Thomas Bienkowski, Netscout |Netscout Advanced NPR Panel 7 22


 

>>EDR, NDR: what are the differences, which one's better? Are they better together? Today's security stack contains a lot of different tools and types of data and unfortunately, as you know, this creates data silos, which leads to visibility gaps. EDR is endpoint detection and response. It's designed to monitor and mitigate endpoint attacks, which are typically focused on computers and servers. NDR, network detection and response, on the other hand, monitors network traffic to gain visibility into potential or active cyber threats, delivering real time visibility across the broader network. One of the biggest advantages that NDR has over EDR is that bad actors can hide or manipulate endpoint data pretty easily. Network data, on the other hand, much harder to manipulate. Because attackers and malware can avoid detection at the endpoint, NDR, as you're gonna hear, is the only real source for reliable, accurate, and comprehensive data.

>>All endpoints use the network to communicate, which makes your network data the ultimate source of truth. My name is Lisa Martin, and today on the special CUBE presentation, Tom Bienkowski, senior director of product marketing at Netscout, and I are gonna explore the trends and the vital reasons why relying upon EDR is not quite enough. We're also gonna share with you the growing importance of advanced NDR. Welcome to the series, The Growing Importance of Advanced NDR. In the first segment, Tom's gonna talk with me about the trends that are driving enterprise security teams to implement multiple cyber security solutions that enable greater visibility, greater protection. We're also gonna explore Gartner's concept of the security operations center, SOC visibility triad, and the three main data sources for visibility, SIEM, EDR and NDR. In segment two, Tom.
And I will talk about the role of NDR and how it overcomes the challenges of EDR. As Tom's gonna discuss, as you'll hear, EDR is absolutely needed, but as he will explain, it can't be solely relied upon for comprehensive cybersecurity. And then finally, we'll come back for a third and final segment to discuss why not all NDR is created equal. Tom's gonna unpack the features and the capabilities that are most important when choosing an NDR solution. Let's do this. Here comes our first segment.

>>Hey, everyone, kicking things off. This is segment one. I'm Lisa Martin with Tom Bienkowski, senior director of product marketing at Netscout. Welcome to The Growing Importance of Advanced NDR. Tom, great to have you on the program.

>>Glad to be here.

>>So we're gonna be talking about the trends that are driving enterprise security teams to implement multiple cyber security solutions that really enable greater visibility and protection. And there are a number of factors that continue to expand the attack surface for enterprise networks. I always like to think of them as kind of the spreading amorphously. You shared, had shared some stats with me previously, Tom, some cloud adoption stats for 2022: 94% of all enterprises today use a cloud service and more than 60% of all corporate data is stored in the cloud. So, Tom, what are some of the key trends that Netscout is seeing in the market with respect to this?

>>Yeah, so just to continue that, you know, those stats that, that migration of workloads to the cloud is a major trend that we're seeing, and that was exasperated by the pandemic, right, along with working from home. Those two things are probably the most dramatic changes that we we see out there today. But along with that is also this growing sophistication of the network, you know, today, you know, your network environment isn't a simple hub and spoke or something like that.
It is a very sophisticated combination of, you know, high speed backbones, potentially up to a hundred gigabits, combination with partner networks. You have, like we said, workloads up in, in private clouds, public clouds. So you have this hybrid cloud environment. So, and then you have applications that are multi-tiered, there are pieces and parts. And in all of that, some on your premise, some up in a private cloud, some on a public cloud, some actually pulling data off when you a customer network or potentially even a, a partner network. So really, really sophisticated environment today. And that's requiring this need for very comprehensive network visibility, not only for, for cybersecurity purposes, but also just to make sure that those applications and networks are performing as you have designed them.

>>So when it comes to gaining visibility into cyber threats, I, you talked about the, the sophistication and it sounds like even the complexity of these networks. Gartner introduced the concept of the security operations visibility triad, or the SOC visibility triad. Break that down for us. It consists of three main data sources, but to break those three main data sources down for us.

>>Sure. So Gartner came out a few years ago where they were trying to, you know, summarize where do security operations team get visibility into threats, and they put together a triad, and the three sides of the triad consists of one, the SIEM, security information event manager, two, the endpoint or, or data that you get from EDR systems, endpoint detection, response systems. And the third side is the network or the data you get from network detection, response systems. And, you know, they didn't necessarily say one is better than the other. They basically said that you need all three in order to have comprehensive visibility for cybersecurity purposes.

>>So talk, so all, all three perspectives are needed.
Talk about what each provides. What are the different perspectives on threat detection and remediation?

>>Yeah. So let's start with the SIEM, you know, that is a device that is gathering alerts or logs from all kinds of different devices all over your network. Be it routers, servers, you know, firewalls, IDS, or even from endpoint detection and network detection devices too. So it is, it is the aggregator or consumer of all those alerts. The SIEM is trying to correlate those alerts across all those different data sources and, and trying to the best it can to bubble up potentially the highest priority alerts or drawing correlations and, and, and, and giving you some guidance on, Hey, here's something that we think is, is really of importance or high priority. Here's some information that we have across these disparate data sources. Now go investigate. The disadvantage of the SIEM is that's all it gives you, is just these logs or, or, or information. It doesn't give you any further context.

>>Like what happened, what is really happening at the end point? Can I get visibility into the, into the files that were potentially manipulated or the, the registry setting or what, what happened on the network? And I get visibility into the packet data or things like that. It that's, so that's where it ends. And, and that's where the, so the other two sides of the equation come in. The endpoint will give you that deeper visibility, endpoint detection response. It will look for known and or unknown threats, you know, at that endpoint, it'll give you all kinds of additional information that is occurring in endpoint, whether it be a registry setting, in memory, on the file, et cetera. But you know, one of, some of its disadvantages, it's really difficult because really difficult to deploy pervasive because it requires an agent and, you know, not all devices can accept an agent, but what it miss, what is lacking is the context on the network.
>>So if I was an analyst and I started pursuing from my SIEM, I went down to the end point and, and said, I wanna investigate this further. And I hit a, I hit a dead end from some sort, or I realize that the device that's potentially I should be alerted to, or should be concerned about is an IoT device that doesn't even have an agent on it. My next source of visibility is on the network and that's where NDR comes in. It, it sees what's traversing the entire network, provides you visibility into that from both a metadata and even a ultimately a packet perspective. And maybe, you know, could be deployed a little bit more strategically, but you know, it doesn't have the perspective of the endpoint. So you can see how each of these sort of complements each other. And that's why, you know, Gartner said that, that you need 'em all, then they all play a role. They all have their pros and cons or advantage and disadvantages, but, you know, bringing them and using 'em together is, is the key.

>>I wanna kinda dig into some of the, the EDR gaps and challenges, as you talked about as, as the things evolve and change, the network environment's becoming far more sophisticated and as well as threat actors are, and malware is. So can you crack that open more on some of the challenges that EDR is presenting? What are some of those gaps and how can organizations use other, other, other data sources to solve them?

>>Yeah, sure. So, you know, again, just be clear that EDR is absolutely required, right?
We, we need that, but as sort of these network environments get more complex, are you getting all kinds of new devices being put on the network that devices being brought into the network that maybe you didn't know of, BYOD devices. You have IoT devices, you know, popping up potentially by the thousands in, in, in some cases when new applications or world that maybe can't accept an and endpoint detection or an EDR agent. You may have environments like ICS and SCADA environments that just, you can't put an endpoint agent there. However, those devices can be compromised, right? You have different environments up in the cloud or SaaS environments again, where you may not be able to deploy an endpoint agent, and all that together leaves visibility gaps or gaps in, in, in the security operation triad. Right. And that is basically open door for exploitation

>>Open door. Go ahead. Sorry.

>>Yeah. And then, then you just have the malware and the, and the attackers getting more sophisticated. They, they have malware that can detect an EDR agent running or some anti malware agent running on device. And they'll simply avoid that and move on to the next one, or they know how to hide their tracks, you know, whether it be deleting files, registry settings, things like that. You know, so it's, that's another challenge that, that, that just an agent faces. Another one is there are certain applications like MySQL that are, you know, have administrative rights into certain parts of the Windows operating system that EDR doesn't have visibility into. Another area that maybe EDR may not have visibility is, is, is in, you know, malware that tries to compromise, you know, hardware, especially like BIOS or something like that. So there's a number of challenges as sort of the whole network environment and sophistication of bad actors and malware increases.
>>Ultimately, I think one of the things that, that we've learned, and, and we've heard from you in this segment, is that doing business in, in today's digital economy demands agility. Table stakes, right? Absolutely essential. Corporate digital infrastructures have changed a lot in response to the dynamic environment, but its businesses are racing to the clouds. Dave Vellante likes to call it the forced march to the cloud, expanding activities across this globally distributed digital ecosystem. They also sounds like need to reinvent cybersecurity to defend this continuously expanding threat surface. And for that, comprehensive network visibility is, as I think you were saying, is really, really fundamental and more advanced network detection is, and response is required. Is that right?

>>That's correct. You know, you know, we, we at Netscout, this is, this is where we come from. Our perspective is the network. It has been over for over 30 years. And, and we, as well as others, believe that that network visibility, comprehensive network visibility is fundamental for cyber security as well as network performance and application analysis. So it, it, it's sort of a core competency or need for, for modern businesses today.

>>Excellent. And hold that thought, Tom, cause in a moment, you and I are gonna be back to talk about the role of NDR and how it overcomes the challenges of EDR. You're watching theCUBE, the leader in enterprise tech coverage. Hey everyone, welcome back. This is segment two. Kicking things off, I'm Lisa Martin with Tom Bienkowski, senior director of product marketing at Netscout. Tom, great to have you back on the program.

>>Good to be here.

>>We're gonna be talking about the growing importance of advanced NDR in this series. In this segment specifically, Tom's gonna be talking about the role of NDR and how it overcomes the challenges of EDR.
So Tom, one of the things that we talked about previously is one of the biggest advantages that NDR has over EDR is that bad actors can hide or manipulate endpoint data pretty easily, whereas network data, much harder to manipulate. So my question, Tom, for you is, is NDR the only real source for reliable, accurate, comprehensive data?

>>I'm sure that's arguable, right? Depending on who you are as a vendor, but you know, it's, it's our, our answer is yes. NDR solutions also bring an analyst down to the packet level. And there's a saying, you know, the, the packet is the ultimate source or source of truth. A bad actor cannot manipulate a packet. Once it's on the wire, they could certainly manipulate it from their end point and then blast it out. But once it hits the wire, that's it, they've lost control of it. And once it's captured by a network detection or, or network monitoring device, they can't manipulate it. They can't go into that packet store and, and manipulate those packets. So the ultimate source of truth is, is lies within that packet somewhere.

>>Got you. Okay. So as you said in segment one, EDR absolutely necessary, right. But you did point out it can't, organizations can't solely rely on it for comprehensive cybersecurity. So Tom, talk about the benefits of, of this complementing, this combination of EDR and NDR and, and how can that deliver more comprehensive cybersecurity for organizations?

>>Yeah, so, so one of the things we talked about in the prior segment was where EDR maybe can't be deployed, and it's either on different types of devices like IoT devices, or even different environments. They have a tough time maybe in some of these public cloud environments, but that's where NDR can, can step in, especially in these public cloud environments. So I think there's a misconception out there that's difficult to get packet level or network visibility and public clouds like AWS or Azure or Google and so on. And that's absolutely not true.
They have all kinds of virtual tapping capabilities that an NDR solution or network based monitoring solution could take advantage of. And one of the things that we know we spoke about before, some of that growing trends of migrating workloads to the cloud, that's what's driving that. Those virtual networks or virtual taps is providing visibility into the performance and security of those workloads.

>>As they're migrated to public clouds, NDR can also be deployed more strategically, you know, prior segment talking about how the, in order to gain pervasive visibility with EDR, you have to deploy an agent everywhere. Agents can't be deployed everywhere. So what you can do with NDR is there's a lot fewer places in a network where you can strategically deploy a network based monitoring device to give you visibility into not only that north south traffic, so what's coming in and out of your network, but also the, the, the, the east west traffic too, what's traversing, you know, within your network environment between different points of your op your, your multi-tiered application, things like that. So that's where, you know, NDR has a, a, a little bit more advantage. So fewer points of points in the network, if you will, than everywhere on every single endpoint. And then, you know, NDR is out there continuously gathering network data. It's both either before, during, and even after a threat or an attack is, is detected. And it provides you with this network context of, of, you know, what's happening on the wire. And it does that through providing you access to, you know, layer two through layer seven metadata, or even ultimately packets. You know, the bottom line is simply that, you know, NDR is providing, as we said before, that that network context that is potentially missing or is missing in EDR.
>>Can you talk a little bit about XDR? That kind of sounds like a superhero name to me, but this is extended detection and response, and this is an evolution of EDR. Talk to us about XDR and maybe EDR, NDR, XDR is really delivering that comprehensive cybersecurity strategy for organizations.

>>Yeah. So, you know, it's, it's interesting. I think there's a lot of confusion out there in the industry. What is, what is XDR, what is XDR versus an advanced SIEM, et cetera. So in some cases, there are some folks that don't think it's just an evolution of EDR. You know, to me, XDR is taking, look at these, all these disparate data sources. So going back to our, when our first segment, we talked about the, the, the security operations center triad, and it has data from different perspectives, as we were saying, right? And XDR, to me is the, is, is trying to bring them all together. All these disparate data source sets or sources, bring them together, conduct some level of analysis on that data for the analyst and potentially, you know, float to the top. The most, you know, important events are events that we, that you know, that the system deems high priority or most risky and so on. But as I, as I'm describing this, I know there are many advanced SIEMs out there trying to do this today too. Or they do do this today. So this there's this little area of confusion around, you know, what exactly is XDR, but really it is just trying to pull together these different sources of information and trying to help that analyst figure out, you know, what, where's the high priority event that's they should be looking at,

>>Right? Getting those high priority events elevated to the top as soon as possible. One of the things that I wanted to ask you about was something that occurred in March of this year, just a couple of months ago, when the White House released a statement from President Biden regarding the nation's cyber security. It included recommendations for private companies.
I think a lot of you are familiar with this, but the first set of recommendations were best practices that all organizations should already be following, right? Multifactor authentication, patching against known vulnerabilities, educating employees on the phishing attempts, on how to be effective against them. And the next statement in the president's release focused on data safety practices, also stuff that probably a lot of corporations doing: encryption, maintaining offline backups. But where the statement focused on proactive measures companies should take to modernize and improve their cybersecurity posture, it was vague. It was deploy modern security tools on your computers and devices to continuously look for and mitigate threats. So my question to you is how do, how do you advise organizations do that? Deploy modern security tools, look for and mitigate threats, and where do the data sources, the SOC triad that we talked about, NDR, XDR, EDR, where did they help fit into helping organizations take something that's a bit nebulous and really figure out how to become much more secure?

>>Yeah, it was, it was definitely a little vague there with that, with that sentence. And also if you, if you, I think if, if you look at the sentence, deploy modern security tools on your computers and devices, right. It's missing the network as we've been talking about. There, there's, there's a key, key point of, of reference that's missing from that, from that sentence. Right. But I think what they mean by deploying modern security tools is, is really taking advantage of all these, these ways to gain visibility into, you know, the threats like we've been talking about. You're deploying advanced SIEMs that are pulling logs from all kinds of different security devices or, and, or servers, et cetera. You're, you're deploying advanced endpoint detection systems, advanced NDR systems.
And so on, you're trying to use, you're trying to utilize XDR, new technology to pull data from all those different sources and analyze it further. And then, you know, the other one we, we haven't even mentioned yet. It was the SOAR, the security operation and automation, right, response. It's now, now what do we do? We've detected something, but now help me automate the response to that. And so I think that's what they mean by leveraging modern, you know, security tools and so on

>>When you're in customer conversations, I imagine they're coming to, to Netscout looking for advice like what we just talked through, the vagueness in that statement and the different tools that organizations can use. So when you're talking to customers and they're talking about, we need to gain visibility across our entire network, across all of our devices, from your perspective, from Netscout's perspective, what does that visibility actually look like and deliver across an organization that does it well?

>>Yeah, we, I mean, I think the simple way to put it is you need visibility that is both broad and deep. And what I mean by broad is that you need visibility across your network, no matter where that network may reside, no matter what protocols it's running, what, you know, technologies is it, is it virtualized or, or legacy, running in a hundred gigabits? Is it in a private cloud, a public cloud, a combination of both? So that broadness, meaning wherever that network is or whatever it's running, that's, that's what you need visibility into. It has to be able to support that environment. Absolutely. And the, the, absolutely when I, we talk about being deep it's, it has to get down to a packet level. It can't be, you know, as high as say, just looking at NetFlow records or something like that, that they are valuable, they have their role.
However, you know, when we talk about getting deep, it has to ultimately get down to the packet level and that's, and we've said this in this time that it's ultimately that source of truth. So that, that's what that's, I think that's what we need.

>>Got it. That that depth is incredibly important. Thanks so much, Tom, for talking about this. In a moment, you and I are gonna be back, we're gonna be talking about why not all NDR is created equally, and Tom's gonna actually share with you some of the features and capabilities that you should be looking for when you're choosing an NDR solution. You're watching theCUBE, the leader in enterprise tech coverage,

>>And we're clear.

>>All right.

>>10 45. Perfect. You guys are

>>Okay. Good

>>Cruising. Well,

>>Welcome back everyone. This is segment three. I'm Lisa Martin with Tom Bienkowski, senior director of product marketing at Netscout. Welcome back to The Growing Importance of Advanced NDR. In this segment, Tom and I are gonna be talking about the fact that not all NDR is created equally. He's gonna unpack the features, the capabilities that are most important when organizations are choosing an NDR solution. Tom, it's great to have you back on the program.

>>Great, great to be here.

>>So we've, we've covered a lot of content in the first two segments, but as we, as we see enterprises expanding their IT infrastructure, enabling the remote workforce, which is here to stay, leveraging the cloud, driving innovation, the need for cybersecurity approaches and strategies that are far more robust and deep is really essential. But in response to those challenges, more and more enterprises are relying on NDR solutions that fill some of the gaps that we talked about with some of the existing tool sets. In the last segment, we talked about some of the gaps in EDR solutions, how NDR resolves those. But we also know that not all NDR tools are created equally.
So what, in your perspective, Tom, are some of the absolutely fundamental components of NDR tools that organizations need to have for those tools to really be robust?

>>Yeah. So we, we, we touched upon this a little bit in the previous segment when we talked about first and foremost, your NDR solution is providing you comprehensive network visibility that must support whatever your network environment is. And it should be in a single tool. It shouldn't have a one vendor per providing you, you know, network visibility in the cloud and another vendor providing network visibility in a local network. It should be a single NDR solution that provides you visibility across your entire network. So we also talked about it, not only does it need to be broad like that, but also has to be deep too, eventually down to a packet level. So those are, those are sort of fundamental table stakes, but the NDR solution also must give you the ability to access a robust source of layer two or layer three metadata, and then ultimately give you access to, to packets. And then last but not least, that solution must integrate into your existing cybersecurity stack. So in the prior segments, we talked a lot about, you know, the, the SIEM, so that, that, that NDR solution must have the ability to integrate into that SIEM or into your XDR system or even into your SOAR system.

>>Let's kind of double click on now the evolution of NDR. Can you explain some of the differences between the previous generations and advanced NDR?

>>Yeah. So let's, let's start with what we consider the most fundamental difference. And that is solution must be packet based. There are other ways to get network visibility. One is using NetFlow and there are some NDR solutions that rely upon NetFlow for their source of, of, of visibility. But that's too shallow. You ultimately, you need to get deeper.
You need to get down to a packet level and that's again where some, so, you know, you, you want to make sure that your NDR or advanced NDR solution is packet based. Number two, you wanna make sure that when you're pulling packets off the wire, you can do it at scale, at full line rate and in any environment, as we, as we spoke about previously, whether it be your local environment or a public cloud environment. Number three, you wanna be able to do this when your traffic is encrypted. As we know, a lot of, a lot of network traffic is encrypted today. So you have the ability to have to have the ability to decrypt that traffic and then analyze it with your NDR system.

>>Another, another, another one, number four is, okay, I'm not just pulling packets off the wire, throwing full packets into a data storage someplace. That's gonna, you know, fill up a disc in a matter of seconds, right? You want the ability to extract a meaningful set of metadata from layer two to layer seven, the OSI model, look at key metrics and conducting initial set of analysis, have the ability to index and compress that data, that metadata as well as packets on these local storage devices on, you know, so having the ability to do this packet capture at scale is really important, storing that packets and metadata locally versus up in a cloud to, you know, help with some compliance and, and confidentiality issues. And then, you know, last final least when we talk about integration into that security stack, it's multiple levels of integration. Sure. We wanna send alerts up into that SIEM, but we also want the ability to, you know, work with that XDR system to, or that, that SOAR system to drill back down into that metadata packets for further analysis.
And then last but not least, that piece of integration should be that there's a robust set of information that these NDR systems are pulling off the wire. Many times in more advanced mature organizations, you know, security teams, data scientists, et cetera, they just want access to that raw data, let them do their own analysis outside, say the user interface with the boundaries of a, of a vendor's user interface. Right? So have the ability to export that data too is really important in advanced NDR systems.

>>Got it. So, so essentially that the, the, the breadth, the visibility across the entire infrastructure, the depth you mentioned going down to a packet level, the scale, the metadata, encryption, is that what Netscout means when you talk about visibility without borders?

