Dave Bittner: Hello everyone, and welcome to "CyberWire-X," a series of specials where we highlight important security topics affecting organizations around the world. I'm Dave Bittner. Today's episode is titled The Cybersecurity Paradox. The cybersecurity space is nothing if not crowded. Yet despite all the fantastic offers and promises being made by vendors, the sober reality persists that spending has not equated to improved security. For example, a recent industry survey revealed that 80% of IT security budgets are focused on detection and containment controls even though 70% of security experts believe that a greater focus on prevention would strengthen their security posture.
Dave Bittner: For insights on this contradiction, I speak with Robert Olsen, senior managing director of cybersecurity, information security and information technology strategy at advisory firm Ankura. Later we'll be joined by Steve Salinas, head of product marketing at Deep Instinct, as he addresses this paradox of why organizations are spending their scarce budget in ways that are contrary to their interests.
Dave Bittner: A program note - each "CyberWire-X" special features two segments. In the first part, we'll hear from our industry expert on the topic at hand. And in the second part, we'll hear from our show sponsor for their point of view.
Robert Olsen: I think it's a confusing landscape, to be honest. And what I think is leading to a lot of the confusion is just the number of options and choices that organizations, you know, have.
Dave Bittner: That's Bob Olsen. He's senior managing director of cybersecurity, information security and information technology strategy at advisory firm Ankura.
Robert Olsen: So I think that is where, you know, organizations really struggle. Most are fairly understaffed even if they're using, you know, an outsourced provider to assist them. They're just, you know, they're trying to do - especially with the challenges that they've had and continue to have with sort of the distributed workforce as it relates to COVID, you know, they've really got their hands full. So it's even harder, I think, for them to dedicate any kind of time or resources to really look at, you know, what are the products that are out there? And also, honestly, I think even more importantly, what are the products that they've already invested in. And how, you know, how should they be, how could they be leveraging those? Are they getting the full value out of those? So the last thing they need to do is just start introducing new products or additional products into their environment when they don't even - if they don't even really have a good handle on, you know, what they've already bought and are probably underutilizing.
Dave Bittner: How do you go about evaluating that, of kind of, you know, helping someone take stock of where they stand with the things they're currently using?
Robert Olsen: The best way that I've seen that approached is to really use one of the frameworks that are out there. So one that we commonly see and use with clients is the - what used to be known as the SANS Top 20 Critical Controls. It's now the, you know, Center for Internet Security. Critical security controls - and what's nice about that is it's really tool agnostic, meaning that it's a way for an organization to really look at their program in a fairly tangible and sort of unambiguous way and look at the needs, you know, relative to their specific business, the industry they're in, the type of organization that they are, their sort of operating model, the threats that are out there. And really, instead of looking at it from a, hey, what tools do we have and what functions do they play or what role do they play and what functions do they have? Sort of flip that around and say, OK, you know, here's what we need to have in place to have a mature security program. And, you know, how are we going to accomplish, you know, or meet these specific set of controls? And what are our options?
Robert Olsen: And really look at it from a security program maturity and threat kind of landscape to then say, OK - because there's lots of ways to, you know, meet the different requirements within not just the critical security controls but some of the other frameworks and standards that are out there. And it really is, ok, what makes the most sense? You know, and you always want to, you know, as part of that exercise, it's important to kind of do a, you know, really, a security technology review to also understand, you know, what tools do we - have we already invested in? What we find a lot of times is organizations have done a pretty good job of investing in tools. They've generally not done a very good job of integrating those into their environments where they actually add the value that they're expecting. And particularly in large organizations, oftentimes we'll see where they may have bought, you know - for all the right reasons as far as intentions - but they may have bought three or four or five different products that really are all, you know, fairly kind of duplicative in a functionality standpoint.
Robert Olsen: And so where it's helpful to really base that off of a framework, more of an objective exercise is it allows you to then align, you know, to meet this specific requirement, here are the tools that we have in our toolkit. And it really allows you to kind of objectively categorize those, identify - you know, identify, categorize and then figure out, do we really need these four things or is there one, you know, that's kind of best of breed that we really need to focus on? And it also allows you or really enables you to identify gaps. You know, so maybe you thought or maybe an organization thought that there was a particular tool or suite of tools that was helping them, you know, achieve a specific requirement. And, you know, reality is when they go through that exercise, inevitably there's gaps or kind of blind spots. And so that then helps them figure out, you know, is there a tool that they've already invested in that could potentially be leveraged to fill in that gap or do we need to go look at, you know, a new piece of technology or a new partner? You know, again, there's lots of ways to kind of solve things.
