating that a little bit. Well, the, one of the pods and I'll turn it over to you, Christie. Hi. I'm Christie Simmons. I'm the product manager and engineering owner for the vulnerability intelligence module here. I'd say I'm vulnerable to most sweet treats, but I think maybe maybe the strongest one is, mint Oreos. Okay. Awesome. And I'm Sam Langrock, team lead on our product marketing team. And I can't can't resist any any fresh baked chocolate chip cookies. That's why I'm wanting it to. But, without that, with with with that covered, we'll, get into the presentation. So I'll kick over to Christie to start with our agenda. And like I mentioned, please feel free to reach out, in the chat or q and a, and and send us your questions. Thanks, Sam. So first, I'm gonna go a little bit into what what vulnerability intelligence is very briefly, and then hand it over to Tom and Adam. They'll talk a bit about a good, like, vulnerability management program and why and how to adopt an adult intelligence driven approach and then a little bit about services available. Alright. So so what do we mean by vulnerability intelligence here? So what we're talking about here really is just being able to prioritize an action on the most important criticality or the most important vulnerabilities before they impact your business. So some of the the key use cases that that we think about here are prioritizing vulnerabilities, making sure that you you patch the most important ones to patch, of course, as well as responding to to zero days quickly to avoid a breach. And, of course, we wanna be able to track the any vulnerabilities based on the technology your organization uses and then be able to get some visibility overall to to the vulnerability exposure of your organization. So, yeah, that's just kind of a very, very brief highlight of vulnerability intelligence. And I think now I will hand it over to Tom and Adam for the meat of this. It's firstly to stay with you. I'm gonna kick off this first bit about, like, what makes a good vulnerability management program. And I'm specifically here going to be talking about an intelligence driven one. So, So, yeah, how can we let you intelligence as part of one of the management program, words to plug it in, provide places, plug it in, and then we'll begin can give you some use cases, that could be actionable at the end of this. So it's like, giving you the takeaways for, like, where where to plug in the problem with the intelligence and how to get more value out of it. And we're starting with the three pillars of an intelligence driven vulnerability management program. These three pillars could be used as a framework developed developed towards, and these pillars help you move just beyond CVSS. And that's the three critical questions. So intelligence, environmental, and organizational. So first of all, we're looking at how dangerous is it and how likely is it to be exploited in the intelligence aspect. And environmental is, like, hang it to your organization. So are you vulnerable, and where are you vulnerable? An organizational pillar is all about what can you actually do, will you fix it, and can we fix it. So moving beyond CVSS, so what do we actually know about the vulnerability, and what can we do about it, tying it to your organization. So starting with that first pillar, being intelligence, how likely is this to be exploited? We're starting with external threat intelligence. So is it being exploited by threat actors in the wild? Is there a chapter about it on the dark web? What's the curve? What's the EPSS rating? Pulling in all of this information. This is really where Recorded Future can provide the most value because we're getting in all of this, and we're summarizing it and distilling it for you into one nice, neat, little risk score. We're actually gonna apply intelligence across the board here. But, of course, intelligence being what we know about our vulnerability and us being an intelligence company. This is really where the the bread and butter of the value we can provide is. But when we tie it down to the environmental pillar, which is where is it, how bad would it be if it was, exploited, it's all about for your organization. So where is the vulnerability? What's it exist? What assets is it on? Is the assets the vulnerability exists on? Are they critical assets? Where do they see it? Production, not production? In front of firewalls, behind firewalls? It's all about asking the right questions to go from many vulnerabilities to understanding the risk about them to your risk about them to what you can actually do about them. So this pillar really helps to understand the impact if the vulnerability was exploited, not in general, but for your specific organization. Finally, the organizational pillar. This is what can we do or should we do about it? So it's applying that business context, understanding if the vulnerability can be patched easily. So does the patch exist or does it not does the patch not exist? If the patch exists, do you guys have access to the system? Where is the system? Is it actually going to break business operations by patching it? It really is the an organizational decision, not just a vulnerability management team decision because you have to talk to the right people and get them involved. Engaging patching patching teams here is also another thing, providing them with the right context to go like, instead of here's a list of a thousand vulnerabilities that we picked up on Tenable we want you to patch. It's the here's the top 10 