good afternoon everyone carousel technology would like to welcome you to our servicenow webinar before we get started i would like to quickly go over just a few housekeeping items the audio portion of this webinar can be heard through your computer speakers or if you prefer you can listen through your phone using the dial and option displayed on your screen there on the left hand side please note all your lines have been muted to reduce any kind of background noise during this presentation and if you do have any questions please use the q a pod on the left hand side of your screen we'll do our best to answer your questions at the end of the presentation or make sure to follow up with you all offline this webinar is being recorded and a copy will be emailed to you afterwards just to tell you a little bit about caresoft we are a trusted government i.t solutions provider delivering software and support solutions to federal state and local government agencies as well as education and health care caresoft maintains dedicated teams to support sales and marketing for all of its vendors including servicenow google f5 networks and adobe our contact information will also be displayed at the end of the presentation so please feel free to reach out give us a call or send us an email at this time i'd like to introduce you to our speakers for today we have ben prime and jeff laport with service now guys the floor is all yours thank you thank you brooke and good morning to everybody this is jeff lecourt with servicenow i'm the security and risk sales specialist for all civilian and dod healthcare accounts within servicenow my background includes cyber security software as a service and data center enterprise applications ben hey everybody um ben prime i am the senior advisory solution architect for servicenow covering security and risk for the fed civilian health care and finance sectors my background is over a decade and a half in federal contracting cyber security everywhere from cyber security operations midnight shifts to policy and governance for nuclear regulatory commission audits certified ethical hacker and on some of the largest vulnerability scanning teams that the federal government actually employs based on the size of the organization so with that i'm going to turn it back to jeff and we can get started thanks ben so today we're going to be discussing not only managing digital risk but also the ability to measure digital risks associated with vulnerabilities and as you can see from the gentleman on the screen right there there is his tenable report that comes out and you know it's it's hard enough to deal with the daily and weekly inundation of new published vulnerabilities and not having a clear and concise way to understand the actual importance against the business risk and the mission so with that said the best that most people can do at an enterprise level right now is do the patches and then audit during the next vulnerability scan so you're going to get this massive report try to ingest it in a manual way and then from there try to then feed it out to everyone on your team that is going to work in that patch organization so it is a very manual mundane process around patch around emails and spreadsheets and that's what we want to try to get you guys away from um jeff there's actually a question already so it's how hard is it to get started installed up and running oh okay so wow uh so the integration um is the integration is fairly simple servicenow and tenable and we're using tenable as our scanner of choice for this uh presentation uh because of the acas solutions and most of the uh funding through cdm provided tenable out to the federal civilian agencies so they work we work together to ensure that the applications are available in the servicenow store and are following out of uh out-of-box best practices for ease of ease of use now maturity with the solution will come over time and i i would like to add that there is no need to have a comprehensive cmdb we can actually help enhance the cmd db from everything that the vulnerability scanners find and bring into the and we bring into the cmdb through the servicenow platform so this presentation again is going to be starting to cover the idea of shifting from the current state and moving into the future state which is a much more automated process ease of use good dashboards and reporting to show you have a clear understanding of where you are so servicenow vulnerability response is the application that helps organize organizations respond faster and more efficiently to vulnerabilities connect securities and it teams and provide real-time visibility it connects the workflow and automation capabilities of the servicenow platform as you can see there we have our our scanner in there going in and automatically ingesting all of the information and and putting that into a ticketing tool so with the vulnerability scan data from the leading vendors gives you the single team platform for response that can be shared between security and i.t okay next this this allows you to understand the key risk indicators of vulnerabilities impacting the mission and the systems while allowing full automation to patch management patches can be pushed to test dev automatically if they pass testing then tools like sccm or bigfix can be automatically orchestrated to push the patch to production or if they fail there there can be a process and an alert to manage to investigate the issue to understand why the patch failed going out all the while working with risk team and change teams to ensure that any poems or temporary mitigations are tracked from end to end giving management the full