
And I'm live. So, good morning, welcome to BSides Asheville. I have the distinct honor of being your first speaker today, which is great, because I can with confidence say this is the best presentation you will have seen so far today. I'm gonna be talking about, well, the title of my presentation is "Machine to Machine: Automating Threat Intelligence". So, just kind of a general overview: we wanted to talk a little bit about what threat intelligence is, and then how you can use automation to empower your team to make faster, better decisions in your security operations.

A little bit about me: I'm an intelligence consultant with Recorded Future. I'm also the manager for the automation and advisor group there. I've been
working in the private sector for a little over five years, with some experience in the financial sector, mostly vulnerability management, before I came to Recorded Future. I'm also a US Army veteran with over 13 years of experience with the military. There's a picture of me there in front of some big machines, because I love machines. Machines make our lives easier in so many different ways. In this case, it let us dig up explosive devices and disable those without getting any of our soldiers hurt. The technology I'll be talking about today will help your teams, as I said, be stronger, better, faster when it comes to identifying and engaging threats in your environment.

So here's a good question: how much time do your analysts spend
processing threat intelligence versus analyzing it? A lot. You know, I think I've seen some metrics that show it's an 80/20 split, where you're spending 80 percent of your time just collecting and managing all of this data, and then you've got about 20% left to actually figure out what it means. So, automation: this is based on a poll from last year of our customers at Recorded Future, just looking at how automation has improved their programs. Some of the reported metrics were an eighty percent reduction in time spent on data management, a fifty percent reduction in time spent preparing reports, and a ten times decrease in the speed analysis during critical incidents. So we see
reporting from our customers that when they deploy these technologies, and they can move the data around and process the data in an automated fashion, it saves their analysts a lot of time, and so their analysts can spend a lot more time really figuring out what the threats to your organization are and how to deal with those.

I should start by defining what threat intelligence is. There's a lot of marketing out there on "threat intelligence"; I'll put air quotes around that. I will say, hint: it's not a pew-pew map. You see a lot of this stuff in marketing. You see these old lines like, I don't know,
Russia's attacking the United States, and, I don't know, we're attacking Alaska. Yeah. But what does this tell you? No, this doesn't tell me anything. I don't care if there's some attack vector from one country to another. What I care about is: how do I take action on this? There's nothing I can do with this. Tell me something: who specifically is attacking, through what, what is the infrastructure they're using, what are the actual malware signatures they're using, what are the tangible things that I can look for and act on in my environment. So
that's what threat intelligence is: it's not just information, but it's the context that makes that information useful to your organization. Gartner has a great definition, a little wordy: threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard. So, a little wordy, pretty comprehensive, but there are some key things there. We see "actionable": it's something that you can take action on. It includes context, and in some cases even includes some type of advice on what to do. That's my definition, a little more
concise but kind of the same thing: threat intelligence is actionable information regarding current or anticipated threats that influences decisions within an organization. So when we're looking at threat intelligence, when we're evaluating whether a particular source of threat intelligence is valuable to our organization, we want to make sure that the information provided is actionable and relevant to threats in our environment, and also something that we can use to make decisions.

So most of us work for companies that spend money, and they want to know what their ROI is on their security program, and sometimes it's hard to define that. So as a business justification you can take this back: threat intelligence facilitates the
identification and reduction of risk through a better understanding of your operational environment. So without threat intel you're essentially operating blind. You probably know what's going on inside your network, but without understanding what the external threats are and what that threat landscape is, you have no context to figure out what's a threat and what's not a threat within your environment, or how to prepare for anticipated threats. To paraphrase Sun Tzu: if you don't know yourself and you don't know your enemy (you have to have both of those things, you have to know yourself and your enemy), you'll lose almost every time. But know both of those things and you set
yourself up for success.

