Episode 33 July 9, 2018

ERP033 - Advanced Biometric Security w/ Ian Paterson

40:34

We're selling security, but the reality is that people are buying convenience.

Show Notes

Today on Evolved Radio we're talking about everyone's favorite IT topic lately: security!

I'm joined by Ian Paterson, CEO of Plurilock. His company has a really innovative approach to security. It's an advanced form of user identification that can tell who you are by how you type and move the mouse.

We talk about why users hate passwords, security requirements for regulated industries, and much more.

Transcript
Welcome to Evolved Radio, where we explore the evolution of business and technology. Today on Evolved Radio, we're talking about everyone's favorite IT topic lately, that's security. I'm joined by Ian Paterson, CEO of Plurilock. Ian's company has a really innovative approach to security, it's an advanced form of user identification that can tell who you are just by how you're typing and moving the mouse. We're going to talk about why users hate passwords, the trouble of security requirements for regulated industries and much, much more. If you enjoy the show, be sure to subscribe on iTunes, Stitcher or wherever you get your podcasts from. Also, be sure to check out the webpage evolvedmgmt.com/podcast for show notes, links to my guests and to check out previous episodes. Now, let's get started.

Joining me on the podcast today is Ian Paterson, CEO of Plurilock. Welcome, Ian.

Todd, great to be here.

I'm excited to talk to you about the security industry. It tends to be a topic of extreme interest for listeners of Evolved Radio, and I think the experience that you have and the technology that you're working on is going to be pretty interesting, probably pretty eye-opening for people as well. So, if you would like to get us started, maybe just give us a bit of your origin story and your history in the industry.

I've been in the security industry for a number of years now. Before that, I came more from a big data analytics background; the commonality is really data science over the last number of years. But what I've been realizing is that security used to be a domain that was high priesthood. You know, it was only the super technical or super specialized individuals who really cared about security. But over the last couple of years, and especially over the last six months or so, I'd say that security just is so relevant and so topical to everybody.
Even to the point of, I was getting my hair cut the other day and somebody was in the barber shop and we're talking and they're saying, yeah, I think I got my data breached. You know, I got an email saying that my data was breached recently. And that's pretty common. You know, these days we're finding more and more that data just keeps getting in the hands of bad guys, and so it's super common. So I guess my background specifically is, as I was saying, data science, trying to solve problems, business problems, using data, using machine learning. And Plurilock is really doing exactly that.

What you guys do is continuous authentication. And this is probably not a term that a lot of people are familiar with. Most people will be aware of their love-hate relationship with passwords. And more people that are security minded are aware of two-factor authentication, and anyone that knows a bit about security probably knows about biometrics. And I would probably put continuous authentication into maybe a more advanced version of biometrics. How would you qualify that?

Yeah, you're on the money there. So Plurilock is a company that uses behavioral biometrics, which is the study of biometrics over time. So effectively what that means is we look at human behavior, and that could be the way that you type, the way that you move a cursor, the way that you sit, the way that you walk. There's unique biometric markers involved in all of that activity that allows us to first identify an individual, and then be able to make an authentication decision on whether they should be on that device at any given time. The thing that's interesting about behavioral biometrics, unlike a fingerprint reader or an iris scanner: swiping your fingerprint is a slice in time. Right, it's a very specific point of time. Typically you unlock your device and then it's open and available.
Behavioral biometrics, generally speaking, is looking at your behavior continuously. So what that means is not only when you swiped your thumbprint can we identify who you are as an individual, but we can look at that continuously throughout the user session. So to give you an example of that, we get deployed as an agent that sits on an endpoint, and anytime a user is just going about their regular day, they're typing an email, they're browsing the web, they're working in Excel, every couple of seconds we're making a determination whether that's the right person or not. If it's not the right person, if we detect some anomalous activity, then we can take an enforcement action, and that enforcement action is configurable based on the environment. But the point is we're trying to change from static point-in-time authentications, where most people are either using a password or, like you're saying, some sort of biometric. And we're trying to change that paradigm to looking at the whole session over time. You know, if you think about it, most workplaces will typically have five to six authentication moments throughout the day. Generally you have one when you walk in in the morning, you first sit down, you log in and you get on your desktop. You might have a couple of others if you connect to Gmail or Office 365 and you have two-factor authentication turned on. There'll be another authentication moment there. And then in some cases, if you're accessing a privileged database like the payroll database for instance, you might also get challenged. But even if you're checked or challenged five or six times throughout the day, the majority of time throughout that user session is left open.
And so there's all sorts of things that can happen. It could be that, you know, you're working remotely from Starbucks, you walk away from your device for a moment, and you leave it accessible to someone else. Even if you're within an office environment, you know, the same scenario could be concerning both from a security perspective as well as a regulatory perspective. So if you think about a regulated industry like healthcare, if you were to get up and walk away from your device and there's sensitive personal health information left on the screen, it's obviously a security concern. But it also becomes a huge regulatory nightmare that you've suddenly enabled co-workers to see data that they shouldn't have. So kind of bringing this back to what it is that we do: again, we're trying to look and authenticate people through their behavior, and fundamentally that level of continuousness is really what defines us as different in the marketplace.

