Eric Herzog, Infinidat | CUBEConversation
>>Hey everyone, welcome to this Cube Conversation. I'm your host Lisa Martin, and I have the pleasure of welcoming back our most prolific guest on the Cube in its history, the CMO of Infinidat, Eric Herzog. Eric, it's great to see you. Welcome back,
>>Lisa. It's great to be here. Love being on the Cube. I think this might be number 55 or 56. Been doing 'em a long time with the Cube. You guys are great.
>>You, you have, and we always recognize you lately with the Hawaiian shirts. It's your brand that's, that's the Eric Herzog brand. We love it. But I like the pin, the Infinidat pin on brand. Thank you.
>>Yeah. Oh, gotta be on brand.
>>Exactly. So talk about the current IT landscape. So much change we've seen in the last couple of years. Specifically, what are some of the big challenges that you are talking with enterprise customers and cloud service providers about? What, what are some of those major things on their minds?
>>So there's a couple things. First of all is obviously with the rocky economy and even before COVID, just for storage in particular, CIOs hate storage. I've been doing this now since 1986. I have never, ever, ever met a CIO at any company I've been with. And I've been with four of the biggest storage companies on this planet. Never met a CIO who used to be a storage guy. So they know they need it, but boy, they really don't like it. So the storage admins have to manage more and more storage. Exabytes, exabytes, it's just ballooning for what a storage admin has to do. Then you then have the COVID and is it recession? No. Is it a growth? And then clearly what's happened in the last year with what's going on in Europe and the, is it a recession, the inflation. So they're always looking to, how do we cut money on storage yet still get what we need for our applications, workloads, and use cases. So that's definitely the biggest, the first topic.
>>So never met a CIO that was a storage admin or as a fan, but as you point out, they need it.
And we've seen needs changing in customer landscapes, especially as the threat landscape has changed so dramatically the last couple of years. Ransomware, you've said it before, I say it too. It's no longer if, it's when, it's how often. It's the frequency. We've gotta be able to recover. Backups are being targeted. Talk to me about some of, in that landscape, some of the evolutions of customer challenges and maybe those CIOs going, we've gotta make sure that our, our storage data is protected.
>>So it's starting to change. However, historically with the CIO and then when they started hiring CISOs or security directors, whatever they had, depending on the company size, it was very much about protecting the edge. Okay, if you will, the moat and the wall of the castle. Then it was the network in between. So keep the streets inside the castle clean. Then it was tracking down the bad guy. So if they did get over, the issue is, if I remember correctly, the Sheriff of Nottingham never really caught Robin Hood. So the problem is the dwell time where the ransomware, malware's hidden on storage could be as much as 200 days. So I think they're starting to realize at the security level now, forget, forget the guys on the storage side, the security guys, the CSO, the CIO, are starting to realize that if you're gonna have a comprehensive cybersecurity strategy, it must include storage. And that is new.
>>That, well, that's promising then. That's new. I mean obviously promising given the, the challenges and the circumstances. So then from a storage perspective, customers that are in this multi-cloud hybrid cloud environment, you talked about the, the edge, cloud, on-prem. What are some of the key things from a storage perspective that customers have to achieve these days to be secure as data volumes continue to grow and spread?
>>So what we've done is implement on both primary storage and secondary storage a technology called InfiniSafe.
So InfiniSafe has the four legs of the storage cyber security stool. So first of all is creating an air gap. In this case, a logical air gap, can be local or remote. We create an immutable snapshot, which means it can't be changed, it can't be altered, so you can't change it. We have a fenced forensic environment to check out the storage because you don't wanna recover. Again, malware and ransomware can be hidden. So you could be making immutable snapshots of actually malware, ransomware, and never know you're doing it, right? So you have to check it out. Then you need to do a rapid recovery. The most important thing if you have an attack is how fast can you be up and going with recovery? So we have actually instituted now a number of cyber storage security guarantees.
>>We will guarantee the SLAs on, A, the snapshot is absolutely immutable. So they know that what they're getting is what they were supposed to be getting. And then also we are guaranteeing recovery times on primary storage. We're guaranteeing recovery of under one minute. We'll make the snapshot available under one minute and on secondary storage under 20 minutes. So those are things you gotta look for from a security perspective. And then the other thing you gotta practice, in my world, ransomware, malware, cyber attack is basically a disaster. So yes, you got the hurricane, yes, you got the flood, yes, you got the earthquake. Yes, you got the fire in the building. Yes, you got whatever it may be. But if you don't practice malware, ransomware, recoveries and protection, then it might as well be a hurricane or earthquake. It will take your data,
>>It will take your data. And the numbers of customers that pay ransom is pretty high, isn't it? And, and not necessarily able to recover their data. So it's a huge risk.
>>So if you think about it, the government documented that last year, roughly $6 trillion was spent either protecting against ransomware and malware or paying ransomware attacks.
And there's been several famous ones. There was one in Korea, 72 million ransom. It was one of Korea's largest companies. So, and those are only the ones that make the news. Most of 'em don't make the news. Right.
>>So talk to me then, speaking of making the news. Nobody wants to do that. We, we know every industry is vulnerable to this. Some of the ones that might be more vulnerable, healthcare, government, public sector, education. I think the Los Angeles Unified School District was just hit as well in September. They
>>Were
>>What, talk to me about how Infinidat is helping customers really dial down the risk when the threat actors are becoming more and more sophisticated?
>>Well, there's a couple things. First of all, our InfiniSafe software comes free on our main product. So we have a product called InfiniGuard for secondary storage and it comes for free on that. And then our primary storage product's called the InfiniBox. It also comes for free. So they don't have to use it, but we embed it. And then we have reference architectures that we give them, our SEs, our solutions architects and our technical advisors all up to speed on why they should do it, how they should do it. We have a number of customers doing it. You know, we're heavily concentrated the global Fortune 2000, for example, we publicly announced that 26% of the Fortune 50 use our technology, even though we're a small company. So we go to extra lengths to, A, be educated on our own front, our own teams, and then B, make sure they portray that to the end users and our channel partners. But the end users don't pay a dime for the software that does what I just described, it's free, it's included when you get your InfiniBox or your InfiniGuard, it's included at no charge.
>>That's pretty differentiating from a competitive standpoint. I might, I would guess
>>It is. And also the guarantee.
So for example, on primary storage, okay, whether you'd put your Oracle or put your SAP or your Mongo or your SQL or your highly transactional workloads, right? Your business finance workload, all your business critical stuff. We are the first and only storage company that offers a primary guarantee on cyber storage resilience. And we offer two of them on primary storage. No other vendor offers a guarantee, which we do on primary storage. Whether you the first and right now as of here we are sitting in the middle of October. We are still the only vendor that offers anything on primary storage from a guaranteed SLA on primary storage for cyber storage resilience.
>>Let's talk about those guarantees. Walk me through what you just announced. There's been a, a very, a lot of productivity at Infinidat in 2022. A lot of things that you've announced, but unpack some of the things you're announcing. Sure. Talk to me specifically about those guarantees and what's in it for me as a customer. It sounds pretty obvious, but I'd love to hear it from you.
>>Okay, so we've done really three different types of guarantees. The first one is we have a hundred percent availability guarantee on our primary storage. And we've actually had that for the last, since 2019. So it's a hundred percent availability. We're guaranteed no downtime, a hundred percent availability, which for our customer base being heavily concentrated, the global Fortune 2000, large government enterprises, big universities and even smaller companies, we do a lot of business with CSPs and MSPs. In fact, at the Flash Memory Summit our InfiniBox SSA all-flash was named the best product for hyperscaler deployment. Hyperscaler basically means cloud service provider. So they need a hundred percent availability. So we have a guarantee on that. Second guarantee we have is a performance guarantee.
We'll do an analysis, we look at all their workloads and then we will guarantee in writing what the performance should be based on which, which of our products they want to buy, our InfiniBox or InfiniBox SSA, which is all flash.
>>Then we have the third one is all about cyber resilience. So we have two on our InfiniBox, our InfiniBox SSA for primary storage, which is, one, the immutability of the snapshot, and immutability means you can't erase the data, right? Can't tamper with it. Second one is on the recovery time, which is under a minute. We just announced in the middle of October that we are doing a similar cyber storage resilience guarantee on our InfiniGuard secondary product, which is designed for backup recovery, et cetera. We will also offer the immutable snapshot guarantee and also one on the recoverability of that data in under 20 minutes. In fact, we just did a demo at our live launch earlier this week and we demoed 20 petabytes of Veeam backup data recovered in 12 minutes. 12
>>Minutes 2012.
>>20 petabytes In
>>12 bytes in 12 minutes. Yes. That's massive. That's massively differentiating. But that's essential for customers cuz you know, in terms of backups and protecting the data, it's all about recovery
>>And once they've had the attack, it's how fast you get back online, right? That, that's what happens if they've, if they can't stop the attack, can't stop the threat and it happens. They need to get that back as fast as they can. So we have the speed of recovery on primary storage, the first in the industry, and we have speed on the backup software and we'll do the same thing for a backup data set recovery as well.
>>Talk to me about the, the what's in it for me, for the cloud service providers, they're obviously the ones that you work with are competing with the hyperscalers. How does the guarantees and the differentiators that Infinidat is bringing to market? How do you help those cloud SPs dial up their competitiveness against the big cheeses?
>>Well, what we do is we provide that underlying infrastructure. We, first of all, we only sell things that are petabyte in scale. That's like all we sell. So for example, on our InfiniGuard product, the raw capacity is over four petabytes. And the effective capacity, cuz you do data reduction, is over 85 petabytes. On our newest announced product, on our primary storage product, we now can do up to 17 petabytes of effective capacity in a single rack. So the value to the service provider is they can save on watts, slots, power and floor. A greener data center. Yeah, right. Which by the way is not just about environmentals, but guess what? It also translates into operational expense.
>>Exactly. CapEx office,
>>With a lot of these very large systems that we offer, you can consolidate multiple products from our competitors. So for example, with one of the competitors, we had a deal that we did last quarter, 18 competitive arrays into one of ours. So talk about saving, not just on all of the operational expense, including operational manpower, but actually dramatically on the CapEx. In fact, one of our Fortune 500 customers in the telco space over the last five years have told us on CapEx alone, we've saved them $104 million on CapEx by consolidating smaller technology into our larger systems. And one of the key things we do is everything is automated. So we call it autonomous automation, use AI based technology. So once you install it, we've got several public references who said, I haven't touched this thing in three or four years. It automatically configures itself. It automatically adjusts to changes in performance and new apps. When I put in point a new app at it automatically. So in the old days the storage admin would optimize performance for a new application. We don't do that, we automatically do it and autonomously the admin doesn't even click a button.
We just sense there's new applications and we automate ourselves and configure ourselves without the admin having to do anything. So that's about saving operational expense as well as operational manpower.
>>Absolutely. I was, one of the things that was ringing in my ear was workforce productivity and obviously those storage admins being able to, to focus on more strategic projects. Can't believe the CIOs aren't coming around yet. But you said there's, there's a change, there's a wave coming. But if we think about the, the, the what's in it for me as a customer, the positive business outcomes that I'm hearing, lower TCO, your greener IT, which is key. So many customers that we talk to are so focused on sustainability and becoming greener, especially with an on-prem footprint, workforce productivity. Talk about some of the other key business outcomes that you're helping customers achieve and how it helps them to be more competitive.
>>Sure. So we've got a, a couple different things. First of all, storage can't go down. When the storage goes down, everyone gets blamed. Mission. When an app goes down, no one really thinks about it. It's always the storage guy's fault. So you want to be a hundred percent available. And that's today's businesses, and I'd actually argue it's been this way for 20 years, are 24 by seven by 365. So that's one thing that we deliver. Second thing is performance. So we have public references talk about their SAP workload that used to take two hours, now takes 20 minutes, okay? We have another customer that was doing SAP queries. They improved their performance three times. Not 3%, not 3%, three times. So 300% better performance just by using our storages. They didn't touch the SAP, they didn't touch the servers. All they do is to put our storage in there.
>>So performance relates basically to applications, workloads and use cases and productivity beyond it.
So think the productivity of supply chain guys, logistics guys, the shipping guys, the finance guys, right? All these applications that run today's enterprises. So we can automate all that. And then clearly the cyber threat. Yeah, that is a huge issue. And every CIO is concerned about the cyber threat. And in fact, it was interesting, Fortune magazine did a survey of CEOs, and this was last May, the number one concern, 66% in that May survey was cyber security, number one concern. So this is not just a CIO thing, this is a CEO thing and a board level
>>Thing. I was gonna say it's at, at the board level that the cyber security threats are so real, they're so common. No one wants to be the next headline, like the Colonial Pipeline, right? Or the school districts or whatnot. And everybody is at risk. So then what you're enabling with what you've just announced, the, all the guarantees on the SLAs, the massively fast recovery times, which is critical in cyber recovery. Obviously resilience is, is key there. Modern data protection it sounds like to me. How do you define that and, and what are customers looking for with respect to modern cyber resilience versus data protection?
>>Yeah, so we've got normal data protection because we work with all the backup vendors. Our InfiniGuard is what's known as a purpose built backup appliance. So that allows you to back up at a much faster rate. And we work all the big backup vendors, IBM Spectrum Protect, we work with Veritas, Veeam, Commvault, Oracle RMAN, anybody who does backup. So that's more about the regular side, the traditional backup. But the other part of modern data protection is infusing that with the cyber resilience. Cuz cyber resilience is a new thing. Yes, from a storage guy perspective, it hasn't been around a long time. Many of our competitors have almost nothing. One or two of our competitors have a pretty robust, but they don't guarantee it the way we guarantee it. So they're pretty good at it.
But the fact that we're willing to put our money where our mouth is, we think says we price stand above and then most of the other guys in the storage industry are just starting to get on the bandwagon of having cyber resilience.
>>So that changes what you do from data protection, what would call modern data protection is a combination of traditional backup recovery, et cetera. Now with this influence and this infusion of cybersecurity, cyber resilience into a storage environment. And then of course we've also happened to add it on primary storage as well. So whether it's primary storage or backup and archive storage, we make sure you have that right cyber resilience to make it, if you will, modern data protection and diff, different from what it, you know, the old backup of your grandfather, father, son backup in tape or however you used to do it. We're well beyond that now, we adding this cyber resilience aspect. Well,
>>From a cyber resilience perspective, ransomware, malware, cyber attacks are, that's a disaster, right? But traditional disaster recovery tools aren't really built to be able to pull back that data as quickly as it sounds like Infinidat is able to facilitate.
>>Yeah. So one of the things we do is in our reference architectures and written documentation as well as when we do the training, we tell the customers you need to practice, if you practice when there's a fire, a flood, a hurricane, an earthquake or whatever is the natural disaster you're practicing, that you need to practice malware and ransomware. And because our recovery is so rapid and in the case of our InfiniGuard, our fenced environment to do the testing is actually embedded in it. Several of our competitors, if you want the fenced environment, you have to buy a second product. With us, it's all embedded in the one item. So A, that makes it more effective from a CapEx and OpEx perspective, but it also makes it easier. So we recommend that they do the practice recoveries monthly.
Now whether they do it or not, separate issue, but at least that's what we're recommending and say, you should be doing this on a monthly basis just like you would practice a disaster, like a hurricane or fire or a flood or an earthquake. Need to be practicing. And I think people are starting to hear it, but they don't still think more about, you know, the flood. Yeah. Or about
>>The H, the hurricane.
>>Yeah. That's what they think about. They're not yet thinking about cybersecurity as really a disaster model. And it is.
>>Absolutely. It is. Is, is the theme of cyber resilience, as you said, this is a new concept, a lot of folks are talking about it, applying it differently. Is that gonna help dial up those folks just really being much more prepared for that type of cyber disaster?
>>Well, we've made it so it's automated. Once you set up the immutable snapshots, it just does its thing. You don't set it and forget it. We create the logical air gap. Once you do it, same thing. Set it and forget it. The fenced forensic environment, easy to deploy. You do have to just configure it once and then obviously the recovery is almost instantaneous. It's under a minute guaranteed on primary storage and under 20 minutes, like I told you when we did our launch this week, we did 20 petabytes of Veeam backup data in 12 minutes. So that's pretty incredible. That's a lot of data to have recovered in 12 minutes. So the more automated we make it, which is what our real forte is, is this autonomous automation and automating as much as possible and make it easy to configure when you do have to configure. That's what differentiates what we do from our perspective. But overall in the storage industry, it's the recognition finally by the CISOs and the CIOs that, wait a second, maybe storage might be an essential part of my corporate cybersecurity strategy. Yes. Which it has not been historically,
>>But you're seeing that change. Yes.
>>We're starting to see that change.
>>Excellent.
So talk to me a little bit before we wrap here about the go to market one. Can folks get their hands on the updates to InfiniGuard and InfiniSafe and InfiniBox?
>>So all these are available right now. They're available now either through our teams or through our, our channel partners globally. We do about 80% of our business globally through the channel. So whether you talk to us or talk to our channel partners, we're there to help. And again, we put our money where your mouth is with those guarantees, make sure we stand behind our products.
>>That's awesome. Eric, thank you so much for joining me on the program. Congratulations on the launch. The, the year of productivity just continues for Infinidat is basically what I'm hearing. But you're really going the extra mile for customers to help them ensure that the inevitable cyber attacks, that they, that their complete storage environment on prem will be protected and more importantly, recoverable very quickly. We appreciate your insights and your input.
>>Great. Absolutely love being on the Cube. Thank you very much for having us.
>>Of course. It's great to have you back. We appreciate it. For Eric Herzog, I'm Lisa Martin. You're watching this Cube Conversation live from Palo Alto.
Danielle Greshock, AWS & Caroline Seymour, Zerto | AWS re:Invent 2021
>>Yeah. Welcome back to AWS re:Invent 2021. This is the live edition. Last year, of course, it was virtual. This is probably the most important hybrid event of the year. Over 20,000 people. We have two sets here at the Cube. My name is David. I'm really excited to have Caroline Seymour on, the vice president of product marketing at Zerto, which is now an HPE company. And Danielle, who is the director of worldwide partner SAs at AWS. Folks, welcome to the, good to see you.
>>Yeah, great to be here. So,
>>Caroline, you got some news. Why don't we start there, hard news? We always like to start with that.
