Pete Luban of Dimensional Fund Advisors on MITRE ATT&CK and Security Optimization

EPISODE 8: THINK BAD, DO GOOD

Jonathan Reiber, Senior Director for Cybersecurity Strategy and Policy, AttackIQ

Guest: Pete Luban

Chief information security officers and security leaders all over the globe struggle with complexity. Complex socio-political risk; complex risk management organizations; and complex technologies. Today on Think Bad, Do Good, we talk with one of the world’s leading cybersecurity operators not just about how you can decrease complexity and strengthen your security program, but how you can become a more effective leader for your organization.

Pete Luban knows the issues well. He is the head of the cybersecurity program for Dimensional Fund Advisors (DFA), an investment management service that operates with over $550 billion in assets under management. Headquartered in Austin, Texas, the 38-year-old company has over 1,700 employees and, in the words of Peter Luban, is “run by a group of computational geniuses.” As a global distributed firm with significant financial assets, it faces similarly significant cyberthreats to its assets and personnel.

For managing these risks, Pete calls the MITRE ATT&CK framework the “mother brain” for security effectiveness. Why? Since he started using ATT&CK, he has seen a fundamental increase in effectiveness in protecting his company, but also in how he communicates to his board. ATT&CK and AttackIQ give him a single tool to see threats and threat behaviors. “That is a giant value add use case that follows the life cycle of information or misinformation from beginning to end and gives me a tool by which to validate, no pun intended, that what we do is worth what the company spends on it, right? That’s a simple use case that is insanely valuable.”

Listen to today’s episode to learn more about what keeps Pete up at night, what Pete would like to see more broadly adopted in his community to increase communication and effectiveness, and how COVID has transformed cybersecurity for companies everywhere.

Pete Luban is the head of information security and IT risk at Dimensional Fund Advisors, an Austin, Texas-based asset manager currently managing over $500 billion. At DFA Pete faces the key challenge of all who hold major security roles: protecting the enterprise in a rapidly shifting threat landscape while staying threat-informed and focusing on the things that matter most.

Pete has been working in security for over 20 years, serving in a variety of roles at major companies including Google, Yahoo!, and Netflix, and specializing in risk management and security engineering and operations. Pete looks at the evolution of security organizations through the lens of “ecosystem engineering,” focusing on understanding how a single decision can affect all of the various moving parts of an enterprise. He has some of the best tattoos around. And he believes in the power of MITRE ATT&CK.

Transcript

Jonathan Reiber:
Welcome everyone to episode seven of 17,000 of Think Bad Do Good. I can’t remember because we’ve been under quarantine for so long. You never know what day it is. It’s just one long Groundhog Day. But we are extremely pleased today to have Pete Luban, who is the head of cybersecurity at Dimensional Fund Advisors. He is joining us from Austin, Texas. Hey Pete.

Pete Luban:
Howdy, how are you doing?

Jonathan:
Good. It’s great to have you on. Best way to break up quarantine is to have good conversations with good people.

Pete:
Absolutely agree, couldn’t be happier.

Jonathan:
Thanks man, thanks for coming on. So Pete is a seasoned cybersecurity professional. He grew up in the great substate of Long Island which is excellent.

Pete:
This is true.

Jonathan:
Yeah.

Pete:
True.

Jonathan:
Then he wisely fled New York for the wider expanses of the southwest, so now he is in Austin, Texas. So Pete, tell us a little bit about yourself.

Pete:
Yeah, so like you said, I spent about 19 years trying to escape Long Island and the rest of my life trying to never go back. But my family is there, so it happens every now and again. I got my start doing this kind of stuff in the boiler room days of Wall Street in the late 90s when I was doing network type stuff for proprietary trading firms and financial startups and whatnot. This was sort of the birth of what we consider to be modern cybersecurity. Also a little bit, I guess now we’re in neomodern cybersecurity. So modern cybersecurity was, Cisco invented the blue box, and that is what everybody did. So I was that everybody, I kind of got handed the reins to deal with firewalls and VPNs and stuff like that when this was just starting to become a popular topic.