I love threat intel. We have a saying in the Army that enthusiasm will take you very far. So threat intelligence should permeate all aspects of your security program. It's not a siloed function that's just talking to itself, like, "Hey, these are really cool, look at all this neat stuff, this threat actor is really interesting." It should not be peripheral to your organization. And again, I'll kind of go back to how we do intelligence in the Army: in any command structure, your S2, your intelligence staff, are key advisors to the commander, and no decisions get made within a military unit without consulting your
intelligence team, because you have to understand the impacts of the enemy on your actions and how your actions might impact the enemy, and that's what your intelligence team tells you.
So at Recorded Future we deal with a lot of different teams at different maturity levels, so there are some qualities that we see in mature teams. Mature teams have clearly defined intelligence goals, meaning they know what they want to look for and they know how to get it. They utilize deliberate and repeatable processes, so they're not operating ad hoc, they're not flying by the seat of their pants; they have regular deliverables that they're creating in repeatable ways to build robust intelligence products inside your organization. And they're also trusted influencers: the other aspects of your security team trust them, your board trusts them. When they say this is a threat, people take that seriously, and
that influences their actions within the organization. And like our church, it's not the size of your data that matters, it's how you use it. So you can have all of the threat intelligence in the world, but without a mature team with mature processes and practices, it's essentially useless. Team and a heart brothers again: high-quality feeds, and they have to include context. They have to have something that tells you definitively: what can I do with this, how does this impact them?

This little picture here: an orange and white Volkswagen Passat. Let me tell you a little war story. So I was a platoon leader doing route clearance operations in Mosul, Iraq, and we were out every day
driving around looking for threats to our troops. One morning I'm prepping my platoon to roll out, and this breathless intel guy runs up to the motor pool with this report: "We have a reliable report of an imminent attack, vehicle-borne IEDs, today. The vehicle they're using is an orange and white Volkswagen Passat, so be on the lookout for an orange and white Volkswagen Passat." Anyone here that's been to Iraq before? What do the taxis look like in Iraq? That's a taxi. So we roll out of the gate and there are literally hundreds of these things. So we have what might be good intelligence, it might be a good source, there might actually be an
imminent attack, but the indicator that I've been given isn't useful to me. So you need intelligence that is specific enough that you can find it and definitively know this is a threat and deal with it. Give me a license plate number, give me a last-seen location, something that helps me figure out what I'm looking for. OK, that's my soapbox for threat intelligence.

So I'll get into the automation piece. So what is automation? We've got some cool little robots there. Most of the time it's not robots; a lot of times it's just software. So automation is anything that takes the load of the workload off of your analysts. When you automate,
you're putting systems in place that do the boring stuff (there's a book, Automate the Boring Stuff) that takes up your analysts' time. And I'll talk a little bit about the key areas that you can automate in your threat intelligence program. There are a lot of pieces to this: it can be scripts, it can be appliances, API communication, machines talking to machines. Automation does not replace your analysts. You still need analysts, but what it does do is make your analysts, as I said, better, stronger, faster. Think of your analysts as cyborgs, or, as our Swedish friends at Recorded Future like to say, threat intelligence centaurs, because they have the
speed of a horse but the brain of a human.

So, common candidates for automation. These are some areas where organizations can really get a lot of ROI on automation efforts: data management, data enrichment and correlation, rule and alert generation, and threat research. These are all areas where our customers at Recorded Future, the ones that are successful with automation, are spending their efforts.

So for data management: think of data management as any time you're moving data around, you're copying data, you're transforming data, you're doing something to data. Automation in this case is important because the
scale of these data sets that we work with is enormous. I mean, you might have a list of a hundred thousand IP addresses that are known to be tied to command and control infrastructure. You might have millions, literally millions, of data points that you're pulling into your program to try to make sense of the threats. You could, I guess, if you had infinite money, just hire enough people to do that, but to really keep up with the pace of the threat landscape you need something that can manage all of that data in an automated fashion. Data entry: your team should not be doing data entry. Unless you're literally copying
from handwritten notes, there's no reason for a human to sit there and type data into a system anywhere you can avoid it, because they have better things to do.