visibility they need so this is important it's a single source of single tool single source of data everybody's sharing the same screens to understand exactly where everything is so and in the end the vulnerability scanner that was the authority on finding the vulnerability so the confirmation and the true closure of the risk that can be confirmed with the vulnerability scanner this can either be automated through a rescan or when the next scans are confirmed to close each vulnerability item as you can see on the chart we're going back and checking back again so um key takeaway on this i guess is best way to say it is this is allowing you to understand that some lower vulnerabilities on critical assets may outweigh the most critical vulnerabilities on such as something like as simple as a kiosk and non-mission essential systems so ben i'll turn it back to you to discuss grc a little bit and how we integrate the risk piece into this okay so i mean we fundamentally come down to the first question that we asked in the chat like why do people brush their teeth um there was actually a root cause now so there's no pun intended um people who answered that they do it because they said so tend to fall in the uh obligation of the governance and things we have to go with we mentioned cdm we mentioned a cast we mentioned i mean there's fisma there's nist there's all of these different things that we're following the governance or regulations because they said so um the other side the cavity people those are ones for the secondary question which was why did the scissors stay awake at night they're thinking of more of the outcomes of the risk the governance is intended to get you there but you still have to fall back on that risk and those key risk indicators is why a lot of these things tied together so i mean from the fisma aspect that's the original act and if you actually printed out all the nist documents as the authority they'd be over nine feet tall and then you have to report on all of them be it enterprise rest messaging risk it risk and all the other business processes continuity we've done a heavy focus in the risk management framework uh not only the accreditation in the production systems but we're going to really focus on the continuous monitoring that real visibility cdm has been a foundation everywhere it's the what's on the network who's on the network it doesn't go against either fisma or rmf it's a foundational logic and the means to actually have the tools to complete the task then we have things like the finding operational directive 1902 which just shifted critical vulnerabilities and public-facing assets that's essentially what we just said before is what is the mission criticality what what is more important the kiosks and the non-mission systems or the ones that are public facing and the actors can easily come at so dropping that from 30 days to 15 on criticals and down to 30 days on moderates that's a big directive now not everybody makes all that but the intent is still there again how do we secure our federal systems and then even if you get into silva in u.s search a lot of this requirement to roll up if there's a breach in one hour never mind having to do the full risk assessment and potentially go to the hill or the house to report on why i think that kind of happened with opm so those those are the big ticket items for uh where we're trying to conquer that friction and you have a lot of these different groups and a lot of these different silo teams that are looking at these things differently from the security team and the us start breach to overall tier one governance from the top level of the organization so those are the big ideas um did we have a question yeah so in the chat there's a question our groups have a hard time getting answers and approvals through email and following up we have seen the mobile app but it's not available in the gcc today and just for anybody's knowledge gcc is fedramp high government cloud solution we've moved from moderate to high is there a possibility to be available in future so to answer that question yes the plan is to move and have the mobile app released in paris which is just around the corner we name our applications by cities right now so orlando new york paris alphabetically uh there is a key there that's putting it in a fedramp jab approved uh fast so there is the possibility that the jab has their say and may or may not stretch our plans of when to release but yes the plan is to have the mobile app to do a lot of these approvals and authorizations to the process in the gcc okay so where do we want to bring together just at a high level even if we just separate out the continuous monitoring the service now is one platform with one system so we're trying to eliminate that disparate data understanding risks from the finance department understanding risks from the mission or the architecture and the different critical boundaries if it's f-o-u-o classified non-classified and then all the way down to the it systems the ato within that classified network or that compartmental network then once and and that falls back on the cdm and the fisma what's on your network who needs to interact with it who has a risk stake in it chief risk officer information security officer chief information officer everybody's kind of in there they're looking at it through different lenses so having that one pane of glass and then reducing the risk exposure because now you're bringing in the tools and the other data you're understanding what the change team and operations are doing you're understanding what the vulnerability scanning team or the security team is doing you're understanding what