>>First of all, I think I just like to talk a little bit about the acquisition because it has been acquired by HPE. And in September, we announced, um, disaster recovery as a service as part of the GreenLake platform. And so that's really exciting. Both from, uh, customers as well as also HPE customers. But the innovation continues here at AWS re:Invent, we are announcing a new solution, Zerto In-Cloud, which is a disaster recovery for Amazon EC2, um, and if I think about the value that it brings to the customers, it's delivering orchestrated disaster recovery, it's delivering that simplicity at scale, and scale is a very important aspect because it will deliver that from tens to thousands of workloads, and as well, it's helping organizations to drive more operational efficiencies around their processes. So that's sort of a nutshell of the news. The cloud for AWS
>>great. Thank you for that. So I wanna ask you, obviously, in lock down, people look to the cloud. Uh, and you know, data protection used to be just back up, and then people realize that recovery is important, but it used to be a bolt on, an afterthought. You sort of launch the application or the service. And so we got to protect this thing and whatever and throw it on there, that, that's unacceptable. Today, you're not going to run your digital business with a bolt on. So what are customers telling you in terms of what they want to see from their data protection portfolios and how are you seeing the ecosystem and AWS helping them to integrate that
>>absolutely well to your point, the pandemic has absolutely accelerated a lot of businesses' movement into the cloud. So companies that hadn't formerly thought about using cloud technologies are now doing that. And for them, in order to have a very simple and easy and scalable data protection solution, is critical for them to feel comfortable into moving into AWS. And so that's what we're seeing from a lot of customers. Um, and of course, back to your point about recovery with the challenges around ransomware, um, that is definitely an area where a lot of companies have just done their back up. But they're also testing it and making sure that it's something that they know that they can rely on, um, as they move their workloads into the cloud.
>>And speaking of ransomware, I mean, it's just front and center. Anybody can be a ransomware. Today they go in the dark web, buy ransomware service. They put a stick into a server and then bad things happen. Hopefully that, that individual ends up in handcuffs, but not always, so when we've seen ransoms getting paid, $40 million ransoms, multi-million dollar. And we all know about the fact that our front and center. So what are you seeing in terms of the customer base? How are HPE and Zerto helping, and where does AWS fit? Maybe you could start off, Caroline.
>>Great question, because I think from the perspective, we look at it from the need for recovery. Uh, strategy as part of your overarching, um, security and prevention is, is one aspect that you always need two prevention. But to us, it's a matter of not if you're going to be attacked. It's when and when that gets through your firewall.
And so you need to be able to have a recovery strategy in place that allows you to recover in minutes to set to within seconds of when that, when an attack actually happens. And, um, I can give a case in point, for example, there's a company, TenCate Protective Fabrics, textiles manufacturing company, multi-million business. And they suffered two attacks, crypto attack first time, and they were using more traditional, um, backup to tape. And it took them two weeks to recover having been attacked, and they suffered significant data loss, and then they deployed Zerto. Um, unfortunately, a little while later, they were attacked a second time with more sophisticated case of So it continues. Um, but this time the recovery was very different. What happened was that they were able to recover within minutes and they had seconds of data loss. And that is because of our CDP technology, CDP being continuous data protection. And that is with our replication and a unique journaling capability that allows you to, uh, set up the different checkpoint. So you have thousands of recovery points and you can recover to a specific recovery point within seconds of that attack. Very, very powerful.
>>I wanna ask you a question and what Caroline was just talking about with the classic metrics in this business, RPO, RTO. RPO, recovery point objective. Always say, how much data do you want to lose? And people say none. Okay, how much? What kind of budget do you have? So that's always been the trade-off, although, as you mentioned, it's getting a little bit more cost-effective, and then recovery time objective. How long does it take you to get back up. Absolutely. So, so. Those are some of the concepts that you were talking about. I wanna ask you, Danielle, it feels like, and Caroline, you feel like data protection is now becoming. It's certainly a tight adjacent to overall security. It's not security per se sick of it, so but it's, but it's becoming. The lines are blurring.
How do you see that you have a shared responsibility model? Where does this whole topic fit in? >>Well, I think lots of companies are really finding a lot of value in their data, right. Whereas, you know, perhaps years ago it was less. It was easy to hang on to it, to actually make it valuable to do metrics and analytics on it to do machine learning, perhaps on it. And so, by having, um, products such as the product, you know, they're now able to hang on to that data and make sure that they have it in perpetuity so that they can do what they need to do on it. So, yes, we're seeing, you know, companies that were traditionally storage cos thinking about security, security cos thinking about data, so yes, all of those lines are being blurred for sure. And I think that, you know, as far as the shared security model we think of the you know, we think of our partners and ourselves, obviously as extensions. And we're really looking to have the best customer experience that we can >>can I think every company security company, Obviously you impact enterprise care a lot about security AWS. I don't know any company because I don't really care about security. That's not my swim lane out of business. If you had that attitude now. So from your standpoint, where does it fit inside of you know, you're you're thinking, How are you guys thinking about security and data protection? Backup and recovery? Is it all just coming together or they still kind of separate entities? >>No, you're absolutely right. It is coming together, and what we're seeing is we're having a lot more conversations with CISOs, um so the more the security offices of organizations and I think what's happening is that's where the budget is too. And so you're saying they're sort of the working together on the IT and also the Office of Security too, um so we're having more conversations there, and we see that, as I mentioned before, the recovery strategy is a key element of our focus. 
And what we can do is part of the overarching strategy of an organization. >>So what? How should we think about the cloud? Is it another layer of protection? Um, is it a replacement for tape? Maybe not, but we need as much protection as possible. So how should we think about the cloud in the context of data protection? >>Well, the cloud, Yeah, absolutely. Um can provide an alternative to tape or, um disk, for example, of this year. We also added support for immutability preserved for AWS. With so we are ensuring in the fact that you know you can be changed so that that's absolutely critical. >>So that's a write-once, read-only technology. That's a service that you tap. So you're integrating, Zerto's integrating with that capability. So that's another layer of protection. That's another layer of protection. And then, of course, you know there's there's gaps, is another part of the strategy. So let's talk strategy for a minute. What's the I know it's not one size fits all, but what are you seeing as best practice strategies for customers to protect themselves against traditional just human error? Cyber attacks? What's the what's the sort of prevailing approach? How should we think about that? >>Well, I mean, you're absolutely right. Those the, you know, the file deletions, the database corruptions, and so our solutions, that is, our continuous data protection. It absolutely is, um, the ability to be able to get that granular level of recovery, which you can do with backups. I'm not saying that backup isn't part of your overall strategy, but if you're actually trying to recover quickly and within seconds to whether it's an attack to whether it's a file deleted, a database corruption, you need that continuous data protection. And that's something that you need to us that we've been delivering since the day that um was formed. So >>that's your secret sauce is it is a very granular ability to dial down based on your RPO. 
That's requirements based on the application requirements, uh, and then bring in the cloud for things like immutability. Maybe gapping. Maybe last resort is still the last resort. I don't know. Maybe >>there. So, um, you know, AWS to be a target for disaster recovery. So all backup. >>You talk about that? >>Yeah. So, with what we have enabled is first of all, if you want to, um, migrate your workloads to AWS. And we're seeing an awful lot of that. We provide that capability. So the mobility aspect, if you are looking at instead of an on-premises disaster recovery site, you can use AWS DR site. Um, and if you want to back up to AWS and use, um, cost-efficient storage, we support that with cloud tiering and immutability. And as I say today, we're announcing cloud for AWS, which is once you've got your workloads in AWS. We can protect them now in, um, in AWS itself. So the full spectrum. And then earlier this year, we announced for Kubernetes for US workloads, So we're really trying to ensure that we can protect any AWS workload wherever it is. >>So I look around here pretty impressive given that we're in the second year of a pandemic here, pretty packed floor. But the ecosystem is just exploding. That's gonna make you feel good. Cos like choosing to partner with AWS leaning in writing to your cloud-native tooling. Maybe give us the update on how you see this partnership. >>Well, I mean, just to Caroline's earlier point, you can see how Zerto is continuing to innovate, right? And that's really key. So, um, having a cloud-native solution and then also having a solution that works for us. We're seeing a lot of companies thinking about containers, thinking about serverless. And so, you know, the best partnerships that we have are the ones in which they're innovating with us continuously. And I've known about since I started in 2014. So they've been around for a long time, and they're continuing, um, to do that. 
And they are working closely with us to do P O. C. D. S. and to help our customers really get what they need, um, in the data protection space and continuing to innovate, which is >>your customers, they want that they need that you're deep into data protection. Yes. You're scale of cloud But you're not going to have the capabilities of Stack. So that one plus one hopefully is greater than two. How do you where can we find out more information about you know, the new solutions? What's the what's the call to >>action culture as well? A couple of things. We've, uh we just We just launched deserted for AWS hands-on lab. And what that does is allow in your own time in your own environment to be able to try with AWS as a target and backup. Um, so we've just launched that and that enables you to see how it works with AWS. We also have for Kubernetes, um, lab as well, so you can see how it works with a K s. Uh, coming soon, we're going to have to in cloud lab that you can actually see how to protect your workload in the cloud in AWS. So those are the really the best ways to be able to Well, for a call to action is try. The lab really is >>awesome. Guys, thanks so much for coming to the Cube. Very important topic and keep up the good work. >>Thank you. Thank you. Very well. So >>we're seeing the evolution of data protection rethinking data protection in 2020. No longer is it a bolt-on cloud modernization with deep stacks. Fine granularity for your RPO. But also quick recovery protection from ransomware. It's a whole new world, and we're here to cover it. My name is David. You're watching the Cube, the leader in high tech coverage. We'll be right back.
ENTITIES
Entity | Category | Confidence |
---|---|---|
Daniel | PERSON | 0.99+ |
David | PERSON | 0.99+ |
Caroline | PERSON | 0.99+ |
September | DATE | 0.99+ |
AWS | ORGANIZATION | 0.99+ |
2014 | DATE | 0.99+ |
$40 million | QUANTITY | 0.99+ |
2020 | DATE | 0.99+ |
Caroline Seymour | PERSON | 0.99+ |
Amazon | ORGANIZATION | 0.99+ |
two weeks | QUANTITY | 0.99+ |
Danielle Greshock | PERSON | 0.99+ |
Xero | ORGANIZATION | 0.99+ |
Today | DATE | 0.99+ |
last year | DATE | 0.99+ |
ISO | ORGANIZATION | 0.99+ |
Serato | ORGANIZATION | 0.99+ |
first time | QUANTITY | 0.99+ |
one aspect | QUANTITY | 0.99+ |
second time | QUANTITY | 0.99+ |
Both | QUANTITY | 0.99+ |
today | DATE | 0.99+ |
Over 20,000 people | QUANTITY | 0.98+ |
Zerto | PERSON | 0.98+ |
two sets | QUANTITY | 0.98+ |
H B | ORGANIZATION | 0.98+ |
thousands | QUANTITY | 0.98+ |
earlier this year | DATE | 0.98+ |
two | QUANTITY | 0.97+ |
US | LOCATION | 0.97+ |
H. P. | ORGANIZATION | 0.95+ |
First | QUANTITY | 0.94+ |
Cube | ORGANIZATION | 0.91+ |
10 Carter Protective | ORGANIZATION | 0.91+ |
Last resort | ORGANIZATION | 0.91+ |
one | QUANTITY | 0.89+ |
Ransom | ORGANIZATION | 0.88+ |
W s | ORGANIZATION | 0.88+ |
pandemic | EVENT | 0.87+ |
2021 | DATE | 0.87+ |
second year | QUANTITY | 0.87+ |
zero | QUANTITY | 0.86+ |
this year | DATE | 0.85+ |
million | QUANTITY | 0.83+ |
thousands of recovery points | QUANTITY | 0.83+ |
Office of Security | ORGANIZATION | 0.82+ |
work | QUANTITY | 0.82+ |
A W s. | ORGANIZATION | 0.81+ |
Ransomware | ORGANIZATION | 0.81+ |
years ago | DATE | 0.77+ |
seconds | QUANTITY | 0.76+ |
H p | ORGANIZATION | 0.72+ |
first | QUANTITY | 0.72+ |
Green Lake | ORGANIZATION | 0.69+ |
Cube | COMMERCIAL_ITEM | 0.65+ |
Bolton | ORGANIZATION | 0.65+ |
W | ORGANIZATION | 0.61+ |
twenty- | QUANTITY | 0.49+ |
one | COMMERCIAL_ITEM | 0.4+ |
20 | QUANTITY | 0.4+ |
John Maddison, Fortinet | CUBEconversation
(calm electronic music) >> Welcome to this CUBE Conversation with Fortinet. I'm Lisa Martin. John Maddison joins me, the CMO and EVP of products. John, welcome back to the program. >> Thanks Lisa. Good to be here. >> Good to see you. So, so much has changed since I last saw you. The move to remote work caused by the pandemic led so many organizations to invest in modern networking and security technologies. And we see, you know, the rise in the threat landscape that protecting digital assets is becoming even more and more urgent because the threats are continuing to escalate. Talk to me about some of the things that you're seeing with this current threat landscape. >> Yeah. Well, it keeps changing, that's for sure. You saw some recent surveys where, you know, now companies are seeing, in terms of where employees are located, you know, 25% expecting to be in the office, 25% expected to be permanently in the home. And then there's this big 50% of hybrid, which we think will move a bit more towards the office as people get back in the office. But that's going to take some time. We're actually starting to move back in the office here in Santa Clara, Sunnyvale, but it's very different in every region in the U.S and regulations and laws around the world. And so we think it's going to be very much work from anywhere. There's a bit of travel starting as well. And so this work from anywhere concept is going to be very important to customers going forward. And the ability to change the dynamics of that ratio as they go forward. >> (indistinct) This work from anywhere that over- last year overnight sort of became an absolute essential. But now, as you said, we're going to have this hybrid model of some going back, some staying home and the security and the perimeter is dissolving. When you look at supporting customers and their remote work from anywhere, their new work from anywhere model, what are some of the things that are top of mind that you're hearing from customers? 
>> Well, I, you know, I sometimes hear this perimeter is disappearing. I think in some ways it's moving to the user and the devices. And there's this concept called zero trust network access which I've said on many occasions should be zero trust application access, but they named it that way, which is going to be an important technology because as I said, it kind of moves that perimeter then to that user. And previous technology that we had, VPN technology, was good technology. And in fact, a lot of companies, if you go back to when the pandemic started last year, put a lot of people on the VPN technology as quick as possible and it was reasonably robust. But as we go forward, what we're going to have to do is make sure that perimeter- at that perimeter, that users only get access to the applications they're using rather than the whole network. Eventually when they're on the network you need to make sure that it's segmented so they can't go everywhere as well. And so this zero trust network access or zero trust or zero trust access, there's lots of kind of different versions of it, is going to be very important concept for users. The other piece of it, I think, is also that it needs to be more intuitive to use, as anything you kind of have users do like the VPN where you had to kind of dial in and- or bring up- you're bringing up your connection and your IPsec connection, et cetera, et cetera means that people tend not to use it. And so to make it intuitive and automatic is going to be really important. >> Intuitive and automatic. One of the things that we also saw was this massive rise in digital transformation last year, right? SaaS adoption, these SaaS applications keeping many of us in collaboration. So I'm thinking, you know, in that sense with the perimeter changing and the work from anywhere, this consistent, secure internet connection among users at the branch or the branch of one has to be there to keep organizations productive and safe. 
How is Fortinet enabling the ZTNA- this evolution of VPN? >> Yeah. That's another piece of it. So not only are users on and off the network or traveling so that- or both, so the applications are moving. So a lot of them are moved from data centers to public cloud in the form of infrastructure or SaaS. We're now seeing customers actually move some applications towards the building or building compute or edge compute. So the applications keep moving which also causes this problem. And so another function of zero trust access or ZTNA is to not care where the application is. You rely on some technology and it's called proxy technology, which allows the proxy to track where the applications are. And for us, that sits inside of our firewalls. And that makes it very flexible. And so we've been able to kind of just ramp up that proxy against the policy engine, whether it be in the data center or in the cloud, or even on your premise. Even integrated inside a branch or something like that. That's going to be very important because, as you just said, those applications will just keep moving into different areas and different zones as you go forward. >> (Lisa) And that's probably going to be permanent for a lot of organizations. So it- so they haven't renamed it zero trust application access, like you think it should be. But when organizations are looking into zero trust network access, what should- what are some of the key things that they need to be looking for and mindful of? >> Yeah, (indistinct) And so it's probably the, you know, the number one conversation they've had over the last six months. I think people initially just had to get something working. Now they're looking seriously at a longer term architecture for their access, their user access and device access. I think what I find is that something like zero trust network access is more of a use case across multiple components. 
And so if you look inside it, you need a client component endpoint; you need a proxy that in front of the cloud capabilities; you need a policy engine; you need to use identity-based systems. If you haven't got- if you can't get an agent on the device, you may need a NAC system. And so usually what customers find is I've got four or five current- different vendors in those areas. And cybersecurity vendors are not the best at working together, wish they were, because then we do better for customers. And so trying to get two vendors to work is hard enough, trying to get five or six is really hard. And so what they're looking at over time is to say, maybe I get the minimum basic ZTNA working. And then as I go forward, for example, what they really want is this continuing posture assessment. Well, you can do that with some EDR technology, but is that EDR technology integrated into your policy engine? No. So I think what customers are saying is, let me start with the base ZTNA with maybe two vendors. And then as I go forward implement a, you know, a fabric or a platform approach to get everything working together. 'Cause it's just too hard with five or six vendors. >> Right. Is there, I'm curious if there's a shared responsibility model with customers working with different vendors; what actions and security responsibilities fall on the customer that they need to be aware of? >> Well, and it also comes back to this, you know, there's convergence of networking and security. And I've said a few times I'm definitely seeing CIOs and CSOs, security teams, and networking teams working much more closely. And especially when you've got a use case now that goes across security items and networking items and networking, the proxy has always been in the control of the networking team. Endpoint security has always been in the- you know, the security team. It's just forcing this convergence not just of the technologies itself but of the organizations inside enterprises. 
>> (Lisa) Well, and that's a challenging one for every organization is getting, you know, if you're talking about it in general, the business folks, the IT folks. Now this is not just a security problem. This is a problem for the entire corporation, as we just saw with the Colonial Pipeline. Ransomware is now becoming a household name. These are business-critical board-level discussions I imagine on the security side. How is Fortinet helping customers kind of bridge that gap between the biz folks and the IT folks where security is concerned? >> Yeah. You know, ransomware has been around quite a while. I think two years ago, we saw a lot of it in the schools. K-12 schools in the U.S. I think they're picking some richer targets now. The Colonial one, I think there was a 4 million ransom. I think that they managed to get some of that money back. But, you know, instead of, you know, demanding $5,000 or $10,000 from a small business or a school they're obviously demanding millions from these larger companies. And you know, one of the problems with ransomware is, you know, it still relies heavily on social engineering. I don't think you can eliminate that people clicking on stuff, you know, a very small percentage still. I think what it means is you have to put some more proactive things in place, like the zero trust, like micro-segmentation, like web application firewalling. All these capabilities to try and make your systems as strong as possible. So then put in detection and response systems to assume that someone's clicking on something somewhere just to help. But it's definitely the environment. You know, the threat environment. It's not really gotten more sophisticated; yes, there are still advanced threats. I fear more about those weaponized APTs and state sponsored, but there's definitely a huge volume of ransomware now going after, you know, not only, you know, meat processing factories, but pipelines and critical infrastructure as we go forward. 
