EXP Technical recently hosted a FREE webinar entitled "CMMC Tools, Tactics, and Technology."
Among the items covered in the presentation were:
The webinar was video recorded and is now available, streaming on demand, below.
Good afternoon, everyone. My name is Kelly Paletta. I’m Director of Sales and Marketing here at EXP Technical and I want to welcome you to our webinar which is entitled “CMMC Tools, Tactics, and Technology.”
I have a few administrative announcements to run through at the top here, and then we'll dive into the main course of our presentation.
Pat, if you don't mind advancing the presentation…
So, among the administrative announcements…
One is that we have quite a bit of information put together for you here and it's kind of packed into a contiguous presentation. We expect that to take about 30 minutes and because it is fairly densely packed information, we ask that you submit questions via the Q&A feature in Zoom. Now at the bottom of your display, here you should see something that looks kind of like that image that you see on this slide. And that will enable you to submit a question via Q&A that will go to myself, the moderator, and to Pat Cooke our presenter.
And we've allocated time at the end of the meeting to address those questions. So we'll batch those up and go through those at the end of our presentation.
One question that's often asked in these presentations is, “Will this material be available to me afterwards?” and the answer to that one is: “Yes!” We'll be making a video available and for the folks that are in attendance today. We'll be able to send you the slide deck in a PDF format. So both the video, transcript, and the slide deck will be available should be within a week. It takes a little while to prepare that information for you…
And then in terms of other kind of high-level announcements, this is kind of a follow-on to a webinar that we offered a couple months back. And the first webinar in this series was a broad overview of right-sized solutions for small and medium-sized businesses that are on their journey towards CMMC level three certification. This presentation focuses a bit more on the specifics--the tools that we found that have been very effective with the clients that we work with that are subject to that regulation, and in fact other regulation as well.
So we'll be diving into the meat of our presentation in just a minute here and I guess one other administrative announcement before I introduce our presenter is that in addition to Q&A at the end of this presentation, we'll also be giving away an Amazon gift card for one lucky attendee. A hundred dollar gift card! So I encourage you to stick with us. Not only is the information informative and entertaining but there's also a door prize for one of the folks that are in attendance today.
And so having said that, I’ll lead to an introduction of our presenter and that is Pat Cooke.
Pat is a principal here at EXP. He leads our governance, risk, and compliance practice. He's a CISSP, which is an advanced cybersecurity certification. But not only is Pat a highly-skilled technician, he also has a lot of business acumen. He has a long career in I.T. leadership, both as an entrepreneur and as a CIO, as well. And in fact, in 2012 (I think it was) Pat was named by Puget Sound Business Journal as “Best CIO for a Private Business” in the Puget Sound Region. And so not only is he appreciated by our clients and respected in inside our company he's also widely respected as a thought leader amongst the local community here in the Pacific Northwest.
And so, having said all of that I think it's probably a good time for me to hand things over to Pat to begin the main part of our presentation. So Pat when you're ready feel free to go ahead…
Thanks for the introduction, Kelly.
And thanks to everybody for attending.
As Kelly mentioned this is essentially a follow-on. It stands alone, I think, but… I’m not sure if there's anybody from the previous webinar on the call. They may want to watch it as a recording and, as Kelly said, in that one we've sort of outlined our broad approach on how to achieve these compliance goals with limited resources, limited budget, which just about everybody in the small/medium business space has. We've been working through this for a few years now really and we've come up with some tools that we thought it was worth… would be worth sharing with our clients and prospective clients.
A couple of assumptions:
I’m going to assume that everybody who's on the call understands the NIST/CMMC requirements, or at least what the government is looking for you to do. There's 130 different requirements practices and I’m just assuming that you wouldn't be on this call unless you had some interest in meeting those requirements.
And I’m going to assume that the audience is somewhat technical. It's always a challenge in these webinars to pitch it to the audience, because, essentially, we don't know who's on the call and what their technical level of expertise is. I’m going to assume some level of technical expertise …at least from a leadership point of view.
And another thing that's worth mentioning is that I’m going to assume that everybody has some level of hybrid or on-premises infrastructure. Moving to the cloud…I’ll have a slide on this I’ll go through in a minute… Moving to the cloud is not, has not, really been feasible for government contractors that we have encountered not that's not to say that other there are not people out there who are 100% cloud mainly because of CAD manufacturing files, file size, etc.
