Market Guide for Endpoint Detection and Response Solutions
Published 26 November 2018 - ID G00346131 - 23 min read
Security and risk management leaders need endpoint detection and response tools to enable their security operations teams to discover more evasive threats and efficiently resolve security alerts. The EDR market is rapidly converging with the endpoint protection platform market.
Overview
Key Findings
- Endpoint detection and response (EDR) is crucial for advanced endpoint protection solutions capable of detecting suspicious behaviors at all levels of the computing stack from the device to the user.
- While EDR tools can be difficult to use for less experienced operators, they can improve overall security efficiency by reducing the time to detect and respond to security incidents.
- EDR tools are reaching feature maturity; however, automation and orchestration capability, global contextual incident enrichment, proactive hardening, root cause analysis, and managed service offerings remain differentiators.
- Established endpoint protection platform (EPP) vendors are rapidly filling in their EDR capabilities while dedicated EDR vendors are adding better prevention capabilities to compete with and displace incumbent EPP vendors. However, vendors that specialize in EDR still have better EDR capabilities.
- There are over 30 vendors offering credible EDR products; however, the top nine vendors have 83% of the market share. Mergers and acquisitions will continue in 2019.
Recommendations
Security and risk management leaders handling endpoint security should:
- For mature security organizations: Invest in EDR capabilities that emphasize workflow, orchestration, automation and integration to fully incorporate EDR into existing incident response processes and tools.
- For less mature security organizations: Invest in EDR solutions, but favor solutions that are fully integrated with endpoint protection, and offer cloud-based management and detection logic. Invest in advanced support for incident response help, or outsource to a managed detection and response solution provider.
Strategic Planning Assumptions
By 2025, 70% of organizations with more than 5,000 seats will have endpoint detection and response (EDR) capabilities, up from 20% today.
By 2022, 60% of organizations that leverage endpoint detection and response (EDR) capabilities will use the endpoint protection solution from the same vendor or managed detection and response services.
Market Definition
This document was revised on 6 December and 28 November 2018. The document you are viewing is the corrected version. For more information, see the Corrections page on gartner.com.
The EDR market is defined as solutions that record and store endpoint-system-level behaviors, use various data analytics techniques to detect suspicious system behavior, provide contextual information, block malicious activity, and provide remediation suggestions to restore affected systems.
EDR solutions must provide the following four primary capabilities:
- Detect security incidents
- Contain the incident at the endpoint
- Investigate security incidents
- Provide remediation guidance
Essentially, EDR vendors provide tools that enable the bottom half of the adaptive security architecture (see Figure 1).
Market Description
EDR is a foundational security capability. Gartner expects nearly all endpoint and server protection solutions to include EDR capability eventually. To be effective, EDR solutions require a cloud-scale data management and analytics capability combined with a steady feed of intelligence about changing attacker tradecraft. Endpoint security vendors must develop a core competency in these fields or face disruption.
Good EDR solutions allow incident responders to rapidly answer the most common questions when systems are breached:
- What is the extent of the breach?
- How did the breach happen?
- What did the hacker or malware do while it was active?
- How do we restore the system with confidence that all traces are destroyed?
- Is this a random attack, or are we a target, and if so what are the attacker’s goals?
- How do we prevent it from happening again?
Market Direction
Gartner estimates that the EDR market will surpass $1 billion in 2018, up more than 50% from our 2017 estimate due to rapid growth of installed seats and increased average revenue per unit (ARPU) as a result of EDR vendors selling more prevention. We predict 25% growth in 2019. Meanwhile, we are tracking more than 30 vendors with EDR capability; however, in our estimation, the top nine EDR vendors have more than 83% of the total market share by seat licenses (Carbon Black, Cisco, CrowdStrike, Cybereason, FireEye, McAfee, Microsoft, Symantec and Tanium).
We estimate the market is now roughly 20% penetrated (i.e., 20% of enterprise endpoints have EDR agents). Approximately 40% of EDR deployments are using both EDR and EPP from the same vendor. Longer term, as EDR becomes a standard feature of EPP, breaking out revenue attributable to this market will become more difficult.
