
On-Demand Webinar

How State and Local Governments Can Boost Cyber Resilience with Exposure Management


Join experts from Tenable and the Center for Internet Security to explore ways state and local governments can take a risk-informed approach that strengthens cybersecurity, optimizes resources, and reduces cost, in line with the March 19 Trump Executive Order on Achieving Efficiency Through State and Local Preparedness.

State and local governments are on the front lines of managing and protecting critical infrastructure. Increasing cyberattacks and a recent Executive Order (EO) from the Trump administration underscore the need for strategic, risk-informed investments in critical infrastructure protection and resilience.

To help your agency prepare for a more risk-informed future, check out this on-demand webinar exploring how state and local governments are boosting cyber resilience with exposure management. By watching this session, you will learn:

  • How risk-informed decision-making and investments bolster cybersecurity and help you stay a step ahead of evolving mandates
  • Why exposure management is critical for risk-informed decision-making and investment
  • Practical steps to assess, prioritize, and act on your most critical exposures

Who should attend?
This session is open to infosec leaders, practitioners, and IT professionals responsible for securing state, local, and tribal government entities.

Register and watch on-demand now.

Webinar transcript:

Good morning, everyone, and welcome to how state and local governments can boost cyber resilience with exposure management. My name is Zach Bennefield. I'm a principal security engineer here at Tenable, and I'm joined by Tenable's Chief Security Officer, Bob Huber, and the Executive Vice President and general manager of Security best practices from the Center for Internet Security, Curtis Dukes.

Zach Bennefield: It's great to be here today. And looking at the agenda, we're going to be discussing a few key topics: the SLG threat landscape versus critical infrastructure threats, what the recent executive order on state and local preparedness means for you, how states can leverage the State and Local Cybersecurity Grant Program, and how to improve your cyber resilience with exposure management.

Zach Bennefield: As always. If you have questions, please leave them in the Q&A. We will get to them as you send them in.

Zach Bennefield: Let's get started. Some of these recent headlines underscore the escalating threat landscape for SLGs.

Zach Bennefield: Can you start by giving us a snapshot of the current threat landscape for state and local governments? What are you seeing in terms of attack volume and sophistication? We'll start off with Curt on this one.

Curtis Dukes: Yeah, hey? Thanks, Zach, and pleasure being here. So from my lens, you know, I really see the threat to state and local government in 3 particular areas, the 1st ransomware, the second really is around critical infrastructure, and the 3rd is supply chain or third-party service integrations. For that.

Curtis Dukes: You know, in the 1st one, you know, I mean, you know, we've seen ebbs and flows of ransomware attacks over the last several years, and we're currently in a period of increased flow. And it's most likely brought on by cyber criminals using generative AI applications. I mean, it's just it's brought the work factor down for them, you know.

Curtis Dukes: Because ransomware as a service offerings are, you know, and generative AI have kind of tied that you know that barrier and made it much smaller and lower for everyone associated with it. We're also seeing an increased amount of volume and ease in creating the attack vector, you know, using phishing emails or SMS texts and voice.

Curtis Dukes: So that's kind of ransomware for the second one. Really, around critical infrastructure. You know, it's really a mixture of cyber criminals and increasingly nation states, and I think in an upcoming

Curtis Dukes: chart, will walk you through Volt Typhoon as an example of an attack on critical infrastructure. And then, finally, regarding 3rd party or supply chain, we've seen a steady increase in attacks against these types of suppliers. Some of you may recall the attack on programmable logic controllers used by water and wastewater systems that was attributed to Iranian threat actors in that regard, but that was one where they were attacking us.

Curtis Dukes: You know that supply chain? You know the vendor. In that case, you know Zack's, you know, in the chart right here, you know, we reference Rhode Island and Deloitte. And so that's another example where you know they're hitting those service providers

Curtis Dukes: to the States and local governments in that regard. Those are just a couple of the most recent examples. I would simply summarize that attack volume has definitely increased, and while there is an increase in sophistication, the evildoer or the miscreant, however you want to refer to them, is simply taking advantage of a lack of basic cyber hygiene.

Bob Huber: Yeah. And I think it's worth noting, too, that while the attack surfaces continue to expand, the rate of proliferation is continuing to expand. We haven't raised the cyber poverty line a ton at this point. So those things that we call foundational controls. I hate to say this. Many organizations are still doing that. So we've not kept pace with an effect, the adversary. And just for some perspective from Tenable, I can tell you, this dataset writ large. So it's not specific to state, local, tribal, or territorial.

Bob Huber: Let's say a new critical vulnerability comes out for a mainstream operating system. So think like Microsoft, or think like macOS. You know, we can tell from our data sets, it takes folks about 2 weeks to patch only 50% of those vulnerabilities. So now, you know, even if we might not have the resourcing, whatever those reasons are, that's a pretty significant window of opportunity for the adversary to take advantage of, even something that's a well-known exploit. And I think that's key to understand, like, that's not just state, local, tribal, territorial. That's actually the broader ecosystem of all our peers out there trying to defend against these attacks.

Zach Bennefield: Yeah. And that's a really important thing to note. Right, I'm not going to burn a zero-day exploit. If I have a low-hanging fruit right there in front of me. You know I'm going to take the easiest path in.

Bob Huber: That is exactly it.

Zach Bennefield: So, Curt, as we look at this chart, why do you see such a prevalence of attacks against local government in particular?

Curtis Dukes: Yeah, so maybe just a moment on the chart. So this was, you know, it was pulled from data that the Center for Internet Security. Their cyber incident response team has reviewed. There's a total of 139 cases that they reviewed over that time frame. You know, the 1st thing you note is that local government, you know, cities, towns, counties, and schools were the highest

Curtis Dukes: high sectors represented. This doesn't mean that they are the most targeted necessarily, but you know, but it does mean that these sectors are most often, you know.

Curtis Dukes: We are looking for support from our incident response team. The second area I draw your attention to is the recurring weaknesses across SLTT networks. These include default credential usage, weak password policies, protocol vulnerabilities, whether it's SMB or RDP,

Curtis Dukes: and then also end of life or vulnerable software, you know. But what the chart does speak to is that there are resourcing imbalances, you know, between the subsectors, local government K-12,

Curtis Dukes: You know, within the public sector. In my opinion, that's the primary reason why the State and Local Cybersecurity Grant Program is so important, and it has to be reauthorized by Congress.

Bob Huber: Yeah. And I think, you know, so this is a great slide. And I'll tell you, folks, I literally just briefed the Tenable board yesterday. We're a public company, so I had a board briefing on cybersecurity yesterday. If I were you, this would be one of those slides that would probably end up in my board deck for a couple of reasons. One, it just highlights the volume and the risk associated with whatever, you know, you're associated with, and two, those top paths to compromise. You know, as we look at the State and Local Cybersecurity Grant Program and even the executive order, which we'll talk about briefly, it's a risk-based approach.