So the way that the software works then is that, the same way that someone has a particular signature style, even, you know, people can be authenticated based on their cadence, their walk, the way that they move through a space. Those are some more advanced biometrics. But the same way that people will type on a keyboard or move a mouse, you can actually detect a consistency to that and basically identify a person based on how they're typing. Is that right?

Yeah, absolutely. And the key is it's not what you type, it's how you type, and in the same way, it's not what you click on, it's how you click on it. The technology actually dates back to World War II. So Morse code operators way back in the day had a unique signature.
Even if you didn't know or couldn't decode what the Morse code operators were tapping, fellow operators could identify who the operator was just by the unique signature they had. They called it a hand. So the Morse code hand was unique to the operator. And so it was a very early way of doing signals intelligence, where you didn't know what they were typing because it was encrypted, but you at least knew that it was the same operator. That same technique is ultimately what we're doing, just in a much more advanced way. We're looking at behavior over time and we're looking on the keyboard, it's the speed, rhythm and cadence of how you type. On the mouse, it's things like direction, speed, change in direction. The interplay between speed and clicks and direction, there's unique biometric markers that we're able to identify, pull out, extract, create a profile of and then use to authenticate on a continuous basis.

Technology that they use for the CAPTCHA, the new CAPTCHA boxes where you have to click and say I'm not a robot, I've never understood specifically how that works. You know, I click on a box. How does that identify me not as a robot? Is that the same thing?

Similar. I mean, I would say that the thing that is similar to the CAPTCHA box is we're looking at their response. Right, and humans are going to respond differently to a prompt than machines would. If you think about just a person, the way that they type or the way that they move a mouse, it's always going to be a little bit different. You're never going to do two things exactly the same every time. And so there's always going to be what we call an organic drift between one interaction and the second interaction. And we can actually model what that organic drift looks like.
And there are some things that we can expect that drift to have that are going to be different than just some random data thrown into a robot trying to mimic the same thing. There's nuances there that we would expect to be able to detect differently. So I would say that the CAPTCHA example, absolutely, it's a great way of identifying are you human or not. We're actually trying to answer a more concrete question, which is, are you the same human? So it's similar, but we're looking a little bit more nuanced at some of those biometric markers, like the speed, rhythm and cadence of how you type.

I could see that as a tricky difference of, you know, maybe you've had four cups of coffee and you're a little jittery and your hands are kind of splashing all over the keyboard. I find it really interesting that you've developed sort of a tight ability to find the match between that drift and what the typical cadence is for an individual. You sort of identify an important point, that it's not just the fact that you are a human. It's that you're the same human that was originally authenticated. So I've logged into this secure system and yes, it's still me, yes, it's still me, versus there's still a person operating there. Because the old-school approach of this is, if there's no activity, then blank out the screen, turn on, you know, the lock and enable the screen saver, whatever the case is. And yours is, doesn't matter if there's activity or not, it's still able to detect that the person interacting with the keyboard or interacting with the mouse is the same person that was originally authenticated for the session.