>>Yeah, exactly. You know, we, we have been doing this for over 30 years, pulling packets off of wire, converting them using patented technology to a robust set of metadata, you know, at, at full line rates up to a hundred in any network environment, any protocols, et cetera. So that, that's what we mean by that breadth and in depth of visibility,

>>Can you talk a little bit about smart detection? If we say, okay, advanced NDR needs to deliver this threat intelligence, but it also needs to enable smart detection. What does Netscout mean by that?

>>So what you wanna make sure you have multiple methods of detection, not just a method. So, you know, not just doing behavioral analysis or not just detecting threats based on known indicators of compromise, what you wanna wanna have multiple ways of detecting threats. It could be using statistical behavioral analysis. It could be using curated threat intelligence. It could be using, you know, open source signature engine, like from Suricata or other threat analytics, but to, but you also wanna make sure that you're doing this both in real time and have the ability to do it historically.
So after a, a threat has been detected, for example, with another, with another product, say an EDR device, you now want the ability to drill into the data from the network that had occurred in, in, you know, prior to this. So historically you want the ability to comb through a historical set of metadata or packets with new threat intelligence that you've you've gathered today. I wanna be able to go back in time and look through with a whole new perspective, looking for something that I didn't know about, but you know, 30 days ago. So that's, that's what we, what we mean by smart detection.

>>So really what organizations need is these tools that deliver a far more comprehensive approach. I wanna get into a little bit more on in integration. You talked about that in previous segments, but can you, can you give us an example of, of what you guys mean by smart integration? Is that, what does that deliver for organizations specifically?

>>Yeah, we really it's three things. One will say the integration to the SIEM, to the security operations center and so on. So when, when an ed, when an NDR device detects something, have it send an alert to the SIEM using, you know, open standards or, or, or like syslog standards, et cetera. The other direction is from the SIEM or from the SOAR. So one, you know, that SIEM, that SOAR is receiving information from many different devices that are, or detecting threats. The analyst now wants the ability to one, determine if that's a true threat or not a false positive. If it is a true threat, you know, what, help me with the remediation effort. So, you know, an example could be an alert comes into a SIEM slash SOAR, and part of the playbook is to go out and grab the metadata packets associated with this alert sometime before and sometime after when that alert came in.

>>So that could be part of the automation coming from the SIEM slash
SOAR, and then last one, not least is we alluded to this before is having the ability to export that robust set of layer two through layer seven metadata and or packets to a third party data lake, if you will, and where analysts, more sophisticated analysts, data scientists, and so on, can do their own correlation, enrich it with their own data, combine it with other data sets and so on, do their own analysis. So it's that three layers of, of integration, if you will, that really what should be an advanced NDR system?

>>All right, Tom, take this home for me. How does Netscout deliver advanced NDRs for organizations?

>>We do that via solution we call Omnis Security. This is Netscout's portfolio of, of multiple different cyber security products. It all starts with the packets. You know, our core competency for the last 30 years has been to pull packets off the wire at scale, using patented technologies, for example, Adaptive Service Intelligence technologies to convert those broad packets into robust set of layer seven layer two through seven metadata. We refer to that data as smart data. With that data in hand, you now have the ability to conduct multiple types of threat detection using statistical behavioral, you know, curated threat intelligence, or even open source. So rules engine, you have the ability to detect threats both in real time, as well as historically, but then a solution goes beyond just detecting threats or investigating threats, has the ability to influence the blocking of threats too. So we have integrations with different firewall vendors like Palo Alto, for example, where they could take the results of our investigation and then, you know, create policies, blocking policies into firewall.

>>In addition to that, we have our own Omnis AED product, or our Arbor Edge Defense. That's, that's a product that sits in front of the firewall and protects the firewall from different types of attacks.
We have integration that, where you can, you can also influence policies being blocked in the AED. And last but not least, our, our solution integrates this sort of three methods of integration, as we mentioned before, with an existing security system, sending alerts to it, allowing for automation and investigation from it, and having the ability to export our data for, you know, custom analysis. You know, all of this makes that security stack that we've been talking about better, all those different tools that we have. That's that operations triads that we talked about or visibility triad, we talked about, you know, our data makes that entire triad just better and makes the overall security stack better and makes overall security just, just better too. So that, that, that's our solution, Omnis Security. >>Got it. Omnis Security. And what you've talked about did a great job. The last three segments talking about the differences between the different technologies, data sources, why the complementary and collaborative nature of them working together is so important for that comprehensive cybersecurity. So Tom, thank you so much for sharing such great and thoughtful information and insight for the audience. >>Oh, you're welcome. Thank you. >>My pleasure. We wanna thank you for watching the program today. Remember that all these videos are available at thecube.net, and you can check out today's news on siliconangle.com and of course, netscout.com. We also wanna thank NETSCOUT for making this program possible and sponsoring theCUBE. I'm Lisa Martin for Tom Bienkowski. Thanks for watching and bye for now.

Published Date : Jul 13 2022



Richard Hummel, NETSCOUT | CUBE Conversation, July 2021


 

(upbeat music) >> Hey, welcome to this Cube conversation with NetScout. I'm Lisa Martin. Excited to talk to you. Richard Hummel, the manager of threat research for Arbor Networks, the security division of NetScout. Richard, welcome to theCube. >> Thanks for having me, Lisa, it's a pleasure to be here. >> We're going to unpack the sixth NetScout Threat Intelligence Report, which is going to be very interesting. But something I wanted to start with is we know that and yes, you're going to tell us, COVID and the pandemic has had a massive impact on DDoS attacks, ransomware. But before we dig into the report, I'd like to just kind of get some stories from you as we saw last year about this time rapid pivot to work from home, rapid pivot to distance learning. Talk to us about some of the attacks that you saw in particular that literally hit close to home. >> Sure and there's one really good prime example that comes to mind because it impacted a lot of people. There was a lot of media sensation around this but if you go and look, just Google it, Miami Dade County and DDoS, you'll see the first articles that pop up is the entire district school network going down because the students did not want to go to school and launched a DDoS attack. There was something upwards of 190,000 individuals that could no longer connect to the school's platform, whether that's a teacher, a student or parents. And so it had a very significant impact. And when you think about this in terms of the digital world, that impacted very severely, a large number of people and you can't really translate that to what would happen in a physical environment because it just doesn't compute. There's two totally different scenarios to talk about here. >> Amazing that a child can decide, "I don't want to go to school today." And as a result of a pandemic take that out for nearly 200,000 folks. So let's dig into, I said this is the sixth NetScout Threat Intelligence Report. 
One of the global trends and themes that is seen as evidence in what happened last year is up and to the right. Oftentimes when we're talking about technology, you know, with analyst reports up and to the right is a good thing. Not so in this case. We saw huge increases in threat vectors, more vectors weaponized per attack sophistication, expansion of threats and IOT devices. Walk us through the overall key findings from 2020 that this report discovered. >> Absolutely. And if you glance at your screen there you'll see the key findings here where we talk about record breaking numbers. And just in 2020, we saw over 10 million attacks, which, I mean, this is a 20% increase over 2019. And what's significant about that number is COVID had a huge impact. In fact, if we go all the way back to the beginning, right around mid March, that's when the pandemic was announced, attacks skyrocketed and they didn't stop. They just kept going up and to the right. And that is true through 2021. So far in the first quarter, typically January, February is the down month that we observe in DDoS attacks. Whether this is, you know, kids going back to school from Christmas break, you have their Christmas routines and e-commerce is slowing down. January, February is typically a slow month. That was not true in 2021. In fact, we hit record numbers on a month by month in both January and February. And so not only do we see 2.9 million attacks in the first quarter of 2021, which, I mean, let's do the math here, right? We've got four quarters, you know, we're on track to hit 12 million attacks potentially, if not more. And then you have this normal where we said 800,000 approximately month over month since the pandemic started, we started 2021 at 950,000 plus. That's up and to the right and it's not slowing down. >> It's not slowing down. It's a trend that it shows, you know, significant impact across every industry. 
And we're going to talk about that but what are some of the new threat vectors that you saw weaponized in the last year? I mean, you talked about the example of the Miami-Dade school district but what were some of those new vectors that were really weaponized and used to help this up and to the right trend? >> So there's four in particular that we were tracking in 2020 and these nets aren't necessarily new vectors. Typically what happens when an adversary starts using this is there's a proof of concept code out there. In fact, a good example of this would be the RDP over UDP. So, I mean, we're all remotely connected, right? We're doing this over a Zoom call. If I want to connect to my organization I'm going to use some sort of remote capability whether that's a VPN or tunneling in, whatever it might be, right? And so remote desktop is something that everybody's using. And we saw actors start to kind of play around with this in mid 2020. And in right around September, November timeframe we saw a sudden spike. And typically when we see spikes in this kind of activity it's because adversaries are taking proof of concept code, that maybe has been around for a period of time, and they're incorporating those into DDoS for hire services. And so any person that wants to launch a DDoS attack can go into underground forums in marketplaces and they can purchase, maybe it's $10 in Bitcoin, and they can purchase an attack that leverages a bunch of different DDoS vectors. And so adversaries have no reason to remove a vector as new ones get discovered. They only have the motivation to add more, right? Because somebody comes into their platform and says, "I want to launch an attack that's going to take out my opponent." It's probably going to look a lot better if there's a lot of attack options in there where I can just go through and start clicking buttons left and right. 
And so all of a sudden now I've got this complex multi-vector attack that I don't have to pay anything extra for. Adversary already did all the work for me and now I can launch an attack. And so we saw four different vectors that were weaponized in 2020. One of those are notably the Jenkins that you see listed on the screen in the key findings. That one isn't necessarily a DDoS vector. It started out as one, it does amplify, but what happens is Jenkins servers are very vulnerable and when you actually initiate this attack, it tips over the Jenkins server. So it kind of operates as like a DoS event versus DDoS but it still has the same effect of availability, it takes a server offline. And then now just in the first part of 2021 we're tracking multiple other vectors that are starting to be weaponized. And when we see this, we go from a few, you know, incidents or alerts to thousands month over month. And so we're seeing even more vectors added and that's only going to continue to go up and to the right. You know that theme that we talked about at the beginning here. >> As more vectors get added, and what did you see last year in terms of industries that may have been more vulnerable? As we talked about the work from home, everyone was dependent, really here we are on Zoom, dependent on Zoom, dependent on Netflix. Streaming media was kind of a lifeline for a lot of us but it also was healthcare and education. Did you see any verticals in particular that really started to see an increase in the exploitation and in the risk? >> Yeah, so let's start, let's separate this into two parts. The last part of the key findings that we had was talking about a group we, or a campaign we call Lazarus Bear Armada. So this is a global DDoS extortion campaign. We're going to cover that a little bit more when we talk about kind of extorted events and how that operates but these guys, they started where the money is. 
And so when they first started targeting industries and this kind of coincides with COVID, so it started several months after the pandemic was announced, they started targeting financial organizations, commercial banking. They went after stock exchange. Many of you would hear about the New Zealand Stock Exchange that went offline. That's this LBA campaign and these guys taking it off. So they started where the money is. They moved to a financial agation targeting insurance companies. They targeted currency exchange places. And then slowly from there, they started to expand. And in so much as our Arbor Cloud folks actually saw them targeting organizations that are part of vaccine development. And so these guys, they don't care who they hurt. They don't care who they're going after. They're going out there for a payday. And so that's one aspect of the industry targeting that we've seen. The other aspect is you'll see, on the next slide here, we actually saw a bunch of different verticals that we really haven't seen in the top 10 before. In fact, if you actually look at this you'll see the number one, two and three are pretty common for us. We almost always are going to see these kinds of telecommunications, wireless, satellite, broadband, these are always going to be in the top. And the reason for that is because gamers and DDoS attacks associated with gaming is kind of the predominant thing that we see in this landscape. And let's face it, gamers are on broadband operating systems. If you're in Asian communities, often they'll use mobile hotspots. So now you start to have wireless come in there. And so that makes sense seeing them. But what doesn't make sense is this internet publishing and broadcasting and you might say, "Well, what is that?" Well, that's things like Zoom and WebEx and Netflix and these other streaming services. And so we're seeing adversaries going after that because those have become critical to people's way of life. 
Their entertainment, what they're using to communicate for work and school. So they realized if we can go after this it's going to disrupt something and hopefully we can get some recognition. Maybe we can show this as a demonstration to get more customers on our platform or maybe we can get a payday. In a lot of the DDoS attacks that we see, in fact most of them, are all monetary focused. And so they're looking for a payday. They're going to go after something that's going to likely, you know, send out that payment. And then just walk down the line. You can see COVID through this whole thing. Electronic shopping is number five, right? Everybody turned to e-commerce because we're not going to in-person stores anymore. Electronic computer manufacturing, how many more people have to get computers at home now because they're no longer in a corporate environment? And so you can see how the pandemic has really influenced this industry target. >> Significant influencer and I also wonder too, you know, Zoom became a household name for every generation. You know, we're talking to five generations and maybe the generations that aren't as familiar with computer technology might be even more exploitable because it's easy to click on a phishing email when they don't understand how to look for the link. Let's now unpack the different types of DDoS attacks and what is on the rise. You talked about in the report the triple threat and we often think of that in entertainment. That's a good thing, but again, not here. Explain that triple threat. >> Yeah, so what we're seeing here is we have adversaries out there that are looking to take advantage of every possible angle to be able to get that payment. And everybody knows ransomware is a household name at this point, right? And so ransomware and DDoS have a lot in common because they both attack the availability of network resources, where computers or devices or whatever they might be. 
And so there's a lot of parallels to draw between the two of these. Now ransomware is a denial of service event, right? You're not going to have tens of thousands of computers hitting a single computer to take it down. You're going to have one exploitation of events. Somebody clicked on a link, there was a brute force attempt that managed to compromise a little boxes, credentials, whatever it might be, ransomware gets put on a system, it encrypts all your files. Well, all of a sudden, you've got this ransom note that says "If you want your files decrypted you're going to send us this amount of human Bitcoin." Well, what adversaries are doing now is they're capitalizing on the access that they already gained. So they already have access to the computer. Well, why not steal all the data first then let's encrypt whatever's there. And so now I can ask for a ransom payment to decrypt the files and I can ask for an extortion to prevent me from posting your data publicly. Maybe there's sensitive corporate information there. Maybe you're a local school system and you have all of your students' data on there. You're a hospital that has sensitive PI on it, whatever it might be, right? So now they're going to extort you to prevent them from posting that publicly. Well, why not add DDoS to this entire picture? Now you're already encrypted, we've already got your files, and I'm going to DDoS your system so you can't even access them if you wanted to. And I'm going to tell you, you have to pay me in order to stop this DDoS attack. And so this is that triple threat and we're seeing multiple different ransomware families. In fact, if you look at one of the slides here, you'll see that there's SunCrypt, there's Ragnar Cryptor, and then Maze did this initially back in September and then more recently, even the DarkSide stuff. I mean, who hasn't heard about DarkSide now with the Colonial Pipeline event, right? 
So they came out and said, "Hey we didn't intend for this collateral damage but it happened." Well, April 24th, they actually started offering DDoS as part of their tool kits. And so you can see how this has evolved over time. And adversaries are learning from each other and are incorporating this kind of methodology. And here we have triple extortion event. >> It almost seems like triple extortion event as a service with the opportunities, the number of vectors there. And you're right, everyone has heard of the Colonial Pipeline and that's where things like ransomware become a household term, just as much as Zoom and video conferencing and streaming media. Let's talk now about the effects that the threat report saw and uncovered region by region. Were there any regions in particular that were, that really stood out as most impacted? >> So not particularly. So one of the phenomena that we actually saw in the threat report, which, you know, we probably could have talked about it before now but it makes sense to talk about it regionally because we didn't see any one particular region, one particular vertical, a specific organization, specific country, none was more heavily targeted than another. In fact what we saw is organizations that we've never seen targeted before. We've seen industries that have never been targeted before all of a sudden are now getting DDoS attacks because we went from a local on-prem, I don't need to be connected to the internet, I don't need to have my employees remote access. And now all of a sudden you're dependent on the internet which is really, let's face it, that's critical infrastructure these days. And so now you have all of these additional people with a footprint connected to the internet then adversary can figure out and they can poke at it. And so what we saw here is just overall, all industries, all regions saw these upticks. The exception would be in China. 
We actually, in the Asia Pacific region specifically, but predominantly in China. But that often has to do with visibility rather than a decrease in attacks because they have their own kind of infrastructure in China. Brazil's the same way. They have their own kind of ecosystems. And so often you don't see what happens a lot outside the borders. And so from our perspective, we might see a decrease in attacks but, for all we know, they actually saw an increase in the attacks that is internal to their country against their country. And so across the board, just increases everywhere you look. >> Wow. So let's talk about what organizations can do in light of this. As we are here, we are still doing this program by video conferencing and things are opening up a little bit more, at least in the states anyway, and we're talking about more businesses going back to some degree but there's going to still be some mix, some hybrid of working from home and maybe even distance learning. So what can enterprises do to prepare for this when it happens? Because it sounds to me like with the sophistication, the up and to the right, it's not, if we get attacked, it's when. >> It's when, exactly. And that's just it. I mean, it's no longer something that you can put off. You can't just assume that I've never been DDoS attacked, I'm never going to be DDoS attacked anymore. You really need to consider this as part of your core security platform. I like to talk about defense in depth or a layer defense approach where you want to have a layered approach. So, you know, maybe they target your first layer and they don't get through. Or they do get through and now your second layer has to stop it. Well, if you have no layers or if you have one layer, it's not that hard for an adversary to figure out a way around that. And so preparation is key. Making sure that you have something in place and I'm going to give you an operational example here. 
One of the things we saw with the LBA campaigns is they actually started doing network reconnaissance for their targets. And what they would do is they would take the IP addresses belonging to your organization. They would look up the domains associated with that and they would figure out like, "Hey, this is vpn.organization.com or VPN two." And all of a sudden they've found your VPN concentrator and so that's where they're going to focus their attack. So something as simple as changing the way that you name your VPN concentrators might be sufficient to prevent them from hitting that weak link or right sizing the DDoS protection services for your company. Did you need something as big as like OnPrem Solutions? We need hardware. Do you instead want to do a managed service? Or do you want to go and talk to a cloud provider because there's right solutions and right sizes for all types of organizations. And the key here is preparation. In fact, all of the customers that we've worked with for the LBA extortion campaigns, if they were properly prepared they experienced almost no downtime or impact to their business. It's the people like the New Zealand Stock Exchange or their service provider that wasn't prepared to handle the attacks that were sent out them that were crippled. And so preparation is key. The other part is awareness. And that's part of what we do with this threat report because we want to make sure you're aware what adversaries are doing, when new attack vectors are coming out, how they're leveraging these, what industries they're targeting because that's really going to help you to figure out what your posture is, what your risk acceptance is for your organization. And in fact, there's a couple of resources that that we have here on the next slide. And you can go to both of these. One of them is the threat report. You can view all of the details. And we only scratched the surface here in this Cube interview. 
So definitely recommend going there but the other one is called Horizon. And netscout.com/horizon is a free resource you can register but you can actually see near real-time attacks based on industry and based on region. So if your organization out there and you're figuring, "Well I'm never attacked." Well go look up your industry. Go look up the country where you belong and see is there actually attacks against us? And I think you'll be quite surprised that there's quite a few attacks against you. And so definitely recommend checking these out. >> Great resources netscout.com/horizon, netscout.com/threatreport. I do want to ask you one final question. That's in terms of timing. We saw the massive acceleration in digital transformation last year. We've already talked about this a number of times on this program. The dependence that businesses and consumers, like globally in every industry, in every country, have on streaming on communications right now. In terms of timing, though, for an organization to go from being aware to understanding what adversaries are doing, to being prepared, how quickly can an organization get up to speed and help themselves start reducing their risks? >> So I think that with DDoS, as opposed to things like ransomware, the ramp up time for that is much, much faster. There is a finite period of time with DDoS attacks that is actually going to impact you. And so maybe you're a smaller organization and you get DDoS attacked. There's a, probably a pretty high chance that that DDoS attack isn't going to last for multiple days. So maybe it's like an hour, maybe it's two hours, and then you recover. Your network resources are available again. That's not the same for something like ransomware. You get hit with ransomware, unless you pay or you have backups, you have to do the rigorous process of getting all your stuff back online. DDoS is more about as soon as the attack stops, the saturation goes away and you can start to get back online again. 
So it might not be as like immediate critical that you have to have something but there's also solutions, like a cloud solution, where it's as simple as signing up for the service and having your traffic redirected to their scrubbing center, their detection center. And then you may not have to do anything on-prem yourself, right? It's a matter of going out to an organization, finding a good contract, and then signing up, signing on the dotted line. And so I think that the ramp up time for mitigation services and DDoS protection can be a lot faster than many other security platforms and solutions. >> That's good to know cause with the up and to the right trend that you already said, the first quarter is usually slow. It's obviously not that way as what you've seen in 2021. And we can only expect what way, when we talk to you next year, that the up and to the right trend may continue. So hopefully organizations take advantage of these resources, Richard, that you talked about to be prepared to mediate and protect their you know, their customers, their employees, et cetera. Richard, we thank you for stopping by theCube. Talking to us about the sixth NetScout Threat Intelligence Report. Really interesting information. >> Absolutely; definitely a pleasure to have me here. Lisa, anytime you guys want to do it again, you know where I live? >> Yes. It's one of my favorite topics that you got and I got to point out the last thing, your Guardians of the Galaxy background, one of my favorite movies and it should be noted that on the NetScout website they are considered the Guardians of the Connected World. I just thought that connection was, as Richard told me before we went live, not planned, but I thought that was a great coincidence. Again, Richard, it's been a pleasure talking to you. Thank you for your time. >> Thank you so much. >> Richard Hummel, I'm Lisa Martin. You're watching this Cube conversation. (relaxing music)

Published Date : Jul 15 2021



2021 002 Richard Hummel V1 FOR SLIDE REVIEW


 

(upbeat music)

>> Hey, welcome to this Cube conversation with NetScout. I'm Lisa Martin. Excited to talk to you. Richard Hummel, the manager of threat research for Arbor Networks, the security division of NetScout. Richard, welcome to theCube.