Bob Huber: Hey? You're seeing some of the top risks on the right-hand side. You're seeing the prevalence on the left-hand side. This is something you might want to think about grabbing at some point and taking that to your leadership as well to drive some of the business use cases, you know, for your request for investment.

Zach Bennefield: Yeah. And it's really interesting, looking at these top paths of compromise, right? Because it really emphasizes the ease of compromise. You've got default credential usage, right? We've seen major compromises from those weak password policies that are propagated by things like password spraying. Password lists are free and available, very easy to find out there, right? And then I come all the way down to 5, outdated or vulnerable software. So

Zach Bennefield: I think a lot of people have a misconception that as long as they keep their OS patched, they're fine. I gotta tell you, when I come into a network as an exploitation analyst or as an exploiter, I'm looking at all that software that's on your network, because a lot of them have vulnerabilities that are gonna allow me to run commands at whatever account level they're using, right? So I can use that to escalate my own privileges, move across the network. So these are all things that you need to be really mindful of.

Bob Huber: Yeah. And it's really important to highlight, too, and we actually see this in our data sets, those things that are like more obscure devices, and even including edge devices, so think routers, VPN concentrators, things like that, where you see a lot of vulnerabilities and exploitation. I'm not gonna throw any vendors under the bus here, but I will tell you internally, even talking to our teams, the networking teams here, they're like,

Bob Huber: Yeah, we're always hesitant to patch those edge-type devices because there's a real impact associated with those things. That's how your connectivity is flowing in and out of your organization or to plants and facilities. So they're very hesitant to patch those devices. Those things tend to have an even longer window until somebody actually addresses the issues from a patching perspective. And I certainly get it. And then take that a step further. If you actually have operational technology devices

Bob Huber: First, you probably have the patch approved by the vendor. Second, you can have it. Somebody probably has to deploy just to touch or fix the thing. Third, it's the same problem. If that thing gets updated from a firmware perspective, it doesn't work correctly. That's a big problem that's disrupting some service-critical service you're providing to your constituents.

Zach Bennefield: Absolutely

Zach Bennefield: Taken together, these insights prompt a critical question: Why does safeguarding SLGs against cyber attacks remain such a persistent challenge?

Bob Huber: Yeah, I'm just gonna go on record and say, I have none of these challenges. So I can't address the question. True, not true. We have a mix of every and all of these things from legacy systems and infrastructures, things that run 5, 10, 15, 20 years. And you know, like a lot of times, certainly, when you think about critical components, operational technology, they're deployed at build.

Bob Huber: Right? It's a one-time and done deal. You build a plant facility of some type. The system's deployed in there, and that's what you have until there's some type of refresh of that infrastructure. So one of the areas I always like to see folks lean in on is when it comes to supply chain-type activity. You know, you can push some of that pressure into your supply chain right by. You know, things. People do things like facilities, testing sites, testing facts, and stats. If you know what that means of certainly industrial control and OT systems

Bob Huber: to make sure the vendors understand the importance of security in your world and the fact that a lot of times you can't update things unless the vendor approves the patch. So that's also an issue. Make sure the vendor is very responsive and has a program to relay that information to you. It's not lost on me. And I actually know some people who are, I'll call them control engineers, that they're the control engineer, the database administrator, and the IT person, all the same person.

Bob Huber: So you know, there are challenges from a resourcing perspective as well, like, you know, you have your day jobs and you're responsible for uptime. And then you have to think about these other things from a risk perspective. So

Bob Huber: That's challenging. And then, I think, more recently, as Curt referred to earlier, you have the nation-state level attacks, right? And I had the opportunity yesterday to go speak to Congressman Luttrell out of Texas.

Bob Huber: We spoke specifically about the state and local cyber security grant program and the ability of not just commercial entities like Tenable but also state, local, tribal, and territorial entities. You're defending against nation-state-level attacks. During the conversation, I explained, I said, "Listen. It doesn't mean the big metro or the state entity."

Bob Huber: What about the entity that has the dam

Bob Huber: or the reservoir that's upstream from a major metro or associated with a port, or something like that. The impacts of those smaller areas, you know, what's municipality or rural entities that are significant. Across the population, the state, and even industry, in that respect. And you know, you know my joke, which is actually really true, about the one guy who is the controls engineer, the IT system administrator, database administrator, that one person has that responsibility on their shoulders which may have downstream effects.

Curtis Dukes: Yeah, I'll pick up on that, you know. For me. It you know, you know the generative AI is the area that you know, I think, has really enabled cyber criminals to actually create very well crafted phishing and social engineering type of attacks that lead to that initial access right? And then what they're going is they're taking advantage of

Curtis Dukes: lack of basic cyber hygiene, which is patching and configuring, to then elevate privileges. And they're targeting critical infrastructure. They're targeting those, you know, suppliers of critical services to SLTT governments in that regard. And so that you know, it's just. It's

Curtis Dukes: What generative AI has done is just powerful from an attacker's perspective. And so you know how you, how you defend yourself, you know, is really about that focus on those basics, really around, you know, patching, configuring, you know, adopting a cybersecurity framework and making sure you're measuring yourself against that, and that

Curtis Dukes: Unfortunately, it requires resources right? And so, as you move from the State level down to local government, you know, to Bob's earlier point, those resources are in contention. Right? They're, you know, they're they're doing multiple jobs. And you know they weren't.

Curtis Dukes: They weren't paid or trained to be cybersecurity professionals, and yet it falls on their shoulders to do that. And you see that very, very prevalently within critical infrastructure, just for example, water and wastewater. Right? You know that

Curtis Dukes: That you know. That person that's operating that plant, you know, is also, you know, more times than not, actually is that 1st line of defense, you know, to protect against cyber attacks and things of that nature, for that so generative AI has been a game changer for attackers. Now it also has an opportunity to be a game-changer for defenders. But

Curtis Dukes: What we find is that attackers are usually earlier adopters of newer technology, and they use it to create mischief.

Bob Huber: Curt, I love that. I'm gonna I'm going to stop this. So here's my take on it because I get asked about this by leadership at Tenable on the board, is, I do agree, the adversaries. They don't have to worry about guardrails, like there's not some committee inside the organization worrying about the use of AI for attackers. They just go.

Bob Huber: Now, on our side, we stand. We have frameworks and guardrails and committees and approval processes for how we use AI, and rightly so, because we want to make sure we can reduce the risk of our use of AI, but that also includes our use on the defensive side of AI as well. So a little anecdote here, I tasked my team last quarter

Bob Huber: to review AI capabilities, specifically in my Security Operations Center. And I did that because I knew the CFO was going to say, "Hey, what are you doing? How are you using AI to become more efficient and effective?" And I thought, that sounds like a blank check to me, is what I heard, and I said, "Hey, go out, take a quarter, evaluate the current market set. And let's see if we can gain some of those capabilities from an AI perspective." And unfortunately, to report at least for my team, anyway, and our experience.

