
CG - Security Management Without the Suck - Tim Krabec & Tony Turner

BSides Las Vegas · 45:21 · 134 views · Published 2016-12
Common Ground track, BSidesLV 2014 - Tuscany Hotel - August 05, 2014

Transcript [en]

They should, yeah. Whenever you guys are ready, we're good. Okay, we'll go through the introductions. Okay, step up. How's everybody doing? Y'all having fun? Welcome to BSides Las Vegas. No, Orlando. Orlando... you know, Las Vegas, Orlando, yeah. So we're going to talk about security management without the suck, because we all know that security management is an incredibly sexy and fun topic, right? We kind of think we need to take a little bit more of a common-sense approach to things, so that's pretty much what this talk is all about. So first off, my name is Tony Turner. You know, I'm a Star Wars nerd, I like to have fun, I geek out on a lot of security stuff,

but, you know, we all have other interests as well. I run BSides Orlando along with John Singer and Jeff Toth, right out here in the audience. Thanks for coming, guys. I also run the OWASP Orlando chapter, also with John Singer, and do a lot of web application security stuff. I worked as a security manager in the past; I built a couple of security management programs for some incredibly dysfunctional organizations. You'll see as we go through the talk that Tim and I have slightly different perspectives on things, just because I've had the misfortune to work in some of the most horrific companies you could ever possibly work for. I'm a managing security consultant for GuidePoint Security,

and I have lots of certs that are completely irrelevant. Good times. All right, I'm Tim. Over the years I have been doing a bunch of stuff, from standard IT to security. I'm now an information security analyst at a research university in South Florida. I come up and goon at BSides Orlando because those guys are awesome, and I do a lot of other stuff. I've got a small family; my oldest is normally here at BSides Las Vegas, but he's in his second week of basic, so he's not here anymore. So, enough about me, let's get moving. Still me? All right, so I guess it's still me. We've worked on this for like the past two months and got together yesterday to hash things out.

So, scenario. We're going to assume a couple of things here. One, you've been tasked: you've been given appropriate basic-level authority to start your program. You've got some budget and some support from higher up. You may be the C-level, you may not be. So we're just giving some basic assumptions, that you are actually validly approved by your company to start doing this, because without it it's an effort in futility; nothing is going to happen. So the first question you have to ask is, what is the goal of your program? You want to be more secure? You have to be compliant with something? You know, what is your goal? You have to understand that.

So how do you do security policy? This is the classic way you do it: Google "security policy," do a find and replace, publish that, and... oh crap, we failed, and now we look for a job. Right? So you cannot create security policy in a vacuum. You have to talk to stakeholders. You have to go out and talk to people in your organization. So security policy is just one component of your security program, right? I think there are a lot of other meta issues that come up when we start talking about building security programs. The first one that I see a lot of people struggle with is, "we don't know what to do, so let's go look at what other people have done." Oh, there are all kinds of great frameworks out there: ISO 27000, COBIT, or whatever the heck your framework flavor of the week is. And so you go out and you implement this framework without understanding what your actual needs are and whether that framework actually maps to the resources that you have available. I mean, some of these frameworks are massive; they are incredibly cumbersome. It might make sense if you're a Fortune 500; a little bit less sense if you've got a security team of one guy, or maybe a security team where you're only half an FTE on security. I mean, we see this all the time. We have, you know, resource issues all over the place, not only from the people that you have to apply to the program, but also the money resources that you have to apply to it as well. And management priorities may not lead to doing what you need to do to accomplish comprehensive framework adoption. Don't get me wrong, I think frameworks can provide a lot of value, but you really have to cherry-pick what works best for you. You may want to do it in a phased approach. If you're a small or medium-sized company, you're probably not going to go out and just say, "oh, we're going to do ISO 27001," right? We also have issues with stakeholder communication, and that's

going to be a recurring theme as Tim and I talk about this. There's a lot of information that we have to bring back from the business to security. Especially if you're in a security organization that's embedded inside of IT, sometimes you have a very insular look at the business. You don't really understand how the business really operates. You understand from an IT and a technical standpoint, but there are a lot of business processes that maybe you're not plugged into, maybe applications out there that you don't even know about, or what they do. So we really need to get some visibility into this stuff. We need to know what's sensitive, why is it sensitive, why is it important, where is it. And the security controls we start putting in place as a result of our security program: are they integrated with the way people do work? Are they creating issues for people? Maybe you're hardening systems so securely that it's really great from a security standpoint, but people can't do their jobs. That's kind of a problem, and you can severely damage the credibility of your program.