Exactly. I mean, the technology itself was developed over a number of years by our PhD data scientists. It's a hard problem.
Anytime you're dealing with people and trying to identify how do people behave, it's a very hard problem to solve. We have three issued patents on this technology; a significant amount of time has gone into the development of it. So, you know, it's not easy. And certainly the way that machine learning has advanced over the last five years or so has made this sort of thing possible at scale, as well as the compute power. But you brought up an interesting point there, which is that because we're able to look continuously and we're able to actually autonomously make a decision to challenge a user or not, it actually becomes a conversation around convenience and friction within the workplace. So a lot of our early clients were in the defense industry. We've got a lot of government customers. We also deal quite a lot in the enterprise financial services space, because they have the same sort of threats that governments do, which is that they're defending against nation state actors. But what we're finding is that when we go in and have a conversation about security, there's 1800 other cyber security startups out there in the world. It's a very noisy space. The way that we've been able to differentiate is actually selling convenience. So what I mean by that is, if you can imagine that in most cases, security and convenience are two opposing poles on a spectrum. Right, on the one side, you have something that's very secure and completely unusable. On the other side, you have something very convenient and it's wide open to attackers. And most of the time, solutions are on some end of that spectrum, and they may skew slightly towards more convenient at the expense of security. And then it becomes a business tradeoff. We're trying to flip that around. And when we go into an organization, we actually say, look, don't choose between security and convenience.
Make it convenient for the user, and we can do that by deploying this continuous monitoring system. But you actually get more security, because the more the user does their everyday activity, the more confidence that we can have that it's the right person. So in effect, we're actually saying, don't do anything special. Don't fumble for your keys and look for two-factor, don't try and get an SMS message to your smartphone and get the first one sent and then it didn't send and then, you know, all that frustrating stuff. We can actually do away with that and provide better security. And so effectively what we're selling is a way for IT administrators and CIOs to scale down some of the frustrations around traditional authentication. So we have a financial services client that actually got rid of their password rotation, they got rid of their password complexity requirements, they got rid of their session timeouts. And in theory that would increase the risk of your organization; they deployed us as a compensating control to decrease that risk. And they got better security, they got better user experience and they're expecting to see a decrease in overall help desk tickets, simply as a result of decreasing some of this friction. So long story short, we're selling security, but the reality is that people are buying convenience.

Yeah, and I think that's a really important point, because I am certainly one of those people that rail against password complexity. There's definitely a good-enough type approach here. And you know, if you have a 12-character password that requires uppercase, lowercase, you know, numerics as well as special characters, or maybe it doesn't allow special characters, which messes with sort of your typical password.
All of this forces the user to just throw their hands up in frustration, especially a non-technical person that doesn't actually consider or value security. They'll just write it down on a sticky and put it on their desktop. So I think the friction around security is actually a really, really important component of the future of security. You know, any security policy or system is only as strong as the users. And that's why one of the most important things you can do around security is user training, you know, phishing campaigns to make sure that people are aware of what these things look like. But also just anything that you can do to make the user experience easier around the password and the use of the password, I think, is both a godsend to the people in charge of the security policy and also the people that are underfoot of the security policy as well.

I think password complexity requirements is a tricky one. Definitely there's a move towards either removing or reducing the password complexity requirements. But I think the challenge for the CIO or the VP of IT is, do you really want to be the guy who goes to the board and says, we just had a breach, the reason this breach occurred is we reduced the password complexity requirements. My bad. We have organizations like NIST coming out and recommending that, hey, guys, we don't actually need to have these super long and complex passwords, because it's not actually getting the behavior that we want out of users. I think that most CIOs, certainly that we talk to, are looking for help in being able to reduce those complexity requirements without exposing themselves to somebody who's maybe not as sophisticated to say, why did you just make this organization less secure? And so for that reason, it's really a two-fold approach. One is remove some of those frustrating policies.
But at the same time, if you can deploy a compensating control to reduce any attack surface that that may introduce, then you really get the best of both worlds. And it's tough, I mean, it's tough being the CIO and having to have those hard conversations with boards in particular, measuring security and trading that off against friction.