Bob Huber: The team came back and said, Hey, let's wait 6 to 12 months and see what the market looks like, and we didn't think we saw the advantage yet for our side. Now I will note you're seeing a lot of solutions build it into the platforms, you know, Tenable included, along with everybody else, and that's a good thing. But day to day operations, the secure operation center is not quite there yet. So when Curt says, Hey, the advantage of the adversary.

Bob Huber: I hate to agree, but I'm kind of in the same place. They don't have those same guardrails and constraints that we do to do the job we do. We just can't pull in any tools and start doing the job. It doesn't work that way.

Curtis Dukes: Yeah, let me. One other area that I think often doesn't get enough. Attention is around insider threats, right? Whether it's intentional or unintentional. And you know, when it comes to state and local government, that's an area that's of increasing concern, right? And so what I mean by unintentional is that you know it could be that that person was, you know, you know, multi.

Curtis Dukes: You know, multitasked. And then they took them. They just had one bad day, and that gave the adversary the ability to gain persistence from that. But then you also have where increasingly, where you see a number of folks that are

Curtis Dukes: that are malicious by intent, and you know, and it's just so difficult for organizations to defend against that, because it's human nature to want to trust your coworkers. And it's just very, very hard to, you know, protect against that type of insidious behavior by individuals.

Zach Bennefield: Yeah, yeah, I'll definitely have to keep an eye on Bob from now on.

Zach Bennefield: So, looking at the statistics at the bottom here, 80% of SLTs see phishing and social engineering as threatening and require additional attention, while ransomware comes in at 66%. And I think that is really important to call out when we do talk about that generative AI.

Zach Bennefield: Similarly to the 2 of you, I keep preaching. How AI has transformed social engineering, right? It used to be very easy to catch social engineering grammatical mistakes. The link was clear if they spoofed it. That was an extra step that most didn't do right. And now generative AI can write these things.

Zach Bennefield: But looking at things like ransomware, you know, it's not just the simple attacks that AI is advancing. It can help you write this ransomware. It can help you write ransomware. It can help you write scripts to do enumeration. It can help you with infrastructure as code to set up your infrastructure for your malware to call back to. So it really is going to advance the attack surface

Zach Bennefield: and the capabilities of attackers in ways that we didn't have before.

Bob Huber: Yeah, and I think, so I actually have an operational data point here which speaks specifically to this, you know, most phishing-type activities. We have a lot of users report stuff, and that's fantastic. That's absolutely my 1st line of defense. We didn't get crazy rates of them in all honesty, I would say, over the past 6 months or so.

Bob Huber: You see, the SOC team kind of doing this bit of like, oh, man, I don't know, like is that legit, or you know, they were usually pretty easy to sift through. But I do know we're seeing more reporting internally here at Tenable very specifically, and the team's having to take a little bit more time to ascertain, like, the validity of, like, is this a phish or not a phish? I think that speaks volumes, because, you know,

Bob Huber: Data will tell you that you get so many of those, somebody's bound to click right, so that makes me a little nervous inside. But we can actually see, like you said, everything from, you know, better grammar to associating information with people, because now, there are tools that automatically collect information on people and what programs they might be working on within organizations. So it brings it all together a little faster and a little easier for the adversary.

Zach Bennefield: Absolutely

Zach Bennefield: So, throughout recent years, we've seen a surge in attacks on critical infrastructure, such as water, transportation, and healthcare. These attacks have ranged from simple stolen credentials to extremely sophisticated and coordinated multi-site compromises.

Zach Bennefield: So we see some simple attacks in here that use default creds to get in and make modifications, right? And then we see something like the Danish critical infrastructure incident that affected multiple facilities. So it does swing both ways in the critical infrastructure section

Zach Bennefield: Looking at one of those attacks from the list, we've got one of the Volt Typhoon attacks, and it was notable because it didn't rely on specialized tools or a zero-day exploit to be effective. This attack targeted vulnerable edge devices, which Bob talked about earlier, right? Sometimes, they fall behind because patching them or updating their firmware can cause outages, right? You have to be very deliberate with these devices.

Zach Bennefield: So a lot of times, they can fall behind the rest and leave a foothold for the adversary to gain entry, and then they use stolen credentials to move through the network. So I talked about how easy it is to find a password list. If I want to go out and spend 10 minutes on the open web right now, I can pull up 5 password lists very easily. If I want to hop on the dark web and pay 5 bucks, I can get 50. That would take me a little more searching on the open web. Right?

Zach Bennefield: So once you're in the network, the attackers use native system tooling to maintain persistence and elevated privileges. And that's why it becomes critically important to understand the applications that are there and how they're being used, right? So they weren't bringing in tools that were going to get flagged by a security tool. They were using native tools like PowerShell.

Zach Bennefield: So when you're looking at an attack like this, what are some of the key elements that could have prevented it through basic cyber hygiene? And what have you seen in the field in relation to why this attack may have happened?

Bob Huber: So I'm happy to take to jump in here. So the 1st obviously is knowing what you have right. And I want to break this down very simply when I say, know what you have vulnerabilities. Yeah, that's great, knowing what's in your infrastructure, though. So you know the way. When I looked at, especially newsworthy, vulnerabilities. It takes everybody a while to scan or understand if they have it. I just want to know, like, do I have it, yes or no, and how much of it do I have?

Bob Huber: So let's say the next big vulnerability comes out on a firewall of some type or a VPN concentrator. Do I have it? And then eventually I'll run a scan and find out if I'm vulnerable. But I think that's key, is like knowing what you have. That's step one, creating an inventory, whether that's a hardware inventory or software inventory. Which, mind you, I know it's challenging, especially when you're talking about plants and facilities, that gets very challenging on the OT side to know what you have out there.

Bob Huber: But that gives you some indication right away of like, what's my attack surface look like the attackers and the adversaries do the same thing.

Bob Huber: And to your earlier point, Zach, you know, they don't come out with zero-days all the time, and sometimes it's stuff we already know about, right? There's a reason why there's a KEV, the KEV list from CISA. It's known exploited vulnerabilities, right? It's not likely to be. It's known. Hey, these are being exploited in the wild. We know they're using them already. That's why we put them in the list, right? And you'll note, too, that most, like, they're not all high CVSS scores either, which is a crazy thing. So like I said, we know, in Tenable, within our data, the window of opportunity can be, you know, weeks or even longer. Certainly for edge devices on the far left, that's definitely the case.

