Security, et al

Randy's Blog on Infosec and Other Stuff

Making SIEM better by focusing on the top 3 blind spots

Mon, 21 Sep 2015 17:28:31 GMT

To be even better, your SIEM needs more intelligence without noise. Like the universe we live in, the area that must be monitored for APTs constantly expands. It is hard to focus on the significant security events when the field of view keeps getting larger.

The key to information security is that what you focus on must be worth catching. Enforcing systemic, organizational proficiency to focus on the narrower, relevant field is absolutely crucial to an organization’s security practice.

Focus on the Top 3 Blind Spots

A lot of the organizations we talk to are finding a way to address that challenge of making their SIEM better, not burdened. They do it by dedicating their primary effort to solving the SIEM’s top 3 blind spots:

  1. Applications
  2. The cloud
  3. Failure to monitor all the Windows endpoints

We believe in this so much it’s where we are putting all our money. Here’s how:

LOGbinder provides the market-leading solution for SIEMs to have visibility into what’s happening inside Exchange, SharePoint and SQL Server. Soon after the public availability of Exchange 2016, SharePoint 2016 and SQL Server 2016 (expected mid-2016), LOGbinder intends to release compatible updates to its core products. We already have these versions in development and are excited about their potential to help make your SIEM better. Our SIEM integrations help you isolate and monitor only what’s important.

Microsoft’s cloud-based products, especially Office 365 and Azure, are hugely attractive to organizations of all sizes. Their limitation has been a lack of audit capability, but that is soon to change. Microsoft expects to release (also mid-2016) a completely new and very good audit function to both Office 365 and Azure’s Active Directory. LOGbinder is poised to deliver a matching solution to put cloud-based application security intelligence where it belongs – your SIEM. We are investing significant resources with the plan to deliver the solution 30 days after public availability.

By the way (and this is important), it is going to require special effort on the part of all of us in the IT security business to pitch in and make cloud security audit and monitoring possible. LOGbinder will provide the audit data from the cloud, as well as guidance about what to watch. But… you should talk to your SIEM product development team today to make sure they are talking to LOGbinder and working on their integration for LOGbinder’s cloud-based solutions.

The 3rd problem area for SIEM security intelligence is monitoring all Windows endpoints. If you don’t know which endpoint is installing a new program...

Your SIEM is perhaps your greatest bandwidth hog as it is; adding all that traffic from the endpoints isn’t feasible, right? But that’s not a good enough reason; nobody wants to have to explain a data breach because of it. The real reason is probably a financial one. LOGbinder has developed a solution and is devoting significant money to bring that solution to market early in 2016. We discussed it at length at the recent HP Protect conference. We call it SuperCharger for Windows Event Collection. It is software that – with no agents and no polling – uses the native Windows event functionality to deliver only the relevant security events to the SIEM from all the Windows endpoints with no noise! It’s really cool and we’re super-excited. So are our SIEM partners who’ve taken the time to talk to us about it.

We are very excited about the opportunities now (and soon to be) available for SIEM security analysts. Putting meaningful security event logs in the SIEM where they belong is our passion.

LOGbinder is committed to making your SIEM even more powerful by feeding it more intelligence without the noise.

Note: The statements in this post about our new product delivery dates are “forward-looking”. We can’t predict the future with certainty. Our plans are presented here, and we expect to be able to make those plans a reality. But like all future plans, they are vulnerable to unanticipated events.


Are You Listening to Your Endpoints?

Tue, 04 Aug 2015 13:24:52 GMT

There’s plenty of interest in all kinds of advanced security technologies like threat intelligence, strong/dynamic authentication, data loss prevention and information rights management. But so many organizations still don’t know one of the basic indicators of compromise on their network – new processes and modified executables. This is so important because in every high profile case of data breaches over the past few years a common thread has been the presence of a malicious program that provided the attackers with persistent access to the internal network of the victim organization.

Moreover, some security technologies – such as strong authentication – are no defense if you have malicious code running on the endpoint of a strongly authenticated user.

So rapid detection of malicious code is paramount. The importance can’t be overstated. Detecting malicious code isn’t easy, and traditional signature-based AV is only going to catch comparatively “old” and widely distributed malware. It isn’t likely to catch the targeted attacks we are up against today, in which the bad guy uses shrink-wrapped tools to build and package a unique malicious agent to use against your organization.

How do you detect and even prevent malware like this? Like everything, it takes a defense-in-depth approach. Advanced third-party application whitelisting and advanced memory protection are very effective. But whether you have such technologies deployed or merely on the radar, your SIEM solution can provide you with early warning when new software is observed on your network.

The key thing is to look for Event ID 4688 in the Windows security log. Compare the executable name in that event to a list of whitelisted EXEs you expect to see – or better yet, a list of executables that builds automatically from past events.
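The rule described above, as an added example (not code from the article or from EventTracker): an allowlist of executables is learned automatically from a baseline window of 4688 events, and any later event naming an executable the list has never contained raises one alert. All events and the tuned path prefix are constructed sample values.

```python
"""Flag first-seen executables from Windows Security Event ID 4688 records.

Added example; this is not code from the article or from EventTracker. It
implements the rule the article describes: build the list of expected
executables automatically from past 4688 events, then alert when a later
event names an executable that list has never contained. Every event below
is constructed sample data, not a real log.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
from typing import Iterable


@dataclass(frozen=True)
class ProcessEvent:
    """The 4688 fields this rule needs (subject user and New Process Name)."""
    time: datetime
    host: str
    subject_user: str
    new_process_name: str  # full path, as in the 4688 "New Process Name" field


def normalise(path: str) -> str:
    # Windows paths are case-insensitive; keying the allowlist on exact case
    # would count C:\Windows\SYSTEM32\cmd.exe and c:\windows\system32\cmd.exe
    # as two different programs and generate noise.
    return path.strip().lower()


class NewProcessDetector:
    def __init__(self, baseline_end: datetime, tuned_prefixes: Iterable[str] = ()):
        # Events up to baseline_end only teach the allowlist; later ones are judged.
        self.baseline_end = baseline_end
        # Path prefixes the operator has reviewed as expected churn, e.g. where
        # patching drops updated binaries. Assumed operator input; empty by default.
        self.tuned_prefixes = tuple(normalise(p) for p in tuned_prefixes)
        self.known: set[str] = set()

    def process(self, events: Iterable[ProcessEvent]) -> list[dict]:
        """Consume events in time order; return one alert per first-seen executable."""
        alerts = []
        for ev in sorted(events, key=lambda e: e.time):
            exe = normalise(ev.new_process_name)
            if ev.time <= self.baseline_end:
                self.known.add(exe)  # learning phase: whatever ran is "expected"
                continue
            if exe in self.known or exe.startswith(self.tuned_prefixes):
                continue
            alerts.append({"time": ev.time, "host": ev.host,
                           "user": ev.subject_user, "exe": ev.new_process_name})
            # Alert once per executable across the fleet, not once per host or run;
            # drop this line to alert on every host that first runs it.
            self.known.add(exe)
        return alerts


# Constructed sample events: two days of normal activity, then a suspicious day.
SAMPLE_EVENTS = [
    ProcessEvent(datetime(2015, 8, 1, 9, 0), "WS01", "CORP\\alice",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(datetime(2015, 8, 1, 9, 5), "WS01", "CORP\\alice",
                 r"C:\Program Files\Microsoft Office\Office15\OUTLOOK.EXE"),
    ProcessEvent(datetime(2015, 8, 2, 10, 0), "WS02", "CORP\\bob",
                 r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    # After the baseline: same program, different case -> no alert.
    ProcessEvent(datetime(2015, 8, 3, 8, 0), "WS02", "CORP\\bob",
                 r"C:\WINDOWS\SYSTEM32\CMD.EXE"),
    # A binary named like a system service but running from an odd location.
    ProcessEvent(datetime(2015, 8, 3, 8, 30), "WS03", "CORP\\carol",
                 r"C:\ProgramData\Updater\svchost.exe"),
    # The same binary on a second host -> already alerted, no second alert.
    ProcessEvent(datetime(2015, 8, 3, 9, 0), "WS01", "CORP\\alice",
                 r"C:\ProgramData\Updater\svchost.exe"),
    # Patch-related path the operator has tuned out -> no alert.
    ProcessEvent(datetime(2015, 8, 3, 9, 30), "WS02", "NT AUTHORITY\\SYSTEM",
                 r"C:\Windows\SoftwareDistribution\Download\Install\setup.exe"),
]


def run_sample() -> list[dict]:
    detector = NewProcessDetector(
        baseline_end=datetime(2015, 8, 2, 23, 59),
        tuned_prefixes=["C:\\Windows\\SoftwareDistribution\\"],
    )
    return detector.process(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['time']:%Y-%m-%d %H:%M} {a['host']} {a['user']} "
              f"first-seen executable {a['exe']}")
```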

You want these events from every possible system – including workstations. If you are concerned about the amount of log data involved, I should mention that the sponsor of this article, EventTracker, provides an agent that can efficiently forward just the relevant events you want from thousands of endpoints.

Will there be false positives? Yes – especially until you refine your rules to take patches into account. Will this catch every malicious agent? Of course not. After all, there are multiple ways to insert malicious code on an endpoint, and some are completely in-memory with no new executable involved. 3rd party advanced memory protection products or Microsoft’s EMET can provide some help with detecting memory exploits, though, and using your SIEM to collect and monitor those events is the obvious thing to do if you use EMET or another memory protection technology.

Some malware embeds itself in existing, trusted EXEs and DLLs, so it makes sense to monitor for modifications to such files. Again, you want this from your workstations – not just server endpoints. Getting EXE/DLL modification events requires either Windows file auditing or a file integrity monitoring (FIM) solution. Enabling auditing of just EXE and DLL files with Windows file auditing, though, is not that easy. You can’t configure audit policy on files with Group Policy without also impacting permissions, so widely distributed scripts would be required. FIM is definitely an easier route. Again, it’s worth mentioning that EventTracker’s agent includes FIM monitoring, making it easy to catch changes to existing software as soon as they happen.

This article by Randy Smith was originally published by EventTracker

http://www.eventtracker.com/newsletters/are-you-listening-to-your-endpoints/



Help me! Community Survey 2015

Tue, 28 Jul 2015 14:25:55 GMT

Please help me help you in the coming year. I need your help to determine which security topics to cover and to prioritize my real training for free™ sessions.

The survey will take about 15 minutes of your time, but it will make a big impact on what I do at UltimateWindowsSecurity.com. One of our best sponsors, HEAT Software (formerly Lumension), helped me design the survey and will be sharing in the analysis of it.

Besides some general questions, this survey covers 3 key areas of security today: cloud, mobile and endpoint management. Your time will really help me tailor my real training for free™ webinars to fit your needs, priorities and interests. And it will help us understand the changing world of IT and information security.

Click here to complete the 2nd Annual UWS Community Survey. All participants will receive the annual report, developed from this survey. We thank you in advance for your participation in this important survey.


Thanks so much for your support!
Randy Franklin Smith


Enriching Event Log Monitoring by Correlating Non Event Security Information

Wed, 03 Jun 2015 09:35:13 GMT

Sometimes we get hung up on event monitoring and forget about the “I” in SIEM, which stands for information. And that’s important because there are more sources of non-event security information that your SIEM should be ingesting and correlating with security events than ever before. There are at least four categories of security information that you can leverage in your SIEM to do better analysis of security events:

  1. Identity information from your directory (e.g. Active Directory)

    Your directory has a wealth of identity information that can help you sift the wheat from the chaff in your security logs. Here’s one example. Let’s say you regularly import a list of all members of Administrator groups from Active Directory into your SIEM and call the list PrivilegedAccounts. Now, enhance any rules or reports looking for suspicious user activity by also comparing the user name in the event against the PrivilegedAccounts list. If there’s a match, then the already suspicious event becomes even more important since it involves a privileged user. But you also likely have certain controls over privileged user sessions. The PrivilegedAccounts list helps you identify anyone (internal or external) bypassing those controls, whether a malicious insider or an outside attacker ignorant of your controls. Perhaps you require all administrators to go through a clean and hardened “jump box”. You can set up a rule to identify logon sessions where the username is in PrivilegedAccounts but the session was not initiated from the jump box.

  2. Environmental information (both internal and global)

    A global example of environment information is geocoding. Perhaps there are certain countries that you do not do business with which also have a bad reputation for cybercrime and espionage. Another popular way to leverage geocoding is to detect when a given user is apparently in 2 places at once which can indicate compromised credentials.

    But you can also leverage organization-specific (i.e. internal) environment information. For instance, perhaps all of your administrators’ workstations fall within a certain range of IP addresses. Use this information in a rule examining logon attempts to your jump box or other hardened infrastructure systems (such as the management network interface on ESXi and Hyper-V systems) and alert when you see attempts to access these systems from non-administrators. (As always, the real world may be a little more complicated. Case in point: you may also need to factor in logon attempts through whatever means administrators use for remote access.)

  3. Threat intelligence feeds available from security organizations

    There’s a growing array of threat intelligence feeds, ranging from community-based free feeds to those commercially produced and available for a fee. These feeds range from lists of IP addresses linked to command and control networks, botnets and compromised hosts to network indicators of compromise and malware signatures. We recently looked at the free feeds available from emergingthreats.net in this webinar sponsored by EventTracker. Correlating event logs from all levels of your network to threat intelligence can help you identify compromised systems and persistent attackers much earlier in the process.

  4. Internal threat intelligence.

    A. N. Ananth (EventTracker) coined this term to describe information that you can compile from your own network and systems using techniques similar to those of outside threat intelligence organizations. There’s no arguing the “crowd-sourced” value of external threat intelligence, but such information is missing a key aspect that is addressed by internal threat intelligence. External threat intelligence tends to be “black lists” of “known bad” data. On the other hand, internal threat intelligence usually takes the form of “white lists” of “known good” data. White lists tend to be much smaller, more effective and easier to tune and maintain. For instance, if your SIEM can determine from past history that server A normally only communicates with 10 other hosts – that is very valuable to know – especially if your SIEM can alert you when it sees that host suddenly start sending gigabytes of data to an entirely new host on an unusual port.

    The bottom line is that your SIEM needs as much data (both event and non-event) as possible, and it needs to be effective at correlating it into valuable situational intelligence. Don’t stop at logs. Look for other kinds of security information: from your directory, from the local and global environment, and threat intelligence both from the security community and from your own network.
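The jump-box and admin-workstation-range rules from categories 1 and 2 above, as an added example (not code from the article or from EventTracker). Account names, hostnames, the jump box address, the admin subnet and the remote-access gateway address are all constructed sample values; a real rule would take the PrivilegedAccounts list from the directory import the article describes.

```python
"""Correlate logon events with directory and environment information.

Added example; this is not code from the article or from EventTracker. It
applies two rules the article describes to constructed logon records:
  1. a user on the PrivilegedAccounts list (imported from the directory's
     Administrator groups) whose session did not come through the jump box, and
  2. a logon to the jump box or another hardened host from an address outside
     the administrators' workstation range.
Account names, hostnames and addresses are constructed sample values.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Logon:
    user: str          # account name as it appears in the logon event
    target_host: str   # system the logon was to
    source_ip: str     # address the session came from


# Identity information imported from the directory (constructed).
PRIVILEGED_ACCOUNTS = {"corp\\alice.adm", "corp\\bob.adm"}

# Internal environment information (constructed): the hardened jump box,
# other hardened infrastructure, the admin workstation range, and the address
# administrators' remote-access sessions arrive from (the caveat in the article).
JUMP_BOX = "jump01"
JUMP_BOX_IP = ipaddress.ip_address("10.10.50.10")
HARDENED_HOSTS = {"jump01", "esxi01", "hyperv01"}
ADMIN_WORKSTATIONS = ipaddress.ip_network("10.10.20.0/24")
REMOTE_ACCESS_SOURCES = {ipaddress.ip_address("10.10.99.1")}  # e.g. VPN concentrator


def privileged_logon_bypassing_jump_box(ev: Logon) -> dict | None:
    """Rule 1: privileged account, but the session did not originate on the jump box."""
    if ev.user.lower() not in PRIVILEGED_ACCOUNTS:
        return None
    if ev.target_host.lower() == JUMP_BOX:
        return None  # logging on to the jump box itself is the sanctioned first hop
    if ipaddress.ip_address(ev.source_ip) == JUMP_BOX_IP:
        return None
    return {"rule": "priv_bypass_jumpbox", "user": ev.user,
            "host": ev.target_host, "source": ev.source_ip}


def hardened_host_from_non_admin_address(ev: Logon) -> dict | None:
    """Rule 2: logon to a hardened host from outside the admin workstation range."""
    if ev.target_host.lower() not in HARDENED_HOSTS:
        return None
    src = ipaddress.ip_address(ev.source_ip)
    if src in ADMIN_WORKSTATIONS or src == JUMP_BOX_IP or src in REMOTE_ACCESS_SOURCES:
        return None
    return {"rule": "hardened_host_non_admin_source", "user": ev.user,
            "host": ev.target_host, "source": ev.source_ip}


RULES = (privileged_logon_bypassing_jump_box, hardened_host_from_non_admin_address)


def evaluate(events) -> list[dict]:
    """Run every rule over every event; one event can trigger more than one rule."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


SAMPLE_LOGONS = [
    Logon("CORP\\alice.adm", "jump01", "10.10.20.15"),  # admin -> jump box: sanctioned
    Logon("CORP\\alice.adm", "esxi01", "10.10.50.10"),  # admin via jump box: sanctioned
    Logon("CORP\\alice.adm", "fs01", "10.10.20.15"),    # admin straight to a file server: rule 1
    Logon("CORP\\carol", "hyperv01", "10.10.30.7"),     # non-admin address to hardened host: rule 2
    Logon("CORP\\bob.adm", "jump01", "203.0.113.5"),    # jump box logon from the Internet: rule 2
    Logon("CORP\\bob.adm", "jump01", "10.10.99.1"),     # via the remote-access gateway: sanctioned
]


def run_sample() -> list[dict]:
    return evaluate(SAMPLE_LOGONS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['rule']}: {a['user']} -> {a['host']} from {a['source']}")
```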

This article by Randy Smith was originally published by EventTracker

http://www.eventtracker.com/newsletters/enriching-event-log-monitoring-by-correlating-non-event-security-information/


Don’t Create a Different sudoers File for Each System

Wed, 06 May 2015 17:53:34 GMT

For compliance and protecting root access on UNIX and Linux you can’t live without sudo. I’ve written and done several webinars recently on how to implement sudo so that

  • no one ever logs on as root
  • you can implement least privilege instead of making everyone all-powerful
  • you enforce accountability over privileged users with a high-integrity audit trail of every command executed

But most folks have more than one system to manage. It might be simple to start off using sudo by maintaining a different sudoers file on each system. As you set up sudo on each system, you just copy and paste portions of sudoers from another system already set up. But that is a pitfall you would do well to avoid. Usually the differences in sudo policy between systems are important but subtle; most of your sudoers policy can be re-used across systems. Creating independent but substantially similar sudoers files leads to management headaches and security risks because the files inevitably become out-of-date and inconsistent as roles, users and security needs change.

Thankfully sudo is designed to support multiple systems. For instance you can use the Host_Alias directive to define groups of systems and then assign the same rule(s), once, to all appropriate systems via the Host_Alias.
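What a single shared sudoers file built around Host_Alias looks like, as an added example (not from the post): each rule is written once and sudo applies it only on the hosts named in the alias, because sudo matches the local hostname against the Host_Alias entries. Hostnames, user names and commands are placeholders for your own environment.

```text
# Added example: one sudoers file distributed unchanged to every system.
# Hostnames, users and commands below are placeholders.

# Groups of systems. sudo matches the local hostname against these, so a
# rule bound to WEBSERVERS is inert on db01 even though the file is present.
Host_Alias  WEBSERVERS = web01, web02, web03
Host_Alias  DBSERVERS  = db01, db02
Host_Alias  ALLSERVERS = WEBSERVERS, DBSERVERS

# Groups of people, mirroring the roles in your directory.
User_Alias  WEBADMINS = alice, bob
User_Alias  DBADMINS  = carol
User_Alias  HELPDESK  = dave

# Exact commands with exact arguments; no shells, editors or wildcards,
# since those let the invoking user escape to an unrestricted root shell.
Cmnd_Alias  WEBCTL = /usr/bin/systemctl restart httpd, /usr/bin/systemctl status httpd
Cmnd_Alias  DBCTL  = /usr/bin/systemctl restart postgresql, /usr/bin/systemctl status postgresql
Cmnd_Alias  WEBLOG = /usr/bin/journalctl -u httpd
Cmnd_Alias  DBLOG  = /usr/bin/journalctl -u postgresql

# Nobody logs on as root; every command is attributed to the invoking user,
# and sessions are recorded so the audit trail covers what was actually run.
Defaults    log_input, log_output, logfile=/var/log/sudo.log

# Each rule appears once and is scoped to the hosts where it belongs.
WEBADMINS   WEBSERVERS = (root) WEBCTL, WEBLOG
DBADMINS    DBSERVERS  = (root) DBCTL, DBLOG
HELPDESK    ALLSERVERS = (root) WEBLOG, DBLOG
```

Validate the file with `visudo -c -f <file>` before distributing it, so a syntax error never locks administrators out of sudo on every host at once.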

That’s how sudo supports multiple systems within the sudoers file, but how do you get all your systems to share the same sudoers file? One way is maintaining the file on one system and using any of a variety of file copy utilities to physically copy sudoers to each system. But sudo also supports storing your sudoers policy in your LDAP directory (see http://www.sudo.ws/sudo/man/sudoers.ldap.html). This isn’t as simple as it sounds, because it does involve schema changes, which many admins fear.

In my next webinar with BeyondTrust I’ll explore how to manage sudo on multiple systems. Please tune in.


Mirazon – Great Folks for Unraveling Microsoft Licensing

Wed, 06 May 2015 15:50:40 GMT

Microsoft licensing is complex, confusing and time consuming. “I just want the license key – legally!”, right? While trying to figure out how I could get a legal copy of Windows 8.1 Enterprise for a friend (they need Windows To Go Creator), I came across this article at http://www.mirazon.com/windows-8-1-enterprise-get/. I also got this newer article from Seth: http://www.mirazon.com/windows-8-1-enterprise-licensing-now-a-stand-alone-product/. I still had some questions, so I took them up on their offer to “guide you through the confusing terrain of Microsoft licensing so you can avoid unnecessary purchases” and emailed them. Got a reply back from Seth the same day. Fast and accurate. It’s not just about the money saved on unnecessary licensing mistakes; it’s also the time and effort saved researching stuff you really don’t want to learn about anyway! Thanks, Seth and Mirazon! http://www.mirazon.com/category/microsoft-licensing/


Live with SecureAuth at RSA 2015

Thu, 23 Apr 2015 15:51:34 GMT

Darin Pendergraft from SecureAuth stopped by the UltimateWindowsSecurity booth (South 2240).  Visit SecureAuth in the South Hall at booth 2107 and be sure to see their interactive product demo using the Oculus Rift!



Randy: Alright so we’re back at the Ultimate Windows Security booth at RSA. I’ve got with me this time Darin Pendergraft from SecureAuth. Darin, we’re talking about authentication and there’s a lot of people doing authentication nowadays. Everybody seems to recognize, all of a sudden, that we need strong authentication, which usually means a second factor.

Darin: Right.

Randy: So I just want to talk to you about what’s different with how you guys are doing it. First of all, I think maybe the first thing we need to get across is companies that have enterprise security requirements, that require them to control certain things on premise, you know, that’s a sweet spot for you – an on premise solution.

Darin: On premise solution is a virtual machine, so you know it’s housed on your hardware. You do have a physical appliance option for folks that want that. But we really feel that having that control is important to our enterprise customers.

Randy: The other thing we were talking about is two factor authentication and strong authentication, is all obviously that is one of the pain points we’re trying to solve.  One of the big risks we’re trying to mitigate, but with SecureAuth you’re not done once you’ve delivered two factor authentication.

Darin: That’s right.

Randy: Tell me more about how you said that’s really just the beginning.

Darin: Right, right… You know with strong authentication the point is to protect the business and to make it harder for the attackers to get in. Getting that set up is important but what’s really important is then to start to understand the context of the authentication, who is using that credential? Where did they log in from last? Did they use a device we’ve seen before? And we call that adaptive authentication, because the level of, you know, risk really determines how easy or how hard we make for someone to log in. That’s something we firmly believe. We can’t just set the system up and let it run, because any system that is static like that, will be defeated. Right?

Randy: Right.

Darin: So our system really takes every authentication into account. We look at the context around it and then we either step it up in this situation that we see something that’s a little out of the ordinary. You know, if you log in here from San Francisco and then all of a sudden there’s a log in from somewhere in Eastern Europe… you know, that’s unusual.

Randy: Sure.

Darin: So we shouldn't just allow you to put your password in to get in – we should really challenge you and send you to that second factor.

Randy: So we could almost call it “Just in time Authentication”….

Darin: Yeah, Just in time is a good way to look at it.

Randy: ….that it’s appropriate for the dynamics for that moment for that user and all the other dynamics. I think that you talked about velocity…

Darin: Geo velocity…

Randy: Is this a device that we've never seen them on but we can add those things together and do it dynamically. Yeah, I can see the value of that. The other thing that I thought was important for folks trying to sort out, ‘how are all of these authentication companies different’-- is form factors. You've got flexibility… you want to talk about that?

Darin: Absolutely, we are always asked, “What’s the best second factor?” To be honest, the best second factor is the one that fits your use case the best. At SecureAuth, we don’t rely on any one technique for the second factor. We can send a text to your phone. We can use a hardware token that you've got from a third party. You know, it really depends on that use case. We have some customers that want a very good user experience so they want a really low friction second factor. In those situations, we rely on a device fingerprint to recognize the device to see if it’s been jailbroken and to see if there’s anything usual about it. In other situations and in very high security situations, our customers are very comfortable with having a hard token or a card or something like that. In SecureAuth we let the customer to decide what they want to do. We really fit the second factor to the use case so that the end users really feel like they are getting security and they’re not being put, unnecessary, through hardship. That it fits kind of the risk profile.

Randy: Do you see companies using a variety of form factors for different sets of users within the organization?

Darin: Yeah and because of the way our product is architected, you can mix and match. We have a lot of hybrid environments. We have some folks that are traveling a lot and they have everything on their phone and they say, “That’s what I want to do.” And yet, we also have sales people that are mainly, you know, laptop people or Blackberry people potential, right? So we can work with different form factors for those folks.

Randy: Gotcha… Well, there’s other reasons why a variety of form factors is important. We like to use a phone at my company as a second factor. But if that phone is down, we don’t want to have to provision something else. So we have folks carry a one-time password token with them, but they don’t need to touch it unless something happens to the phone.

Darin: In that situation, what our customers have done is they’ll actually… the customer’s administrative staff will present you with two or three different options so if your phone is lost or you leave it at home, so it’s not compromised or lost, or maybe you just don’t have it…

Randy: Yeah…

Darin: A lot of times when you’re presented with that second factor dialogue it’ll say: “Receive a call on your office phone” or “Receive a call on another number” or “Answer a question…” Like you said, have a one time PIN. So we can give you the flexibility to shut certain channels off or form factors off or offer the end user the option of two or more.

Randy: Well, cool. I appreciate your time, and hopefully, folks, this is useful to you if you’re trying to sort out differences in strong authentication offerings. I look forward to working more with you, Darin.

Darin: Thanks, Randy. It’s a pleasure to be here, thanks.


Live at RSA: Visualize Your Network and Access Paths Correlated with Relevant Vulnerabilities

Thu, 23 Apr 2015 15:02:44 GMT

Here’s another cool thing I found, this time at Redseal’s South Booth 1107. Their software collects configuration and state data from all your routers, firewalls and switches and builds an incredible visualization of your network and its structure. But that’s only the beginning. It makes it easy to color code different segments of the network with classifications like DMZ, Internet and various internal zones. Then it shows you the paths different protocols and applications can take throughout your network. You can select any device or host and instantly trace out all possible paths that data can take to or from that node. I wish I’d had that recently when I was re-designing our 2 data centers to provide better isolation of our virtualization hosts and some labs that outsiders need to access. It was such a nightmare to test and validate that the policies I’d architected were configured correctly and that the wrong traffic was blocked and the right traffic permitted. For instance, we needed the 2 virtualization infrastructure networks to communicate with each other over the site-to-site VPN but only allow admin access from our jumpbox. But Redseal goes beyond this by consuming the results from any vulnerability scanner. Redseal doesn’t just plot those vulnerabilities on your network visualization – that’s not really that hard. Instead they analyze the vulnerabilities found by your scanner against the known access paths on your network and surface the vulnerabilities that really count: those that are accessible via the actual access paths open on your network. Pretty cool stuff.


Finally, a new and different way to mitigate the risk of compromised user endpoints

Thu, 23 Apr 2015 14:51:06 GMT

Here’s another find from the South Hall at RSA 2015 (I’d snuck away from the UWS booth while Barry wasn’t looking). The 2,000+ of you who’ve attended my recent endpoint security webinars know how much I worry about endpoint security – especially user endpoints (laptops and workstations). On my daily hike I actually puzzle over new ways to address this risk, and I wish I’d come up with the idea Bromium has already implemented. The messaging on booths here makes it hard to figure out what companies do, but “isolation” and “endpoint risks” caught my eye as I walked past Bromium’s booth 2007. From talking to Bill Gardner I learned that Bromium was started by virtualization experts formerly at XenSource. Bromium inserts a hypervisor between the metal and the OS of your endpoint. Then each application is isolated in its own micro-virtual machine. This is something I want to learn more about. Depending on how isolated applications really are and how clean the user experience is – this could be really awesome.


Live with Dell at RSA 2015

Thu, 23 Apr 2015 12:09:35 GMT

Dell Software is my longest-time sponsor and has made possible many hours of my real training for free™ webinars. We don’t usually give them much time to talk about their products on my webinars, and they are really nice about that. So I thought I’d sit down for a few minutes at the UltimateWindowsSecurity.com booth here at RSA 2015 with Todd Peterson. You never hear from Todd on the webinars, but he is one of the main folks behind making them possible, and he has a good perspective on Dell Software’s sizable portfolio of security products. Our conversation centered around the Dell Software security portfolio as a whole and what makes it compelling compared to point solutions.

(Transcript below video)

Randy:  Alright, so back at the Ultimate Windows Security Booth at RSA.  This time I’ve got Todd Peterson from Dell.  And folks, you’ve probably have, I don’t know if you’ve heard Todd before, but you’ve heard a lot of other Dell people because Dell and before that Quest have been pretty much our best and biggest sponsor of real training for free™, so thanks a lot for that through the years Todd.  But, here’s what I want to talk to you about and I’m picking this topic for you because how many security products does Dell have?

Todd: Lots.

Randy:  Yeah.

Todd:   I mean, Dell kind of has the strategy of baking security into everything they do, so you know, if you want to be really technical, every laptop, every tablet, every server, every router, every switch has security baked into it.  If you want to be a little more literal on the classic security products, firewalls, data encryption, it’s probably 40 or 50 separate offerings across the whole line.  Most of them under the Dell software group umbrella.

Randy:  So, if we want to buy “a security”, we can go to….

Todd:  Yeah, yeah I’m happy to sell you an app for security. 

Randy:  Right.  Okay, but the thing of it is, is then and you’re the perfect person to expound on this, is do we go after security piecemeal, like here’s my risk, I want to solve this problem or do we build a security stack and think strategically, how are we going to make all these pieces fit together and then the risk is time to value and functionality but we never get anything out the door?

Todd:   I think in a perfect world, you do the latter.  You plan it out, you build security from the ground up, everything fits together and works great, but we know that that never actually happens.  So you end up with a piecemeal approach with whatever the fire of the day is or you know BYOB all of a sudden comes up and you didn’t even think about that, you know 12 years ago when buying a server was your big deal and so piecemeal is the way it has to go, but if you approach piecemeal with the right strategy, there is going to be something next and you may not even know what it is.  So just make sure that you’re future looking with everything you do.  I think piecemeal can work and kind of give you that plan from the ground up, you know, result without actually having done it.

Randy:  Yeah, because what I fear is management coming in, and they’ve read about a breach and they’ve read what Gartner or whoever is saying at the time: we need to get control of mobile devices.  We don’t have mobile device management.  Go get MDM.  And so you go and you buy an MDM point solution and you get that in place.  Iterate that a few more times and what you’ve ended up with is a whole bunch of solutions, maybe a lot of them really cool, but a lot of them were from startups.  They’ve gotten bought by someone else over the years, who knows what has happened, and do they all talk to each other?  Because that’s the other thing, Todd: getting your security products to talk to each other is opening up a whole new world of synergy, so given that you’re a company with 40-50 different security products, you probably have feelings on these issues.

Todd:   Yeah, I mean obviously you want them to talk to each other, but, you know, the reality is people often have pressure, you have to solve the problem today, so you’re going to go out and, you know, whoever you’re hearing the most about to solve that problem is at the top of the list.  Maybe you’ll implement them, maybe you won’t, but then down the road the next thing comes up, and that solution’s great, but the next thing can’t be solved by that solution, so you do it again.  So what you end up with is you’re defining security and the controls that provide security, so an identity of a person, a person’s authorizations, the way you authenticate, what it means to be somebody, you’ve defined that in each and every one of those silos, and you’ll probably define it differently.  So then standards emerge, and if you’re able to wait for the standard to take over, that makes it a little easier.  You know, only use SAML authentication, that solves a lot of the problems.  Using other standards as the baseline, that’s good, but a lot of times the problem can’t be solved at that time.  So you just need to look for things that are on the cutting edge of standards, but also for a strategy of not reinventing the wheel every time a security issue comes up.  You don’t want 12 Randys across 12 different security silos.  You want 1 Randy that’s applied 12 times across 12 silos, if that makes sense.

Randy:   Well, that’s ironic, since Dell is... would you say your core security product is your One Identity solution?

Todd:  I would definitely say that. 

Randy:  Yes.  Well, let’s come back to that and talk about what is the core of a company’s security stack, but I think what you’re getting at is that to build a house, you have to put the foundation in first.  You cannot say, you know, the biggest thing I need right now is a roof, and then I’ll come back and do the foundation.  There’s a sequence that you have to build things in.  Alright, with an IT environment, that’s not really the case.  You do have the option to say these are my biggest pain points.  I don’t have a roof over my head, I know I don’t have a great foundation for identity or whatever, but I need to get that roof over my head in terms of two-factor authentication or mock change auditing, whatever.  I could go put that roof in and I can say I also need this door over here with a lock on it, so that’s piecemeal, but what you’re saying is that what we want to do is be looking towards the future and saying at the end of the day we want a house that’s all connected to each other and doesn’t look like we bought a trailer and then added on a family room.

Todd:    Or worst case, you end up with 12 trailers.

Randy:  Well, that’s ugly.

Todd:  So yeah, I mean totally.  And what I would say to that foundation is, as you’re putting the roof on, let’s say you’re just doing your roof, you know, you do have the opportunity at that time to form up the foundation and set it up so that when you put in the walls, when you put in this door, when you add on to the house, those things can happen easier without re-pouring a new foundation.  So, you know, getting that foundation solid right along with that first big fire that you’re putting out is probably the best approach, and I would say that foundation is what I mentioned earlier: identity, role, authorizations, authentication, you know, getting those things set, because if people can’t get to the stuff they need to do their job, there’s no point, that’s why it’s there.  Security is often viewed as a barrier to people doing their jobs because it’s another person saying no instead of another person saying yes.  But if that foundation is right, the opportunities to say yes go way up and the temptation to say no unnecessarily has just disappeared. 

Randy:  Yeah, well, I always go back to: we’re in business to do business, not to be secure.  Secure doesn’t make money.  So I think what I’m hearing is you’re thinking about what we’re hearing from a lot of folks, whether you want to call it dynamic or adaptive security, right, being able to dynamically say I need more assurance that this really is Bob, right?

Todd:  Yeah, and if you think about the way security is normally implemented as a silo approach, you know, you’re on-prem, you’re using a company-controlled device.  There is a set of rules, you follow those rules and you’re allowed to get to something.  So you go off-prem, they’ve established another set of rules for that and you follow those rules, you’re allowed.  You’re using their mobile device, a different set of rules.  Data encryption is involved, a different set of rules.  You’re coming from an IP that’s unknown to the organization, a different set of rules.  So each of those can return a yes or no decision.  If any one of those 5 things returns a no, the answer is no, even though I may legitimately be doing things that are going to be absolutely secure, but one says no.  But what if you take into account the context of the who, what, when, where, why, how and past history to make a dynamic decision in real time that says hey, I know who you are, I know where you are, I don’t know your device, but I know that your history means that you’ve come in from a device like this one, and so I’m going to allow you in.  So you can kind of take into account the varying strengths of the yes and no decisions to return an accurate decision that changes in real time depending on the situation.  You know, that’s, I think, the nirvana of security.

Randy:  So, going back to building your security stack, and piecemeal, and looking toward the future and so on, you know, what do we get if we make a commitment to Dell in terms of... you know, I have to have a lot of worry.  My supply management people have worry every time I bring in another vendor or another partner on board.  All right, how healthy are they, are they going to be in business, what are their limits of support and so on.  So I mean, what’s codified in terms of if we come to Dell and say, if possible we’re going to try to get our different pieces of security from Dell?

Todd:   Well, obviously we would like that, but the advantage is Dell is a very mature, very stable company that’s not going anywhere and has a long legacy of very happy customers, including customer service, excellent support, and each of the acquisitions that they’ve made have been of companies with an equal, to a lesser degree, but an equal reputation.  So they acquired Quest, which is where I came from.  You know, Quest has some of the industry-leading customer satisfaction numbers on a software site.  The security software, being Identity and Access Management stuff, is the leading satisfaction among the questions.  So all of these things come into play, that, you know, you’re going to eventually have to buy a firewall if you don’t already have one, or you may have to upgrade your firewall.  You’re going to have to buy something for identity and access management, something for privilege management, something for authentication.  You’ll probably eventually need a data encryption type of solution.  You’re going to need security baked into your servers and your laptops and your tablets and your desktop computers.  If that ultimately is in the same place and you know it’s not going anywhere, then you already trust and you know you can continue to trust, and that really alleviates a lot of the danger, a lot of the risk and a lot of the worry of: am I really going to be secure next year with the decision I make today?  With Dell, we feel, and I think that history proves, that yeah, you’re set for years and years and years and years, at least from a peace-of-mind state.

Randy:   Well, it is.  I’m always amazed.  I can never keep track of all the different security solutions that you have, and you’re starting to make them talk to each other more, too.

Todd:   Yeah, absolutely.

Randy:  I think that’s important, and that’s something maybe that I had wished for more in former days and I’m seeing more now, so...

Todd:  Yeah, for example, a lot of our authentication solutions, our multifactor authentication, our federation solution, are beginning to be reused by other Dell technologies.  So the Quest KACE MDM solution uses our single sign-on federation.  The Dell SonicWall firewalls use our multifactor authentication.  You know, all their offerings, the Dell offering for medical organizations uses our single sign-on solutions.  So, you know, there are a lot of places where this 1+1=3 can come to pass because it’s, you know, all offered by the same organization.

Randy:   And that’s what I would want and expect if I’m going to make a commitment and say, all right, I’m not just going to automatically go out there and get the cheapest, newest and best-of-breed solution for each piece of the puzzle.  I want that synergistic benefit of going with a vendor.  If I’m going to go with one vendor, then I’m hoping for that synergy along with the products.  The more of their products I use, the more of that 1+1=3. 

Todd:  Yeah, and the trends continue, you know, where I mentioned earlier that adaptive, context way of security.  Right now that involves a few of our identity and access management solutions and our firewalls and the SecureWorks Counter Threat platform.  In the future that can expand to where the firewall is actually enforcing, not just helping make a decision, where an encryption solution from Dell is enforcing in addition to helping to make a decision, and it can go anywhere, and then when we build an API into it, it can actually go beyond Dell and you can build your own contributive piece to that context where it thinks.  So, you know, we are excited about that, but, you know, it all comes down to: it’s one big, stable, strong company that can provide it to you.

Randy:   That’s cool.  Folks, normally you’re used to seeing me, or at least listening to me, more, but this is an opportunity I get to talk to the people like Todd that make all the real training for free™ webinars possible, and I said let’s just talk about their products a little bit.  So thank you, thanks for all the great webinars that you’ve sponsored over the years.  We get lots of people that come up and say I go to every single one of your webinars, and when we need answers, especially on the Windows security log, they come here, but you guys are the ones that make that possible, so thanks.

Todd:   Thanks for allowing us to do it.  We find a lot of value in it as well.

Randy:  Well, take care.

Todd:  Thanks Randy.