So the agenda is to essentially go through five different areas what we're calling the EXP suite of security and compliance tools. These are really focused at CMMC/NIST, but we also do HIPAA compliance, PCI compliance, GDPR, etc. And these tools generally cover all of those.
So we'll talk about endpoint detection response. The one that we chose after some extensive research.
We'll talk about security operations center and systems incidents and event management—SIEM.
We'll talk about multi-factor authentication.
We'll talk about a tool called compliance manager which helps with all of this.
And we'll talk about documentation in general.
There are lots of good tools out there. And these are the ones that we have found to provide good value for small/medium businesses.
We, of course, can't know everything about everything so we, in general, try to limit our tool set so that we can know those tools really well. We're about a 20-25-person company and face the same issues that everybody does in terms of knowledge management. So we try to find best-of-breed that work for our clients’ budget and that we can get to know them well.
So just to talk about cloud I’m assuming most people know that the Microsoft has a Office 365 offering which is known as GCC High.It's been expensive—too expensive—for just about all of our clients the E3, not even the highest level, is about $1,100 per user, per year. If you're a fifty-person company that's sixty thousand dollars with tax and everything! That's a lot of money to pay just for essentially email, Word Excel and SharePoint. It does come with a lot of security tools—the same tools that are in the business packages from Microsoft. It's just all housed on U.S. soil is the main difference. And it actually has some limitations: not everything is in there.
And it plainly doesn't offer a silver bullet because if you're hybrid you've still got to protect local servers. And again, the assumption is that everybody's at some level hybrid. If you're an engineering firm you're going to have AutoCAD, Revit, etc. If you're a manufacturing firm, you're going to have Solidworks you're going to have ERP systems that are on premises. Everybody's got them. I just haven't run across anybody who could go 100% to the cloud. I guess if you were you know an attorney firm, or something like that, that worked with government contractors, you might.
And there's still a significant burden of configuration even if you do spend the money and go to GCC High. You've still got to configure data loss prevention, transfer protection Azure information protection—lots of different stuff to configure. It's not a slam dunk just to put your stuff up there and feel protected. As I mentioned I haven't encountered anybody in the in the AEC or manufacturing sectors who are 100% cloud.
Also, Azure MFA which is included essentially with Office does not do a good job with desktop remote desktop gateway which almost everybody is using… VPN etc. It just doesn't do a great job. It does do a good job with Office Access but that's not the start and the end of it.
Just a little bit deeper overview; what they do:
SentinelOne what I’d call Next Generation Antivirus or Endpoint Detection Response is the current term EDR. Of course, it stops viruses and stops malware but it gives you media control (which is part of the CMMC requirements), application whitelisting, blacklisting—pretty sophisticated features there. A centrally managed device firewall for all of your workstations, which again takes a box or two.
SOC/SIEM log aggregation is part of NIST [SP 800-171]. You're supposed to put all your logs into one place so you can review them easily. It'll take in firewall and event logs—actually take in incidents from your next gen antivirus or even your regular antivirus and email gateways.
And then Duo is what we think is the price performance leader for MFA. Again, there's others out there but that's been around a long time. It's now owned by Cisco. It's got something for everything which is what we like about it.
And Compliance Manager is the documentation management and environment data collection tool which we'll talk about.
So to dive in… SentinelOne.
Why do we like it? As I mentioned before, we looked at several different next-gen antivirus—and there's many good ones out there: Sophos, Carbon Black. FortiEDR is one we actually still provide, but we're trying to consolidate them to SentinelOne. There's maybe 10 or 15 top-level ones. They're all priced about the same. CrowdStrike’s another one that actually I …we… haven't encountered, but it's expensive and supposedly good. But we're, as always, trying to find something that works for our client’s budget, that we can get our arms around technically to help them deploy it and to manage it.
Things we like about SentinelOne: It's like all of these.
It's behavioral, not signature, based so it's looking for anomalies and behavior…as in you know a thousand files being encrypted in a couple of minutes by a ransomware attack. That's behavioral. It's… No signature in the ransomware attack. Somebody's doing stuff either with a script or a piece of software on a machine and it can very quickly isolate those processes that are seen as being potentially dangerous and stop them.
As I mentioned before it's got a central device level firewall so you can… One of the requirements is only necessary reports should be open on devices. It can manage that from the central policy point of view.
It's got pretty decent…it's not quite where we'd like it to be… but pretty decent whitelist/blacklisting for applications, which again is part of the CMMC requirements.