Bob Huber: You know, you want to close them off as quickly as possible. But then I think when you move into the center here, and you're talking about living-off-the-land techniques, that becomes challenging because of living off the land. Now you're saying, hey, my EDR might not even catch these things because it's allowed tools on a system that they're using to move around the environment. So, even with those, they still look for additional ways to exploit other platforms in the environment and continue that motion. Now, Curt, if you want to add some color there.

Curtis Dukes: Yeah, no, I will. And you know, thanks for the shout-out about, you know, knowing the environment, right? And so, you know, from a Center for Internet Security perspective, when we look at our, you know, CIS Critical Security Controls, right? The 1st 3 controls are, you know, all about knowing the environment: hardware, software, and then actual data and data sensitivity. And so

Curtis Dukes: knowing what assets you have on your enterprise absolutely. You have to know that in order to defend that software, you need to understand it. You know, what's the current state of the software, on your, on your

Curtis Dukes: In your environment. And this really gets into end-of-life products and things of that nature, right? And so, organizations for a variety of reasons, you know. Will, you know? Maybe, you know, keep. Keep that software even past its expiration date, if you will, in that. And so and so that makes it that much more vulnerable from an adversary perspective, you know. Again, it's just a simple, you know. Look, once they get the initial access and say.

Curtis Dukes: Hey, you know you, you're running end-of-life, or you're running unpatched software applications from that. And that gets them that initial access, and then from there, you know, they can use a variety of tools to elevate privileges.

Curtis Dukes: And you know, Bob, to your point, you know, once you're once you're on the inside, you know, using, you know, applications that are already been known that are known and vetted for use with

Curtis Dukes: and within enterprise that you're now hiding, if you will, inside the noise chamber for that. All the work was done at the front end, looking for bad guys or evildoers, but once you're on the inside, the checks are not as robust as they should be, and that kind of speaks to why you need to understand,

Curtis Dukes: You know your vulnerability from an exposure management perspective in that regard. The one other thing I tell you is RDP. There are legitimate reasons why you use Remote Desktop Protocol, but it's also a protocol that

Curtis Dukes: adversaries use to great effect. Right? They look for misconfigured RDP ports and and they take advantage of that, and that gets them that initial access from there, and then once they're inside. You know, they just elevate and

Curtis Dukes: and then, you know, prosecute, whatever their mission is, whether it's a ransomware event where they actually are stealing your data or encrypting your data at that point.

Bob Huber: Yeah. And this is a great visual, for, like the adversary's attack path and thinking. So you know, ideally, hey, that stuff on the far left here. You're ensuring that you're doing vulnerability scans regularly. You're updating. You're patching those things, you stop there. Oh, you know what they got in because we patch those things slow, like everybody else, they're inside. Now, now you're starting to think about things like, what's your tooling locally? Are you running CIS benchmarks on all the devices? Are you auditing all devices against the config?

Bob Huber: Right? You don't want to have flat networks, and then, of course, you see the credentials. So the excessive permissions that allow people to navigate and pivot and grab files of information like, you know that file you have out there in a share that has a bunch of passwords in there to help you set up new systems that they steal and use to move laterally, like there's a lot of different ways. You can go after this. So it's not like one of the challenges we have in our world is, you know, you've got, you know, if you have the resources

Bob Huber: I get this, you might have multiple teams running all these things down separately of like address, the vulnerability address, CIS benchmarks, address, excessive permissions, like all these different teams doing something, talking to multiple teams on the other side, trying to address them. And any one of those can break the chain, which is the good news.

Bob Huber: But the question is, that's a lot of alerts and a lot of events and data. And now, if you have limited resources. You have tons of data coming in. What do you do? So, so I think that's you know, and we'll touch on that here shortly of how you help prioritize that stuff. But you can see how there's a bunch of different ways to address it from the, you know, vulnerability management side or exposure management side, the excessive permissions, the you know, the configurations on the local host. They all help, right?

Bob Huber: But you have to do them all, and that's where we talked about earlier, like that. Those cyber foundations are those cyber foundations. You should be doing all these things. But then the flip side is, you know, don't get so much data that you're paralyzed.

Zach Bennefield: Yeah. You know, vulnerability scanning isn't gonna catch me using PsExec on the network, right? It's not gonna catch me bypassing the execution policy for PowerShell. So you really need that defense in depth, and you need it. You need to break down those security silos and bring it all together in a way that's meaningful and useful. So you're not just inundated with noise. You can start to work with those data sets together and see how they correlate.

Zach Bennefield: So let's talk for a minute. We're going to shift and look at the new executive order achieving efficiency through state and local preparedness. This executive order specifically calls on States to take a more active role in preparing and defending against emerging cyberattacks, including attacks on critical infrastructure. So what is the significance of this executive order, and what shift does it signal for state and local governments?

Curtis Dukes: Yeah, I'll go ahead and start, you know, on the surface, the executive order, you know. It makes sense, right? You know. I mean, you're basically saying state and local should manage a good portion of critical infrastructure. You know they're that first line of defense for that, you know they're, and they should be ready and prepared to defend that critical infrastructure against attack.

Curtis Dukes: But you know that said, you know, they simply don't have the resources, you know, for that shift in responsibility. That's what you know, that's been given by this executive order. And I think that's where that's where the rub is, at least from my lens, you know it's it's almost as though the executive branch is passing the buck on to

Curtis Dukes: onto state and local government. And yet they're not. You know, they're not helping them in that area. The other thing I'll point out is that there have been some recent studies that have cited a critical shortage in cybersecurity professionals in this country, right? And that hasn't changed with the issuance of this executive order

Curtis Dukes: and those available and what available professionals are here in this country, you know, state and local governments are competing with the private sector. I mean nothing against Tenable and nothing against CIS. But you know

Curtis Dukes: we're in competition for that, for that same skill set for that, and most of the time, and not the private sector is better, better resource, you know, you know, to compensate them for these critical skills. So, so just, you know, saying, Hey, let's achieve efficiency by, you know, through state and local preparedness, you've got to enable. You know the state and local government, and from my lens, again, I go back to.

Curtis Dukes: You know, grants from the Federal Government to help them with this. With this executive order, you know, to actually prepare that if you will, that first line of defense.

Bob Huber: Yeah. And I think you highlight something that's material, which is, you know, the passing-the-buck comment, while in jest, it's true.

Bob Huber: The dollars are flowing. There are multiple challenges, state and local tribal territories, like you don't have the resources. Somebody's got to apply for the grants. That means that that's work to be done there, you know, if the dollars are going to be used for programs internal, like, you have the resource to go out and execute, and you've got to be able to prioritize. So those are all challenges. So you know, the one thing I do like about the EO, at least in notion from what we've seen so far, is it's moved from that, you know, that all-hazards approach or consideration to a risk-based approach.

