(upbeat music) (air whooshing) >> Hi everybody. John Walls here continuing our Cube Conversations here focusing on NETSCOUT today and the drawing problem of ransomware. Obviously very much in the news these days for the couple of high profile cases. It is certainly an increasing challenge, but by no means a new phenomenon at all. With us to talk about this is Roland Dobbins who is the principal engineer of NETSCOUT's A-CERT team. And Ronald and good to see you today, sir. Thanks for joining us. >> Good to see you as well. And Richard Hummel who's Threat Intelligence research lead for the A-CERT Team. And Richard, thank you for being with us as well here on the Cube. >> Absolutely John, thanks for having us. >> Yeah, let's just jump right in here. Ransomware, obviously we're all well aware of a couple of high profile cases, as I alluded to. Let's talk about first, the magnitude and scale of the problem, as it currently exists. And Roland, I'm going to let you just set the table for us here. Let's talk about ransomware, where it was maybe four or five years ago, and then the challenge has become today? >> Actually, John, if you don't mind I'd really like to hand that one to my colleague, Richard because >> By all means, so Richard- he's really has an in-depth background there if that's okay. >> Richard, jump in on that. >> Absolutely. Yeah. And so (clears throat) I'll handle all the ransomware stuff, namely because I've been doing this for going on seven years now of looking specifically at ransomware. I started this right around the time I joined Eyesight Partners, you know leading premier provider of threat intelligence who was acquired by FireEye and now Mandiat, and now even a conglomerate that just acquired Mandia. So there's been a series of acquisitions here but the reality is this threat intelligence has been pervasive across all of these. And you can see that over time that value hasn't diminished. And you can see that by all of these acquisitions. that are like that's a really good example to show how valuable this is because everybody wants it. And the reality is back then I started tracking ransomware specifically looking at a lot of the CryptoLocker variance, things like CryptoWall, and TorrentLocker, and TeslaCrypt. And there's any number I could go on and on and on about all these different variations, and how ransomware came to be, and what you know, adversaries were using it for. But the reality is ransomware has been around for a long, long time and probably three or four years ago. There was this lull in time where people are like, hey we've got these initiatives like no ransomware.org. We've got the, you know, local law enforcement backing in a bunch of different countries. There's this big huge international effort to basically get rid of ransomware. And it's going to% be a thing of the past. And we very clearly see that is not the case. And now with ransomware, you have an evolution over time. It used to be you would have different flavors of ransomware where sometimes it would encrypt your files first and then it would reach back to the command control. Sometimes it would reach back first to get keys and then it would encrypt. Sometimes the encryptions were breakable, sometimes the keys were stored locally, but a lot of them more recent variants of ransomware are very well done. They're very sophisticated. They will encrypt your files and the keys themselves are held by the adversary. And so there's no way to just decrypt it. You can't create a decryptor like a lot of these security companies do you would actually have to get that key from the adversary or you would have to restore your systems from a backup. And so the history of ransomware is very long and varied. And you know one of the core topics we want to discuss today is ransomware isn't by itself anymore. It used to be like ransomware was the name that incited fear but these guys have evolved over time. And now ransomware operators are doing kind of this triple extortion. Where they will encrypt your files, they've already gained access to that system. So then they will exfiltrate sensitive data and they will have that as kind of a hostage and say, look you're going to pay us for this ransomware to decrypt your files, to get those back. But I'll guess what? We also have your sensitive data that we're going to post online and sell and on underground forms unless you pay us additional money. But now we even have a third stage here. And this is kind of where Roland's going to come in and talk about this is we have DDoS extortion. That is surging In fact, we did a survey of enterprise internet service providers. And when we asked them what was their biggest concerns in 2020 and going into 2021 about threats, and obviously ransomware was number one but DDoS extortion was number two. And so you have this one, two bang the adversaries are using to be able to extort payment from victims. And this has been going on for a number of years with this kind of double extortion. And now this triple extortion, in fact going all the way back to the CryptoLocker days you would have banking malware, like Gameover Zeus where they would get on your system, they would do wire transfers from your bank accounts. There was steal files. And then as a last hurrah they would deploy ransomware and encrypt all your files. And so not only did they steal all your money from the bank. Now, they're going to say, you got to pay us to actually do decrypt your files. So this idea of kind of a double tap has been going on for a long time. And more recently around September of last year we started to see this DDoS aspect part of these operations. And so, yeah, that's kind of the history of what we're dealing with here. >> And so, and DDoS distributed denial service, Ronald let you pick up the ball at this point then. Now this evolution you will the triple threat, you know first you were talking about in encryption, in public exposure. And now this DDoS stage, this pillar of the malfeasance, if you will what kind of headaches is this causing in terms of from an engineering perspective from your side of the fence when you're looking at what your clients are dealing with when all of a sudden they have this entirely new plethora of challenges that are confronting them. >> Sure. So DDoS goes back a long ways. So it actually goes back to the late 80s and the early ARPANET. And then we started to see non-monetary DDoS extortion in the early 1990s. And we started to see monetary DDoS extortion that kicked off around 1997. So with any, criminals are very, very adaptive. And so when new technologies come online and new ways that they can potentially exploit it for their gain, they will do so in many cases using old modalities just simply transliterated into the new technology space. And that's what we see with (indistinct) extortion. DDOS attacks are attacks against availability. So the idea is to disrupt the access, (indistinct) access to applications, services, servers, data content, infrastructure, those different types of things. And DDoS attacks can be motivated by pretty much any motivation you can think of. But there is a hard core of DDoS extortionists that we've seen over the