vulnerabilities out of that list that we want you to patch, and here's why. So adding in that context, and that's definitely something that intelligence can, be used for as well. The next section I'll get gloss over is the why is it important to have a intelligence level in the management program. So here, how we'll dive into a bit is all about, attaching it to some of the main struggles I've heard from when dealing with customers, understanding the core problems that they have. Maybe it's they have hundreds of thousands of vulnerabilities up to millions. And where do they start? Maybe that's because they're using CVSS. But I'm also really interested to understand what some of your key struggles are. So if you don't mind chucking anything in the channel, if you have any, struggles with what what your main struggles with vulnerability intelligence not vulnerability intelligence, your vulnerability management program, and then, hopefully, be able to see, like, we can help out with vulnerability intelligence and applying it to the at the right place. So why have an intelligence led program? Now that we've covered how to think about vulnerabilities using those three pillars, the intelligence, environmental, and organizational factors, The next question really is, why is this approach important, and why is it important now? So the first challenge is simply volume. Most organizations are dealing with tens of thousands of vulnerabilities every month. But the thing is, only a small fraction of these are actually being exploited, so the problem isn't actually detection. The problem is prioritization. And this rings true from when I've been running the vulnerability analysis service with customers. I've been handed vulnerability scans, which have contained tens of thousands, hundreds of thousands of vulnerabilities, and they're just swamped. And there's when you're basing off of CVSS, you really don't know where to start. So relying on CVSS scores, you're missing a huge part of the picture because CVS isn't telling you everything that's being exploited by threat actors or if it's part of a ransomware campaign or if there's a working exploit out there. It's not designed to keep up with how these threats are evolving, and this really is where threat intelligence comes in, adding that missing context, helping you adapt, and make some of those decisions. So the real goal here is stop trying to patch everything slowly, but start patching what actually matters fast. So using the threat intelligence to go from a large number of vulnerabilities or feeder vulnerabilities that come in to highlighting the vulnerabilities there that are actually the most important and pertinent to your organization. Finally, the context. When you have to justify why one vulnerability should be patched over another to leadership or or or orators or regulators or patches, Fire Intelligence can help you, giving you an evidence based reason for why a specific vulnerability should be patched. So this is one of the things that, like, in that organizational column, even though when the intelligence will sit on the the less of it, Intelligence can plug in here and help you when you're having to deal with other teams and provide that context and the reason to why a specific vulnerability should be prioritized for patching. So that's the why. In In the next few slides, I'm gonna show how, we can actually embed front of the intelligence into these existing workflows and highlight some specific use cases for where we can deliver value using threat intelligence. I'm gonna take off the first one, then I'll hand it to Adam to do the rest. The first use case we have is operationalizing intelligence with scan results. So it's all about taking, scan results, so from Tenable, from Qualys, That that's all that you have in those tools and it's helping to understand where to start from, taking that data, enriching it with Recorded Future threat intelligence, and going, okay. Now I actually know the context and which vulnerabilities pose more for others. We can delve into it further. I've pulled out a few, vulnerability risk scores, and so I should go back a little bit in terms of a bit of an overview of how intelligence works. But as Christie was mentioning at the start, vulnerability intelligence looks at, what specific things are happening to specific CVEs and how are they being used and what do they apply to it. So, whether that's, it's being linked to ransomware or it's attached to malware, All of these, we attach to CVEs, and that will change the risk associated to them. So if we knew for entire vulnerability scan for your organization, where some of these risk will sit, we can delve specifically into those, and we're going from large numbers of vulnerabilities down to the ones that actually matter. These are just a few. There's a link at the bottom of the slide that was also dropping to the chat, which is, the vulnerability risk rules. There's a there's a list of many. I will say there's 39 of these, but these are some of the, like, the most important and pertinent ones that we'll just delve into on the next slide. This is the, the process for, we we are using a Python script, which takes in that vulnerability scan from Rapid7 Tenable Qualys, enriches it with vulnerability intelligence, and produces the key findings we're about to delve into. The script does a few things. It outputs in a bridge scan. It produces some risk score statistics and some counts the counts and the prevalence in the ones that I'm gonna show you today and show you, like, the