Lack of management prioritization. I mean, this is a huge one. I think we've all seen this. It may be an issue where management really doesn't care about security, or maybe they do, but it's a secondary concern. And I think in most organizations, most sensible organizations, security is not going to be your number one priority. It's whatever the business function is, right? They're not in business to be "hey everybody, we're the most secure organization on the planet." They're in business to make money or to provide a service, whether you're talking about a government entity or, you know, the private sector that's more profit-oriented. And we need to understand those things and find ways where security can enable those goals. Why should management care? If you can't demonstrate how your security program is enabling those business functions, they're probably not going to care.

We also have issues with integration with operations. I mean, this is pretty huge, especially when you have security teams and operations teams that don't have the same reporting structure, or maybe there are some other divisions, or maybe political issues within the organization. And that's something else that is going to be a recurring trend as we talk about relationships: there's a lot of politics involved with running a security program. I mean, our people are largely technical people; a lot of times we have a difficult time wading through those political issues. I'm going to talk a little bit about that as we go through. Big thing here is understanding that ops typically has one goal, and that's reduced downtime, right? We typically have one goal, and that's to make things secure. And to keep our jobs. Right. Those two things come up... when something happens, we get fired. They come and go, "Sam, he wasn't doing his job." Exactly, exactly. Those two goals are kind of diametrically opposed at times. We're sometimes asking for the opposite, for things that directly impact those downtime metrics that they're relying upon for their own performance metrics with management.

And lastly, from a meta-issue standpoint, I want to talk a little bit about organizational hierarchy. Where does security, where does the security department, the people that are responsible for security decisions, fit within the organization? If you're too far down the stack, removed from the C-level, you're never going to be able to implement any kind of strategic plan. It's always going to be a completely tactical model where you're in reactive mode and you're just dealing with issues as they come up. It can be very, very difficult to be proactive about things when you're operating in a completely tactical model. How do we fix things? I can identify things all day long and send it over to ops, but is anything actually getting fixed? How do we work together? That's a really important part of that, and again that comes down to relationships. Some of that comes down to management structure and, you know, who reports to whom, but even if there's not a direct chain of command there that supports those kinds of things, there are still some things that we can do with relationship building to ensure that when we identify issues (and I'm talking critical issues, the really important stuff, not every chicken-little moment that you find when you run a vulnerability scan and find 50,000 vulnerabilities, right?), if we can demonstrate that stuff for operations and get them on board, we get this stuff actually resolved. And the other piece of this that I just want to touch on a little bit is change management. Kind of on these core things, you know, unmanaged change is kind of a bad thing,

but are these processes that you're putting in place actually hindering you from responding to incidents as they occur in your environment? Right? We need a little common sense here. I mean, if you're actively being attacked, I don't think you want to wait for the change review board to meet next week before you implement a firewall rule, right? All right, so the better way is RADIO. Just what we need, another acronym, but at least it's not a TLA. All right, so the basics of RADIO: security management must map to real business objectives. We need to truly understand the business, and we can't do this by sitting in our office, sitting in our mom's basement, or whatever. We need to understand the data, the products, the goals, the customers, etc., from the stakeholders' point of view. So RADIO is: Reconnaissance, or relationships, where you need to go out and look at your entire organization; Analyze, where you go back and look at the information you got from your reconnaissance; then you need to Develop a plan; then you need to Implement it; and then you need to Optimize it. You're not going to start day one, when you implement your plan, and have it be everything you need. You're going to start smaller than you want, and you're going to grow toward where you want to be.