That's the more worrying. >> (Lisa) Right. You bring up a good point about, sort of, people being one of the biggest challenges from a security perspective. Clicking on links, not checking to see if a link is bogus or legitimate. So, help me understand a little bit more how is zero trust can help maybe take some of that human error out of the equation? >> Well, because I think before, you know, when you got access, when you're off the network and you've got access to the network, you've got access to everything, okay. So once you're on the network, and I think the Colonial Pipeline was a good example where traditionally, operational technology networks, physical networks sort of separate from the IT network and they had something called an air gap. And that air gap meant you really couldn't get to it. Now when people had to be remote because of the pandemic, they started taking these air gaps. And so now we had remote access. And so again, when you- when they got that remote access and they got into the network, they could- the network was very flat and you could see everything you can go anywhere. And so that's what zero trust does. It kind of says, I kind of did the zero trust approach to you that I'm only going to allow you access to this application. And I'm going to keep checking on you to make sure you are you are who you say you are on a continuous basis. And that really provides a bit more safety. Now, I still- we still think you need to put things like segmentation in place and some other capabilities and monitoring everything else, but it just narrows the attack surface down from this giant network approach to a specific application >> Narrowing that is the right direction. How do organizations, when you're working with customers, how do they go- How do they evolve from a traditional VPN to zero trust? What are some of the steps involved in that? >> Well, I think it's, you know, what's interesting is customers still have data centers. 
In fact, you know, some of the customers who have legacy applications will have a data center for a long time. And in fact, what I find is even if you've implemented zero trust to a certain population, employee population, they still have VPNs in place. And sometimes they use them for the IT folks. Sometimes they use them for specialized developers and stuff like that. And so I think it's going to be like everything, everything goes a hundred percent this way and it stays this way. And so it's going to be hybrid for a while where we see VPN technology and zero trust together. You know- our approach is that you can have both together and it's both on the same platform and it'll just gradually evolve as you go forward. >> What are some of the things you're looking forward to in the next year as this hybrid environment continues, but hopefully things start to open up more? What are some of the things that we can expect to hear and see from Fortinet? >> Well, I'm looking forward to getting out of my home office, that's for sure. >> (Lisa laughing) >> It's like I've been imprisoned here for eighteen months. >> I agree with you on that! So we'll try that. And, you know, I always thought I traveled too much before and now I'm contemplating on the travel piece. But from, you know, Fortinet's perspective, you know, our goal is to make sure that, you know, our customers can increase. We'll make sure they can protect themselves. And so we want to help them and keep working with them such that they put best practices in place and they start architecting longer-term to implement things like zero trust or SASE or some of these other capabilities. And so, you know, I think the- we've had a lot of interest with customers on these virtual sessions. I'm really looking forward to getting them back in our new building, our new executive briefing center, which we're opening up in the next few weeks. 
You may have more of those face-to-face and white boarding conversations with customers. >> Oh, that sounds so exciting. I agree with you on the travel front, but going from traveling a ton to none was a big challenge. But also, I imagined it'll be great to actually get to collaborate with customers again, and partners. You know, you can only do so much by Zoom. Talk to me a little bit about some of the things on the partnership front that we might be seeing. >> Yeah, our partners, you know, we're a hundred percent partner-driven company and partners are very important to us. And, you know, and that's why we always, when we introduce new technology, we work with the partners to make sure that they understand it. So for example, we provide free what they call an NSE training to all our partners. And then we also work with them very closely to put systems in their labs and the demos and make sure they can architect. And so partners are really important to us and, you know, making sure that they can provide value as part of a solution set to our customers, because customers trust them. And so we want to make sure that we work with our partners closely so they can help the customer implementing architect solutions as they go forward. >> That trust is critical. Right? I mean, we can talk about that at every event, every CUBE Conversation, the trust that an a customer has in you, the trust that you have in a partner and vice versa. That whole trust circle kind of goes along the lines with what we're talking about in terms of being able to establish that trust. So that threat landscape that's probably only going to continue to get bigger is in the trusted hands of folks like Fortinet and your partners to be able to enable those customers to narrow that threat landscape. >> Yeah, yeah. And so it could be the smallest partner to the largest service provider. We don't mind. We want to make sure that we're working with them to provide that implementation from the customers. 
And again, the word trust is sometimes overused, but that's what customers are looking for. >> (Lisa) So, John, point me to when our audience is some of the information that they can find on Dotcom about zero trust. What are some of the things that you think are great calls to action for the audience? >> Yeah. I mean, it depends. I think it depends on what level you want to get into where we have a bunch of assets, videos, and training but start at the very highest level, you know, why is zero trust something you need to implement? And then it goes down into more details and then even the architecture, long-term architecture and connectivity and implementation. So there's a lot of assets on Fortinet.com If you go on our training sessions, there's- all our training's free to our customers. And so you can go in all those NSE levels and look at the capabilities. So yeah, definitely it's a- it's an area of high interest from our customers. But as I say to them, it's more of a journey. Yes, you can implement something today really quickly, but will that work for you over the long-term in making sure you can take all the information from the, like I said, you know, how is the voice, the posture of that device? What is the device with an agent doing, you know, as my contextual engine integrated as well? So it's a journey for customers and, but you can start with something simple but you need to have that plan for that journey in place. >> I imagine though, John, it's a journey that is either accelerating, or with the threat landscape and some of the things that we've already talked about, is becoming an absolutely board-critical conversation. So, and on that journey, does Fortinet work with customers to accelerate certain parts of it? 
Because you know, these businesses have been pivoting so much in the last year and they've got to not just survive, but now thrive in this new landscape, this new hybrid work from home, work from anywhere environment and also with more threats. >> Yeah, no, it's a good point. And so, you know, even those internally are implementing it starting the most critical assets first. So let's say, you know, I've got somebody working on source code, they should be the first ones to get the zero trust implementation. I've got somebody asking from the internet to search for stuff. Maybe they're okay for now, but yeah. So you kind of prioritize your assets and users against, you know, the threat and then implement. That's why I'm saying you can roll it out across everyone as, you know, a certain version of it. But I think it's better to prioritize first the most important assets and IP and then roll it out that way. >> (Lisa) Great advice. >> Because some of- a lot of those assets are still sitting in the data center. >> Right. >> So they're not sitting in the cloud. >> Right. John, great advice. Thank you so much for joining me. Good to see you, glad all is well and that you will be able to get out of your home office. You're just days away from that. I'm sure that's going to feel great. >> Certainly is. And thank you, Lisa. >> Nice to see you. For John Maddison, I'm Lisa Martin. You're watching this CUBE Conversation. (calm electronic music with piano)
ENTITIES
Entity | Category | Confidence |
---|---|---|
Lisa Martin | PERSON | 0.99+ |
$5,000 | QUANTITY | 0.99+ |
John | PERSON | 0.99+ |
Lisa | PERSON | 0.99+ |
five | QUANTITY | 0.99+ |
John Maddison | PERSON | 0.99+ |
John Madison | PERSON | 0.99+ |
Fortinet | ORGANIZATION | 0.99+ |
$10,000 | QUANTITY | 0.99+ |
eighteen months | QUANTITY | 0.99+ |
six | QUANTITY | 0.99+ |
two vendors | QUANTITY | 0.99+ |
50% | QUANTITY | 0.99+ |
two vendors | QUANTITY | 0.99+ |
U.S. | LOCATION | 0.99+ |
four | QUANTITY | 0.99+ |
last year | DATE | 0.99+ |
25% | QUANTITY | 0.99+ |
U.S | LOCATION | 0.99+ |
six vendors | QUANTITY | 0.99+ |
next year | DATE | 0.98+ |
two years ago | DATE | 0.98+ |
both | QUANTITY | 0.98+ |
Fortinet.com | ORGANIZATION | 0.98+ |
today | DATE | 0.98+ |
one | QUANTITY | 0.98+ |
pandemic | EVENT | 0.97+ |
Dotcom | ORGANIZATION | 0.97+ |
millions | QUANTITY | 0.97+ |
zero | QUANTITY | 0.96+ |
Colonial Pipeline | LOCATION | 0.95+ |
NSE | ORGANIZATION | 0.95+ |
4 million ransom | QUANTITY | 0.94+ |
Colonial Pipeline | ORGANIZATION | 0.93+ |
zero trust | QUANTITY | 0.93+ |
One | QUANTITY | 0.92+ |
hundred percent | QUANTITY | 0.91+ |
first | QUANTITY | 0.89+ |
Santa Clara, Sunnyvale | LOCATION | 0.87+ |
last six months | DATE | 0.86+ |
Fortinet | PERSON | 0.85+ |
Zoom | ORGANIZATION | 0.84+ |
ZTNA | TITLE | 0.81+ |
first ones | QUANTITY | 0.79+ |
five current | QUANTITY | 0.74+ |
K | OTHER | 0.72+ |
zero trust | ORGANIZATION | 0.66+ |
SAS | TITLE | 0.65+ |
12 | OTHER | 0.58+ |
people | QUANTITY | 0.56+ |
SAS | ORGANIZATION | 0.54+ |
Derek Manky, FortiGuard Labs | CUBE Conversation 2021
(upbeat music)
>> Welcome to this CUBE conversation. I am Lisa Martin, excited to welcome back one of our distinguished alumni, Derek Manky joins me next. Chief, Security Insights and Global Threat Alliances at Fortinet's FortiGuard Labs. Derek, welcome back to the program.
>> Yes, it's great to be here and great to see you again, Lisa. Thanks for having me.
>> Likewise, yeah, so a lot has happened. I know we've seen you during this virtual world, but so much has happened with ransomware in the last year. It's unbelievable, we had this dramatic shift to a distributed workforce, you had personal devices on in network perimeters and non-trusted devices or trusted devices on home networks and lots of change there. Talk to me about some of the things that you and FortiGuard Labs have seen with respect to the evolution of ransomware.
>> Yeah, sure, so it's becoming worse, no doubt. We highlighted this in our Threat Landscape Report. If we just take a step back looking at ransomware itself, it actually started in the late 1980s. And it didn't, that was very, they relied on snail mail. It was obviously there was no market for it at the time. It was just a proof of concept, a failed experiment if you will. But it really started getting hot a decade ago, 10 years ago, but the technology back then wasn't the cryptography they're using, the technique wasn't as strong as easily reversed. And so they didn't really get to a lot of revenue or business from the cyber criminal perspective. That is absolutely not the case today. Now they have very smart cryptography, they're experts, when I say they, the cyber criminals, at their game. They know there's a lot of the attack surfaces growing. There's a lot of vulnerable people out there. There's a lot of vulnerable devices. And this is what we saw in our threat landscape group. What we saw was a seven times increase in ransomware activity in the second half of 2020. And that momentum is continuing in 2021.
It's being fueled by what you just talked about. By the work from anywhere, work from home environment, a lot of vulnerable devices unpatched. And these are the vehicles that the ransomware is the payload of course, that's the way that they're monetizing this. But the reality is that the attack surface has expanded, there's more vulnerable people and cyber criminals are absolutely capitalizing on that.
>> Right, we've even seen cyber criminals capitalizing on the pandemic fears with things that were around the World Health Organization or COVID-19 or going after healthcare. Did you see an uptick in healthcare threats and activities as well in the last year?
>> Yeah, definitely, so I would start to say that first of all, the... Nobody is immune when it comes to ransomware. This is such again, a hot target or a technique that the cybercriminals are using. So when we look at the verticals, absolutely healthcare is in the top five that we've seen, but the key difference is there's two houses here, right? You have what we call the broad blanketed ransomware attacks. So these aren't going after any particular vertical. They're really just trying to spray as much as they can through phishing campaigns, not through... there's a lot of web traffic out there. We see a lot of things that are used to open playing on that COVID-19 theme we got, right? Emails from HR or taxes and scams. It's all related to ransomware because these are how they're trying to get the masses to open that up, pay some data, sorry, pay some cryptocurrency to get access to their data back. Oftentimes they're being held for extortions. They may have photos or video or audio captures. So it's a lot of fear they're trying to steal these people but probably the more concern is just what you talked about, healthcare, operational technology. These are large business revenue streams.
These are take cases of targeted ransoms which is much different because instead of a big volumetric attack, these are premeditated. They're going after with specific targets in mind, specific social engineering rules. And they know that they're hitting the corporate assets or in the case of healthcare critical systems where it hurts, they know that there's high stakes and so they're demanding high returns in terms of ransoms as well.
>> With respect to the broad ransomware attacks versus targeted, a couple of questions to kind of dissect that. Are the targeted attacks, are they in like behind the network firewall longer and faster, longer and getting more information? Are they demanding higher ransom versus the broader attacks? What are some of the distinctions there besides what you mentioned?
>> Yeah, absolutely, so the targeted attacks are more about execution, right? So if we look at the attack chain and they're doing more in terms of reconnaissance, they're spending more cycles and investment really on their end in terms of weaponization, how they can actually get into the system, how they can remain undetected, collecting and gathering information. What we're seeing with groups like Ragnar Locker as an example, they're going in and they're collecting in some cases, terabytes of information, a lot, they're going after definitely intellectual property, things like source code, also PII for customers as an example, and they're holding them. They have a whole business strategy and plan in mind on their place, right? They hold them for ransom. They're often, it's essentially a denial of service in some cases of taking a revenue stream or applications offline so a business can't function. And then what they're doing is that they're actually setting up crime services on their end.
They, a lot of the newest ransom notes that we're seeing in these targeted attacks are setting up channels to what they call a live chat support channel that the victim would log into and actually talk directly live to the cybercriminal or one of their associates to be able to negotiate the ransom. And they're trying to have in their point of view, they're trying to frame this as a good thing and say, we're going to show you that our technology works. We can decrypt some of the files on your system as an example just to prove that we are who we say we are, but then they go on to say, instead of $10 million, we can negotiate down to 6 million, this is a good deal, you're getting 30% off or whatever it is, but the fact is that they know by the time they've gotten to this they've done all their homework before that, right? They've done the targets, they've done all the things that they can to know that they have the organization in their grasp, right?
>> One of the things that you mentioned just something I never thought about as ransomware as a business, the sophistication level is just growing and growing and growing and growing. And of course, even other bad actors, they have access to all the emerging technologies that the good guys do. But talk to me about this business of ransomware because that's what it seems like it really has become.
>> Absolutely, it is massively sad. If you look at the cybercrime ecosystem like the way that they're actually pulling this off, it's not just one individual or one cyber crime ring that, let's say five to 10 people that are trying to orchestrate this. These are big rings, we actually work closely as an example to, we're doing everything from the FortiGuard Labs with following the latest ransomware trends, doing the protection and mitigation but also working to find out who these people are, what are their tactics and really attribute it and paint a picture of these organizations.
And they're big, we worked on some cases where there's over 50 people just in one ransomware gang. One of the cases we worked on, they were making over $60 million US in three months, as an example. And in some cases, keep in mind one of these targeted attacks like in terms of ransom demands and the targeted cases they can be in excess of $10 million just for one ransom attack. And like I said, we're seeing a seven times increase in the amount of attack activity. And what they're doing in terms of the business is they've set up affiliate marketing. Essentially, they have affiliates in the middle that will actually distribute the ransomware. So they're basically outsourcing this to other individuals. If they hit people with their ransomware and the people pay then the affiliate in the middle will actually get a commission cut of that, very high, typically 40 to 50%. And that's really what's making this lucrative business model too.
>> Wow, my jaw is dropping just the sophistication but also the different levels to which they've put a business together. And unfortunately, for every industry it sounds very lucrative, so how then Derek do organizations protect themselves against this, especially knowing that a lot of this work from home stuff is going to persist. Some people want to stay home, what not. The proliferation of devices is only going to continue. So what are organizations start and how can you guys help?
>> Start with the people, so we'll talk about three things, people, technology and processes. The people, unfortunately, this is not just about ransomware but definitely applies to ransomware but any attack, humans are still often the weakest link in terms of education, right? A lot of these ransomware campaigns will be going after people using nowadays seems like tax themes purporting to be from the IRS as an example or human resources departments or governments and health authorities, vaccination scams, all these things, right?
But what they're trying to do is to get people to click on that link, still to open up a malicious attachment that will then infect them with the ransomware. This of course, if an employee is up to date and hones their skills so that they know basically a zero trust mentality is what I like to talk about. You wouldn't just invite a stranger into your house to open a package that you didn't order but people are doing this a lot of the times with email. So really starting with the people first is important. There's a lot of free training information and security. There is awareness training, we offer that at Fortinet. There's even advanced training we do through our NSE program as an example. But then on top of that there's things like phishing tests that you can do regularly, penetration testing as well, exercises like that are very important because that is really the first line of defense. Moving past that you want to get into the technology piece. And of course, there's a whole, this is a security fabric. There's a whole array of solutions. Like I said, everything needs to be integrated. So we have an EDR and XDR as an example sitting on the end point, 'cause oftentimes they still need to get that ransomware payload to run on the end point. So having a technology like EDR goes a long way to be able to detect the threat, quarantine and block it. There's also of course a multi-factor authentication when it comes to identifying who's connecting to these environments. Patch management, we talk about all the time. That's part of the technology piece. The reality is that we highlight in the threat landscape report the software vulnerabilities that these ransomware gangs are going after are two to three years old. They're not breaking within the last month, they're two to three years old. So it's still about the patch management cycle, having that holistic integrated security architecture and the fabric is really important.
NAC network access control is zero trust, network access is really important as well. One of the biggest culprits we're seeing with these ransom attacks is using IoT devices as launchpads as an example into networks 'cause they're in these work from home environments and there's a lot of unsecured or uninspected devices sitting on those networks. Finally process, right? So it's always good to have it all in your defense plan training and education, technology for mitigation but then also thinking about the what if scenario, right? So incident response planning, what do we do if we get hit? Of course we never recommend to pay the ransom. So it's good to have a plan in place. It's good to identify what your corporate assets are and the likely targets that cyber-criminals are going to go after and make sure that you have rigid security controls and threat intelligence like FortiGuard Labs applied to that.