Dave Bittner: Do people tend to fall into a rut of momentum, that, you know, we're using this tool, we've been using this tool for a long time. Our folks know how to use this tool. And so there's that natural, I think, the impulse to resist change.
Robert Olsen: Yeah, absolutely. Definitely. You know, most IT organizations - the tools that they've invested in, they've, you know, put training - folks through training. They've got, you know, probably a significant amount of hands-on experience with, you know, the tool or set of tools depending on how long it's been in their environment. And so, you know, it is, you know, I think it's unfortunate, but I think it's probably not, you know, not too surprising that a lot of IT organizations or security organizations within - at least the clients that we deal with are hesitant to kind of look outside, look at new products, look at new ways of doing things.
Robert Olsen: One thing that's, I think, helped in one sense is as organizations are, you know, rapidly kind of migrating toward more cloud-based environments, a lot of the what I'll call legacy IT or legacy security tools, you know, aren't really designed to effectively operate in those types of environments. And so it's really forced them to look at really a whole new set of technology to be able to perform a lot of the same functions that they were using, again, more of the legacy toolset, if you will. And where it gets even more complex is when they've really got it both - you know, if they have a hybrid environment, they've really got to kind of balance both. So maybe they - they're not going to have to, you know, abandon their legacy toolset, but they may also then have to adopt in a whole second or additional toolset to really focus on cloud security and cloud management.
Dave Bittner: How do you advise them in terms of dialing in those numbers, you know, the percentages of their spend on things like detection versus containment versus prevention? You know, how do you evaluate what the best mix would be for any individual client of yours?
Robert Olsen: Yeah. It's really important. I mean, that's a key point. It's really important to, again, align that the tools and the spend - kind of value that it brings with, you know, tie that to the risk that it is, you know, hopefully helping to mitigate and/or, you know, accelerate the time to discovery, if you will. And again, I think it - something that we see organizations often do is they forget that, at the end of the day, really what they're trying to do is protect the data that exists within their organization. And so if you look at it from a kind of a data risk perspective and really a tool optimization perspective, you know, it's important to quantify the value and kind of in the role - or of the role that the individual tools play. Not all are created equal. And so part of that kind of assessment or, you know, using the framework is also really trying to articulate and understand the value that the tool brings and really kind of how it fits into the, you know, the different categories.
Robert Olsen: Again, you know, the NIST cybersecurity framework's a great example where you've got the five categories. And it's very easy to sort of allocate or kind of bucket, you know, tools into the role or the sort of the support role, if you will, that they have. You know, one of the most valuable things, which will probably sound very basic, but it's always amazing to me how few organizations even have an inventory of all of their tools and not even just security related tools but, you know, just an inventory of all of their tools that they use to run their business. Oftentimes it's - it doesn't exist. And so that's one of the first things that we'll do, and as we're doing that we'll then also want to understand, you know, what role do those tools play in the organization? How do they align with the business needs? How do they align with the business risks? And then ultimately, you know, make decisions from there.
Dave Bittner: In terms of the spectrum of tools that are available out there and the variety of costs of those tools, do you think that we're in a state here where most businesses, most organizations, can find an appropriate level of protection that falls within what they're able to spend?
Robert Olsen: I think with the advent of managed security services, which have been around for a number of years but I think are really kind of coming into their own, you know, we're at the point where, you know, a significant percentage of our small to midsized clients are, you know, for some of the more basic kind of security products - things like, you know, anti-virus, anti-malware, you know, some email filtering, those types of things - they're still investing in those and, you know, potentially managing those locally. But where they're really adding some sophisticated security capabilities at very, you know, reasonable price points is when they're going to more the managed security services route - so, you know, manage detection response, endpoint detection response, those types of offerings that allow them to, you know, benefit from security infrastructure that is comparable to an enterprise-level organization but at, you know, very attractive price points.