Yeah, but I think the way you describe it, as a compensating control to allow it to be easier for the user but still secure in some method, is an important one. I view this as one of the useful cases for two-factor. It's okay if someone gets your password. It's not great, but at least, you know, there's at least a secondary verification. You would see a prompt saying, hey, do you authorize this device from Uzbekistan that wants to use your account? You say, no, absolutely not. Okay, I'm going to go change my password now. So at least there's some level of control after the fact. I see this as just sort of lowering the bar: it's okay that you don't need a 32-character password. But okay, an eight-character password with at least some level of complexity just makes it a little easier, but also still keeps the security intact. So I think that's an important point.

So two-factor is also a good example. I mean, we have just an internal policy where all of our staff have to turn on two-factor for everything that provides it. So I think two-factor is great. I think that the challenge becomes, it's yet another roadblock to getting things done. So we have a hedge fund client and their struggle is they need to be secure, but they can't frustrate their users to the point where they're unable to get their work done. And two-factor is one of those interesting ones where it provides really great security, but it completely destroys your flow state.
You know, if you're sitting down and you're trying to make a decision, if you're coding, if you're writing, it's very frustrating and it really interrupts. Even beyond the 30 seconds it takes you to go through that handshake, the impact of that interruption is actually more severe than that. What we do with two-factor is, because we're authenticating a user every couple of seconds, we actually integrate with solutions like Callsign and Duo that ordinarily would require a step-up authentication. So if users are going to access the payroll database, for instance, normally they would trigger a two-factor step-up authentication. But rather than having Duo send a notification to their phone and have them go through that workflow, they'll actually query our APIs, see that we've authenticated that user in the last 30 seconds, see that their identity score is very high, so we have a high confidence that it's the right person, and then just let them in without that two-factor step. So it's still a form of two-factor, because it's still something that you are, which is what we're effectively doing. But we do that invisibly in the background. And so if you think about that at scale, you know, if you have three or four two-factor requests per user per day, and then if you have an organization of 5,000 employees or 10,000 employees or 100,000 employees, the business impact of stopping work to do that handshake and forcing the user to go through that is actually very severe. Now, if you can get equivalent security without bothering the user, that's a win-win. And so that's, you know, again, when we're talking about reducing friction, those are the types of use cases that we really gravitate towards, because we're providing better security, but we're also providing the user an easier way of going about their business.

Yeah, and I think that's a really important point, because I, like everyone else, suffer from that.
Where, you know, Chrome updates its browser, which forces LastPass to then re-verify me on multifactor. And, you know, I had to rebuild my machine after I lost my hard drive, and I was frustrated with the number of times that I had to do the two-factor authentication to re-authenticate all of the systems that, you know, generally knew who I was. And I get it that you guys probably can't cover the initial login, because unless you're integrated deep to, you know, the OS layer for authentication, hopefully that comes later. But at least to sort of skip the steps where there is a high authentication score, I think that's a really cool addition. Do you see that as something as a potential in the future where, you know, your password prompt is basically, type this sentence, and based on the software, it's able to authenticate you from the beginning as well as the continuous authentication?

Yeah, so it's available as a closed beta right now, but we do have a credential provider built into Windows. So rather than using the Windows Hello workflow that uses biometrics, for instance, we'll actually use the passphrase. So the way that you type a specific passphrase, again, is unique to you and we can use that to authenticate. So we do have that available. The other thing that we're doing with a number of virtualization clients is we integrate with Citrix and VMware. So for remote desktop or virtual desktop environments, we can actually do that initial handshake through a web browser or web prompt and then also can connect into the virtual desktop and protect that continuously as well. So short answer is yes. You know, it's coming. We're trying to evolve in a way that we spend our time and attention on the areas of highest friction for users, because that ultimately just means, you know, that's the most amount of value.
And the solution overall, like, it sounds like it's complex, it's advanced, which typically means it's enterprise-based. Do you have sort of a market that is typical, or, a lot of the MSPs that may listen to the podcast are wondering, is this for me or is this just for hedge funds and banks and governments and things like that? Can you maybe speak to that a bit?

