Cyber hygiene matters. According to the Online Trust Alliance, 93 percent of breaches in 2017 could have been prevented with basic security hygiene practices. But basic doesn’t always mean easy; the growing cybersecurity skills gap puts pressure on existing security professionals to do more with less, and do it faster.
On this week’s Security Intelligence Podcast, IBM Security Strategist David Moulton and IBM Security Vice President of Threat Intelligence Caleb Barlow tackle the concept of cyber fitness — creating a security training regimen that not only improves incident response, but helps enterprises develop muscle memory for IT security.
Cyber Fitness Builds Muscle Memory
Improvement requires effort, and cybersecurity is no exception. While hygiene best practices are a great way to call out potential problems and implement effective solutions, they don’t prepare organizations for the continuously changing nature of IT threats. For Barlow, teams capable of “adhering to a regimen of cyber fitness are able to perform well, not only in a cyber range in a controlled environment, but in the real world.”
The concept of muscle memory is critical here; even as threats evolve, teams that put in the work are better prepared to respond. Moulton compares it to training for a marathon: While companies may stumble at mile 19 and pick up the pace again at mile 20, consistent effort makes it possible to get past mile two without collapsing.
Do the Heavy Lifting — Without Collapsing From Exhaustion
According to Barlow, there’s another reason to invest in cyber fitness: “In the majority of the large-scale breaches we’ve seen over the last 10 years, the response to the breach is actually causing more damage than the breach itself.” Barlow calls out two key factors — lacking leadership skills and making decisions with limited data — that often get in the way of organizational response to IT incidents.
Security breaches require heavy lifting and quick decision-making with limited information under strong and confident leadership. It’s the equivalent of pushing yourself in the gym to lift the biggest weights possible and run at top speed until you collapse from exhaustion. Attempting this with no training results in limited efficacy at best and physical injury at worst. For cybersecurity teams, as Barlow noted, incident response without regular practice leads to breach responses that do more harm than good.
How Can Security Teams Learn How to Hit Back?
Barlow’s team studied the science: During IT incidents, teams experience a fight-or-flight response that impacts their ability to make good decisions. Add in the fact that they’re facing real-life adversaries that don’t follow the rules, and it’s easy to see where responses go wrong. Barlow compares it to a boxing match: “You’re going to get punched in the face. And if you don’t start punching back, you’re gonna get punched again.”
To avoid obvious haymakers, protect critical data and, yes, hit back, companies need cyber fitness training that includes active threat intelligence, agile run book development, and practice, practice, practice to ensure they’re able to both safeguard existing infrastructure and pivot around emerging attack vectors.
Pam: David, how do you think you’d do under pressure during a security breach?
David: From what I know, I don’t think I’d do so well. I don’t have a ton of training, and it seems incredibly stressful. There’s a lot going on. I’d actually want somebody who is a professional and knew what they were doing to help me out.
Pam: Aren’t we professionals? I mean, we are on a podcast about cyber security, so I don’t know that we’re inspiring everyone with a lot of confidence.
David: So is that not a good answer?
Pam: Well, I think it’s a fun answer.
David: You think so? I think it’s an honest answer.
Pam: I think it’s an honest answer, and I think that that really brings about the idea that cyber security response has to include all parts of the business. And maybe we could use some training.
David: Well, then how do you think you do under pressure during a security breach?
Pam: I do pretty well when I just think of other areas in which I faced emergencies. My son came home holding his wrist and I’m like, “Well, that doesn’t look like that’s how nature intended it to be.” And very calmly, like, “All right, let’s grab some snacks, get in the car, we’re going to the ER.” And then when everything’s done, you know, then there’s the shuddering moment of, holy moly, what did I just live through? So I feel like I can hold it together. But the trick is, is that I knew there’s a broken arm or a broken wrist. I know what to do. I go call in a professional. I call a doctor.
David: Right. But you don’t have a playbook. And I think the thing that gives me pause is when you think about a security breach and you think about being a parent, you know, I’ve got two kids of my own. In that moment, you kind of know, you need to go for the thing that’s causing the most harm, get them to a professional as quickly as possible, and provide the information that you can, and let the folks do their job. But in a breach, I think that you end up with the crisis thinking, you end up with a lot of different people in the business that need to be a part of it. And under that type of pressure, if you haven’t practiced, if you don’t know what you’re doing, things can go sideways on you pretty quickly.