Robert Olsen: I think a lot of the managed security service providers have done a good job of becoming more competitive from a pricing perspective. I think they've had to. I know we are seeing a significant uptick in not only interest but also, you know, onboarding new clients specifically around managed security services. And again, it's because I think with - you know, particularly with COVID, it's gotten even, you know, harder and more complex and just even more resource-intensive to properly, you know, protect and defend endpoints, which are right now extremely distributed in most organizations.
Robert Olsen: I don't see a lot of, at the small to midsize-level, sort of product buys, I would say - again, just because I think there's a good understanding now that it's not just buying the product, but do you have the other folks that have the ability - you know, the knowledge and the skills that are necessary to actually operate and maintain those tools? And you know, it's not, you know, fair to assume that - if, you know, an organization is using some type of outsourced IT provider, you know, odds are that they probably are limited or have a fairly limited set of security tools and skills as well. And so again, that's where we kind of see - we're seeing more and more of a - what I'll call a layered approach, where they're still using a firm for more traditional kind of IT support, IT help desk. But then they're layering, on top of that, a more purpose-built kind of managed security service.
Robert Olsen: And we're also seeing - which is interesting - a similar approach, but for different reasons, at the more enterprise level. And they're using the managed security services, and they, you know, in most cases, have pretty robust internal security teams. But they're using those, you know, managed security service providers as really, you know, sort of supplements or complements to their existing in-house team - so really, you know, kind of a reserve force, if you will, that they can call in and leverage as appropriate.
Dave Bittner: What are your recommendations in terms of organizations kind of taking stock and having an audit of the tools that they're using to take a look and make sure that they're properly calibrated?
Robert Olsen: So I think the first thing is really just understanding, what tools, you know, has the organization invested in? A lot of the times we find with organizations that have been in business for a while, you know, people come and go. That's just inevitable in today's economy. And so we oftentimes find organizations have invested in tools and, you know, the accounts payable, you know, just continues to process invoices and stuff. And so we wind up with kind of this layered approach, if you will, of tools that have just kind of continued to grow. And as new folks have come in, they're buying their own. So really, the first thing is just really understanding kind of the full suite of tools that the organization has invested in.
Robert Olsen: And then even more specifically within that, you know, inventory - understanding how the organization is using the specific functionality that those tools bring. Just because a tool can do a hundred things, it doesn't necessarily mean that the organization is using that - so really, you know, clearly capturing or documenting the tools that they have, the role that they are playing in the organization, the cost associated with those, and really kind of the value that they bring to the organization.
Robert Olsen: And once you have that data or that information pulled together, then you can start to really say, OK, you know, relative to kind of the best practices that are out there on the full set of capabilities that we need to have, where do we have gaps? Where do we have, you know, redundancies? And - and I think this is the piece that a lot of people miss - you know, what are the threats and risks that are out there that are specific to us? And what should we be building our program to defend against, really? Because, you know, there's a million threats that are out there - it doesn't mean that they're all, you know, equally probable or impactful to an organization.
Robert Olsen: And so tying all this together is really important. And then, you know, one of the outputs is really that a well-thought-out, you know, sort of security technology architecture that clearly articulates how everything fits into the program - the benefits of it, the role that it plays - and, again, identifying where there are gaps where we maybe need to bring in a partner, where it maybe makes sense.
Robert Olsen: Or it also can lead into, you know - hey, we're spending $100,000 on this tool, and we have to manage it ourselves. Is there a better option? Could we, you know, reduce that cost from $100,000 to $50,000 by going with some kind of a managed service and not only reducing our costs but getting a better, you know, really sort of a better product for it, if you will? We've got folks that are, you know, behind the monitors. This is what they're doing 100% of their time. And it, you know, offloads, in some cases, internal resources, which they can then deploy for other higher priority.
Dave Bittner: That was Robert Olsen from Ankura. Up next, we'll hear from our show sponsor - Steve Salinas from Deep Instinct.
Steve Salinas: Well, I mean, I think the first and foremost for any security team, security organization is to ensure that whatever business or entity that they're supporting can do what they need to do, right? So you want to make sure that you're not going to inhibit business - if you're, like, a retail organization that people can go to your website and buy products - you know, news. Whatever it might be, you're there to support the business.
Steve Salinas: But you have a really difficult job, though, because you need to support the business, but you also need to keep it secure because you could support the business by having no security - right? - and then all your data is being stolen and, you know, tons of bad things are going on. But the business is continuing, at least for a while. Obviously, that's not the approach they want to take.