>> Thanks for having me, Lisa, it's a pleasure to be here.

>> We're going to unpack the sixth NetScout Threat Intelligence Report, which is going to be very interesting. But something I wanted to start with is we know that and yes, you're going to tell us, COVID and the pandemic has had a massive impact on DDoS attacks, ransomware. But before we dig into the report, I'd like to just kind of get some stories from you as we saw last year about this time rapid pivot to work from home, rapid pivot to distance learning. Talk to us about some of the attacks that you saw in particular that literally hit close to home.

>> Sure and there's one really good prime example that comes to mind because it impacted a lot of people. There was a lot of media sensation around this but if you go and look, just Google it, Miami Dade County and DDoS, you'll see the first articles that pop up is the entire district school network going down because the students did not want to go to school and launched a DDoS attack. There was something upwards of 190,000 individuals that could no longer connect to the school's platform, whether that's a teacher, a student or parents. And so it had a very significant impact. And when you think about this in terms of the digital world, that impacted very severely, a large number of people and you can't really translate that to what would happen in a physical environment because it just doesn't compute. There's two totally different scenarios to talk about here.

>> Amazing that a child can decide, "I don't want to go to school today." And as a result of a pandemic take that out for nearly 200,000 folks. So let's dig into, I said this is the sixth NetScout Threat Intelligence Report.
One of the global trends and themes that is seen as evidence in what happened last year is up and to the right. Oftentimes when we're talking about technology, you know, with analyst reports up and to the right is a good thing. Not so in this case. We saw huge increases in threat vectors, more vectors weaponized per attack, sophistication, expansion of threats and IoT devices. Walk us through the overall key findings from 2020 that this report discovered.

>> Absolutely. And if you glance at your screen there you'll see the key findings here where we talk about record breaking numbers. And just in 2020, we saw over 10 million attacks, which, I mean, this is a 20% increase over 2019. And what's significant about that number is COVID had a huge impact. In fact, if we go all the way back to the beginning, right around mid March, that's when the pandemic was announced, attacks skyrocketed and they didn't stop. They just kept going up and to the right. And that is true through 2021. So far in the first quarter, typically January, February is the down month that we observe in DDoS attacks. Whether this is, you know, kids going back to school from Christmas break, you have their Christmas routines and e-commerce is slowing down. January, February is typically a slow month. That was not true in 2021. In fact, we hit record numbers on a month by month in both January and February. And so not only do we see 2.9 million attacks in the first quarter of 2021, which, I mean, let's do the math here, right? We've got four quarters, you know, we're on track to hit 12 million attacks potentially, if not more. And then you have this normal where we said 800,000 approximately month over month since the pandemic started, we started 2021 at 950,000 plus. That's up and to the right and it's not slowing down.

>> It's not slowing down. It's a trend that it shows, you know, significant impact across every industry.
And we're going to talk about that but what are some of the new threat vectors that you saw weaponized in the last year? I mean, you talked about the example of the Miami-Dade school district but what were some of those new vectors that were really weaponized and used to help this up and to the right trend?

>> So there's four in particular that we were tracking in 2020 and these aren't necessarily new vectors. Typically what happens when an adversary starts using this is there's a proof of concept code out there. In fact, a good example of this would be the RDP over UDP. So, I mean, we're all remotely connected, right? We're doing this over a Zoom call. If I want to connect to my organization I'm going to use some sort of remote capability whether that's a VPN or tunneling in, whatever it might be, right? And so remote desktop is something that everybody's using. And we saw actors start to kind of play around with this in mid 2020. And in right around September, November timeframe we saw a sudden spike. And typically when we see spikes in this kind of activity it's because adversaries are taking proof of concept code, that maybe has been around for a period of time, and they're incorporating those into DDoS for hire services. And so any person that wants to launch a DDoS attack can go into underground forums and marketplaces and they can purchase, maybe it's $10 in Bitcoin, and they can purchase an attack that leverages a bunch of different DDoS vectors. And so adversaries have no reason to remove a vector as new ones get discovered. They only have the motivation to add more, right? Because somebody comes into their platform and says, "I want to launch an attack that's going to take out my opponent." It's probably going to look a lot better if there's a lot of attack options in there where I can just go through and start clicking buttons left and right.
And so all of a sudden now I've got this complex multi-vector attack that I don't have to pay anything extra for. Adversary already did all the work for me and now I can launch an attack. And so we saw four different vectors that were weaponized in 2020. One of those are notably the Jenkins that you see listed on the screen in the key findings. That one isn't necessarily a DDoS vector. It started out as one, it does amplify, but what happens is Jenkins servers are very vulnerable and when you actually initiate this attack, it tips over the Jenkins server. So it kind of operates as like a DoS event versus DDoS but it still has the same effect of availability, it takes a server offline. And then now just in the first part of 2021 we're tracking multiple other vectors that are starting to be weaponized. And when we see this, we go from a few, you know, incidents or alerts to thousands month over month. And so we're seeing even more vectors added and that's only going to continue to go up and to the right. You know that theme that we talked about at the beginning here.

>> As more vectors get added, and what did you see last year in terms of industries that may have been more vulnerable? As we talked about the work from home, everyone was dependent, really here we are on Zoom, dependent on Zoom, dependent on Netflix. Streaming media was kind of a lifeline for a lot of us but it also was healthcare and education. Did you see any verticals in particular that really started to see an increase in the exploitation and in the risk?

>> Yeah, so let's start, let's separate this into two parts. The last part of the key findings that we had was talking about a group we, or a campaign we call Lazarus Bear Armada. So this is a global DDoS extortion campaign. We're going to cover that a little bit more when we talk about kind of extorted events and how that operates but these guys, they started where the money is.
And so when they first started targeting industries and this kind of coincides with COVID, so it started several months after the pandemic was announced, they started targeting financial organizations, commercial banking. They went after stock exchange. Many of you would hear about the New Zealand Stock Exchange that went offline. That's this LBA campaign and these guys taking it off. So they started where the money is. They moved to financial-adjacent, targeting insurance companies. They targeted currency exchange places. And then slowly from there, they started to expand. And in so much as our Arbor Cloud folks actually saw them targeting organizations that are part of vaccine development. And so these guys, they don't care who they hurt. They don't care who they're going after. They're going out there for a payday. And so that's one aspect of the industry targeting that we've seen. The other aspect is you'll see, on the next slide here, we actually saw a bunch of different verticals that we really haven't seen in the top 10 before. In fact, if you actually look at this you'll see the number one, two and three are pretty common for us. We almost always are going to see these kinds of telecommunications, wireless, satellite, broadband, these are always going to be in the top. And the reason for that is because gamers and DDoS attacks associated with gaming is kind of the predominant thing that we see in this landscape. And let's face it, gamers are on broadband operating systems. If you're in Asian communities, often they'll use mobile hotspots. So now you start to have wireless come in there. And so that makes sense seeing them. But what doesn't make sense is this internet publishing and broadcasting and you might say, "Well, what is that?" Well, that's things like Zoom and WebEx and Netflix and these other streaming services. And so we're seeing adversaries going after that because those have become critical to people's way of life.
Their entertainment, what they're using to communicate for work and school. So they realized if we can go after this it's going to disrupt something and hopefully we can get some recognition. Maybe we can show this as a demonstration to get more customers on our platform or maybe we can get a payday. In a lot of the DDoS attacks that we see, in fact most of them, are all monetary focused. And so they're looking for a payday. They're going to go after something that's going to likely, you know, send out that payment. And then just walk down the line. You can see COVID through this whole thing. Electronic shopping is number five, right? Everybody turned to e-commerce because we're not going to in-person stores anymore. Electronic computer manufacturing, how many more people have to get computers at home now because they're no longer in a corporate environment? And so you can see how the pandemic has really influenced this industry target.

>> Significant influencer and I also wonder too, you know, Zoom became a household name for every generation. You know, we're talking to five generations and maybe the generations that aren't as familiar with computer technology might be even more exploitable because it's easy to click on a phishing email when they don't understand how to look for the link. Let's now unpack the different types of DDoS attacks and what is on the rise. You talked about in the report the triple threat and we often think of that in entertainment. That's a good thing, but again, not here. Explain that triple threat.

>> Yeah, so what we're seeing here is we have adversaries out there that are looking to take advantage of every possible angle to be able to get that payment. And everybody knows ransomware is a household name at this point, right? And so ransomware and DDoS have a lot in common because they both attack the availability of network resources, whether computers or devices or whatever they might be.
And so there's a lot of parallels to draw between the two of these. Now ransomware is a denial of service event, right? You're not going to have tens of thousands of computers hitting a single computer to take it down. You're going to have one exploitation of events. Somebody clicked on a link, there was a brute force attempt that managed to compromise a little boxes, credentials, whatever it might be, ransomware gets put on a system, it encrypts all your files. Well, all of a sudden, you've got this ransom note that says "If you want your files decrypted you're going to send us this amount of human Bitcoin." Well, what adversaries are doing now is they're capitalizing on the access that they already gained. So they already have access to the computer. Well, why not steal all the data first then let's encrypt whatever's there. And so now I can ask for a ransom payment to decrypt the files and I can ask for an extortion to prevent me from posting your data publicly. Maybe there's sensitive corporate information there. Maybe you're a local school system and you have all of your students' data on there. You're a hospital that has sensitive PI on it, whatever it might be, right? So now they're going to extort you to prevent them from posting that publicly. Well, why not add DDoS to this entire picture? Now you're already encrypted, we've already got your files, and I'm going to DDoS your system so you can't even access them if you wanted to. And I'm going to tell you, you have to pay me in order to stop this DDoS attack. And so this is that triple threat and we're seeing multiple different ransomware families. In fact, if you look at one of the slides here, you'll see that there's SunCrypt, there's Ragnar Cryptor, and then Maze did this initially back in September and then more recently, even the DarkSide stuff. I mean, who hasn't heard about DarkSide now with the Colonial Pipeline event, right?
So they came out and said, "Hey we didn't intend for this collateral damage but it happened." Well, April 24th, they actually started offering DDoS as part of their tool kits. And so you can see how this has evolved over time. And adversaries are learning from each other and are incorporating this kind of methodology. And here we have triple extortion event.

>> It almost seems like triple extortion event as a service with the opportunities, the number of vectors there. And you're right, everyone has heard of the Colonial Pipeline and that's where things like ransomware become a household term, just as much as Zoom and video conferencing and streaming media. Let's talk now about the effects that the threat report saw and uncovered region by region. Were there any regions in particular that were, that really stood out as most impacted?

>> So not particularly. So one of the phenomenon that we actually saw in the threat report, which, you know, we probably could have talked about it before now but it makes sense to talk about it regionally because we didn't see any one particular region, one particular vertical, a specific organization, specific country, none was more heavily targeted than another. In fact what we saw is organizations that we've never seen targeted before. We've seen industries that have never been targeted before all of a sudden are now getting DDoS attacks because we went from a local on-prem, I don't need to be connected to the internet, I don't need to have my employees remote access. And now all of a sudden you're dependent on the internet which is really, let's face it, that's critical infrastructure these days. And so now you have all of these additional people with a footprint connected to the internet that an adversary can figure out and they can poke it. And so what we saw here is just overall, all industries, all regions saw these upticks. The exception would be in China.
We actually, in the Asia Pacific region specifically, but predominantly in China. But that often has to do with visibility rather than a decrease in attacks because they have their own kind of infrastructure in China. Brazil's the same way. They have their own kind of ecosystems. And so often you don't see what happens a lot outside the borders. And so from our perspective, we might see a decrease in attacks but, for all we know, they actually saw an increase in the attacks that is internal to their country against their country. And so across the board, just increases everywhere you look.

>> Wow. So let's talk about what organizations can do in light of this. As we are here, we are still doing this program by video conferencing and things are opening up a little bit more, at least in the states anyway, and we're talking about more businesses going back to some degree but there's going to still be some mix, some hybrid of working from home and maybe even distance learning. So what can enterprises do to prepare for this when it happens? Because it sounds to me like with the sophistication, the up and to the right, it's not, if we get attacked, it's when.

>> It's when, exactly. And that's just it. I mean, it's no longer something that you can put off. You can't just assume that I've never been DDoS attacked, I'm never going to be DDoS attacked anymore. You really need to consider this as part of your core security platform. I like to talk about defense in depth or a layered defense approach where you want to have a layered approach. So, you know, maybe they target your first layer and they don't get through. Or they do get through and now your second layer has to stop it. Well, if you have no layers or if you have one layer, it's not that hard for an adversary to figure out a way around that. And so preparation is key. Making sure that you have something in place and I'm going to give you an operational example here.
One of the things we saw with the LBA campaigns is they actually started doing network reconnaissance for their targets. And what they would do is they would take the IP addresses belonging to your organization. They would look up the domains associated with that and they would figure out like, "Hey, this is vpn.organization.com or VPN two." And all of a sudden they've found your VPN concentrator and so that's where they're going to focus their attack. So something as simple as changing the way that you name your VPN concentrators might be sufficient to prevent them from hitting that weak link or right sizing the DDoS protection services for your company. Did you need something as big as like on-prem solutions? We need hardware. Do you instead want to do a managed service? Or do you want to go and talk to a cloud provider because there's right solutions and right sizes for all types of organizations. And the key here is preparation. In fact, all of the customers that we've worked with for the LBA extortion campaigns, if they were properly prepared they experienced almost no downtime or impact to their business. It's the people like the New Zealand Stock Exchange or their service provider that wasn't prepared to handle the attacks that were sent at them that were crippled. And so preparation is key. The other part is awareness. And that's part of what we do with this threat report because we want to make sure you're aware what adversaries are doing, when new attack vectors are coming out, how they're leveraging these, what industries they're targeting because that's really going to help you to figure out what your posture is, what your risk acceptance is for your organization. And in fact, there's a couple of resources that we have here on the next slide. And you can go to both of these. One of them is the threat report. You can view all of the details. And we only scratched the surface here in this Cube interview.
So definitely recommend going there but the other one is called Horizon. And netscout.com/horizon is a free resource you can register but you can actually see near real-time attacks based on industry and based on region. So if you're an organization out there and you're figuring, "Well I'm never attacked." Well go look up your industry. Go look up the country where you belong and see is there actually attacks against us? And I think you'll be quite surprised that there's quite a few attacks against you. And so definitely recommend checking these out.

>> Great resources netscout.com/horizon, netscout.com/threatreport. I do want to ask you one final question. That's in terms of timing. We saw the massive acceleration in digital transformation last year. We've already talked about this a number of times on this program. The dependence that businesses and consumers, like globally in every industry, in every country, have on streaming on communications right now. In terms of timing, though, for an organization to go from being aware to understanding what adversaries are doing, to being prepared, how quickly can an organization get up to speed and help themselves start reducing their risks?

>> So I think that with DDoS, as opposed to things like ransomware, the ramp up time for that is much, much faster. There is a finite period of time with DDoS attacks that is actually going to impact you. And so maybe you're a smaller organization and you get DDoS attacked. There's a, probably a pretty high chance that that DDoS attack isn't going to last for multiple days. So maybe it's like an hour, maybe it's two hours, and then you recover. Your network resources are available again. That's not the same for something like ransomware. You get hit with ransomware, unless you pay or you have backups, you have to do the rigorous process of getting all your stuff back online. DDoS is more about as soon as the attack stops, the saturation goes away and you can start to get back online again.
So it might not be as like immediate critical that you have to have something but there's also solutions, like a cloud solution, where it's as simple as signing up for the service and having your traffic redirected to their scrubbing center, their detection center. And then you may not have to do anything on-prem yourself, right? It's a matter of going out to an organization, finding a good contract, and then signing up, signing on the dotted line. And so I think that the ramp up time for mitigation services and DDoS protection can be a lot faster than many other security platforms and solutions.

>> That's good to know 'cause with the up and to the right trend that you already said, the first quarter is usually slow. It's obviously not that way as what you've seen in 2021. And we can only expect what way, when we talk to you next year, that the up and to the right trend may continue. So hopefully organizations take advantage of these resources, Richard, that you talked about to be prepared to mediate and protect their, you know, their customers, their employees, et cetera. Richard, we thank you for stopping by theCube. Talking to us about the sixth NetScout Threat Intelligence Report. Really interesting information.

>> Absolutely; definitely a pleasure to have me here. Lisa, anytime you guys want to do it again, you know where I live?

>> Yes. It's one of my favorite topics that you got and I got to point out the last thing, your Guardians of the Galaxy background, one of my favorite movies and it should be noted that on the NetScout website they are considered the Guardians of the Connected World. I just thought that connection was, as Richard told me before we went live, not planned, but I thought that was a great coincidence. Again, Richard, it's been a pleasure talking to you. Thank you for your time.

>> Thank you so much.

>> Richard Hummel, I'm Lisa Martin. You're watching this Cube conversation.

(relaxing music)

Published Date : May 21 2021


--wrong l3 ola persson keep unlisted--


 

(upbeat music playing)

>> Okay, now we're going to look deeper into the intersection of technology and money and actually a force for good. Mobile and the infrastructure around it has made sending money as easy as sending a text. But the capabilities that enable this to happen are quite amazing, especially because as users we don't see the underlying complexity of the transactions. We just enjoy the benefits and there's many parts of the world that historically have not been able to enjoy these benefits. And the ecosystems that are developing around these new platforms are truly transformative. And with me to explain the business impacts of these innovations is Ola Persson, who was the head of mobile financial services at Ericsson. Ola, welcome to the program. Thanks for coming on.

>> Thank you, Dave. Thank you for having me here in the program. And I'm really excited to tell about the product that we have within Ericsson.

>> Well, let's get right into it. I mean your firm has developed the Ericsson wallet platform. What is that plan?

>> Yes. The wallet platform is one of the products being, you can say, offered here by Ericsson, and the platform is built to enable financial services, not only for the banked segment, but also for the unbanked. And we have, the function that we are providing as such here is both transfer, the service provider payment. You have the cash in, the cash out, you have lots of other features that we kind of enable through the ecosystem as such. And I would really like, you say, to emphasize on the use. And the really, I would say, connectivity that we have in this platform here, because looking at, you can say, the pandemic as such here. Now we really have made, you can say, tremendous change here through all the function, et cetera, feature that we have here.

>> Yeah. And I mean, I'm surrounded by banks in Massachusetts. No problem. I'm in Boston, right?
So, but there's a lot of places in the world that aren't. I take for granted some of the capabilities that are there, but part of this is to enable people who don't have access to those types of services. Maybe you could talk about that and talk about some of the things that you're enabling with the platform.

>> Right. You just think of the, you can say, unbanked people here that we have across the emerging market. I think we have 1.7 billion unbanked people here but we actually can through one of the path from enable proof getting a bank account, et cetera, and so on here. And what we actually providing, you can say, in this feature rates here is that you can pay your electricity bill. For example, here, you can pay your bill and you can go through merchant, you can do the cash out. You can do multiple thing here, just like, I mean, to enable the, the departure that financial inclusion that we have. So, I mean, from my point of view, where we see things, as I said we also sit in Sweden, we have bank account, we have something called Swish where we send, you can say, money back and forth between the family, et cetera. On these type of transaction, we can have enable for all. You can say the user better come across the platform here and the, the kind of growth that we have within this usage here. And we seeing also, I mean we leverage here together with a speed today on a fantastic scale that we actually have here with, I would say, both, you can say, feature performance going, I will say, really in the direction. But we couldn't imagine here. You can say a few years back here. It is fantastic transformation but we undergo here through the platform of the technology that we have.

>> No, it reminds me of sort of the early days of mobile people talked about being able to connect remote users in places like Africa or other parts of the world that haven't been able to enjoy things like a land line.
And I presume you're seeing a lot of interest in those types of regions. Maybe you could talk about that a little bit.

>> Yeah. Correct. I mean we see all of these region here about, for example, now we not only entering, you can say, the specifically the Africa region but also, you can say, the Middle East and the Asia Pacific and also actually Latin America. I mean, a lot of these country here, all looking into, you can say, the expansion, how they can evolve, you can say, the financial inclusion from what they have today, when they are, and you can say from telco provider, they would like to have an asset of different use cases here. And we're seeing that transformation, but we have right now from just voice, you can say SMS and 5G, et cetera. This is the platform that we have to sort of enable the transaction for a mobile financial system. But we would like also to see about the kind of operator or bond being the business with much more features here. And this is another, you can say, I was attraction to attract the user where the mobile transfer system. We see these kind of expanding very heavily in these, these kind of market.