hr is doing there are risks with hiring and letting people go um accounts and things like that so all of this is risk upon the organization so having that context on one platform so you can operate the mission and then we're improving that response speed just like jeff brought up being able to automate all the way through the patching cycle not just dumping the patch on because it comes out today that's just too much risk but actually responding to that speed and accuracy that if it passed the test of stem then we're through the change board then we can just go automated you can actually really increase the speed and accuracy of your changes of anything going on in your organization all right so from there we're going to move into the current state the pain points and if anybody has any other questions please feel free to drop them in the chat um so the pain points i came from tenable i know i kind of omitted that but i was there but i was on scanning teams so that that picture of the guy holding the vulnerability response stack of paper yeah that's an asset report especially if you've been scanning organizations with over a million assets 100 or so vulnerabilities per asset that's that can get really big so getting that data a lot of times when you get that spreadsheet you get that report or it's actually given to the person to prioritize it in some way they're removing critical artifacts from them they're removing printers i don't care printers or printers but from my pen testing days from the target breach those things that you may not specifically care about are still commensurate with the system so that just for anybody knows the target breach was the hvac system was a third-party app nobody's thinking about patching the air conditioning unit they're more worried about the credit card terminals but essentially the hackers hacked into the third party managing the hvac systems and then were able to laterally move to the credit card systems in another operation when i was auditing a team the only thing they let us actually attack was a printer it happened to be the finance printer i was printing off people's payroll and then one that cost a lot of money to print checks so i had accidentally overprinted checks in a financial debacle but to the point of the sizzle and the cio there was a risk there they understood the importance of that printer at that point in time so as this process may work for many it's a lot of time with the teams to do this manually that's why they're cutting out those things and their time to focus on the administration like how are they going to get it done rather than the analytical tasks does that make sense and i'm up to number three one and two are green they're automated three is where this uh administrative rather than analytical tasks come in so we do have new questions in the chat for everybody um now from a servicenow understanding when a patch cannot be implemented uh and the vulnerability has to be mitigated another way yes we do have that process to defer based on the criticality of the system you may be looking up in the cmdb for your configuration items and your criticality across different systems but we can do that deference that's up to you if you want to defer because the patch is waiting on the vendor for two weeks you want to defer because that patch will actually break the availability of a system or those types of things that calculate the risk score on your deferral and the risk acceptance which brings up a good point there is also risk when implementing a patch into production right so when they prioritize the vulnerability this big number four loop in here is all of the different teams the different system owners or software owners and the different locations they have to understand the risk of implementing a patch into production that's why we test patches before deployment when a critical vulnerability hits the news which we you know internal blue and heartbleed and all these other ones that made people jump it's much easier to accept the risk and implement the change if we understand that all of the other process has been done from what i mean by that is prioritizing test and dev getting the change approval on the on the um major or minor changes if needed deferring what can be deferred and then prioritizing the changes and manually putting them in there that's a big pain point for um people if you've done all of that and you're ready to implement the change and you're waiting for the change window the risk you have to accept is somebody's not there to watch it that might be a much easier risk to obtain and bring somebody in for a critical change then just willy-nilly pushing a path to a critical system and taking down the availability when the criticality of that system was availability to begin with and then finally we could automate the process with change now this is the process we used to do in service now so from there so then um i'd like to ask for our next question to go up to the the group on the on the webinar about their um how their patching program is is operationalized so if we can have that one come up that would be great um thank you so how do we shift so we talked about the different vulnerability scanners we're agnostic to those doesn't matter if it's tenable tns or t of the old pen or qualis ids or rapid7 or directly from the missed nbb bringing in that authoritative source of truth within vulnerability response we're going to be able to prioritize those vulnerabilities like we talked about the cmdb and the configuration items in the servicenow platform you're designating which critical business services and those things can be brought up we can