Step one, reconnaissance: communicate with stakeholders. What you need to do is grab an organizational chart of your company, look at the positions, and figure out who you need to talk to. Get names. If you know them, you need to go talk to them. If you don't know them, you need to get introductions to them. If you don't have anyone to introduce you to them, you need to go introduce yourself and set up some time, half an hour, 45 minutes, to sit down with them and actively listen to what they're doing. Your introduction should be about two or three minutes: "Hi, I'm Tim, I'm from security. I'd like to set up some time with you guys in the next week or so to sit down and understand what's important to your business line, to your portion of the business, so I can come back and make some recommendations and work with you to make things more secure without getting in your way." Inventory. You know, we need to know what's in the environment. We know all the hardware, all the software; that's pretty easy. But what about the data? What about the use of that data? Who uses what systems? That's the harder stuff.

Step two, analyze. This is where we need to look at that information we've gathered by talking to people and correlate it with the information that we have gathered from our scans of the network and our understanding of it. How are you measuring success, or how are you going to measure success? When you're going through and analyzing this, you need to be looking for things where you say, "you know, I think it'd be important to watch that, to see as an indicator of whether we're doing things right or wrong." Now, if you're starting out and have no metrics, just throw everything on a piece of paper or a spreadsheet or whatever and capture it. Say, "oh, I might want to watch that," put it down, and look at it later. You can always go through and say, "you know, I wrote down 50 things; I think these five things, these ten things, will be really good key indicators,"

validate that with the community, and then go ahead and measure those. Do you have the right people on your team?

So again, as you're analyzing your data, put it in a form you understand. Do you want it on pen and paper? Do you want it on the whiteboard? Do you want an Excel spreadsheet? Do you want it in a database with, you know, everything in there? Know your limits when you're designing your security program. This is very key. If you are 15 levels down from the C-levels, you're not going to be able to force anyone to do anything. This is where relationships are key. This is where, when you've gone and talked to these people and met with them and understood them, you come back and say, "you know, I'd like to make some recommendations for you that will help. I don't think they're going to cause a major impact on your environment." If you're talking to the ops guys, you say, "I'd like to make things more secure, and I understand we're at eighty percent utilization on the servers for our AD, and what I want to put in place is really going to take another ten to twenty percent utilization, and we can't do that right now and keep your uptime there. So I'm going to push from my side to say, yeah, I concur with ops that we need to get better servers, more up to date, so we can finally push these things out to make us more secure, so we can meet our goals."

You know, if you are the CSO of the company and you can walk down and say, "we are doing this tomorrow," you know, do you have budget? Do you have hardware? If you don't have that authority, you're going to be spending a lot of time, again, as we talked about, communicating and developing these relationships. If you don't have the authority to go directly to the people that make things happen, you may have to do a little negotiating. You may have to find ways to understand what the pain points are for your ops guys or your other stakeholders. What problems are they facing? They may not be security problems; they may be other problems that you can help them with as a security person. You make recommendations internally. If you hire external consultants to come in, you can find ways to get that recommendation in the report that says, "hey, these ops guys need new servers," or "they need to upgrade their Active Directory environment." You can find ways to do some favors for these ops guys and get some benefit for yourself as well.

In one particular organization I worked in the past, I was having a hard time getting any kind of support from operations. They were just being very resistant; it was a very combative environment. I think many of you have probably seen similar things. And what I found was, by reaching out to these ops guys and finding out where the problems were, we were able to meet goals together. For instance, they didn't have good monitoring on the endpoints. And this is years ago, before people started, you know, sending all their logs to a SIEM and doing good log analysis. Assuming, you know, you guys are doing log analysis, you got approval for them, right? You have budget? Okay. So what I wanted to do at that point in time was roll out a group policy to do some hardening on all the end systems, and, you know, the server team was very resistant. They weren't particularly happy with the testing that I had done, because I'd done it in kind of a sandbox environment, and there was too much variation in the actual live production environment for them to have some comfort level with this. And so I worked with them to build some scripts, to deploy these scripts out on the end systems, to provide some of the monitoring capabilities that they needed to support their own operational efforts. And so we were able to combine both of our problem areas into one solution to roll out. They got something they needed, I got something that I needed, and everything was a lot better. Does that mean that they were my best buddies after that? No. We still had a relatively combative relationship; we still had to deal with some of those things. But it was something that improved over time as I continued to demonstrate how I could help them do their job and that I wasn't just a drain on their resources. Right? If all you're doing is going to your operations teams and asking them to do stuff for you that takes them away from the job that they're trying to do, they're not going to thank you. You have to be able to provide some value to them as well. So look at the conclusions you're drawing and make sure they kind of make sense. You know, step back from it a little bit; try and look at it from their standpoint. You know, is what you're doing going to cost them time or money, and can they deal with what you're trying to do?