Pam: That is a great point. And that’s exactly why in this episode, we’re going to talk about the idea of cyber fitness and why it’s so important to have a run book and to be agile in the face of a security breach
This is the Security Intelligence Podcast, where we discuss cyber security industry analysis, tips, and success stories. I’m Pam Cobb.
David: And I’m David Moulton.
Pam: So David, what stood out for you from this week’s interview?
David: I had a chance to talk with Caleb Barlow, and there were a couple of things that really stood out. First, this idea of cyber fitness. I really like this idea. It applies to your daily life. You know, you get out, you get a workout in, you start to be a little bit more fit. But that can apply to anything, and it actually applies to how you respond to a breach. Do you have the muscle memory? And it never really occurred to me that included in the idea of cyber hygiene was this idea of cyber fitness. And I think Caleb did a really great job of illustrating the importance of cyber fitness. He talked about some things like the Chaos Monkey that Netflix uses, and how teams that are really adhering to an idea or a regimen of cyber fitness are able to perform well, not only in a cyber range in a controlled environment, but in the real world.
Pam: I had an opportunity to work with Caleb for many years, and I love his passion for the idea. I love his enthusiasm. And having heard the interview I know that comes across, and I’m really excited for everyone to hear our conversation.
David: Caleb, could you take a minute and introduce yourself and your role here at IBM?
Caleb: My name is Caleb Barlow. I’m the Vice President of Threat Intelligence with IBM Security. And my role is actually fairly interesting because there’s two sides of my job. The first side is kind of the real part, right, where we go out and respond to security incidents around the globe. In fact, our team spans over 133 countries. And when bad things happen, we’re kind of like the equivalent of 911. Our teams respond in under an hour, and work with clients to help either identify what happened, or in many cases, help them restore and get back to normal. And that comprises not only a response team that we work with tightly in services, but also an intelligence team whose job is to try to figure out what happened, who’s the actor? What campaign is that part of this? And what are their motivations? And then the last part is an incident command team, that anytime we see a large scale event, or pandemic type of attack, like WannaCry, we stand up a fairly large team that can respond to that with full scale, bringing all the power of different parts of IBM to help in that response.
Now, the other side of my role is—as much as the first part’s about the real stuff—the other side of my role is about the fake stuff. It’s about running these large-scale cyber ranges where we have one in both Cambridge as well as one of the back of an 18-wheeler truck that drives around Europe. And these things are designed to simulate a large-scale breach. We do this with our clients, we give them the opportunity to hone their skills, but also understand, what is that worst day going to be like? Because the more we teach people how to best respond, the better they’re going to be able to handle that incident.
David: So Caleb, can you tell us a bit more about the behavior responses? The good, the not so good that teams have when they go through either a range experience or maybe even some of those real world experiences.
Caleb: I think one of the things that has really surprised me, as we have both looked at real world incidents, as well as those we see in our cyber ranges, is that more often than not, in fact, I would go so far as to say that in the majority of the large scale breaches we’ve seen over the last 10 years, the response to the breach is actually causing more damage than the breach itself. You know, what happens in these cases is this is way beyond just the technical aspects of doing a security investigation. This is about requiring a set of leadership skills to respond in a crisis that most teams are just not prepared for. You have to make decisions in a very short period of time because you’re up against a human adversary. They can watch what you’re doing. They can pivot, they can jog based on your reaction to the breach.
In addition to that, you have to make decisions with limited data. And that’s something that most executives aren’t comfortable doing. Most often, if we have a tough decision at work, we slow down, we build those decisions with data, we get more information, you know, we build a PowerPoint or hire a consultant. You don’t have the time or the ability to do that during a large-scale incident. And you have to learn how to process through what we call crisis decision-making, which is all about making decisions quickly, realizing that not making a decision is, in fact, a decision, and usually it’s not a good one. But also being used to and comfortable with changing your decision when you get more data or you when you get more insight. And this is one of the biggest challenges we see both in real world incidents as well as clients that come into the range.
David: So I think you’ve described that is less engineer, more EMS, and I really like that. If you were to go a little further, what preconceived notions unravel when a team steps into the cyber range?