also prioritize based on a third party threatening tone like recorded future and other things the vulnerability uh the tenable dpr score right that's how exploitable is in the wild is it in my public facing assets is in my dmz in public facing all of those can be used to set the priority and then we can group them together so now we've set the priority of certain vulnerabilities but in the microsoft world they like to do one roll up patch with supersedents for a bunch of different bones it might be a net vulnerability and then you have another finding from the vulnerability scanners that's for the operating system and another cve that's a finding for microsoft office but as far as the patch teams are concerned their operation is i have one patch to one set of systems and that's going to mitigate a whole bunch so rather than opening up that huge stack of a hundred thousand tenable light items we make one group with one patch to the patch team and then we can still track the individual findings to figure out what hasn't been patched what needs to be deferred per vulnerability or we can defer the whole vulnerability group then we can talk about that automate that we talked about where we can pass it off to the test dev team and if it passes automate the patch that can make more ability response very very rapid now while all of this is going on grc monitoring all the different tables we can have risk indicators we can be monitoring those tables for all of the governance we talked about the one to many so uh cdm must scan all systems within 72 hours if not within the next 72 hours uh nist 853 must have a ra 5 and seven must have a scanning program that states how often you're gonna scan so we can be looking at the vulnerabilities coming in and the vulnerability groups to make sure that they're patched against those systems and anything found will be a risk indicator so that's continuous risk monitoring now on top of that when we actually do risk in grc it's usually the potential for it can be flood adversarial it can volcanoes tornadoes unicorns whatever that potential of a thing happening that impacts operations or the mission when we do that if we've left vulnerabilities open that's like going on vacation right if you go on vacation and all your vulnerabilities are passed or all your doors are locked then there is a lower risk your risk assumptions when you did your risk assessments are probably true if you've gone on vacation and there's a whole bunch of doors that you forgot to lock and your risk assumption where they were locked well that risk isn't actually truthful right the risk assessment that you've done you're actually more vulnerable than predicted and there's probably a higher chance of those things happening so from a risk to vulnerability perspective we can actually calculate the scores over time and alert you that that six months or a year ago that you did the risk assessment currently as an actual state by doing that continuous monitoring continuous reporting and all on top of the servicenow platform that's the biggest piece is that any of those indicators can kick off workflows any of those indicators can cook off automation and we can even report on the process we can report on the state we can report on trending over time and all of the teams are now linked together it doesn't matter if it's financed it doesn't matter if it's i.t it doesn't matter if it's changed it doesn't matter if it's hr everything's on one platform so from there um i'm just going to look at the thing well i missed that question but it looked like 100 of people who are saying scan team dumps reports on the patch team um that's kind of interesting because that's what we've seen in the fed so it's i thought it would be a little more different but i think it was 100 so when servicenow comes in to sorry um we're going to try to eliminate that that dumping and the patch team dumping and the prioritization hopefully this concept will take away that hundred percent um just dump on the patch team i i know it's an operational thing but the sizzle sleeping at night from the original question um why do you brush your teeth both from a governance perspective is why the patch teams and the vulnerability teams are there all of that should be tied together the the concept of just it's my mission to dump and scan does not get the mission of continuous monitoring continuous risk cdm's intent to protect the network fisma's rnf rmf intent omb shortening of the window for that all of those intents were not foundationalized on it's just to scan and dump so from there i'm going to turn it over to jeff if there's any other questions thanks ben so next we're going to talk a little bit about managing the life life cycle of the nist related policies uh for the updates reviews and approvals um you've got all your inventory assets vendors roles and responsibilities and you can start to add some business context around those and what's what's critical and and add that scoring methodology to that so here we're looking at setting up integrations with those third-party tools map upstream and downstream processes align taxonomies and match vendor tiers with their assessments and then we're going to look at defining the scoping profiles policies risk statements and create controls and assessments uh ingest customers content and then use the servicenow automation packs inside of the grc application to help put those into the system and map them to where you need to go next slide so um for number four we're going to set up that continuous monitoring and automate the tests and assessments so you're going to create your test plans publish a assessments define the audit