Bob Huber: And we're all the same, like, even in my organization, and everybody, I'll talk to all my peers like nobody can tackle everything. So you always prioritize. So, even if you had in the past taken an all-hazards approach, you probably have the pool of threats already available to you. Now you just go through and do your risk assessment.

Bob Huber: And then, based on that risk assessment, you decide where it makes the most sense for the investment of those resources. You're going to get to reduce your risk.

Zach Bennefield: And you know we're really in a time now. Where defensive teams have a huge advantage over what they had 5, 10 years ago.

Zach Bennefield: Tenable has a few different metrics within its products. So VPR, ACR, AES, right? These are all risk-based metrics. They reflect what's going on in the world. What's going on in your network? How are you connected to the Internet? Right? Before we had these metrics, I used to go around to conferences and give talks, and I would call it Zach's Risk Methodology, right? And it was exactly what ended up becoming all these different metrics.

Zach Bennefield: Is your asset important? Right? Is it a domain controller? Is it a DNS server? Is it something that's going to cause a mission outage or an operational outage if it goes down or gets compromised? Is it connected to the Internet? Are the vulnerabilities on it exploitable?

Zach Bennefield: Who is the person that has an account on the machine? Is it the

Zach Bennefield: The front desk receptionist? Or is it one of the software developers who have deep entry into the network? Right? So, look to your tooling to see what metrics are in those tools that can help you identify risk, right? It can help you identify, based on threat intelligence. What's happening in the wild and what you should be paying attention to, because

Zach Bennefield: None of us have time to patch 100% of the vulnerabilities. We don't have the resources, but if you can really focus on the things that are most likely to be exploited, the things that are most likely to lead to a compromise that's going to put you head and shoulders above many of your peers that aren't focused on those things.

Zach Bennefield: One of the things that the executive order did was direct within 90 days to come out with a plan, right? And that plan is going to put stress on state and local governments. It's going to add more work. So, one of the things that I want to talk about is the state and local cybersecurity grant program

Zach Bennefield: In the previous slide, you mentioned that the States aren't prepared to take on some of this responsibility because of these resource constraints, such as finances. So, what are some of the resources available that could better enable them to be proactive against cyberattacks?

Zach Bennefield: And, Curt, I'll turn it over to you.

Curtis Dukes: Yeah, so you know, first thing I have to say is, you know, you, when you break it down, break it up by its acronym, SLCGP. Boy, that's a mouthful, you know, in that regard. But you know, it's really about improving the resilience of publicly managed critical infrastructure, and also offering digital services to state residents. You know. And it does that by

Curtis Dukes: By the implementation of what I, you know, call security best practices, you know, through the grant mechanism. For that, you know. Ideally, you know, state and local government, you know, would have you know, selected a cybersecurity framework. You know that you know that they would then implement and measure themselves against. You know from my lens, you know, it could be the CIS Critical Security Controls, or it could be

Curtis Dukes: You know, NIST Cybersecurity Framework. You know, another core piece of, you know, what this grant program does is it actually helps you implement with that implementation, but also understanding the threats that one faces and being able to show resilience from attack, you know. And again, you know the good news is it kind of? And I think we'll get to it in the next slide. It kind of breaks down.

Curtis Dukes: You know. You know what you know. It uses the NIST cybersecurity framework to kind of break down those core functions. You know, governance or govern, identify, protect, and detect. And these are all areas where

Curtis Dukes: You know, you can actually leverage what this grant program does, you know, to actually help build up resilience, you know, for

Curtis Dukes: Yeah, for your, the state and local enterprise.

Zach Bennefield: Yeah, and I didn't.

Bob Huber: I do like the approach of the risk-based assessment. Right? So. And that's how we're going to defend. So I know one of the requirements is to do a risk assessment in effect. And you know, if you have.

Bob Huber: Whether that's an inventory or knowledge of what's critical to your enterprise. You know, people, facilities, systems, processes. Whatever those things are. I mean, it really comes down to as simple as like probability and likelihood, right, and impact to the enterprise. Internally, in our risk register, you know, we have probability. We have a likelihood score one to 4, and we do some math, and the math kind of gives us a number, and we go from there, and like these are our top risks. And then we look at the top risk and say, what are the threats against those risks? So that's how we prioritize

Bob Huber: Our investment of resources internally. And that's kind of what this is driving like. That's the way to do it, because we can't. Peanut butter spread everything as even as much as I'd like to. So I think that's good to understand. And even if you have, you know, limited insight, you can always bring in third parties and have them do risk assessments of your environment. Right? So that's one way you can put those dollars to use, is to help you do that. So you understand what the landscape looks like for your organization, because that's, you know, ideally, that's where you start at right.

Zach Bennefield: Yeah, absolutely. And this slide was really surprising to me, looking at these data points. So states are utilizing the SLCGP funding for a variety of projects. Right? 80% of that 800 million dollars is allocated towards local governments.

Zach Bennefield: So with limited resources and funding in your view, what should SLG leaders prioritize first as they start aligning with this executive order, and I'm particularly interested in some of the key gaps that you see at the state or municipal level.

Curtis Dukes: Yeah, I'll go ahead and start if you don't mind, Bob, you know, for me when I look at you know again, based on the NIST CSF core functions, you know. And if you look at the first 4,

Curtis Dukes: You know, that's the bulk of the you know the funding that you know, or states or local governments, actually been utilizing, against, which is just kind of the foundational pieces. As I think Bob mentioned earlier. You know this, this govern, you know, this oversight of risk management. I mean 52 projects. And that's really about, you know, just, you know, organizing oneself and how they're actually going to.

Curtis Dukes: You know, choose a cybersecurity framework, and how you know how they're actually going to implement it throughout their enterprise. And again, you know whether it's a centralized or a decentralized model. How they actually do that, you know. And then it's okay. You know. Okay, I've got. I've done my risk assessment, you know, and again, back to

Curtis Dukes: from a CIS Critical Security Controls perspective. You know those first 3 controls. You know, it's knowing your enterprise, right? And that's really around. You know, the asset management of hardware and software, and

Curtis Dukes: and increasingly, just understanding what data and the sensitivity of the data. And where that data is actually located for that. It also, you know, to an earlier comment around upgrading equipment, right? You know. A lot of equipment, particularly equipment that's in critical infrastructure, may already have reached life.

Curtis Dukes: And so you need to, just, you know, be able to get rid of that end-of-life equipment, actually upgrading for that, and then from a protection perspective again.

Curtis Dukes: Now we're getting into access control. I think you know, one of the earlier stats was around, you know, credential misuse or credential harvesting right, and that is an easy way for an adversary to come in and get that initial access is, you know, they, you know, they're harvesting credentials, and they're selling them on the open market, for, you know.