Market Analysis
Most security buyers are looking for platform-based solutions that provide all aspects of the adaptive security architecture (see Figure 1). Dedicated EDR solution providers are moving rapidly counterclockwise from the respond and detect quadrants to the prevent quadrant, whereas more traditional endpoint protection platform (EPP) vendors (see “Magic Quadrant for Endpoint Protection Platforms”) are moving clockwise into detect and respond. The stand-alone EDR market will remain viable until at least 2022 for the dedicated security operations center (SOC) team. But the rapid proliferation of EDR capability into EPP solutions will satisfy the midmarket and below (see Note 2). We anticipate that the stand-alone EDR vendors will focus on adopting more features commonly found in the security orchestration, automation and response (SOAR) market (see “Innovation Insight for Security Orchestration, Automation and Response”), shift into other security markets, or be acquired.
Market Trends in 2019
Buyer acceptance of multitenant SaaS EDR solutions is rapidly increasing. Indeed, the benefits of low-friction adoption, cloud storage and computing scale, and low solution maintenance are disruptive to traditional solutions. Architecture is also shifting from smart disconnected client agents to more adaptable lightweight data collection and enforcement agents powered by always-available cloud intelligence. It is mostly the new vendors in this market that are capitalizing on cloud computing to deliver more agile solutions with lower maintenance overhead. Centralized cloud data also provides superior detection analytics enabled by consolidated real-time data collection and the ability to use the data for refining machine learning and other detection techniques, and the luxury of using multiple detection engines simultaneously.
While the EPP solutions have been using a cloud assist signature look-up model, they have not replaced the large dependence on distributed signatures, nor have they taken advantage of cloud detection logic in real time. Several of the newer solutions in the market are now using a cloud-stored signature database and detection engines which have several advantages over distributed signatures. The cloud provides the most up-to-date data on new threats. It can hold larger sets of data, including both the good and bad application signatures; it eliminates the maintenance issues of daily signature distribution; it enables a lighter agent; and it reduces network congestion. Off-network machines may be at more risk in this architecture; however, this is offset by nonsignature client-side detection methods and the design of threats, which mostly depend on the internet to achieve their aims.
Acceptance of cloud data storage and management is increasing, but is not universal. Some vertical markets (e.g., defense) and geographic regions are still wary of cloud delivery. Privacy and regulatory compliance concerns are still common. More critically, most EDR clouds are run from only one or two data centers. Prospective cloud buyers often have valid geopolitical, legal, and availability or latency concerns. Moreover, buyers have a hard time assessing the security of the providers’ cloud environments. Cloud EDR providers will be forced to provide more public and private cloud deployments, and meet industry certifications such as the Federal Risk and Authorization Management Program (FedRAMP) to address these concerns.
EDR solutions are designed to detect and surface suspicious events for inspection. Resolving these less deterministic alerts may increase the workload and require more sophisticated operators than traditional EPP tools require. However, increased visibility from EDR tools also improves existing incident responses and remediation efforts. To help alleviate the skills gap, many EDR solution providers are offering a range of managed support options. Less mature organizations are strongly encouraged to buy support for incident response or fully managed solutions (managed detection and response).
In addition to traditional techniques such as signatures, static file analysis and behavioral analysis, numerous vendors are advertising machine learning (ML) capabilities (or the more hyped “artificial intelligence”) to differentiate their detection methods. There is no question that using ML to detect events in the mountains of data collected is a critical task, and ML will have future uses as EDR solutions expand into user and entity behavior analytics (UEBA)-type detections. However, buyers should beware the hype and focus on measured outcomes. ML is a valuable tool, but it is not the only technique that has value.
Leading improvements in functionality during 2018 included:
- Addition of deception decoys and breadcrumbs for improved detection
- Addition of vulnerability assessment
- Utilization of the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework to classify and consolidate alerts
- Increased automation of common incident response (IR) tasks and remediation actions
- Improved search functions for hunting and IR actions
- Improvements in detection of malicious scripts (particularly PowerShell) and other Microsoft utility exploit techniques
- Usability improvements aimed at improving SOC operator productivity and lowering the prerequisite knowledge for administrators responding to alerts
- Improved response actions such as fetching memory and files, and remote access to execute scripts and commands
- Improvements in linking chained attack stages together into a single event graph
- Increase in network detection techniques
- Integration across network products such as cloud access security broker (CASB), firewall, network traffic analysis tools, secure email and web gateways
Many vendors are also advertising improvements in threat-hunting capability. However, in most cases, vendors are referencing improved search capability or automated threat intelligence service integration. Few organizations have the skills for real threat “hunting,” which is defined as searching for unknown threat indicators.