years. And this Richard indicated what we started to see is a convergence between these sets of criminal specialties. And so a few years ago, we actually were disassembling a piece of ransomware and it turned out that it had some very basic DDoS attack capabilities coded into it. It was obviously a prototype, it hadn't been finished, but this showed that these criminals in the ransomware space were thinking about getting into DDoS. And now they've developed this methodology where like Richard said, they, number one, they encrypt the files. Number two, they'll threaten to leak information. And then they will DDoS the public facing infrastructure of the organizations to try and put additional pressure on them to pay. And especially now during the pandemic with this wholesale shift to remote work. The attackers for the first time have the ability not only to disrupt the online operations which is bad enough, but they can actually interfere with the ordinary work day activities of the first-line workforce of organizations. And so this really makes it even more potent. And the ransomware itself is interesting as well because it uses exploits, social engineering, along with technological exploits to exploit the confidentiality and the integrity of data, and to restrict that stuff which actually turns into an attack against availability. So it's kind of really a different form of DDoS attack and coupled out with a real DDoS attack, and it can be very, very challenging. But one thing John that we've seen is that organizations if they have prepared to deal with a DDoS attack in form an architectural perspective, from an operational perspective. If they have done the things they need to do, to be able to maintain availability, even in the face of attack. There are about 80% of where they need to be to be to able to withstand a ransomware attack. Conversely, if organizations have been doing a good job and ensuring that their systems are secured and if they do get hit somehow with ransomware that they have the ability to maintain operations and communications and recover, they're about 80% of where they need to be to be able to successfully withstand DDoS attacks. And so it turns out that even though these threats are major threats and they are something that organizations need to be aware of, the good news is that a lot of the planning, and resources, and organizational changes that need to be made to face these threats are in fact very similar. >> Yeah, but (indistinct) mean the challenge is, it's hard work, right? It, there's an enormous amount of preparations got to go into this, and pre-planning, pre-thought, and that's what NETSCOUT is all about obviously is trying to get people onto that journey and getting into this examination of their services, and their networks, and... The fact that this can happen on multiple layers, right? It could be application, be protocols, transport, network, whatever, you know just multiple ways that these DDoS attacks can occur. What kind of I'd say well, challenges again does that present in the fact that it is, there are many doors, right? That these attacks can happen from or where these attacks can come from. So how do you then talk to your client base about approaching this kind of examination and these prophylactic measures that you're suggesting that have to be done in order to minimize the damage? >> It's really about business continuity. Now business continuity planning, we used to be called "disaster recovery planning", right? Is something that organizations are very familiar with. It often has executive sponsorship and a lot of planning has gone into it. The thing is DDoS attacks, which were attacks against availability are in fact a manmade disaster, right? And they interrupt the continuity of business. Same thing with the ransomware, and so from an architectural standpoint, from the standpoint of rolling out new products and services, resiliency and to attack, and the ability to maintain availability and continue with operations in the face of attack is really really key for any organization today which has any kind of significant online presence. And that's really just about all of them. And so from a planning standpoint, it's imperative from an architectural standpoint whether we're talking about things like network infrastructure, or DNS, or software applications. It's important from an operational standpoint. So one of the things that we see for example is that many organizations don't really have a good communications plan. They don't have a good internal communications plan nor do they have a good external communications plan for communicating during an event. And they don't even have really a plan for dealing with an event that is disruptive to business continuity and operations. And so that is really key. Technology is important, but the most important aspect of this is the human factor, understanding the business, understanding the types of risks to the business's ability to execute on its mission and then doing the things from a technological perspective, from an operational perspective, and from a communications perspective to maintain operations, and communications throughout an event and to be able to emerge on the other side of that agenda successfully. >> So Richard you're in threat intelligence, right? Risk assessments. And as you said, you've been around this block for quite some time now. In terms of, I guess getting people's attention that has been accomplished now with obviously some, with some of these high profile cases. But what about that kind of work that you're doing in terms of trying to communicate these very threats to your client base or to prospective clients in terms of identifying their real vulnerabilities within their networks and then having them seriously address these. I mean, what's the difference maybe in the mindset now, as opposed to where maybe that conversation was being had a few years ago? >> I think the biggest difference here is a matter of when and not if. It used to be, you could say, "Oh I'm never going to get hit by ransomware or I'm never going to get DDoS attacked." But that is no longer the case. Roland made a really good point that just about every single business in the world now relies on internet connectivity in order to operate their business. If they don't have that then they're not going to be able to connect with their consumers, their shoppers, if they're a retail, right? If you're a bank, then you have to communicate with your individuals having accounts. And I mean, I have not gone to a physical bank in probably six years. And so that just underscores how important it is to have this internet connectivity. Now, with that comes risk. Not only do you risk the DDoS attacks because you're publicly exposed in an adversary where you can actually find your internet space by doing some forensics, such as network scanning, being able to walk that back like a passive DNS but their historical records use things like showdown to figure out what kind of devices you're running. So there's any number of ways that you can do that. But at the same time you're also exposing yourself to these ransomware operators and really any kind of crime