Curtis Dukes: You know, dollars per pennies to dollars for accounts, and then that gets them the initial access for that. So just fine-tuning access control and authentication is hugely, hugely important from that. And then, once you've done that, it's really around. You know the detection function, which is, you know, how do you actually monitor your enterprise? And you're looking for signs that

Curtis Dukes: An adversary has gotten initial access, and they're trying to elevate privileges for that. So. So the bulk is really right there in those first 4 NIST core functions, you know, and then, you know, and then, you know, should there be an event, you know, you'd have to follow up from a respond and recover perspective. But

Curtis Dukes: You know, up front. If you actually do the work up front. You know it actually costs you less. Should you. Should you suffer a cyber incident, you may be able to protect yourself, and the adversary is going to move on to another target. That's if you will lower hanging fruit for them.

Bob Huber: So I like this because the data validates. You know, my earlier statement is like, start with a risk assessment.

Bob Huber: Don't take it upon yourself. Bring in a third party. They're really good at this. If you've done it before. Good for you. There are lots of different formats out there available on the interwebs that you can utilize. But it's really good to give you an outside view of your entity, whatever your entity is, and preferably somebody who's worked in that sector with those entity types as well to understand, because they're probably going to have better knowledge of what your peers are seeing or showing. So start there

Bob Huber: That should drive prioritization across everything else. You do that risk assessment. You know you have to start. We're on a maturity journey, right? So start where you are. If you've got no people, it's a part-time job, or you get one person. You're not going to do all these things. What I tend to say, and I'm not saying I'm right. Do that risk assessment that helps you prioritize all those other efforts and make your request for resources. So if you're using events and grants, awesome. You know where to make investments.

Bob Huber: I'd really pound the table here to ensure that the respond and recover.

Bob Huber: You have that plan, because inevitably it will happen. You know, when I met with Congressman Luttrell yesterday, I said, Hey, you're from a small town. You have 2 wastewater treatment plants.

Bob Huber: Something happens. Who're they gonna call?

Bob Huber: You know. That's a great question to ask to understand who that person is, who's probably one person responsible for everything, and security. What's their first phone call?

Bob Huber: You know? And if it's law enforcement, do they know where to go after that, right? They might not be the right resource to address the issue, you know. Does the entity even know what was available to them? Whether that's you know, MS-ISAC, or some other entity. It's knowing where to make that first phone call, because you likely will call somebody else to help respond, right? And not only that, you want to practice that

Bob Huber: You would have that contact information available. You want to know who gets to make the decision to make the call. You probably got to coordinate with some type of PA function of some type in your entity organization. Have that plan in place right away, even if you've not done all the other things, and it's probably especially if you haven't done all the other things. Have that handy and have that out to multiple people across the organization. So you know what to do in response to any significant event.

Zach Bennefield: Absolutely. And you know all of this kind of ties into exposure management. We're looking at the executive order and what it's going to place on SLG, so when we're talking about exposure management, Bob, how would you explain that to a government leader who's newer to the term.

Bob Huber: Yeah. So it's almost like what we talked about earlier like that all-hazards approach.

Bob Huber: Think of it as an all-cyber risks approach, right? So, misconfigurations, weaknesses, and vulnerabilities all rolled in. And what I mentioned earlier was all those solutions. They create a lot of data. And then you got people on the other side, receiving all the data, trying to coordinate with somebody else, to resolve all those things. Right? So. And that's traditionally what the space has done for a long time.

Bob Huber: Exposure management seeks to essentially consolidate all that data. So they don't go to different tools and different consoles. And you know, jokingly, internally. My team calls it yak. Yet another console. They have a lot of consoles to log into. And that's how we run down all these issues that are identified all these exposures.

Bob Huber: So now the idea is, take it all, consolidate it, aggregate it, deduplicate it, normalize the data, which is in effect to say, bring it all together, boil that ocean of data.

Bob Huber: and then present to us a lens of the most critical issues within your organization, and even call out things like that attack path we saw earlier of like, hey? If somebody wanted to get in they would go here. They would do this. They would elevate privileges here. That's the attack path to get in, you know. Break that chain. But oftentimes what happens is, if you're resourced enough, and you even have the luxury of this capability. You would have one team working on the critical vulnerability over here, who doesn't know the

Bob Huber: Who doesn't know the vulnerability here, and that's the attack path? So you just talked about three different teams, and it might be three different people or three different teams on the other side fixing them.

Bob Huber: who also doesn't know

Bob Huber: That this is the attack path. This is how they get it right. They're just doing their day job. And like, I'm going to fix this critical vulnerability. Another person's gonna fix this critical vulnerability. So the idea is, bring all that data together into a single platform that helps you prioritize that. So now, when I go to my peers of the CIO of the Engineering, like I have a concise message to relay to them, like this is your priority. Make it much simpler for them, because all they see is lots of tickets coming across

Bob Huber: There are lots of tickets to fix all these different things and change configurations, when in reality, the message is, "Hey, your focus should be here. Invest your time here." If you only have 5 minutes, do these things.

Zach Bennefield: Yeah. And as we're looking at exposure management, where does it fit into the security continuum? You know, we've heard a lot recently about the need to move from a reactive damage control posture to a more proactive stance. And it's called out in the executive order, right? So just last month, members of the Subcommittee on Military and Foreign Affairs stressed this point during a hearing on Salt Typhoon and managing threats to our nation's critical infrastructure. So, how can exposure management help us get to where we need to be?

Bob Huber: Yeah. So I think it's, it's exactly what I said. If you know what these top-level issues are altogether prior.

Bob Huber: You know, that's the proactive side. That's what that means. You have the opportunity to either break the chain, probably in multiple locations, of all the risks being identified. But you do that work prior, and you know, measurably, it's gonna save resources on the other side. And you know, and I know we have some great stats here, and it says, here's how much a breach costs, and it's gonna save you this amount of money. You have to think about that from the perspective of when an incident happens.

Bob Huber: You know how many resources across multiple teams I'm gonna deploy to address whatever the issue is? And then, did I also disrupt the enterprise? If you're providing a service or capability to other organizations, or to other entities or constituents like, did you just disrupt those services? Those are the costs we're trying to capture on the right-hand side. Right? That's the cost of a breach. So if you do these things upfront and you're able to prioritize what the different teams are addressing.

Bob Huber: You're going to reduce the need to spend those resources on the reactive side. And now I always caveat this, and sometimes not popular, especially here within Tenable. You still need those reactive capabilities. Don't forget those. But what I'm saying is, if you make the appropriate investment upfront of the configurations and vulnerability management program, exposure management program, bring all that data together and addressing those, you have the opportunity in front of you to reduce the spend on the right-hand side, or even prevent the occurrence of that.