Yeah, we've definitely started in the enterprise space. Our early customer wins were from DOD, financial institutions. Organizations that are both enterprise, like you said, but also suffer from really severe security threats. I'd say crypto is also up there in terms of the level of risk that organizations have. Probably those three are the highest. What we realized, though, is because we've designed the system to work for scale, to be able to support thousands, tens of thousands, even hundreds of thousands of users, it's all very automated and autonomous. So the system itself, when it gets deployed to an endpoint, automatically enrolls the user, creates a profile for that user and then flips from enrollment mode to protection mode automatically. There's no administrator involvement. Really the only thing the administrator has to do is push out the agent, which you can do through a policy update or an MSI. So because we built it for scale and we assumed that the administrator wouldn't have time to hand-hold many of the client-side functions, it actually is a pretty good fit for small businesses who either don't have a lot of expertise or only have a guy or a couple of guys who are able to manage, you know, a couple hundred endpoints. So it's kind of interesting that we built it for enterprise, but it seems to be a pretty good fit for the mid-market and SMBs as well. I think, to your question about enterprise requirements, we do have a reseller program.
There's going to be some announcements coming out where we firmly announce our global channel program. And we do have channel partners all throughout the world, on every major continent, already signed up today. And that's a mixture of managed providers as well as resellers. You know, I think that the markets that we play best in are usually regulated. So historically those have been government, financial services and critical infrastructure. We have some power plants also, and utilities, that use our software. But really it's anybody who has a regulated industry, we seem to do pretty well in. And I think largely it's because if you're in a regulated industry, you need multifactor authentication. If you're in a regulated industry, you need continuous monitoring and you also need anomaly detection. And these are just basic requirements that are true across pretty much all regulated industries. Now, you're always going to find non-regulated commercial accounts who strive to hit a higher bar, and so we also do quite well with those. But you know, we've got good representation across a number of industries right now who are looking for those advanced solutions. Things that'll protect against advanced threats, but also can check the box for HIPAA and PCI and NIST or even just ISO 27001.

Yeah, the regulation of IT is coming fast and furious. A lot of people are now dealing with clients that have HIPAA requirements as well. You know, PCI was a godsend for me as a former manager of a security practice, because someone else was dictating the level of security process that was required, and that creates a lot of work. It's good for the IT industry. But like you said, if it's not done in the right way, it creates a lot of friction with the users.
So this is sort of a nice bridge between the two, to provide some advanced measures but also not be impeding the workflow, like you said.

We've actually seen it pop up in cyber insurance policies as well. Where it's almost like a, oh, I didn't actually realize I needed to do these three things. I didn't know I needed to look at the logs on a regular basis in order to comply with my cyber insurance policy or just the rider that I have on my general liability. I've heard that a number of times recently. And so it's actually a question that I've started posing to the managed service partners that we have, to say, how many of your customers actually know what they need to be doing in order to remain on side of their cyber policy? And the amount of blank responses I get is actually pretty high. So if I were a managed service provider, if I was somebody who had responsibility for somebody else's IT infrastructure, I'd actually be asking those questions. Because in a lot of cases, organizations think that they're not regulated, therefore they can do whatever they want, which is true to an extent. But there may be other reasons why they still have to comply and get to that base level of best practice. The other one that we've been seeing quite a bit is service providers to larger financial institutions. There's generally some contractual obligations that say they have to be SOC 2 compliant or they have to abide by standards very similar to a NIST or a SOC. So, you know, even if you are a high-tech company and you've got a SaaS platform for managing payroll, even though you may not be regulated, the customers that you service may be regulated and there may be some flow-through obligations.
And so the idea of vendor risk management as an IT driver, I think, is going to become more and more common, especially as these large incumbent organizations effectively push through or pass down risk to their service providers and say, look, you need to do these bare minimum things. And even then, I still need you to indemnify against any sort of loss. Which means you need a really good cyber program in place.