There's a little diagram of how that data is often managed. We have our threat intelligence sources kind of out in the world, and most organizations will pull that in and they'll store it somewhere. This isn't, you know, this isn't exact. Sometimes your SIEM is the one that's pulling the data and it's storing it in the... some organizations have a TIP and they're pulling their data into the TIP (a TIP is a threat intelligence platform, if you haven't seen that),
say they're storing the data there. I have some customers that just roll their own threat database, and they are just using or something to just collect all the information in a central place. And then that data you can share out via API calls to all of your appliances: push it, pull it, from your SIEM, your orchestration and incident response tools, and your vulnerability scanners.
Data enrichment and correlation. A couple of definitions here. Enrichment in this case is adding context to internal data: you have some data from inside your environment and you're trying to make sense of it, so you enrich it with threat intelligence. Correlation is surfacing interesting things in your environment. A lot of times in this case you're starting with some type of external data, a threat feed, and you're saying, "Are any of these things in my environment?" So let's see if we have indicators of threat based on what we know from threat intelligence feeds. And your computers are always going to be faster at this than your analysts. It's infeasible to
have an analyst look through data from a threat feed and ask the question "Is this in my environment?" and then go manually look for it. There's just too much data. Even if you have a very narrow threat intelligence feed, so you've only got a few hundred indicators, you've probably got millions of events in your organization. SIEMs make that easier to search, but it's still kind of an insurmountable problem.

So this is kind of what enrichment looks like. You've got some type of internal indicator. It could be a wide variety of things: an IP address, a hash, a URL, a file
name, something, and you say, "What is this? This looks suspicious. What is it?" So you have some type of automated process that does a data lookup, either from your own internal store of threat intelligence or it looks to external feeds, and then it brings back several pieces of information and attaches them to that indicator. It might be some type of risk or confidence score, that we're 50 percent confident that this is an indicator of risk. It could be some risk evidence; that could be things like "this IP address has been observed as part of command and control for Zeus" or some other malware. And related entities, so you might say this IP address has been associated with these
domains and these hashes, etc. And this is really useful from a research and incident response standpoint, especially when this is automated, because it pulls all this information in, attaches it to the artifact you have in your environment, and then it gives you other things to look for. So you could say: this IP address, we've seen suspicious outbound traffic to this IP address. We do our data enrichment: well, this has been associated with these hashes; the other sightings of this IP address have been seen with these hashes. So then you say, "Well, do these hashes exist in our environment?" So you pivot from there, and then you can confirm or deny whether or not that one piece of information,
that data point, indicates something larger in your environment, and that can happen very quickly with automation.

Data correlation: this is typically done more in bulk, so you're using large sets of data. You start with some type of threat intelligence feed, an external feed that you've got; you have internal, say, log data; and then you do an intersection on that and say, "What do these two lists have in common?" And that resulting sublist is your correlated data. So say I have a list of URLs that have been observed in phishing campaigns in the last 48 hours, and then I have logs from my web proxy; these are all the URLs that have been requested
through our web proxy. Intersect those two sets and say we've got these machines that are calling out to URLs that have been observed and involved in phishing campaigns. Using automation, this happens in seconds, so you can very quickly figure out if you have a threat in your environment. So
Rule and alert generation: this topic can be a little more contentious. Some people are of the opinion that your rules should be manually created, that your team should be building the rules themselves based on their understanding, but my opinion is you can't keep up with the pace of the threats, especially with things like IP addresses, IP infrastructure as an attack infrastructure. The value of that data is hours to days: because an IP address is risky right now doesn't mean it's risky tomorrow. And when you're dealing with threat lists with thousands, tens of thousands, hundreds of thousands of IP addresses, there's no way your team can
build rules to detect those in a manual fashion. You have to build automated systems that will automatically generate the rules to detect those in your environment. You should also tune these based on what's important to you. Again, as it says there: don't blindly block things. That's important. Don't blindly block things. A lot of security teams get yelled at because they got a list of IP addresses associated with some botnet, and then they just blocked the whole list, and then they are impacting their business. So you have to build some logic into this rule generation that makes sense. A good way to do that is whitelisting. We do that at Recorded
Future with our risk scoring. We get indicators that IP addresses have been associated with malware, but half of these are AWS IP addresses or Cloudflare IP addresses, so we mitigate that; DNS servers, things like that. So you build it so it's smart enough to say: I've got some threat intelligence, build some rules; caveat, build them based on these requirements, these business requirements.