Longer-Term Trends
As the EDR market matures, Gartner expects feature improvements to focus on increasing the capabilities of the adaptive security architecture (see Figure 1) to provide more holistic and integrated security capabilities. These will include community intelligence-sharing portals and global comparative trending data that can improve “predict” capabilities. Proactive security state assessments provide configuration information to spot security problems before they become a breach. Hardening techniques, such as flexible whitelisting, will become more common to prevent malware execution. Hardening policy will provide execution restriction to limit process access to OS services (i.e., no autoexecute from USB, as well as no external network access, proxy or restrictions to OS services) to prevent malware from gaining a foothold.
Data stored from the EDR solutions can also be used to detect potential issues, such as insider threat and account takeover, that are currently addressed by UEBA (see “Market Guide for User and Entity Behavior Analytics”). However, few EDR vendors are addressing this market yet.
EDR vendors have not yet focused on the unique demands of cloud workload protection (see “Market Guide for Cloud Workload Protection Platforms”). Most of the focus of EDR has been on end-user-facing endpoints and on-premises Windows and Linux servers; however, the providers are only beginning to address elastic virtual and container workloads in infrastructure as a service (IaaS) environments.
Attackers are becoming more aware of EDR solutions, and are starting to develop countermeasures such as disabling EDR agents. User space agents are most at risk of compromise by attackers. Memory and kernel space attacks are increasingly common, and we anticipate that attackers will move lower in the stack into hardware and firmware, which may be less visible with current EDR techniques.
Microsoft Windows 10 Defender Advanced Threat Protection (ATP) could be influential in this market. Windows 10 deployments are proceeding rapidly at many organizations. The embedded ATP capability eliminates the need to deploy and manage additional agents. Integration in the OS can provide better visibility control and tamper protection. Microsoft ATP agents are available for Windows 7, 8.1 and 10 as well as Server 2012 R2, 2016 and 2019. Microsoft has now partnered with other EDR providers (e.g., Bitdefender, SentinelOne and Ziften) for older Windows platforms, Linux and Mac support. However, ATP does require additional licensing cost (e.g., E5 licenses).
Critical Capabilities for Consideration in Buying Decisions
Infrastructure
Most solutions consist of an endpoint agent data collector and enforcement engine, with a centralized management server, data repository and analytics engine. All are supported by a cloud-based source of indicators of compromise (IOCs) and information on attack patterns. Many include the capability to ingest third-party threat feeds. Some solutions also offer network agents to detect suspicious network traffic patterns.
All solutions support Windows-based endpoints and Windows servers. Support for Mac OS and Linux are now common, but not all functions are the same across all platforms. For example, solutions may provide detection, but not prevention. Support for mobile OSs, mostly Android, is also expanding.
Architectural Considerations
At their core, EDR solutions are based on the efficient collection, storage and mining of vast amounts of data. Therefore, the most significant architectural consideration is where the data is stored — distributed or centrally — and, when stored centrally, whether it’s kept on-premises or in a cloud-based service.
Distributed storage of endpoint logs on the endpoints themselves makes it easier to scale. However, in a global organization, a large number of endpoints will typically be powered down and nonresponsive to queries at any given time. Moreover, local storage of intrusion evidence is more susceptible to attacker manipulation and deletion. Centralizing the storage of endpoint log data is more responsive, and it enables more aggressive and continuous data mining, but it also requires a bigger centralized data repository, which increases cost. Default data retention periods can range from seven to 90 days. Some providers offer methods to store data longer in “cold” storage that needs to be explicitly loaded to search. Some solutions store only “suspect” or interesting data, while others store all data.
Centralizing the data store in a vendor-managed cloud instance service provides ease of implementation, eliminates scalability issues and enables the EDR provider to provide cross-enterprise correlation of events. However, cloud-based storage of EDR data introduces data privacy issues and potential regulatory and geopolitical issues. Solutions are alleviating this concern by providing visibility into the data uploaded to the cloud and data masking for sensitive information.
Some solutions offer temporary agents that can be downloaded for snapshot inspections or introspection queries that run a batch query of Microsoft logs or memory and disk inspection. Periodic state inspection will be useful in digital business partner assessments, incident response and inspecting unmanaged clients for high-trust transactions or data access scenarios. Although useful for unmanaged machines, temporary agents are unable to record what happens between snapshots and, thus, may miss critical short-duration events. Temp agents may also require the use of common credentials with elevated privileges to execute, which can be exploited later on for lateral movement.