>> I think this is really transformative, not, I mean in terms of people's lives. I mean, first of all, you're talking about the convenience of being able to move money as bits as opposed to paper, but as well I would think supporting entrepreneurship and businesses getting started, I mean, there's a whole set of cultural and societal impacts that you're having. How do you see that?

>> Yeah. We also provide the, you say, I mean is also supporting, say micro loans and need as an entrepreneurial sort of stock. You can say any kind of company. You need to get off these, this around here. We have seen that we have a of enterprise. Those is a cross functional, the whole asset that we are, that we are oriented today.

>> Talk a little bit about partnerships and ecosystems. I know you've got big partnerships with, with HPE.
We're going to get to that. They're kind of as a technology provider, but what about other partnerships, like I'm imagining that if I'm going to pay my bill with this you've got other providers that got to connect into your platform. How are those ecosystem partnerships evolving?

>> Well, are kind of enabler about we are providing to the operator. The partnerships is then going through the operator. It could be any kind of, you can say, external instrument that we have today and they can know if you can go directly to that to the bank, you can go directly to any core provider. You have these most et cetera, so on but these are all partners would be in. You could say connected through there. You can say, operate through a subsidy. What we doing actually with our platform is to kind of make the navel and to kind of provide the full ecosystem as partnership to operate a SAS today here. That's kind of the baseline that we see how you can say. We are sort of supporting of building the full ecosystem around the platform in order to connect here. Wells come to both the light, the cord as I said, here, the merchant, the bank, any kind of, type of, you can say, I would say, service provider here but that we can see could enable the ecosystem.

>> Okay. And I don't want to geek out here but it sounds like it's an open system that my developers can plug into through APIs. They're not going to throw cold water on it. They're going to embrace it and say, Oh yeah this is actually easy for me to integrate with. Is that correct?

>> Correct. Correct. And the open API that we actually are providing today, I think that you can say there are thousands of, you can say, developer, just, you can say, connecting to our system. And actually we also providing both sandbox and Ann Arbor. You can see the application in order to support this to developers in order to kind of create this ecosystem here.
It's a multiple things that we see through what you can say here, they're both the partners partnership, the open API, or you can say that the development that is doing for prudent channels. So, I mean, it's an fascinating amazing development that we'll see our frontier right now. >> Now what's HP's role in all this, what are they providing? How are you partnering with them? >> It's very good question. I will say. And we look back, you can say, and we have evaluate a lot of you say that the provide the fruit year here and you can just imagine the kind of stability that we need to provide when come to the financial inclusion system here because what we need to have a very strong uptake of making sure that we don't both go with the performance and the stability. And what we have seen in our lab is that the partnership with HP have domestically evolve. Our, you can say our stability assessed on the system. And right now we are leveraging the Dockers with the microservices here to get with HB on the platform that you're providing. I would say that the transformation we have done in disability, but we have get through the food. You can say HP system is, is really fantastic at the moment. >> I'm no security expert, but I talked to a lot of security experts in what I do know is they tell me that, that you can't just bolt security on. It's going to be designed in from the start. I would imagine that that's part of the HPP partnership but what about security? Can I fully trust this platform? >> No, it's very valid question. I will say we have one of the most you can say secure system here we also running multiple external. You can say a system validation data it's called the PRD assess certification is a certification but we have external auditor. You can say trying to breach the system look at the process that we are developing making sure that we have, you can say, or off you can say the documentation really in shape. 
And seeing that we follow the procedure when we are both developing the code. And also when we look into all the API that we actually exposed to our end users. I would say that we haven't had any breach on our system. And we really work in tightly. I would say both to get with, I would say HP and the of course the customers out and every time we do a low once, we also make you can say final security validation on the system here in order to sort of see that we have an end to end because the application, but it's completely secure. That's a very important topic from our point of view. >> There's a usual, I don't even want to think about that. Like I said, up front it's going to be hidden from me all that complexity, but it's sort of same question around compliance and privacy. I an often, security, privacy there's sort of two sides of the same coin, but compliance privacy you've got to worry about KYC, know your customer. There's a lot of complexity around that. And that's another key piece. >> Now, like you said, the KYC is an important part that we have food support in our system. And then we validate you can say all the users, we also are running you can say without credit scoring companies, the you can say operator or partnering with, his combined you can say with both the KYC and the credit scoring that we are performing, that's make us a very you can say unique, stable platform and such. >> Last question is, what about going forward? What's the roadmap look like? What can you share? What should we expect going forward in terms of the impact that this will have on society and how the technology will evolve? >> Well, what is he going forward? That's very interesting question because what we see right now is how we kind of have changed the life for so many. You can say unbanked people here, and we would like to have you can say any kind of assets that going forward here, any kind of you can see that the digital currency is evolving through both government. 
You can see over the top players like Google you can say WhatsApp, all of these things here. We want to be the one that also connecting. You can say these type of platform together and see that we could be the heart of the ecosystem going forward here, independent in what kind of, you can say customer we aiming for. I will say this is kind of the role that we will play in the future here, depending on what kind of currency it would be. It's a very interesting future. We see with this you can say overall digital currency, the market and the trends that we are now right now evolving on. >> Very exciting. And we were talking about elevating, potentially billions of people, all... Thanks very much for sharing this innovation with the audience and best of luck with this incredible platform. Congratulations. >> Thank you so much, Dave. And once again, thank you for having me here. And I'll talk to you soon again. Thank you. >> Thank you. It's been our pleasure and thank you for watching. This is Dave Vellante. (upbeat music playing)

Published Date : Mar 2 2021


Russ Currie, NetScout Systems | AWS re:Invent 2020


 

>> Narrator: From around the globe, It's the Cube. With digital coverage of AWS reinvent 2020. Sponsored by Intel, AWS, and our community partners. >> Okay, Welcome back. You're ready. Jeff Frick here with the cube. We are coming to you from our Palo Alto studio with our continuing coverage of AWS reinvent 2020 digital this year, like everything in 2020 but we're excited to welcome back to The Cube. He's been on a number of times, he's Russ Currie. The vice president enterprise strategy for Netscout systems. Russ great to see you. >> Great to see you, Jeff. Thank you. >> Absolutely. So before we jump into there's so (laughs), so many things going on in 2020. What I do want to do is, is reflect back a little bit. You were first on The Cube at AWS reinvent 2017. So it's been about three years. And I remember, one of the lines you had said, I believe that was your guys' first, AWS show as well. So I wonder if you could reflect on kind of how the world has changed in terms of your business, and the importance of AWS and public cloud within the infrastructure systems of your clients. >> Yeah, well, it was interesting, right? We were just getting our feet wet at that point, and had just introduced some of our technology for use in AWS, and it was kind of an interesting little adventure. So we were looking at it and saying, okay where's this going to lead us? And ultimately now we're just really waist deep in it, and really having a great partnership with AWS, and delivering new technologies, new capabilities, and our customer base also is becoming so much more reliant on public cloud in particular AWS and the services that they can provide. So as we've gone and they've gone it's been a journey that we've taken together, and it's been quite fruitful and exciting. >> Right, right. And it really reinforces this concept of I think you'd mentioned it before, a blended, you know kind of a blended infrastructure approach.
So there's a lot of conversations about public cloud, hybrid cloud, multicloud, et cetera, et cetera. But at the, at the end of the day from a customer perspective, as you've mentioned it's really kind of a blended network, right. And it's really application centric, and you put the applications where those applications need to be to be the most appropriate, and that might even change over time from, from test dev to really roll out to, to scale. So you're seeing that consistency. Consistency, >> Absolutely. Yeah. The, the blended environment that in it it's so incredibly complex of our customers. As they take a look at the way that the world has changed, right? When we take a look at what has happened with people working remotely, working from home and having to come into access services in such a, a completely blended and hybrid environment as you say, not only the move to the cloud, but the move to Colo, and bringing all of this together for interconnect, it's definitely a complex environment that they have to have their fingers on the pulse of. Right? >> Yep, yep. And then of course there was this little thing that happened this year with COVID. And really right in March, April timeframe light switch moment, everybody worked from home, whether you're ready or not. And that was a very different kind of situation. Cause we had to get people secure and safe, and get them up and operating. So I'm sure you(laugh) saw a lot of interesting stuff at your business there, but I'm even more interested in how that's evolved over time. Here we are at the end of 2020, there's going to be you know, some version of this for the foreseeable future. And a lot of companies are saying that, you know there'll be a lot of, kind of work from anywhere pieces that continue forward. 
So again, with your customers and looking kind of the change between what happened in the spring, and now what's happening as they really of kind of put in the systems that'll enable them to continue to support, you know people working from anywhere, not even really working from home, but working from anywhere. >> Right. Exactly. I mean, as our customers had to bring up more connectivity, new connectivity, and start to add licenses for virtual desktop or for their VPN connectivity ultimately how they got it done, most of our customers said, you know we're running hot, but stable. And I think that that was, that was great for most folks. But now they're leaning into it and saying, okay how do we continue to make this happen? And how do we provide the visibility that we need to ensure that the services that we're delivering are making it possible for their users to be productive and successful. A user doesn't want to feel that they're not contributing as much as someone else that may be able to make it into the office. And, it's a, it's a challenging time, but with that being said, technology has really stepped up, and in particular, the way that they're able to stand up services in the cloud, and the automation, and potential cost savings that they get from standing up in the cloud has really been a boon for most of our users. And some of the users, you know, the high end enterprise that were a little bit slow to adopt, now are just turning it on as fast as they possibly can. >> Yeah, it's pretty wild. And then, we had another representative from Netscout on earlier this year. One of the, the kind of recurring themes that we've seen is you know, changes in the threat landscape. So clearly the increased attack surfaces as more and more people are working from home. They're not working from the secure environment at the office.
But you guys notice some interesting things about what's happening, and we've, we've seen a little bit too in terms of kind of, ransomware and the increase in ransomware as a particular type of attack that, that seems to be growing in popularity. And these, these people are a little bit more thorough in the badness that they caused before they, they throw in the ransom request, and that they're looking for a little bit more fundamental disruption to enable them to basically extract that ransom is which they hope to do. >> Yeah. I mean the amount of DDoS attacks that we've seen has just grown incredibly over the past several months. And these extortion attacks they come in and they often hit the customer quickly and hard, and then say, turn it back for a bit and say, pay us, or we're going to shut you down. And they're really coming in more towards the back office aspects of things. So, going in and attacking that part of the business is kind of a new environment for a lot of folks. But one of the other interesting(laughs) challenges here with us is that, oftentimes those extortion notes don't make it through to the people that really need to act on them because they get caught in spam filters or they like so they're finding these DDoS attacks, and don't necessarily understand that they're under an extortion attack. So it's a real challenge for folks. And we've seen a good uptake with our on-prem capabilities to provide that kind of protection, right at the top of the security stack with our Arbor edge defense products. So it's been something that we're trying to get out there and help our customers as much as we can. And even that new, folks. >> Yeah. It's a, it's an interesting environment. And we found out from somebody too that sometimes if you actually pay the bad guys you can be breaking other rules for doing business with countries >> Yeah. >> Or people that we're not supposed to be doing business with. 
Like, that's the last thing you need to think about when you're trying to get all your data, and your company back online. >> Right, yeah, I mean, are you trying to make sure that you're keeping yourself stood up right? And, it's tough and you know kind of the rule one is never pay the extortion right? But you kind of got to take a look at it and say, hey, you know, what do I do? >> Right, right. So, you guys been around for a while. I wonder if we could dive in a little bit, we're at reinvent. Some of the things you guys are doing specifically on the product side to, basically increase your, your AWS capabilities. >> Sure. Thanks, yeah. We've been working really closely with AWS as they start to roll out new technologies. Last year, we were fundamental in the VPC ingress routing announcement that they have. We've been working with them with their traffic mirroring capabilities. So technology-wise, we keep in close touch with them in terms of everything that they are delivering. But also on the business side of it, we have our networking competency and just last week got our migration competency. So what we're really doing is, trying to both work the technical and the business relationship, as much as we can to try and expand our overall capabilities of book print with AWS. And, having that visibility and being able to kind of provide that same level of control and capability that you had, on-prem in your enterprise network as you move into the public cloud is a great benefit to a lot of our customers. They really have the ability now, to deliver services the way they have been delivering it for years and years. >> Now, what do you mean specifically, when you say migration competency or networking competency? >> So, they have these different competency programs for their technology partners. 
And the networking competency is, that you've demonstrated capabilities in your ability to provide network monitoring, or network management capabilities, or network connectivity. In the applica--, migration side you've really provided the ability to show that you have the tools, and solution set to drive, and help people become successful migrations into AWS. As you can imagine right now, a lot of folks are just lifting and shifting, putting stuff into AWS as quickly as they can to try and take advantage of the automation and the operational efficiencies that you get when you move into public cloud settings. As you make those migrations, you want to ensure that you're not either leaving something behind, that needed to move with it, or building a dependency onto something that's in the background that's going to have an adverse effect on, user experience. And ultimately, it really all comes down to the user experience that are, delivering to your customers and or your user base. Right? >> Right. Right. So what are the things you talked about in a prior interview was kind of the shifting dynamic in terms of network traffic. As there's more and more, you know kind of SAS based applications, and there's more kind of an application centric, and in this kind of API interface between all the applications that, you know the North-south is still significant, but the growth in the East-west traffic, meaning, you know kind of inside, if you will. And that some of the unique challenges that come from that from kind of a network monitoring. I wonder if you can share a little bit more color on that, as to, and are you continuing to see this increase in East West relative to North-south, and what kind of special opportunities and challenges that that presents? >> Yeah, absolu--. There is an absolute growth in terms of the East-west connectivity and, traffic that exists out there. 
In particular, when we take a look at the way that people are implementing software defined networks, NSX, for example NSX-T has now provided the ability to blend your environment whether you're going to any cloud, any vendor as you move between these environments having that ability to deliver network services under the same framework is really beneficial to our customer base. And we've also been partnering very closely with VMware, and a lot of our customers are implementing VMware cloud on AWS. So, they have that ability to stand up services in a consistent manner whether it be in their legacy environments, or into the public cloud environments, and have that same ability to provide visibility down into the East-west traffic so that you can see that. So when you're part of the NSX framework, what you're able to do is really leverage the service framework that they have the service and search it, and be part of the clusters and host groups that are exchanging traffic East-west. And our ability to see into that really exposes chall--, not, exposes challenges but exposes potential issues that (laughs) our customers might be having in delivering high quality services. So that visibility is really what we've been keying on. >> Right. I'm just curious to get your take, you know as people kind of, as you said, make this move to public cloud, and, you know, you talked about wholesale migrations, and wholesale lifts and shifts. You know, there, there's kind of a couple trains of thought. One is, you know, using cloud for just pure economics, and trying to save money, and the flexibility. The second one is, is to is to add this automation as things grow in this, these great opportunities to automate, and try to reduce error. But the third one, right, the big one is to drive innovation, and to unlock innovation enable better innovation, and speed of delivery, and, you know, moving at the speed of business, pick your favorite buzzword.
I'm curious whether your customers, as you have you seen them all jumping in? How much of it is still, you know, to save money or to, or to, you know, kind of use the basic, you know cost saving economics versus people really embracing the opportunity to use this as a method to drive innovation, and change within their own business? >> So I, I think the realities of 2020 have been forcing people to look at primarily from operational and cost efficiency perspectives, however with an eye towards innovation, and as they start to get themselves into a, zone where they're comfortable, they look to see how they can leverage the cloud to provide new services, and new ways in which they provide their services, and avail themselves of, the underlying technologies that are there to build something that's new and exciting in their overall portfolio. So, I think that 2021 is probably going to be a little bit more of where can I innovate as opposed to, how do I get there? (Jeff laughs) >> It's probably an unfair question here at 2020 cause priorities certainly got turned upside down in the middle of the year. So maybe, maybe innovation got pushed down a little bit from, you know, let's get people up, let's get people safe, and let's make sure they can access all the systems and all this crazy stuff that we've got available to them from wherever they are. >> Yeah, yeah. >> Not just within the, within the home office. >> I was listening to a, panel from federal government a couple of weeks ago, and it was really the way the they've adopted kind of commercial cha-- commercial capabilities to meet some of these challenges things that they wouldn't normally look at. But now it's a set of innovation that they're looking at, to try and make sure that they can avail themselves of the services that are out there and available in the public cloud. >> Yeah. Well, that's great, Russ. It's great to catch up. 
I'm sure you must be as amazed as anybody as the rapid acceleration of this, you know since the short time you went to your first re-invent and, >> Yeah. >> And clearly AWS and Amazon generally is an execution we're seeing. So, I think they'll keep doing it. So I think you're, you're probably sitting in a good spot. >> I think so. (Jeff laughs) Thank you. (Russ laughs) >> All right. Thank you Russ for, for stopping by and sharing your insight. Look forward to catching up next time. >> Thanks a lot, Jeff. Really appreciate it. >> Alrighty. He's Russ, I'm Jeff. You're watching The Cube's, continuous coverage of AWS reinvent 2020, the virtual event. Thanks for watching and we'll see you next time. (bright music)

Published Date : Dec 2 2020


Practical Solutions For Today | Workplace Next


 