value of, like, an approach like this, how we can go from, you know, large quantities of vulnerabilities, the ones which matter to your organization, and then also the rest distribution. There's also a few other analytics that these scripts produce, but I haven't dropped them all on here. On this first slide, apologies if it slots a little bit small and you need to move closer to the monitor, but this is one of the tables that, the scripts produce. And it shows from for this case, there's an example, vulnerability scan, using some dummy data, which just contained, high severity and critical severity, vulnerabilities. And then we enriched that with Recorded Future vulnerability intelligence. And then the things that we actually pulled together here, that, like, if you were just basing your prioritization based off the CVSS score, you can see that the risk score the number of times we've seen that risk score triggered is around 10,000. However, when we actually delve into the specific risk rules, which are the the pertinent ones I had on the slide before, such as, vulnerability being exploited by ransomware or exploited in the wild by malware, we're getting down to, like, 14 vulnerabilities, 26 vulnerabilities. So we can actually understand, the the vulnerabilities which are the most the the most important that we should prioritize our patching for. Hopefully, you can see how this is, like, really actionable going from, like, doing a vulnerability scan to then enriching it with intelligence and then knowing which of those vulnerabilities that you have in your environment are being exploited by ransomware, are being exploited, by malware, or we have other intelligence of, like, maybe our group is developed for it. Another one of the key findings that we produce, is a correlation between high risk CEEs. So this isn't high risk based on the CVSS score. This is high risk based off of recorded futures risk score and then the prevalence of these across the organization. So this case study, when when we actually did this correlation, the two that we found that had high Recorded Future risk score and a large number of prevalence, so the two at the bottom, the CV twenty twenty three, six three four five and twenty three four, four six seven one were both actually Chrome vulnerabilities, which gives a different lens. It goes, okay. Well, the CDs with high risk that are the most pertinent in in this example, actually Chrome. So it could be patched relatively easily by, like, forced regular updates and and reopening of current. So it's a different way to look at your the vulnerabilities you have and how you can delve into it. Another way that we actually apply this and can join that intelligence pillar with the environmental pillar is this calculator. This calculator is baked into our ServiceNow integration. This ServiceNow VRM integration takes in, of course, your CMDB, so to some lots of other calculations, but can also take into Recorded Future Intelligence on vulnerabilities. And this calculator shows how it's all, merged together to give you one score, taking into account all of the information from the CMDB, such as the business criticality. So, the context as to where that system is and, is is it critical or not critical? The environmental aspect. So is it in production or is it in development? Then the firewall, is it, like, inside the firewall or outside the firewall? All of this stuff can then be applied and also included with the Recorded Future risk score and merged together to give you that overview. That wraps up the first section of one of the ways of, like, utilizing vulnerability intelligence, merging it with your vulnerability scans, and then giving you a lens for prioritization as well as an introduction into important intelligence led vulnerability management program would look like. I'm now gonna hand over to Adam to delve into use use case number two, which is threat map prioritization. Yeah. Thanks, Tom. So next, we're gonna get into, another lens you can start applying to, view your scans. And in this case, it's with the use of threat maps. So real quick, what are threat maps? Again, at Recorded Future, we provide these threat maps for both threat actors and mailer families. And we define and present, in this case, relevant threat actors on the map based on, these two following axes, opportunity and intent. Really, intent is, you know, has this threat actor presented previous interest, against specific organization, appear in your industry, third parties, so on and so forth. And opportunity really is correlation between that threat actor's capabilities, and your organization's vulnerabilities. How capable is this threat actor to perform certain cyber attack using one of these vulnerabilities? And the interesting thing about these threat actors in this case here, we we they contain technical links, which are verified relationships between infrastructure they've seen in using, infrastructure they're using in their during their exploits. This can be tied to IOCs like IPs, domains. But in the case for today, we're gonna be talking about vulnerabilities. We can begin to build a mapping of these technical links, to the CVEs with a scan result similar to the prior use case, and then begin prioritizing these high severity threat actors, or malware families on your map against your scan results. And we do so by correlating those vulnerabilities exploited by those threat actors via those technical links, those verified relationships with the scan results. And we also factor in the