I was very focused on network technologies and network architecture, and I guess, at some point in time, these roads diverge and you decide where you want to specialize. And security stuff was way more interesting to me than building networks was, and there are plenty of people who would argue that that’s a silly statement but that’s how I roll.

So just progressively over the years, I immersed myself in cybersecurity and security in general. Bounced back and forth between risk management and technical cybersecurity. As a matter of fact, engineering and engineering management, eventually full-on taking the head-first dive into management, and I’ve kind of been there now for, I don’t know, 10-ish years, give or take.

Jonathan:
You mean you’ve been in management for 10 years?

Pete:
Yeah.

Jonathan:
Nice, good for you.

Pete:
Yeah, I’ve been struggling with this path for a long time. I miss my hands on the keyboard, but kind of this can be the best of both worlds in that you get to do the high-level architecture thinking and the vision and then kind of move the chess pieces around and make that stuff work, as opposed to being on the battleground, but it all scales, it’s all good. I enjoy it.

Jonathan:
That’s awesome.

Pete:
And that leads me to where I am today, which is running the cybersecurity program for Dimensional Fund Advisors. Dimensional Fund Advisors, as you said, headquartered in Austin, Texas, is a 500 and change billion dollar asset manager.

Jonathan:
Small change.

Pete:
What’s that?

Jonathan:
Chump change.

Pete:
Oh yeah, we always joke that the cost of some of the solutions we implement can generally be found in the couch cushions in the lounge, which nobody goes to anymore because the offices have been closed since March. But it is an interesting company, it’s based in academic research. As a matter of fact, the board’s got some Nobel prize winners on it. These are literal rocket scientists and theoretical mathematicians and so on and so forth. They’ve written and implemented a philosophy that gives them advantages in the market around things people have been trying to figure out since the birth of the market.

So that’s how they do what they do. It’s a wonderful company to work for. It’s very progressive. And at the same time, I think it’s about a 38-year-old company, it’s really starting to embrace what technology can do for it. I think we’ve gone beyond “hey, everyone needs a computer at their desk” to things that are more research-based or quantity-based or app-dev-based and so on and so forth, so it’s an interesting place to be right now as it grows into its technological clothes.

The cybersecurity program is actually very, very young in comparison, and it’s a small, highly aligned team that really is interested in risk management and the application of proper technology and tools and practices, this is still a risk management thing. But, as we all talk about these days, risk management is this multifaceted animal that involves all sorts of things and we’ll get into that.

Jonathan:
You have a team of eight, right?

Pete:
That’s correct.

Jonathan:
That is very small.

Pete:
We span GRC-related activities. Obviously we’re an asset manager and we do business all over the world, so we are subject to any number of regulators and regulatory this-es and thats. But we also have operations, engineering, identity and all the other stuff you would expect to see at the enterprise level and, yeah, it’s actually built, maintained, operated, managed by a team of eight people, which is pretty impressive.

Jonathan:
It’s great for your span of control as a manager. You’ve got eight people to—

Pete:
Yeah it makes life a little bit easier.

Jonathan:
For sure. But a large attack surface with a tremendous amount of assets.

Pete:
Yes.

Jonathan:
So given the global nature of the firm and the assets that the firm has, what are the things that keep you awake at night the most? And you don’t have to talk for that question just about DFA, but for cybersecurity risk more broadly overall as well.

Pete:
Without getting into very specific things in the framework or whatever, I think, in broad swaths, I think the shape of the world as it relates to threat is changing quite a bit and I think it’s changing because of the current situation, but I think it’s been changing for a long time. As you sort of see the ease of technological advancement in adversarial techniques hockey-stick up and to the right, the variations one is looking to gain from doing nefarious things becomes more diverse. And what I mean by that is, essentially, as an example, if malware has become commoditized, then the next winner of the flag or capture of the flag is the one who comes up with the next variation that we didn’t perceive or didn’t plan for or didn’t think about.

