
The Modern Defender's Toolbox: Low-Cost Solutions for High-End Defense

BSides Augusta · 2025 · 36:28 · Published 2025-10
Speaker: Wes Lambert
Category: Technical
Style: Talk
About this talk
Modern security operations face a tough reality: attackers are faster and more creative than ever, but most teams don't have unlimited budgets or staff. The good news? You don't need a giant stack of expensive products to build real capability. Throughout this presentation, we'll explore practical ways to combine free and community-supported tools into a cohesive security program that can handle modern threats. You'll see how to:

- Detect phishing and email-based attacks before they reach users
- Monitor browser activity to catch risky clicks and malicious content
- Track wireless networks for rogue devices and close-access attacks
- Leverage network traffic and complementary logs to uncover suspicious behavior
- Quickly investigate endpoints to corroborate or correlate network-based activity
- Enrich events with network-based threat intelligence for better prioritization

We'll walk through real-world examples showing how these capabilities work together to find and stop attacks across multiple layers, for a fraction of what you might dole out on those big-box IT data stores. Whether you're building a SOC from scratch or looking to augment an existing setup, you'll leave with practical ideas and proven approaches you can put to work right away.
Transcript [en]

All right, good afternoon. Hopefully everyone is fed and feeling good and not too tired, ready to go to sleep. My name is Wes Lambert again. I am an NSM engineer at Target. So I work with a lot of network security monitoring, and I've worked with a lot of other defensive tooling in the space just through either my own testing or pursuits. And I just wanted to share today kind of like an awesome list of the tools that I enjoy using that are low cost and easy to set up and can also, in most cases, scale to the enterprise. So that's what I'm going to be going through today, just again talking through these various points, sharing this information with you guys. Some of this you may have heard before if you've heard me talk. Hopefully it's not too bad for you. But yeah, here we go.

So again, it doesn't matter if you're a big or small company, right? You've got a small security budget, no budget at all. This is what this is about: sharing this information with you so you can be enabled, or have that information, to pursue that security program with very low cost and hopefully lower effort.

So, I'm going to start off with a problem, an example. I don't know what's going on in my network. I have no idea who's talking to who. No idea what's being downloaded or uploaded from the internet. C2? Who knew? Maybe there is C2. Maybe there's some weird stuff going on in my environment. But I really don't know. And that's the problem right now. So, what do I want to do about that? I want to find something I can set up quickly and easily to get that network visibility. I want to try to leverage existing network infrastructure if I have it: if I have a SPAN, or if I have a switch at home that I'm using or in my network, maybe I can use that and use a SPAN port on the switch. So that's very simple. Or maybe just a simple cheap tap, something to quickly and easily duplicate that traffic so that I can monitor the traffic and get that network visibility. And then of course I want to try to use free or open source software if possible, just to make it cheaper on my end. And I would also like it to be easy to manage.

So in this case I'm going to go for Security Onion. Anybody heard of Security Onion? You like Security Onion? All right. So Security Onion is free and open. It's been that way since 2008. It's based on Oracle Linux 9. It's really meant for that security monitoring and log management. So we're taking in all these different types of logs, all these types of data, network visibility, host visibility, and we can get started with just two cores, four gigs of RAM, and 50 gigs of disk. So it makes it super easy to set up and get rolling with it.

Now, as far as the use cases for Security Onion, again that network visibility that I'm looking for, we can use Google Stenographer, Suricata, Zeek, right? In addition to that, we also gain host visibility. We can use Elastic Agent within Security Onion to expand that to our hosts if we want to. These were previously known as Beats, if you're familiar with Elastic. And then we can also perform that static analysis, or if we have some ad hoc work we need to do, there's the option to perform an EVTX import or pcap import to walk through that information. So that's good too. If I have an investigation where I'm going back and somebody gives me a pcap and I want to take a look, it's quick and easy to run through that, or an event log, quick and easy to do that. And we also have the Security Onion Desktop, which allows us to have a dedicated analyst VM. So if I want to run my analysis tools, if I have special tools that I use when I'm performing my analysis, I don't want to do that on my local host. I can do that within a dedicated analyst VM. So that's pretty cool.

The deployment types for Security Onion: the simplest is going to be the standalone. It's just going to be a single node with all components. Next, if you're moving into a higher throughput network, the traditional business setup is typically going to be a distributed deployment where you have a manager and a search node and a sensor node split out. It'll be three different nodes. Then there's also this nice little IDH node. And what we can do with that is stand up a honeypot in our environment and report that information back to Security Onion and have that kind of tripwire in place there. And then again that import mode: we can set it up just for importing pcaps, which I mentioned before, and EVTX for that single ad hoc analysis.