>>From around the globe. It's the Cube with digital coverage of workplace next made possible by Hewlett Packard Enterprise. >>Hello, everyone. We're here covering workplace next on the Cube. For years, you know, we've talked about new ways to work, and it was great thought exercise. And then overnight the pandemic heightened the challenges of creating an effective work force. Most of the executives that we talked to in our survey say that productivity actually has improved since the work from home mandate was initiated. But, you know, we're talking not just about productivity, but the well being of our associates and managing the unknown. We're going to shift gears a little bit now. We've heard some interesting real world examples of how organizations are dealing with the rapid change in workplace, and we've heard about some lessons to take into the future. But now we're going to get more practical and look at some of the tools that are available to help you navigate the changes that we've been discussing and with me to talk about these trends related to the future of work are are are Qadoura, who's the vice president of worldwide sales and go to market for Green Lake at HP. Sadat Malik is the VP of IoT and Intelligent Edge at HP and Satish Yarra Valley is the global cloud and infrastructure practice Head at Wipro. Guys, welcome. Good to see you. Thanks for coming on. >>Thanks for having us. >>You're very welcome. Let me start with Sadat. You're coming from Austin, Texas here. So thank you. Stay crazy. As they say in Austin, for the uninitiated, maybe you could talk a little bit about HPE Pointnext. It's a strategic component of HPE. And maybe tell us a little bit about those services. >>Thank you so much for taking the time today. Appreciate everybody's participation here. So absolutely so Pointnext is HP Services on.
This is the 23,000 strong organization globally spread out, and we have a very strong ecosystem of partners that be leveraged to deliver services to our customers. Um, our organization differentiates itself in the market by focusing on digital digital transformation journeys for our customers. For customers looking to move to a different way of engaging with its customers, transforming the way its employees work, figuring out a different way of producing the products that it sells to. His customers are changing the way it operationalize these things. For example, moving to the cloud going to a hybrid model, we help them achieve any of these four transformation outcomes. So Pointnext job is to point what is next in this digital transformation journey and then partner with our customers to make that happen? So that's what we do. >>Thank you for that. I mean, obviously, you're gonna be seeing a lot of activity around workplace with shift from work from home, changes in the network changes in security. I mean the whole deal. What are some of your top takeaways that you can share with our audience? >>Yeah, they're >>so a lot has been happening in the workplace arena lately. So this is not new, right? This is not something that all of a sudden started happening when COVID-19 hit, uh, the digital workplace was already transforming before COVID-19 happened. What COVID-19 has done is that it has massively accelerated the pace at which this change was happening. So, for example, right remote work was already there before COVID-19. But now everybody is working remotely so, in many ways, the solution that we have for remote work. They have been strained to a point never seen before. Networks that support these remote work environments have been pushed to their limits. Security was already there, right? So security was a critical piece of any of the thinking, any of the frameworks that we had. But now security is pivotal and central.
Any discussion that we're having about the workplace environment data is being generated all across the all across the environment that we operated, right? So it's no longer being generated. One place being stored. Another. It's all over the place now. So what COVID-19 has done is that the transformation that was already underway in the digital workplace, it has taken that and accelerated it massive. The key take away for me is right that we have to make sure that when we're working with our customers, our clients, we don't just look at the technology aspect of things. We have to look at all the other aspect as well the people and the process aspect of this environment. It is critical that we don't assume that just because the technology is there to address these challenges that I just mentioned. Our people and our processes would be able to handle that as well. We need to bring everybody along. Everybody has different needs, and we need to be able to cater to those needs effectively. So that's my biggest take away. Make sure that the process and the people aspect of things was hand in glove with the technology that we were able to bring to bear here. >>Got it. Thank you. So, ah, let's go to San Francisco, bringing our war to the conversation. You're one of your areas of focus is is HP Green Lake. You guys were early on with the as a service model. Clearly, we've seen more interest in cloud and cloud like models. I wonder if you could just start by sharing. What's Green Lake all about? Where does it fit into this whole workplace? Next, Uh, conversation that we're having? >>Yeah, absolutely. Um HP Green lake effectively is the cloud that comes to your data center to your colo or to your edge, right? We saw with Public Cloud. The public cloud brought a ton of innovations, um, into the sort of hyper scale model. Now, with HP.
What we've done is we've said, Look, customers need this level of innovation and this level of, you know, pay as you go economics the, you know, management layer the automation layer not just in a public cloud environment, but also in our customers data center or to the other potential edges or colo scenarios. And what we've done is we've brought together as Sadat just mentioned the best of our Pointnext services our software management layer as well as HPE's rich portfolio of hardware to come together to create that cloud experience. Um, of course, we can't do this without the rich ecosystem around us as well. And so everything from you know, some of our big SI partners like Wipro, who also have the virtual desktop expertise or virtual desk that then come together to start helping us launch some of these new workloads supported cloud services such as VDI. So from my perspective, VDI is the most important topic for a lot of our customers right now, especially in sectors like financial services, um, advanced engineering scenarios and health care where they need access to those, uh to their data centers in a very secure way and in a highly cost optimized way as well. >>Well, okay. Thank you. And then let's let's bring in, uh, petition talk a little bit about the ecosystem. I mean, Wipro. That's really kind of your wheelhouse. We've been talking a lot on the cube about moving from an industry of point products to platforms and now ecosystem innovation, Uh, are are mentioned VDI we saw that exploding eso teach. Maybe you could weigh in here and and share with us what you're seeing in the market and specifically around ecosystem. >>As we all know, the pandemic has redefined the way we collaborate to support this collaboration. We have set up huge campuses and office infrastructure In summary, our industry has centralized approach. Now, the very premise of the centralization bringing people together for work has changed.
These evolving workspace dynamics have triggered the urgency to reimagine the workspace strategy. CEOs and CHROs are all coming together to redefine the business process and find new ways of engaging with customers and employees. As organizations embrace work from home for the foreseeable future, customers need to create secure-by-design workspaces for remote working environments. With the Wipro virtuadesk platform, we can help create such seamless digital workspaces and enable customers to connect, collaborate and communicate with ease from anywhere, securely, with a consistent user experience. Through this platform-led approach, we are able to address the market demands, which are focused on business outcomes. >>Okay, and this is the specifics of this hard news that you're talking about: NVIDIA and Citrix coming together with your ecosystem, HPE, Wipro and, again, the many partners that you work with. Is that correct? >>Well, actually, Dave, we see a strong play of ecosystem partners coming together to achieve transformative business outcomes. As Arwa said earlier, HPE and Wipro have a long-standing partnership, and today's announcement around HPE GreenLake is an extension of this collaboration, where we leverage HPE GreenLake and the Wipro virtuadesk platform to offer VDI as a service in a pay-per-user model. Our aim is to enable customers to fast-track their digital workspace transformation efforts by eliminating the need to support upfront capital investments and over-provisioning costs, while allowing customers to enjoy the benefits of uncompromised control, security and compliance. Together, we have implemented our solution across various industry segments and delivered exceptional customer experiences by helping customer businesses in their workspace transformation journeys, by defining their workspace strategy with an intelligent, platform-led approach that enables responsiveness, scalability and resilience.
It's known that Wipro is recognized as a global leader in the digital workspace and VDI, with HPE being a technology leader, enabling us with a high level of programmability and integration capabilities. We see tremendous potential to jointly address the industry challenges as we move forward. >>Excellent. Sadat, I wanna come back to you. We talk a lot about the digital business, the mandate for digital business, especially with the pandemic. Let's talk about data. Earlier this year, HPE announced a number of solutions that use data to help organizations work more productively, safely, you know, the gamut. Talk about data and the importance of data and what you guys were doing there specifically. >>Yeah, that's a great question. So that is fundamental to everything that we're doing in the workplace arena, right? So from a technology perspective, that provides us with the wherewithal to be able to make all the changes that we want to make happen on the people and the process side of things. So the journey that we've been on this past year is a very interesting one. Let me share with the audience a little bit of what's been going on on the ground with our customers, what's been happening in the field. So when COVID-19 hit, right, a lot of our customers were subjected to these shutdowns, which were very pervasive, and they had to stop their operations. In many cases, they had to send their employees home. So at that point, HPE stepped in, the Pointnext organization stepped in, and helped these customers set up remote work options, which allowed them to keep their businesses going while they handled these shutdowns. Fast forward six months and the shutdowns were starting to get lifted, and our customers were coming back to us and saying to us, hey, we would now like to get at least a portion of our workforce back to the normal place of work.
But we're concerned that if we do that, it's gonna jeopardize their safety because of the infection concerns that were there. So what we did was that we built a series of five solutions using various types of video analytics and data analysis technologies that allowed these customers to make that move. So these five solutions, let me walk our customers and our clients and audience through those. The first two of these solutions are touchless entry and fever detection. So this is the access control of your premises, right? So to make sure that whoever is entering the building does so in a safe manner, and any infection concern, we stop it at the very get-go. Once the employee is inside the workplace, the next thing that we have is a set of two solutions. One is social distance tracing and tracking, and the other one is workplace alerting. What these two solutions do is that they use video analytics and data technologies to figure out if there is a concern with employees adhering to the various guidelines that are in place, and alerting the employees and the employers if there is any infringement happening which could risk the overall environment. Finally, we realized, right, that irrespective of how much technology and process we put in place, not everybody will be able to come into the normal place of work. So what we have done is that the fifth solution that we have is augmented reality and visual remote guidance. This solution uses AR technologies to allow people who are on site to take advantage of the expertise that resides off site to undertake complex tasks, which could be as complex as overhauling a machine on a factory floor using augmented reality, where somebody off site who's an expert in that machine is helping somebody on site. Data has become central to a lot of the things that we do. But as I said, technology is one aspect of things.
So ultimately the people-process-technology continuum has to come together to make these solutions real for our customers. >>Thank you. Arwa, we have just about 30 seconds left and I wonder if you could close on this. We're talking about cloud, hybrid. Everybody's talking about hybrid. We're talking about the hybrid workplace. What do you see for the future over the next two, three, four, five years? >>Absolutely. And I think you're right, Dave. It is a hybrid world. It's a multi-cloud world. Ultimately, what our customers want is the choice and the flexibility to bring in the capabilities that drive the business outcomes that they need to support. And that has multiple dimensions, right? It's making sure that they are minimizing their egress costs, right? And many of our on-prem solutions do give them that flexibility. It is the pay-per-use economics that we talked about. It is about our collective capability as an ecosystem to come together, you know, with Citrix and NVIDIA, with our SI partner Wipro and the rich heritage of HPE's services as well as hardware, to bring together these solutions that are fully managed on behalf of our customers so that they can focus their staff, their IT capabilities, on the products and services they need to deliver to their customers. >>Awesome. Guys, I wish we had more time. We got to go. Dave Vellante for theCUBE. Keep it right there. Lots more great content coming your way. >>Yeah,

Published Date : Nov 10 2020

Tom Bienkowski, NETSCOUT | CUBE Conversation, September 2020


 

>>From theCUBE Studios in Palo Alto and Boston, connecting with thought leaders all around the world, this is a CUBE Conversation. >>Hi, I'm Stu Miniman, and welcome to another CUBE Conversation. I'm here in our Boston-area studio. And of course, the intersection of networking and security has always been a hot topic, even more if you look at it in 2020: everybody working from home, there are stresses and strains and a lot more changes than usual for what corporate IT has to deal with. Happy to welcome to the program Tom Bienkowski. He is the director of product marketing with NETSCOUT. We're gonna get into some of those topics. Tom, thanks so much for joining us. Welcome. All right. So you came to NETSCOUT by way of the Arbor Networks acquisition a few years ago. I want to give our audience just a little bit about your background, what your team works on, and we're gonna be talking about the Edge Defense solution set. >>Sure. Yes, I've been with Arbor Networks for over 10 years. I've been the director of product marketing for the DDoS line of products during that time, and when we came over to NETSCOUT I still have kind of continued that role. So I'm basically responsible for anything to do with the Arbor DDoS solutions. We have solutions for the service providers of the world and large enterprises in the world. >>Yeah, maybe it would help if you just refresh our audience. So, you know, generally out in the marketplace, you know, DDoS, it's, you know, attacks on the internet. If I was, you know, a big provider of technology, it's like, hey, why can't I get to that website? Oh, they had a DDoS attack that hit them. But, you know, when it comes to the enterprise, you talked about service providers also, you know, when is this hitting them? You know, who are the ones causing this kind of thing? Just kind of give our audience a little bit of a level set, if you would, in 2020. >>Oh, yeah.
I mean, you know, DDoS attacks have been around for over 20 years. This isn't anything new, as you know, but the reality is that these attacks have been getting bigger, they're getting more frequent, they're getting more complex. And like I said before, I've been here for over 10 years, and I feel like I say that every single year, but it is absolutely true. And, you know, the service providers of the world bear the brunt of this problem. They're the ones taking on these large attacks. They're the ones trying to stop it, not only to protect their own infrastructure but also potentially the target, which could or could not be one of their customers. There's a lot of collateral damage associated with DDoS attacks, especially from a service provider's perspective, because it impacts everything running on their backbone or in whatever facility this attack is flowing through. And then, obviously, you have potentially the target of these attacks, which could be any enterprise, any large government, whatever. It's very indiscriminate; anyone could be a potential target. >>All right. And for the enterprises themselves, you know, how are they making sure that they are protecting their perimeter? Where does NETSCOUT, you know, fit into helping protect them against this sort of malicious attack? >>Yeah. So when it comes to protecting your perimeter in particular, let's talk about where we are today in this whole COVID-19 pandemic. As we all know, this caused a massive work, slash, you know, learn-from-home scenario never seen before. And, you know, the, quote, new perimeter is everyone who was once inside the organization now home, coming back in, right? And, you know, the inbound Internet circuit, the firewall, the VPN gateway, the load balancer, all now coming from the opposite direction than maybe they were utilized in the past.
It is really the new perimeter, and it has become very crucial to maintaining business continuity, especially in this time. But as we'll talk about, it also has become very vulnerable to DDoS attacks in particular. And, you know, one of the areas that we'll talk about is how one particular piece of that infrastructure, the VPN gateway, has actually become not only one of the most critical pieces in that chain of communication but also one of the most vulnerable pieces too, simply because it was never anticipated that this many users would utilize that VPN gateway, and it was never designed for that. And therefore it's running at, you know, high or near capacity or at capacity, and it could be toppled over pretty easily with fairly small DDoS attacks. We'll get into that a little bit later. >>Yeah, absolutely, Tom. So I've had so many conversations over the last few months about, you know, the ripple effects of work from home. Or, you know, if we think about however things play out in the next few months, it really will be almost work from anywhere, is what will happen. And while everyone is working at home, that doesn't mean that some of those bad actors out there have gone away. In fact, you know, every company I talk to that's involved with security has seen we need to raise our capabilities, and often they are getting more attacks out there. What have you been seeing out there in the marketplace? You know, how have things been so far in 2020 when it comes to your space? >>Yeah, no, the same thing. So I'm gonna put up a chart here. And this is a chart which shows DDoS attacks during the first six months of 2020, and this data comes from what we call our Cyber Threat Horizon. This is a free online portal that anyone could access and see this information if they wish, but it's fueled by the deployment of our products all over the world.
So our DDoS protection products are utilized by a majority of the world's Internet service providers. And from that deployment, they send this information about DDoS attack activity, like, you know, the size of attack, who is being attacked, where is it coming from, the protocols or vectors being used, etcetera. So we gather this information on a daily basis and present it in this portal. So what this represents is the first six months of 2020, and as you can see, there have been over 4.8 million attacks thus far in 2020. That's about 15% higher than last year at the same exact time period. But if you look at the chart a little bit closer, we snapped the line at February, sort of the start of the global pandemic and the lockdown periods, if you will, and what you can see in February, March, April, May is an uptick in the number of DDoS attacks, almost up to 36% in May. So all this is happening during the time of this lockdown, right? All this is happening where organizations are struggling to maintain a new normal, if you will, their business continuity, right? So what you said before, that organizations are still struggling with cyberattacks, in fact probably more, is exactly what's happened too in the DDoS realm. And then finally, if you look at June, you see this little drop-off there and, you know, here everyone is talking about the new normal. Is this the new normal? Possibly. It's still too soon to tell. I think we'll wait for another couple of months here. But the bottom line is that during the midst of all this, as organizations are trying to maintain some level of business continuity, they're also being faced with cyber threats like DDoS attacks too, like they've never seen before. So an amazing challenge that folks have faced out there. >>Yeah, Tom, there's a few spaces in the marketplace that were already very important, you know, really top of mind from the business.
I think about automation and security being the two that come up most often. And when I talk to the participants in the space, they're like, I thought I was busy in 2019 and had a lot planned for 2020, and oh my gosh, I had no idea what 2020 was really going to bring. So that data that you showed, you know, you're talking about millions of attacks and, you know, that increase there, is putting a focus on it even more here. So a lot of work for people to be done. So bring us inside a little bit. You know, NETSCOUT, how are you helping customers? What advice do you have for them? You know, how do we make sure that we can curb, you know, the impact of these attacks, which are in the millions? >>Sure. So let's go back to that inbound infrastructure now, right? Where everyone is working from home, coming into the inbound router, hitting a firewall, but more likely hitting a VPN gateway of some sort. That's what's allowing them to get access into these internal resources. That VPN gateway, as I mentioned before, has been crucial during this time, but it also has been very susceptible to DDoS attacks. That VPN gateway, as well as that firewall, these are, you know, what are referred to as stateful devices. They have to track TCP state in order to work properly. Well, there are three types of DDoS attacks, if you will, to make things simple. One is the volumetric attack, which people normally think of as a DDoS attack. It is designed to saturate that inbound circuit, that Internet-facing router interface, right? And then there are application-layer attacks. These are very small, stealthy attacks. They're going after specific application servers. They're trying to bleed off resources there. And then there's an attack called state exhaustion attacks. These are specifically designed to go after stateful devices like firewalls or, in today's world, the VPN gateway, and it doesn't take much.
It takes a small 100-megabit-per-second attack lasting for 5, 10 minutes to potentially fill the state tables in some of these VPN gateways, especially in light of the fact that they weren't prepared or designed to take on all the legitimate users, right, that are coming in as a result of the pandemic. So the key to stopping these sorts of attacks, the stateful attacks, and protecting that VPN gateway is to put something on premises that is stateless, meaning it has the ability to inspect packets using stateless packet processing technology. And we have such a product. Our product, which we call the Arbor Edge Defense, is designed to stop all types of attacks. But in this particular environment, it excels at stopping state exhaustion attacks, and you deploy it just inside the Internet router and in front of the VPN gateway or that firewall. There, it could pick off short-lived state exhaustion attacks and protect the availability of the VPN gateway and firewall. Now, if you're relying upon, which many organizations do, a cloud-based DDoS protection service, which we have too, we have something called Arbor Cloud, it may not be able to stop those attacks in time. So you're running a little risk by relying on more traditional cloud-based protection services. That's why you need this product, Arbor Edge Defense, on premises, because it will react instantaneously and protect that VPN gateway from going down and maintain that business continuity for you. >>You know, Tom, when I think about that footprint that you have in a customer's environment, you know, in addition to the DDoS services, it would seem like that's a prime opportunity, that there's other services and applications that could be run there. Is that the case with your solution too? >>Well, if I understand what you mean by the services, well, we have the ability to conduct fully managed services. Is that where you're going with that?
>>Yeah, I think that, yeah, that's one of... right. Understand how that service works. Yes. >>So the Arbor Edge Defense is a system that, once you have it configured, you design it for protecting sort of the interior services, like to protect VPN gateways, firewalls, any other application running internally. In the event of a large attack that we've been talking about, that will fill that Internet pipe, it has a feature called Cloud Signaling, where it will intelligently call for help upstream to either the Arbor Cloud service, this is a fully managed DDoS protection service, we have global scrubbing centers, and/or call your ISP, who you may be getting your DDoS protection service from already. So it has the ability to link the on-premises with the cloud-based protection. And this hybrid approach to protection is absolutely industry best practice. This is how you protect yourself from the multiple-vector DDoS attacks, as we mentioned previously. Now, if you're an organization that maybe doesn't have enough experience, doesn't want to deal with the on-prem Arbor Edge Defense, you know, we have you covered there too. We have the ability to manage that scenario or that device for you. We have the ability to manage not only the Arbor Edge Defense but also the integration in the Arbor Cloud. So that whole hybrid scenario that we're talking about could be fully managed by, you know, our folks who do this every single day, 24/7. >>Yeah, is there any breakdown of your customers as to, you know, when they choose that fully managed solution versus on-prem? The recommendation we've had for a long time is you wanna have your IT focused on things that have differentiation in your environment, and it seems like a natural thing that, you know, your team has the expertise. So what is that decision point as to whether they do it themselves or go with the managed solution?
>>I think it really just has to do with the culture and the experience of the company. Really, what we're seeing is some of the smaller organizations that, you know, have smaller teams, right, that wear multiple hats, they just cannot stay abreast of the latest threats in DDoS. As I mentioned before, these things are getting more and more complex. So I think they're coming to the conclusion that, all right, this is something that I can't do by myself anyway. For the large attacks, I need a cloud-based service, partner of some sort. I need someone to help me there anyway. So why don't they just handle the whole thing? Why don't they just handle the on-premises component and the cloud-based component of this and make sure that it's running as efficiently as possible? But, you know, even that said, it's not just the smaller orgs. We're seeing larger orgs do it too, just to push things off their plates. Let's leave DDoS to the experts, again because I can't do it by myself anyway. >>Tom, I saw a video, I think it was you that did it, actually talking about how Arbor Edge Defense is the first and last defense when it comes to DDoS. Maybe explain that a little bit to our audience. >>Yeah, so our tagline for the product is first and last line of defense. The first line, which we've been talking about all along here, is the ability to stop the inbound DDoS attacks. Now it also acts as the last line of defense too. So, as we were alluding to before, you know, all you hear during this time of the pandemic is watch out for, you know, COVID-19-related ransomware and things like that, right? Because the Arbor Edge Defense sits just inside the router and outside the firewall, it is literally the last component in that cybersecurity chain. Let's look from the outbound perspective, packets leaving the enterprise and going out to the Internet: it is the last piece of product in that security chain, right, before it leaves for the Internet.
The Arbor Edge Defense has the ability to consume threat intelligence not only from our own ATLAS system, which we spoke about earlier, but third parties too, via STIX and TAXII. It has the ability to consume threat intelligence. And sitting on that last piece of, you know, the security pipe, if you will, or chain, it has the ability to intercept indicators of compromise that have come from internal compromised devices that have made it through the entire security chain, outgoing, reaching outside the firewall. Now it's one last line of defense, if you will, that has the ability to recognize and stop that internal indicator of compromise. And this is going to help stop the proliferation of malware and ultimately avoid that data breach that everyone is fearful of. So it has a dual role. It could protect you from inbound DDoS attacks, and it's also gonna act as the last line of defense, stopping the proliferation of this malware we're talking about. >>Yeah. Great, Tom. That actually refers... I was curious about, you know, what other things your device did. And you know, there's the intelligence baked in there to have kind of a multipurpose when you're in that environment. All right, Tom, I want to give you the last word here. You know, companies today, they often need to react very fast to be able to deal with, you know, the changing dynamics of their business, you know, spinning up resources, everybody, you know, working from home and the like. So, you know, what final advice do you have for them? And, you know, give us the final word. >>Yeah. You know, during these unprecedented times, you know, we all unfortunately ought to remain very vigilant when it comes to protecting our organization from cyberattacks. One of the areas that seems to get overlooked is DDoS protection, right? Everyone is focused on malware and things like that, but don't overlook DDoS attacks.
These things are happening on a daily basis, as I showed you, over, almost five million so far this year. It is an absolute part of maintaining the availability of your organization. It's part of the security triad, as we know. And, you know, it's really there to, you know, disrupt your business continuity if you are getting hit. So don't overlook and don't underestimate your DDoS protection. >>All right. Well, Tom Bienkowski, thank you so much for the update, and appreciate everything you shared. >>Welcome. >>All right. Be sure to check out thecube.net for lots more coverage from theCUBE. I'm Stu Miniman. Thanks for watching.