Step three, develop a plan. So we've gone out, we've done our reconnaissance, we've done our analysis, and now we need to sit down and develop a strategic plan. Without a strategic plan, you're going to be lost in the woods. Is the framework our ultimate goal? A framework in three years or five years? You know, do we have a mandate, and in three years we need to be ISO compliant, or in a year we need to be HIPAA compliant? So on the

ISO front, even if you develop a security plan that's not a true ISMS, it's still going to lead you to getting to an ISMS. And if you can make some early inroads, create a plan, roll it out, and show you're not doing bad things and get some credibility, you know, and show things up front, it's going to help you further down the road. Remember, organizations are political structures. One person with the ear of the CEO, the CFO, or whatever can ruin your entire plan. Everyone remembers the Leeroy Jenkins video, right? They had assembled this massive raid in World of Warcraft, they were going out, and there's one guy, Leeroy, who's like, "I'm going to troll their asses," and goes out, hits the guy before everyone's ready, just runs in, and everyone else got slaughtered. You know, so one person can screw up your entire plan.

Communication. It's not just important during recon; after you develop your plan you need to go back to the stakeholders. You need to emphasize the portions of your plan that are relevant to them. When they push back and say, "I don't know if we can do that, it looks like it's going to be an awful lot of work for our people," say, "well, what are your concerns? How can we make this less of an impact to you? What do I need to give up on my side to help make this successful for your team?" So, you know, you need to have buy-in from these people before you go and present this to everybody as a group. If you've got five different business units and you've gone and talked to each one of them and you've shown them: "when I'm working with you guys in ops, here are the things that we're going to make more secure; I believe it's going to help uptime by X, Y, and Z and reduce the amount of malware on the systems." When you're over here talking to sales: "you know, when we do this, your guys are going to be able to get in remotely and securely, so when they're at Starbucks they're not going to get compromised and all your sales data isn't going to go to the competitors." Again, when you go over and talk to the financial guys: "this isn't going to cost too much money, because we're doing X, Y, and Z to mitigate that." And you get buy-in before you go and present this to everyone. So you're going to walk into your meeting later on saying, "here's our presentation; we've covered everybody's concerns as much as we can." And there are times, I hate to say this, but there are times when you need to make the stakeholders feel like their input is being valued... which is all the time, right? Well, no, you always want to make them feel like their input is being valued, but there are times when you're not actually going to be incorporating their feedback, right? I mean, you can't please everybody. At the end of the day we still have a goal here of achieving a more secure environment. You can't cater to everyone's wishes: "I don't want to type in the password when I log in anymore. Make that happen for me." "You know, I mean, I just want to wave in front of my webcam." Exactly. So, you know, we need to continue to keep them engaged and keep them involved, but all throughout this we need to use some common sense. So get your commitment from the stakeholders. Know your commitment before you go to roll out the plan. You don't need a hundred percent; we need a majority. You know, if you can get four out of five of your stakeholders on board with this and you go to roll it out, that one person is probably going to keep their mouth shut and not really say anything: "I don't really like this, but, you know, I think we can move forward on this," rather than saying, "no, we're not going to do it." If everyone's kind of wishy-washy, you're in trouble.

Step four, implement the plan. You've got to push the button sometime. You should already have sufficient buy-in; you should already have sufficient

support. You know, what level of authority do you have within the organization to push this out? You know, you need some help. If you've got executive sponsorship, it's going to make life a little easier. If the CEO has gone and talked to everybody in the company via, you know, an email or whatever else and said, "you know what, this happened at Target; this is not going to happen here. He's got the authority to put this plan in place, and I need this done in six months, and you will not get in the way or you will be fired," that's a lot better than having, you know, the CSO going, "you know, when you make things more secure...", and the CEO going, "yeah, you know, if you can make it happen within budget, go ahead." And if you're getting too much pushback during the implementation phase, it's because you didn't do the development phase properly. You don't have good relationships. Yeah, and that has to be key throughout this process. So when you do that implementation, whichever stakeholders it's going to impact, you need to have had those conversations during the development of that plan, so when it comes time for implementation you can just push the button. Obviously things don't always go right the first time. I mean, we need to have some back-out plans, we need to have some ways that we can deal with issues that arise. Okay, but the bulk of that work honestly should occur within the development phase, and unless you're in an environment where you have to force things down everybody's throat, you should not be forcing things down people's throats. You should have the relationship, and people should say, "yeah, I'll give that a try for three months. If it doesn't impact us horribly, we can keep it, or if it does and you come back and optimize this and fix it for me, we're good with that."