It can report on patch compliance level We get a client-wide…if you see from the dashboard here… It rolls up all of our clients that have it into one dashboard so if we've got an infected machine, we'll see it straight away and can take action help get it mitigated and it connects to our SOC which I’ll talk about in a minute.
There is a higher level license that will give you forensics. It essentially records everything that's happened on the machine and can play back to what happened. Nice to have extra four dollars. It all adds up. Worth having if you can afford it. If not, the $6 per device per month is good value, we believe.
What does it do for you from a (as well as a practical point of view) a compliance point of view?
What are the NIST/CMMC requirements practices that it checks off?
Well, it can manage portable storage devices. It's got policy-based USB management control and monitor, user install software application whitelisting/blacklisting. It can restrict ports etc. protocols. This one specifically mentions blacklisting/whitelisting of unauthorized software.
Of course, like any antivirus it checks the media as you… If you put a CD, DVD or USB it's going to scan it before you access it, and can again manage portable storage devices such as USB—which are pretty common for movement of files around manufacturing and AEC firms. And control/monitor use of wipe technologies. Again you could you can blacklist Zoom, Teams…whatever you want…so that only the VOIP technologies that you want to use are allowed.
And again this is self-explanatory: malicious code. It updates… This is one that's worth mentioning. Most of these next-gen AV systems do not perform periodic scans like the old ones used to do. Like scan the machine every night. However, that is a NIST requirement. So you can schedule them. And you might do it once a quarter or something like that, but you can have a essentially an automated task that would scan every machine, because it does not do it by default, but it is in there as a compliance task that you can do.
And it monitors traffic at the personal file or the device firewall level and if you have non-vendor-supported products you could prohibit them from being used with application blacklisting/whitelisting
So SOC as a Service…
You know everything is “as a service” these days. SOC (security operation center) essentially means that you've got a bunch of folks sitting around computer screens with tools monitoring your environment 24/7/365.
That's, in the past, been beyond the reach of both our client base and technology companies like us to provide.
I’m glad to say the prices come down to where it's now affordable and again it ticks a lot of boxes [on the NIST/CMMC requirements list] but also know when this stuff happens, it's going to be the middle of the night. And there's a level of comfort in having somebody there, if a ransomware attack starts at 1:00 A.M. on a Saturday or Sunday morning. Somebody call… Somebody will call you and you know first of all stop at remediate/mitigate, but call you… Get you involved if it's that serious. So actually, people you know, that will call you on the phone or escalate a ticket or whatever
Gives you… It’s a bit of the hackneyed phrase but gives you a single pane of glass for most things that you have from a security point of view.
SentinelOne, Sophos, WebRoot, and Defender will connect to it and it'll create incidents from underlying incidents in those platforms it will ingest firewall logs which is one of the requirements.
It's a syslog mechanism. One of the devices on your network acts as a forwarder—essentially takes the firewall logs and puts them up into the event management system.
Can take in servers and workstation event logs. From a price point of view, obviously we would recommend that you put on everything servers, then workstations, but at least on servers. To me, that's a reasonable compromise from a cost point of view because it is ten dollars per device per month. So most companies have six to ten to twenty virtual machines or servers and putting them on them alone is not gonna break the bank.
And there are some sort of freebies. For instance, the Office 365 tenants you get for free; The EDR for free those don't cost…do not count as devices…so we're actually sort of deploying it for all of our clients because you don't really incur cost until you actually put it on a device on the network and it gives us again a roll-up—single pane of glass for all of our clients on this system.
Barracuda is the main email gateway that it pulls in data from. Lots of other connectors. You can see over here you know it's got cryptomining plugins. It looks at the traffic in and out of your network—where it's going where it's coming from.
Everybody if you've got a public server, you're going to get a lot of cyber-terrorist traffic. Just… It's all automated. They've got bots out there trying to get in. If you've got something like NewForma, if you're engineering, or your ERP is online… They're trying to get in and you'll see that traffic coming in from all over the world.
It does give you threat landscape updates on a on a real-time basis, which is part a CMMC requirement. And useful just to know what's going on! I was very impressed when they… We had the print nightmare vulnerability… They came out with a print nightmare plug-in almost the same week. So that it was part of the dashboard. I thought that was really good actually.
It will connect to “’;--have I been pwned?”, which is a site that that figures out which of your passwords are available on the dark web. You'd be surprised. A lot are! And it'll tell you and allow you to change those if the login and password is out there on the dark web.
