Aamir Lakhani, Fortinet | CUBE Conversation Jan 2018
(dramatic music)

>> Hi I'm Peter Burris with Wikibon, and welcome to this Cube conversation with Fortinet's Aamir Lakhani. Aamir's a world renowned cyber security expert, and lead researcher at Fortinet. And is known in the blackout world as Dr. Chaos. Aamir, thanks very much for joining us today.

>> Ah, thank you, glad to be here.

>> So, I'm in our Palo Alto studios, Aamir's in Houston, Texas. Aamir how did we move from a world where the issues associated with cyber security were really pertinent and relevant to a few, to an increasing emphasis across business and the concerns about cyber security. And how is that expertise becoming increasingly relevant to business today?

>> Wow, that's a, that's a very interesting question. You know, the best I can say is it's a brave new world today. I mean if you think about it today, everything is connected and interconnected to the net. From our homes, to our cars, to our TVs. It's a smart world as everyone says. And because of that there's a lot of opportunity, not only to be connected, but also, a lot of opportunity for attackers to exploit systems. Use these systems as launching pads to gain access to more important information. And we're seeing that all over the place. You know, when I started off my career, it used to be that security experts were really the guys that knew how to configure the vendor boxes. The best that they knew how to. They got the certifications from the vendors. They had the best practices from the vendors. And somewhere along the line, someone realized that, hey, it's going to be a good idea to actually test the security, and pretend like we're the bad guys. And that's where the evolution of I think, penetration testing as well as a red team and offensive security came into play. Where the good guys are now actually writing bad code trying to be the hackers. And trying to guess what the hackers are going to do, before they even do it. And I think that's where we're at today.
And the reason we're there is, there's a lot of opportunity with a lot of devices everywhere that's interconnected.

>> So, in many respects we've moved from a world where security was a feature of the products we purchased to where today, security really is an asset. And it's an asset that the external world, especially the bad guys, are constantly trying to erode for the business. We've seen some actual resources emerge in the cyber security world. Like the dark net, for example, that is, has many purposes, it might be used in certain countries as a way of circumnavigating limitations on privacy, or access to different sources of information. But it's clearly also being used by nefarious individuals to at least, plan and set up nefarious acts. Take us through the role that the dark net is playing today in the changing landscape of cyber security.

>> Exactly, and the first thing to explain is the dark net is almost the media term. Because, it means a variety of different things. First of all, in its most basic form, what it means is, it's all the information that Google doesn't have, that you can't do a Google search for. And that could include, you know, ISPs, it could include forums. But what most people talk about when they talk about the dark net is, what we call the Tor network. Or the onion routing network. Which is, basically, a specialized network that you need specialized software to gain access to. And you need to know where to go. It's not just, you know, Google search for something. You actually have to have places that you need to go to. That really is today, what is the dark net. Now there are other aspects to the dark net. There's other peer to peer networks. But really it's a hidden network. And that's kind of the evolution of the dark net.

>> So, if we think about the role that the dark net's playing.
It's not so much the business itself will operate on the dark net, but it needs, at some point in time, visibility into some of the activities that are being performed on the dark net. Because dark net activities turn into surface net problems for enterprises, if they're not smart about their cyber security practices, policies and approaches. Tell us a little bit about some of the manifestations of dark net activities that are hidden, that suddenly become hidden when you don't want them to. And manifest themselves as cyber security problems.

>> Exactly, one of the things that we have on the dark net is this concept called ghost markets. And what a ghost market is, think about black market. But a black market, you know, sells goods, and services that could be illegal. A ghost market is very similar, except that it's a very I would say transparent, or it could be a market that may not be up for a long time. It could be here one day, and it could disappear the next day. And that's why it's called a ghost market. Now, what you find on these ghost markets, one of the more popular ghost markets, that was in the media was Silk Roads. You essentially can find anything you want. Now most of the time they're selling illegal drugs. Anything you can think of. But there's other things that they sell on ghost markets as well, such as, exploit kits, cyber zero day attacks, credit cards, a lot of credit cards, account numbers. Account passwords for anything you can think of. Like Netflix, or HBO, or anything that's out there. And on top of that, there's a lot of forums that hackers participate in. You know sometimes a hacker may say, "Hey, I'm just interested in learning how to create ransomware, how do I create ransomware?" And someone will say, "Well, this is how you do it. This is a ransomware kit. Oh, by the way, I can create ransomware for you. And charge you some money." And other times, hackers are very specific.
They're like, "I really don't like company ABC dot com, I want to attack them, can anyone help me?" And you will find intelligence based on that. You know, we monitor companies all the time. And we know sometimes before they're going to get attacked. Because there's a lot of chatter on the dark net about that.

>> So, we have this dark net in which individuals could be anonymous. And that anonymity buys them the opportunity to do some, again, bad things. But you mentioned something interesting, this notion of a ghost market. All markets feature some sort of mechanism for actually handling transactions, for remunerating exchanges. Money. But money is not an honest, at least not with credit cards. How are some of the cryptocurrencies playing a role here in mediating these exchanges in the dark net? Let's start there, and then we'll get into some other factors associated with cryptocurrencies. And how they are important enterprises. Let's start with that one.