There’s a million different ways to think about this, but, really, the thing that keeps me up at night is what is the next thing that I haven’t perceived or thought about that, generally speaking, none of my peers or anyone else who has a voice in the industry hasn’t really thought about? And this is why we have jobs obviously, this is why we do what we do because that’s essentially, it’s ever chasing any number of cats. So I think at a high level, that’s what keeps me up.

I think, a little bit more specifically, is that shift where I think people are now the most vulnerable asset an organization has and I think hackers have known this for a while, but I think, given the current state of the world, those types of things are seemingly much more exploitable, given everybody’s working at home.

This is not just a “well, the environment is different” kind of thing and “the connectivity thing is different” kind of thing. It’s a “what’s going on up here is different” kind of thing. Now you’re at home, you’ve got your family, you’re constantly distracted, it’s hard to make the differentiation between home assets and work assets so on and so forth. I think somebody smart enough to think about what that actually means as far as a vector for attack can figure it out.

As we know, people are soft and squishy and generally manipulatable.

Jonathan:
They sure are.

Pete:
It’s the way we’re wired. So the world has shifted where the bad guys and girls are now trying to take advantage of that type of stuff, and that is what I worry about the most.

Jonathan:
That’s very helpful. You and I have spoken before about the MITRE ATT&CK framework, which is a framework of adversary tactics, techniques, and procedures that emerged out of the Lockheed Martin kill chain project. It takes all of the known TTPs of adversaries in the world and it puts them into a framework. I like to think of it as a periodic table because it sort of looks like that. Now you said some good stuff about it, so I want to ask you, how have you found MITRE ATT&CK to have transformed your approach in your team and for your company?

Pete:
Yeah so it’s a good question. I think it can be answered two ways. It can be answered in a practical sense and it also can be answered in a theoretical sense and I’ll get into that in a moment.

So, practically speaking, with a team so small where essentially all of the focuses of what one would consider to be an enterprise-class cybersecurity organization or information security organization, these responsibilities are basically spread super thin across a very small handful of people. So we need to make sure that we’re able to do the things like manage threats and think like adversaries and do all these other things that maybe not any one specific or handful of specific individuals on teams actually built for.

Not to say I don’t have people on my team who aren’t malware reverse engineers or who don’t have 30 years history in forensics and stuff like that. Totally do. But they need to manage the workload of a much larger team, so I think ATT&CK gives us the ability to do a bunch of things. Namely, have access to a framework that gives us the ability to remain focused where we need to be focused. The kill chain was great, but the thing about the kill chain was it was this highly serialized thing that, really, other than giving you the top of the pyramid to start at, never told you how tall that pyramid was or how you were going to get down—

Jonathan:
Can you talk Peter a little bit about what that pyramid is when you say “top of the pyramid”?

Pete:
Yeah yeah. So I mean if you’re familiar with the Lockheed kill chain, at any position on that kill chain, you’re basically talking about using the iceberg analogy that you see on the internet, how they describe the deep web. Just the top of the iceberg sticks above the water. And when you look at the kill chain, that’s what you’re seeing is the tip of that iceberg. But now, if you want to go vertically down what that means, and what I mean by “what that means” is who is the attacker, what’s the methodology, what’s the target, how are all the different ways that that target can get accessed, how do you consider that as it related to the step that came before it and the potential step that will come after it?

These things the kill chain never really did anything for you. So the whole unexposed part of that iceberg was kind of left up to the interpreter and we used 853, all these other frameworks to give us a way to bucketize those things. And I think a lot of us wound up with framework fatigue because it was like, well, I want some of that and I want some of that and I’m going to mash that whole thing together so now I’m essentially managing my own framework which is different than what everybody else is doing to some degree.

So ATT&CK, I think, has taken a lot of the guesswork out of how deep you want to go in any individual part of that kill chain. But also it’s given all the people on my team a common language and not only that, but it’s given everybody across the industry who leverages it a common language.

We can all point to a place and be like, that’s what we’re talking about. And we can go even deeper and say here’s all the stuff going on in the wild that actually pertains to somebody’s ability to successfully attack or to successfully exploit or whatever it is.

Jonathan:
Have you used it in meetings across your enterprise to be like, this is the kind of attack we’re looking for, just so you know?