Some of the features within Security Onion are going to be the alerts that are generated from Suricata and also Strelka, detection rules, things like that, that are going to generate alerts for us to go off and investigate strange activity. If we want to drill down on something, or if we want to go threat hunting, we have the opportunity to do that within the Hunt interface. And again, those detections we can craft in the Detections module; that will be Suricata, that will be YARA and whatnot. And then from there we can go in and drill into pcap. We can get a closer look if we're pivoting down, if we're drilling into this information and we want to get more specific data, we want to look at the raw packets: we can go into this beautiful pcap interface here, look at those packets, get that ground truth. Then from there we can even pivot into CyberChef if we want to do that. It's pretty cool. Super cool feature. Also, if we want to create cases, we have the ability to do that. So we can go off and draft our notes in there, our investigation notes, and then continue on, move on, add evidence and whatnot. We also have these beautiful dashboards you see in the bottom right. And so we can create lots of dashboards for management, and maybe for ourselves sometimes. So that's pretty cool.

And then we get all these different types of data: things coming from the agent, the alert data; we get asset data, so what things are in our network; extracted content; we get full content, the pcap that I was talking about before; we get session data; and then we also get transaction data. So we get all sorts of juicy data to pore over through our analyst environment.

All right, first prize: SharkTap. All right, who wants a SharkTap? Now, what are some types, three types, of data that we can get with Security Onion?
>> Yep.
>> You name specific names on
>> Yeah, so the data that I just presented on the last slide.
>> Yeah. Anybody pay attention?

>> Yep. Here you go. All right, SharkTap for the bar.

All right, so guided analysis is another cool thing that happened pretty recently. So it helps you basically investigate more easily. It gives you essentially a playbook to go off of and to go, all right, what do I do next, based on basically how do we investigate this alert and whatnot. So that's super cool. It guides you through the analysis of a particular alert or group of alerts, trying to get down to that ground truth. So that's another cool feature. Another one is the Onion AI that was recently announced. I didn't see it myself, but I heard it was pretty cool. Matt Grace can probably tell you about it. The Onion AI, it's pretty cool. So basically having it go through and investigate, I think, on its own, right? So this is something I'm still learning about. So it can go through and investigate using AI on its own and then come to a resolution.

>> Right. Right. So I'm still learning about that, because I literally just learned about it this morning. So that's pretty cool. But yeah, so that's another cool feature that we have there with Security Onion.

But we have another problem. What about Wi-Fi, right? Security Onion by default doesn't necessarily ingest wireless traffic; it doesn't use wireless NICs or adapters or anything like that to monitor that traffic. And Wi-Fi can be weird, and sometimes it can be difficult to really monitor that. You don't know; maybe there could be threats from wireless attacks. You don't really know how to manage that or detect that. And so what I want to do, really, is understand these anomalies, or what anomalies are in the wireless traffic around me: what's happening, what assets are around me, what things are in my house, what things are in my house I don't know about. And I want to do that for free or low cost, right? Low cost hardware.

And this is where nzyme comes into play. Has anyone heard of nzyme before? Awesome. Awesome. Yeah. So, nzyme's cool. Another one that folks may be familiar with, maybe a little bit older, is Kismet, which is a little bit different, but nzyme is a wireless security monitoring platform. So it allows us to detect, for the close access denial, close access: this is kind of like a military tactic, right? Like when you're doing physical penetration testing and you're maybe trying to plug something in, work with something physical. So it can detect close access, things like that, and just general Wi-Fi detection. And the setup for nzyme is going to be Ubuntu Server, and you can just use one of these adapters here. There's the Alfa, Panda, Intel. The link down below has all the supported types of adapters there. But you can also get started pretty easily with just four cores, four gigs of RAM, and 25 gigs of storage. So it's pretty simple to set up there. And then we have a single node architecture right there. It's really just like a web interface, the nzyme tap, the nzyme node (like the worker, basically), and then the storage, just raw storage in the database there. And then we also have the multi-node architecture if you're expanding that out into a larger network. So that's pretty cool.