ware operator out there, because they're going to exploit you over the internet. We actually did a case study probably two years ago. Looking at brute forcing on networks and looking at exploitation attempts to figure out like what is the Delta? If you have an online internet presence are you going to get attacked? And the answer was very shocking to us. Yes, you're going to get attacked. And also it's going to be in less than five minutes, from the time a brand new IOT device goes online to the time it starts getting brute force attacked. And within 24 hours you're going to get exploitation attempts from known vulnerabilities or devices that haven't been patched and things like that. And so the reality is not if you're going to get attacked, it's when? And so understanding that is the nature of the threat landscape right now and having this kind of security awareness. Actually another good point that Roland just brought up was that human element. The human element is kind of the linchpin for any security organization. And as part of my master's I had wrote a dissertation about, and I named it as such my professor didn't really care for this, but I said, "The humans are the weakest link." Because in the security posture, that is essentially true. If you don't have the expertise on a team you're not going to be able to get things configured properly. If you don't have the expertise you're not going to be able to respond properly. If you have individuals that aren't concerned about security, now you're going to have a bunch of gaps. Not only that, social engineering is still the number one method that adversaries use to get into organizations and that manipulates the human element. And so having the security awareness in what we do here, on this cube interview, the threat reports, we publish, the blogs that we do, all the threads summaries, all of that goes hand-in-hand with educating the general public and having security awareness pushed out as much as possible to every single person we can. And that's really the key, this preparation, this awareness of what adversaries are doing in order to defend against them. >> So Roland in your mind and you've already walked us through a little bit of this about certain steps and measures. Do you think that could be taken safeguards basically, that everybody should have in the place? What is the optimal scenario from an engineering perspective in terms of trying to prevent these kinds of intrusions, these kinds of attacks in terms of what are those basic pieces, these fundamental pieces as you see it now, understanding as Richard just told us that it's matter of not if, but when? >> Right. So availability, redundancy these have to be core architectural principles whether we're talking about network infrastructure, whether we're talking about important ancillary supporting services like DNS in terms of personnel, in terms of remote access. All of these different elements and many many more have to be designed from the out. All the services in the applications whether they're used internally, whether they are part of service delivery that an organization is doing across the internet, publicly there has to be redundancy and resiliency. There has to be a defense plan in order to defend these assets in these organizations against attack. Whether it's DDoS attack or whether it's a containment plan to deal with a ransomware that potentially gets let loose inside the enterprise network, there has to be a plan to contain it, and deal with it, and restore from backup. These plans have to be continuously updated because IT is not static. There are always noose and nance and changes this organizations provision new services offer new products, move into new markets and new new sub-specializations. And so the plans have to be consistently updated and they have to be rehearsed. You can't have a plan that just exists as pixels on a phosphorous somewhere. The plan has to be executed because you're going to find that there's some scenario, some service, or application, or operational process that needs to be updated or that needs to be included in the plan. And this has to be done regularly. Another key point is that you have to have people who are very skilled and who have both depth and breadth of understanding. And either you bring those people into your organization or you reach out and get that expertise from organizations who do in fact have that kind of expertise on tap and available. >> Well, is, you both certainly exhibit the depth and the breadth to fight this issue(chuckles) I certainly appreciate the time, the insights, and the warning is quite clear. Be prepared, do the hard work upfront. It could save you a lot of headache on the backside. And it is a matter of when and not if, these days. Richard Roland, thanks for being with us here on the Cube >> Thank you so much. >> Thank you so much. It's a pleasure. >> All right, talking about the triple threat of extortion, cyber extortion these days, and DDoS, the distributed denial of service in the growing problem. It is, but there is a way that you can combat it. And you just learned about that (indistinct) NETSCOUT here on the Cube. (upbeat music)

(upbeat music) (air whooshing) >> Hi everybody. John Walls here continuing our Cube Conversations here focusing on NETSCOUT today and the drawing problem of ransomware. Obviously very much in the news these days for the couple of high profile cases. It is certainly an increasing challenge, but by no means a new phenomenon at all. With us to talk about this is Roland Dobbins who is the principal engineer of NETSCOUT's A-CERT team. And Ronald and good to see you today, sir. Thanks for joining us. >> Good to see you as well. And Richard Hummel who's Threat Intelligence research lead for the A-CERT Team. And Richard, thank you for being with us as well here on the Cube. >> Absolutely John, thanks for having us. >> Yeah, let's just jump right in here. Ransomware, obviously we're all well aware of a couple of high profile cases, as I alluded to. Let's talk about first, the magnitude and scale of the problem, as it currently exists. And Roland, I'm going to let you just set the table for us here. Let's talk about ransomware, where it was maybe four or five years ago, and then the challenge has become today? >> Actually, John, if you don't mind I'd really like to hand that one to my colleague, Richard because >> By all means, so Richard- he's really has an in-depth background there if that's okay. >> Richard, jump in on that. >> Absolutely. Yeah. And so (clears throat) I'll handle all the ransomware stuff, namely because I've been doing this for going on seven years now of looking specifically at ransomware. I started this right around the time I joined Eyesight Partners, you know leading premier provider of threat intelligence who was acquired by FireEye and now Mandiat, and now even a conglomerate that just acquired Mandia. So there's been a series of acquisitions here but the reality is this threat intelligence has been pervasive across all of these. And you can see that over time that value hasn't diminished. And you can see that by all of these acquisitions. that are like that's a really good