Then remember, when you implement, do it in steps. You know, roll it out to IT first, roll it out to your group, make sure it doesn't impact things, to the degree it can. You know, are you pushing out new firewalls? Do you have to push it out to every single business branch in one weekend, or can you transition it? Can you make it smaller bites, so that if you've got a failure or something major that you didn't think was coming up, you can now stop and roll back without affecting everybody? You know, if you've got 500 things on your list that you need to implement, implement a couple at a time and just make it a phased rollout. Do it like, not change management, but DevOps: do little changes all the time, and people aren't going to notice it, especially if it doesn't get in their way.

Step five is optimize. So once you've gone and you've rolled out your plan and it's a success, which it should be, what you want to do is realize your security goals are over there and you've made one step toward them. Now, part of the plan is you need to keep making incremental steps till you get to your goal of being, quote, "secure." But that's a moving target, so you need to go back, look at where the pain points are for you, for your stakeholders, look at other

things that are pain points for the business, or more security that you need to add. "Okay, we've enforced passwords. We've got good password length, we've got good password rotation in terms of time. The users are happy with that. You know, we really should add two-factor authentication for the administrators so that their boxes can't get popped. Now maybe we need to add that over to financial services. We may not put that on the sales guys yet, because, well, they're sales guys, and it doesn't really matter if they have two-factor or not." Just start making more and more small changes in the environment, slowly and with buy-in, to optimize your plan. And make sure people know that your door is always open, you're always willing to learn and to listen to them. You know, don't go pushing stuff out to sales when they've got to meet their end-of-quarter goals. Try and work with them and have open communication, so you know when their deadlines are, and if you can avoid it, don't do things when their deadlines are.

What about best practices? Best practices work everywhere, right? Right. One size doesn't fit all. So I look at best practices as recipes, as guidelines to getting me to do something. You know, how many people have gone to somebody's house and they had spaghetti, and it tastes exactly like your mom used to make it? Right. So there are slight differences in the way that we cook food. You know, if you're cooking for vegetarians, you're not going to use meat. If you're cooking for people who are gluten-free, you're not going to use gluten in your recipe. You're going to tweak things around a little bit. So best practices are the same way. It's a guideline to get you close to, "you know, this is kind of what we want; let's see what we need to change to get it implemented." Ah, the textbook rollout. This always happens, right? You read something, you adopt it, you implement it, and then you win, right? Oh, another fail. So, real implementation: you read everything, you narrow stuff down, you vote, you make a decision, you reread your top choices or whatever it is, you tweak it, implement it, and then you optimize it. You know, nothing goes... you know, how many people have installed Windows? That always works every single time on all the hardware, right? What about Linux? Same thing. Oh, it doesn't? Okay.

So how do you optimize things? A couple of different ways. One, you can track metrics. You have to track metrics to make sure the processes you put in place are getting you the results you need, and use consistent metrics. Don't just change metrics. If you get some metrics, you use them this year, and the next year you change, you can't go back and see how this year compared to last year. So if you need to change metrics, keep the old set around for a couple of years, or a couple of months, or however long you track that, so you can go back and say, "this is where we are now, this is where we were, and we look good that way, and the new metrics you're showing, we also look good." Talk to people. You have to talk to people; you have to continue having relationships with them. Look for how people are avoiding work in your system and find out why. You know, I work at a research university. I've got a pretty good relationship with the client services guys, and I've told them, anything I implement, when you guys find a way around that, great, you've now got a pass for 30 days, 15 days, whatever. You can keep doing that until we lock it down. That gives them incentive to find problems in my system, and then they get the bonus of being able to do things. If, you know, they need to surf somewhere that they can't, they get a little added bonus there that way. So it's a win-win, and I'm not going to punish them for going around it, because I need to know.