Yeah, it's the odd part about security. There was sort of this period around the introduction and the renewal of the Patriot Act, and people got really paranoid about data residency. And so many times, in the IT practice, we had run into clients claiming that they could never host their information in the US. It was factually not true. It was just that they heard all of this FUD around, you know, you can't have their stuff in the States, the government will just come and seize all of your servers. And the reality of what I often told people is, unless someone has told you that you have data residency issues, or if you consult with a lawyer and they tell you that you have data residency issues, nine times out of 10, this is not a problem. And I kind of wish that that level of awareness or paranoia was present around the risk mitigation issues that you just talked about. Like, so much of that stuff, people just have no clue that they're actually on the hook for things that they're unaware of. Like, are you collecting sensitive information? Are you touching government data? You know, do you have obligations to third-party clients based on OLAs and master agreements? So much of that stuff really slips under the radar unless it's under enterprise management, right?

Yeah, and it goes a couple of hops away from you. So I'll give you a personal example. Plurilock obviously being a cyber security vendor, we have a heightened degree of cyber awareness.
Everybody that works here is extremely paranoid about everything that we do. Which, as they should. And so that same level of paranoia goes to the vendors we work with. And so we actually select vendors partly based on their level of cyber hygiene and their ability to maintain their business and defend against cyber threats. The challenge is, one of our vendor's vendors got hit in the Typeform breach from last week. And even though we did our due diligence on the vendor itself and it seemed like everything was above board and it looked good, we were still exposed to risk because their vendor's vendors used Typeform. And so it's challenging to be able to first even just identify these risks that exist, because we live in such an interconnected world. But then to be able to defend against them or to develop policies to mitigate against those is actually pretty difficult. I'll give you another example. Some of the large financial institutions that we work with have a lot of overseas relationships. And so it could be something as basic as a call center that they've contracted in the Philippines or in India. Or it could be some other business process that they've outsourced. One of the challenges that they face quite frequently is the ability to identify who the worker is. And so we see this a lot with financial institutions, where they'll interview a candidate who they want to work with that's overseas. They'll background check that individual. They will reference check that individual. And they'll go through a full interview process. And by the end of it, they have a pretty high degree of confidence that this is a person that is trustworthy, that they can work with. And so they give them a contract or give them a job. And it's possible that this all occurs through a third party.
So it may not actually be the organization in Canada or the US, uh it may be uh that they're they're doing this all through a third party. What we've seen multiple times is that the person who shows up for work on day one or even day 50. Is not the same person who has been reference checked, background checked and interviewed. But because there is uh a a degree of complicity that the worker still has all the right authorized credentials. And we've even seen it where there have been fingerprint scanners or or um other forms of biometrics deployed within the environment in India or or in the Philippines or wherever it is. And the authorized user shows up in the morning, swipes their thumb, they go off and do some other work and then ostensibly a a lower paid person sits down and does the work that the the higher paid person was was hired for. And so it becomes very, very challenging to be able to first even identify how much of that takes place and be able to defend against that. So even the the guys in outsourced markets are outsourcing the work taking the the Tim Ferriss four-hour work week a a little too far, right? Absolutely. Yeah, absolutely. But it's challenging, right? I mean, that vendor risk management, there there's not a lot of good solutions out there. Our so just as as a bit of a plug, I mean the way that we solve that is um we we actually encourage our customers to use some sort of virtual desktop technology. So you you retain the data in whatever secure enclave that you have uh in North America. So there's no data exfiltrated to uh a country that you don't have access to. Um but then also when you're securing that virtual desktop session or or that VDI infrastructure. We we run our software inside of it. So you have not only whatever your base level of controls are, be it two-factor or just log in and password, but also should should that individual walk away from their machine. Should that individual trade places with their co-worker, whatever. 