example to show how valuable this is because everybody wants it. And the reality is back then I started tracking ransomware specifically looking at a lot of the CryptoLocker variance, things like CryptoWall, and TorrentLocker, and TeslaCrypt. And there's any number I could go on and on and on about all these different variations, and how ransomware came to be, and what you know, adversaries were using it for. But the reality is ransomware has been around for a long, long time and probably three or four years ago. There was this lull in time where people are like, hey we've got these initiatives like no ransomware.org. We've got the, you know, local law enforcement backing in a bunch of different countries. There's this big huge international effort to basically get rid of ransomware. And it's going to% be a thing of the past. And we very clearly see that is not the case. And now with ransomware, you have an evolution over time. It used to be you would have different flavors of ransomware where sometimes it would encrypt your files first and then it would reach back to the command control. Sometimes it would reach back first to get keys and then it would encrypt. Sometimes the encryptions were breakable, sometimes the keys were stored locally, but a lot of them more recent variants of ransomware are very well done. They're very sophisticated. They will encrypt your files and the keys themselves are held by the adversary. And so there's no way to just decrypt it. You can't create a decryptor like a lot of these security companies do you would actually have to get that key from the adversary or you would have to restore your systems from a backup. And so the history of ransomware is very long and varied. And you know one of the core topics we want to discuss today is ransomware isn't by itself anymore. It used to be like ransomware was the name that incited fear but these guys have evolved over time. And now ransomware operators are doing kind of this triple extortion. Where they will encrypt your files, they've already gained access to that system. So then they will exfiltrate sensitive data and they will have that as kind of a hostage and say, look you're going to pay us for this ransomware to decrypt your files, to get those back. But I'll guess what? We also have your sensitive data that we're going to post online and sell and on underground forms unless you pay us additional money. But now we even have a third stage here. And this is kind of where Roland's going to come in and talk about this is we have DDoS extortion. That is surging In fact, we did a survey of enterprise internet service providers. And when we asked them what was their biggest concerns in 2020 and going into 2021 about threats, and obviously ransomware was number one but DDoS extortion was number two. And so you have this one, two bang the adversaries are using to be able to extort payment from victims. And this has been going on for a number of years with this kind of double extortion. And now this triple extortion, in fact going all the way back to the CryptoLocker days you would have banking malware, like Gameover Zeus where they would get on your system, they would do wire transfers from your bank accounts. There was steal files. And then as a last hurrah they would deploy ransomware and encrypt all your files. And so not only did they steal all your money from the bank. Now, they're going to say, you got to pay us to actually do decrypt your files. So this idea of kind of a double tap has been going on for a long time. And more recently around September of last year we started to see this DDoS aspect part of these operations. And so, yeah, that's kind of the history of what we're dealing with here. >> And so, and DDoS distributed denial service, Ronald let you pick up the ball at this point then. Now this evolution you will the triple threat, you know first you were talking about in encryption, in public exposure. And now this DDoS stage, this pillar of the malfeasance, if you will what kind of headaches is this causing in terms of from an engineering perspective from your side of the fence when you're looking at what your clients are dealing with when all of a sudden they have this entirely new plethora of challenges that are confronting them. >> Sure. So DDoS goes back a long ways. So it actually goes back to the late 80s and the early ARPANET. And then we started to see non-monetary DDoS extortion in the early 1990s. And we started to see monetary DDoS extortion that kicked off around 1997. So with any, criminals are very, very adaptive. And so when new technologies come online and new ways that they can potentially exploit it for their gain, they will do so in many cases using old modalities just simply transliterated into the new technology space. And that's what we see with (indistinct) extortion. DDOS attacks are attacks against availability. So the idea is to disrupt the access, (indistinct) access to applications, services, servers, data content, infrastructure, those different types of things. And DDoS attacks can be motivated by pretty much any motivation you can think of. But there is a hard core of DDoS extortionists that we've seen over the years. And this Richard indicated what we started to see is a convergence between these sets of criminal specialties. And so a few years ago, we actually were disassembling a piece of ransomware and it turned out that it had some very basic DDoS attack capabilities coded into it. It was obviously a prototype, it hadn't been finished, but this showed that these criminals in the ransomware space were thinking about getting into DDoS. And now they've developed this methodology where like Richard said, they, number one, they encrypt the files. Number two, they'll threatened to leak information. And then they will DDoS the public facing infrastructure of the organizations to try and put additional pressure on them to pay. And especially now during the pandemic with this wholesale shift to remote work. The attackers for the first time have the ability not only to disrupt the online operations which is bad enough, but they can actually interfere with the ordinary work day activities of the first-line workforce of organizations. And so this really makes it even more potent. And the ransomware itself is interesting as well because it uses exploits (indistinct), social engineering, along with technological exploits to exploit the confidentiality and the integrity of data, and to restrict that stuff which actually turns into an attack against availability. So it's kind of really a different form of DDoS attack and coupled out with a real DDoS attack, and it can be very, very challenging. But one thing John that we've seen is that organizations if they have prepared to deal with a DDoS attack in form an architectural perspective, from an operational perspective. If they have done the things they need to do, to be able to maintain availability, even in the face of attack. There are about 80% of where they need to be to be to able to withstand a ransomware attack. Conversely, if organizations have been doing a good job and ensuring that their systems are secured and if they do get hit somehow with ransomware that