And the escalation can be either to you, or to us. Not everything is escalated. Serious incidents only. But it's sort of… We obviously work with a lot of clients who have no IT department. It's going to come to us. If they have an IT department, they might choose it to come to them. There's flexibility. There there's a sort of a contact tree that can be put in.
And importantly, if you're ITAR, it's US-based screen staff and the data centers in the US. It's not accessing your data, but that level of comfort.
And, as I said, $10 per device per month which is relatively affordable. It used to be to get into this: $60,000-$70,000 a year. Obviously, if you've got 10 servers, that's [EXP SOC as a Service] $1,000 dollars a year. And you know it's you sort of need to understand that you get what you pay for, to a certain extent. A lot of it's AI-based, but there are actually people looking at screens. And if something happens, they will escalate and call you.
This is a relatively new tool for us. It's actually really useful. There's a lot of work in compiling the data that you need to have to be compliant. This is a cloud-based product. The way it works is a data collector is installed on the local area network. It's also got external scanners. The data collector goes around, hits all of your servers and machines and user databases and produces a set of worksheets that are somewhat painstaking to to fill out…but when you do fill them out…and put in narrative about how you are meeting the various requirements. It pretty much then automatically produces these documents in what I think is quite a good-looking format. And presentation always counts—especially in an auditing environment, where you're going to be audited. If you look like you've got your stuff together, it's going to serve you well.
It produces a lot of documents. The critical ones—the system security plan, the plan of action with milestones… You can't even get off the ground without those. Those are requirements for DFARS.
It'll do a risk analysis—an automated risk analysis and a treatment plan. That checks a box.
It will calculate your NIST score, if you're going to report that up to the Department of Defense, which you're required to do for the interim rule. It'll produce a CMMC Evidence of Compliance document.
And these are automatically generated so the idea is that you go through it… It's a continuous improvement so you're going to go through many different assessments. And as you go through them it will update them and you can't actually edit them. They come out in Word and Excel format so if you if you want to manually edit them, you can. They're not just PDFs.
And it's quite affordable. It's definitely worth the money $150 a month for up to 250 devices. And I would say, just in in the generation of those documents, it probably saves (if I was to do them all manually) it would probably save me 20 hours of my time.
Here's some examples of reports. I’ll go through them quite quickly.
The System Security Plan
It meets the DOD format. Everything is either “implemented,” “planned”, “to be implemented,” or “not applicable.” You put in the text, the narrative for how you are meeting those. It prepares a system summary with data owners etc., the start of the documents. It's 16 page documents and again meets the requirements. It could be longer, of course, if your narrative is more lengthy, but I tend to recommend that people keep it short and pithy.
There's an example of the POAM, which is the plan of action you're supposed to have for things that are on your System Security Plan but are planned to be implemented. You're supposed to have milestones and estimated completion dates, a status update… Essentially it provides you all of that so if anybody asks for it, you've got it, and you can either file it as a stamp of where you are a particular point in time—at the assessment—or use it as your project task sheet.
It will, like I said, come back with a score for you. It's a real pain in the neck, trying to calculate that score, and this takes some of the work out of it—especially as you're moving through different iterations of the assessments. And it'll give you the score that you can report…
Evidence of CMMC compliance…. Again it's all based on the narrative that you put in and how you say you're meeting them but it does produce a document that you can give to a partner. For example, sometimes they will ask for that. If you're the secondary to a prime contractor in a government contract and sometimes they'll ask for your evidence of compliance. You can choose whether or not to give to them of course but at least you've got it in a digestible format.
It does the risk analysis, based upon the data collection, and it'll give you a risk score and also checks off the periodic risk analysis requirements of NIST.
It'll do a basic diagram. Obviously looking at this you're not going to be that impressed. The more information you give it and the more SNMP stuff etc. it has, the better will be. You can use it or just put together your own one in Visio. You don't, of course, don't have to use any of these. They just sort of get spat out by the system.
What does it do for you in terms of compliance? Well again, like I mentioned, you have to have a System Security Plan. That's a prerequisite for even submitting a SPRS score. You have to have a plan of action. Those are both DFAR’s requirements. Assessing the risk to your organization operations. That risk analysis with actually…working on the treatment of it fulfills that requirement, in part at least.