Published Date : Sep 8 2020

Hardik Modi, NETSCOUT | RSAC USA 2020


 

>>Live from San Francisco, it's theCUBE, covering RSA Conference 2020 San Francisco. Brought to you by SiliconANGLE Media. >>Hey, welcome back everybody. Jeff Frick here with theCUBE. We're in downtown San Francisco. It is an absolutely spectacular day outside. I'm not sure why we're inside Moscone. That's where we are. It's the RSA Conference, I think 50,000 people, the biggest security conference in the world, here in Moscone this week. We've been here with wall-to-wall coverage. We'll be here all the way till Thursday. So thanks for joining us. We're excited to have our next guest. He's got a lot of great data to share, so let's jump into it. It's Hardik Modi. He's a VP of engineering, threat and mitigation products, for NETSCOUT. Hardik, great to meet you. >>Thank you. Good to be here. >>So for people who aren't familiar with NETSCOUT, give them kind of the basic overview. What are you guys all about? >>Yes, so we consider ourselves the guardians of the connected world. And so our job is to protect, like, you know, companies, enterprises, service providers, anybody who is on the Internet, and help keep their services running, your applications and things that you deliver to your customers, and make sure that they're up there performing, like, you know, the way you want them to, but also kind of give you visibility and protect you against DDoS attacks and other kinds of security threats. That's basically, in a nutshell, what we do as a company and, yeah, we're the guardians of the connected world. >>So just from a vendor point of view, I always feel so sorry for buyers in this environment because you walk around, I don't know how many vendors are in here. A lot of big booths, little booths. So how do you kind of help separate, you know, NETSCOUT from the noise? What's your guys' secret sauce? What's your kind of special things?
>>Really, it's like 30 years >>off investment in like, network based visibility, and >>we truly >>believe in the network. Our CEO, he says, like you know the network like, you know, actually, when you monitor the network, it's like taking a blood test. It tells you the truth, right? And it's really like how you find out, like, you know, some things right or wrong. I mean, I actually, for my background to like network monitoring. There's a lot of our what we think of as like the endpoint is actually contested territory. That's where the adversary is. When you're on the network and your monitoring all activity, it really gives you a vantage point. You know, that's >>really special. So we really focus on the network. Our heritage and the network is is one of our key strengths and then, you know, as part of >>us as a company like Arbor Arbor. Networks with coming in that's got acquired some years ago were very much part of Net Scout with our brand of products. Part of that, you know, the Arbor legacy includes huge visibility into what's happening across the Internet and visibility like nobody else like in terms of the number of service providers and large enterprises who work with us, help us understand what's happening across the landscape. That's like nobody else out here. And that is what we consider a key differentiator. >>Okay, great. So one of the things you guys do >>a couple times years, I understand his publisher reporting solution, gift people. Some information as to what's going on. So we've got the We've >>got the version over four here. Right Net scout threat, intelligence report. So you said this comes out twice a year, twice a year. So what is the latest giving some scoop >>here, Hot off the presses we published last week. Okay, so it's really just a few days old and, you know, our focus here is what happened in the last six months of last year. So that and then what we do is we compare it against data that we've collected a year prior. 
>>So really a few things >>that we want you to remember if you're on the right, you know, the first number is 8.4 million. That's the number of D DOS attacks that >>we saw. This doesn't mean that >>we've seen every attack, you know, in the world, but that's like, you know just how many DDOS attacks we saw through the eyes of our customers. That's >>in this in six months. 8.4 number is >>actually for the entire year here in an entire year of 2019. There's a little bit of seasonality to it. So if you think of it like a 4.4, maybe something that that was the second half of the year. But that's where I want to start. That's just how many DDOS attacks we observed. And so, in the >>course of the report, what we can do a >>slice and dice that number talk about, like, different sizes, like, what are we seeing? Between zero and 100 gigabits per 2nd 102 104 100 above and >>kind of give you a sense of just what kind of this separation there is who is being targeted >>like we had a very broad level, like in some of the verticals and geographies. We kind of lay out this number and give you like, a lot of contact. So if you're if you're in finance and you're in the UK, you want to know like, Hey, what happened? What happened in Europe, for example, In the past 66 months, we have that data right, and we've got to give you that awareness of what's happening now. The second number I want you to remember is seven seven or the number of new attack vectors reflection application attack vectors that we observed being used widely in in in the second half. >>Seven new 17 new ones. So that now kind of brings our tally >>up to 31 like that. We have those listed out in here. We talk about >>just how much? Uh huh. Really? Just how many of these vectors, how they're used. Also, these each of these vectors >>leverage vulnerabilities in devices that are deployed across the Internet. So we kind of laid out like, you know, just how many of them are out there. 
But that's like, You know that to us seven is reflecting how the adversary is innovating. They're looking for new ways to attack us. They've found 71 last year. They're going to war, right? Right. And that's that's kind of what we focus on. >>Let's go back to the 8.4. So of those 8.4 million, how many would you declare >>successful from the attacker point of view? >>Yeah, You know something that this is always >>like, you know, you know, it's difficult to go estimate precisely or kind of get within some level of >>precision. I think that you know, the the adversaries, always trying to >>of course, they love to deliver a knockout blow and like all your services down but even like every attack inflicts a cost right and the cost is whether it's, you know, it's made its way all the way through to the end target. And now you know, they're using more network and computing resource is just to kind of keep their services going while they're under attack. The attack is low, You're still kind of you. You're still paying that cost or, you know, the cost of paid upstream by maybe the service provider. Somebody was defending your network for you. So that way, like, you know, there's like there's a cost to every one of these, right? In >>terms of like outages. I should also point out that the attacks that you might think >>that this attack is like, you know, hey, you know, there was a specific victim and that victim suffered as a result of but >>in many cases, the adversaries going after people who are providing services to others. So I mean, if a Turkish bank >>goes down right, like, you know, our cannot like services, customers for a month are maybe even a few hours, right, And you know, the number of victims in this case is fairly broad. Might be one attacks that might be one target, however, like the impact is fairly, >>is very large. What's interesting is, have begs a question. Kind of. 
How do you >>define success or failure from both the attacker's point of view as well as the defender? >>Yeah, I mean, I mean and again, like there's a lot of conversation in the industry about for every attack, right? Any kind of attack. What? When do I say that? You know what? I was ready for it. And, you know, I was I was fine. I mean, I don't care about, you know, ultimately, there's a cost to each of these things. I'd say that everybody kind of comes at it with their You know, if you're a bank, that you might go. Okay. You know what? If my if I'm paying a little bit extra to keep the service up and running while the Attackers coming at me, No problem. If I if my customers air aren't able to log in, some subset of my customers aren't able to log in. Maybe I can live through that. A large number of my customers can't log in. That's actually a really big problem. And if it's sustained, then you make your way into the media or you're forced to report to the government by like, outages are like, You know, maybe, you know, you have to go to your board and go like a sorry, right? Something just happened. >>But are the escalation procedures >>in the definition of consistency? Right? Getting banged all the time right? And there's something like you said, there's some disruption at some level before it fires off triggers and remediation. So so is there some level of okay, that's kind of a cost of doing business versus, you know, we caught it at this. They're kind of like escalation points that define kind of very short of a full line. >>I think when we talk to our service provider customers, we talked to the very large kind of critical enterprises. They tend to be more methodical about how they think of like, Okay, you know, degradation of the service right now, relative to the attack. I think I think for a lot of people, it's like in the eyes of the beholder. Here's Here's something. Here's an S L. A. That I missed the result of the attack at that point. 
Like you know, I have, I certainly have a failure, but, you know, it's it's up until there is kind of like, Okay, you're right >>in the eyes the attacker to delay service >>at the at the Turkish bank because now their teams operate twice, twice the duration per transaction. Is it? Just holding for ransom is what benefit it raises. A range >>of motivations is basically the full range of human nature. There's They're certainly like we still see attacks that are straight journalism. I just I just cause I could just I wanted I wanted to write. I wanted to show my friend like, you know, that I could do this. There's there's definitely a lot of attacks that have that are like, you know, Hey, I'm a gamer and I'm like, you know, there's I know that person I'm competing with is coming from this I p address. Let me let me bombard them with >>an attack. And you know, there's a huge kind of it could be >>a lot of collateral damage along the way because, you know, you think you're going after this one person in their house. But actually, if you're taking out the network upstream and there's a lot of other people that are on that network, like you know, there's certain competitive element to it. They're definitely from time to time. There are extortion campaigns pay up or we'll do this again right in some parts of the world, like in the way we think of it. It's like cost of doing business. You are almost like a business dispute resolution. You better be. You know, you better settle my invoice or like I'm about, Maybe maybe I'll try and uses take you out crazy. Yeah, >>it, Jeff. I mean things >>like, you know the way talked about this in previous reports, and it's still true. There's especially with d dos. There's what we think of it, like a democratization off the off the attack tools where you don't have to be technical right. You don't have to have a lot of knowledge, you know, their services available. 
You know, like here's who I'm going to the market by the booth, so I'd like to go after and, you know, here's my $50 or like a big point equivalent. All right, >>let's jump to >>the seven. We talked about 8.4 and the seven new attack vectors and you outline, You know, I think, uh, the top level themes I took from the summary, right? Weaponizing new attack vectors, leveraging mobile hot spots targeting compromised in point >>about the end points. I o t is >>like all the rage people have mess and five G's just rolling out, which is going to see this huge i o t expansion, especially in industrial and all these connected devices and factories in from that power people. How are people protecting those differently now, as we're getting to this kind of exponential curve of the deployment of all these devices, >>I mean, there are a lot of serious people thinking about how to protect individual devices, but infrastructure and large. So I'm not gonna go like, Hey, it's all bad, right? Is plenty back on it all to be the next number, like 17 and 17 as the number of architectures for which Amir, I mean, I was really popular, like in a bar right from a few years ago. That still exists. But over time, what's happened is people have reported Mirai to different architectures so that, you know, think of it like, you know, if you have your your refrigerator connected to the Internet, it comes. It's coming with a little board, has CPU on it like >>running a little OS >>runs and runs in the West on it. Well, there's a Mirai variant ready for that. Essentially, as new devices are getting deployed like, you know, there's, you know, that's kind of our observation that there's even as new CPUs are introduced, a new chips or even the West they're introduced. There's somebody out there. We're ready to port it to that very now, Like, you know, the next level challenges that these devices, you know, they don't often get upgraded. There's no real. 
In many cases, they're not like, you know, there's very little thought given to really kind of security around it. Right? There are back doors and, like default passwords used on a lot of them. And so you take this combination. I have a whole you know, we talk about, you know, large deployments of devices every year. So you have these large deployments and now, you know, bought is just waiting for ready for it Now again, I will say that it's not. It's not all bad, but there are serious people who were thinking about this and their devices that are deployed on private networks. From the get go, there was a VPN tunnel back to a particular control point that the the commercial vendor operates. I mean, there are things like that, like, hardening that people have done right, So not every device is gonna find its way into a botnet. However, like, you know, you feel like you're getting a toy like Christmas and against $20 you know, and it can connect to the Internet. The odds are nobody's >>thinking not well. The thing we've heard, too, about kind of down the i t and kind of bringing of operations technology and I t is. A lot of those devices weren't developed for upgrades and patches, and Lord knows what Os is running underneath the covers was a single kind of use device. It wasn't really ever going to be connected to the outside world. But now you're connecting with the I t. Suddenly exposing a whole host of issues that were never kind of part of the plan when whoever designed that thing in the first place for sure for sure is crazy. Alright, so that's that. Carpet bombing tactics, increased sector attack, availability. What is there's carpet bomb and carpet bombing generally? What's going on in this space? >>Well, so carpet bombing is a term that we applied a few years ago to a kind of a variation of attack which, like >>traditionally, you know, we see an attack >>against a specific I P address or a specific domain, right? That's that's where that's what I'm targeting. 
Carpet bombing is taking a range of API's and go like, you know, hey, almost like cycling through every single one of them. So you're so if your filters, if your defense is based on Hey, if my one server sees a spike, let me let me block traffic while now you're actually not seeing enough of a spike on an individual I p. But across a range there's a huge you know, there's a lot of traffic that you're gonna be. >>So this is kind of like trips people >>up from time to time, like are we certainly have defensive built for it. But >>now what? We're you know, it's it's really like what we're seeing is the use >>off Muehr, our other known vectors. We're not like, Okay, C l dap is a protocol feel that we see we see attacks, sealed up attacks all the time. Now what we're >>seeing is like C l >>dap with carpet bombing. Now we're seeing, like, even other other reflection application protocols, which the attack isn't like an individual system, but instead the range. And so that's that's what has changed. Way saw a lot of like, you know, TCP kind of reflection attacks, TCP reflection attacks last year. And then and then the novelty was that Now, like okay, alongside that is the technique, right? Carpet bombing technique. That's that's a pipe >>amounts never stops right? Right hard. We're out of time. I give you the final word. One. Where can people go get the information in this report? And more importantly, for people that aren't part of our is a matter that you know kind of observers or they want to be more spark. How should they be thinking about security when this thing is such a rapidly evolving space? >>So let me give you two resource is really quickly. There's this this >>report available Dub dub dub dub dot com slash threat report. That's that's that's what That's where this report is available on Google Next Threat report and you'll find your way there. 
We've also, you know, we made another platform available that gives you more continuous visibility into the landscape. So if you read this and like Okay, what's happening now? Then you would go to what we call Met Scout Cyber Threat Horizon. So that's >>kind of tell you >>what's happening over the horizon. It's not just like, you know, Hey, what's what am I seeing? What are people like me seeing maybe other people other elsewhere in the world scene. So that's like the next dot com slash horizon. Okay, to find >>that. And I think like between those two, resource is you get >>access to all of our visibility and then, you know, really, in terms of like, our focus is not just to drive awareness, but all of this knowledge is being built into our products. So the Net's got like arbor line of products. We're continually innovating and evolving and driving like more intelligence into them, right? That's that's really? How We help protect our customers. Right >>hearted. Thanks for taking a few minutes >>and sharing the story. Thank you. 18 Scary. But I'm glad you said it's not all bad. So that's good. >>Alright, he started. I'm Jeff. You're watching the Cube. We're at the RSA conference 2020 >>Mosconi. Thanks for watching. We'll see you next time. >>Yeah, yeah, yeah.

Published Date : Feb 26 2020



Darren Anstee, NETSCOUT | CUBEConversation, November 2019


 

from the silicon angle media office in Boston Massachusetts it's the queue now here's your host David on tape hello everyone and welcome to this cube conversation today we're gonna dig into the challenges of defending distributed denial of service or DDoS attacks we're gonna look at what DDoS attacks are why they occur and how defense techniques have evolved over time and with me to discuss these issues as Darin and Steve he's the CTO of security at net Scout Darren good to see you again can you tell me about your role your CTO of security so you got CTO specific to the different areas of your business yeah so I work within the broader CTO office at net Scout and we really act as a bridge between customers engineering teams our product management and the broader market and we're all about making sure that our strategy aligns with that of our customers that we're delivering what they need and when they need it and we're really about thought leadership so looking at the unique technologies and capabilities that that scout has and how we can pull those things together to deliver new value propositions new capabilities that can move our customers businesses forward and obviously taking us with of them great so let's get into it I mean everybody hears of DDoS attacks but specifically you know what are they why do they occur when what's the motivation behind the bad guys hitting us so a distributed denial of service attack is simply when an attacker is looking to consume some or all of the resources that are assigned to a network service or application so that a genuine user can't get through so that you can't get to that website so that your network is full of traffic so that firewall is no longer forwarding packets that's fundamentally what a DDoS attack is all about in terms of the motivations behind them they are many and varied there's a wide wide range of motivations behind the DDoS activity that we see going on out there today everything from cybercrime where 
people are holding people to ransom so I will take your website down unless you pay me you know X Bitcoin from ideological disputes through to nation-state attacks and then of course you get the you know things like students in higher educational establishments targeting online coursework submission and testing systems because they simply you know don't want to do the work fundamentally the issue you have around the motivations today is that it's so easy for anyone to get access to fairly sophisticated attack capabilities that anyone can launch an attack for pretty much any reason and that means that pretty much anyone can be targeted okay so you gotta be ready so are there different types of attacks I guess so right used to be denial of service now I'm distributed the service but what are the different types of attacks so the three main categories of distributed denial of service attack of what we call volumetric attacks State exhaustion attacks and application-layer attacks and you can kind of think of them around the different aspects of our infrastructure or the infrastructure of an organization that gets targeted so volumetric attacks are all about saturating Internet connectivity filling up the pipe as it were state exhaustion attacks are all about exhausting the state tables in specific pieces of infrastructure so if you think about load balancers and firewalls they maintain state on the traffic that they're forwarding if you can fill those tables up they stop doing their job and you can't get through them and then you have the application layer attacks which is their name would suggest is simply an attacker targeting an attack targeting a service at the application layer so for example flooding a website with requests for a download something like that so that genuine user can't get through it presumably some of those attacks for the infiltrators some of them are probably easier have a lower bar than others is that right or they pretty much also the same 
level of sophistication in terms of the attacks themselves there's big differences in the sophistication of the attack in terms of launching the attack it's really easy now so a lot of the attack tools that are out there today would be you know are fully weaponized so you click a button it launches multiple attack vectors at a target some of them will even rotate those attack vectors to make it harder for you to deal with the attack and then you have the DDoS for hire services that will do all of this for you is effectively a managed service so there's a whole economy around this stuff so common challenge and security very low barriers to entry how have these attacks changed over time so DDoS is nothing new it's been around for over 20 years and it has changed significantly over that time period as you would expect with anything in technology if you go back 20 years a DDoS attack of a couple of gigabits a second would be considered very very large last year we obviously saw saw DDoS attacks break the terabit barrier so you know that's an awful lot of traffic if we look in a more focused way at what's changed over the last 18 months I think there's a couple of things that are worth highlighting firstly we've seen the numbers of what we would consider to be midsize attacks and really grow very quickly over the last 12 months mid-sized to us is between 100 and 400 gigabits per second so we're still talking about very significant traffic volumes that can do a lot of damage you know saturate the internet connectivity of pretty much any enterprise out there between 2018 2019 looking at the two first halves respectively you're looking at about seven hundred and seventy six percent growth so there are literally thousands of these attacks going on out there now in that hundred to four hundred gig band and that's changing the way that network operators are thinking about dealing with them second thing that's changed is in the complexity of attacks now I've already mentioned 
this a little bit but there are now a lot of attack tools out there that completely automate the rotation of attack vectors during an attack so changing the way the attack works periodically every few minutes or every few seconds and they do that because it makes it harder to mitigate it makes it more likely that they'll succeed in their goal and then the third thing that I suppose has changed is simply the breadth of devices and protocols that are being used to launch attacks so we all remember in 2016 when Dyne was attacked and we started hearing about IOT and mirai and things like that that CCTV and DVR devices were being used there since then a much broader range of device types being targeted compromised subsumed into botnets and used to generate DDoS attacks and we're also seeing them use a much wider range of protocols within those DDoS attacks so there's a technique called reflection amplification which has been behind many of the largest DDoS attacks over the last 15 years or so traditionally it used a fairly narrow band of protocols over the last year or so we've seen attackers researching and then weaponizing a new range of protocols expanding their capability getting around existing defenses so there's a lot changing out there so you talking about mitigation how do you mitigate how do you defend against these attacks so that's changing actually so if you look at the way that the service provider world used to deal with DDoS predominantly what you would find is they would be investing in intelligent DDoS mitigation systems such as the Arbour TMS and they'd be deploying those solutions into their primary peering locations potentially into centralized data centers and then when they detected an attack using our sight line platform they would identify where it was coming in they identify the target of the attack and they divert the traffic across their network to those TMS locations inspect the traffic clean away the bad forward on the good protect the 
customer protect the infrastructure protect the service what's happening now is that the shape of service provider networks is changing so if we look at the way the content used to be distributed in service providers they pull it in centrally push it out to their customers if we look at the way that value-added service infrastructure used to be deployed it was very similar they deploy it centrally and then serve the customer all of that is starting to push out to the edge now contents coming in in many more locations nearer to areas delivered value-added service infrastructure is being pushed into virtual network functions at the edge of the network and that means that operators are not engineering the core of their networks in the same way they want to move DDoS attack traffic across their network so that they can then inspect and discard it they want to be doing things right at the edge and they want to be doing things at the edge combining together the capabilities of their router and switch infrastructure which they've already invested in with the intelligent DDoS mitigation capabilities of something like Ann Arbor TMS and they're looking for solutions that really orchestrate those combinations of mitigation mechanisms to deal with attacks as efficiently and effectively as possible and that's very much where we're going with the site line with sentinel products okay and we're gonna get into that you'd mentioned service providers do enterprises the same way and what's different so some enterprises approaching in exactly the same way so your larger scale enterprises that have networks that look a bit like those of service providers very much looking to use their router and switch infrastructure very much looking for a fully automated orchestrated attack response that leverages all capabilities within a given network with full reporting all of those kind two things for other enterprises hybrid DDoS defense has always been seen as the best practice which is really 
this combination of a service provider or cloud-based service to deal with high-volume attacks that would simply saturate connectivity, with an on-prem or virtually on-prem capability that has a much more focused view of that enterprise's traffic, that can look at what's going on around the applications, potentially decrypt traffic for those applications, so that you can find those more stealthy, more sophisticated attacks and deal with them very proactively. >> Do you, you know, a lot of times companies don't want to collaborate because they're competitors, but security is somewhat different. Are you finding that service providers, or maybe even large organizations but not financial services, that are, are they collaborating and sharing information? >> They're starting to. So with the scale of DDoS now, especially in terms of the size of the attacks and the frequency of the attacks, we are starting to see, I suppose, two areas where there's collaboration. Firstly, you're seeing groups of organizations who are looking to offer services in a unified way to a customer outside of their normal reach. So, you know, service provider A has reach in region A, service provider B in region B, C in region C. They're looking to offer a unified service to a customer that has offices in all of those regions, so they need to collaborate in order to offer that unified service. So that's one driver for collaboration. Another one is where you see large service providers who have multiple kind of satellite operating companies. So, you know, you think of some of the big brands that are out there in the service provider world: they have networks in lots of parts of the world, then they have other networks that join those networks together, and they would very much like to share information kind of within that. The challenge has always been, well, there are really two challenges to sharing information to deal with DDoS. Firstly, there's a trust challenge. So if I'm going to tell you about a DDoS attack, are you simply going to start
doing something with that information that might potentially drop traffic for a customer, that might impact your network in some way? That's one challenge. The second challenge is in visibility: if I tell you about something, how do you tell me what you actually did? How do I find out what actually happened? How do I tell my customer that I might be defending what happened overall? So one of the things that we're doing in Sightline, we're building in a new smart signaling mechanism where our customers will be able to cooperate with each other. They'll be able to share information safely between one another, and they'll be able to get feedback from one another on what actually happened: what traffic was forwarded, what traffic was dropped. >> That's critical, because you've mentioned the first challenge is you got the balance of, okay, business disruption versus protecting, and the second is, hey, something's going wrong, I don't really know what it is. Well, that's not really very helpful. Well, let's get more into the Arbor platform and talk about how you guys are helping solve this problem. >> Okay, so Sightline, the honest Sightline platform has been the market-leading DDoS detection and mitigation solution for network operators for well over the last decade. Obviously, we were acquired by NETSCOUT back in 2015, and what we've really been looking at is how we can integrate the two sets of technologies to deliver a real step change in capability to the market. And that's really what we're doing with the Sightline with Sentinel product. Sightline with Sentinel integrates NETSCOUT and Arbor technology. So Arbor has traditionally provided our customers, our Sightline customers, with visibility of what's happening across their networks at layer 3 and 4, so very much a network focus. NETSCOUT has Smart Data technology. Smart Data technology is effectively about acquiring packet data in pretty much any environment, whether we're talking physical, virtual, container, public or private cloud, and
turning those packets into metadata, into what we call smart data. What we're doing in Sightline with Sentinel is combining packet and flow data together. So you can think of it as kind of like colorizing a black and white photo. So if you think about the picture we used to have in Sightline as being black and white, we add this smart data, suddenly we've colorized it. When you look at that picture, you can see more, you can engage with it more, you understand more about what was going on. We're moving our visibility from the network layer up to the service layer, and that will allow our customers to optimize the way that they deliver content across their networks. It will allow them to understand what kinds of services their customers are accessing across their network, so that they can optimize their value-added service portfolios, drive additional revenue. They'll be able to detect a broader range of threats, things like botnet monitoring, that kind of thing. And they'll also be able to report on distributed denial of service attacks in a very different way. If you look at the way in which much of the reporting that happens out there today is designed, it's very much network layer: how many bits are forwarded, how many packets are dropped. When you're trying to explain to an end customer the value of the service that you offer, that's a bit kind of vague. What they want to know is: how did my service perform, how is my service protected? And by bringing in that service layer visibility, we can do that. And that whole smarter visibility angle will drive a new intelligent automation engine, which will really look at any attack and then provide a fully automated, orchestrated attack response using all of the capabilities within a given network, even outside a given network using the smarter signaling mechanism, whilst delivering a full suite of reporting on what's going on, so that you're relying on the solution to deal with the attack for you to some degree, but you're also being told
exactly what's happening, why it's happening and where it's happening. >> And your secret sauce, is this the way in which you handle the metadata, what you call smart data, is that right? >> Our secret sauce really is in, I think it's in a couple of different areas. So with Sightline with Sentinel, the smart data is really a key one. I think the other key one is our experience in the DDoS space. So we understand how our customers are looking to use their router and switch infrastructure, we understand the nature of the attacks that are going on out there, we have a unique set of visibility into the attack landscape through the NETSCOUT ATLAS platform. When you combine all of those things together, we can look at a given network and we can understand, for this attack at this second, this is the best way of dealing with that attack using these different mechanisms. If the attack changes, we love to our strategy. And building that intelligent automation needs that smarter visibility. So all of those different bits of our secret sauce really come together in Sentinel. >> So is that really your differentiator from, you know, your key competitors, that you've got the experience, you've got obviously the tech? Anything else you'd add to that? >> I think the other thing that we've got is two people. So we've got a lot of research kind of capability in the DDoS space, so we are delivering a lot of intelligence into our products as well. Now, it's not just about what you detect locally anymore. And we look at the way that the attack landscape is changing. I mentioned that attackers are researching and weaponizing new protocols. You know, we're learning about that as it happens by looking at our honeypots, by looking at our sinkholes, by looking at our ATLAS data. We're pushing that information down into Sightline with Sentinel as well, so that our customers are best prepared to deal with what's facing them. >> When you talk to customers, can you kind of summarize for our audience the key to the business
challenges? You talked about some of the technical, there may be some others that you can mention, but try to get to that business impact. >> Yeah, so on the business side of it, there's a few different things. So a lot of it comes down to operational cost and complexity, and also obviously the cost of deploying infrastructure. And both of those things are changing because of the way that networks are changing and business models are changing. On the operational side, everyone is looking for their solutions to be more intelligent and more automated, but they don't want them simply to be a black box. If it's a black box, it either works or it doesn't, and if it doesn't, you've got big problems, especially if you've got service level agreements and things tied to services. So intelligent automation to reduce operational overhead is key, and we're very focused on that. Second thing is around deployment of capability into networks. So I mentioned that the traditional DDoS mitigation kind of strategy was to deploy intelligent DDoS mitigation capability into key peering locations and centralized data centers. As we push things out towards the edge, our customers are looking for those capabilities to be deployed more flexibly. They're looking for them to be deployed on common off-the-shelf hardware. They're looking for different kinds of software licensing models, which again is something that we've already addressed to kind of allow our customers to move in that direction. And then the third thing, I think, is really half opportunity and half business challenge, and that's that when you look at service providers today, they're very, very focused on how they can generate additional revenue. So they're looking very much at how they can take a service that maybe they've offered in the past to their top hundred customers and offer it to their top thousand or five thousand customers. Part of that is intelligent automation, part of that is getting the visibility, but part
of that again is partnering with an organization like NETSCOUT that can really help them to do that. And so it's kind of part challenge, part opportunity there, but that's again something we're very focused on. >> I want to come back and double down on the point about automation. Seems to me the unique thing, one of the unique things about security is this huge skills gap, and people complain about that all the time. A lot of infrastructure businesses, you know, automation means that you can take people and put them on, you know, different tasks, more strategic, and I'm sure that's true also in security. But because of that skills gap, automation is the only way to solve these problems, right? I mean, you can't just keep throwing people at the problem because you don't have the skilled people, and you can't take that brute force approach. Does that make sense to you? >> It's scale and speed when it comes to distributed denial-of-service. So given the attack vectors are changing very rapidly now because the tools support that, you've got two choices as an operator: you either have somebody focused on watching what the attack is doing and changing your mitigation strategy dynamically, or you invest in a solution that has more intelligent art and more intelligent analytics, better visibility of what's going on, and that's Sightline with Sentinel, fundamentally. The other key thing is the scale aspect, which is, if you're looking to drive value-added services to a broader addressable market, you can't really do that, you know, by simply hiring more and more people, because the services don't cost in. So that's where the intelligent automation comes in. It's about scaling the capability that operators already have, and most of them have a lot of, you know, very clever, very good people in the security space. You know, it's about scaling the capability they already have to drive that additional revenue, to drive the additional value. >> So if I had to boil it down, the business is obviously lower cost, it's
mentioned scale, more effective mitigation, which, yeah, which, you know, lowers your risk, and then for the service providers it's monetization as well. >> Yeah, and the more effective mitigation is a key one as well. So, you know, leveraging that router and switch infrastructure to deal with the bulk of attack, so that you can then use the intelligent DDoS mitigation capability, the Arbor TMS, to deal with the more sophisticated components, combining those two things together. >> All right, we'll give you the final word, Darren. You know, takeaways and, you know, any key point that you want to drive home. >> Yeah, I mean, Sightline has been a market-leading product for a number of years now. What we're really doing in NETSCOUT is investing in that. We're pulling together the different technologies that we have available within the business to deliver a real step change in capability to our customer base, so that they can have a fully automated and orchestrated attack response capability that allows them to defend themselves better and allows them to drive a new range of value-added services. >> Well, Darren, thanks for coming on. You guys doing great work, really appreciate your insights. >> Thanks, Dave. >> You're welcome. And thank you for watching, everybody. This is Dave Vellante, we'll see you next time.