they have the ability to maintain operations and communications and recover, they're about 80% of where they need to be to be able to successfully withstand DDoS attacks. And so it turns out that even though these threats are major threats and they are something that organizations need to be aware of, the good news is that a lot of the planning, and resources, and organizational changes that need to be made to face these threats are in fact very similar. >> Yeah, but (indistinct) mean the challenge is, it's hard work, right? It, there's an enormous amount of preparations got to go into this, and pre-planning, pre-thought, and that's what NETSCOUT is all about obviously is trying to get people onto that journey and getting into this examination of their services, and their networks, and... The fact that this can happen on multiple layers, right? It could be application, be protocols, transport, network, whatever, you know just multiple ways that these DDoS attacks can occur. What kind of I'd say well, challenges again does that present in the fact that it is, there are many doors, right? That these attacks can happen from or where these attacks can come from. So how do you then talk to your client base about approaching this kind of examination and these prophylactic measures that you're suggesting that have to be done in order to minimize the damage? >> It's really about business continuity. Now business continuity planning, we used to be called "disaster recovery planning", right? Is something that organizations are very familiar with. It often has executive sponsorship and a lot of planning has gone into it. The thing is DDoS attacks, which were attacks against availability are in fact a manmade disaster, right? And they interrupt the continuity of business. Same thing with the ransomware, and so from an architectural standpoint, from the standpoint of rolling out new products and services, resiliency and to attack, and the ability to maintain availability and continue with operations in the face of attack is really really key for any organization today which has any kind of significant online presence. And that's really just about all of them. And so from a planning standpoint, it's imperative from an architectural standpoint whether we're talking about things like network infrastructure, or DNS, or software applications. It's important from an operational standpoint. So one of the things that we see for example is that many organizations don't really have a good communications plan. They don't have a good internal communications plan nor do they have a good external communications plan for communicating during an event. And they don't even have really a plan for dealing with an event that is disruptive to business continuity and operations. And so that is really key. Technology is important, but the most important aspect of this is the human factor, understanding the business, understanding the types of risks to the business's ability to execute on its mission and then doing the things from a technological perspective, from an operational perspective, and from a communications perspective to maintain operations, and communications throughout an event and to be able to emerge on the other side of that agenda successfully. >> So Richard you're in threat intelligence, right? Risk assessments. And as you said, you've been around this block for quite some time now. In terms of, I guess getting people's attention that has been accomplished now with obviously some, with some of these high profile cases. But what about that kind of work that you're doing in terms of trying to communicate these very threats to your client base or to prospective clients in terms of identifying their real vulnerabilities within their networks and then having them seriously address these. I mean, what's the difference maybe in the mindset now, as opposed to where maybe that conversation was being had a few years ago? >> I think the biggest difference here is a matter of when and not if. It used to be, you could say, "Oh I'm never going to get hit by ransomware or I'm never going to get DDoS attacked." But that is no longer the case. Roland made a really good point that just about every single business in the world now relies on internet connectivity in order to operate their business. If they don't have that then they're not going to be able to connect with their consumers, their shoppers, if they're a retail, right? If you're a bank, then you have to communicate with your individuals having accounts. And I mean, I have not gone to a physical bank in probably six years. And so that just underscores how important it is to have this internet connectivity. Now, with that comes risk. Not only do you risk the DDoS attacks because you're publicly exposed in an adversary where you can actually find your internet space by doing some forensics, such as network scanning, being able to walk that back like a passive DNS but their historical records use things like showdown to figure out what kind of devices you're running. So there's any number of ways that you can do that. But at the same time you're also exposing yourself to these ransomware operators and really any kind of crime ware operator out there, because they're going to exploit you over the internet. We actually did a case study probably two years ago. Looking at brute forcing on networks and looking at exploitation attempts to figure out like what is the Delta? If you have an online internet presence are you going to get attacked? And the answer was very shocking to us. Yes, you're going to get attacked. And also it's going to be in less than five minutes, from the time a brand new IOT device goes online to the time it starts getting brute force attacked. And within 24 hours you're going to get exploitation attempts from known vulnerabilities or devices that haven't been patched and things like that. And so the reality is not if you're going to get attacked, it's when? And so understanding that is the nature of the threat landscape right now and having this kind of security awareness. Actually another good point that Roland just brought up was that human element. The human element is kind of the linchpin for any security organization. And as part of my master's I had wrote a dissertation about, and I named it as such my professor didn't really care for this, but I said, "The humans are the weakest link." Because in the security posture, that is essentially true. If you don't have the expertise on a team you're not going to be able to get things configured properly. If you don't have the expertise you're not going to be able to respond properly. If you have individuals that aren't concerned about security, now you're going to have a bunch of gaps. Not only that, social engineering is still the number one method that adversaries use to get into organizations and that manipulates the human element. And so having the security awareness in what we do here, on this cube interview, the threat reports, we publish, the blogs that we do, all the threads summaries, all of that goes hand-in-hand with educating the general public and having security awareness pushed out as much as possible to every single