Conclusion here: talk to people, actively listen. You do care about what they have to say, because it will make your job easier if they like you and you give them things that are not causing them problems. They don't care about security. It becomes another thing they do. If you're always getting in their way and always throwing up roadblocks, they're going to work around you, and you're going to be looking for a job. And remember, every step towards security is a step toward where you need to go. This stuff is complex, it's a moving target, you know, and you have to have allies. You know, you don't want to punish people in sales because they're doing things, you know, outside of your system to break it. You want to know about it so you can fix the system so it works for them and works for you. Use some common sense when you're going through this process. Don't just stick to the best practices. Best practices... I hate the term "best practice." When we talk about best practice, we're really talking about minimally acceptable practice, right? I mean, you see these lists of best practices out there from various organizations, whether you're talking NIST or whoever, right? They work in many circumstances; they may not work in your environment. It may not make sense to have a password history 30 passwords long in your environment. I mean, you know, you see the one in the CIS guidelines, for the high-level security, for like 30 remembered passwords. That's crazy; that's very difficult to be effective with within your environment. Not all of us work in those kinds of environments. Maybe it doesn't make sense to adopt those top-level controls. Maybe it makes sense to ratchet things down a bit. Use common sense. One of the things we're looking at in our environment around passwords is looking at length in the password requirement. I'm looking at making passwords never expire. There are a few reasons you'll have to change a password. One, anyone finds your password, it gets changed. Two, if you reuse your password, and that's the one you used on Facebook, and Facebook gets popped, I download the password list, run it against my systems, and if I find your password, you have to change it. If your system gets popped, you have to change your password. If my infrastructure gets popped, you have to change your password. Without those happening, you know, if they can't get the SAM or the other password repositories off the system, there's no real reason to change passwords in our environment. So, you know, look at things and see what makes sense in your environment. We've got some legacy researchers who have had the same password, less than eight characters, probably a dictionary word, for the past ten-plus years, because they're the customer of where I work. They're allowed to have that, so I need to come up with rules around that to protect it, or convince them that they need to change, and show them why. Any questions, comments, concerns, crude jokes? Yes.

I don't know. I mean, as part of my, as part of my job I didn't really get much guideline, you know; I was brought in as the security guy, you know, make things more secure. It's research education, so we do have some higher ed; we've got postdocs, we've got, you know, researchers coming in working on drugs and medical devices and stuff like that. So, you know, I'm like, you know what, I need to go out and talk to these people, because I have no idea what they do. I've got a pretty good idea, you know; I can lock things down and make it, make it good, but if I really understand what they're doing and how they work,

then I can really do this. So I'm going out, meeting with people a half hour, you know, now an hour here and there. Nobody says anything. My boss is like, oh, you've been going out meeting with people and talking to them, cool, can you give me the results? I'm like, yeah, you know. And I've made it my policy, because IT as a whole doesn't go out and talk to people: if anybody that I meet with has any gripes or any concerns with IT, I write that down and I go back and I talk to stakeholders in my organization. It's not my, you know... I'm dumb, I mean, I don't handle backups; we have a backup

guy. But I will take this, I will bring it back to my boss, so we will discuss this and we get an answer for you. One of the best sources of information within your organization is, if you have mature business continuity programs within your environment, they're more plugged into how the business works and how the business processes work and what's critical and what the dependencies are than pretty much anybody else you'll talk to in your organization. That's a very, very valuable resource to reach out to. If you don't have those kinds of programs in place, you might want to think about it.

Well, well, that's where the... depending on how long you've got to implement this. I mean, if you've got a very large, like, very large, like Fortune 500, or large small company, you go and you talk to the key stakeholders, the C-levels or those right below that, and you talk to them, you get their buy-in, and they may say go talk to these guys over here. But that helps you get an understanding of this, and, you know, if you talk to the C-levels you say okay, here's three things I can take away, here's three things we can introduce that aren't going to cause a big problem, and then you can go meet with the next level of guys down and say,