One of the things that we get here, it's defined under "spectrum dominance," is what they like to call it, and it's RF situational awareness. So understanding Wi-Fi traffic, Bluetooth traffic, IoT and OT traffic, right? And then also having surveillance countermeasures and just general intrusion detection capability there, which we can see here: that bandit Wi-Fi Pineapple there that was detected. So that's pretty cool. We also have asset discovery, like I mentioned before, knowing what's on our network, right, knowing what may be on our network that we don't know about, or around us. And then just traffic analysis, similar to Security Onion: it logs domains and other transactions, things like that. And then again that rogue device detection that we were talking about, not knowing what's in our network; maybe something is there that shouldn't be there. And furthermore, compliance. I know some folks maybe don't think about this, but there are certain compliance standards for these wireless devices, right? They have to be secured a certain way, and they have to be configured or placed a certain way. So all of these controls it helps meet for things like PCI DSS, CIS, NIST, ISO, right? All of these are very useful to have there. So not only do we have the network visibility from the traditional perspective, where we're monitoring the traffic in our environments, but we're also monitoring the traffic around us, maybe threats external to us, physically, literally. So that's pretty cool to bring that in, and we can also bring that into the fold to expand our visibility overall.

But then moving on to our next problem, talking about endpoint forensics and monitoring, right? Security Onion has some visibility with Elastic Agent, where it can monitor the hosts, but it can also be difficult in general to manage, especially from the forensics, or large-scale forensics or hunting, perspective. To manage, not necessarily in Security Onion, but overall. And then separate tools typically, like forensics tools, dedicated tools, need to be used. So that's when sometimes it's nice to have one tool that does all the jobs. So effectively, what I want to do is I want to monitor my endpoints at scale, or perform forensic analysis and maybe IR stuff on the host quickly, easily. I want to be able to quickly add new detections based on some threat intelligence, or on initial scoping of an incident. And I want to basically be able to adapt very easily, be able to craft new artifacts or new detections based on artifacts.

I mean, that's where Velociraptor comes in. All right. So, kind of expanding that host-based visibility into more of a forensics and incident response capability. This gives us that, and it's a little bit different in the way, you know, traditionally folks have kind of focused on: preserve the disk, then go off and make a copy of the disk and go grab stuff off the disk and analyze it. It's a little bit different. It focuses on efficiency. So we process on the endpoint, actually, to provide that efficiency and that speed at scale. So that's what makes Velociraptor unique in the way that it approaches things. And here's the timeline, basically, of when Velociraptor could be used, right? And the artifacts that we might gather. For example, MFT, USN, ShellBags. The SQLiteHunter artifact can be used on initial compromise, before Velociraptor is installed. Maybe we'd use an offline collector, or we go off and run a collection after installing. But once installed, we can run that in our environment at scale. We can get lots of different information across different hosts and be able to scope a little more effectively. Then we also have endpoint monitoring for stuff like eBPF, event logs, tailing all that with Sigma processing on the endpoint, cutting down on the processing on the SIEM or whatever else. So it helps to pre-process on the endpoint when possible.

So some of the use cases for Velociraptor might be just the typical client-server deployment. The offline collector is pretty popular in the IR scenario. Maybe it's managed by another tool and you deploy it out to an endpoint, or maybe you drop it on a USB drive, take it to an incident site, whatever. And you can also perform interactive local analysis, which is pretty cool. Honestly, it's just a single command where you take the binary and you just run the command, and then you've just spun up a local Velociraptor instance where you can test detections and whatnot. It's pretty cool.

It's driven by VQL, Velociraptor Query Language, which is pretty fundamental to how it works. Super expressive and flexible. Basically everything within Velociraptor runs on VQL. In Velociraptor, this VQL is used in these things called artifacts. And these basically are the things that you're looking for, right? Like detection artifacts, or evidence on the host, maybe evidence of action, or that something existed or happened. And there are different types of artifacts, some that run on a client, some on the server for management. So it's pretty useful to be able to have those at our disposal whenever we're doing our collections. Here's an example of the mutants detection. So, basically, mutants are used by malware to prevent reinfection. So this artifact right here is used to detect mutants. You can see the different parts there highlighted, such as the name, the parameters, and the query down there. But Velociraptor has tons of different types of artifacts within its core set, and also contributed by the community, to achieve different goals. And again, contributed by the community, these artifacts can be imported with the artifact exchange artifact itself, and that will pull in all those that are community contributed from the artifact exchange, which is pretty cool. A lot of really cool artifacts in there. And then when we're ready to actually perform, or want to get those artifacts, we can perform a collection there. And then when we're ready to do that on a bunch of hosts, we can turn that into a hunt. And when those clients come online, they will enroll in the hunt, and then the collection will be started for each one, and the results will be returned back to you.