Caleb: One of the things that happened when we first built a range Cambridge is, over the first few months, we started to notice something that was really interesting: that certain people were just very adept at dealing with these kind of chaos situations where all kinds of information is flowing in, systems are going down, you’re not really sure what’s going on. And, honestly, most executives that we would put through these simulations would really struggle. But probably about 10% of the people, we noticed, just seem to be comfortable in this environment. And not only did the chaos not faze them, but they were able to really look above that chaos and make decisions and really make sound decisions. And it took months to figure out what was different about these people.
We started interviewing, we started asking them questions, you know, where did you just go to school? What did you study? What kind of experiences have you had? And we finally realized there were two common traits. One, which now seems somewhat obvious, is many of them had military experience. And if you think about military experience, you know, you are trained to deal with tough situations. You’re trained to deal with making decisions with limited data. But this is also a field where you simulate and rehearse constantly what you do to the point at which is muscle memory. And we found the same was true, interestingly enough, with folks that had practiced in emergency medical services, EMS, so folks that have worked in emergency room in a hospital or worked on an ambulance as an example. And same kind of situation: comfortable making decisions with limited data, and also a field where you practice and rehearse constantly.
And over time, we actually went back to the science on this. And what we learned is that, when you are presented with a crisis situation, you get into the classic fight or flight mentality. And your amygdala takes over your thinking and your brain. In fact, when all that cortisol shoots around your brain in a crisis, you actually have about 17 minutes, that you can’t think as clearly as you do when you’re calm. And if you make decisions during that 17-minute period, they’re not going to be as good as decisions, you’re not going to process through them in the same way you would if you were kind of calm sitting at your desk in your office.
So how do professions like emergency medicine and the military deal with this? They deal with it by practicing, rehearsing to the point at which it is muscle memory. We don’t even need to think to make that decision. And this is what we’ve learned that we have to bring to cyber security. We have to train people to be able to, again, make those decisions almost like it’s muscle memory, where they’re built into not only a practice and rehearsal, but also actually built into the run books.
David: So you once told me about a customer who released malware into their own systems to see if their team could find it, and to really test their teams. Can you give our listeners a snapshot of what this team does to push themselves and then help us understand why they train that way?
Caleb: Well, there’s a fascinating thing that’s happening in the range that also fits in the realm of things we never anticipated, which is not only are we teaching clients a lot, but we’re learning from them. You know, this has become a laboratory for best practices where, as clients come in, they bring their run books, we look for ways to crack them. But we also see constantly good ideas and new techniques. And one client came in, and they’re using a process called chaos monkey. Now, this was first engineered, I believe, at Netflix. And the basic idea is that in an IT environment, infuse chaos on a regular basis into your production environment, make your team deal with it in production. And that team will then become much more resilient. So when it’s not you causing the chaos, when it’s actually a system or a server that’s down or a power outage, your team will be much more adept at handling it. This is a well-documented construct, this concept of chaos monkey, but we’ve never seen it adapted to cyber security.
So this client came in and they were using the very same principles. And what they were doing is, and I have to underscore this, in production, they’re dropping in not only your traditional kind of outages and things you’d see from an IT perspective, but they’re also dropping in live attacks. Now, obviously, they’re picking benign attacks that they know aren’t going to cause any real damage. But, you know, they’re detonating malware that their team should be able to detect. And they’re dropping servers, again, in a production environment that their team should be able to detect. Now, what’s amazing about this is, of course, this team has to architect their environment to be incredibly resilient, because they have to deal with not only real-world instances, but they also have to deal with about 25% of their time dealing with incidents they’ve caused themselves from their chaos team.
Now, when this team came into the range, they were robust. There wasn’t anything we could throw at them that they hadn’t done to themselves over the course of the last few months. And it just gives you an idea of what good can look like when you practice and rehearse to the extreme, and this amazing realization that if you really want to be resilient you’ve got to make it a day-to-day activity. The last piece I’ll give you with this is, you know, there’s lots of people that build redundancy into their environments, redundant servers, fail over environments and things like that. But rarely are those things ever used. I mean, they might be exercised once or twice a year, so you don’t have that level of assurance that they’re gonna work, that a company that uses the chaos monkey would have.
David: So it sounds like just like exercise in your daily life keeps you fit, you need to have a chaos monkey keeping you fit, your cyber security. So maybe that’s one thing that a team needs. Could you talk about maybe two, three more things that any team out there that’s listening should be thinking about doing or working on day-to-day, every quarter so that they’re ready for an adversary or in a controlled environment like one of your ranges?