Steve Salinas: So a lot of organizations will take a very conservative approach to building their security infrastructure or approach. And a lot of it comes back to just based on the people that are running it and what has happened over the history of cybersecurity. I mean, let's think about it. Have we ever seen any sort of prevention solution be 100% effective all the time? No. It's not possible, right? So a very conservative approach would be, you know what? I'm going to invest some money in prevention because I have to, but I'm going to focus my efforts on making sure that I have the best detection tools available and am able to respond as fast as possible. What they really want to do is drive down, you know, what you might call dwell time, or the time between when attack is identified and they can actually take some action to stop it. And I think that's been the driving force for quite a while.
Steve Salinas: But it's really interesting - as time has progressed, the cybersecurity vendor market space has gotten huge. If you think about it, over the last couple of years, I mean, hundreds and hundreds of new options are now available to these security decision-makers. So they don't have an easy job. I mean, they have lots and lots of technology they can choose from. Their budgets - while a lot of them, I think, have benefited from slightly higher or maybe even a lot higher budgets, you know, you're almost presented with this unending menu of options to secure your environment. So it's a pretty daunting task.
Dave Bittner: You know, it sort of reminds me of someone faced with the task of protecting, for example, you know, a retail store, where - as you describe, you know, obviously I don't want people walking off with my inventory out of my store. But at the same time, you know, if I make this place so unpleasant to shop in - if I'm, you know, patting down everyone as they come in and out of my store, well, people aren't going to want to come there. So it also strikes me that, you know, something that all retailers deal with is a certain amount of - I think they refer to it as shrinkage. You know, yeah, some things are going to walk out the door, and you need to deal with that. I mean, are we in kind of a similar place when it comes to data? Is there a place for that kind of acceptance that, you know, nothing's 100%; sometimes things are going to happen?
Steve Salinas: Well, I think there is. I think that's where we have to help the security decision-makers in minimizing that because, I mean, yeah, they're going to operate with some level of risk or some level - so one good example is, think about logins. Right? So when you log into your computer - and I do it all the time - I mistype my password. I probably do it three times a day.
Dave Bittner: Sure.
Steve Salinas: Now, you could put a rule in place, like, oh, mistyped password. After two times, lock the computer. Well, you know what you're going to end up with is a bunch of employees that are calling the help desk irate. They can't get their job done. They're on the road. So no one wants to do that. So there's a level of risk that most organizations are going to be OK with. Even maybe 10 failed logins is OK, maybe even 20. And they know that some of those potentially could be an attacker trying to, you know, infiltrate their organization. But at the same time, they have other the controls in place to try to detect that stuff.
Steve Salinas: So, yeah, you're going to operate with some level of risk. And you know, what we do a Deep Instinct - we are a prevention-first cybersecurity company. So I think when you think about risk, I think a lot of people right now are probably a little too comfortable with the underperformance of their prevention technologies they have in place for a number of different reasons - because of the hassle of changing them or for the belief that they can't get any better.
Steve Salinas: But you know, it's not uncommon for, you know, an AV solution that's in place, especially a legacy or even a next-gen, to, you know, have an efficacy that is significantly lower than 100% - like, way lower. But they're OK with that. And the way that they mitigate it is building a defense in depth strategy with lots of detection response tools. But then it can kind of get really cumbersome. And over time - and I think that's what we see today is that they built these really complex security stacks that are kind of getting unwieldy and hard to manage - harder to manage every day.
Dave Bittner: I'm glad you brought that up because that's actually where I was going to go is I going to ask you about defense in depth and what leads to that. I mean, I can see the appeal of having a bunch of different things in place and being able to sort of turn those knobs on the various defenses that I have to try to customize something that best suits my environment.
Steve Salinas: Well, I think a lot of times a lot of the innovation that comes out of cybersecurity is because of lacking of previous technologies that were delivered. So we think all the way back to like just basic antivirus. Back in the day, when the number of threats were small - did a pretty good job. As threats started to evolve and change, AV started to fail. And you had next-gen AV come in. And that's what a lot of people use today. But then even with next-gen AV, there's like a gap there. So what do you see? You see things like endpoint detection and response or the newest one being XDR, kind of like across your environment protection response. But then you start to see, you know, you have - the good news, I think, is there aren't - there's not a lack of ideas.