person we can. And that's really the key, this preparation, this awareness of what adversaries are doing in order to defend against them. >> So Roland in your mind and you've already walked us through a little bit of this about certain steps and measures. Do you think that could be taken safeguards basically, that everybody should have in the place? What is the optimal scenario from an engineering perspective in terms of trying to prevent these kinds of intrusions, these kinds of attacks in terms of what are those basic pieces, these fundamental pieces as you see it now, understanding as Richard just told us that it's matter of not if, but when? >> Right. So availability, redundancy these have to be core architectural principles whether we're talking about network infrastructure, whether we're talking about important ancillary supporting services like DNS in terms of personnel, in terms of remote access. All of these different elements and many many more have to be designed from the out. All the services in the applications whether they're used internally, whether they are part of service delivery that an organization is doing across the internet, publicly there has to be redundancy and resiliency. There has to be a defense plan in order to defend these assets in these organizations against attack. Whether it's DDoS attack or whether it's a containment plan to deal with a ransomware that potentially gets let loose inside the enterprise network, there has to be a plan to contain it, and deal with it, and restore from backup. These plans have to be continuously updated because IT is not static. There are always noose and nance and changes this organizations provision new services offer new products, move into new markets and new new sub-specializations. And so the plans have to be consistently updated and they have to be rehearsed. You can't have a plan that just exists as pixels on a phosphorous somewhere. The plan has to be executed because you're going to find that there's some scenario, some service, or application, or operational process that needs to be updated or that needs to be included in the plan. And this has to be done regularly. Another key point is that you have to have people who are very skilled and who have both depth and breadth of understanding. And either you bring those people into your organization or you reach out and get that expertise from organizations who do in fact have that kind of expertise on tap and available. >> Well, is, you both certainly exhibit the depth and the breadth to fight this issue(chuckles) I certainly appreciate the time, the insights, and the warning is quite clear. Be prepared, do the hard work upfront. It could save you a lot of headache on the backside. And it is a matter of when and not if, these days. Richard Roland, thanks for being with us here on the Cube >> Thank you so much. >> Thank you so much. It's a pleasure. >> All right, talking about the triple threat of extortion, cyber extortion these days, and DDoS, the distributed denial of service in the growing problem. It is, but there is a way that you can combat it. And you just learned about that (indistinct) NETSCOUT here on the Cube. (upbeat music)

>> Announcer: From theCUBE studios in Palo Alto in Boston, connecting with thought leaders all around the world. This is a CUBE conversation. >> Hi everyone. Welcome to this CUBE Conversation. I'm John Furrier host of theCUBE here in the CUBEs, Palo Alto studios during the COVID crisis. We're quarantine with our crew, but we got the remote interviews. Got two great guests here from Fortinet FortiGuard Labs, Derek Mankey, Chief Security Insights and global threat alliances at Fortinet FortiGuard Labs. And Aamir Lakhani who's the Lead Researcher for the FortiGuard Labs. You guys is great to see you. Derek, good to see you again, Aamir, good to meet you too. >> It's been a while and it happens so fast. >> It just seems was just the other day, Derek, we've done a couple of interviews in between a lot of flow coming out of Fortinet FortiGuard, a lot of action, certainly with COVID everyone's pulled back home, the bad actors taking advantage of the situation. The surface areas increased really is the perfect storm for security in terms of action, bad actors are at an all time high, new threats. Here's going on, take us through what you guys are doing. What's your team makeup look like? What are some of the roles and you guys are seeing on your team and how does that transcend to the market? >> Yeah, sure, absolutely. So you're right. I mean like I was saying earlier that is, this always happens fast and furious. We couldn't do this without a world class team at FortiGuard Labs. So we've grown our team now to over 235 globally. There's different rules within the team. If we look 20 years ago, the rules used to be just very pigeonholed into say antivirus analysis, right? Now we have to account for, when we're looking at threats, we have to look at that growing attack surface. We have to look at where are these threats coming from? How frequently are they hitting? What verticals are they hitting? What regions, what are the particular techniques, tactics, procedures? So we have threat. This is the world of threat intelligence, of course, contextualizing that information and it takes different skill sets on the backend. And a lot of people don't really realize the behind the scenes, what's happening. And there's a lot of magic happening, not only from what we talked about before in our last conversation from artificial intelligence and machine learning that we do at FortiGuard Labs and automation, but the people. And so today we want to focus on the people and talk about how on the backend we approached a particular threat, we're going to talk to the word ransom and ransomware, look at how we dissect threats, how correlate that, how we use tools in terms of threat hunting as an example, and then how we actually take that to that last mile and make it actionable so that customers are protected. I would share that information with keys, right, until sharing partners. But again, it comes down to the people. We never have enough people in the industry, there's a big shortage as we know, but it's a really key critical element. And we've been building these training programs for over a decade with them FortiGuard Labs. So, you know John, this to me is exactly why I always say, and I'm sure Aamir can share this too, that there's never a adult day in the office and all we hear that all the time. But I think today, all of you is really get an idea of why that is because it's very dynamic and on the backend, there's a lot of things that we're doing to get our hands dirty with this. >> You know the old expression startup plan Silicon Valley is if you're in the arena, that's where the action is. And it's different than sitting in the stands, watching the game. You guys are certainly in that arena and you got, we've talked and we cover your, the threat report that comes out frequently. But for the folks that aren't in the weeds on all the nuances of security, can you kind of give the 101 ransomware, what's going on? What's the state of the ransomware situation? Set the stage because that's