>> Yeah, you talk about the weakest link they are people, I know you and I talked about that on numerous segments. It's one of the biggest challenges but I've seen some people that are really experts in security read a phishing email and almost fall for it. Like it looked so legitimately from like their bank for example. So in that case, what are some of the things that businesses can do when it looks so legitimate that it probably is going to have, unfortunately, a good conversion rate?
>> Yeah, so this is what I was talking about earlier that these targeted attacks especially when it comes to spear, when it comes to the reconnaissance they got so clever, it can be so realistic. That's the, it becomes a very effective weapon. That's why the sophistication and the risk is rising like I said but that's why you want to have this multilayered approach, right?
So if that first line of defense does yield, if they do click on the link, if they do try to open the malicious attachment, first of all again through the next generation firewall Sandboxing solutions like that, this technology is capable of inspecting that, acting like is this, we even have a FortiAI as an example, artificial intelligence, machine learning that can actually scan these events and know is this actually an attack? So that element goes a long way to actually scrub it like content CDR as well, content disarm as an example this is a way to actually scrub that content. So it doesn't actually run it in the first place but if it does run again, this is where EDR comes in like I said, at the end of the day they're also trying to get information out of the network. So having things like a Platinum Protection through the next generation firewall like with FortiGuard security subscription services is really important too. So it's all about that layered approach. You don't want just one single point of failure. You really want it, this is what we call the attack chain and the kill chain. There's no magic bullet when it comes to attackers moving, they have to go through a lot of phases to reach their end game. So having that layer of defense approach and blocking it at any one of those phases. So even if that human does click on it you're still mitigating the attack and protecting the damage. Keep in mind a lot of damages in some cases kind of a million dollars plus.
>> Right, is that the average ransom, 10 million US dollars.
>> So the average cost of data breaches that we're seeing which are often related to ransom attacks is close to that in the US, I believe it's around just under $9 million, about 8.7 million, just for one data breach.
And often those data breaches now, again what's happening is that the data it's not just about encrypting the data, getting access because a lot of organizations part of the technology piece and the process that we recommend is backups as well of data. I would say, organizations are getting better at that now but it's one thing to back up your data. But if that data is breached again, cybercriminals are now moving to this model of extorting that saying, unless you pay us this money we're going to go out and make this public. We're going to put it on paste and we're going to sell it to nefarious people on the dark web as well.
>> One more thing I want to ask you in terms of proliferation, we talked about the distributed workforce but one of the things, and here we are using Zoom to talk to each other, instead of getting to sit together in person, we saw this massive proliferation in collaboration tools to keep people connected, families, businesses. I talked to a lot of businesses who initially will say, oh we're using Microsoft 365 and they're protecting the data while they're not or Salesforce or Slack. And that shared responsibility model is something that I've been hearing a lot more about lately that businesses needing to recognize for those cloud applications that we're using and in which there's a lot of data traversing it could include PII or IP. We're responsible for that as the customer to protect our data, the vendor's responsible for protecting the integrity of the infrastructure. Share with us a little bit about that in terms of your thoughts on like data protection and backup for those SaaS applications.
>> Yeah, great question, great question, tough one. It is so, I mean ultimately everybody has to have, I believe it has to have their position in this. It's not, it is a collaborative environment.
Everyone has to be a stakeholder in this even down to the end users, the employees being educated and up-to-date as an example, the IT departments and security operation centers of vendors being able to do all the threat intelligence and scrubbing. But then when you extend that to the public cloud what is the cloud security stack look at, right? How integrated is that? Are there scrubbing and protection controls sitting on the cloud environments? What data is being sent to that, should it be cited center as an example? What's the retention period? How long does the data live on there? It's the same thing as when you go out and you buy one of these IoT devices as an example from say, a big box store and you go and just plug it into your network. It's the same questions we should be asking, right? What's the security like on this device model? Who's making it, what data is it going to ask for me? The same thing when you're installing an application on your mobile phone, this is what I mean about that zero trust environment. It should be earned trust. So it's a big thing, right? To be able to ask those questions and then only do it on a sort of need to know and medium basis. The good news is that a lot of CloudStack now and environments are integrating security controls. We integrated quite well with Fortinet as an example but this is an issue of supply chain. It's really important to know what lives upstream and how they're handling the data and how they're protecting it absolutely.
>> Such interesting information and it's a topic, ransomware, that we could continue talking about, Derek, thank you for joining me on the program today updating us on what's going on, how it's evolving and ultimately what organizations in any industry need to do with protecting people and technology and processes to really start reducing their risks. I thank you so much for joining me today.
>> All right, it's a pleasure, thank you.
>> Likewise, Derek Manky. I'm Lisa Martin.
You're watching this CUBE conversation. (upbeat music)
And often those data breaches now, again what's happening is that the data it's not just about encrypting the data, getting access because a lot of organizations part of the technology piece and the process that we recommend is backups as well of data. I would say, organizations are getting better at that now but it's one thing to back up your data. But if that data is breached again, cybercriminals are now moving to this model of extorting that saying, unless you pay us this money we're going to go out and make this public. We're going to put it on piece and we're going to sell it to nefarious people on the dark web as well. >> One more thing I want to ask you in terms of proliferation we talked about the distributed workforce but one of the things, and here we are using Zoom to talk to each other, instead of getting to sit together in person we saw this massive proliferation in collaboration tools to keep people connected, families businesses. I talked a bit a lot of businesses who initially will say, oh we're using Microsoft 365 and they're protecting the data while they're not or Salesforce or Slack. And that shared responsibility model is something that I've been hearing a lot more about lately that businesses needing to recognize for those cloud applications that we're using and in which there's a lot of data traversing it could include PII or IP. We're responsible for that as the customer to protect our data, the vendor's responsible for protecting the integrity of the infrastructure. Share it with us a little bit about that in terms of your thoughts on like data protection and backup for those SaaS applications. >> Yeah, great question, great question tough one. It is so, I mean ultimately everybody has to have, I believe it has to have their position in this. It's not, it is a collaborative environment. 
Everyone has to be a stakeholder in this even down to the end users, the employees being educated and up-to-date as an example, the IT departments and security operation centers of vendors being able to do all the threat intelligence and scrubbing. But then when you extend that to the public cloud what is the cloud security stack look at, right? How integrated is that? Are there scrubbing and protection controls sitting on the cloud environments? What data is being sent to that, should it be cited center as an example? what's the retention period? How long does the data live on there? It's the same thing as when you go out and you buy one of these IOT devices as an example from say, a big box store and you go and just plug it into your network. It's the same questions we should be asking, right? What's the security like on this device model? Who's making it, what data is it going to ask for me? The same thing when you're installing an application on your mobile phone, this is what I mean about that zero trust environment. It should be earned trust. So it's a big thing, right? To be able to ask those questions and then only do it on a sort of need to know and medium basis. The good news is that a lot of CloudStack now and environments are integrating security controls. We integrated quite well with Fortinet as an example but this is an issue of supply chain. It's really important to know what lives upstream and how they're handling the data and how they're protecting it absolutely. >> Such interesting information and it's a topic ransomware that we could continue talking about, Derek, thank you for joining me on the program today updating us on what's going on, how it's evolving and ultimately what organizations in any industry need to do with protecting people and technology and processes to really start reducing their risks. I thank you so much for joining me today. >> All right it's a pleasure, thank you. >> Likewise Derek Manky I'm Lisa Martin. 
You're watching this CUBE conversation. (upbeat music)
Deepak Mohan, Veritas | VMworld 2020
>>From around the globe, it's the Cube with digital coverage of VMworld 2020, brought to you by VMware and its ecosystem partners. Welcome back. I'm Stu Miniman, and this is the Cube's coverage of VMworld 2020, our 11th year at VMworld. And of course, we've been watching VMware, they're doing a lot more in the cloud the last few years. Big partnership with AWS. And part of that is they bring their ecosystem with them. So just as they've had hundreds of companies working with them in the data center, when they do VMware Cloud on AWS, in Azure, Oracle, all the cloud service providers, the data protection companies can come along and continue to partner with them. That's part of what we're gonna be discussing. Happened. Welcome back to the program. It's been a few years. Deepak Mohan. He's the executive vice president of products organization at Veritas. Deepak, thank you so much for joining us. You've got a beautiful Veritas facility behind you there. >>Yeah. Nice to meet you, Stu. Yeah. We're really excited about the VMworld event and happy to be on the show with you. >>Yes. So let's, before we dig into data resiliency and all the other pieces, you know, the Veritas VM relationship goes way back. I mean, I think back to the early aughts, uh, you know, talk about the software companies. You know, Veritas was the, you know, software company in the industry that really got a lot of it started. Yeah, a little company that you and I both know, EMC, picked up VMware, the rest is history there. But Veritas, that partnership has been there since the early, early days of VMware. So just refresh our viewers a little bit on that partnership. >>Yeah, so VMware and Veritas have been partners for, like, 20 years. In fact, I'll say, both companies were founded about the same time. 
We, uh, neighbors in Silicon Valley and Veritas was actually one of the first companies to have introduced the concept off software defined data center software, defined storage. In fact, even before, you know, visa and all came into the picture. But as we and we're progressed with, the virtual is ations off the infrastructure. It was really important for enterprise customers to ensure that both their applications stay resilient and highly available, and all that data remains protected. So at 87% off the global fortune 500 customers are veritas customers. They're all using we and we're in their infrastructures. So any time we, um we're introduces a technology we have to ensure it is available, it's protected eso that partnership goes along a long way where every remember platform has way supported on day one for the Veritas solution. So very tight partnership. We get to see each other frequently and make sure that our solutions are joined at the hip. >>Yeah, Deepak, the term we hear from Veritas, we talked about data resiliency. And as you laid out there, you know, some things have changed. You know, 20 years ago, we weren't talking about cloud native environments, and you know all of these various pieces. Uh, it was really multi vendor heterogeneous environments that veritas lived in. Um, but even in all of these environments of, of course, you know, data resiliency, you know, making sure my data is protected, making sure things they're secure. Um, is still, you know, top of mine and so important for organizations. So, you know, talk to us a little bit about you know what that means here in 2020. With Veritas? Yes. >>So I'll say. 20 years ago, uh, we had one application. One server. Life was very fairly simple. Um, you know? Then came William where? You know, now we have the hybrid private clouds, public clouds, hybrid clouds. 
So the infrastructure is shifting into these other models, but the need for application resiliency and data resiliency is getting more and more complex because now we have applications that are running on Prem. They're running in virtual machines. They're running in hybrid environments. They're running in private clouds. They're running in infrastructure as a service. SAAS applications. So they're all over the place now, think about the job off the CEO. First, you have to make sure all these applications are up and running 24 by seven. Second, these applications have to be protected, which means, in case off a disaster in case often issue, you have to be ableto recover them a third. How do you be compliant with regulations with things? So so customers now have to have visibility into their infrastructure. So the job of the CEO is becoming super complex to keep in handle on everything. And that's where, uh, the companies like Veritas who are doing application resiliency data resiliency has become really important. I mean, as an example, last year at VM World Show floor, I actually counted the number off backup vendors compared to storage vendors. And there was actually more data protection and resiliency vendors on the floor. Then they were actually storage. Wentz. >>Yeah, Deepak here. You're absolutely right. We saw that, you know, for for years we used to call it storage world because they had all come in partner with VM Ware. But data protection. So So eso important here when one of the big conversations this year, of course, is that rollout of Project Pacific with VCR 77 update one just right, right ahead of the M world. Uh, I'm assuming Veritas is just keeping in lockstep with vm ware, but, you know, talk a bit about you know how that fits into the portfolio. >>Oh, absolutely. 
So, uh so one off the keys for veritas success over the last 20 years, uh, is that we have kept up with all the technology transformations and all the technology disruptions that happened. And as these hybrid cloud disruption that happening with you mentioned Project Pacific. But you know that it's the 10 zoo platform we are. We are one off the design partners with VM ware for to ensure the data protection layers are done correctly. Eso So we are definitely working with VM ware on the on the Chenzhou uh, resiliency as well as leveraging the Valero platform. So we'll make sure that as a customers are deploying these new solutions the Veritas Solutions out there or or to offer them the resiliency and data protection needed >>Deepak, we've watched that that real maturation of what VM was doing in the cloud, of course, the partnership, you know, first with IBM at VM World a few years ago, right after VM world, it was with a W s. And there was a lot of interest. But we are seeing that customer adoption. I wonder if you talk about how closely you worked with them. Do you have any, you know, maybe anonymous customers that you talk about? You know what they're seeing in the cloud? Why vm ware and Veritas went when they go to this environment. >>Yes. So I'll we have several customers who are moving into the cloud space, uh, leveraging VMC or now with the azure reimburse solutions. So what happens is when these customers we have large financials, for example, who are using now we anywhere and migrating their workloads into the cloud have eso. So they may be deploying virtual machines there. But the need for H A and data resilience in backup actually gets a little bit more complex because the old environments are still there on prime. Some workloads are now moving to the cloud, and they're leveraging The Veritas Solutions want to support the migration. Second, to offer the resiliency, leveraging the Veritas resiliency platform or net backup overeaters input scale. 
An example is I'll use an example of an air one airline customer reservation systems now moving to KWS within two availability zones. The application availability comes with the Veritas solution. So Veritas is Prue is on their journey to the cloud helping enterprise customers work in these hybrid use cases. >>Deepak, since you've got so many customers and they're going through their cloud journeys, uh, Veritas works across all the environment. You get a good view point as to where we are. One of the things we're really trying to help clarify people. We throw out these terms Hybrid cloud and multi cloud. Most customers I talked to we have a cloud strategy and you use more than one cloud. Yes. Is portability the big concern? Well, no, I'm not moving things all over the time. I don't wake up and say, you know, I'm checking the stock market and therefore I'm gonna, you know, move toe one of the other, but I need tohave my multiple environment. It's difficult on them with different skill sets. Uh, and you know, we're seeing, you know, companies like Veritas and VM where, you know, living where the customer is. So give us a little insight as toe what you're seeing from the customers, this whole hybrid, multi cloud environment. What? What does it mean to to your customers? >>Eso what? What? And says, You know, we have a variety of customers and, you know, invariably, when we talked to them, each one of them has, ah, little bit different journey to the cloud. I you know, some customers I'd say maybe more mid market. Want to move completely towards ah platform as a service approach and leverage either azure or a W s. Uh, but I'll say most of the enterprise customers are looking at, uh, taking workloads. It could be one of the applications. Some are further ahead in the journey, and they're taking now a mission Critical application. Okay, You know, it could be and s a p workload. 
It could be a thumb mission critical, you know, building system reservation systems and then using VM ware as the mechanism to go into the cloud with it and and and And when they do that, they're looking for the same level and same level of tools for both availability and data protection. Eso I'll say that we have lots of different examples between utilities, healthcare companies, financials, government. Yeah, who are ill say the common theme is now they're moving towards. I'll say the harder workloads are now moving to the cloud. And now they're absolutely leveraging tools from where eaters. They want to make sure that our solutions actually support those complex and highly scalable use cases. And we're absolutely doing that with the solutions. >>Deepak, you talk about some of the challenges that customers have. You know, some things have changed in 2021 thing that has not changed eyes that security is top of mind. We often see the, you know, data protection and security. Some of those pieces go hand in hand. I remember years ago talking at at the Veritas conference, it was G, D, p. R. And Ransom. Where were the big things that we talked about with every single customer as to how they were defending and preparing for that? So give us, give us the state of your environment. We know that even when everybody's working from home, unfortunately, the bad actors they're actually working over telling >>No. Yes. So I'll see the problem off. Ran somewhere has actually gotten a whole lot worse over the last couple of years. Uh, so, Aziz, we think about ransom where, uh, we have the security layer, which means, you know, first is you have to make sure your infrastructure is protected. You know, the second layer is detection. Which means how do you know if there's ransomware sitting in your environment? Because it could have come in and it may actually click in at a much later time, and the third is recovery. 
And to be able to recover, you need really good data protection and backup policies within the companies to be able to recover it. So, of course, uh, most companies invest a lot in the security software, but we know that ransomware still gets in. It can get in through a phishing attack. It can get in through email, one of the employees at home clicks on something. You know, ransomware is in. So the backup and the data protection is the last line of defense to be able to recover. So now you have it. You're stuck. What do you do? You want to find the last best copy, uh, be able to recover very, very quickly, and the problem is really serious. I was actually talking to one of our tech support leaders, and we get at least one call a day with one of our customers that have been hit with ransomware, and we help them through the recovery process. So that's a heavy investment area for Veritas. With our NetBackup software, Backup Exec software, but also with the hardened Veritas appliances, we provide a very solid way for our customers to be able to protect and recover from ransomware. The only thing I suggest is, you know, once you have been hit, and if you don't have a good backup, you know, I talked about that huge estate, that entire estate has to be protected also from ransomware, which means standardization is key. So when something happens, are you going to look at nine products to recover from, or you want all your catalogs, all your data, all your insights in one place, so you can then go quickly, come back online and not have to pay the ransom? >>All right. Well, Deepak, let's bring it home. We're here at VMworld. We talked at the beginning about the long partnership. You were there, you know, day zero with the vSphere 7 activity. What do you want people to take away from VMworld 2020 when it comes to Veritas? >>My key message 
Tow our mutual customers as that veritas is here to support your journey to the hybrid cloud to the cloud. We are investing heavily in the solutions we Our goal is to continue providing today zero support for all we end where solutions and releases. And we're working very closely with VM ware on the 10 zoo platform rollout. We have a design partner with me and were there as well as leveraging the right AP eyes, whether to be a d. P. V i o P sent were certified on every latest versions off the VM Ware portfolio. We have several 100 engineers that work the just to make sure that we support these platforms, you know, in additional say's as the women were connects toe aws and to azure. Those solutions are also extremely well certified. So where it'll works very closely with AWS we were the first to be certified on the the AWS solutions. >>Uh, you're you're you're talking about like outposts, I believe. >>Oh, yes. Outpost. Yeah, so we just got the outpost ready. Certification, you know, works extremely well with the reimburse solutions. A swell Aziz A V s, uh, azure reimburse solutions so heavy areas off investment for us. So the same way that our customers have depended on us over the last 20 years. We are writing the technology disruptions to help our customers into the next wave with the same set off solutions working both on prime hybrid and clouds. >>Yeah, Deepak, I'm having flashbacks. You and I remember the things when it was the V x f s and the Vieques VM. And now we've got the, uh you know, uh, you know all the very the VM Ware versions on A V s and Google Cloud VM Ware engine. It gets a little confusing out there. But, hey, I really appreciate you giving us some clarity as to how you're helping customers with their their data resiliency supporting and ransomware and the deepen long partnership that Veritas and VM Ware have. Thanks so much for joining us. >>Thank you. Thank you. Stew. >>Alright, Stay tuned. Lots more coverage from VM World 2020. 