Steve Salinas: The cybersecurity - the people that delivered products and services, tons of great ideas to kind of fill in those gaps. And I think it's all delivered with the best intent. But as the consumer of all of this different technology, wow, it can really get to where before you know it you have 50 products and you have 10 different agents deployed. You have 12 different management consoles. And you're like, whoa, all this stuff is like, how am I going to manage all this together? So I think that's how you end up with this - and defense in depth, I think, is the right approach. But it's got to be the right depth. You know, you don't want to get too enamored with, like, the latest and greatest technology that's coming out. But, like, look at the core foundation of your stack. Is it built on a really strong foundation that's going to give you the fewest gaps, I guess, is one way to put it.
Dave Bittner: Do you suppose that - I mean, are there chief security officers who find themselves sort of playing defensively to say, if something happens, I want to have a whole array of products in place so that when I'm asked, hey, you know, how did this - I don't want to get caught with having something happen and somebody say, why didn't you have a product in place that could defend us against this?
Steve Salinas: That's a really good point. I think you definitely see that from security teams and companies that we talk to. I mean, you're going to, like I say, you're going to some companies and they have every product that you could think of. It's like, wow, you guys are really well funded. And a lot of it comes from that. Like, hey, we're going to get the budget. We're going to bring in the technology. And I say - I do see that point. But at the same time - and you see some of the bigger breaches that have occurred over the last few years, the really sad part about it is the technology they had in place actually saw it, it identified it. It identified that there was some suspicious thing that happened. But you know what? It got lost in the sea of other alerts.
Steve Salinas: So, like, the intent and the idea that, you know what, I want to really cover all my bases is the right idea. But I think how their bases are being covered, that's what we want to try to do is to try to - the real way you're going to solve or make some impactful change in the way you secure your environment is to really kind of take a step back. Let's start from the beginning. And I think most security practitioners would think, all right, the first thing I want to do is try to prevent as much as I can. So let me look at this tool here. What am I doing here? Am I preventing as much as I can? OK, fine. Maybe I do prevent it a lot. And I'm comfortable with it - and then start to build on top of that. You want - for me, my approach would be lean and mean, right? Let's get only the things we need. And let's make sure that we can really use them. No - there's no point in bringing in technology that's too complicated to use, right? That's just not going to help you get to where you need to go.
Dave Bittner: Well, when you say prevention, I mean, dig into that for me. What exactly - what does that cover?
Steve Salinas: So yeah. That's a really good question because I think prevention means a lot of things to a lot of different people. When we think about preventing, we are trying to - think about like the kill chain or like how an attack takes place. Prevention means you want to prevent it as close to the beginning of the attack chain as possible. So, like, take a very basic example. Like, let's say that someone has sent you a phishing email. So ideally, once the email comes into your inbox, you would want to have the ability for whatever, some sort of technology to say, you know what? This email has a URL in it or has an attachment that I right now - I can tell that this is malicious. So I'm going to go ahead and remove that from your inbox. I might send you a little notification. The security team gets a notification. And guess what? I have prevented that phishing attack before it even had a chance to cause problems. All right. So that's like a really basic example of prevention.
Dave Bittner: As opposed to, I mean, let's walk through a different possibility in that same sort of phishing attack. What would - I'm thinking of things like detection and containment. Is that - how would that play out differently?
Steve Salinas: Sure. So let's kind of - yeah, let's move forward. So the very earliest one would be that. I remove it from your inbox. Let's say I don't. And let's say that the employee's working and they pop open and, oh, yeah, I'm expecting this PDF from this person. They just kind of open it up. Now the attack has silently initiated, but you can still prevent, right? Maybe the damage has not occurred yet. So maybe there's some sort of runtime prevention that can occur. Right? So you see what's been loaded into memory and you identify, oh, this is malicious, you stop it. Well, let's say that doesn't happen either. And let's say that some scripts start running. So you can use something like a script control that's monitoring for suspicious behaviors from scripts. So as certain things start to happen in scripts, boom, OK, now we identify it, and we stop it. But let's even say that doesn't happen. Now the attack is underway, but you notice that, all right, there's some weird traffic on my network, some command and - it looks like command and control traffic. Now you have something else there. So, I mean, I think everywhere along the line there, you can make the argument all of that is prevention. I guess the one way that you would not prevent is if the employee gets the phishing email, they open it, they open the PDF, the attack starts, the command and control communication starts, the attacker steals a whole bunch of data and then they leave. And no one ever knew it happened.