prevalence of those vulnerabilities across assets. In the case here, we started out with what was originally in the thousands of vulnerabilities, with the sample data and actually boil it down to about eight or so vulnerabilities based on those high severity threat actors on that map. And this is also where we find CVSS actually being more useful when it's combined with threat intelligence. So we took Recorded Future threat intelligence and actually bubbled up the CVEs tied to, like, malwares that matter. Then we incorporate CVSS exploitability metrics because it's a consistent, transparent, and rather automation friendly way of aiding prioritization. But, again, it doesn't factor in the threat actor intent, the malware, prevalence or intent or active exploitation, until we combine it with the recorded future. So then we can begin prioritizing based on those severe malware families. So So you've identified which vulnerabilities you'd like to begin patching. You know, we worked our way from hundreds or thousands to a handful, so it's a manageable amount, but you still often have to engage the owners of that asset or the patch management team who's responsible for rolling out and provisioning those patches. And oftentimes, they require a little bit more justification than saying the CV is bad. So let's figure out how we can actually provide a concise, descriptive reason why we should patch something. So in the Recorded Future, we provide what are called AI generated summaries that can help your vulnerability team clearly communicate that severity to those patchers, speeding up the patching, and minimizing time spent on actually curating these reports or, justifications, however you like to refer to them. So within any of our CVE intelligence cards, we provide in the bottom left, you can see a snippet of a Recorded Future AI insight, which is pretty much aggregating all the evidence details we have around a vulnerability and other CVSS metrics, maybe which malwares or threat actors have been seen exploiting this vulnerability, a little bit about the products that are affected. And it brings us all together to create, like, a nice concise little summary. And, hey, I'm I'm sure some of you have had struggles conveying why to patch something. Maybe the struggle, stemmed from just spending the time aggregating all this information. So we recommend just trying out copy and pasting this description right here and dropping it in that ticket or, however you relay that information to that patch management team. These AI insights are also able to be returned from the API too. So in any of those correlation scripts we were mentioning earlier, these are fields we can also extract and apply in a bulk enrichment manner to your entire scan output. And, you know, we recommend incorporating them with that affected asset when you found the discovery date of that CVE, add in an AI insight, and any other remediation steps. But we can take this one step further with the use of our, Recorded Future AI assistance. We have a nice way of interfacing it through natural language. And by doing so, you can query your intelligence graph and create even more descriptive outputs via prompts. Like, for example, maybe let's we wanna write a proposal why an out of patch action was required for certain vulnerability. Or on the opposite side, what comes in and controls prevent this vulnerability from being exploited? A lot of times, some vulnerabilities don't even need to be patched because you have compensated controls in place. Well, you can always utilize these this, this prompt just to find out what mitigating controls would prevent this vulnerability from being exploited and then go vet out internally if you have those in place. Just a quick example. So let's just write a quick proposal why we might need a patch, CV twenty twenty five forty six thirty two. Immediately, you can see us returning a lot of that information presented in the in the intelligence cards, including the products and everything you see in bold are clickable entities. We include a CVSS score, a quick summary about what this exploitation is, and then given some of these factors that we're laying out, some actual bullet point steps of, you know, what why do we need to patch this vulnerability? What is the criticality of the CVSS score? Hey. In the past, it's actually saying there's some patches that have been rolled out, but they haven't fully addressed this vulnerability, as more severe versions could still be present, and so on and so forth. And if you'd like to find out real quickly what compensating controls for whatever reason you might not be able to patch something, maybe it's out of, out of scope or it's just a bad time of the year to actually deploy a patch. So you might be interested in setting up some compensating controls to prevent this from even being exploited. And real quick, we output, we input the prompt and output several steps that we can follow through. For example, could always implement some firewall rules blocking access to various endpoints as part of this product, or maybe some access control lists. Or within that product, maybe there's some component that are actively used by those product owners. We can always, disable those features, or maybe some web application firewalls, etcetera etcetera. But these can often be useful when you're trying to create some justification maybe why we can't patch it, but we are still covered. And in the case you just simply can't patch something, mitigating controls aren't enough, or you