frequency and even if you're doing vrm you can do vendor risk management and then you're going to be able to capture that risk report on that risk or compliance with your kris included as well so here we got the real-time reports and dashboards and this is kind of what servicenow is known for is creating these dashboards that fit your agency's needs they can be customized to show any type of report or metric that you want uh and you're gonna so from our perspective we want you to understand your risk posture your risk compliance and the levels of risk that you have and at the same time when we talk about risk and policy and compliance we're going to be able to do self-auditing and build the reports that you want to have inside of your organization so that when you do have to go through that internal third-party audit we're going to have a lot of the reports already created for you so i can't tell you how many times we've talked to customers about doing those third-party audits and the amount of time and complexity they represent in the reports so we bring a lot of that information to you out of the box with this continuous risk monitoring and we turn that into another topic which we call continuous compliance monitoring and the two obviously tie together so back back to where we started from now we're at this mature continuous monitoring and predictive analytics we're using ai to find things out um and this is uh this is a big deal so you can do a complete risk risk assessment view the performance of mitigating controls and determine the risk response plan right this is where we we really get a customer to be at this maturity level so they're way ahead of the game and they're they're not responding or reacting to issues or problems they're seeing it come out ahead of time uh the vulnerability piece in integrating tenable yeah so just two more slides before a quick top-level demo um we usually show the slide because we always ask that question about the patch team dumps and i've been there um patch teams in the ikey operations they know their patches come out on tuesday or they're monitoring for patches from linux or wherever that is and the vulnerability managers really only job on that scan and dump is to verify what hasn't been patched there is a push up to risk against the governance um to verify if those risks are resolved or if they're automatically closed right but the shift needs to be in my opinion from what the intent of the government is to protect the network is that the risk manager or that risk mentality from the risk management office should be identifying the priority of the risks they should be setting the scoring it shouldn't just be cvss and it shouldn't just be threat intelligence it should be on the business criticality that they spent all the time doing the atl process on and optimizing that system and the risk acceptance and tracking their poems they need to identify what's priority to them not just track the outcome then they can push that to the vulnerability managers to help prioritize what the patch team needs to be looking for i come from a cyber security background i understand that a lot of times surface area is a much easier way to patch systems most of my systems are windows desktops that's the easiest patch microsoft's pretty good about getting out on tuesdays having the patch ready it's a quick testing regime but really when it comes down to a breach like the opm breach or something else that's a few very specialized systems with very critical information personal identifiable information the hipaa information those are the systems i when we talk to scissors for the most part they're actually more concerned with those five to ten systems than the contractor at saying they perhaps ten thousand systems this month or a hundred thousand systems this week or whatever that is it's not surface area anymore it's really coming down to do i we just never had a way to do this but how do i help as a risk manager the it staff of what's a priority to me and break down those silos those bars between uh as a future part of what's coming in paris also and to that predictive analysis not only will we help prioritize risks and bring those things up as predictive analysis but when the scan teams are trying to allocate to the owners and not really understanding how change is going to implement based on other groups of vulnerabilities to the change team how they've been altered either they've been split or they've been reassigned like you gave them to the manager and the manager delegated it to three different people we're going to start with that predictive analysis but as new systems come in understanding what software they're running or their vulnerability and their location and system owners or boundaries or whatever that is will predictively give you an idea if it's unmatched to an owner of who the owner should probably be would it be a group would it be a user would it be a system and then once it's in that group then the change team can still correct it and we'll get smarter predictive analysis it's machine learning learning um but we can also help facilitate that speed of who owns this because with the scan and dump mentality it's the i don't know who actually owns it uh and i don't own it as a scan team this separates that mentality yes you don't own it but you getting the data to the right person for them to do their job is what enables them on their mission so this helps with the predictive analysis big time all right so i'll jump into the um and and while you're jumping onto the demo pages we're going to throw one more question for the for the group to answer yeah um so from the top level we talked about