MFA Duo we again like. With SentinelOne (we) went through a lot of different products, or again we're looking for the price/performance later. And we are pretty confident that Duo is the one. It's only three dollars per device per month. They have different levels. You can pay up to $10, I think, and you get more stuff like policy-based device management etc. But the three dollar level actually does most of what our clients need to do.
And it does take some setup. We can do it, or we can help you do it.
It provides multi-factor, two-factor authentication to—as you want it—workstations, servers, remote desktop, most VPNs, Office 365… It can replace the one that's in there, which I recommend, so that people are used to use in one system. And it layers nicely on top of the Office 365 tenant websites. It'll even plug into a WordPress website. And again, quite affordable.
What does that do for you? Well it's pretty simple. there's two there's two requirements about Multi-Factor… in this CMMC, and it meets those. Just on this one there's often some confusion about this “required Multi-Factor Authentication/non-local maintenance sessions.”
That's external, but local and network access from general understanding means you have to have it on the workstations and servers. “Network access to non-privileged,” accounts means you need MFA for your workstations on the local area network. That's my considered opinion. Some people might argue with me.
Pulling all this together… “Keep it simple,” is my advice. Somebody came to me after a webinar that they had been at from somebody else in this business said we're told reading 90 different documents policies etc. to meet this requirement. Yeah. And of course this was from a company that sold a policy producing product. I would argue that if you've got 90 different… in a small/medium business environment if you've got 90 different documents, you're in over your head to begin with.
You need to keep it simple.
My advice is that anybody in your organization should be able to read your policies and understand them. And at least sign off on the ones that are end-user facing annually and on higher maybe more, if you're changing frequently.
You need to back things up with evidence especially for CMMC which is practices and procedures. If you're doing stuff, back it up by recording it as simple as scanning a configuration worksheet when you deploy a new machine and uploading it to SharePoint. Obviously if you've got automated systems that's even better. But you want to be able to say if you ever get audited, “We're doing what we say we are doing and here's evidence that is unarguable that we have been doing it in just about every case.”
Keep it maintainable. 15 to 20 documents to me is appropriate people might argue with me on that, but again that's where I come from. I have been in compliance for quite a while.
These… I've got 17 documents here I won't go through them all. Some of them are required for NIST, some of them are required for CMMC.
You need a System Security Policy. You need a POAM.
You need a System Security Plan, which could be the same thing as the policy if you wanted. Some people take that approach.I see the policy as more internal policies about what you're doing from a security point of view. The plan—more of a statement to outside folks about your system security
You need to manage remote access, wireless mobile device policies, from an end -user point of view.
Data management, and CUI flow is a requirement for CMMC. You should have it anyway except acceptable/unacceptable use. Most people have that as part of their employee manual, but you should have it in a policy. And you could combine these into one policy if you wanted.
You need a Cybersecurity Incident Response Plan as part of both CMMC and NIST.
CMMC wants you to have a Business Continuity/Disaster Recovery Plan. You should have one anyway if you're of any complexity as a business. [It] does not have to be 25 pages or 40 pages. Five or six! Keep it short. Keep it simple.
A Risk Analysis Report, a Risk Treatment Plan you'll get those out of Compliance Manager, if you're using that.
And then procedures: Really as just documenting that you're doing stuff. I have configuration managements. You need a device… a media standardization procedure and checklist, especially if you're setting stuff off site for maintenance. That's a requirement.
And change control… you need something to manage that's part of a NIST requirement.
Anyway… So here's a summary of the costs if you were to use all of these. Again we're not trying to sell anything to anybody. I just want to let you know what it would cost if you were to use them.
A 50-person firm… You've probably got 50 workstations, 10 servers.
It's going to be six dollars a device one 10 for SOC. If you just do servers, it'll be less.
Compliance Manager: it's affordable. We don't really mark it up. It's $150 for up to 250 devices, which I think you get a lot for that. It would save you time in terms of document creation, that's for sure. And for program management, because it's a continuous improvement tool and assumes that you're going to be doing assessments every six months, every year…whatever…every two months maybe initially, or every month.
If we were to do a gap analysis and to do this for you what would it cost? Well maybe around six thousand bucks for a medium complexity, small you know 50-person, manufacturing, AEC firm. It all depends… so don't hold me to that but that at least will give you some measure.
And we of course do ongoing consulting, remediation…whatever you want.
In summary again to reiterate, these are not the only… are in some cases the absolute best tools, but the ones we see as being good value for small/medium business. Affordability is of course really important especially in the this market.
We're happy to help you get compliant with tech tools you already have or else use some or all of the ones we've just spoken about.