don't have the correct ones in place to prevent something from happening, there is still a way to manage exceptions with the use of our vulnerability watch list in our portal. And, again, these exceptions are based on information you're presented with at a specific point in time, and conditions and the variables will change over the course of weeks, days. And if a vulnerability becomes more actively exploited, quarter futures identifying more exploitations happening, new proof of concept code is rolled out, it can be important to revisit and reassess these exceptions, but this can be difficult. Keeping track of a handful of vulnerabilities might have exceptions in foreign place. So we can tie these watch lists into Recorded Future playbook alerts, specific for vulnerability intelligence. And as these watch lists are populated, risk rules change, new evidence details are released. We've seen something new happen in the wild. You could then set up alerts to to inform you of any of these changes to backtrack to that triage and exception discussion phase. And lastly, if you'd like to simply populate these watch lists entirely based on your entire scan results, we do have two connectors available today, for Tenable and Qualys, Setting these up will auto populate your vulnerability watch list based on your most recent scan data. And this will also account for, any stale CVEs that they're no longer observed within your last scan results. They'll fade out of these watch lists, creating actionable alerts that you won't have to tune and close out due to false positives. So we do recommend exploring any of these connectors if you do have either of these products. And, also, if, you know, you're using something else, curious to see what scanner you might be using if you'd like to drop it in chat or, just get in contact with your CSM if you'd like if you'd like to submit feedback to see us build out a new connector for a different scanner, you know, including endpoint scanners. So kind of summarizing all of this, pretty much everything we walked through regarding those, integration use cases regarding correlating your scan results either on a risk rule, risk score based approach, or via ingesting those entire threat maps, extracting those technical links, and correlating your scan results. And professional services here, we we can certainly do this for you. We can work with CTI analysts responsible for identifying those vulnerabilities, the vulnerability management teams themselves, anyone really, with an interest in mitigating, your vulnerability exposure. Really, the only thing that requires of you is just to send, the professional services team, a comprehensive set or a subset of vulnerability scans through our secure file sharing service. And we'll process your scans for you, analyze them, and pick out those vulnerabilities that based on your threat maps or your with the risk rules hitting against them, walk through a presentation for you, and if applicable, work with you or your engineers to embed any of the script logic into your existing vulnerability management programs. We are aware that probably many of you on the call today here have pretty sophisticated, complicated, built out vulnerability management programs tying into many different platforms, many different endpoints. So this is something we'd like to help work with you to try to embed any of our API endpoints into that existing program, walk through some of the logic, help you understand various evidence details returned. But this is certainly something if you're interested in, we recommend reaching out to your CSM, requesting it through them, and we can align a workshop, tailored based on your scan results. If you if you were, interested in what you saw today, we can run through that for you. And that really concludes what we had a walk through today. Sam, I'll kick it over to you if you wanna run the question and answers. Yeah. Thanks, Adam. Thanks, Tom. Tons of great questions that have come through. Haven't seen not often on a on a webinar with this many questions, so great to see the engagement from from everyone here. I will run through a few that have already been submitted, but, again, please feel free if you do have a pressing question to just drop that in the chat. I'll start with one for Christie here. So what happens when there is a one day that isn't yet in CISA's kev? Yeah. So so this is something where the fact that we have lots of different sources really helps us. We're we, of course, use CISA Campus, one of our sources of sign signal for something that's being exploited, but that's actually our first source only about 25% of the time. So we have a lot of other sources where we get information about vulnerabilities that have been exploited that will cover that that gap. Perfect. And then question for Adam and Tom. So the scripts and the calculator you walked through, how can someone get access to that? Yeah. I can take that one. Again, I would I would simply recommend reaching out to your CSM, and they can put you in contact with, most likely, Tom and myself, where we can walk through the actual logic in the script with you and then hand it off to you. Or if you'd like us to simply hand it off, I'd say get in touch with your CSM and we could get that over to you, on that way. But we're happy to walk through to any questions. Tom, anything you'd like to add there? Yeah. Just touching on the the calculator there, the question. Yeah. So this calculator logic is embedded as the defaults in our ServiceNow VRM integration. And