And then finally, threat research. This one's a little softer. It's more human-involved, doing threat research, but what automation does is allow you to process large collections of data to surface interesting things that could potentially help inform your security program. Instead, automation plus larger
sets of data equals awesome threat hunting. I'm gonna talk a little bit about this; this is actually something I did recently at Recorded Future. So one of the data types that we collect on is vulnerabilities, and we build risk scoring around vulnerabilities to say whether we consider them, you know, not a risk, you know, mod or low criticality, all the way up to very critical. And so when we make that data available to customers, we have what we call threat lists. We have a vulnerability threat list that contains every vulnerability that we consider a critical
vulnerability, saying you should patch this, right? So this is the breakdown by CVSS score of those vulnerabilities. See, we've got 36% are critical, I've got a 62%, which is a two point forty percent, or high, and then medium, low, or no CVSS score is about one percent of the entire data set that we would consider critical. So the medium and lower is a small population; it doesn't look like that much of a threat. Maybe you're like, "Well, we should definitely prioritize these highs, because a lot of them are being exploited," or, you know, there's a lot of them in the set. But I was curious: if we take the set of critical
vulnerabilities and we process it to say, let's only look at the ones that have current evidence of exploitation; let's take the full set of the vulnerabilities that we're getting and say, I'm only interested in the ones that have been observed being exploited by malware in, say, the last week. Now we see a very different breakdown. We see critical stayed about the same percentage, but you'll notice medium, low and none (none meaning there's no CVSS score assigned to that vulnerability) is now over 25 percent of the pie. So what does this tell me as a threat intelligence analyst or a vulnerability management person at my company? It says: hey, we should pay
attention to these medium and low vulnerabilities, because they're being exploited. It gives me the context to say, let's not just blindly patch. Again, this goes back to knowing your enemy. Let's not just start with the criticals and work down until we get to the lows, because you'll never get to the lows. Because of the volume of vulnerabilities that are being disclosed relevant to your environment, realistically you're probably never going to patch all of them, so you have to figure out which ones are most important now. And I've worked for organizations that, you know, they've got a 60-day patch process, right? How often does Microsoft release vulnerabilities? Every 30 days. So all they did was constantly fall
behind, because they were patching slower than the vulnerabilities were being disclosed. So again, this shows you how you can use that context and how you can use automation to surface that context. What I did here is I basically built a series of Python scripts that took the raw data, compared it to some other sources, and surfaced this. I didn't have to go through and look at each one. The original list is like 38,000 vulnerabilities, so there's no way that I'm gonna sit there and go through 38,000 vulnerabilities and see which ones are being actively exploited.

So, integrations. It's all kind of good in theory, but
how does this look in your environment? How do you deploy these solutions with the technology that you're already using? So these are three things that customers are commonly doing: they're correlating in their SIEM to build targeted alerting within their environment; they're enriching artifacts in their incident response tools and orchestration tools for incident investigations; and they're correlating and enriching their vulnerability data that's coming out of their vulnerability scanners.