Published Date : Nov 14 2019

Sanjay Munshi, NETSCOUT | CUBEConversation, June 2019


 

>> From our studios in the heart of Silicon Valley, Palo Alto, California, it is a CUBE Conversation. >> Hi, and welcome to theCUBE studios for another CUBE Conversation, where we go in depth with thought leaders driving innovation across the tech industry. I'm your host today, Peter Burris. One of the biggest challenges that every enterprise faces is how best to focus attention on the most important assets that are driving, or facilitating that drive, the digital business and digital business transformation. There's been a lot of emphasis over the last 50 years in tech on the hardware assets, but increasingly we need to look at the elements of IT that are actually creating net new value within a business: namely, the people, the services and the data that make digital business possible. And that requires that we rethink our approaches to how we actually manage, conceive of and monitor those key assets, and is likely to lead to some very interesting unifications over the next few years, especially in SecOps and NetOps. Now, to have that conversation, we've got a great guest today. Sanjay Munshi is the vice president, product management, at NETSCOUT Technologies. Sanjay, welcome to theCUBE. >> Thank you, Peter. Thank you. >> So, Sanjay, I said a lot upfront. But before we get into that, tell us a little bit about NETSCOUT. >> Thank you, Peter, for the introduction. NETSCOUT is a smart data company. NETSCOUT has three decades of leadership and innovation in troubleshooting, monitoring and securing IT-based networks. We are deployed in 90% of the Fortune 500 companies and 90% of the top communication service providers worldwide. We have 50% market share in each of the three segments that we play in, whereas the next biggest competitor we have has less than 5%.
Those three areas are: number one, network and application performance monitoring for hybrid cloud infrastructure for enterprises; DDoS and security for enterprise and service providers; and service assurance for service providers, which includes mobile operators, cable providers as well as ISPs. Today we operate in 50 plus countries worldwide. We have 2,500 plus employees and 500 plus patents to our credit. >> Impressive story. Let's get right to the issue, though, and how NETSCOUT is actually participating in some of these crucial transformations. I mentioned upfront that one of the biggest challenges that every enterprise has is to focus more of their attention on those digital assets that are actually driving change and new sources of value, namely the data, the services and the devices and the people, the applications or people that use those. So one of the challenges that we've had is that a focus on devices leads to a focus on certain classes of data that are mainly improved, or focus on improving, the productivity of devices. Give us a background and how that's, what that means. >> Let me introduce the concept of smart data that's born out of NETSCOUT, calibrated with smart data. NETSCOUT pioneered the leverage of wire data or packet data three decades back, that drives our nGenius portfolio, that drives NetOps and CloudOps. ASI, or Adaptive Service Intelligence: this is the smart data that comes out of the packets. With ASI smart data, we uniquely converge application and network performance monitoring you are customers Toro visibility across application tiers, end-to-end networks and diverse data center locations. >> So just to pick up on that: moving away from a log focus, which is again mainly, let's improve the productivity of the device, we're moving to ASI, which is focus on, let's improve the productivity of the connection and the application. >> Absolutely, absolutely. And we'll talk a little bit more about log.
Let's talk about log and NetFlow, other sources of data that folks have gravitated towards, which is not, they're not authoritative by any means. Let's say log data, for example. This log data, you know, as soon as a threat actor, for example, gets access to your systems, the first thing the threat actor will do is to turn off logging or, even worse, change the log data, change the syslog messaging itself. Let's take a look at NetFlow data, for example. NetFlow data, number one problem is, it doesn't have layer seven intelligence in it. Number two, it's not generated by all the devices in the network. For example, the IoT devices do not generate any kind of flow data. So the only data that is authoritative and that comes with high fidelity is packet or wire data. That's one element of smart data that we have. The other element of smart data comes from our Arbor portfolio. Arbor products are deployed in 400 plus tier one operators, mobile operators and service providers worldwide. And as such, we see 1/3 of the Internet traffic through our strategically located sensors in the service provider core. We're able to generate another type of smart data that we call ATLAS Intelligence Feed, or AIF in short. AIF, ATLAS Intelligence Feed, essentially tracks cyber reputation across domains, across geolocations and across user identities. The combination of the ASI smart data that is generated from the core of the hybrid cloud infrastructure,
let's call it intranet, and AIF smart data that is generated from the Internet core, gives NETSCOUT a unique data set combination that's unparalleled in the marketplace and makes us perhaps one of the few vendors who can drive a consolidated visibility architecture across NetOps, CloudOps and SecOps. >> Okay, so let's turn that into, again, very practical things for folks, because what IT has historically done is, by focusing on individual devices or classes of devices and the data that those devices generate, they end up with a panoply, a wide arrangement of security tools that are each good at optimizing those devices with those, he said, they may not necessarily be authoritative, but it's difficult to weave that into a consolidated, unified SecOps/NetOps overall, not just architecture but platform for performing the crucial work of sustaining your digital business infrastructure. How does smart data translate into unified operations? >> It's a point, Peter. Thank you. That's a very good point. So let me give an example and talk about the customers that we have deployed our smart data, our hybrid cloud infrastructure. This is a typical Fortune 500 where we are deployed. NETSCOUT is deployed as the hybrid cloud monitoring infrastructure in the NetOps and the CloudOps side. Typically, you will see this type of organization has one tool to cover the entire hybrid cloud monitoring infrastructure across their entire portfolio, whether it is on-prem, whether it's in the cloud, whether it's in the colocation facility. But when you look at the SecOps and the security side, the story is completely different. The same organization, the same enterprise customer, has 25 to 30 different disparate display tools. As a matter of fact, analysts are saying today that a typical Fortune 500 in the US has 70 disparate security tools. Why is that the case? Why is it that on the NetOps and CloudOps side they need one tool, NETSCOUT, for example,
but in the SecOps there are 70 different products? The reason is not only smart data but also smart architecture. So what we have seen, what we have done over the past three decades: we have designed this two-tier architecture that generates smart data. The tier one is our distributed instrumentation of sensor framework, which we call InfiniStream or the Stream. This is the distributed sensor framework that is deployed in the hybrid cloud infrastructure that generates the smart data. And then we have the centralized analytics layer, which is our nGenius platform, that essentially correlates data across the hybrid cloud infrastructure and provides customers complete visibility across the portfolio of the data centers. On the SecOps side, security side, security is roughly 10 to 15 years old. Security tried to emulate the two-tier model as well, but the security industry failed in doing that. Nobody could design this distributed sensor instrumentation cost-effectively to make wire data feasible for analytics. With the result, they migrated to, as you said, these subpar sources of data like syslog, like NetFlow. And today they put all the emphasis on the analytics layer. With the result, they need one tool per use case or one vendor per use case on the SecOps side. And that's why you see the tool proliferation, because they don't have this distributed sensor framework that will make wire data or packet data feasible for the analytics layer. >> And I want to build on something you're saying, because it's a misperception that all resources and all work of digital business and technology is going to end up in a central cloud location. The cloud really is an architecture for more broad distribution of data and work, which means, ultimately, that if we don't deal with this proliferation of security tools now, we're going to
probably have an even greater explosion in the number of security tools, which will more radically diminish our ability to establish new classes of options in digital business. >> Very good point. As a matter of fact, just a couple of years back, the average number of tools was 40 in a SecOps portfolio an enterprise has in the U.S. Today, 70; it could go 200. But if you look at the risk profile, the risk profile has stayed the same or, in many cases, deteriorated, right? What we found is the number of tools is going up, the cost of breaches going up, the third, the number of breaches are going up, and at the same time, the number of analysts is always in dearth. So in short, high investments on the security side failed to reduce risk. So the risk and investment factor both are going northbound, both are going up. So how do you control that? How do you make them come down? The only way: smart data on a smart platform on a smart analytics layer. >> Yeah. Again, let me emphasize this crucial point, because it's one of the things that we've seen in our conversations with clients: a proliferation of tools, proliferation of data leads to a proliferation of tasks and responsibilities within a business, and you end up with more human failures of consequence. So by bringing all these things together, you end up with smarter data, smarter platform, simpler operations, more unified operations, and get greater leverage. So let's talk then about, ultimately, how should a business, what's the road map? What's the next two or three things that an enterprise needs to do to start unifying these resources and generating the simplicity so that you open up greater strategic options for how you configure your digital business? >> That's a very good point. So two things we talked about already. One is smart data, relying on smart data, which comes from wire data or packet data.
And the second is smart architecture, which comprises of this two-tier architecture with distributed instrumentation and centralized analytics. What happens when you do that is, the first thing is early warning detection. What we have realized, Peter, is that if you look at the traditional kill chain, Lockheed Martin's kill chain or MITRE model that people are using now, traditional reconnaissance, weaponization, as well as exfiltration, we have seen that if you generate analytics based on packet data or smart data, which we do as NETSCOUT, you can detect these phases much earlier than if you rely on device data, NetFlow, syslog. So what I call day minus, not day zero, but day minus. So leveraging the smart data and smart architecture, we're able to detect these threats or compromises much earlier than a traditional kill chain model, than a lot of MITRE models. >> But again, the reason why is because we're looking at patterns in the traffic. >> We're looking at behavioral patterns in the traffic. That's correct. Let me go a little bit more technical, if you will. We're looking at transactions at the DNS level, transactions at the CP level or at the Active Directory level that happen much earlier than when lateral movement or a reconnaissance is detected. This happens much earlier because we have the smart data, the wire data, that enables us to do this early warning detection. >> Get more visibility to source as opposed to the target. >> That's correct. The second thing that happens with US smart architecture, the two-tier architecture, is the consolidation of use cases. We talked about it a little bit. So today, in our hybrid cloud scenario that we, that NETSCOUT is deployed in, Fortune 500s, over the past two, three decades, our customers have moved from private cloud infrastructure. First they had the core righty. Then they moved private cloud. You know, I am Francisco.
Then they moved to colocation, Equinix and others. And then they moved also to public cloud. All the workloads are migrating, and everywhere we did not make any change to our instrumentation layer. Can you believe it? No changes. The only changes we made was in the analytics layer to take care of the use cases. So with the result, we could consolidate multiple use cases in the cloud monitoring into one platform, the smart platform, the smart data. Now we're building that value into security with the smart platform and smart data that we talked about. So the consolidation of use cases on the security side is the second advantage, other than the early warning detection that we talked about. >> So this has got to improve detection, it's got to improve management, it's going to improve forensics. If I got that right? >> Made a good point. And forensics we should talk about a little bit more, perhaps. The second set of things that we have done is consolidate, in the SecOps side, forensics and detection. So let me explain that a little bit more. If you look at a typical enterprise today, they use SIEM, or security information and event management platforms, to correlate data from multiple sources. So in the event of a SIEM alert, of an alert generated by a SIEM platform, forensics teams need to determine what happened and what systems were impacted. Essentially the what, when, how, where of the alert or the compromise that has been detected. Today, as we said, security teams are not using packet data at all. But forensic teams, in order to validate that alert, they need to access sessions, they need to access packets belonging to that alert, but they cannot today, because none of the devices, none of the security platforms is using wire data in the first place. So what the security teams are doing, forensic analysts, they're leveraging devices like Wireshark and tracking investigations with spreadsheets. This is delaying the investigation time.
As you know today, it's well known that this causes alert fatigue, and 50% of the alerts that are going to the SIEM today are disregarded by the security analysts. With the result, the real threats are getting unabated, and enterprises come to know about a security breach from the media rather than from their own IT department. >> Sanjay, so we've had a great conversation talking about how smart data, smart platform is going to lead to greater unification of tasks, people, responsibilities in SecOps and NetOps, and some of the impacts on an enterprise's overall response stance, both from a detection, management and forensic standpoint. So what's going on? Thank you very much for being on theCUBE. Sanjay Munshi. >> Thank you. Thank you. >> And thanks again for joining us for the CUBE Conversation. We've been with Sanjay Munshi of NETSCOUT Technologies. I'm Peter Burris. See you next time.