I'm Stu Miniman, and thank you for watching the Cube.
Derek Manky and Aamir Lakhani, FortiGuard Labs | CUBE Conversation, August 2020
>>From the Cube Studios in Palo Alto and Boston, connecting with thought leaders all around the world, this is a Cube conversation. >>Hi, everyone. Welcome to this Cube conversation. I'm John Furrier, host of the Cube, here in the Cube's Palo Alto studios during the COVID crisis. We're quarantined with our crew, but we got the remote interviews. Great to get great guests here from FortiGuard, Fortinet, FortiGuard Labs: Derek Manky, chief of Security Insights and Global Threat Alliances at Fortinet's FortiGuard Labs, and Aamir Lakhani, who's the lead researcher for FortiGuard Labs. Guys, great to see you. Derek, good to see you again. Aamir, good to meet you. >>Hey, it's been a while and it happened so fast. >>It just seems, I'd say, it was just the other day. Derek, we've done a couple interviews in between. A lot of flow coming out of Fortinet, FortiGuard. A lot of action, certainly with COVID, everyone's pulled back home. The bad actors taking advantage of the situation. The surface area's increased, really is the perfect storm for security. Uh, in terms of action, bad actors are at an all-time high, new threats. Here's what's going on. Take us through what you guys are doing. What's your team makeup look like? What are some of the roles that you guys are seeing on your team? And how does that transcend to the market? >>Yeah, sure, absolutely. So you're right. I mean, like, you know, like I was saying earlier, this always happens fast and furious. We couldn't do this without, you know, a world-class team at FortiGuard Labs. So we've grown our team now to over 235 globally. There's different roles within the team. You know, if we look 20 years ago, the roles used to be just very pigeonholed into, say, antivirus analysis. Right now we have to account for, when we're looking at threats, we have to look at that growing attack surface. We have to look at where these threats are coming from. How frequently are they hitting? What verticals are they hitting? 
You know, what regions? What are the particular techniques, tactics, procedures? You know, we have threat, this is the world of threat intelligence, of course. Contextualizing that information, and it takes different skill sets on the back end, and a lot of people don't really realize the behind the scenes, you know, what's happening. There's a lot of magic happening, not only from what we talked about before in our last conversation, from artificial intelligence and machine learning that we do at FortiGuard Labs and automation, but the people. And so today we want to focus on the people and talk about, you know, how on the back end we approach a particular threat. We're going to talk about the world of ransom and ransomware. Look at how we dissect threats, how we correlate that, how we use tools in terms of threat hunting as an example, and then how we actually take that to that last mile and make it actionable so that, you know, customers are protected. How we share that information with key threat intel sharing partners. But again it comes down to the people. We never have enough people in the industry. There's a big shortage, we know, but it's a really key critical element, and we've been building these training programs for over a decade within FortiGuard Labs. So you know, John, this to me is why, exactly why, I always say, and I'm sure Aamir can share this too, that there's never a dull day in the office. I know we hear that all the time, but I think today, you know, all the viewers will really get a new idea of why that is, because this is very dynamic. And on the back end, there's a lot of things that we're doing to get our hands dirty with this. >>You know, the old expression started playing Silicon Valley is if you're in the arena, that's where the action is, and it's different than sitting in the stands watching the game. You guys are certainly in that arena. And, you know, we've talked and we cover your threat report that comes out, um, frequently. 
But for the folks that aren't in the weeds on all the nuances of security, can you kind of give the 101 ransomware? What's going on? What's the state of the ransomware situation? Um, set the stage, because that still continues to be a threat. I don't go a week, but I don't read a story about another ransomware and then it leaks out. Yeah, they paid 10 million in Bitcoin or something like, I mean, this is real. That's a real ongoing threat. What is it? >>Quite a bit. Yeah, so I'll give sort of the 101 and then maybe pass it to Aamir, who's on the front lines dealing with this every day. You know, if we look at the world of, I mean, first of all, the concept of ransom, obviously you have people that, that has gone extended way, way before, you know, cybersecurity, right? Um, in the world of physical crime. So of course, you know, the world's first ransomware virus is actually called PC Cyborg. This is in 1989. The ransom payment was demanded to a P.O. box, I believe it was Panama City at the time. Not too effective on floppy disk. Very small audience. Not a big attack surface. Didn't hear much about it for years. Um, you know, really it was around 2010 we started to see ransomware becoming prolific, and what they did was, what cybercriminals did was shift on success from a fake antivirus software model, which was, you know, popping up a whole bunch of, you know, saying your computer is infected with 50 or 60 viruses, pay us, we'll give you an antivirus solution, which was, of course, fake. You know, people started catching on. You know, the gig was up, people caught on to that. So they weren't making a lot of money selling this fraudulent software. Uh, enter ransomware. And this is where ransomware really started to take hold, because it wasn't optional to pay for the software. It was mandatory almost for a lot of people because they were losing their data. They couldn't reverse engineer the current.
Uh, the encryption, couldn't decrypt it with any universal tool. Ransomware today is very rigid. We just released our threat report for the first half of 2020. And we saw, we've seen things like master boot record, MBR, ransomware. This is persistent. It sits before your operating system when you boot up your computer. So it's hard to get rid of, um, very strong. Um, you know, public-private key cryptography that's being used, so each victim is infected with a different key, as an example. The list goes on, and you know I'll save that for the demo today. But that's basically it. It's very, it's prolific, and we're seeing shifts, not only just ransomware attacks for data, we're now starting to see ransom for extortion, for targeted ransom cases that are going after, you know, critical business. Essentially, it's like a DoS, holding revenue streams ransom too. So the ransom demands are getting higher because of this as well. It's complicated. >>Yeah, I was mentioning, Aamir, I want you to weigh in. I mean, 10 million is a lot. We reported earlier this month, Garmin was the company that was hacked, IT got completely locked down. They pay 10 million. Um, Garmin makes all those devices, and as we know this is impacting. That's real numbers. So I mean, it's another little ones, but for the most part, it's new. It's, you know, pain in the butt to full-on business disruption and extortion. Can you explain how it all works before I got it? Before we go to the demo. >>You know, you're absolutely right. It is a big number, and a lot of organizations are willing to pay that number to get their data back. Essentially their organization and their business is at a complete standstill. When they don't pay, all their files are inaccessible to them. Ransomware in general, what it does, from a very basic overview, is it basically makes your files not available to you. They're encrypted.
They have essentially a passcode on them that you have to have the correct passcode to decode them. A lot of times that's in the form of a program or actually a physical password you have to type in. But you don't get that access to get your files back unless you pay the ransom. A lot of corporations these days, they are not only paying the ransom, they're actually negotiating with the criminals as well. They're trying to say, oh, you want 10 million? How about four million? Sometimes that goes on as well, but it's something that organizations know, that if they don't have the proper backups, and the attackers are getting smart, they're trying to go after the backups as well. They're trying to go after your duplicate files, so sometimes you don't have a choice, and organizations will pay the ransom. >>And it's, you know, they're smart. There's a business. They know the probability of buy versus build, or pay versus rebuild, so they kind of know where to attack. They know the tactics. The name is vulnerable. It's not like just some kiddie script thing going on. This is real sophisticated stuff, and it's highly targeted. Can you talk about some use cases there and what goes on with that kind of attack? >>Absolutely. The cybercriminals are doing reconnaissance. They're trying to find out as much as they can about their victims. And what happens is they're trying to make sure that they can motivate their victims in the fastest way possible to pay the ransom as well. So there's a lot of attacks going on. We usually, we're finding now is ransomware is sometimes the last stage of an attack, so an attacker may go into an organization. They may already be taking data out of that organization. They may be stealing customer data, PII, which is personal identifiable information such as Social Security numbers or driver's licenses or credit card information.
Once they've done their entire attack, once they've gone, everything they can, a lot of times their end stage, their last attack, is ransomware, and they encrypt all the files on the system and try and motivate the victim to pay as fast as possible and as much as possible as well. >>You know, it's interesting. I thought of my buddy today. It's like casing the joint. They check it out. They do their recon, reconnaissance. They go in, identify what's the move that's move to make, how to extract the most out of the victim, in this case, target. Um, and it really, I mean, it's just go on a tangent, you know? Why don't we have the right to bear our own arms? Why can't we fight back? I mean, the end of the day, Derek, this is like, who's protecting me? I mean, >>e do >>what? To protect my own, build my own army, or does the government help us? I mean, that's at some point, I got a right to bear my own arms here, right? I mean, this is the whole security paradigm. >>Yeah, so I mean, there's a couple of things, right? So first of all, this is exactly why we do a lot of that. I was mentioning the skills shortage in cybersecurity professionals as an example. This is why we do a lot of the heavy lifting on the back end. Obviously, from a defensive standpoint, you obviously have the red team, blue team aspect. How do you first, um, no. There is what is to fight back by being defensive as well, too, and also by, you know, in the world of threat intelligence. One of the ways that we're fighting back is not necessarily by going and hacking the bad guys, because that's illegal in jurisdictions, right? But how we can actually find out who these people are, hit them where it hurts. Freeze assets, go after money laundering networks. You follow the cash transactions where it's happening. This is where we actually work with key law enforcement partners such as Interpol, as an example. This is the world of threat intelligence.
That's why we're doing a lot of that intelligence work on the back end. So there's other ways to actually go on the offense without necessarily weaponizing it per se, right, like he's using, you know, bearing your own arms, as you said. There's different forms that people may not be aware of with that, and that actually gets into the world of, you know, if you see attacks happening on your system, how you can use security tools and collaborate with threat intelligence. >>Yeah, I think that's the key. I think the key is these new sharing technologies around collective intelligence is gonna be a great way to kind of have more of an offensive collective strike. But I think fortifying the defense is critical. I mean, there's no other way to do that. >>Absolutely. I mean the, you know, we say that's almost every week, but it's in simplicity. Our goal is always to make it more expensive for the cyber criminal to operate. And there's many ways to do that, right? You could be a pain to them by having a very rigid, hardened defense. That means that if it's too much effort on their end, I mean, they have ROIs in their sense, right, too much effort on their end, and they're gonna go knocking somewhere else. Um, there's also, you know, as I said, things like disruption, so ripping infrastructure offline, that cripples them. Yeah, it's whack-a-mole, they're going to set up somewhere else. But then also going after people themselves, um, again, the cash networks, these sorts of things. So it's sort of a holistic approach between anything. >>Hey, it's an arms race. Better AI, better cloud scale always helps. You know, it's a ratchet game. Okay, Aamir, I want to get into this video. It's a ransomware four minute video. I'd like you to take us through. You're the lead researcher, >>take us >>through this video and, uh, explain what we're looking at. Let's roll the video. >>All right. Sure.
So what we have here is we have the victim's desktop over here. We have a couple of things on this victim's desktop. We have a batch file, which is essentially going to run the ransomware. We have the payload, which is the code behind the ransomware. And then we have files in this folder, and this is where you typically find user files, and in a real world case, this would be like Microsoft, Microsoft Word documents or your PowerPoint presentations. Over here, we just have a couple of text files that we've set up. We're going to go ahead and run the ransomware, and sometimes attackers, what they do is they disguise this, like they make it look like an important Word document. They make it look like something else. But once you run the ransomware, you usually get a ransom message. And in this case, the ransom message says your files are encrypted. Uh, please pay this money to this Bitcoin address. That obviously is not a real Bitcoin address, usually they look a little more complicated. But this is our fake Bitcoin address, but you'll see that the files now are encrypted. You cannot access them. They've been changed. And unless you pay the ransom, you don't get the files. Now, as researchers, we see files like this all the time. We see ransomware all the time. So we use a variety of tools, internal tools, custom tools, as well as open source tools. And what you're seeing here is an open source tool called the Cuckoo Sandbox, and it shows us the behavior of the ransomware. What exactly is the ransomware doing in this case? You can see just clicking on that file launched a couple of different things. It launched basically a command executable, a PowerShell. It launched our Windows shell, and then it did things on the file. It basically had registry keys. It had network connections. It changed the disk. So this kind of gives us a behind the scenes look at all the processes that's happening on the ransomware, and just that one file itself.
Like I said, there's multiple different things. Now what we want to do, as researchers, we want to categorize this ransomware into families. We wanna try and determine the actors behind that. So we dump everything we know in the ransomware in the central databases. And then we mine these databases. What we're doing here is we're actually using another tool called Maltego, and, uh, we use custom tools as well as commercial and open source tools. But this is an open source and commercial tool. But what we're doing is we're basically taking the ransomware and we're asking Maltego to look through our database and say, like, do you see any like files? Or do you see any types of incidences that have similar characteristics? Because what we want to do is we want to see the relationship between this one ransomware and anything else we may have in our system, because that helps us identify maybe where the ransomware's connecting to, where it's going to, other processes that it may be doing. In this case, we can see multiple IP addresses that are connected to it, so we can possibly see multiple infections. We can block different external websites. If we can identify a command and control system, we can categorize this to a family. And sometimes we can even categorize this to a threat actor that has claimed responsibility for it. So it's essentially visualizing all the connections and the relationship between one file and everything else we have in our database, in this example. Of course, we put this in multiple ways. We can save these as reports, as PDF type reports or, you know, usually HTML or other searchable data that we have back in our systems. And then the cool thing about this is this is available to all our products, all our researchers, all our specialty teams.
So when we're researching botnets, when we're researching file based attacks, when we're researching, um, you know, IP reputation, we have a lot of different IOCs, or indicators of compromise, that we can correlate where attacks go through and maybe even detect new types of attacks as well. >>So the bottom line is you got the tools, using a combination of open source and commercial products, to look at the patterns of all ransomware across your observation space. Is that right? >>Exactly. I showed you like a very simple demo. It's not only open source and commercial, but a lot of it is our own custom developed products as well. And when we find something that works, that logic, that technique, we make sure it's built into our own products as well. So our own customers have the ability to detect the same type of threats that we're detecting as well. At FortiGuard Labs, intelligence that we acquire, that product, that product of intelligence, it's consumed directly by our products. >>Also take me through what's actually going on, what it means for the customers. So FortiGuard Labs. You're looking at all the ransomware, you're seeing the patterns. Are you guys proactively looking? Is that you guys were researching, you look at something pops on the radar? I mean, take us through what goes on. And then how does that translate into a customer notification or impact? >>So, yeah, if you look at a typical life cycle of these attacks, there's always proactive and reactive. That's just the way it is in the industry, right? So of course we try to be aware. Some of the solutions we talked about before. And if you look at an incoming threat, first of all, you need visibility. You can't protect or analyze anything that you can't see. So you got to get your hands on visibility. We call these IOCs, indicators of compromise. So this is usually something like, um, an actual executable file, like the virus, the malware itself.
It could be other things that are related to it, like websites that could be hosting the malware, as an example. So once we have that seed, we call it a seed, we could do threat hunting from there, so we can analyze that, right? If it's a piece of malware or a botnet, we can do analysis on that and discover more malicious things that this is doing. Then we go investigate those malicious things, and we really, you know, it's similar to the world of CSI, right, you have these different dots that they're connecting. We're doing that at hyper scale, and we use that through these tools that Aamir was talking. So it's really a life cycle of getting, you know, the malware incoming, seeing it first, um, analyzing it, and then doing action on that, right? So it's sort of a three step process, and the action comes down to what Aamir is saying, waterfalling that to our customers so that they're protected. But then in tandem with that, we're also going further. And I'm sharing it, if applicable, to, say, law enforcement partners, other threat intel sharing partners too. And, um, there's not just humans doing that, right? So the proactive piece, again, this is where it comes to artificial intelligence, machine learning. Um, there's a lot of cases where we're automatically doing that analysis without humans. So we have AI systems that are analyzing and actually creating protection on its own too. So it's quite interesting technology. >>A decision. At the end of the day, you want to protect your customers. And so this renders out, if I'm a Fortinet customer, across the portfolio. The goal here is to protect them from ransomware, right? That's the end of game. >>Yeah, and that's a very important thing when you start talking these big dollar amounts that were talking earlier, comes to the damages that are done from estimates. >>E not only is a good insurance, it's just good to have that fortification. Alright, so Derek,
I gotta ask you about the term the last mile, because, you know, before we came on camera, you know, I'm a bandwidth junkie, always want more bandwidth. So the last mile used to be a term for last mile to the home, where there was telephone lines. Now it's fiber and Wi-Fi. But what does that mean to you guys in security? Does that mean something specific? >>Yeah, yeah, absolutely. The easiest way to describe that is actionable, right? So one of the challenges in the industry is we live in a very noisy industry when it comes to cybersecurity. What I mean by that is because of that growing attack surface, and, you know, you have these different attack vectors. You have attacks not only coming in from email, but websites, from, you know, DDoS attacks. There's a lot of volume that's just going to continue to grow, is the world of 5G and IoT. So what ends up happening is when you look at a lot of security operation centers for customers, as an example, um, there are, it's very noisy. It's, um, you can guarantee that every day you're going to see some sort of probe, some sort of attack activity that's happening. And so what that means is you get a lot of protection events, a lot of logs, and when you have this worldwide shortage of security professionals, you don't have enough people to process those logs and actually started to say, hey, this looks like an attack, I'm gonna go investigate it and block it. So this is where the last mile comes in, because a lot of the times, you know, these logs, they light up like Christmas. And I mean, there's a lot of events that are happening. How do you prioritize that? How do you automatically add action? Because the reality is, if it's just humans doing it, that last mile is often, going back to your bandwidth terms, there's too much latency, right? So how do you reduce that latency? That's where the automation, the AI, machine learning comes in,
to solve that last mile problem, to automatically add that protection. Especially important because you have to be quicker than the attacker. It's an arms race like E. >>I think what you guys do with FortiGuard Labs is super important. Not like the industry, but for society at large, as you have kind of all this, you know, shadow, cloak and dagger kind of attack systems, whether it's national security, international, or just for, you know, mafias and racketeering and the bad guys. Can you guys take a minute and explain the role of FortiGuard specifically and why you guys exist? I mean, obviously there's a commercial reason, you both on the Fortinet that, you know, trickles down into the products. That's all good for the customers. I get that, but there's more to the FortiGuard than just that. You guys talk about this trend and security business, because it is very clear that there's a, you know, uh, collective sharing culture developing rapidly for societal benefit. Can you take them into something that, >>Yeah, sure, I'll get my thoughts. Are you gonna that? So I'm going to that too, from my point of view, I mean, there's various functions. So we've just talked about that last mile problem. That's the commercial aspect. We create, through FortiGuard Labs, FortiGuard services that are dynamic and updated to security products, because you need intelligence products to be able to protect against intelligence attacks. That's just the defense again. Going back to, how can we take that further? I mean, we're not law enforcement ourselves. We know a lot about the bad guys and the actors because of the intelligence work that we do. But we can't go in and prosecute. We can share knowledge and we can train prosecutors, right? This is a big challenge in the industry. A lot of prosecutors don't know how to take cybersecurity courses to court, and because of that, a lot of these cybercriminals reign free. That's been a big challenge in the industry.