Caleb: Well, let me first say, if you’re going to use your analogy of comparing this to exercise, this chaos monkey team was like a bodybuilder that walked in with gigantic muscles. We’ve just never seen anything like it before, and they were in incredible shape.
If we think about things that teams should be doing on a regular basis, you know, let me start with the most basic, which is, do you even have run books? And unfortunately, most companies that come into the range, either they don’t have a run book or their run books are pretty basic. And usually we can break them in about 10 minutes, and I’ll give you a couple of examples of really basic things we had. Almost every run book we get starts with some sort of request to get everybody on a crisis communications call or a video conference to kick up the crisis or the fusion team.
And it’s funny, almost none of them document the leader pass code. They all document the participant pass code. So we ask people to go get on these calls and then they suddenly realize no one remembers the leader code, and they’re futzing around for an hour just trying to get on the conference call, which sounds completely silly, right? But the only way you’re going to figure that out is through testing and rehearsal. It’s easy to fix, but if you’re having that problem in a real world incident, that’s an hour you just gave to the adversary. And remember, you’re often assuming your IT systems are down, so it isn’t like you can quickly send somebody an email with the new leader pass code, you’ve got to know it. It’s got to be written down. It’s got to be on paper.
We often find that not only is it important that clients can have a run book and follow it, but it’s also equally important that they can adapt and be agile in the event of a crisis. Another great example of a story we tell all the time is we had a hospital in the range and they were working through effectively a ransomware incident that had become pervasive in this fictitious company they were representing. And one of the things that it affected was the elevators, and they get a call from a surgical team stuck in the elevator. The surgical team indicates that they’re with a patient, they’re stuck in the elevator, they’re always locked up with ransomware. Well, the security team then proceeds to ask a million questions about the ransomware, how many bitcoins it’s asking for, what does it say on the screen? Nobody asks about the patient.
So we had the surgical team call back and say, “Hey, the patient’s not doing well,” and the security team once again dove into asking questions about the malware, indicating that they’ll have them out soon. So we had to call back a third time—and the third time with them indicating the patient was now deceased because they were stuck in the elevator too long they couldn’t get to surgery.
Now, you can imagine a pin drop in the room at this point, right? As they realize they’ve become stuck in their security run books, and hadn’t looked above to be agile and go, “Wait a second. Life safety is probably way more important than working through the incident.” That’s a really great example of what people have to do, right? They’ve got to practice, they’ve got to rehearse. They’ve got to play with scenarios that maybe they’ve never seen before, but could happen. But they’ve also got to make sure they know how to work as a team and can be agile when things happen so that they can look at the unforeseen and figure out what to do.
David: So to recap, it sounds like some of the things that you’re talking about are to actually just have a run book, but then to go to the point where you test it, and not just test it, but to figure out some of the other scenarios that might occur, and to do that on a regular basis to build up that muscle memory or become cyber fit, so that you are capable of pivoting with and moving as quick during a response as your business needs.
Caleb: Yeah, absolutely. And, you know, one of the reasons why we built out these fully immersive cyber ranges is that’s really hard to do in a sterile kind of tabletop exercise with PowerPoint. You need to get people into the mode of what it’s going to be like during the actual incident where you’re going to be up for 16 to 18 hours a day, potentially for weeks on end. You’re going to have all kinds of information flowing at you, most of which is not correct. And you’re going to be asked to make a thousand decisions without really knowing whether you’re choosing the right decision or not. The more we can immerse people into what that’s going to look like, the better we can train them to be resilient during that event. And it’s like anything, a good leader is going to make all the difference. And we see this occurring in events today where companies that are transparent that respond with speed and can process through decision-making faster than the adversary, those are the ones that are ultimately resilient.
David: Yep. So earlier you called the X-Force command centers your cyber labs, and I’d be curious if you were to go back to day one and then walk us through some of the milestones of the evolutions that you’ve seen from that starting point to today, what’s changed? What stayed the same? What have you added in? What maybe would you have wished you would have known when you started out that you know today?
Caleb: What we were astounded at was how much time and how much desire there was of line of business executives to really learn and understand. And I’m not just talking about the CISO. I’m talking about the CMO, the CEO, the CFO. Because if you are hit with a large scale cyber security incident, everybody’s got a role. This is a whole of business response.