>> Yeah, so first, you're right, you know, everyone wants to buy and sell something off the dark net. And at first when this was first coming into play, these ghost markets, back in the day people used to use things like gift cards, and re-loaded cards, and web money. And, you know, those things really didn't last. And really what exploded on the dark net what became the de facto currency on the dark net was Bitcoins, and that's how people started transacting with Bitcoins and it, in my opinion, my personal opinion, I think that's one of the reasons why Bitcoins really took off. Now Bitcoins unlike popular belief, they're not really anonymous, there is a public ledger. That keeps track of all the transactions taking place. So, there are other cryptocurrencies that are coming into play that are more anonymous. Monero, for example, is not a new cryptocurrency. But it's a popular cryptocurrency that's coming into play in the dark market.
In fact, one of the largest dark markets, ghost markets, today called the Dream Market on the dark net, announced that they're going to start accepting Monero. So, because of that, I personally believe Monero's going to start like gaining more and more popularity. Because now the bad guys, now the criminals are actually using it, it's worth value to them, and they're going to start exchanging information. And of course, with these cryptocurrencies, you can always take it to some sort of exchange, and you can also launder these currencies. And maybe even trade it in for real cash.

>> So, many people talk about the need to expect the best, but plan for the worst. And a lot of enterprises today need to start to being more planful about what to do in the event that they encounter a problem. So, for example, some of their data gets stolen, and they end up with some ransomware. That leads the acid question, should firms actually start thinking about creating reserves of some of these currencies? Should they find themselves being attacked?

>> You know, so, first of all, I do think it makes sense for firms to at least understand, you know, how cryptocurrency works. Now, I would never promote a, you know, suggest that firms pay a ransom in any type of manner. Because, obviously, it just encourages, and drives the cyber criminal underground. And we've seen that. In fact, in these forums, in these dark net forums, there are attackers out there that say, "Hey, I've attacked this firm, or I've targeted this industry, and they're well known to pay, so let's go after them." The healthcare industry is a good example of that. Obviously, for various reasons the healthcare industry can take very little downtime. I mean, there's medical, you know, concerns people's lives, and concerns. So, generally they've been known to pay for ransomware. And that's documented all over the dark web. So, people actually encourage attackers, encourage those attackers to go after their healthcare.
Just getting back to your question. You know, one of the last things that you want be in a situation is, you don't ever want to be in the situation where you have to, come up, and understand how cryptocurrencies works, and try and learn it on the fly, while your, you know, while your entire systems are down. While your networks are being held hostage. So, for that reason I would absolutely recommend at least to my customers, hey, learn about cryptocurrency. How it works, what the upside, and what the bad side is. Obviously, in today's market, there's a lot of volatility in cryptocurrency because, you know, it's not being held, or created like currencies, it's being held more like a resource, like gold. You know, people are investing into it. It's becoming, you know, something like this dark market of futures. And, but I think customers need to, and the general public probably needs to learn about how exactly that works. Because there's a lot of misconceptions in cryptocurrency today.

>> So, you mentioned that perhaps they shouldn't have a reserve of cryptocurrency, because we don't want to encourage anybody to pay for it. Once you pay you've put a target on your back as someone who's willing to pay. But you also mentioned that firms have to learn something about cryptocurrencies, in advance of actually having a problem. What is a good high quality, world class stance for enterprise relative to cryptocurrency? What are the say, the two or three points that you would suggest, a CEO, board of directors, worry about, and what do they need to really understand now as part of their cryptocurrency stance, what do you think?

>> Well, for a cryptocurrency specifically, I think, you know, businesses really need to understand the volatility of it. You know, it is a face, face currency. You know, what does that exactly mean? Who's backing that up? You know, how does it, how does it, you know, drive its value, I think those are very important questions.
You know, I do have, you know, clients that actually do hold a very large reserves of cryptocurrency for various reasons. Not only for cyber security reasons. But also, potentially, for investment reasons as well. And that's getting into a whole another world. But I think they need to understand what that really means. But being on those, you know, let's take it back to the cyber aspect of things. One of the things that attackers do concentrate on is attacking cryptocurrency wallets. If you can attack a wallet, and steal the actual cryptocurrency that's obviously worth money to them. A lot of businesses that do invest in cryptocurrency, or, you know, have any type of cryptocurrency holdings really don't understand how to secure their wallets. Sometimes they use the online methods, which are fine. I mean you are relying on, on the online provider, or the Cloud provider that's providing that wallet. Or other customers that do understand details on cryptocurrency make, keep complete offline wallets. Remember, a cryptocurrency is basically a math algorithm, it's a hash, it's a set of numbers. It doesn't matter if it's really digital online, or if it's stored on a piece of paper in your draw. As long as you have that number you have that cryptocurrency. And so, it's a, I think when you're getting into the dynamics of money, and how it works it's always a little interesting. But I want to stress to you, you know, it's very common for people not to understand how to store cryptocurrency and get those wallets stolen, or hijacked, and once that's done, it's gone. It's like cash, you're not going to get that back.