Zach Bennefield: Yeah. And one of the things that we look at here, as well as you know, you didn't have to report breaches previously to the public, right? Now you do. There are many regulations that require it. And you've got that negative impact on monetary, brand, customers, investors, right? Bob has to deal with this every day. Right? He has to look at it through this lens. If we were compromised as Tenable as a security company, what does that mean for us? What does it mean

Zach Bennefield: for our customers, our shareholders? And he has to bring these real-world insights to the Board, to the shareholders, and show them what we are doing to protect

Zach Bennefield: We're doing what we can to protect ourselves, our data, and your data. So it becomes really, critically important to incorporate something like exposure management and understand the overall risk posture.

Bob Huber: Yeah. So I think, actually, you know, if you're presented to leadership of some type and you took the original slide Curt had up there the breakout of attack types, and then the entities reporting that you overlay a number like this and the number, I would say the truth, somewhere in the middle. There's some big number on the other side.

Bob Huber: You kind of say, hey? Likelihood of occurrences looks like this. The entities that are likely to be targeted look like this. And you know, potential cost looks like that, right? And you, you know that number ties back to the size of the entity as well. But at least you have some rough ideas of like, hey? Here's what some of the risks. And not only this like quantitative risk to an extent. Here's what quantitative risk looks like, because we all have

Bob Huber: subjective opinions and certainly security is, in my opinion, a lot more art than it is science. You know, we're kind of doing the, you know, thumb in the air. What does it look like? What do I think it is?

Bob Huber: You have real numbers here. So as you're building your cases for investment of resources and don't just think like technology. And people within your organization think that the other people who actually do a lot of the work, because security doesn't always do all the work right. It's their teams. It's OT engineers. Other people actually oftentimes do the bulk of the heavy lift of security work. So, make sure you consider them in your resource investment requests, because for them, it's prioritization.

Bob Huber: Right? We could do this project over here. But you know what we want to do the security thing, and there's a cost in doing that in the trade-off.

Curtis Dukes: Yeah, if you don't mind, I'll just pick up on that, you know. And you know, and I'm gonna use a term called reasonable cybersecurity. And you know what really drove that from a Center for Internet Security perspective was, you know, you know, in and how you actually secured your environment. Was that reasonable, right? And so should you suffer a cyber incident, you know, and you get hauled into court.

Curtis Dukes: That's exactly what a judge is going to be asking, you know, was, you know, was your implementation reasonable? You don't have to protect against every type of attack. But did you have controls in place? Were they actually being? Were they being monitored by you? Was it a reasonable implementation for that? And you know the good news is, there are a number of States – 5 now that have actually created safe harbor laws to protect

Curtis Dukes: entities, commercial companies operating within that State for that. So when I think of the security continuum, I think of it through the lens of reasonable cybersecurity. And hey, you know, I chose a cybersecurity framework.

Curtis Dukes: I was reasonable in my implementation of it. Here's the evidence. I, you know, that I prove that I'm using an exposure management product, you know, and how I'm monitoring that across my enterprise. And should I, you know, should I suffer a breach, you know, and I've reacted, you know, you know, because I've done tabletop exercises and things of that nature.

Curtis Dukes: You go in there. You've got a defensible case, you know, in the eyes, in the eyes of the court. So I kind of think of this also in the eyes of reasonable cybersecurity.

Bob Huber: I love that I work with our chief legal officer, general counsel

Bob Huber: More than I'd like to admit, probably, but the term we were fond of using is reasonable standard of care, like even in a public company. Do you have a reasonable standard of care? That's very specifically defensible. So when I present to the Board, that's essentially what we're evaluating. The board members are evaluating on behalf of shareholders. Do you have a reasonable standard of care, and we're a public company? So we also have to show that we have a reasonable standard of care with the SEC as well.

Zach Bennefield: These are all big terms for what I've always called due diligence. Right there, you go.

Zach Bennefield: Diligence.

Bob Huber: Yep.

Zach Bennefield: And so, as we're looking at exposure management, 2 of the big things that it focuses on are reducing your attack surface, right, by putting all these different things together and giving you contextualized risks. So in my 20 years or so of time in the field, I've been exposed to countless tools across countless vendors. Bob talked about this right. His analysts have to log into all these different platforms.

Zach Bennefield: And one of the most challenging aspects for me was always how to make sense of the data I was looking at in a meaningful way, because I had to physically sit down and map out all these different things, and many analysts aren't, aren't there, right? If you're bringing a junior analyst in, they need it presented to them in a way that they don't have to learn how to correlate all of this data.

Zach Bennefield: And so I had network data, vulnerability data. And I would have loved to have any insight into my Active Directory permissions and how that affected me. But I didn't. Right. So, when we're looking at our exposure management, how does that help agencies not just respond to threats, but actually anticipate and prevent them? And why is it important to include OT, cloud, and identity in this risk-based approach?

Bob Huber: Yeah, so I'll jump in here. I know we're getting pressed for time here, so I'll speed it up for you, Zach. So if you look at the slide, and I previously mentioned this, these could be multiple teams in your organization sending multiple reports and looking at multiple consoles of multiple other teams to do stuff.

Bob Huber: So, thank you. So now you're getting kind of this effect of stuff flying by somebody that's on the other side to respond. And like I said, the VM team doesn't know that there's an identity issue with a device over here that also has a critical vulnerability. So, Zach, if you would press to the next slide, I think this kind of paints the picture for us

Bob Huber: of you know

Bob Huber: I need knowledge of what that looks like in relation to other contexts in the environment, whether that's business context or attacker context, and vulnerabilities like, I need that knowledge to make more informed decisions, certainly, for the person executing the other side. So they understand like, why are they doing the thing, whatever the thing is? And I think we've beat it enough now that people know, like, Hey, you got a patch, sure, gotcha right? And people kind of get that. And you see it roll up in the goals. But, like the why, why are you patching? Or why is this more important? Like, I think, exposure management?

Bob Huber: We'll start drawing that in. So it kind of breaks down these silos. Right? So the attacker they look right through this. They're just like “I need this vulnerability on this device and this identity over here, which I'm going to increase privileges over here to get to this asset…” Right there, you have a perfect example, and throw in a misconfiguration. And like, that's what the attacker needs. And that's how the adversary is viewing your environment, whether it's from the outside. So don't just think external assets, or whether it's from, you know, me clicking on that email with that phish in it. That's my, that's my beachhead, right? So now I've got

Bob Huber: Access to the box. And now I've got an identity, and I can increase permissions, and I can find a vulnerability somewhere else, like that's the attacker lens, and how they're doing what they're doing. So the exposure management it, it brings that together for you instead of you having people sitting in one location. If you're lucky in today's world. They're like, “Hey, this vulnerability is critical in this box.” And somebody's like, “Oh, yeah, they have access privileges on that… On that account over there like that,” that never happens. It's never going to happen. So you have a system that can do that for you.