So, you know, this has been close to my heart. Over 10 years, I've been building a lot of these key relationships between private and public sector, as an example, but also private sector things like the Cyber Threat Alliance. We're a founding member of the Cyber Threat Alliance, with over 28 members in that alliance. And it's about sharing intelligence to level that playing field, because attackers roam freely. What I mean by that is there's no jurisdictions for them. Cybercrime has no borders. Um, they could do a million things, uh, wrong and they don't care. We do a million things right, one thing wrong, and it's a challenge. So there's this big collaboration that's a big part of FortiGuard, why it exists too, is to make the industry better, to, you know, work on protocols and automation and really fight this together, while remaining competitors. I mean, we have competitors out there, of course, and so it comes down to that last mile problem, John, is like we can share intelligence within the industry, but it's only, intelligence is just intelligence. How do you make it useful and actionable? That's where it comes down to technology integration. And, >>Aamir, what's your take on this, uh, societal benefit? Because, you know, I've been saying since the Sony hack years ago that, you know, when you have nation states, that if they put troops on our soil, the government would respond. Um, but yet virtually they're here, and the private sector's defend for themselves. No support. So I think this private public partnership thing is very relevant. I think it's ground zero of the future build out of policy, because, you know, we pay for freedom. Why don't we have cyber freedom, is if we're gonna run a business? Where's our help from the government? Pay taxes. So again, if a military showed up, you're not gonna see, you know, cos fighting the foreign enemy, right? So, again, this is a whole new change over. >>It really is.
You have to remember that cyberattacks put everyone on an even playing field, right? I mean, you know, now you don't have to have a country that has invested a lot in weapons development or nuclear weapons or anything like that, right? Anyone can basically come up to speed on cyber weapons as long as they have an Internet connection. So it evens the playing field, which makes it dangerous, I guess, for our enemies, you know. But absolutely, I think a lot of us, you know, from a personal standpoint, a lot of us have seen, researchers have seen organizations fail through cyber attacks. We've seen the frustration. We've seen, like, you know, besides organizations, we've seen people, like, just like grandmas lose their pictures of their, you know, other loved ones because they're being attacked by ransomware. I think we take it very personally when people, like innocent people, get attacked, and we make it our mission to make sure we can do everything we can to protect them. But I will add that at least here in the U.S., the federal government actually has a lot of partnerships and a lot of programs to help organizations with cyber attacks. The US-CERT is always continuously updating, you know, organizations about the latest attacks. InfraGard is another organization run by the FBI, and a lot of companies like Fortinet and even a lot of other security companies participate in these organizations so everyone can come up to speed and everyone share information. So we all have a fighting chance. >>It's a whole new wave paradigm. You guys on the cutting edge. Derek, always great to see you. Aamir, great to meet you remotely, looking forward to meeting in person when the world comes back to normal as usual. Thanks for the great insights. Appreciate it. >>All right. Thank God. Pleasure as always. >>Okay. CUBE Conversation here. I'm John Furrier, host of theCUBE. Great insightful conversation around security, ransomware, with a great demo.
Check it out from Derek and Aamir from FortiGuard Labs. I'm John Furrier. Thanks for watching.
Derek Manky and Aamir Lakhani, FortiGuard Labs | CUBE Conversation, August 2020
>> Announcer: From theCUBE studios in Palo Alto in Boston, connecting with thought leaders all around the world. This is a CUBE Conversation. >> Hi everyone. Welcome to this CUBE Conversation. I'm John Furrier, host of theCUBE, here in theCUBE's Palo Alto studios during the COVID crisis. We're quarantined with our crew, but we got the remote interviews. Got two great guests here from Fortinet FortiGuard Labs, Derek Manky, Chief Security Insights and global threat alliances at Fortinet FortiGuard Labs. And Aamir Lakhani, who's the Lead Researcher for the FortiGuard Labs. You guys, it's great to see you. Derek, good to see you again, Aamir, good to meet you too. >> It's been a while and it happens so fast. >> It just seems it was just the other day, Derek, we've done a couple of interviews in between a lot of flow coming out of Fortinet FortiGuard, a lot of action, certainly with COVID everyone's pulled back home, the bad actors taking advantage of the situation. The surface area's increased, really is the perfect storm for security in terms of action, bad actors are at an all time high, new threats. Here's going on, take us through what you guys are doing. What's your team makeup look like? What are some of the roles you guys are seeing on your team and how does that transcend to the market? >> Yeah, sure, absolutely. So you're right. I mean like I was saying earlier that is, this always happens fast and furious. We couldn't do this without a world class team at FortiGuard Labs. So we've grown our team now to over 235 globally. There's different roles within the team. If we look 20 years ago, the roles used to be just very pigeonholed into say antivirus analysis, right? Now we have to account for, when we're looking at threats, we have to look at that growing attack surface. We have to look at where are these threats coming from? How frequently are they hitting? What verticals are they hitting? What regions, what are the particular techniques, tactics, procedures?
So we have threat. This is the world of threat intelligence, of course, contextualizing that information and it takes different skill sets on the backend. And a lot of people don't really realize the behind the scenes, what's happening. And there's a lot of magic happening, not only from what we talked about before in our last conversation from artificial intelligence and machine learning that we do at FortiGuard Labs and automation, but the people. And so today we want to focus on the people and talk about how on the backend we approached a particular threat, we're going to talk to the word ransom and ransomware, look at how we dissect threats, how we correlate that, how we use tools in terms of threat hunting as an example, and then how we actually take that to that last mile and make it actionable so that customers are protected. I would share that information with key, right, intel sharing partners. But again, it comes down to the people. We never have enough people in the industry, there's a big shortage as we know, but it's a really key critical element. And we've been building these training programs for over a decade within FortiGuard Labs. So, you know John, this to me is exactly why I always say, and I'm sure Aamir can share this too, that there's never a dull day in the office and we hear that all the time. But I think today, all of you will really get an idea of why that is because it's very dynamic and on the backend, there's a lot of things that we're doing to get our hands dirty with this. >> You know the old expression startup plan Silicon Valley is if you're in the arena, that's where the action is. And it's different than sitting in the stands, watching the game. You guys are certainly in that arena and you got, we've talked and we cover your, the threat report that comes out frequently. But for the folks that aren't in the weeds on all the nuances of security, can you kind of give the 101 on ransomware, what's going on? 
What's the state of the ransomware situation? Set the stage because that still continues to be a threat. I don't go a week, but I don't read a story about another ransomware. And then at least I hear they paid 10 million in Bitcoin or something like, I mean, this is real, that's a real ongoing threat. What is it? >> The (indistinct) quite a bit. But yeah. So I'll give sort of the 101 and then maybe we can pass it to Aamir who is on the front lines, dealing with this every day. You know if we look at the world of, I mean, first of all, the concept of ransom, obviously you have people that has gone extended way way before cybersecurity in the world of physical crime. So of course, the world's first ransomware virus is actually called PC Cyborg. This is 1989, a ransom payment that was demanded through a P.O. Box from the voters Panama City at the time, not too effective on floppy disks, a very small audience, not a big attack surface. Didn't hear much about it for years. Really, it was around 2010 when we started to see ransomware becoming prolific. And what they did was, what cyber criminals did was shift on success from a fake antivirus software model, which was, popping up a whole bunch of, saying, hey, your computer's infected with 50 or 60 viruses, pay us, we'll give you an antivirus solution, which was of course fake. People started catching on, the jig was up, people caught on to that. So they weren't making a lot of money selling this fraudulent software, enter ransomware. And this is where ransomware, it really started to take hold because it wasn't optional to pay for this software. It was mandatory almost for a lot of people because they were losing their data. They couldn't reverse engineer the encryption, couldn't decrypt it with any universal tool. Ransomware today is very rigid. We just released our threat report for the first half of 2020. And we saw, we've seen things like master boot record, MBR, ransomware. This is persistent. 
It sits before your operating system, when you boot up your computer. So it's hard to get rid of it. Very strong public private key cryptography. So each victim is infected with a different key, as an example, the list goes on and I'll save that for the demo today, but that's basically, it's just very, it's prolific. We're seeing shifts, not only just ransomware attacks for data, we're now starting to see ransom for extortion, for targeted ransom cases that are going after critical business. Essentially it's like a DoS holding revenue streams to ransom too. So the ransom demands are getting higher because of this as well. So it's complicated. >> Was mentioning Aamir, why don't you weigh in, I mean, 10 million is a lot. And we reported earlier in this month. Garmin was the company that was hacked, IT got completely locked down. They pay 10 million, Garmin makes all those devices. And as we know, this is impact and that's real numbers. I mean, it's not other little ones, but for the most part, it's a nuisance, it's a pain in the butt, to full on business disruption and extortion. Can you explain how it all works before we go to the demo? >> You know, you're absolutely right. It is a big number and a lot of organizations are willing to pay that number, to get their data back. Essentially their organization and their business is at a complete standstill when they don't pay, all their files are inaccessible to them. Ransomware in general, what it does end up from a very basic overview is it basically makes your files not available to you. They're encrypted. They have essentially a passcode on them that you have to have the correct passcode to decode them. A lot of times that's in a form of a program or actually a physical password you have to type in, but you don't get that access to get your files back unless you pay the ransom. A lot of corporations these days, they are not only paying the ransom. They're actually negotiating with the criminals as well. 
They're trying to say, "Oh, you want 10 million? How about 4 million?" Sometimes that goes on as well. But it's something that organizations know that if they didn't have the proper backups and the hackers are getting smart, they're trying to go after the backups as well. They're trying to go after your duplicated files. So sometimes you don't have a choice, and organizations will pay the ransom. >> And it's, they're smart, there's a business. They know the probability of buy versus build or pay versus rebuild. So they kind of know where to attack. They know that the tactics and it's vulnerable. It's not like just some kiddie script thing going on. This is real sophisticated stuff, it's highly targeted. Can you talk about some use cases there and what goes on with that kind of an attack? >> Absolutely. The cyber criminals are doing reconnaissance and trying to find out as much as they can about their victims. And what happens is they're trying to make sure that they can motivate their victims in the fastest way possible to pay the ransom as well. So there's a lot of attacks going on. We usually, what we're finding now is ransomware is sometimes the last stage of an attack. So an attacker may go into an organization. They may already be taking data out of that organization. They may be stealing customer data, PII, which is personal identifiable information, such as social security numbers, or driver's licenses, or credit card information. Once they've done their entire tap, once they've gotten everything they can, a lot of times their end stage, their last attack is ransomware. And they encrypt all the files on the system and try and motivate the victim to pay as fast as possible and as much as possible as well. >> I was talking to my buddy the other day. It's like casing the joint there, stay, check it out. They do their recon, reconnaissance. They go in, identify what's the best move to make, how to extract the most out of the victim in this case, the target. 
And it really is, I mean, it's just to go on a tangent, why don't we have the right to bear our own arms? Why can't we fight back? I mean, at the end of the day, Derek, this is like, who's protecting me? I mean, what to protect my, build my own arms, or does the government help us? I mean, at some point I got a right to bear my own arms here. I mean, this is the whole security paradigm. >> Yeah. So, I mean, there's a couple of things. So first of all, this is exactly why we do a lot of, I was mentioning the skill shortage in cybersecurity professionals as an example. This is why we do a lot of the heavy lifting on the backend. Obviously from a defensive standpoint, you obviously have the red team, blue team aspect. How do you first, there's what is to fight back by being defensive as well, too. And also by, in the world of threat intelligence, one of the ways that we're fighting back is not necessarily by going and hacking the bad guys because that's illegal jurisdictions. But how we can actually find out who these people are, hit them where it hurts, freeze assets, go after money laundering networks. If you follow the cash transactions where it's happening, this is where we actually work with key law enforcement partners, such as Interpol as an example, this is the world of threat intelligence. This is why we're doing a lot of that intelligence work on the backend. So there's other ways to actually go on the offense without necessarily weaponizing it per se, right? Like using, bearing your own arms as you said, there's different forms that people may not be aware of with that. And that actually gets into the world of, if you see attacks happening on your system, how you can use the security tools and collaborate with threat intelligence. >> I think that's the key. I think the key is these new sharing technologies around collective intelligence is going to be a great way to kind of have more of an offensive collective strike. 
But I think fortifying the defense is critical. I mean, that's, there's no other way to do that. >> Absolutely, I mean, we say this almost every week, but it's in simplicity. Our goal is always to make it more expensive for the cybercriminal to operate. And there's many ways to do that, right? You can be a pain to them by having a very rigid, hardened defense. That means if it's too much effort on their end, I mean, they have ROIs and in their sense, right? It's too much effort on their end and they're going to go knocking somewhere else. There's also, as I said, things like disruption, so ripping infrastructure offline that cripples them, whack-a-mole, they're going to set up somewhere else. But then also going after people themselves, again, the cash networks, these sorts of things. So it's sort of a holistic approach between- >> It's an arms race, better AI, better cloud scale always helps. You know, it's a ratchet game. Aamir, I want to get into this video. It's a ransomware four minute video. I'd like you to take us through as you the Lead Researcher, take us through this video and explain what we're looking at. Let's roll the video. >> All right. Sure. So what we have here is we have the victim's desktop over here. We have a couple of things on this victim's desktop. We have a batch file, which is essentially going to run the ransomware. We have the payload, which is the code behind the ransomware. And then we have files in this folder. And this is where you would typically find user files in a real world case. This would be like Microsoft or Microsoft Word documents, or your PowerPoint presentations, or here we just have a couple of text files that we've set up. We're going to go ahead and run the ransomware. And sometimes attackers, what they do is they disguise this. Like they make it look like an important Word document. They make it look like something else. But once you run the ransomware, you usually get a ransom message. 
And in this case, a ransom message says, your files are encrypted. Please pay this money to this Bitcoin address. That obviously is not a real Bitcoin address. Usually they look a little more complicated, but this is our fake Bitcoin address. But you'll see that the files now are encrypted. You cannot access them. They've been changed. And unless you pay the ransom, you don't get the files. Now, as researchers, we see files like this all the time. We see ransomware all the time. So we use a variety of tools, internal tools, custom tools, as well as open source tools. And what you're seeing here is an open source tool. It's called the Cuckoo Sandbox, and it shows us the behavior of the ransomware. What exactly is ransomware doing. In this case, you can see just clicking on that file, launched a couple of different things that launched basically a command executable, a PowerShell. They launched our Windows shell. And then at, then add things on the file. It would basically, you had registry keys, it had on network connections. It changed the disk. So that's kind of gives us a behind the scenes look at all the processes that's happening on the ransomware. And just that one file itself, like I said, does multiple different things. Now what we want to do as researchers, we want to categorize this ransomware into families. We want to try and determine the actors behind that. So we dump everything we know in a ransomware in the central databases. And then we mine these databases. What we're doing here is we're actually using another tool called Maltego and use custom tools as well as commercial and open source tools. But this is an open source and commercial tool. But what we're doing is we're basically taking the ransomware and we're asking Maltego to look through our database and say like, do you see any like files? Or do you see any types of incidences that have similar characteristics? 
Because what we want to do is we want to see the relationship between this one ransomware and anything else we may have in our system, because that helps us identify maybe where the ransomware is connecting to, where it's going to, other processes that it may be doing. In this case, we can see multiple IP addresses that are connected to it. So we can possibly see multiple infections. We can block different external websites that we can identify a command and control system. We can categorize this to a family, and sometimes we can even categorize this to a threat actor that's claimed responsibility for it. So it's essentially visualizing all the connections and the relationship between one file and everything else we have in our database. And this example, of course, I'd put this in multiple ways. We can save these as reports, as PDF type reports or usually HTML or other searchable data that we have back in our systems. And then the cool thing about this is this is available to all our products, all our researchers, all our specialty teams. So when we're researching botnets, when we're researching file-based attacks, when we're researching IP reputation, we have a lot of different IOCs, or indicators of compromise, that we can correlate where attacks go through and maybe even detect new types of attacks as well. >> So the bottom line is you got the tools using combination of open source and commercial products to look at the patterns of all ransomware across your observation space. Is that right? >> Exactly. I showed you like a very simple demo. It's not only open source and commercial, but a lot of it is our own custom developed products as well. And when we find something that works, that logic, that technique, we make sure it's built into our own products as well. So our own customers have the ability to detect the same type of threats that we're detecting as well. 
At FortiGuard Labs, the intelligence that we acquire, that product, that product of intelligence it's consumed directly by our prospects. >> So take me through what's actually going on, what it means for the customer. So FortiGuard Labs, you're looking at all the ransomware, you're seeing the patterns, are you guys proactively looking? Is it, you guys are researching, you look at something pops in the radar. I mean, take us through what goes on and then how does that translate into a customer notification or impact? >> So, yeah, John, if you look at a typical life cycle of these attacks, there's always proactive and reactive. That's just the way it is in the industry, right? So of course we try to be (indistinct) as we look for some of the solutions we talked about before, and if you look at an incoming threat, first of all, you need visibility. You can't protect or analyze anything that you can see. So you got to get your hands on visibility. We call these IOCs, indicators of compromise. So this is usually something like an actual executable file, like the virus or the malware itself. It could be other things that are related to it, like websites that could be hosting the malware as an example. So once we have that SEED, we call it a SEED. We can do threat hunting from there. So we can analyze that, right? If we have to, it's a piece of malware or a botnet, we can do analysis on that and discover more malicious things that this is doing. Then we go investigate those malicious things. And we really, it's similar to the world of CSI, right? These different dots that they're connecting, we're doing that at hyper-scale. And we use that through these tools that Aamir was talking about. So it's really a lifecycle of getting the malware incoming, seeing it first, analyzing it, and then doing action on that. So it's sort of a three step process. And the action comes down to what Aamir was saying, waterfalling that to our customers, so that they're protected. 