a whole bunch of different pieces um to look at and a lot of times these are siloed your policy and compliance your government regulations your authority documents with your risk statements and your risk register and your control objectives tied to your policies are in one place then your configuration compliance or your vulnerability response is coming in from your scanning apps like tenable and everything else so we're actually able to take the configuration scans or the vulnerability scans or change management or any of those and we can map them to the granularity of the policies and the policy statements which guide to the control objectives and understand from the top level how the whole scope of failure is happening i won't get into security in certain response but out of the box we do follow nist 861 for contain eradicate recovery same thing us cert follows um and then as you get better over time like we said we're still going to track that process it doesn't have to be everybody on the platform how much do they make but we can put them in different buckets of patching or forensics for security or scanning those types of things as they get better and things get assigned and tickets get closed quicker or they don't sit in the wrong queue they don't go to tier one and sit there for 45 minutes or six hours until someone looks at it and goes oh this is supposed to go to someone else as you mature your workloads across the servicenow platform we'll be able to not only save you labor hours and value but and reassign those people to do more diligent tasks but we'll be able to report on that also so you can show the benefit of that from the second level um like vulnerabilities new verse closed a lot of these really aren't the biggest picture items a lot of the vulnerability school scanning tools will tell you configuration verse pass failed and time burst new verse closed but we can do it on overdue because we're looking at each of the government pieces and what you put down for your policies against those systems or those services or those boundaries your bismuth boundaries and i'll dive into that a little bit more because i pulled out a little bit more which is this um we have a lot of out-of-box and all the other tabs are sorry i'm jumping around the first tabs are out of the box this tab i just added with an easy click in the button and add a widget and pull up my favorites and pull things in but i brought these in because a lot of our vulnerability out of the box ones there's some overlap i came from temple i know you know it's a point in time scanning like how long has this been open for is this new previously mitigated all of those different things what tenable doesn't understand is what's on my network it doesn't understand what the truth of my cmv bcis are so we're bringing in all the data from everywhere we're closer to the authoritative source if not the authoritative source of what's on my network right master system master user master data so when tenable or a scanner finds something and it's unmatched well nothing's going to be done this is why they're still open vulnerabilities for 60 days and even beyond that if the vulnerability maps to a system in the leisure of the system in the cmdb well maybe that piece of software doesn't have an owner or maybe that os doesn't have it only the person left the person shifted it's a legacy system and it's never been reassigned those aren't going to get patched so these are the fundamental reasons of the vulnerability scanner finding things week after week day after day month after month and then understanding where the patch team who's actually been assigned can get to things now we talked about risks and other things so a lot of times you wouldn't actually see that vulnerability trending on top of what you would be doing in governance like your critical service boundaries and where those teams are with the changes they put in any trending or who's opened up the most poems for their business service um maybe they don't understand risk as well and they just can't do it they don't have enough staff maybe it is that they don't have enough staff maybe they need more people because they can't get through the testing maybe they need another testing system to actually run more tests to put different things in the production and then understanding why people might have deferred that vulnerable item a single vulnerability tied to a single asset or why they would have deferred a group so did they accept the risk and this went through a process through the information system security officer or the designated authority or whoever it went up to um again a waiting maintenance window maybe that's one of those things we can shift if you're just awaiting the maintenance window maybe the risk won't be accepted for waiting maybe the risk will be accepted to change the window right uh false positives i won't go in the banter on that one but different definitions fiction available mitigation control in place we do have a lot of legacy systems so maybe this is a continuing risk and everything rolls up to the firewalls or you know the boundary devices are going to take it and any different way you want to pivot and again being able to see that at your fingertips for where that vulnerability group might be in states so for vulnerabilities just coming in i got three critical i don't want to just send them to patch if they've already gone under investigation and gone through the change board and done all their testing and their weighting implementation maybe i want to do the change window on this one if you actually want to come out and do that and being able to see those changes training