And we can help in various capacities as we always say, “It's a la carte.” We can give you guidance to help you do it yourself. We can do the documentation, manage the whole program on an outsourced basis, and we can do project-based remediation to help you with specific parts. But like MFA you might decide you want to get that done just done by us and we can do that because we're not just compliance consulting, we're of course a IT…you know a fully-rounded IT support/implementation/project firm. We've got a support desk, many engineers and we're a Microsoft GOLD Partner.
We've got no minimums, and no contracts. We have a “terms and conditions” sheet that's very simple we're happy to work with you for a couple of hours. I mean that's a sort of our approach. Some companies want you to sign up for a certain amount of labor to make it worthwhile. We don't take that approach. Our point of view is that a small client is a potential bigger client, so we're happy to work with you on just a small amount of consulting if you want.
And if you've attended this, we'll happily spend an hour looking at your environment discussing it with you at no charge.
So Kelly, questions/answers? You'll you provide the questions. I’ll try and provide the answers
Well there are a few that have come in and that and they are focused pretty specifically on products. The first one was, “Can the SOC service connect with any firewall?” They didn't mention a specific firewall, but just generally, “Can it connect with any firewall?”
Pretty much. Provided it's got you know a syslog function which is essentially an export of its logs. And most of them do. I haven't encountered one that doesn't. It works with the Fortinet, the Watchguard, the Meraki, (you know those are pretty pervasive out there)
Ubiquiti… So yes… provided it has that export syslog functionality the answer would be.
And there's a another SOC related question. You mentioned the SOC connects to Office 365. “Does a client have to pay for all of the users as devices for that?”
No. And that's actually a nice thing about the the SOC service that we deploy. Office 365 is sort of a freebie. You do have to have an account that's got Azure Active Directory Plan 1 which is about four dollars. If you don't have it as part of your subscription, it has to have that because it needs to connect to all of your users etc., but it does give you good reporting out of Office 365. It actually connects to the secure score function within Office 365 and you know let's let you basically report on that there's a lot of good stuff in that and it pulls it all into the one dashboard and it will report on account changes network access within the tenants. So yeah, it's that's essentially free!
Like I said we're deploying that to all our clients whether or not to sign up for the SOC just because it's a freebie.
And just to clarify: Azure AD is four dollars per month per user?
Yeah but you only need one. You need the account that you're going to log in from the SOC to Office to have that license so you don't need it for everybody. Just for that service account got it.
And we've got try to get through as many as we can here: “Can SentinelOne do scheduled scans?”
Yes. I think I mentioned that um it's generally not the way it works these days, it's all behavioral, but there is a requirement to do periodic scans as part of NIST and yes, it can do that. And you could periodic it could be a year it could be six months could be monthly could be weekly…whatever you want. It essentially lets you create an automated task to push that out to every endpoint that's covered by SentinelOne.
And I think we've got time for one more question. So the last question that we have time for is: “What format are the documents that compliance manager produces in? Examples like PDF or Word or Excel?”
They… Word in Excel. So that's nice because then you can you can modify them the thing you have to be aware of is that if you modify them that's a one-time thing. Because when you generate them again your modifications are going to get overwritten by a new version so in general it's best not to modify them. But there might be situations where you want to and you can do that just the Word and Excel format. And then you can print them as PDFs if you want
And with that I think we're at the end of our presentation. I’d like to thank everyone for attending. As we said before we will make a video a transcript and for the folks that are in attendance live here we'll be sending you a pdf that includes the slides. If you have more questions you can contact me. My email address appears on this slide. Additionally, as Pat mentioned we'd be happy to engage in a one-hour consultation with you conversation about here you're at on your journey towards CMMC level three. If you haven't already gathered we're agnostic about products but we have found a lot of products that tend to be very helpful for small and medium-sized businesses: right-sized solutions that are very effective at getting them where they need to be.
And before signing off, I’ll hand it over to you Pat. Is there anything else you need to add?
No. Just again to echo Kelly's thanks. I know everybody's busy and taking 45 minutes out of your day can be hard. So thank you for doing that we'd love to talk to you about where you are and where you want to get to and as I mentioned before no job too small. We're happy to work with you on a very on a starter level even a couple of hours to do a quick gap analysis or whatever. That's our approach and uh we'd love to hear from you.
And thanks again for attending have a great afternoon. Bye.
All right. Thanks everyone! We'll see you later!