So that was the first really big aha moment. I think as we progressed, one other thing we didn’t really didn’t understand initially was the challenge people have, even folks that are high performers in general business, really sometimes struggle in making decisions in a crisis. And it took us, frankly, six months or more to really realize that crisis decision-making and crisis management is an entirely different discipline. And a lot of what we’ve done today in business schools, we’ve taught this out of people, right?
Again, you know, the whole idea of slow down, make decisions with data, build consensus, as much as those things are great leadership principles for day-to-day, those are things that are going to really get you in trouble during an incident. You need somebody in charge, and you need very clear line of sight to who’s in charge, and who’s in charge has to be in the room, right? You can’t be waiting for the executive that’s on a plane for the next 14 hours to make a critical decision during a cyber incident. You have to work outside the org structure in an incident command model and make decisions quickly.
And as we started to realize this, then we start to realize, we actually weren’t inventing new ground. These principles existed before. But they existed in a place we hadn’t thought of. It was in the military and in emergency medicine. And that’s where things got interesting because we just had to translate them. So, for example, one of the things we teach constantly in the range are these concepts from fighter pilots in terms of how they make decisions. They use something called an OODA loop, which stands for observe, orient, decide, and act, and it’s just a method of making decisions quickly, and questioning your own decisions, that directly applies to cyber.
We also learned about a concept called commander’s intent, where a military commander defines the outcome for the troops, with the recognition that if anything happens, the troops still know what to do. Well, this also directly applies to a cyber security incident because you may have lost communications, you may have other people making decisions quickly, you need that very concise, very well understood definition of what is most important.
And, the funny thing with most companies is it’s not the things you’d think of, right? With a bank, it’s not reputation that’s the most important thing. It’s frankly not even servicing customers, as much as that sounds awful. The most important thing for a bank during a cyber security incident is to maintain the ability to move money. Because as long as you can move money, you can fix everything else. But if you can’t move money, you’re done. And then, you know, if we think of a hospital, they obviously have a different commander’s intent. It’s about protecting life, safety at all costs. Nothing else matters, right? The reputation doesn’t matter, the infrastructure doesn’t matter. It’s about keeping people alive.
David: So there are a lot of moving pieces in security, changing technology, especially as companies are moving into cloud. You know, the ever-changing tactics of attackers and, of course, how and what businesses want to do so that they can grow and thrive. Can you take a moment and talk about how these three forces influence what security leaders are looking for when they visit the range?
Caleb: One of the things we pay a lot of attention to in the range is the evolving attack surface. And we have to continue to pay attention to this because businesses are changing, and even the attackers are constantly reinventing themselves.
For example, we think on the business front, more and more workloads are moving to the cloud. Well, when you move workloads to the cloud, on one hand, you get a lot of benefits, you can set up security by design as you move that workload in the cloud. But there’s some problems as well, in that the perimeter largely disappears, you lose access to a lot of the richness of network data that you might have when things are on-premises. And you have to kind of rethink the security model. A database that’s sitting on-premises behind a firewall and an application server is probably a lot more secure than a database that’s sitting in the cloud, especially if it’s only protected with a username and password. A lot of these things have to be rethought in new ways, and we bring those new ideas, those new challenges into the range.
But in addition to that, we really think through how are the attackers changing their model, right? I mean, most of what we dealt with, up until 2018, was data exfiltration. Bad guy breaks into a system, gets access to data, and downloads that data for money, profit, or influence. But as we get into 2018, we started to see a big pivot towards ransomware. Well, why? Because they don’t have to clean the money, they get paid directly, right? With data exfiltration, they’ve got to get your data, they’re going to wash it, they’re going to put it up on the dark web, they’re going to sell it to somebody, they’ve got to get paid, they’ve got to have a reputation or for people to buy it. They might even have to provide support.
That’s a lot of work. If I shift to ransomware, you just pay me directly. But of course, then what happened is not Apache and WannaCry, which really weren’t ransomware, but looked like ransomware. And even if you paid you aren’t going to get unlocked and that kind of ruined it, because…and people got accustomed to not paying. It kind of ruined the reputation for that industry overall. So we saw a 45% decrease in ransomware from the start of 2018 to the end.