Zach Bennefield: Yeah. And you know, as a long-time exploiter, you have to get it right 100% of the time if you're defending against me. I have to get it right once, and I'm not looking at your vulnerabilities as my only door in when I have identity, misconfigurations, password lists, unsecured S3 buckets with secrets in them. Right? So exposure management really works heavily to break down those silos in meaningful ways

Zach Bennefield: and bring all that data together for analysts. So they're not having to manually put it together. They're not relying on one talking to the other and saying, Hey, we've got this weird network traffic that might look like exfil

Zach Bennefield: What's going on on the vulnerability side, and a vuln analyst sitting there going, “I don't know, man. I've got 10,000 critical vulnerabilities. And 80 of them could be a data exfil, right?” So it really contextualizes that data together in meaningful ways for those analysts so that they don't have to, you know, go through the sorting process amongst all the different teams.

Bob Huber: So, so, Zach, I'm gonna jump in again. And you're very kind by saying you're an exploitation analyst, because I, the way I look at those. You are a Nation State attacker. So let's be honest here. Don't want to throw that too broadly. But I just did so. This slide here like when you look at it, you think about exposure management.

Bob Huber: As I already said, we have an ocean of data. We're trying to boil it. That's what you're seeing. On the left-hand side, there are a bunch of different teams and tons of data. Boil the ocean of data.

Bob Huber: highlight those connections, the attacker's viewpoint of the things I need to focus on.

Bob Huber: And that's what we tackle.

Bob Huber: That's what we go after. Right? So the adversary is already chaining all these different misconfigurations, vulnerabilities, and weaknesses. We have to think like that as well.

Bob Huber: It's not efficient to do that, because we probably do have siloed tools and siloed teams. So you want to have a platform that brings it all together, and then hopefully coming out the other side.

Bob Huber: A lot fewer things your team has to have eyes on and everybody else across the enterprise has to take action against. You're essentially, effectively shrinking your attack surface, is what you're doing, and that's the value add. So you know, you think about AI is a great, a great example. That's like we think AI is going to do great stuff, and someday we'll do great stuff, and in some cases, it does a little bit. Maybe

Bob Huber: Like our platforms are catching up now, like this has not always been available to us as defenders. Our platforms now have the ability to collect data from tons of third parties. Hundreds of third parties

Bob Huber: boil that ocean of data and decrease the things we actually need to pay attention to, and the likelihood of an incident. And it was something I'm fond of saying internally, because I have vendors hit me up all the time, and I'm a vendor. I know this

Bob Huber: Vendors hit me up all the time, and I always say I don't need to buy more alerts

Bob Huber: Like, I have tons of alerts already. I need ways to do something with all the alerts that I get, and we've finally gotten to the point of, that's what we're doing, right? And I actually talk to product every single week. And Zach will tell you I drive a lot of my own needs into our solution sets for that reason of like, hey, I can't have all the teams do all things. Like, just give me some focused things I need to work on.

Zach Bennefield: Yeah. And you know, I've been at Tenable a long time, coming up on 10 years, and in our old headquarters, on one of the walls, we used to have in big letters, "You can't protect what you can't see," and I think that is the perfect summary for exposure management, right? Back then I was like, oh, yeah, you can't protect what you can't see in the sense of vulnerabilities. But you can't protect what you can't see across the network. So you need a meaningful way to bring that all together.

Zach Bennefield: And then state and local governments have some unique challenges. So, focusing on these challenges specifically around resources and budget constraints. How does exposure management help?

Bob Huber: Yes, to all those things, you know. If it's coming together in one platform, you don't have yet another console, as I referred to. So you're increasing efficiency there, literally less connectivity, less training across platforms, that makes a lot of sense. You're prioritizing those risks based on all the data you have available to you. So don't just think Tenable. You know, it's third-party data coming as well. So all those platforms and even competitors and cases, so overall that, you know, reduce costs.

Bob Huber: Reduce time to spin people up as well. We just hired a couple of new people here, and it's fewer places they have to go. With less training, they have to get to become more efficient, effective at their job, so essentially optimizing those resources. Of course, tool consolidation. Everybody talks about that, you know, even in my own tech stack, you know, I have 40-plus tools. I think the average I saw in some statistics somewhere is like most organizations have, like, 76.

Bob Huber: Good luck to you. That's a lot of stuff to bring together. And that's why some organizations create their own cyber data analyst teams, right? Their own cyber data lake, and invest in that. And then they have to. You know, industry's finally caught up. But you know, I think this is an opportunity for organizations to sit back and reassess, of like, hey, can I? This makes sense to me. Do I have a lot of different feeds coming in? Can I bring this all together and create this prioritized view? It makes us more efficient, more effective at what we do.

Zach Bennefield: Absolutely. And with that, we are at the end of the presentation. If you have questions, toss them in the Q&A. But I want to thank Bob and Curt for their time today. It's always great to sit down with you guys and talk shop.

Curtis Dukes: Hey, Zach, thank you for hosting us, and being a great moderator for that. You know, I guess we'll just leave with one point, you know, Bob actually was, you know, up on the Hill, actually advocating for a renewal of the

Curtis Dukes: State local cybersecurity grant program, and I'm hopeful that he was successful and it will get reauthorized because I do think the funding is, and that grant funding is hugely important to the state and local government. So and I think, you know, we've got enough information now to actually help

Curtis Dukes: Prioritize. You know the resources that a State and local government needs.

Bob Huber: Yeah, I think great call, Curt. So I think everybody that I had spoken with was receptive. Cyber is not a partisan issue. It really wasn't. It's how it gets done. That might be a little more partisan, and they're well aware, you know, the funding has a limited duration and time, and looking to extend the funding, I felt extremely positive. Coming out of those conversations

Bob Huber: Like I said, everybody understood the importance. They understood that the burden lies with state, local, tribal and territory entities as well, and that funding just can't disappear right? You can't implement programs on a short funding timeline. It doesn't work that way, at least in my world. You know, it's like 18 months to implement a program of something.

Bob Huber: Right? So yeah, and you need that consistent funding, right, mechanism to make that happen. And I, hopefully, you know, fingers crossed that pans out. But I felt really good coming out of those meetings.

Zach Bennefield: Awesome. Thank you for joining us, and to all the participants, thank you. Everyone who registers will receive an email within a day with the recording and the slide deck. So have a great day, and we'll see you next time.

Curtis Dukes: Yeah. Take care.

Speakers

Curtis Dukes

Executive VP and General Manager, Security Best Practices, Center for Internet Security

Bob Huber

Chief Security Officer and Head of Tenable Research, Tenable

Zach Bennefield

Federal Security Strategist, Tenable