still continues to be threat. I don't go a week, but I don't read a story about another ransomware. And then at least I hear they paid 10 million in Bitcoin or something like, I mean, this is real, that's a real ongoing threat. What is it? >> The (indistinct) quite a bit. But yeah. So I'll give sort of the 101 and then maybe we can pass it to Aamir who is on the front lines, dealing with this every day. You know if we look at the world of, I mean, first of all, the concept of ransom, obviously you have people that has gone extended way way before cybersecurity in the world of physical crime. So of course, the world's first ransom where a virus is actually called PC Cyborg. This is a 1989 around some payment that was demanded through P.O Box from the voters Panama city at the time, not too effective on floppiness, a very small audience, not a big attack surface. Didn't hear much about it for years. Really, it was around 2010 when we started to see ransomware becoming prolific. And what they did was, what cyber criminals did was shift on success from a fake antivirus software model, which was, popping up a whole bunch of, setting here, your computer's infected with 50 or 60 viruses, PaaS will give you an antivirus solution, which was of course fake. People started catching on, the giggles out people caught on to that. So they, weren't making a lot of money selling this fraudulent software, enter ransomware. And this is where ransomware, it really started to take hold because it wasn't optional to pay for this software. It was mandatory almost for a lot of people because they were losing their data. They couldn't reverse engineer that the encryption, couldn't decrypt it, but any universal tool. Ransomware today is very rigid. We just released our threat report for the first half of 2020. And we saw, we've seen things like master boot record, MVR, ransomware. This is persistent. It sits before your operating system, when you boot up your computer. So it's hard to get rid of it. Very strong public private key cryptography. So each victim is effective with the direct key, as an example, the list goes on and I'll save that for the demo today, but that's basically, it's just very, it's prolific. We're seeing shuts not only just ransomware attacks for data, we're now starting to see ransom for extortion, for targeted around some cases that are going after critical business. Essentially it's like a DoS holding revenue streams go ransom too. So the ransom demands are getting higher because of this as well. So it's complicated. >> Was mentioning Aamir, why don't you weigh in, I mean, 10 million is a lot. And we reported earlier in this month. Garmin was the company that was hacked, IT got completely locked down. They pay 10 million, Garmin makes all those devices. And as we know, this is impact and that's real numbers. I mean, it's not other little ones, but for the most part, it's nuance, it's a pain in the butt to full on business disruption and extortion. Can you explain how it all works before we go to the demo? >> You know, you're absolutely right. It is a big number and a lot of organizations are willing to pay that number, to get their data back. Essentially their organization and their business is at a complete standstill when they don't pay, all their files are inaccessible to them. Ransomware in general, what it does end up from a very basic overview is it basically makes your files not available to you. They're encrypted. They have essentially a passcode on them that you have to have the correct passcode to decode them. A lot of times that's in a form of a program or actually a physical password you have to type in, but you don't get that access to get your files back unless you pay the ransom. A lot of corporations these days, they are not only paying the ransom. They're actually negotiating with the criminals as well. They're trying to say, "Oh, you want 10 million? "How about 4 million?" Sometimes that goes on as well. But it's something that organizations know that if they didn't have the proper backups and the hackers are getting smart, they're trying to go after the backups as well. They're trying to go after your duplicated files. So sometimes you don't have a choice in organizations. Will pay the ransom. >> And it's, they're smart, there's a business. They know the probability of buy versus build or pay versus rebuild. So they kind of know where to attack. They know that the tactics and it's vulnerable. It's not like just some kitty script thing going on. This is real sophisticated stuff it's highly targeted. Can you talk about some use cases there and what goes on with that kind of a attack? >> Absolutely. The cyber criminals are doing reconnaissance and trying to find out as much as they can about their victims. And what happens is they're trying to make sure that they can motivate their victims in the fastest way possible to pay the ransom as well. So there's a lot of attacks going on. We usually, what we're finding now is ransomware is sometimes the last stage of an attack. So an attacker may go into an organization. They may already be taking data out of that organization. They may be stealing customer data, PII, which is personal identifiable information, such as social security numbers, or driver's licenses, or credit card information. Once they've done their entire tap. Once they've gone everything, they can. A lot of times their end stage, their last attack is ransomware. And they encrypt all the files on the system and try and motivate the victim to pay as fast as possible and as much as possible as well. >> I was talking to my buddy of the day. It's like casing the joint there, stay, check it out. They do their recon, reconnaissance. They go in identify what's the best move to make, how to extract the most out of the victim in this case, the target. And it really is, I mean, it's just to go on a tangent, why don't we have the right to bear our own arms? Why can't we fight back? I mean, at the end of the day, Derek, this is like, who's protecting me? I mean, what to protect my, build my own arms, or does the government help us? I mean, at some point I got a right to bear my own arms here. I mean, this is the whole security paradigm. >> Yeah. So, I mean, there's a couple of things. So first of all, this is exactly why we do a lot of, I was mentioning the skill shortage in cyber cybersecurity professionals as an example. This is why we do a lot of the heavy lifting on the backend. Obviously from a defensive standpoint, you obviously have the red team, blue team aspect. How do you first, there's what is to fight back by being defensive as well, too. And also by, in the world of threat intelligence, one of the ways that we're fighting back is not necessarily by going and hacking the bad guys because that's illegal jurisdictions. But how we can actually find out who these people are, hit them where it hurts, freeze assets, go after money laundering networks. If you follow the cash transactions where it's happening, this is where we actually work with key law enforcement partners, such as Interpol as an example, this is the world of threat intelligence. This is why we're doing a lot of that intelligence work on