Detection
One of the most critical EDR capabilities is the ability to detect sophisticated hidden threats, ideally without requiring externally fed IOCs. The biggest problem for any buyer of EDR solutions is determining the depth and accuracy of detection techniques. There are not yet any standardized public tests of detection capability. Vendors have excellent marketing departments capable of describing even the simplest techniques as if they were invincible ones; however, most organizations will benefit from improvements in detection beyond traditional EPP.
The MITRE organization has created the ATT&CK knowledge base of adversary tactics and techniques, which can be used to score a vendor’s detection capability across different stages of the attack chain. In the fall of 2018, MITRE conducted ATT&CK-based evaluations of select products. NSS Labs conducts annual tests, and AV-Comparatives is also a good starting point (see “Understand the Relative Importance of AV Testing in EPP Product Selection”).
Future attacks will continue to exploit higher in the stack, including the human layer, and lower in the stack, including firmware-level attacks and attacks on foundational protocols — for example, the Key Reinstallation Attack (KRACK) on the Wi-Fi encryption handshake. PowerShell and Windows utilities exploits are becoming routine. Full in-memory exploits that do not require file-based persistence methods are increasingly common. We also anticipate more attacks against common privileged applications, such as system management tools, and supply chain attacks such as the NotPetya attack (which started from the update of M.E.Doc software) and the CCleaner trojan. Detection methods will also have to address attacks that exploit previously stolen credentials.
The best defensive technique is to deploy a funnel approach to detection that moves from low-cost, but highly deterministic, techniques toward less deterministic techniques aimed at spotting unknown attacks. Solutions should deploy multiple detection approaches (see Note 3); however, the more advanced solutions will focus on behavioral detection at all levels of the stack aimed at spotting common tools, tactics and techniques of advanced adversaries. EDR vendors that also provide incident response services often provide early detection methods of new advanced attacks discovered by their incident response investigations.
Investigation
A security analyst’s ability to investigate EDR and other security alerts to determine the technical- and business-level impacts is a critical capability. Ideal solutions provide a graphic interface that supplies a visual view of events and shows all parent and child events, so that incidents can be traced to their origin and all effects can be shown. Connecting events in a chained attack may be difficult for some solutions. External intelligence — such as related incidents and IOCs, reputation information, and object verdicts from VirusTotal and threat actor information — is useful in scoping the potential impact of an incident. Community information, such as prevalence of objects and actions taken by others, is also valuable. Ideally, solutions will provide enough information that administrators can quickly identify which behaviors triggered alerts and determine the next steps to resolve alerts.
The key is to find solutions that provide guidance sufficient to enable less experienced operators to quickly resolve incidents, but with enough depth to provide sufficient detail for more experienced operators. Solutions are improving automation to take common actions for alerts based on previous actions and integrating with other security solutions to take common actions for remediation. This includes performing related incident searches, submitting objects to a sandbox or VirusTotal for analysis, or isolating machines on the network, blocking process from execution companywide, and coordinating with authentication and network resources to contain damage.
Leading solutions will provide the following features:
- Fast, real-time, natural language query tools that can get rapid answers to questions about IOC-type objects against the centralized data store or, optionally, against live systems.
- Risk-prioritized views based on the confidence and severity of the incident, as well as the business value of the assets affected. (Note: “Tagging” devices based on Active Directory, process, machine and network information is a very useful function for dynamically assigning business value.)
- Click-down attack chain visualization tools that enable investigators to easily pivot on interesting data elements or drill down for more information. (Note: Linking events of seemingly disparate IOCs is extremely important to consolidate alerts and show full attack impact.)
- Automatable fetching of suspect files or memory and disk dumps.
- Automatic integrated analysis of suspect processes/files in a cloud or on-premises sandbox, with clearly visible metadata, combined with global information (i.e., categorization, author, prevalence and providence). Not all EDR solutions provide a sandbox, but most have integration with popular third-party solutions.
- Severity and confidence indicators on threat alerts.
- Investigation tools that provide an alert management workflow to enable incidents to be assigned, transferred, annotated and easily resolved.