Published Date : Jun 5 2019


Taylor Carol, GameChanger Charity & ZOTT | AWS Public Sector Summit 2018


 

>> (upbeat electronic music) >> Live, from Washington D.C., it's theCUBE. Covering AWS Public Sector Summit 2018. Brought to you by Amazon Web Services and its ecosystem partners. (upbeat techno music) >> Welcome back to the nation's capital, everybody. You're watching theCUBE, the leader in live tech coverage. My name is Dave Vellante and I'm here with Stu Miniman. This is day two of the AWS Public Sector Summit. Taylor Carol is here. He's the co-founder of the GameChanger charity and ZOTT. Taylor, welcome to theCUBE. Thanks for coming on. >> Thank you, glad to be here. >> Keynote yesterday got rave reviews. Let me just set this up. So, ZOTT is a content platform that creates virtual experiences for children, giving them an outlet for creativity, intellectual engagement, a lot more. We're going to talk about that. And then GameChanger is the non-profit and it's a majority shareholder of the for-profit organization. So, that's an interesting business model. >> Thank you. >> Explain, please. >> Absolutely, we started GameChanger roughly twelve years ago, when I, at 11, was diagnosed terminal, with a rare form of cancer, given roughly two weeks left to live, thankfully a long two weeks, totally healthy now. But-- >> Congratulations, that's awesome. >> Hey, thank you so much. >> Good to have you with us. >> Glad to be here. But, from those five years I spent in hospital, combined with the 20,000 hospital rooms my dad and I have visited on behalf of GameChanger charity we saw how much need there was in the patient care space and the patient engagement space. And those insights led to first found GameChanger charity, now a nearly 12 year old 501(c)(3), an international non-profit. Started an endeavor in our garage. This year, we've taken in over 20 million dollars in donations, 93 cents on every dollar going to the cause. And GameChanger really focuses in on leveraging gaming, technology, and innovation to support patients' rights to play, learn and socialize. 
And we do that through virtual reality, through augmented reality, through custom gaming solutions, through character based scholarships, to support post-hospital dreams. And then with GameChanger days, where we go in and we bring in bundles of toys for the patients and a catered meal for staff, to sit down to talk with them and to learn about the bespoke gaming and tech solutions we can make to support each individual hospital's needs. So that's GameChanger. And then from that insight, from all that time in the hospital, something we really saw was that the strict patient engagement. How patients watch TV or get clinical health content was so broken. It's one TV mounted on the wall with 20 channels of basic cable. We saw it could be so much better. So, we made ZOTT, which is a device agnostic, cloud-based content distribution system. So, now, through ZOTT, from participating hospitals, any patient, any family member can get their own content, their own experiences, from any device, a laptop, a tablet, a phone, everywhere in the hospital. So, linear TV, gaming, clinical health content, even custom live-streams exclusively for the patients. And ZOTT is owned in entirety by GameChanger charity. >> That's awesome. >> So anything good that happens to ZOTT, goes back to support the GameChanger cause. >> So, completely changing the experience for the patient, from first-hand. What's been some of the outcomes, just in, either anecdotally, or I don't know if you have any kind of measurements. You're changing the world, but if you could share with us how, and any examples, would be great. >> Thank you for saying that. One of the most profound things we've seen at GameChanger charity and at ZOTT is how deleterious boredom is for the patient experience. Understandably, individuals are locked in a boring, white room for a day, a week, a month, years at times. >> Craving visitors, anything. >> Any form of interaction or social engagement. 
And you know something we've seen, is that boredom often magnifies pain and anxiety, isolation, overuse of pain medication. And understanding that issue, that pain, something we've been able to do is incorporate custom VR rigs, custom VR experiences, for distraction therapy. So that's where we'll go in, meet with patients, and bring the care providers VR sets so when a patient is getting ready for a surgery, they can put on a VR rig, try a tranquil experience, and we've seen pain scores go down by as much as six points on a 10 point pain scale, as a result of such distraction therapy. >> That's fantastic. >> Yeah. >> Thank you. >> It's fascinating, we're really powerful the discussion we had in the keynote. So, making this happen, there's some technology behind this. Maybe walk us through a little bit, what's the connection with the cloud discussion. >> Absolutely, absolutely. Something we've seen in growing from a garage endeavor, to now an international organization that supports 11 countries, 20 million dollars in revenue this year, is the importance of scalability and being able to, one, help as many patients as possible, while still focusing on the individual and never losing sight of the fact that each patient we work with is an individual life and truly a family, impacted by acute or prolonged illnesses. So, what the cloud has really allowed us to do is to magnify our efforts and to take it from, say, five hospitals to now over 100. And, one example of that would be in how we use AWS's Sumerian. So, that is a cloud-based VR experience. And rather than needing to download really content-heavy VR experiences on say a gaming computer, in order to facilitate these experiences, now care providers can interact with them through the cloud. And go beyond that, they can actually customize a VR experience for the needs of each patient. So, let's say there's a patient who needs to get a tour through their new hospital ward. 
Thanks to creating templates on Amazon Sumerian, GameChanger creating them, these care specialists now can go in and customize the script that that AR or VR host will speak to include the patient's name or to say I know this is a big change from California, or from Colorado or wherever they hail from. Really making that otherwise generic hospital integration experience feel so bespoke, so personalized to the individual. >> And if I remember right, one of the things you can do is actually, get them engaged with their care. Like, here's the surgery, going to take you inside what's going to be, and I've heard studies of this, you understand, what's going to be doing and can focus on it, kind of the power of understanding and thinking on it can actually improve the results that you get out of it. >> You are so right. That has been one of the most profound things for me personally. When I was sick, I was in the hospital for five years, and for roughly six months of those five years, I was in an isolation unit, where the only person that could come in was my doctor, my nurse in a hazmat suit. And, during that time, I was scared. I was an 11 year old boy, didn't understand what was happening. And I felt an utter loss of agency. An utter loss of empowerment regarding my illness and more importantly my healing. So, what we're able to do now with Sumerian, is we created a collaborative learning experience between CS Mott Children's Hospital in Ann Arbor, Michigan, and Children's Hospital, Colorado in Denver. So, experts 1200 miles apart, were able to collaborate in real time, through the cloud, through Amazon Sumerian, to make a VR experience where patients about to receive aortic valve replacements could actually go through human hearts in virtual reality and simulate the surgery they would soon be receiving leading to this huge spike in empowerment and identity and ownership over their healing. >> That's amazing. 
I mean, I remember, I've only had surgery once, I've been really lucky, >> Yeah. >> But when the surgeon explained to me how it worked and just opened up my mind, and made me so much more comfortable when I understood that, being able to visualize that has to be a complete game changer. Taylor, what does the hospital have to do? Take us through their infrastructure needs, or how do hospitals get on-boarded? >> That's a fantastic question. An anecdote or a saying that we always hold on to near and dear to our heart, at GameChanger and at ZOTT, is that when you know one hospital you know one hospital. (laughter) And we mean that in the sense that every hospital is its own behemoth, its own ecosystem that has spent the past one, five, ten, 50 years building what is now an incredibly outdated technology stack. So, purely from the patient engagement side, let's say looking at ZOTT, traditional engagement, just to get that TV on the wall, and to get the cable going and the basic clinical health information there's a satellite on the roof, there are server racks in the basement, there's a TV with a computer mounted on the back, there's a laptop in the waiting room. It's just everything is so cumbersome, so outdated. And what we've been able to do is take this really thin client-based cloud approach where we're able to create a bespoke cloud solution that totally bypasses all of that heavy technology stack. Equally, because Amazon and AWS services are so modifiable and you can really pick and choose what you need from the suite, we've been able to go in and instead of have the hospital change to us, we've been able to modify to the hospital, to fit into their ecosystem rather than bring in a bulldozer and try and change everything that they have. >> Awesome. So you're utilizing their existing infrastructure, and bring in a lightweight both cloud and thin-client infrastructure and be up and running. >> Absolutely. 
A metric that we have to speak to the groundbreaking nature of what we're able to do now is typical patient engagement systems can take up to 18 months to install. Cost millions of dollars, be incredibly cumbersome, and expensive in terms of hours it takes to maintain the hardware. ZOTT, our technology, when we bring it in, goes live in hospitals in as little as 15 minutes. >> And not millions and millions of dollars? >> (laughs) Exponentially less. >> Okay, so the hospital has to buy into it, they really don't have to bring in any new infrastructure. You guys kind of turn-key that for them. So really need a champion inside the hospital. And a go. >> Absolutely, absolutely. A mindfulness we really maintain is where in the hospital is that each hospital decision maker's priority is to safeguard the individual patient and their families. We understand that there's sensitivity, there's a lot of security requirements. And one of the beauties of working with AWS, as you all know is, is AWS is HIPAA compliant. And, in working with AWS, we've been able to add an extra degree of security and safeguarding for any information we collect, any experience we work with the hospitals, so that everyone is safe. That all decision makers feel like their needs and requirements are being satisfied and safeguarded. >> So does that mean the kids can't play Fortnite? >> Fortnite (laughs). Neither Fortnite nor PUBG's (laughs). >> Well, because if they're playing Fortnite, you'd never get 'em home. >> (laughs) >> Same with PUBG. 
>> One thing that is pretty fun is through ZOTT and through GameChanger, all of our relationships with all of the big game developers around the world, is we may not have PUBG, but we do have Steam integration, and through our game developers, we have over a million dollars worth of Steam codes continually replenished, so patients and their siblings can download a 20, 30, 40, 50 dollar game, keep it on their laptop, on their tablet, take it with them when they leave. As a gift for their strength while they were in the hospital. >> Amazing. Taylor, thanks so much for the contribution you're making to the children and to the world. Really a phenomenal story. Appreciate you coming on theCUBE. >> Thank you both so much for letting us be here and sharing our story. >> You're very welcome. All right, keep it right there, buddy. We'll be back with our next guest. You're watching theCUBE from AWS Public Sector Summit. Stay right there. (upbeat electronic music)

Published Date : Jun 21 2018


James Kobielus, Wikibon | The Skinny on Machine Intelligence


 

>> Announcer: From the SiliconANGLE Media office in Boston, Massachusetts, it's theCUBE. Now here's your host, Dave Vellante. >> In the early days of big data and Hadoop, the focus was really on operational efficiency where ROI was largely centered on reduction of investment. Fast forward 10 years and you're seeing a plethora of activity around machine learning, and deep learning, and artificial intelligence, and deeper business integration as a function of machine intelligence. Welcome to this Cube conversation, The Skinny on Machine Intelligence. I'm Dave Vellante and I'm excited to have Jim Kobielus here up from the District area. Jim, great to see you. Thanks for coming into the office today. >> Thanks a lot, Dave, yes great to be here in beautiful Marlboro, Massachusetts. >> Yes, so you know Jim, when you think about all the buzz words in this big data business, I have to ask you, is this just sort of same wine, new bottle when we talk about all this AI and machine intelligence stuff? >> It's actually new wine. But of course there's various bottles and they have different vintages, and much of that wine is still quite tasty, and let me just break it out for you, the skinny on machine intelligence. AI as a buzzword and as a set of practices really goes back of course to the early post-World War II era, as we know Alan Turing and the Imitation Game and so forth. There are other developers, theorists, academics in the '40s and the '50s and '60s that pioneered in this field. So we don't want to give Alan Turing too much credit, but he was clearly a mathematician who laid down the theoretical framework for much of what we now call Artificial Intelligence. But when you look at Artificial Intelligence as an ever-evolving set of practices, where it began was in an area that focused on deterministic rules, rule-driven expert systems, and that was really the state of the art of AI for a long, long time. 
And so you had expert systems in a variety of areas that became useful or used in business, and science, and government and so forth. Cut ahead to the turn of the millennium, we are now in the 21st century, and what's different, the new wine, is big data, larger and larger data sets that can reveal great insights, patterns, correlations that might be highly useful if you have the right statistical modeling tools and approaches to be able to surface up these patterns in an automated or semi-automated fashion. So one of the core areas is what we now call machine learning, which really is using statistical models to infer correlations, anomalies, trends, and so forth in the data itself, and machine learning, the core approach for machine learning is something called Artificial Neural Networks, which is essentially modeling a statistical model along the lines of how, at a very high level, the nervous system is made up, with neurons connected by synapses, and so forth. It's an analog in statistical modeling called a perceptron. The whole theoretical framework of perceptrons actually got started in the 1950s with the first flush of AI, but didn't become a practical reality until after the turn of this millennium, really after the turn of this particular decade, 2010, when we started to see not only very large big data sets emerge and new approaches for managing it all, like Hadoop, come to the fore. But we've seen artificial neural nets get more sophisticated in terms of their capabilities, and a new approach for doing machine learning, artificial neural networks, with deeper layers of perceptrons, neurons, called deep learning has come to the fore. With deep learning, you have new algorithms like convolutional neural networks, recurrent neural networks, generative adversarial neural networks. These are different ways of surfacing up higher level abstractions in the data, for example for face recognition and object recognition, voice recognition and so forth. 
These all depend on this new state of the art for machine learning called deep learning. So what we have now in the year 2017 is we have quite a mania for all things AI, much of it is focused on deep learning, much of it is focused on tools that your average data scientist or your average developer increasingly can use and get very productive with and build these models and train and test them, and deploy them into working applications like going forward, things like autonomous vehicles would be impossible without this. >> Right, and we'll get some of that. But so you're saying that machine learning is essentially math that infers patterns from data. And math, it's new math, math that's been around for awhile or. >> Yeah, and inferring patterns from data has been done for a long time with software, and we have some established approaches that in many ways predate the current vogue for neural networks. We have support vector machines, and decision trees, and Bayesian logic. These are different ways of approaches statistical for inferring patterns, correlations in the data. They haven't gone away, they're a big part of the overall AI space, but it's a growing area that I've only skimmed the surface of. >> And they've been around for many many years, like SVM for example. Okay, now describe further, add some color to deep learning. You sort of painted a picture of this sort of deep layers of these machine learning algorithms and this network with some depth to it, but help us better understand the difference between machine learning and deep learning, and then ultimately AI. >> Yeah, well with machine learning generally, you know, inferring patterns from data that I said, artificial neural networks of which the deep learning networks are one subset. Artificial neural networks can be two or more layers of perceptrons or neurons, they have relationship to each other in terms of their activation according to various mathematical functions. 
So when you look at an artificial neural network, it basically does very complex math equations through a combination of what they call scalar functions, like multiplication and so forth, and then you have these non-linear functions, like cosine and so forth, tangent, all that kind of math playing together in these deep structures that are triggered by data, data input that's processed according to activation functions that set weights and reset the weights among all the various neural processing elements, that ultimately output something, the insight or the intelligence that you're looking for, like a yes or no, is this a face or not a face, that these incoming bits are presenting. Or it might present output in terms of categories. What category of face is this, a man, a woman, a child, or whatever. What I'm getting at is that so deep learning is more layers of these neural processing elements that are specialized to various functions to be able to abstract higher level phenomena from the data, it's not just, "Is this a face," but if it's a scene recognition deep learning network, it might recognize that this is a face that corresponds to a person named Dave who also happens to be the father in the particular family scene, and by the way this is a family scene that this deep learning network is able to ascertain. What I'm getting at is those are the higher level abstractions that deep learning algorithms of various sorts are built to identify in an automated way. >> Okay, and these in your view all fit under the umbrella of artificial intelligence, or is that sort of an uber field that we should be thinking of. >> Yeah, artificial intelligence as the broad envelope essentially refers to any number of approaches that help machines to think like humans, essentially. When you say, "Think like humans," what does that mean actually? 
To do predictions like humans, to look for anomalies or outliers like a human might, you know separate figure from ground for example in a scene, to identify the correlations or trends in a given scene. Like I said, to do categorization or classification based on what they're seeing in a given frame or what they're hearing in a given speech sample. So all these cognitive processes just skim the surface, or what AI is all about, automating to a great degree. When I say cognitive, but I'm also referring to affective like emotion detection, that's another set of processes that goes on in our heads or our hearts, that AI based on deep learning and so forth is able to do depending on different types of artificial neural networks are specialized particular functions, and they can only perform these functions if A, they've been built and optimized for those functions, and B, they have been trained with actual data from the phenomenon of interest. Training the algorithms with the actual data to determine how effective the algorithms are is the key linchpin of the process, 'cause without training the algorithms you don't know if the algorithm is effective for its intended purpose, so in Wikibon what we're doing is in the whole development process, DevOps cycle, for all things AI, training the models through a process called supervised learning is absolutely an essential component of ascertaining the quality of the network that you've built. >> So that's the calibration and the iteration to increase the accuracy, and like I say, the quality of the outcome. Okay, what are some of the practical applications that you're seeing for AI, and ML, and DL. >> Well, chat bots, you know voice recognition in general, Siri and Alexa, and so forth. Without machine learning, without deep learning to do speech recognition, those can't work, right? Pretty much in every field, now for example, IT service management tools of all sorts. 
When you have a large network that's logging data at the server level, at the application level and so forth, those data logs are too large and too complex and changing too fast for humans to be able to identify the patterns related to issues and faults and incidents. So AI, machine learning, deep learning is being used to fathom those anomalies and so forth in an automated fashion to be able to alert a human to take action, like an IT administrator, or to be able to trigger a response work flow, either human or automated. So AI within IT service management, hot hot topic, and we're seeing a lot of vendors incorporate that capability into their tools. Like I said, in the broad world we live in in terms of face recognition and Facebook, the fact is when I load a new picture of myself or my family or even with some friends or brothers in it, Facebook knows lickety-split whether it's my brother Tom or it's my wife or whoever, because of face recognition which obviously depends, well it's not obvious to everybody, depends on deep learning algorithms running inside Facebook's big data network, big data infrastructure. They're able to immediately know this. We see this all around us now, speech recognition, face recognition, and we just take it for granted that it's done, but it's done through the magic of AI. >> I want to get to the development angle scenario that you specialize in. Part of the reason why you came to Wikibon is to really focus on that whole application development angle. But before we get there, I want to follow the data for a bit 'cause you mentioned that was really the catalyst for the resurgence in AI, and last week at the Wikibon research meeting we talked about this three-tiered model. Edge, as edge piece, and then something in the middle which is this aggregation point for all this edge data, and then cloud which is where I guess all the deep modeling occurs, so sort of a three-tier model for the data flow. >> Jim: Yes. 
>> So I wonder if you could comment on that in the context of AI, it means more data, more I guess opportunities for machine learning and digital twins, and all this other cool stuff that's going on. But I'm really interested in how that is going to affect the application development and the programming model. John Furrier has a phrase that he says that, "Data is the new development kit." Well, if you got all this data that's distributed all over the place, that changes the application development model, at least you think it does. So I wonder if you could comment on that edge explosion, the data explosion as a result, and what it means for application development. >> Right, so more and more deep learning algorithms are being pushed to edge devices, by that I mean smartphones, and smart appliances like the ones that incorporate Alexa and so forth. And so what we're talking about is the algorithms themselves are being put into CPUs and FPGAs and ASICs and GPUs. All that stuff's getting embedded in everything that we're using, everything's that got autonomous, more and more devices have the ability if not to be autonomous in terms of making decisions, independent of us, or simply to serve as augmentation vehicles for our own whatever we happen to be doing thanks to the power of deep learning at the client. Okay, so when deep learning algorithms are embedded in say an internet of things edge device, what the deep learning algorithms are doing is A, they're ingesting the data through the sensors of that device, B, they're making inferences, deep learning algorithmic-driven inferences, based on that data. It might be speech recognition, face recognition, environmental sensing and being able to sense geospatially where you are and whether you're in a hospitable climate for whatever. And then the inferences might drive what we call actuation. 
Now in the autonomous vehicle scenario, the autonomous vehicle is equipped with all manner of sensors in terms of LiDAR and sonar and GPS and so forth, and it's taking readings all the time. It's doing inferences that either autonomously or in conjunction with inferences that are being made through deep learning and machine learning algorithms that are executing in those intermediary hubs like you described, or back in the cloud, or in a combination of all of that. But ultimately, the results of all those analytics, all those deep learning models, feed the what we call actuation of the car itself. Should it stop, should it put on the brakes 'cause it's about to hit a wall, should it turn right, should it turn left, should it slow down because it happened to have entered a new speed zone or whatever. All of the decisions, the actions that the edge device, like a car would be an edge device in this scenario, are being driven by evermore complex algorithms that are trained by data. Now, let's stay with the autonomous vehicle because that's an extreme case of a very powerful edge device. To train an autonomous vehicle you need of course lots and lots of data that's acquired from possibly a prototype that you, a Google or a Tesla, or whoever you might be, have deployed into the field or your customers are using, B, proving grounds like there's one out by my stomping ground out in Ann Arbor, a proving ground for the auto industry for self-driving vehicles and gaining enough real training data based on the operation of these vehicles in various simulated scenarios, and so forth. This data is used to build and iterate and refine the algorithms, the deep learning models that are doing the various operations of not only the vehicles in isolation but the vehicles operating as a fleet within an entire end to end transportation system. 
So what I'm getting at, is if you look at that three-tier model, then the edge device is the car, it's running under its own algorithms, the middle tier the hub might be a hub that's controlling a particular zone within a traffic system, like in my neck of the woods it might be a hub that's controlling congestion management among self-driving vehicles in eastern Fairfax County, Virginia. And then the cloud itself might be managing an entire fleet of vehicles, let's say you might have an entire fleet of vehicles under the control of say an Uber, or whatever is managing its own cars from a cloud-based center. So when you look at the tiering model that analytics, deep learning analytics is being performed, increasingly it will be for various, not just self-driving vehicles, through this tiered model, because the edge device needs to make decisions based on local data. The hub needs to make decisions based on a wider view of data across a wider range of edge entities. And then the cloud itself has responsibility or visibility for making deep learning driven determinations for some larger swath. And the cloud might be managing both the deep learning driven edge devices, as well as monitoring other related systems that self-driving network needs to coordinate with, like the government or whatever, or police.
>> So envisioning that three-tier model then, how does the programming paradigm change and evolve as a result of that.
>> Yeah, the programming paradigm is the modeling itself, the building and the training and the iterating the models generally will stay centralized, meaning to do all these functions, I mean to do modeling and training and iteration of these models, you need teams of data scientists and other developers who are both adept as to statistical modeling, who are adept at acquiring the training data, at labeling it, labeling is an important function there, and who are adept at basically developing and deploying one model after another in an iterative fashion through DevOps, through a standard release pipeline with version controls, and so forth built in, the governance built in. And that's really it needs to be a centralized function, and it's also very compute and data intensive, so you need storage resources, you need large clouds full of high performance computing, and so forth. Be able to handle these functions over and over. Now the edge devices themselves will feed in the data in just the data that is fed into the centralized platform where the training and the modeling is done. So what we're going to see is more and more centralized modeling and training with decentralized execution of the actual inferences that are driven by those models is the way it works in this distributive environment.
>> It's the Holy Grail. All right, Jim, we're out of time but thanks very much for helping us unpack and giving us the skinny on machine learning.
>> John: It's a fat stack.
>> Great to have you in the office and to be continued. Thanks again.
>> John: Sure.
>> All right, thanks for watching everybody. This is Dave Vellante with Jim Kobielus, and you're watching theCUBE at the Marlboro offices. See ya next time. (upbeat music)

Published Date : Oct 18 2017