So this is kind of what it looks like in your SIEM. You've got your threat feeds, you've got your log data; same pattern we saw before, we're looking at the intersection of the threat feeds and your logs, and we've got correlated data. But then from here we're
taking that and applying some alert criteria. We might say we've got an intersection of these IP addresses from our outbound firewall logs and known command and control. Let's apply some logic to say I'm interested in anything that has a confidence score over 75 or more, that we're at least 75 percent confident that this is actually a server or an IP address that's been abused. And then we'll apply some whitelists: we're gonna ignore public DNS servers, we're gonna ignore AWS and Cloudflare and other CDNs. And then we get a much smaller set of IP addresses that we'll start alerting on in our environment, and have that done automatically. The way this is done with a lot
of our customers, when they're pulling our data, they'll do this at various times. So for IP addresses, we recommend every hour to update your alerts based on the latest threat intelligence. Hashes and vulnerabilities, you can probably get away with doing that once a day. Domains and URLs, maybe four or five times a day. So that's happening constantly, and as those processes are running, your monitoring tools are automatically detecting new threats without the need for human interaction. And what does that do? That frees your analysts up to actually respond to the alerts that are coming up. They're not building rules; they're responding to incidents in your environment.

So for
incident response and orchestration tools, this is a common pattern that we see with integrations. You have an incident, something's happened. A lot of times you don't know if it's a security incident yet; it's just a thing, some alert triggered, and we have some indicators or some artifacts, but we don't know what it is; we're trying to make sense of it. So say we've got an IP address, a domain, a URL, and we'll enrich each of those. The IP address: maybe we'll look at the ASN, say, what neighborhood is this IP address in? Are there a lot of other risky IP addresses to the left and right? We'll look at: is this IP address on
any command and control block lists? Has it been reported or observed supporting any botnets? For the domain, we'll enrich that; we'll probably pull in some WHOIS data: who owns this, who registered it, when was it, or how old is it? I might look at subdomains. Great indicator here: if you've got a domain with a lot of observed high-entropy subdomains, that's an indicator that there's something really fishy going on. And also, there are threat lists, block lists for domains that you can look at, and so that gives additional context. URLs: a lot of times this is mostly seen either with phishing campaigns, so URLs that are being linked out from emails, or malware droppers. So
those are two common areas that we see URLs being deployed. So again, the enrichment automation can say this URL has been observed in these phishing campaigns, or the URL has been reported as dropping these malwares.
And then the last piece here: vulnerability correlation and enrichment. The way this normally works: most commercial vulnerability scanners don't support pushing data into the scanner, right? They don't support the use case of doing enrichment and correlation in the scanner. So the way most of our customers are doing this, and the way I see this most often, is you're taking scan reports. Your vulnerability scanners are constantly running; they're generating reports daily, weekly, whatever your cadence is. You take those reports; you either just work with them on a file system, or it gets pushed into something like Splunk, where you can search through it like you would any
other piece of log data. And then once you have it out of the vulnerability scanner, you can do bulk enrichment. We can see here this little spreadsheet; this is actually intelligence from Recorded Future. So you've got a list of vulnerabilities that have come out of a scan. We've got a risk score, so we're saying, hey, these are highly critical vulnerabilities according to the intelligence we have, and then we include risk evidence on that. So what that tells your vulnerability management or patch management team is: this vulnerability is risky not just because it has a high CVSS score, but because of the evidence that's provided by our threat intelligence providers. One of
the challenges is that a lot of vulnerability scanners don't use CVEs in their reports; they'll use their own proprietary vulnerability IDs. So sometimes you have to do some type of data mapping. Say if you're using Qualys, for example: they assign a QID to vulnerabilities, so you have to map. You say, you've got these QIDs in our environment, so map each of those to the CVEs that are related to that QID (sometimes it could be multiple CVEs), and then from that you do the bulk enrichment. You can also do correlation with vulnerability data. This is enrichment, so we're attaching additional information to the vulnerabilities from your environment. You could just as easily, though, say we've got a list of,
going back to the slide I had before, say let's take those medium and lower vulnerabilities that are being exploited, correlate those with our scan data, and see how many of those vulnerabilities are in our environment. Because just because it's out there doesn't mean you're using the technology. So again, you have to understand yourself in order to react to the threat.