Dave Bittner: Right, right. So how do you recommend that folks come at this? From a budgeting point of view, how do you - what do you think the wise approach is?
Steve Salinas: Well, I think the best approach is to, as much as possible, try to take a fresh - get fresh eyes on what you have in front of you - right? - and look at the tools that are in place, the processes you have, the resources you have available. It's really tough right now to find additional, you know, skilled security analysts. So the people you have are extremely important. They're always going to be the most important part of your team. And then look at the budget you have, and try to sketch out, like, where are all of the - like, in your current security stack, if you did some analysis, you could probably identify where a lot of the alerts are coming from, right? So there are some things in there that just might not be working correctly. Maybe they need to be tuned. Other things to do - and, like, we always would recommend - is to look at that - depending on how you look at it, that's your prevention technology that you have in place. At Deep Instinct, like I said, we are a prevention-first cybersecurity company. But we do offer detection response, as well. But we do believe the best approach is to prevent. Prevent as much as you can upfront. So look and see, how is that prevention control you have in place working? And I would say, if it's not giving you a really nice efficacy out of that, there are so many different options. Obviously, we like what we deliver. But you should go out and investigate and look and see, can I replace this with something that is better, more streamlined, optimized and tuned better for today's attacks? So that's what I would do. I would take that evaluation.
Steve Salinas: And then, we're certainly saying you're going to want detection response tools. You're going to want to have a nice defense in depth strategy. But I think if you're able to - I kind of look at it as, like, a net, right? If you think about your prevention that you can do first, it's like a net. Now, you want your net to have very small holes in it. I guess that's maybe not the best analogy. But, like, if you're trying to, like, I don't know, clean your pool or something, you know, you want to be able to catch a lot of stuff - right? - with this net. But if it has big gaping holes in it, it's not going to catch a lot, right? You're going to end up with a lot of holes that you have to go back and figure out, well, how am I going to find this other stuff, right? So try to get that as solid as you can. Test it, right? Bring it in-house. Run it through its paces and see if it's going to meet your needs. And I also recognize that a lot of security decision-makers don't necessarily have a ton of time - right? - because part of the problem is, if a big, bad breach does happen or a compromise happens, one of the natural things that can occur is that, you know, people get replaced and leadership changes, right? So you want to try to do this fast and effectively. But the good news for the security decision-makers is you do have a lot of options. You don't have to feel stuck with what you have in your security stack today. You can replace that stuff. And you can replace it easily, faster than ever before. And it's very competitive, and you can probably get a good price for it.
Dave Bittner: Where do you think we're headed? Is the word getting out? Are folks taking a better approach to this? Or the evolution, is it headed in the direction that you think it needs to?
Steve Salinas: Well, I think that you're seeing lots of different ways to secure an environment. Security decision-makers are getting smarter and smarter every day. And I think, you know, there's a lot of built-in, from their work in the field, understanding what needs to be done. And I think what we're seeing is kind of some refinement on these different technologies. You see a lot right now that happens - and this happens on a fairly regular basis. You end up with some consolidation, right? So bigger security vendors consolidate, and then you have kind of a better solution. So one of the things I think we're going to see more and more and more is how the technology and the human expertise are blending together. What I think we're going to see over time is more tools that are really helping drive the decision. The security analyst and the security expert - they're still obviously integral in the flow, and that's not going to change. But they need help, right? And that's what they need their technology to do. And I think what you're going to see over time are these lean, mean security stacks they have a lot of autonomous decision capabilities built-in, the continued evolution of technologies - like, we're using, deep learning, to solve these more complicated challenges and identify more complex threats. So you're going to have these security analysts that are able to really put their experience and their knowledge to better use. At least, that's our hope. And I think we'll get there.
Dave Bittner: Our thanks to Robert Olsen from Ankura for sharing his expertise and for a Deep Instinct's Steve Salinas for providing his insights and for sponsoring this program. "CyberWire-X" is a production of the CyberWire and is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity startups and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.