Another thing that's useful in Velociraptor are the notebooks, which are basically an iterative way to develop artifacts. You can test right there without having to go save the artifact and run it. You basically do it right there in the notebook. Sort of like a Python notebook, right? It also has an API that we can use to hook into it and perform automation through the API, which is pretty cool. So Matt Green also has an MCP server that he set up for this. So you can check that out if you want. The link is right there. So that's pretty cool, to be able to leverage AI and automation there with Velociraptor in that sense.

But now we have a different problem. All right. What is this? Can a kit, I'm gonna make him mad. It's gonna be a simple question. All right. So, what powers Velociraptor? What is it in the back? VQL. Correct. Yep. There you go. Congratulations. Yes, sir.

Alfa. All right. So, we got a new problem. So far, we've discussed the network visibility, right? And endpoint monitoring. We've talked about Wi-Fi visibility. Now, we got a new problem. We're talking about the files that are extracted, or files that we get from an incident. Maybe files that are extracted from Zeek whenever it collects that network traffic and extracts them and then writes them to disk. What do we do with those? I mean, are they of any use to us? How can we get any more information? How can we get any more data about those files and do something with them?

This is where Strelka comes in. Strelka is actually baked into Security Onion, but I wanted to mention it explicitly just because, for those that don't run Security Onion, it can still be useful. It's developed and maintained by Target. It's a modular data scanning platform. It scans files with a bunch of different scanners. It's got 50-plus scanners. It uses YARA to taste the files and determine what the file is like, what kind of scanners are supposed to be applied. And then it applies those scanners to it based on the profile. And from there we get a lot of rich metadata. It can work very well in an enterprise file scanning pipeline, which we use all the time within Security Onion and other places. But again, that file extracted from the network traffic by Zeek is sent to Strelka. Strelka analyzes the data, produces logs, right, and then we ingest those logs and present them in a console, or correlate those with other types of data and activity. So we can also do that with ad hoc file analysis: simply just submit a file. There's a utility called fileshot that comes with Strelka that you can use to do that. So it's pretty useful to do that. Or, in the case of Security Onion, you just want to drop it in a directory to get scanned, or something else. That's another option. And then another use case for this, kind of, is academia, right? Exploring files or file types, characteristics, exploring detection opportunities, evasion techniques, and how that works with files. So it's very useful in that way to really learn from the files and those detection methods.

The architecture is fairly straightforward, although there is some stuff that kind of makes me scratch my head sometimes. But essentially we have this client that sends to the frontend. It does some coordination with the gatekeeper, eventually goes to the backend, and the manager helps to manage those Redis queues in there along the way. But this allows us to kind of scale. You can scale it out with a large number of frontends and use the Envoy load balancer if you need to scale it out, if you have a ton of different files. But I'm not going to go through that because we just have more to cover. This is some of the metadata. This is from the ScanPE scanner, just some generic metadata about the file here. We can see the compile time, the address of entry point, lots of other stuff. There's way more useful stuff we could look at, but I just want to give an example of some of the output from one of the scanners. For detection, Strelka can use YARA rules for detection. So we're talking about applying YARA to files, right? And performing detection that way, and then generating those, bubbling those up to your alert interface, getting those ingested along and correlated with the other data. And then the fileshot UI is pretty useful if, again, you're performing ad hoc analysis and you want to just kind of explore and learn and write detections and that kind of thing, or you're just curious. It's pretty cool.

And so we've got another problem though, right? We've got a lot of problems in the enterprise, right? I mean, there's just a lot of stuff we got to do, a lot of things we have to secure. Excuse me. Let me get some water.

All right. So, the next problem is my employees keep getting phished, and business email compromise is a real problem, right? Like, it's a real issue. It's important. And I need a better email-based detection and response mechanism. I need something the way I've got network, got files, right? Got host. I need something for email.