OK, one more piece; this is the last piece I've got: learn to code. And I was saying you have to learn to code, but someone on your team should know how to code. I recommend Python: one, because Python is easy; two, because almost every security tool I've worked with is either written in Python or supports
Python. It's kind of the language of the industry. You don't have to use it. You could use Ruby, you could use C#, .NET, you could use Java; I mean, if you really wanted to, you could use C. But knowing how to code and having that capability on your team will save you so much time. Say, for example, you get some new threat feed, some new data that you think is valuable, but it's in a non-standard format, right? It's in a format that your tool's not equipped to consume. If you have someone that knows how to do this, in an afternoon they can knock out a
script that'll do the transformations that you need to consume that data into your feed. Threat research: if you can code, or someone on your team can do it, they can knock out in an hour or two scripts that will answer the questions you have about the data you're looking at. So have this capability on your team. And I say on your team because if you want to rely on the expertise in other places in your organization, you may or may not get those resources. This comic is obviously dated; that's Python 2. Everyone should be on Python, everyone's using
Python 3, right? All right, questions?

Yeah. So the question was, I guess I could say, sort of some best practices around tuning alerts in an automated fashion for your organization. So the classic answer is: it depends on your organization. What we see a lot of times is customers will look at the threat landscape for their industry vertical, or for companies of similar size to themselves, and they'll say, your industry peers are being hit a lot with these types of campaigns: it's whale phishing campaigns, it's ransomware attacks, or whatever it is. And so you take that and you tune your alerts to look for those very
specific threats in your environment. That's one thing. The other thing is obviously whitelisting. One thing that's good to do: figure out what the IP addresses of all your key business partners are, and make sure you have a whitelist of those IP addresses, so you don't inadvertently block some critical connection in your environment. And the other thing too, for teams that have more advanced threat hunting capabilities: you may start building out TTP profiles, kind of attack patterns, and there are ways to build your alerts around those attack patterns, again to look for very specific things in your environment. And I'm an
advocate of, you know, you can have an alert that says just tell me any bad IP, and also have an alert that says tell me specifically if I see an IP address related to this botnet, because companies X and Y have been hit by this and they're very similar to me.

So a lot of this is being done actually in their tools. They're doing this in Splunk, they're doing this in QRadar, or they're doing this in Phantom or Resilient or some system like that. So a lot of those systems have some infrastructure built into them. Yeah, so again, it depends on the
amount of data that you're working with, and I don't know any kind of benchmarks off the top of my head for, you know, I haven't... it would just be, you know, you might have to kind of, yeah, system dependent. Jeff, any other questions? Start hearing, we'll come over there.

Favorite sources of threat intel, and sources of threat intel I don't trust. Well, I work for a threat intelligence company, so I like our data a lot. One of the reasons why I came to work for Recorded Future was because I was really impressed with the product. So, good sources of intel: there are a lot of feeds out there that are valuable. A lot
of them are organizations where all they do is collect indicators around specific campaigns. There are organizations that will provide you indicators for Zeus (I keep mentioning Zeus), but Feodo, or specific ransomware. So finding those feeds that are relevant to your organization is pretty important. Feeds I don't trust: anything that, again, doesn't have context. If all you're giving me is a list of indicators, but you're not telling me when you saw it, and you're not telling me how many times you've seen it, you're not telling me what other things you saw with it, it's essentially useless. So yeah, again, I would
evaluate, if you're evaluating threat intelligence feeds, evaluate it both on does it provide intelligence on threats that are relevant to you, and does it provide you enough context to actually act on the intelligence.