isn't actually something we've built out into other integrations yet, mainly due to, that the, a large large variety of scanning tools and the large variety of, alpha DB tools building something that considered the middle and match all of these. It is it's very challenging because there's the combination is is a large amount, but, with ServiceNow VRM, it makes it slightly easier because it's the CMDB, has the asset information and pulls in the scan results. So it makes that a little bit easier. I'm definitely keen to explore this one a little bit further, though, so if you have any more questions or can provide, yeah, more information on your specific, setup or context. That's definitely something we can look into on our side in terms of, providing this logic or potentially scripting it out and adding it into a script. But there's, because of the amount of customization that's in asset DBs, there has to be, lots of configuration that happens on that side. Perfect. Thanks, guys. And then question around the AI agents that, Adam locked in. So that's actually available for users of the threat intelligence module as well as geopolitical intelligence module from Recorded Future. As you can see, there are some AI components baked into a CB intelligence card. But currently, the chat is only accessible if you are a user of the threat intelligence module. We got some, we got some love for Rapid7. So people looking to, connect to Rapid7. I know that is is one of the, other solutions that our team is researching. So, Yeah. Just touching another bit on this is that one of the things that we haven't showed on this, but it we have documentation available in our support portal for, is that we have a Python script that enables you to update your watch lists. So if you're using a Rapid7 or any other vulnerability scanner that isn't on those two connected things that Adam showed, you are able to export from these, export to CSV, run this type of script locally, and now pull out the CDs and then populate your button with the watch list with that. So, it's a slightly more convoluted workflow, but possible. But, yeah, thanks to for, yeah, sharing which tools you're using because it's good for us to know what's going on in both and their efforts. Yeah. It's a good point Tom. We got another question around, can this be integrated with, an ASPM solution? Is that something we can also have also kinda use the, the API for for? Yeah. I can take that one. I I would I would imagine, yes. The list API, you know, it's if you're Recorded Future customer client today, the list API is free for you to use and build into any of those, any workflow, any tool wide tool that you're already scripting with. You know, maybe it's Wiz today, but if you're pulling back any product or vulnerabilities from Wiz locally somewhere, certainly can work with that list API to, populate vulnerabilities. We also have a tech stack watch list for actual products themselves too. And I'd say those two watch lists, are what you really want populated to generate the most actionable playbook alerts. Awesome. And then, kind of, you know, topical conversation, like, at least the news cycle. How are you gonna solve the current issues with the NVD? There are news reporting that'll probably end. Christie, I know you've kind of researched a lot of that. Anything to add here? Yeah. Absolutely. So, yeah, our our current approach here is that we are we are working on adding additional sources of data. So right now, I guess, since the slowdown in NVD in what was it? Late twenty twenty three, maybe early twenty twenty four, we've been getting data about a lot of the key elements of CVs from other sources. So that's one part of it that, of course, doesn't address if CV is stopping assigned altogether, which is something that, I'm currently evaluating other other sources for, and aim to to have redundancy there as much as possible. Fantastic. So I think, no new questions have come in for a little bit. So I think if you are a current Recorded Future customer and are interested in learning more about what Tom and Adam talked through today, again, as Adam mentioned, reach out to your CSM, reach out to your account director, see if they can set up time to start working with our professional services team, to really make sure you can take an intelligence driven approach to vulnerability management. You know, Tom and Adam have worked with a number of our clients to build up this approach. So there is a tried and true practice here. And as you can see, they are kind of wizards of, of what they're doing. So definitely feel free to, to reach out and get that set up. If you're not a Recorded Future customer, you know, hopefully, we can cover hopefully, we covered a little bit about the use cases of vulnerability intelligence here and also some of the, additional services and capabilities we can provide so that we can make sure we can mature and grow your program as you onboard Recorded Future. But with that, if there's no more questions, we can wrap up. As a reminder, the slides won't be part of the follow-up email, but you will get the full recording, which, again, will have all the slides that we covered today. And if you do have any additional questions, please feel free to reach out to the Recorded Future at any time. We'll make sure that your question, is routed to the appropriate person and make sure we're working with you to get everything that you need addressed. So thanks everyone for joining today, and we'll talk soon. Thanks, everyone. Thank you. Cheers.