So, that's where Sublime comes in. Super awesome. Anybody use Sublime? Awesome. You like it?
>> Yes.
Awesome. Sublime is awesome. Email security monitoring, or detecting phishing, BEC, malware, detecting it all. You can perform threat hunting in the interface, user reporting. It's very useful for auto-remediation purposes. Super easy to set up. It's hosted online; you can just go sign up for an account. You get up to 100, I think, mailboxes free with that. You can self-host it if you want. You can get up to 600 mailboxes that way. So, if you're not super large, I mean, it's pretty much free except for your time and effort. It has integration with O365 and Google Workspace to pull those in and analyze those emails. And it's also capable of direct email ingestion. If you have raw emails that you want to submit to Sublime, you can do that. And what's important here is that Sublime's approach is not to be that black box. They're very open and transparent about their rules and their rule language and how things are done. It has a distributed detection model with multi-layered AI, fancy computer vision and NLP, natural language processing, and it actually works really well. It also leverages Strelka behind the scenes. So, kind of another building block again from the file perspective. So it does it in combination with its NLP and other stuff to make those informed decisions about emails. It also has agentic automation as of late. So, talk about automated workflows for user triage, right? Report triage. You can go off and proactively craft detections from the agent for whatever is being sent or seen in your environment. It's pretty cool.

This is an example of a flagged email. So this would be if it detected something and it was flagged and it was not auto-remediated or auto-acted upon. You can see the link to auto-download of a suspicious file type here, and just some other random information there, but basically just the messages that are matched to those detections. User reports again, like an abuse mailbox: you can auto-remediate, you can perform automated actions based on however that's reported. Replies also can be automated. And then quality feedback supplied. And then, yeah, again the auto-remediation: you can quarantine the flagged messages automatically if you want to remove them. You can move them to spam or remove them completely, whatever you would like to do there. And what's pretty cool here is that you can also hunt throughout your emails, right? So, if you want to look retroactively, maybe you didn't have a detection in place, and you wanted to retroactively hunt through based on some threat intelligence or some new report, you can go do that with MQL and the rules right there in that Hunt section. And then again, the rule creation interface is pretty cool. You can write and test rules right there in the interface against some of your data. That's pretty useful. And then submitting those EMLs directly with EML Analyzer. You can do that, and you can get an interactive report there in the UI of the EML. That's pretty cool.

But that's not our only problem. So, all right, we got network, host forensics, monitoring, right, files, email. Got to cover a large swath here. All right. So, our users leverage browser extensions, right? Anybody's users have like a bunch of browser extensions, code editor extensions, all that stuff? Pain to manage, probably pain to kind of search through. Don't really have a great way to handle or understand the validity or the risk of these extensions. We want to get a better understanding.

That's where Secure Annex comes into play. Another great platform. It performs extension security monitoring for Chrome, Edge, Firefox, VS Code, Open VSX. I think more is on the way. It's a great way to do this. We get visibility into those extensions. We can search for a specific extension if we want to. If we have something that looks suspicious, or that we're not sure about, we can get a report there. We can see that for this one the risk was inconclusive, although the availability, maintenance, and ownership were provided here. We can get some context, right? Which is important. We get context and really understand what's going on: why does it have this rating, or why does it have this many users but it looks like it doesn't really do anything, or whatever. We want context to answer the questions. Some more of the search interface here: some good information like organizational information, author information, trends, and then an AI analysis of the extension, looking through the codebase of the extension and attempting to provide an overview of what's happening there. We can also see the manifest of the extension. It's pretty useful. Bless you. And we also have the code review section, which breaks down some of the code there in another section for the results. So that's pretty cool, being able to see, broken down, what components do what, quickly and easily. Some more of that. And then we can also search for extensions by organization. Search for stars, ratings, users, version. Pretty cool. Also for vulnerabilities: what if we're searching for particular vulnerabilities or extensions with vulnerabilities? It's pretty useful to understand that that's present in our environment. We can also monitor for changes. I think that's pretty important, right? I think there are a lot of extensions where they've been picked up by a new owner, or the owner's changed something, emails and other stuff, right? And then they're not what they used to be. Pretty important.

That's not our only problem. All right. Trying to think. No. All right. So, now we have another problem. I'm looking through alerts. I'm looking at some data. No idea about this IP. I don't really have any context. I don't know about any trends or patterns, really, about the information, the data, the IP address I'm looking at. What should I be aware of? Are there things that are happening? So I want to get more context here. I want to better understand these trends, right? Trends in data, and get more context.