Pete:
So, I, personally, as far as the level of understanding my chain. Because I don’t work for a high tech company, I work for an asset manager, so there is literally no expectation that above my boss, who is the CTO, that I’ll be able to walk into a room and start talking about TTPs and them be like, oh, fascinating. There is so much context missing there and there’s so much understanding of how that stuff boils down. But what it has given me the ability to do is communicate with the entirety of the technology organization and even into places like risk and compliance. There is a bit more of an understanding of really target acquisition and the protection of targets and so on and so forth.

I’m still looking for a way, and I promise you we’ll probably wind up getting into this later as we start to talk about the technology. I’m trying to find a way to translate how we leverage ATT&CK and how we leverage the tools that leverage ATT&CK to produce something that I can hand to the board and say “this is why life is good” or “this is why life is bad.” And like I said, we’ll most certainly get into that.

So right now, maybe it doesn’t, for me anyway, translate directly into conversations I can have at the board level. And like I said I never expected that that was what it would produce on its own.

But there are certainly ways to get there, and I think that’s what we’re currently trying to figure out.

Jonathan:
Yeah, we’ll talk about that. It’s a large part of what the security optimization platform is about too. So that’s the practical part, and the theoretical component you’ve spoken before about it. I think you said it was like a motherboard. You didn’t say motherboard.

Pete:
Mother Brain.

Jonathan:
Mother Brain, yeah. You see it as a Mother Brain.

Pete:
Yeah yeah. And what I mean by that, anybody who is an old school video game fan maybe like the analogy doesn’t directly connect. Anyway, point being—

Jonathan:
I like the analogy. Tell us the analogy, I like it.

Pete:
It never really got into detail, it was part of lore, but the Mother Brain was essentially the controller of, it was the hive mind. It was the thing that controlled, unfortunately, in this situation, all the bad stuff going on around you and you had to go destroy the Mother Brain to win. But anyway, the point was there was this giant brain in a jar that had all the knowledge of all the things that was going on around it, and it was able to sort of make sense of all that stuff and target and defend and attack and whatever it was.

I use it in this sense because what I’m essentially saying is it is that hive mind. And I know hive mind is generally associated with bad things. But, in this sense, what I essentially mean is there is a bazillion of us in the industry who are out there who are concerned about these things and whose day jobs it is, if not life’s work it is, to figure all this stuff out. And now we’ve all got one place to go back to where we can figure it out and we can go as deep as we want to go or we can go as broad as we want to go. And like you said, the periodic table is there and if you know anything about natural sciences and so on and so forth, that is a starting place.

Now you can go into whatever it is you want because you know exactly where you are atomic weights blah blah blah.

Jonathan:
That’s awesome.

Pete:
Yeah, so I look at it that way. And the application then, so if we’re talking about the theoretical what it is and why it is, now we want to talk about “theoretically, what does it mean in the future,” and not to get too far ahead of I think the rest of the conversation, I think—

Jonathan:
Sure, go for it.

Pete:
This represents, so the security industry has always been a very guarded thing. Everybody does it their own way and likes to keep it under wraps. I used to work for organizations where talking about what went on behind the closed doors was punishable by death, by termination. One of the biggest problems me and some of my counterparts have always talked about is, we don’t talk to each other outside the walls of our own organization, and there’s a wealth of knowledge to be gained if we would just have a way to inform each other about what’s going on in the world.

I think ATT&CK is that thing. I think it is a framework by which we can correlate experiences and we can talk about what’s bad now and what’s going to be bad tomorrow and what we learned about what was bad in the past.

Jonathan:
That’s awesome.

Pete:
Yeah, and if you look at how the industry is growing and where the focus is going as it relates to things like intelligence and threat intelligence or risk management, those industries or sub-industries are growing around ATT&CK. I see it a lot more, and, as a matter of fact, when I think about solutions I want, one of the very first questions out of my mouth is “how does this leverage ATT&CK?” This is the language I want to speak with my counterparts.