Question: one of the hardest things I come up it is I don't have a like a cheat

Okay, the question was, do you have a cheat sheet for best places to collect log data for, like, in your SIEM. I don't have a cheat sheet, like, per se. I've seen some pitfalls where customers are kind of shooting themselves in the foot with what they're collecting. One thing I would say not to collect, or not to care too much about, are dropped connections
from outbound traffic or inbound traffic. So if your firewall is dropping inbound connections, you might want to know about it from like MIT, there might be a DDoS going on, but shouldn't be security incidents, because inbound traffic was blocked by the firewall. Firewall's doing its job, it's not an incident. But I see a lot of customers who are collecting, they're pulling those dropped connection events from their firewalls and they're just being flooded with alerts. They're being flared, you know, we had 2,000 attempts to access our network from blocked IPs today, and I as an analyst now have a queue of 2,000 alerts to go through. Yeah, so you want
to be selective, to pull from the areas that are most likely going to represent threats. So yeah, outbound IPs, outbound URLs from your firewalls or proxies or next-gen firewalls, that tends to be high fidelity, because it's something inside your environment that's talking out. So if it's talking out to a malicious IP address or malicious URL, that could be bad and it warrants an investigation.

Okay, the question was, if you're a new organization just standing up your SIEM, what are the top things you should start looking for at first. Again, I would go back to the outbound traffic is important. If you can get anything related to, again,
your endpoints, the protection will probably pick this up, but you've got customers that are actually pulling data, they're pulling log data from their antivirus into their SIEM, so that they have those hashes and other signatures in their SIEMs. They can alert there on theirs, you know, because it could be that the endpoint protection did its job, right, found something, cleaned it up, but you want to make sure that you capture that event in a centralized location. And I would just make sure that, you know, you definitely want your firewalls,
you want your proxies, you want to collect from, uh, you know, any load balancers. Actually DNS, a lot of people aren't watching their DNS servers, and that's a problem because DNS tunneling is a very common technique that threat actors use. That again goes back to the comment about high entropy subdomains: if you're seeing a bunch of really high entropy subdomains in outbound traffic from your organization, even if those aren't considered malicious, that's an indicator that someone's tunneling information out of your network. So you definitely want to collect, you know, collect DNS. So I'd say firewalls, proxies, DNS, maybe some other kind of, you know, network infrastructure pieces that might capture some of that data. Yeah, any
other questions? Alright, uh, nothing? Yeah.

so have a problem now the European yeah agents have so what's gonna replace that indicator, doing that sort of research, or are we just waiting until the ICANN works out whatever sharing program they want to create some time five years from now?

Yeah, so the loss of WHOIS is problematic, could be problematic. I'll caveat that to say most threat actors aren't registering domains under their own name. They're using third party, or what I see most often is they'll use some third party anonymizing registrar out of Eastern Europe that registers on their behalf, and now you've got, you know, you've got a bunch
of domains that are just registered by some shell company somewhere. So it is a degradation in the information we can get around those sources, but I don't think it impacts us that much, not as much as some people are concerned about. There are other indicators, you know, non-PII related indicators around domain registrations that are still useful. You still have the time, you can still know when it was registered. You know, if it was registered yesterday and it's, you know, a typosquat of one of your domains, that's a concern. It was registered yesterday and it's one
letter off from my domain, and now I'm seeing traffic in my environment, that immediately tells me that this is something that I need to look at. Okay, anything else? All right, thank you so much.

So this year we really did well. This year we sold a hundred ninety tickets and we got great sponsors, so this year we decided to do some real good speaker prizes, and so Dan here's getting some of the first ones, right. so that we've had this laughs alright that's going on my laptop. But we also this year, we did some limited edition coins. The coin says on the front "think globally, secured locally", because if you ever looked under the
BSides logo, it says "local" in the binary. And the back of the coin is a dragon and a knight, and this year on the side on the coin it says "in the cyber realm" in binary, "here be dragons" in Latin, and kill defeated by no enemy. So this is the first point. very much since this is Beer City USA we local company made these, these are all stamped of BSides logos. Awesome. And also got glasses to go with it, with the BSides logo. That's great. So Dan is getting the first speaker's gift. Thank you so much.