We're able to recognize that in real time. And in some cases, our clients just want that that information. They just want to understand what the threat is and be able to look at that in a consolidated report, either in their SIEM system like Splunk or QRadar or whatever. Um or just in a standalone report that we provide. Or in other cases, if the level of sensitivity is high enough, like if it's financial information, if it's PII, personally identifiable information, um they may configure it so that there's an enforcement action that takes place in real time autonomously. Again, because we have a a high confidence in being able to make those decisions. Um in a lot of cases, we can just let the AI run, challenges the user, potentially locks them out. Um and and by doing that, by having those controls in place, it actually lets the the IT staff focus on higher value uh work items. So they're not just constantly refreshing a log window, seeing when there's a an incident that pops up. They're focused on higher value stuff, they have confidence that they know we're protecting them in the background. And then when there is an incident, we'll take care of it right away and they don't need to drop everything that they're doing just to respond to it. Yeah, I agree. I love the autonomous aspect of it. That the security is being managed and I'm a big fan of managing by exception. So you're not, like you said, you're not combing the logs looking for uh for those those events, those are events are being monitored by essentially an AI to to look for something to alert you that is actually worth noting. So I think that's a a really good advancement as well. I think so. AI and machine learning, I mean machine learning is a subset of AI. I I think that there's there's a lot of interest in the hype of artificial intelligence. And what I always tell people is that the way to view machine learning or AI is that it becomes a force multiplier. 
And it becomes a way of getting your people to do higher value work. That's that's how you should be looking at AI. It it's a great feature, but the benefit it provides you is it will do things that are monotonous, uh that are commonplace and allows your staff to go do other things while the AI takes care of of the 80% or even the 90 or 95%. I'd say that Darktrace, um, you know, as as has an interesting reputation, but I'd say that they're very well known for promoting their use of AI. Um and there's a bunch of others as well. Um but the whole point is being able to leverage AI or machine learning to cut down on the monotonous day-to-day activity. And then focus your staff on the higher value items. Um and I think that especially for for channel providers where you have a lot of smaller clients. That's that's really the same thing they've been doing for years and years. Which is automate as much as possible and then only deal with with things that are problematic. And what we're seeing is that security is getting to that point as well. You can automate a whole lot of this and then really only deal with the the high ticket items, um and ultimately you're providing a better value to your customer as well. So it's a it's a win-win-win. You mentioned crypto earlier. Uh is this a a space, obviously being a security company and someone who's security minded. It's a it's a a space of interest for you, I'm I'm sure. Uh any overlap in the work that you do or just sort of uh uh curiosity moment, I'm sure the finance companies are interested in in crypto as well. Uh like you said, it's a it's a higher, more vulnerable attack factor because there's a lot less regulation to control the authentication mechanisms or uh the lack thereof in some cases. Yeah, crypto is interesting. I mean, I've I've been interested in the blockchain space, the crypto space, um since since well before it was sexy. 
The thing that I find really interesting is that you you cannot have a conversation about crypto and blockchain without talking about the security aspect to it. And what I've seen just sitting partially on the sidelines looking at the space is the crypto project, the crypto projects and specifically the cryptocurrencies that are successful are the ones that haven't been hacked or haven't been hacked yet. And so especially if you're comparing the crypto exchanges and you chart uh the the life expectancy and and the reasons why some of them are no longer around. Obviously there's some regulatory risk there, but the the majority is really. Who can protect their user's data, who can protect the keys, who can protect the wallets, who can protect the fact that you've you've you're keeping currencies on the exchanges. And so security actually becomes a differentiator. There's there's all sorts of interesting aspects to various projects, uh be they wallet or currencies or exchanges or what have you. But I think if if I were um looking at it from an investment standpoint, my investment thesis would actually be who has the highest degree of security built into their model of whatever it is they're working on. And those are the ones that I want to bet on. Because security is such a high high important topic, um that it that it really it's existential to to the product itself. Um so certainly. I mean, we've we've been uh brought in to to consult on on a few projects. And you know, I won't go into too much detail about about what those were. Um but what I find interesting is is the level of risk that they have is just so high. There's also a hesitancy for for a lot of these exchanges and projects to work with law enforcement. And so whereas a traditional bank probably already has a relationship with uh local police or or federal police. Because the crypto market is still in a bit of an uh gray area. 