Jonathan:
I thought it was really good, two recent very public indicators around ATT&CK. The first was the Australian prime minister’s office last summer released guidance when China was conducting, I think it was China was conducting a coordinated campaign against Australia. They mentioned the ATT&CK framework as a method to test and detect and validate your security controls against Chinese behavior. And also for China, last week the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency released an alert saying this is what China’s doing, and it gave a very explicit direction about what to do. And then at the end it said these are the ATT&CK techniques we know they’re going to deploy.

And to have a government doing that and to have everybody already prepared to think about it is just tremendously transformative. And for you and me, we’ve been in the business for a while, this is like really new. For the young guys and gals who are entering now who look at it, they say that’s sort of de rigueur for them but not at all for us.

Pete:
Right, yeah. That’s sort of a, yes, it’s a giant indicator, right? I mean it’s a giant indicator of the validity of the thing, the extensibility of the thing, the common language associated with it. Hey man, you’ve been doing this long enough if governments can talk the same way we’re talking life is good.

Jonathan:
Life is transformed, exactly.

Pete:
Like the point you made about the younger generation getting into this industry. If we’re still talking about ATT&CK 15 years from now, I wouldn’t be surprised.

Jonathan:
For sure. It is something into which you can put data and then get information back.

Pete:
Exactly.

Jonathan:
I think it’s a good chance to pivot to the overall efficacy of ATT&CK, and the ATT&CK team has talked about this before and we talk about it a lot, but for red teams and blue teams that are trying to test security controls, in the case of red or purple teams, and then validate that they work, on the defenders’ side. Our proposition at AttackIQ is that you can do automated security control validation and automated testing through a platform. And that’s what we do, this is what our business is. And you’ve been a customer of ours for some time. The Security Optimization Platform wants to get to a place and exist in a place where we increase the efficiency and effectiveness of your cybersecurity program. And the goal is we provide you with real performance data about how your security controls are performing.

And I wonder if you could, agnostic to our platform right now, but I wonder if you could talk about the value of having real performance data on the basis of using known threat TTPs to test your controls.

Pete:
For sure. The most applicable thing that I can say that I think a lot of people in my position can relate to is, if you look at how the higher ups in your respective organization get information about what’s going on in our industry, it’s either from their peers or through the media somehow. Through some publication, through the ISAC, through whatever it is. And all that leaves them with is the feeling of, “oh no, this is going on in the world.” Obviously this can spiral into the conversation about what are we doing about it, blah blah blah. I think that’s where this plays a huge role.

Now, in my role as the head of security, we perform assessments and pen tests and third-party validations and all these things, audits, for different various reasons throughout any given calendar year. Those things all produce artifacts. It’s a piece of paper and I could look at it and I could show it to my boss and I could say this bad this good.

Jonathan:
Yeah.

Pete:
But now, how do I take that, apply it to what the higher ups are hearing coming from the news and their peers and spit something out the other end that’s a peace of mind one way or the other, at least now you know where you stand kind of thing. And there are many many other variations of this that apply from right next to me all the way up the scale straight to the CEO and the board.

But the point being is, I could say you read a thing that you’re concerned about, I’ve got an assessment here that says it’s a thing we should be concerned about or not, and I could tell you what we’re doing about it. But then I could leverage a platform to actually show you that we’ve done what we said we did with some periodicity over time and continually show you “green good, red bad” as a way for you to understand that the thing you heard about that you were concerned about is actually on our radar, and, not only that, but it’s being mitigated or managed.

Jonathan:
Yeah.

Pete:
That is a giant value-add use case that follows the life cycle of information or misinformation from beginning to end and gives me a tool by which to validate, no pun intended, that what we do is worth what the company spends on it, right? That’s a simple use case that is insanely valuable.

Jonathan:
Right, because it’s, our CEO likes to say it closes the ecosystem in security. Without it, it’s like you don’t have any lights that go on in your engine to, say, your engine check, time to take the car into the shop.