>> So, we've talked a little bit about how we got to this point today with cyber security, and how it's becoming, while still very specialized and highly technical, more, and more people have to be, at least, be aware of it. So that they can act rapidly, and properly when they encounter a problem. Look forward the next few years Aamir.
And give us some visibility into where you think the cyber security world's going to be? How is this going to play out? If we think about 2020, 2021?

>> Wow, that's a loaded question. You know, to keep in the context of this talk. You know, we spoke a little bit about the dark net. And, you know, it's an evolving marketplace, and maybe the dark net was responsible for a little bit of the ignition behind cryptocurrencies. And I think cryptocurrencies, a good thing that came out of it was the blockchain, this public ledger. On basically keeping transactions public, while keeping identities anonymous. I think the blockchain is very powerful even outside of cryptocurrencies. When you're talking about sharing medical information, and research, and actually talking about verifying things, or making a smart contract. A smart contract is basically, a contract that will automatically execute on the Internet, based after certain conditions are met. I think based on those technologies, you know, we're going to see some sort of an evolution of how, you know how security, how cyber security, and technology is really being integrated into our everyday lives. And I know people say, "Well it's already integrated into our everyday lives." But I don't think you've seen anything yet. I mean I think that cyber security is going to be part of the ecosystem. It's not going to be a bolt on product. It's going to have to be built in from day one. From design, and everything that we do. Whether it's from heart monitors, and heart pumps, to your smart TVs, to of course, your computers, and data centers.

>> So, last question, Aamir, we had, or I introduced the segment by talking about how security used to be a feature of different products, and you mentioned this as well, and increasingly it's becoming an asset, a crucial asset of the business. Now, some companies are a little bit more orientated towards that perspective than others.
Fortinet, for example, I would argue is very strong on the orientation towards the idea that you have to, that security should be an asset. You have to invest in that appropriately. But identify some things that CIOs, CSOs, CDOs, can do to try to up level the stance within the business of security as an asset. That combines both technology, but also practice processes, and people.

>> Right, no, that's a good point. You know, you cannot think of security just as a bolt on technology. I think that's very important. You know, one of things that we do at Fortinet. It's a practice that we preach. And I think a lot of professionals would agree with this. Is that security has to be built all around your ecosystem. That all your devices just can't be specialized add on products. All your devices have to be participating in security. You know, that's why at Fortinet we have what we call our security fabric. Where it's not only our products. But other products as well, are continuously sharing information about blocking attacks. And blocking threats, as well as providing visibility into corporations. And I think corporations kind of miss that sometimes. They're like, "Hey, I bought a product, I should be good, right?" But they don't really understand what that product does. The effectiveness of that product. How well is it actually blocking the threats. And what is it not doing. What are the questions that you should be asking about the product, or about the environment that you don't know about. And I think once you start building security as a fabric embedded into an ecosystem, embedded into your business practices, right from everything. From, you know, from your charter, from your board of directors understanding, you know, cyber security all the way down to the secretary that's opening up email links. Understanding that, hey, I could be actually putting my company and my business at risk. I think once you've started instilling that mindset, you become more successful.
>> Well it's more than just--

>> You know--

>> It's more than just the technology. It's also you. How does, how do people like you, how does your insight, your expertise, your content get distributed and adopted as a consequence of relationships at Fortinet. And obviously others as well?

>> Yeah, I mean, I'm really lucky. Our team of researchers, 200 plus researchers, looking for the most common threats. The most updated techniques that the hackers, that the bad guys, that cyber criminals are using. We're examining threats across the board. From everything that you hear on the news. We're on top of it. And the nice thing is, we digest all of that information, and we look at the inner workings of that information. And then we use advanced technologies. Such as artificial intelligence, neural networks, or just a, good old grease work on figuring how to stop these attacks. And that brainpower, that trust that we have, gets actually digested into all the products. And that's very important. Now on top of just being smart guys that create good technology to stop that, we definitely believe that, you know, sharing is caring. And that's why we work with not only government agencies, not only with large businesses, but we also work with, I would say even our competitors, and tell them right away, "Hey, you know, we." When we see a problem, "You guys, look out for this problem. This could be a big deal. This could even affect your customers." And that's one of the reasons Fortinet was one of the founding members of the Cyber Threat Alliance which is a lot of security vendors sharing information about threats, and letting the technology speak for itself.

>> And a lot of very savvy large enterprises that have a major stake to play in security world as well, again, successfully sharing their insight. Because security as you said, it's a team sport. It takes a village, to secure a business. I guess you could say. Aamir Lakhani, lead researcher, Dr.
Chaos thanks very much for joining us in this Cube conversation about cyber security, the dark net, cryptocurrencies. And some of the things that businesses have to worry about as they move forward, and increase their activity. And their dependency on digital technologies. Once again, this is Peter Burris, Wikibon. I've been speaking with Aamir Lakhani at Fortinet. Hope you enjoyed this Cube conversation.

>> Aamir: Thanks.

(dramatic music)