But then in tandem with that, we're also going further and sharing it if applicable to say law enforcement partners, other threat intel sharing partners too. And it's not just humans doing that. So the proactive piece, again, this is where it comes to artificial intelligence, machine learning. There's a lot of cases where we're automatically doing that analysis without humans. So we have AI systems that are analyzing and actually creating protection on its own too. So it's quite interesting that way. >> I'd say at the end of the day, you want to protect your customers. And so this renders out, if I'm a Fortinet customer across the portfolio, the goal here is protect them from ransomware, right? That's the end game. >> Yeah. And that's a very important thing. When you start talking to these big dollar amounts that we were talking earlier, it comes to the damages that are done from that- >> Yeah, I mean, not only is it good insurance, it's just good to have that fortification. So Derek, I'm going to ask you about the term the last mile, because, we were, before we came on camera, I'm a bandwidth junkie, always want more bandwidth. So the last mile, it used to be a term for last mile to the home where there was telephone lines. Now it's fiber and wifi, but what does that mean to you guys in security? Does that mean something specific? >> Yeah, absolutely. The easiest way to describe that is actionable. So one of the challenges in the industry is we live in a very noisy industry when it comes to cybersecurity. What I mean by that is that because of that growing attack surface and you have these different attack vectors, you have attacks not only coming in from email, but websites from DoS attacks, there's a lot of volume that's just going to continue to grow is the world that 5G and OT. So what ends up happening is when you look at a lot of security operations centers for customers, as an example, there are, it's very noisy. 
It's you can guarantee almost every day, you're going to see some sort of probe, some sort of attack activity that's happening. And so what that means is you get a lot of protection events, a lot of logs. And when you have this worldwide shortage of security professionals, you don't have enough people to process those logs and actually start to say, "Hey, this looks like an attack." I'm going to go investigate it and block it. So this is where the last mile comes in, because a lot of the times that, these logs, they light up like Christmas. And I mean, there's a lot of events that are happening. How do you prioritize that? How do you automatically add action? Because the reality is if it's just humans doing it, that last mile is often going back to your bandwidth terms. There's too much latency. So how do you reduce that latency? That's where the automation, the AI machine learning comes in to solve that last mile problem to automatically add that protection. It's especially important 'cause you have to be quicker than the attacker. It's an arms race, like you said earlier. >> I think what you guys do with FortiGuard Labs is super important, not only for the industry, but for society at large, as you have kind of all this, shadow, cloak and dagger kind of attack systems, whether it's national security international, or just for, mafias and racketeering, and the bad guys. Can you guys take a minute and explain the role of FortiGuards specifically and why you guys exist? I mean, obviously there's a commercial reason you built on the Fortinet that trickles down into the products. That's all good for the customers, I get that. But there's more at the FortiGuards. And just that, could you guys talk about this trend and the security business, because it's very clear that there's a collective sharing culture developing rapidly for societal benefit. Can you take a minute to explain that? >> Yeah, sure. I'll give you my thoughts, Aamir will add some to that too. 
So, from my point of view, I mean, there's various functions. So we've just talked about that last mile problem. That's the commercial aspect. We created, through FortiGuard Labs, FortiGuard services that are dynamic and updated to security products because you need intelligence products to be able to protect against intelligent attacks. That's just a defense again, going back to, how can we take that further? I mean, we're not law enforcement ourselves. We know a lot about the bad guys and the actors because of the intelligence work that we do, but we can't go in and prosecute. We can share knowledge and we can train prosecutors, right? This is a big challenge in the industry. A lot of prosecutors don't know how to take cybersecurity cases to court. And because of that, a lot of these cyber criminals reign free, and that's been a big challenge in the industry. So this has been close to my heart. Over 10 years, I've been building a lot of these key relationships between private public sector, as an example, but also private sector, things like Cyber Threat Alliance. We're a founding member of the Cyber Threat Alliance. We have over 28 members in that Alliance, and it's about sharing intelligence to level that playing field because attackers roam freely. What I mean by that is there's no jurisdictions for them. Cyber crime has no borders. They can do a million things wrong and they don't care. We do a million things right, one thing wrong and it's a challenge. So there's this big collaboration. That's a big part of FortiGuard, why it exists too, is to make the industry better, to work on protocols and automation and really fight this together while remaining competitors. I mean, we have competitors out there, of course. And so it comes down to that last mile problems on is like, we can share intelligence within the industry, but it's only intelligence is just intelligence. How do you make it useful and actionable? That's where it comes down to technology integration. 
>> Aamir, what's your take on this societal benefit? Because, I would say for instance, the Sony hack years ago that, when you have nation states, if they put troops on our soil, the government would respond, but yet virtually they're here and the private sector has to fend for themselves. There's no support. So I think this private public partnership thing is very relevant, I think is ground zero of the future build out of policy because we pay for freedom. Why don't we have cyber freedom if we're going to run a business, where is our help from the government? We pay taxes. So again, if a military showed up, you're not going to see companies fighting the foreign enemy, right? So again, this is a whole new changeover. What's your thought? >> It really is. You have to remember that cyber attacks puts everyone on an even playing field, right? I mean, now you don't have to have a country that has invested a lot in weapons development or nuclear weapons or anything like that. Anyone can basically come up to speed on cyber weapons as long as they have an internet connection. So it evens the playing field, which makes it dangerous, I guess, for our enemies. But absolutely I think a lot of us, from a personal standpoint, a lot of us have seen, researchers have seen, organizations fail through cyber attacks. We've seen the frustration, we've seen, like besides organization, we've seen people like, just like grandmas lose their pictures of their other loved ones because they kind of, they've been attacked by ransomware. I think we take it very personally when people like innocent people get attacked and we make it our mission to make sure we can do everything we can to protect them. But I will add that at least here in the U.S., the federal government actually has a lot of partnerships and a lot of programs to help organizations with cyber attacks. 
The US-CERT is always continuously updating organizations about the latest attacks, and InfraGard is another organization run by the FBI and a lot of companies like Fortinet. And even a lot of other security companies participate in these organizations. So everyone can come up to speed and everyone can share information. So we all have a fighting chance. >> It's a whole new wave of paradigm. You guys are on the cutting edge. Derek always great to see you, Aamir great to meet you remotely, looking forward to meeting in person when the world comes back to normal as usual. Thanks for the great insights. Appreciate it. >> Pleasure as always. >> Okay. CUBE Conversation here. I'm John Furrier, host of theCUBE. Great insightful conversation around security ransomware with a great demo. Check it out from Derek and Aamir from FortiGuard Labs. I'm John Furrier. Thanks for watching.
Brendan Walsh, 1901 Group LLC | AWS re:Invent 2019
>>Live from Las Vegas, it's theCUBE, covering AWS re:Invent 2019. Brought to you by Amazon Web Services and Intel, along with its ecosystem partners. >>Welcome back to the Sands. We continue our coverage here on theCUBE of day one of the AWS re:Invent 2019 show. Bigger and better than ever. Tough to say, because last year was awesome. This year if they think you're gonna have a little bit higher on the knots. Justin Warren, I'm John Walls, we're joined by Brendan Walsh, who is the SVP of partner relations at the 1901 Group. Good to see you, sir. >>Thank you. Thank you for having me. >>Right now. I can't imagine anything in tech dating back to 1901. So I'm trying to think, what was the origination of the company? First off, tell us a little bit about what you do, but what's the name all about? >>Well, real quick for the name, our CEO, Sonu Singh, came up with this idea for automation of IT, routine IT management. 1901 was the year the assembly line was invented, so a gentleman named Ransom E. Olds from the famed Oldsmobile gets credit for that. So Sonu named the company after that automation breakthrough of an assembly line model. And we have built an assembly line concept, what we call an IT factory, or a cloud migration factory, into our operations center. And that's part of our managed services offering that we sell, promote, provide to our customers. >>And, of course, you're doing that with the help of a company called Cohesity. Find Data Management Solutions provider. So let's talk a little bit about Cohesity as well. And your relationship, how that works and what you're, I guess, deriving or extracting from their services, that you find that great value in that. >>Absolutely. We're, maybe this is a little different for today in the show. We actually are a customer of Cohesity. We consume Cohesity. 
So in our managed service offering portfolio, one of the things that we've been using Cohesity for is helping our customers set, create or start up disaster recovery or backup services capability. And 1901 Group has been packaging, marketing, selling that DR as a service and that bur backup as a service to our federal, state, local customers. >>A longtime fan of the Toyota production system, I am very pleased that you are turning an assembly line concept. You know, I think it's vastly overdue. So it's great to hear you focus a lot on the public sector, is my understanding, absolutely. Tell me a little bit more about what the public sector is. A very complicated based is a >>complicated is putting it politely. >>So walk us through how you're using Cohesity to help public sector organizations transform themselves to use this kind of as a service backup and disaster recovery. >>You hit on a really good point. It's sort of two points. One is the term is IT modernization. So in order to modernize a very large, complex IT environment, assets, systems, services, multi locations, various data centers, multiple data classifications, that complexity. With the Cohesity product, what it has allowed us to do is to start incrementally by doing a disaster recovery or a backup on premise. That gives the agency a sense of confidence, we get to show success and progress, and that's sort of a win win for everyone involved. Where the growth with a future and how those agencies will modernize is once you start getting the data backed up properly, prepped for disaster recovery properly, you can also start migrating data toward native cloud. And particularly we've been working with AWS, AWS GovCloud in particular, but also AWS commercial cloud. >>I like how you mentioned that building trust part with the agencies to begin with. It's not so much about the technology, but about the human part of the process. 
We heard that come out this morning with Andy Jassy talking about how data transfer, transformation happens, and it's a lot to do with the humans. It's not all about technology. >>And the organizational change management is as important as the technology change management, and incremental shift toward the cloud and migration toward the cloud allows for both time and reallocation of resources, both by the agencies, contractors supporting the agencies, and managed service providers like us, who are really providing more as-a-service models, meaning we generally consume the technology for the client, which is a little bit different of a model from the past, but that is the trend of the future. >>It's not purely incremental, though, because you're not. You have to change the way that you're doing things, to be using it as a service, as distinct from the way that you would have done it as purely on-premises type infrastructure. Explain a little bit about how you helped these agencies to change the way they think to be able to use this as-a-service >>approach. Well, one of the reasons we selected Cohesity is because of their ability to scale out and their pricing model that allows us to better forecast costs and, because we're a managed service provider, price to the government. So the scale-out capability that Cohesity provides allows us to buy technology capacity nodes as we need them, so we don't have a large capital expenditure up front. As orders come in, as agencies purchase, as we grow, we can add to that capacity incrementally. That's lower risk for us, lower risk for the client. So again, it's a win-win. And their pricing model, their licensing model allows us to work with our agency customers and predict costing and pricing for next year, two years out, three years out, which, in the federal budget cycle appropriations are not appropriated. It is a pretty important thing. >>got on a wire in the business.
Frankly, it's such a, you know, just pull your hair out. I'm sure they're wonderful. This roast ready to say the least, but we heard a lot about a pretty big major theme, this transformation versus transition, and in terms of government users, how do you get them into the transformation mindset when you have those obstacles you just talked about, that you have a number of times, cycles and our funding cycles and development cycles. And so regulatory cycles, I mean, and you write those concerns, whatever they will throws their way, states what they throw their way. I think that would be, just looking at it from the outside, tough to get into a transformer mode when you almost are constantly transitioning, it seems. >>You bring up a good point. If I can make a comment about AWS, AWS has been investing in what's called FedRAMP. That's a federal accreditation program that ensures that cloud systems, and in the case of AWS, have their security controls documented, properly documented to a standard, and then enforced, so continuously monitored and reported on. The investments AWS has been making, and that speed of investment has been increasing over the last few years, has really helped managed service providers and IT providers like 1901 Group help the agencies understand how to transition and transform. But it's definitely a step. It's a step across. It's incremental in nature, but I congratulate AWS on that investment of time and resources for FedRAMP. We also are federally authorized. We're going into our fifth year, so we were early on, and being able to watch AWS grow, expand, helps us, helps our competition, but helps the agencies and helps, in the end, all citizens of the United States. So missions are getting better. The adoption is speeding up.
I thank AWS for that investment. >>Tell us a little bit more about how these federal agencies are using both AWS and Cohesity to work together, because you mentioned that your business is built on Cohesity. So where does that go? Where's coming >>So we started out using Cohesity in an on-premise environment to support federal civilian agencies. That model has been growing, so that was a single tenant, meaning we had one customer on a single instance. We've expanded to a multi-tenant instance. And now we're expanding into an AWS cloud-native instance, so being able to work with a complex environment, a complex data management environment, being able to go from on-prem to cloud, being able to go from AWS back and forth, being able to manage that seamlessly, ensuring there's encryption of data at rest and in motion. That just makes our job that much easier. >>Now we know that Cohesity is a software data management company. It's not just about backup and DR. So Cohesity is making some inroads into other secondary data management services, and some other things there. So what are you looking at to expand into, what a customer is asking you to do for them now that you've already proven yourself with some of the DR and backup type ability? Yeah, >>I mean, it really varies. It does vary agency to agency. Smaller, independent agencies really may be looking at a Cohesity technology to manage fragmented data. Larger agencies and groups and programs within agencies have different asks, different requirements. It's really hard to say a single what is the thing? I would say that the flexibility Cohesity gives us is the ability to go hybrid. So depending on what the customer's asking, feature-wise, functionality-wise, architecture-wise, we think that Cohesity is very flexible. >>And about the public sector market. Then if you could put your headlight on that for the next 23 years, he was talked about some cycles of that far out.
What do you think it would be? A, I guess, shift is the right word. What would be a useful or valuable shift in terms of the public sector, in terms of their acceptance or adoption in your world? >>Well, so as applications are lifted and shifted or migrated, refactored, rewritten into cloud environments, you're gonna, we're going to see, you're going to see mission applications at the agency level move to cloud, reside in the cloud, so data, for performance reasons, is gonna have to be right next to that application. So the data management, whether it's for production or test/dev, Cohesity's got emerging capability for dev/test. I think it's test/dev, but dev/test. So all these pieces sort of go together as, you said, going from transitioning to transforming, and you start looking to three years out. I do believe the agencies have a lot of momentum. There are some really interesting activities being done in the federal, state, local realm around artificial intelligence, machine learning. So being able to do the compute, storage, the networking and security all within an AWS cloud, it's just going to speed things up and make cost and performance more manageable and transparent. >>Thank you for the time. We appreciate that. We found out earlier that Brendan is a Washington Redskins fan and a D.C. resident, as am I. And I thought 1901 was the last time we had a playoff tape. It wasn't quite that far back, but it certainly seems like it, doesn't it? Hang in there. Thank you very much. Enjoy that. Brendan Walsh joining us from the 1901 Group. Back with more live here from AWS re:Invent. With Justin Warren, I'm John Walls, and you are watching the Cube.
Victoria Hurtado, Kern Health Systems | Nutanix .NEXT Conference 2019
>> Live from Anaheim, California, it's the Cube, covering Nutanix .NEXT 2019. Brought to you by Nutanix. >> Welcome back, everyone, to the Cube's live coverage of Nutanix .NEXT here in Anaheim. I'm your host, Rebecca Knight, along with my co-host, John Furrier. We are joined by Victoria Hurtado. She is the director of IT operations at Kern Health Systems. Welcome, Victoria. >> Thank you for having me. >> So for our viewers that are not familiar with Kern, tell us a little bit about what you do and what you're all about. >> Sure. So we're a health payer provider. So we are a managed care medical plan. We have a contract with the state of California to provide medical services to about two hundred fifty five thousand members in Kern County, located in Bakersfield, California. So if you really want to know more about this, like a Kaiser without the provider network. And so we pay the services, the bills that come in, as well as authorize the services that need to be rendered for members. >> So talk about your decision to move from traditional storage to HCI. >> So really, where decisions stemmed from was our roadmap. And over the last several years we have had a three-tier traditional storage, and the daily tasks of our system administrators have increased over time with integration, and as technology increases, there's more integration. And so we really wanted to focus on how do we decrease that, as well as increase efficiencies so that we can provide the services that we need to, for our internal customers as well as our external customers, our members and providers. >> And the efficiency. Suppose the project plan. How did you go? Proud. You approach it? >> Sure. So our strategy was really a three-phase approach. So we wanted to implement VDI for our internal employees. So we started off with VDI.
Once we have transitioned to that, we will be migrating, or in the process of right now, our core claim system, which is our bread and butter, really. So we'll do a six-month plan on that, see how that goes, and then once that is successful, which I feel will be successful, we will migrate our entire infrastructure over. >> And you're happy with Nutanix so far? >> Yes. So the first deployment was Nutanix with Citrix and VMware. That entire combination, I've had a few consultants come in and they're like, oh, you've got the Ferrari of VDI. And I'm like, yes, we absolutely do. So, yes. >> When you're thinking about efficiencies, I mean, one of the things, before the cameras were rolling, you were talking a little bit about what it means for employees. Can you talk a little bit about how they then structure their day, how they structure which projects they work on, and how they are more productive given these different changes? >> Sure. So an organization like us, we are always challenged with guidelines changing from the state. They have a tendency to want to change things very frequently. So we often have a lot of critical projects that we're doing on an everyday basis, and that work really gets them consumed. And so what we're able to do with Nutanix is alleviate those responsibilities so that we can focus on the more critical, you know, impacting scenarios versus, you know, managing a LUN and moving a volume and making sure the system is up and running. We're really focused on providing care to our members, because our members are what count, and, you know, it also allows for, you know, a member to get the services that they need while they're sitting in the doctor's office waiting for a response from our organization. >> How's the ops world these days? Because there's so much tech out there.
When you look at the landscape, because you got, you got a unique situation, you got care and you got payments relying on this, so you don't have a lot of room for mistakes. Crap. What do you guys see in that? Operations suppliers out there, other people you looked at, what were some of the solutions, and why need Nutanix? >> So it actually took us a while to make that decision. We made a collaborative decision with our engineers, my CEO and some of our business units. We compared different technologies that were out in the landscape of both storage and hyperconverged. What was the right path for us? We did a very thorough cost analysis of five year, ten year, what that roadmap looks like for us. And, like you said, mistakes. We can't make mistakes. And with growing security risk in the healthcare industry and more people wanting that data, it's really important for us to protect it and have it secure. So Nutanix really offered us a lot of the key components that we were looking for in our grading system when we, you know, were looking for a storage solution. >> How's the event here? What's, what have you learned? Tell us your experience. Nutanix .NEXT. >> Sure. So coming to this event, I really thought that we would be looking into new technologies, what other integration, like typical conferences. I think, sitting in the initial keynote, I heard a lot of great positive things that are aligned with the industry, the buzzwords right now in technology, as well as our own roadmap for technology, going to the cloud, convergence, using multiple technologies for integration, so really kind of paved what this conference was going to be. In addition, I think the sessions having the tiered approach, of you can follow a pathway throughout the conference, was a brilliant idea and planning. So I think there's much to learn about how this conference was put on. So >> I want to ask you about your role as the director of operations. I mean, somewhere.