I like to use the term of a Fitbit. I like to track my resting heart rate, I like to have it at a certain range, and last week, after the smoke in California and eating too much steak, it got too high, so I was like, all right, I’ve got to make some changes. A, I can’t control the smoke but the smoke went away, so I started running again. Now the heart rate is back closer to where it needs to be. And that way, you can report out, get a daily report that says “this is how well our people, processes and technology are performing,” and you can then say “we spent $150,000 last year on X and Y cybersecurity capability and I found that it was operating at 85 percent effectiveness, but with the following changes I was able to maximize it and move it towards 95 percent, and now we’re getting a much bigger return on our investment.” Is that your understanding?

Pete:
Yeah, absolutely. To put it in harsh reality terms, what I hate to do is have to go back to the CEO who brought me this concern and say, yes, it’s something we have to worry about, and, no, we don’t have a good way to deal with it right now.

Jonathan:
Totally.

Pete:
At least this lets me show in extremely practical terms this is how it looks and how much we have to worry about it and I can show you over time how we’re buying down that risk. Like I said, I can push a button every day if I want and show the work. That’s the big selling point for me.

Jonathan:
Have you detected an improvement in efficiency and effectiveness since you started using it?

Pete:
I think what we’re still trying to figure out is, what I’m literally trying to figure out right now is return on investment based on the percentage of total technology budget spent on security. I’m still trying to figure out how to figure that out in a good way. We just got a new CFO, so maybe he can help. But there is a way to essentially take that and, let’s just say it’s the IBM recommended somewhere between 10 and 12 percent, and I could say “great, well, out of that 10 to 12 percent, based on our ability to quantify risk, I can show you that investment has essentially, theoretically, saved you N dollars.” I spent, in my job prior to this, a lot of time thinking about how to quantify risk and it’s an extremely theoretical space and it’s extremely difficult to do.

Jonathan:
Yeah, but important.

Pete:
But I think of practical things to say, well, you could see what else happened in the world and you could see what happened to that company and you could see what that cost them. So even if you don’t believe brass-tacks-wise that that would have cost you that same thing, you can see that we are not susceptible to that thing and therefore don’t have to worry about the potential bazillion dollars that that other company lost.

Jonathan:
You can validate the likelihood of a potential bad outcome that you’ve seen in the past not happening.

Pete:
Exactly.

Jonathan:
Exactly. That’s really useful.

Pete:
Because up the chain they read the newspaper. I stopped doing that a while ago because it’s way too depressing.

Jonathan:
Too depressing, exactly. Yeah, yeah.

Pete:
Too depressing, you know?

Jonathan:
One of the things that I like and one of the reasons I’m so excited about this platform and this mission of improving effectiveness, I’ll just take one minute. I used to work for the deputy secretary of defense and we would sit in the secretary of staff meeting every morning at like 7:30 in the morning. So all the under secretaries and occasionally the chairman of the Joint Chiefs was there, which was mind blowing. To be in the room with the chairman of the Joint Chiefs, who was reporting to the secretary and the deputy secretary of defense, is a mind blowing experience.

There’s this one under secretary who I care about, she is a good person and I won’t name who this person was. It may actually not have been a woman, it may have been a man. For the record. She had a very complicated portfolio with one of the biggest, most public-affairs-related issues in the entire department. And every single day she had to brief about it, and it was one of the number one things in facing the department. And she would consistently report on the problem without describing the exact tactics she was going to do to change it.

And I would just think to myself, I’d be like, you need to start with a plan for your solution and how you’re going to make things work. And that I think is really what excites me about this platform and what we’ve heard from customers is that it helps you prove that the things that matter most are working and for those things that aren’t working it helps you see how to fix them.

Pete:
Yeah, couldn’t agree more. That’s exactly it.

Jonathan:
That’s awesome, I’m glad to hear it. That’s what we want to do. So let’s take a step back for just a second and think about how you would like to see the industry evolve on the basis of what you’ve learned in recent years around efficiency and effectiveness. What are some changes you would make either, it’s hard for you to say on your own team, but what are some changes you would recommend that folks make in the field more broadly to maximize efficiency and effectiveness?

Pete:
To keep this noncontroversial I’ll not use swear words, but—

Jonathan:
We can bleep them out man, it’s all good.