Containment and Remediation
Contextual actions (i.e., actions relevant to the incident) should be available in the administration interface to contain a suspected incident while it is being investigated. The most common option is simply to quarantine a suspected infected endpoint from the rest of the network and isolate its communications to the EDR management console while it is under investigation. Other initial containment options typically include process network isolation, process kill/block, process quarantine and hash-based blocking. Tagging solutions dynamically can provide a way to classify endpoints such that critical systems are not taken offline. Interaction with end users may also be necessary; thus, full directory information with user contact details can be helpful. Leading solutions will provide an instant messaging communications window with the end user.
Although most enterprise organizations reimage machines for all but the most simplistic threats, this approach is expensive and disruptive. Leading EDR solutions should have enough detailed event history information to outline repair actions that will roll back the recorded malicious activity. Leading solutions present operators with a detailed remediation task list and the ability to make changes to the endpoints. Larger organizations are likely to have rigid change control policies and separation of duties between operations and the security teams. As such, EDR tools should be able to transfer the repair tasks list to other operations tools and, ideally, integrate with ticketing systems.
Remediation is the least mature function in the current crop of EDR tools, and most tools focus on simply containing the threat.
Representative Vendors
The vendors listed in this Market Guide do not imply an exhaustive list. This section is intended to provide more understanding of the market and its offerings.
Market Introduction
Vendors that provide EDR capability come from several IT security markets. Dedicated startup vendors focus specifically on EDR capability for enterprise SOC teams. Some of the Visionary EPP vendors in the Magic Quadrant come from the EDR market, but have added prevention to compete in the EPP market. These vendors continue to be distinguished by functional integration of EDR concepts into the solution, versus the bolted-on approach of the EPP vendors that have been developing their own EDR capabilities. Two client management tool (CMT) vendors have added EDR capability. Network security vendors are adding EDR capability, mainly via acquisition. Finally, some vendors in the broader security market have acquired or built their own EDR capability.
Table 1 lists 32 representative providers in this market and each provider’s product, service or solution name.
Table 1: Representative Vendors in Endpoint Detection and Response Solutions
Vendor
|
Product, Service or Solution Name
|
---|---|
Binary Defense Vision
| |
GravityZone Ultra Suite
| |
Cb Response, Cb Defense
| |
SandBlast Agent
| |
Advanced Malware Protection for Endpoints
| |
Predictive Endpoint Protection Platform
| |
Falcon Endpoint Protection
| |
Endpoint Detection and Response
| |
Deep Detect & Respond
| |
CylanceOPTICS
| |
Cynet 360
| |
Endpoint Detection and Response
| |
Endgame
| |
enSilo
| |
ESET Enterprise Inspector
| |
Fidelis Endpoint
| |
Endpoint Security
| |
Rapid Detection & Response
| |
Kaspersky Lab (see Note 4)
|
Endpoint Detection and Response
|
Endpoint Protection & Response
| |
Active Response
| |
Advanced Threat Protection
| |
Guidance Endpoint Detection and Response
| |
Adaptive Defense
| |
NetWitness Endpoint
| |
SentinelOne
| |
Intercept X
| |
Advanced Threat Protection
| |
Threat Response
| |
Apex One
| |
Threat Detection & Response
| |
Zenith
|
Source: Gartner (November 2018)
Market Recommendations
Before investing in EDR technology, EDR buyers should consider organizational maturity, incident response frequency and security vendor inventory. The key value of EDR solutions is detecting threats that have evaded other protection technologies.
Faster resolution of security alerts and faster incident response are key buying criteria for SOC teams. EDRs can reduce alerts into more consolidated incidents and can be used for malware hunting. However, they require more experienced operators, are yet another agent and console to manage, and can increase false positives.
Organizations with mature security programs and SOCs that would like to improve incident response, reduce alert fatigue and begin hunting should invest in advanced EDR capabilities from dedicated EDR vendors.
Organizations that are maturing, and would like to improve the detection of advanced threats and incident response, will find that most solutions are better than what they are currently using. They should consider ease of use and guided investigations, as well as integration with incumbent security tools, to be critical capabilities.
Low-maturity organizations should invest in vulnerability and configuration management, and other controls before investing in EDR tools. Eventual investments in EDR should be as features of more comprehensive solutions that will improve prevention, as well as detect and respond.
Smaller organizations that are potential victims of advanced attacks, but have few IT resources, should invest in managed security service provider (MSSP) services that offer managed EDR solutions such as managed detection and response (MDR) services.