So that's where GreyNoise comes in. Does anybody use GreyNoise? Awesome. Cool. So GreyNoise, you know, there are a lot of these, I won't say a lot of these, but there are a lot of companies that perform intelligence or provide intelligence, like obviously VirusTotal, a bunch of companies. But for me, GreyNoise is very, very good at providing contextual data, and quick to see trends and all that good stuff. And it really helps filter out a lot of the noise for me. So my experience has been very good about providing that intelligence for particular IPs. It also has a great Visualizer interface, which I realize now is probably a little difficult to see on this screen because it's dark, but it gives you a lot of rich contextual information here. Again, trending information, observed activity, tags for malware activity, campaigns, that sort of thing. We can also see the trends here. So we can see a timeline of activity with the trends in CVEs associated, these unique IPs, these ranges for this past amount of time. So it's pretty cool. We can also generate alerts if we want to based on some of this information, which is pretty useful. We can tie that back in into our log management platform if we wish, into our SIEM or SOAR platform. It also has many different integrations. You'll probably see it, or you might have seen it, in other products where you can integrate with GreyNoise to provide the contextual IP-based information.

Then we have another problem. All right. Flying through these. I was trying to get through quick. I'm trying to think of a question, y'all. All right. So, I often complete a lot of manual tasks during analysis or investigation. Takes a long time, right? Limits my ability to work on other stuff, maybe more impactful or meaningful stuff. And my team continues to use more and more security tools for different purposes. I want to automate where it makes sense, right? Alert triage, pretty good to do. Hash lookups if I need to. Domain reputation, host analysis, scoping maybe could be useful. Vulnerability remediation could be really useful if done safely. Containment.

And this is where I had to pick one. And honestly, I like a lot of these, like a lot of low-code editors, but I just want to kind of throw it in just as an example. But this is one of my favorites just because it's pretty flexible and it's not necessarily tied to this SOAR thing or whatever. It's pretty open. So I like n8n for that reason. It's a no-code/low-code open source automation workflow builder, easily hostable via Docker. This helps you tie all the things together, right? Helps you do less manual work. So, it has a few different node types. Triggers start the workflow. And this is a super old example here, TheHive. I've not used TheHive in a long time, but yeah, you can see TheHive there is the trigger. And you can see the "route by observable type." It's going to be an action, along with the other actions right there. Basically, whenever an observable was added to TheHive there, it would go off and then it would perform a hash hunt and then a filename hunt to look for that file on the host. This is what I'm talking about. Make my life easier, right? And then there are a bunch of different actions that are built in, aside from just running code or generating your own via Python or raw commands. There are lots of different integrations. So they've got a huge library to pull from, which is pretty cool. A lot of community-contributed actions, a lot of work there. And again, you can customize these built-in actions for code such as Python again, raw commands, if/else logic, whatever else, switches, whatever.

So, in that, assembling the toolkit. All right. So, we've got our wireless monitoring, our network monitoring, our email detection and response, our IP intelligence, host monitoring, host forensics and IR, extension monitoring, file analysis, and then wrap that up with some automation, right? We can easily tie these together. A lot of these have APIs, right? We can tie those together with things like n8n. A lot can also be tied together by the artifacts, which are super flexible, and the fact that you can do pretty much anything you want that a computer does. So, if you want to get crazy. But yeah, add a little automation in with these, and we have a fairly comprehensive start, at least, for a low-cost, low-budget security program, or at least monitoring program. And that's all that I have. I don't want to take too much of your time today. Yes, sir. [applause]

>> Yeah. Yeah, sure. I can get to you. Yeah. So, just get with me after. I can show it to you. And I guess it'll be on the recording, but I don't know if it'll actually host the slides. I don't think so. Right. Yeah. Let me see. Trying to think of a... I haven't thought of one yet. I want to ask. Go back. See if y'all remember anything or have just been sleeping.

>> I'm like the worst at these.
>> Yeah.

>> nzyme.
>> Yes, I believe so.
>> Yeah.

>> Yeah. Yeah. API is available with Splania.

>> I don't think so. I think most of them have APIs. Multiple of them have MCP. So, yeah.
>> Yeah. Yep.
>> Yep.
>> Have you tried system running?
>> I think that's loud. I think Security Onion probably would be the most, and then like second on top of that. I have not tried it running all on one system. Probably run on like two systems. You could run it on one, but it'd just be kind of weird. But yeah. Come on. Pick something. Pick something that's like right. Come on.

All right. I'm gonna do this instead. I'm thinking of a number. [laughter]

>> 75
>> 75. All right. You get this Alfa adapter. Congratulations. All right. Well, thank you guys for having me and letting me ramble.