okay, what are your pain points, what are your concerns, and you can work on that, and then move further and further down. In my place we've got a couple different sets of customers. We've got corporate, which is all the people that work for my university; they're corporate. If I need to get security policy in place, I can go to our CSO, or acting CSO, and say... I'm short title, but I can say, here's what we need to implement. He can come out, he can say this is a mandate, you will do this, these are corporate systems, you don't own them, I do, you're doing this. We've got probably fifty percent plus BYOD, because the researchers don't like to spend

grant money buying machines for people doing research, go figure. So it's not always that simple, no, Tim, right? And a lot of organizations, especially if you work for, like, a large corporate entity that has done lots of mergers and acquisitions, and you've got all these various different business units, and maybe they haven't all been integrated into the internal operational structure; they may not have common management structures, they may be in the middle of an integration process. And you kind of, you do have to kind of start with the overall org chart and work your way down from there. But then once you get out to these kind of splintered, oops, yeah, you have to look at, you have

to treat things differently. You, you have to do the research once you identify one of these entities, like, why are they not plugged into the org chart? Why did I not know about this business unit? And then you've got to go, you need to find out and radio all over again. In any, in any instance, in most organizations that I've worked in, if there were kind of many splintered business units, there's always some kind of liaison, right, there's always some kind of interface with the core business, even if it's just at the financial level, right? There's some place where you can go and get information about who's actually running things over there, and then you

might have to reach out to some people that are not plugged into IT or security or anything to get at those people and at those systems and at those processes. Maybe it can be quite a, quite a labyrinth to navigate, to navigate, but you start with the core. You start with what's important. You start with, you know, where, where is the really critical stuff, where is the sensitive data, right? Going back, you know, first step in radio reconnaissance: we have to, we have to know where our stuff is, right? If you don't know where that stuff is, you're pretty much lost. Yep. You know, and treat things separately. Like I said, I've got corporate, I've got, I, you know, for the

BYOD, I'm partial ISP for the researchers. There, I'm there, there, my client, you know, they're the guys bringing the money into the Institute so we can continue to work and they can do their research, so I need to support them, I need to stay out of their way. So one of the things I'm doing with those researchers is I'm finding out, I'm asking them questions in my interview: do you guys allow remote work in your, in your group? Okay, how do you guys do that? Do you use Dropbox? Do you use Evernote? Okay, cool. Do you want your guys working on this stuff from home? No, yes, I don't care. Whatever they want, I'm going to try to enable it and try and be able

to set up monitoring, so I can know that if Tony's guys aren't allowed to work from home, and I know all these systems, which I don't yet, then if I see Dropbox or any remote stuff coming from his environment, I need to take care of that. If Gary's guys are allowed to work from home or from wherever in the world, then when I see Dropbox or whatever he's approved for his guys to use, I can go, okay, Gary's guys are using it, all right, great, and I'm gonna ignore it and move along. That's about the intelligence you gather that way. So, any other questions? Yes? Well, that, that's where relationships come in. You know, my

first month at, at this place, I spent a lot of time with the client services guys. I came out of, you know, break-fix environments and small business environments and home environments, so I know virus removal; I've dealt with it far too many times. So I spent my first month, you know, over there helping those guys out, anything they need to know. You want help scripting? Fine, I'll help you write a script for that. Oh, you want help, oh, you need other tools to pull this virus off? Well, here's some other ones I found that are useful. Oh, you guys are doing that? Well, here's a tool to help me with this. Every single day I was giving

them another tip. Any time they had a question, I answered if I could; if I didn't, I did some research and reached out to somebody I knew who did. So I built a relationship there. Now if they've got a problem they come to me; if I've got a problem I go to them, and it works out very well, because one of the ladies in client services has been there for eight years, my campus has been open for ten, she knows everybody, so she walks me around and introduces me to everybody: oh, here's the new guy on our staff, he's a security guy, you know. And I get the intro that way, so now I'm not a

not doing this

I've got me rocking today nutri earth, and now that relationship you've got. So use your relationships with... eating, it's not, it's not exploiting, that's trust transfer, but you have to realize though, just because they trust her doesn't mean they implicitly trust you. You have to earn the full trust, but at least you've got in the door without being the salesman. Anything else? Yes? You have to go, but, but listen to this: you get to go sit in people's offices for a half hour, 45 minutes, and, and get paid for it. BSides Orlando t-shirt. You guys want to talk more, we'll be in the back or out there.