So you're hearing so much that these roles are really being dramatically transformed, that it's not just about keeping the lights on, it really is, you're taking a much more strategic role in the business. How would you say you approach your job differently? How would you say it has changed your leadership style? And how much time do you spend thinking about being more visionary, more forward thinking, versus this is what we're doing each day? >> Yeah, so I think historically, traditional technology departments and management within technology have really focused on technology only. Over the last several years, I've made it a point to learn our business units so that we can apply good technology to a good process. I'm a true believer in and advocate for our technology department and our staff to really know the business, so that we're not putting technology on a bad process, because that doesn't really help anyone to be successful. So I would say the shift in transition is being merged and converged, IT and business entity. As far as approach, getting the business to come uphill with us has been really important, not only for technology, for the underlying infrastructure, but systems today, systems, there's so much ability to customize it to your heart's content, which also leads to different issues. So using technology with business process to gain efficiencies is really the road that is ahead of us. >> One of the things that the senior execs at Nutanix talk about, their value proposition's about, you know, helping consolidate a little bit. Here is one of the side benefits. But there's a new role in the kind of looking for spent the new kind of persona person with Nutanix solution is a new kind of operator. Yes. What? What? What do you think he means by that?
>> So I really think it means, and I had this challenge internally, actually, as, you know, we have a lot of technical engineers that have grown up with the mentality that I have to know everything about this one silo topic, right? I need to be the expert in this. And really, where we're going is, you don't have to worry about that. I need you to know about the business. I need you to know about how you can make change, inefficiencies, to help us be successful. And that is a transition for a lot of technologists. And we will get there. I truly believe that, because we have to. >> It's a cultural thing. >> It is definitely a culture >> of an old dog. New tricks? Kind of >> Yes, absolutely. How do you hire? I mean, look, what's weirder that what air to you? An applicant comes into your office. What do you want to see? >> So technology has historically been the focus of, what do you know? How well can you do it? To what experience? You have enterprise-grade level experience, and now that's really shifting to, are you able to participate on a project? Can you build requirements? Do you understand what your customer's asking for? As well as asking the questions of, is this the right thing to do? Not just doing what our customer asked us to do. Does it make sense? If we're going to archive data, do we need to secure it when we're transferring that in and out of the organization? Does that make sense? And so we're looking for people that are going to be outspoken a little bit and ask those hard questions. >> Now, we always talk about ransomware because healthcare's been targeted. You mentioned security earlier. Thinking broadly, you got data, yes, got the crown jewels, bread and butter, as you said, the data. Have you experienced ransomware? You guys ready for it? What's the strategy? >> So we've actually taken a layered approach to security. Obviously, in health care, there is no single pane of glass for security.
We've really stepped into the world of having our data encrypted at rest, in transit, multi layers. We do audits every year to make sure that we're compliant. We pay people to try to hack us, you know, legally, because we want to know where our possibilities are. So we do that purposefully, with intent, to make sure that we have the technologies in place that are going to provide us what we need for our data. >> Fascinating. Victoria, thank you so much for coming on the Cube. It was a pleasure having you. Thank you. I'm Rebecca Knight for John Furrier. You are watching the Cube.
Daniel Bernard, SentinelOne & Bassil Habib, Tri City | Fortinet Accelerate 2018
(techno music) [Announcer] Live from Las Vegas, it's the Cube! Covering Fortinet Accelerate 18. Brought to you by Fortinet. >> Welcome back to the Cube's continuing coverage of Fortinet Accelerate 2018. I'm Lisa Martin, joined by my cohost Peter Burris, and we have a very cozy set. Right now, I'd like to introduce you to our next guests, Daniel Bernard, the vice-president of business development for SentinelOne, and Bassil Habib, you are the IT director at Tri City Foods. Gentlemen, welcome to the Cube. >> Great to be here, thanks. >> We're excited to have you guys here. So first, Daniel, first question to you. Tell us about SentinelOne, what's your role there, and how does SentinelOne partner with Fortinet? >> Sure, I run technology integrations and alliances. SentinelOne is a next generation endpoint protection platform company, where we converge EPP and EDR into one agent that operates autonomously. So whether it's connected to the internet or not, we don't rely on a cloud-delivered solution. It works just as well online and offline. And we're there to disrupt the legacy AV players that have been in this market for 25 years with technology driven by artificial intelligence to map every part of the threat life cycle to specific AI capabilities, so we can stop attacks before they even occur. >> And your partnership with Fortinet, this is your first Accelerate, so talk to us about the duration of that partnership and what is differentiating-- >> Yeah. >> Lisa: For you. >> It's great to be here at Accelerate and also to work with Fortinet. We've been working with them for about a year and a half, and we're proud members of the Fortinet Security Fabric. What it means to us is that for enterprises, like Tri City Foods that we'll talk about, a defense-in-depth approach is really the way to go. Fortinet, leading edge network security solutions. We have a very meaningful and exciting opportunity to work with Fortinet, given the breadth of our APIs.
We have over 250 APIs, the most of any endpoint solution out there on the market. So the things we can enable within Fortinet's broad stack is really powerful. Fortinet has a lot of customers, a lot of endpoints in their environments to protect. So we're proud to partner with Fortinet to help go after those accounts together, to not only go into those accounts ourselves but also strengthen the security that Fortinet is able to offer their customers as well. >> If we can pivot on that for just a second. How do you-- how does SentinelOne help strengthen, for example, some of the announcements that came out from Fortinet this morning about the Security Fabric? How do you give an advantage to Fortinet? >> Sure. So where we come in is, we sit at the endpoint level and we're able to bring a lot of different pieces of intelligence to core and critical Fortinet assets. For example, with the Fortinet connector that we are going to be releasing tomorrow, so a little sneak peek on that right here on the Cube, the endpoint intelligence is actually, through API to API connections, able to go immediately into FortiSandbox and then be pushed to FortiGate. And that's in real time. So, whether an endpoint is inside of a network or running around somewhere in the world, whether it's online or offline, a detection and a conviction we make through the SentinelOne client and the agent that actually sits on the endpoint, all of a sudden is able to enrich and make every single endpoint inside of a Fortinet network much smarter and prone and also immune from attacks before they even occur. >> So as you think about that, how does it translate into a company like Tri City, which has a large number of franchises, typically without a lot of expertise in those franchises to do complex IT security, but still very crucial data that has to be maintained and propagated? >> Well, from Tri City's perspective, we look into security environment.
And when you look into the Security Fabric between Fortinet and SentinelOne, that really helps us out a great deal. By looking into automating some of these processes, mitigating some of these threats, that integration and the zero-day attack that can be prevented, that really helps us out day one. >> So tell us a little bit about Tri City. >> Well, Tri City Foods is basically the second largest franchisee for Burger King. We currently have approximately about 500 locations. Everybody thinks about Burger King as just the, you know, you go purchase a Whopper. But nobody knows about all of the technology that goes in the back end in order to support that environment. You look into it, you got the point of sale, taking your credit card transaction, you got your digital menu board, you got all of the items in the back end, the drive-through. And we support all of those devices and we ensure that all of these are working properly and operating efficiently. So if one of these devices is not functioning, that all goes down. The other thing we do is basically we need to ensure that the security is up, most important for us. We're processing credit card transactions, we cannot afford to have any kind of issue to the environment. And this is, again, this is where SentinelOne comes into the picture, where all of our devices down there are protected with the solution, as well as protecting the assets with Fortinet security. >> So I hear big environment complexity. Tell us about the evolution of security in your environment. You mention SentinelOne, but how has that evolved as you have to, you said so many different endpoints that are vulnerable and there's personal information. Tell us about this evolution that you helped drive. >> The issue I put an end to when I first started on that is, we had the traditional antivirus. We had traditional antivirus, it's just basically protecting what it knows about, it did not protect anything that is zero-day.
We got in a head to a couple ransomwares, which we are not willing to take any chances with the environment. That evolution came through as, no, we cannot afford to have these types of systems be taken down or be compromised. And we do like to assure the security of our clients. So this is, again, this is where we decided to go into the next-gen endpoint protection, ensuring the uptime and the security of the environment. >> But very importantly, you also don't have the opportunity to hire really, really expensive talent in the store to make sure that the store is digitally secure. Talk a little bit about what Daniel was talking about, relative to AI, automation, and some of the other features that you're looking for as you ensure security in those locations. >> The process to go down there is basically, we cannot expect everybody to understand security. So in order-- >> That's a good bet! (laughing) >> So in order to make-- >> While we're all here! >> That's right! >> So in order to make it easy for everybody to process the solutions, it's best if we have to simplify as much as possible. We need to make sure it's zero touch, we need to make sure that it works all the time, irrelevant to if you are on the network or off the network. We needed to make sure that it's reliable and it works without any compromise. >> And very importantly, it's multimodal, right? It can be online, offline, you can have a variety of different operator characteristics, centralized, more regional. Is that all accurate? >> Multi-tenant, on-prem. >> Definitely. With every location, you got your local users, you have your managers, the district managers, they are mobile. These are mobile users that we have to protect. And in order to protect them we need to make sure that they are protected offline as well as online. And again, the SentinelOne client basically provided that security for us. It is always on, it's available offline, and it's preventing a lot of malware from coming in.
>> Talk to us about, kind of the reduction in complexity and visibility. 'Cause I'm hearing that visibility is probably a key capability that you now have achieved across a pretty big environment. >> Correct. So, before with the traditional antivirus, you got on-prem solution. On-prem solution, in order to see that visibility, you have to be logged in, you have to be able to access that solution, you have to be pushing application updates, signature updates, it's very static. Moving into SentinelOne, it's a successful solution. I don't have to touch anything, basically everything works in the background. We update the backend and just the clients get pushed, the updates get pushed, and it's protected. I only have one engineer basically looking after the solution. Which is great in this environment. Because again, everywhere you go, up access is a big problem. So in order to reduce the cost, we need to make sure that we have that automation in place. We need to make sure that everything works with minimal intervention. That issues were mitigated dynamically without having any physical intervention to it. And this is where the solution came in handy. >> So I'm hearing some really strong positive business outcomes. If we can kind of shift, Daniel, back to you. This is a great testimonial for how a business is continuing to evolve and grow at the speed and scale that consumers are demanding. Tell us a little bit on the SentinelOne side about some of the announcements that Fortinet has made today. For example, the Security Fabric, as well as what they announced with AI. How is that going to help your partnership and help companies like Tri City Foods and others achieve the visibility and the security that they need, at that scale and speed that they demand. >> Yeah I think Fortinet has very progressive approach when it comes to every part of their stack. 
What we see with the Fortinet Security Fabric is a real desire to work with best of breed vendors and bring in their capabilities so that customers can still utilize all the different pieces of what Fortinet offers, whether it be FortiGate, FortiSandbox, FortiMail, all these different fantastic products but complement those products and enrich them with all these other great vendors here on the floor. And what we heard from Basil is what we hear from our other 2000 customers, these themes of we need something that's simple. With two people on the team, you can easily spend all your time just logging into every single console. Fortinet brings that light so seamlessly in their stack 20, 30 products that are able to be easily managed. But if you don't partner with a vendor like Fortinet or SentinelOne and you're going into all these different products all day long, there's no time to actually do anything with that data. I think the problem in cyber security today is really one of data overload. What do you do with all this data? You need something that's going to be autonomous and work online and offline but also bring in this level of automation to connect all these different pieces of a security ecosystem together to make what Fortinet has very nicely labeled a Security Fabric. And that's what I believe is what's going inside Basil's environment, that's what we see in our 2000 customers and hopefully that's something that all of Fortinet's customers can benefit from. >> Basil, one of the many things that people think about is they associate digital transformation with larger businesses. Now, Tri City Food is not a small business, 500 Burger King franchises is a pretty sizable business, when you come right down to it. But how is SentinelOne, Fortinet facilitating changes in the in-store experience? Digital changes in the in-store experience? 
Are there things that you can now think about doing as a consequence of bringing this endpoint security into the store, in an automated, facile, simple way that you couldn't think about before? >> Actually yes, by using the Fortinet platform we deployed the FortiAPs. We have the FortiManager, we're looking into, basically, trying to manage and push all of the guest services, to provide guest services. Before we had to touch a lot of different devices, right now it's just two click of a button and I'm able to provide that SSID to all of my stores. We're able to change the security settings with basically couple clicks. We don't have to go and manage 500 locations. I'm only managing a single platform and FortiManager, for instance, or FortiCloud. So this is very progressive for us. Again, when you're working with a small staff, the more automation and the more management you can do on the backend to simplify the environment, as well as providing the required security is a big plus for us. >> There's some key features that we've brought to market to help teams like Basil's. A couple ones that come to mind, our deep visibility capability where you can actually see into encrypted traffic directly from the endpoint, without any changes in network topography. That's something that's pretty groundbreaking. We're the only endpoint technology to actually do that, where you can actually threat hunt for IOCs and look around and see 70 percent of traffic's encrypted today and that number is rising. You can actually see into all that traffic and look for specific data points. That's a really good example, where you can turn what you used to have to go to a very high level of SOC analyst and you can have anybody actually benefit from a tool like that. 
The other one that comes to mind is our rollback capability, where if something does get through or we're just operating in EDR mode, by customer choice, you can actually completely rollback a system to the previously noninfected, nonencrypted state directly from that central location. So whether that person is on an island or in Bermuda, or sitting in a store somewhere, if a system is compromised you don't need to re-image it anymore. You can just click rollback and within 90 seconds it's back to where it was before. So, the time savings we can drive is really the key value proposition from a business outcome standpoint because you need all these different check boxes and more than check boxes, but frankly there's just not the people and the hours in the day to do it all. >> So, you said time savings affects maybe resource allocation. I'm wondering in terms of leveraging what you've established from a security standpoint as differentiation as Tri City is looking to grow and expand. Tell us a little bit about how this is a differentiator for your business, compared to your competition. >> I cannot speak to the competition. (all laughs) What I can speak to is, again, the differentiator for us as Daniel mentioned is basically, again, the automation pieces, the rollback features. The minimizing the threat analyses into the environment. All these features basically is going to make us more available for our customers, the environment is going to be secure and customers will be more than welcome to come into us and they know that they're coming in their information is secure and they're not going to be compromised. >> Well are you able to set up stores faster? Are you able to, as you've said, roll out changes faster? So you do get that common kind of view of things. >> We're at zero zero breach. >> We're at zero zero breach yes. So, basically, in order through a lot faster, we do it lock the source faster. 
We basically, with the zero touch deployment, that Fortinet is offering, basically send the device to the store, bring it online and it's functional. We just push it out the door and it's operational. With the SentinelOne platform, push the client to the store and set it and forget it. That is basically the best solution that we ever deployed. >> Set it and forget it. >> I like that. >> Set it and forget it. >> That's why you look so relaxed. (laughs) >> I can sleep at night. (all laugh) >> That's what we want to hear. >> Exactly. So Daniel, last question to you, this is your first Accelerate? >> It is our first Accelerate. >> Tell us about what excites you about being here? What are some of the things that you've heard and what are you excited about going forward in 2018 with this partnership? >> Yeah, well as we launch our Fortinet connector tomorrow, what really excites me about being here is the huge partner and customer base that Fortinet has built over the last 20 years. Customers and partners that have not only bought the first time, but they're in it to win it with Fortinet. And that's what we are too. I'm excited about the year ahead and enabling people like Basil to be able to sleep on the weekends because they can stitch their security solutions together in a meaningful way with best of breed technologies and we're honored to be part of that Fortinet Security Fabric for that very reason. >> Well gentlemen thank you both so much for taking the time to chat with us today and share your story at Accelerate 2018. >> Thanks a lot. >> Thank you. >> For this cozy panel up here, I'm Lisa Martin my cohost with the Cube is Peter Burris. You're watching us live at Fortinet Accelerate 2018. Stick around we will be right back. (techno music)
ENTITIES
Entity | Category | Confidence |
---|---|---|
Fortinet | ORGANIZATION | 0.99+ |
Lisa Martin | PERSON | 0.99+ |
Peter Burris | PERSON | 0.99+ |
Burger King | ORGANIZATION | 0.99+ |
Tri City | ORGANIZATION | 0.99+ |
Daniel Bernard | PERSON | 0.99+ |
Basil Habib | PERSON | 0.99+ |
Lisa | PERSON | 0.99+ |
Daniel | PERSON | 0.99+ |
25 years | QUANTITY | 0.99+ |
Tri City Foods | ORGANIZATION | 0.99+ |
Tri City Food | ORGANIZATION | 0.99+ |
Bermuda | LOCATION | 0.99+ |
70 percent | QUANTITY | 0.99+ |
Las Vegas | LOCATION | 0.99+ |
Accelerate | ORGANIZATION | 0.99+ |
2018 | DATE | 0.99+ |
SentinelOne | ORGANIZATION | 0.99+ |
two people | QUANTITY | 0.99+ |
500 locations | QUANTITY | 0.99+ |
first | QUANTITY | 0.99+ |
first time | QUANTITY | 0.99+ |
two click | QUANTITY | 0.99+ |
today | DATE | 0.98+ |
FortiManager | TITLE | 0.98+ |
first question | QUANTITY | 0.98+ |
over 250 APIs | QUANTITY | 0.98+ |
tomorrow | DATE | 0.98+ |
one engineer | QUANTITY | 0.98+ |
2000 customers | QUANTITY | 0.98+ |
zero | QUANTITY | 0.98+ |
Basil | ORGANIZATION | 0.97+ |
about a year and a half | QUANTITY | 0.97+ |
both | QUANTITY | 0.97+ |
first Accelerate | QUANTITY | 0.97+ |
one agent | QUANTITY | 0.97+ |
Bassil Habib | PERSON | 0.96+ |
90 seconds | QUANTITY | 0.96+ |
one | QUANTITY | 0.96+ |
30 products | QUANTITY | 0.95+ |
FortiCloud | TITLE | 0.95+ |
approximately about 500 locations | QUANTITY | 0.95+ |
Whopper | ORGANIZATION | 0.95+ |
stack 20 | QUANTITY | 0.94+ |