over time dive into the application or show all the records those things you can do inside the servicenow platform um do a time check here so from even the higher level we'll have other dashboards just to give you that kind of view um extreme risks with known f exploits you can pivot on any data you want to you can make any of these tabs any of these features anything you want to do export them have them as a report by system class by system boundary by which team has the most exploits all of those could be pivoted on unnecessary software unauthorized risk um another big key one high-risk security configuration so again we're pivoting between the um how is the box set up is the guest account disabled because you might not be completely vulnerable but you might be able to mitigate through a configuration setting versus patching to the latest version of software which is a vulnerability and then the top reports the oats top 10 the dvr the verizon data breach crypto um even into recorded future threat reports so we do have an integration with them but on top of that even if you don't directly talk to recorded future we're still taking their reports and we're still giving them to you in the um the newer format so you can understand how much of your vulnerabilities are out there you'd be surprised how many vulnerabilities for heartbleed showdown still showing on their reports and their dashboards things like that um we're not as bad and fed on getting to those big ticket items but it does give you that nice view out of box where you don't have to do as much configuration or changes end of life software that's another big one things are not going to be patched a lot of vulnerability scanners just say yeah end of life i'm not giving you a criticality but the assumption is critical that's kind of a big lesson that's kind of hard to keep in track so one of our ties together is software asset management which we're not talking about on this one but they're keeping a running total of tens of thousands of different software vendors that are putting things end of life so we can work with the platform and the other tools on the platform to understand where risk may be um from a procurement standpoint even like this is end of life what do i have to procure do i have to pay more to upgrade to the next version so that's the biggest top level pieces i'm a few minutes early does anybody have any questions and do we want to uh do we want to touch on time back into the the cdm requirements yeah we could um i'm not sure how many people would hit on cdm um but i can i think it's it's it would be a good topic yeah i mean jeff and i i've been covering cdm for the last seven years i helped put tenable on the original bpa before they approved products list and apologize nobody in here unknown cdm and i'm spitting that word so um some of the biggest items for us are we're across the boards there's foundationally cdm is built on what's on the network who's on the network so you have tools collecting that data from a baseline perspective we talk to those tools we talk to the forescouts the big fixes the tenables titaniums um the splunks and all that other data that's gathering in there so we can actually and our discovery on top of that which goes out and finds things on the network software on the network we can be in that discovery layer and as i look for my powerpoint um from the next layer up when we're talking about data aggregation because that's where cdm really wants to bring everything together and it's working out of those silos vulnerability is a data collection but it needs to be tied to the master system the master user the master device records which then fall in the fisma boundary the governance which then tie into the um ou container which is the enterprise level and then all of that data is rolling up into um the dashboards of course there was a shift in the dashboards so from that perspective we are actually on almost everything from business continuity to uh operation management approved to design built secure uh evmt event management for security that's predominantly where our security operations tool falls and we're in things like group f where we're already in the middle layer to roll up to the current dashboards and we'll still be in that process when the dashboards switch over and i'm looking for my powerpoint which might help explain this but not coming up too quick um so those are the big ones nobody has any questions i want to show a hands who's asleep somebody turned their mic in store no i'm just kidding i'm um pull this up grab it yeah brooke i i think we're at the end of our presentation i don't know if uh if you want to take back over and drive any questions yeah absolutely i don't see any coming in through the q a pod but just to remind everyone online on the left hand side of your screen if there's anything else you'd like us to show we do have that available and we can help you guys out there um if not though if there's any requests for individual demos or um specific deep dives into other technology we can help you offline as well and uh jeff or ben did you want to cover this slide really quick or not a problem i want to thank everyone for attending our webinar today we appreciate you as well as our speakers thank you ben and jeff so much um we do have a few quick polling questions so i'll jump into that as well um and our contact information is also displayed on the screen evan is with our servicenow team here at carisoft and he can help address any questions you all might have or as we mentioned provide personalized demonstrations feel free to reach out and i hope everyone has an awesome day thank you so much you