But what replaced it? Well, just like any entrepreneur, the bad guys are thinking, “Hey, you know, how do I get more of a subscription model?” How do I like go get SaaS revenue, right? Which is exactly what they’re doing. So, with ransomware or with a normal data exfiltration attack, it’s a once and done. But with crypto jacking, I get paid every month. I bet your server, or your workstation, or your thermostat, or your dishwasher, and as long as those things connect to the internet, as long as you don’t notice it, it keeps mining cryptocurrencies and I keep getting paid. And not only get paid, but it kind of looks like legit earnings, right? It doesn’t necessarily look like…because I haven’t stolen your data. Yeah, I’ve broken into your system, but again, I haven’t taken anything, haven’t destroyed anything. All I’ve really done is stolen some of your processing time in your electricity.
So 450% increase in crypto jacking this year. We expect that will continue to evolve, because why not? It works, it pays, it pays on a recurring basis. But also I don’t have to go after just servers and workstations. What about going after your thermostat? Because as long as your thermostat still works, if that’s got extra processing power, it’s going to be installed there for years, and I’m just gonna keep getting paid. So the whole IoT gets interesting. Now, what does this mean for us in the range? It means we’ve got to bring all of these scenarios, all these new attack surfaces into the range on a daily basis.
David: At RSA, you shared the stage with our GM Mary O’Brien, and you spoke about the impact of adopting an agile security culture. Does having an agile culture really allow for teams to move fast enough, to adjust and respond to the constantly changing threat landscape?
Caleb: We don’t have a choice but to be agile. And I think the easiest way to think about this is that this is gonna be the first time in your corporate life, where you’re up against a human adversary that doesn’t play by the same rules, can see what you’re doing, can pivot, and can jog. You know, if we think about any other competitive or, you know, kind of conflict in business, it always follows rules, right? Even your competitors follow rules.
Cyber adversary doesn’t have to do any of this, it’s probably much more analogous to boxing, right? You’re gonna get punched in the face. And if you don’t start punching back, you’re gonna get punched again. And if you don’t start punching back, you’re gonna get punched again, right? So all of this is true with the cyber security incident if you take too long, if you wait, if you aren’t transparent, you’re gonna get that virtual cyber punch in the face yet again. So the more we can get ready for that and understand that’s kind of the boxing ring we’re in, the better we’re gonna fare during it. And that’s all about thinking agile, being able to pivot, and of course, practicing and rehearsing.
David: All right, thanks, Caleb. Incredible conversation. As always really appreciate you giving us your time today.
Pam: So, David, now that you’ve been in the cyber security industry for a while, has your perception of cyber response and the idea of cyber fitness changed?
David: Oh, absolutely. You know, I came in from another industry and I didn’t quite have full understanding or recognize the difficulty of a good response and all the people that are involved to make something that can be a bad day for a company into a moment that they learned and, as a customer, you’re brought along on that journey with them, and you still have your trust. So what used to be a shaking my head, this bank or that hospital had some problem, not fully understanding it.
Being on the inside now, seeing how companies handle that, how they maintain a channel of communication, how they bring in different people across the business, to manage that communication and the expectations, I’m really impressed with some of the responses. And I know that, you know, me a couple of years ago, I would have been in the camp that just was disappointed. And this is hard work, and the people that take care of cyber response and/or in charge of security for companies should be applauded for the incredible effort they have to put forward to make things work day-to-day across the world.
Pam: Yeah, I really think about that as well. You know, when big breaches happen at retail stores or, you know, healthcare companies and then you get the letter like, “Oh, we need to disclose that you may be affected.” And I feel like there’s a personal level of cyber fitness that then kicks in. It’s, like well, okay, time to go check all the credit scores and, you know, lock down on all the personal credit files. And so we have our own personal idea of cyber fitness as well, in empathetic response to like, “Boy, if this is just me managing a family of four, I can only imagine what it is to manage the response to just the staggering levels of affected PII records and all of that, that we see nowadays.” Just year of mega breach, we decreed that back in 2015, and they’ve just gotten bigger.
David: That’s right. Yeah, you almost need a personal playbook. And that’s a wrap. Our thanks to Caleb for joining us as a guest.
Pam: You can listen and subscribe to the Security Intelligence Podcast on iTunes, Spotify, SoundCloud, Google Podcasts, or Stitcher. For more security stories, visit SecurityIntelligence.com, or you can follow IBM Security on Twitter and LinkedIn. Thanks for listening.