Pete:
Good, I’ll keep that in mind. Stop letting vendors sell you garbage. Point number one. Because all of the swag in the world and all the air pods and all the steak dinners and all the whatever, it’s all great, if that’s what you’re into, but at the end of the day, rub the lamp and get your wish, it never works out that way. Every vendor says the ROI is totally there because you’re getting this monstrous converged platform where everything is the same data, and it’s not true, none of it’s true.

And the only way to avoid falling into the trap of the fabulous prizes and the blah blah blah is to know what you want to defend against. And to know what you want to defend against as it applies to your industry, your company, your departments, your individuals, your intellectual property, whatever it is. And I think if you understand that and you approach that through threat-informed defense and you understand what the threats are and what’s going on in the world and why it’s important to worry about that thing and less important to worry about that thing, then the solution becomes less about what’s flashy and cool and has the nice paint job.

As a matter of fact, I think you’ll see that there’s maybe not a massive shift but at least in my world anyway we put a ton more focus on what’s going on in the open-source space because those things are crowd-refined, very specific to very specific use cases, and if I go in knowing what the use case is and I know what to go look for, I don’t need to buy the multimillion dollar converged solution because I don’t care about nine-tenths of what that thing is giving me. And I know that because I took the time to understand what the relevant threat was to me.

Jonathan:
Using the ATT&CK framework to scope your thinking.

Pete:
Exactly right. So if I could, two things, if I could hope for the industry to go in one direction it would be more in that direction and if I could give anyone a recommendation on how to think about approaching your 2021 budget, don’t worry about the golf outings and the cool logoed socks. Worry about what’s going to kill you in your sleep.

Jonathan:
Yeah. It would be really horrible if the logoed socks are what kill you in your sleep. [crosstalk 00:34:33] Exactly, it would be pretty terrible. Although I’ve seen some of these socks and I wouldn’t put it past them. Oh man. So that’s great, Pete.

Now let me give you a chance to take an even bigger step back and offer any concluding thoughts on the basis of what we talked about, or as you say in the defense department any alibis or saved rounds.

Pete:
Like I said, the security industry is not a fame-and-fortune industry. I don’t think it ever was, but I think, back in the day, the security guys and gals were the keyboard cowboys, when we were literally on the front lines fighting adversaries and blah blah blah. Things are completely different now. Don’t forget that you’re becoming commoditized. And the only way to keep yourself from slipping into obsolescence and being replaced by that multimillion dollar converged solution that the tie wearers are like, “yeah, want that because of the socks or whatever it is,” you need to do more around educating yourself on threat and defense and what’s going on in the world and spend less time focused on getting the Ferrari and the data center and the cloud. Because if you don’t even have your driver’s license, the Ferrari is not going to get you anywhere but wrapped around a tree.

That is my philosophy, it is what I myself attempt to stick to, it is what I encourage the people that work for me to constantly remember. And we don’t have the luxury of having an unlimited budget. I’m sure these days nobody does and it makes it a lot easier to do what you got to do, but the doing what you got to do these days is that stuff and it’s the best way to make the best you. It makes you more valuable as an individual, it makes you a more effective protector of what you care about, and, generally speaking, it’s just better for our industry. Be more informed and help inform other people. That’s my take on things these days.

Jonathan:
That was incredibly well said, Pete.

Pete:
Thanks, appreciate it.

Jonathan:
Yeah, that was really well said. And thank you so much for coming on and sharing your thoughts with us.

Pete:
Any time. More than happy.

Jonathan:
Yeah, it’s really great. Thank you listeners for tuning in, a lot of these have been on video but soon enough they’re going to be on Apple iTunes and Spotify and all things like that, so for those of you who still listen to podcasts, of which I don’t because I don’t go to the gym, maybe I’ll start again sometime soon, that you’ll be able to do that too. So thank you, Pete, let’s wish him a whatever word is trying to come out of my mouth, a nice round of applause. Thanks, man.

Pete:
I really appreciate it.

Jonathan:
You bet, me too.