Although it's it's getting cleared up, um especially the the recent SEC announcement about Ethereum. There there's still a bit of hesitancy to work with law enforcement. And so what that tells an attacker. Um if I'm going to target something, if I target a bank, I know that the the Feds are going to get involved. If I target a crypto exchange, it's hosted in the Bahamas, I I probably don't have the same level of of response. And so obviously as an attacker, I'm going to go attack whatever is easiest and whatever is is safest, um and it's going to provide the best the best bang for buck. So, yeah. I think that that's that's a big part of why a lot of the news that we hear about blockchain and about crypto is, you know, 30 million just got wired to uh uh to an account that or to a wallet, I should say, that that it shouldn't to. Maybe to continue on that vein, any any other thoughts of the future of uh the security industry? Crypto and blockchain are certainly one of those. Any other areas of interest in in the security field that you're watching for future unfold? I think consolidation is the big one. You know, I mentioned 1800 cyber security startups, everybody has a story about going to the RSA conference. And seeing more and more and more of the same vendors that are out there. Um so. You know, I think from my perspective, I I see that a lot of the survivors or the winners in the security space are going through consolidation. You know, it's it's not enough just to have a single point solution. Um and and say this is the silver bullet, you need defense in depth. But you also prefer that defense in depth to come from a smaller number of vendors. So I think that the opportunity that presents, especially for the channel, um be it resellers or or managed providers, is if you can take best of breed point solutions, consolidate them and then bring them to your clients. You're actually doing them a huge service. 
Um not only because you're doing that that integration work up front, um but you've also done the selection, right? So pick a next gen antivirus, pick a next gen firewall, um you know, pick a a couple of of monitoring solutions. Bundle them all together and then take those take that package uh to your customers. And you're solving a really big problem even just by by selecting and integrating those. So I think consolidation, um from from a couple of different directions is is something that will continue and it's something that I'm watching. Um I think the other big one would just be the the level of automation. Everybody's heard of the cyber security skills shortage. I think the the the latest figure I saw was a million cyber security jobs are going to be left unfilled by 2020. And it only gets worse after that. So what that means in effect is that the solutions, the the cyber security products that survive and do well are the ones that focus on on automation. Generally speaking, the rule of thumb is every new enterprise security product you bring on requires an additional staff member to care and feed. Um and I think that the the solutions that are going to do well are the ones that actually reduce that number. That are able to act autonomously, that are able to cut down on the number of manual actions that an IT staff member has to do. That uh that allows you to do more with less. I think those are the ones that are going to to do well. So consolidation, automation are are the two big drivers that I'm seeing. Excellent. Well, uh we'll look to wrap up in interest of your time and uh the the listener's attention as well. Um any call to action? Anything you'd like to ask of the audience or have them take a look at or do? I well I think as a follow-up, um if if you're interested in learning more, uh I'll I'll send uh a short two-minute video that that has a bit of an explainer on on the solution. 
Which uh that would be great if you could if you could help share around. We can include it in the show notes. Perfect. Um I think that my my question of of the channel would be, what are the threats that you're seeing? Especially from the the the SMB or the mid-market. I'm really curious to hear what sorts of either threats or challenges um that that you're seeing. You know, law firms are a great example of uh areas of extreme risk that maybe are not as developed uh with their cyber hygiene. Um but I'm curious if there's other sort of pockets of of opportunity from a a security standpoint. Okay, great. And if people uh want to send you that those details or get in touch with you uh further, where should they reach out to you? Yeah, absolutely. So connect with us at plurilock.com, that's p l u r i l o c k.com. And uh there's a chatbot that's on there uh that is ready and willing to uh to have a conversation with you. Okay, great. And uh LinkedIn or Twitter, anything like that on social channels? All the social channels. We're on all the channels. Okay, great. Well, this has been fascinating, appreciate your time in and uh thanks for coming on the show. Thanks.