Note 1Representative Vendor Selection
The vendors listed in this Market Guide have EDR products in the market that meet the market definition and have verifiable customers using the products.
Note 2Capability Matrix
Basic common capability:
- IOC-based detections
- Manual hunting
- Lack of attribution or threat intelligence
- Limited remediation
- Hunting = search query
More advanced capability:
- On-agent detection and prevention
- Integrated multiengine detection
- Analytics/machine learning — anomaly detection
- Behavioral detection — predeveloped and custom
- Timeline threat graphic views
- Guided investigations
- Protection
- Visual interface
- Easy pivot
- Asset tagging
- Security state assessments
- Root cause assessments
- MSSP services
- Cloud delivery
Advanced capability designed for dedicated SOC buyers:
- Role-based access control (RBAC)
- Workflow and case management
- Community
- Forensics — memory and disk forensics preservation and analysis
- Open APIs for both inbound and outbound data sharing
- Advanced hunting — memory analysis, disk analysis and UEBA-like algorithms
- Deception
- Attacker simulation — i.e., attack path
- On-premises, optional delivery — larger-scale, tens of thousands of seats per server
Note 3Detection Techniques
IOCs and object reputation information provide a low-cost approach, but represent a high volume of information to inspect. IOC information has a short useful life because it is the easiest part of the attack chain for adversaries to automatically change rapidly.
Inspecting portable executable files is the second-most-common technique. File census data (e.g., first seen, first run, certificates and VirusTotal score) should be used to surface suspect files for further analysis. Not all solutions inspect all file types, so ensure that prospect solutions inspect interpreted scripts, such as Java, PowerShell and Perl, and Office document macros. File inspection can be accomplished in several ways:
- Signatures — Direct hashes of known files, stored in a local cache database or cloud database, are the standard of antivirus vendors. To be effective, signature databases should contain both good and bad files. This is a low-overhead detection method, but its limitations are well-known.
- Algorithms — Trained machine learning detection methods are gaining in popularity. These solutions do not require the maintenance of a signatures database and are more accurate at detecting variants of known bad files. However, they are potentially subject to gaming the algorithm, and often cause high false-positive detections.
- Emulated — Some solutions inspect the file code in real time, looking for partial matches to known bad code snippets. It is harder for attackers to change the entire code.
- Sandboxed — Files are executed in a virtual environment and detected using behavioral detection methods.
Behavioral detection methods offer the highest flexibility and are often hard for attackers to hide with automation. A series of behaviors characterize the tradecraft of the attack type, which is harder to change. Behavioral indicators can be high-level or lower in the stack — for example, at the user process or network level (e.g., late-night admin account login, using nonstandard LAN/application traffic to a new external address). They can also be at the application level (e.g., Word doc spawn “cmd.exe,” starts PowerShell with downloaded pastebin code) or the process level (e.g., process injection or dynamic-link library hijack). Behavioral indicators are often late in the kill chain and, in some cases, may be too late if the attackers can gain control and tamper with protection and detection techniques.
Note 4Kaspersky Lab
In September 2017, the U.S. government ordered all federal agencies to remove Kaspersky Lab’s software from their systems. Several media reports, citing unnamed intelligence sources, made additional claims. Gartner is unaware of any evidence brought forward in this matter. At the same time, Kaspersky’s initial complaints have been dismissed by a U.S. District of Columbia court.
Kaspersky has launched a transparency center in Zurich where trusted stakeholders can inspect and evaluate product internals. Kaspersky has also committed to store and process customer data in Zurich, Switzerland. Gartner clients, especially those who work closely with U.S. federal agencies, should consider this information in their risk analysis and continue to monitor this situation for updates.
source : https://www.gartner.com/doc/reprints?id=1-5Y6HEW5&ct=181214&st=sb&mkt_tok=eyJpIjoiTXpZelpURm1NVFl6WVRNMSIsInQiOiJrR2dCSVpoNXNzaXY3YkU3WGU2cXYwTVdYdldLbExDUENDUEhnTXh1bGhCY0QwcHBpSGNIQmNBVVpiMktyVG83alBSbXBkdmZBdmEwNGJ5Yk1LTGtRVFREaGV6dXlVdXMxMjhxaDBEUjZ2Z1hXcFwvTVN5NFwvUEErSThuT3NJQzF5In0%253D