the backend. So there's other ways to actually go on the offense without necessarily weaponizing it per se, right? Like using, bearing your own arms as you said, there there's different forms that people may not be aware of with that. And that actually gets into the world of, if you see attacks happening on your system, how you can use the security tools and collaborate with threat intelligence. >> I think that's the key. I think the key is these new sharing technologies around collective intelligence is going to be a great way to kind of have more of an offensive collective strike. But I think fortifying, the defense is critical. I mean, that's, there's no other way to do that. >> Absolutely, I mean, we say this almost every week, but it's in simplicity. Our goal is always to make it more expensive for the cybercriminal to operate. And there's many ways to do that, right? You can be a pain to them by having a very rigid, hardened defense. That means if it's too much effort on their end, I mean, they have ROIs and in their sense, right? It's too much effort on there and they're going to go knocking somewhere else. There's also, as I said, things like disruption, so ripping infrastructure offline that cripples them, whack-a-mole, they're going to set up somewhere else. But then also going after people themselves, again, the cash networks, these sorts of things. So it's sort of a holistic approach between- >> It's an arms race, better AI, better cloud scale always helps. You know, it's a ratchet game. Aamir, I want to get into this video. It's a ransomware four minute video. I'd like you to take us through as you the Lead Researcher, take us through this video and explain what we're looking at. Let's roll the video. >> All right. Sure. So what we have here is we have the victims that's top over here. We have a couple of things on this victim's desktop. We have a batch file, which is essentially going to run the ransomware. We have the payload, which is the code behind the ransomware. And then we have files in this folder. And this is where you would typically find user files and a real world case. This would be like Microsoft or Microsoft word documents, or your PowerPoint presentations, or we're here we just have a couple of text files that we've set up. We're going to go ahead and run the ransomware. And sometimes attackers, what they do is they disguise this. Like they make it look like an important word document. They make it look like something else. But once you run the ransomware, you usually get a ransom message. And in this case, a ransom message says, your files are encrypted. Please pay this money to this Bitcoin address. That obviously is not a real Bitcoin address. I usually they look a little more complicated, but this is our fake Bitcoin address. But you'll see that the files now are encrypted. You cannot access them. They've been changed. And unless you pay the ransom, you don't get the files. Now, as researchers, we see files like this all the time. We see ransomware all the time. So we use a variety of tools, internal tools, custom tools, as well as open source tools. And what you're seeing here is an open source tool. It's called the Cuckoo Sandbox, and it shows us the behavior of the ransomware. What exactly is ransomware doing. In this case, you can see just clicking on that file, launched a couple of different things that launched basically a command executable, a power shell. They launched our windows shell. And then at, then add things on the file. It would basically, you had registry keys, it had on network connections. It changed the disk. So that's kind of gives us a behind the scenes, look at all the processes that's happening on the ransomware. And just that one file itself, like I said, does multiple different things. Now what we want to do as a researchers, we want to categorize this ransomware into families. We want to try and determine the actors behind that. So we dump everything we know in a ransomware in the central databases. And then we mine these databases. What we're doing here is we're actually using another tool called Maldito and use custom tools as well as commercial and open source tools. But this is a open source and commercial tool. But what we're doing is we're basically taking the ransomware and we're asking Maldito to look through our database and say like, do you see any like files? Or do you see any types of incidences that have similar characteristics? Because what we want to do is we want to see the relationship between this one ransomware and anything else we may have in our system, because that helps us identify maybe where the ransomware is connecting to, where it's going to other processes that I may be doing. In this case, we can see multiple IP addresses that are connected to it. So we can possibly see multiple infections. We can block different external websites that we can identify a command and control system. We can categorize this to a family, and sometimes we can even categorize this to a threat actor as claimed responsibility for it. So it's essentially visualizing all the connections and the relationship between one file and everything else we have in our database. And this example, of course, I'd put this in multiple ways. We can save these as reports, as PDF type reports or usually HTML or other searchable data that we have back in our systems. And then the cool thing about this is this is available to all our products, all our researchers, all our specialty teams. So when we're researching botnets, when we're researching file-based attacks, when we're researching IP reputation, we have a lot of different IOC or indicators of compromise that we can correlate where attacks go through and maybe even detect new types of attacks as well. >> So the bottom line is you got the tools using combination of open source and commercial products to look at the patterns of all ransomware across your observation space. Is that right? >> Exactly. I showed you like a very simple demo. It's not only open source and commercial, but a lot of it is our own custom developed products as well. And when we find something that works, that logic, that technique, we make sure it's built into our own products as well. So our own customers have the ability to detect the same type of threats that we're detecting as well. At FortiGuard Labs, the intelligence that we acquire, that product, that product of intelligence it's consumed directly by our prospects. >> So take me through what what's actually going on, what it means for the customer. So FortiGuard Labs, you're looking at all the ransomware, you seeing the patterns, are you guys proactively looking? Is it, you guys are researching, you look at something pops in the radar. I mean, take us through what goes on and then how does that translate into a customer notification or impact? >> So, yeah, John, if you look at a typical life cycle of these attacks, there's always proactive and reactive. That's just the way it is in the industry, right? So of course we try to be (indistinct) as we look for some of the solutions we talked about before, and if you look at an incoming threat, first of all, you need visibility. You can't protect or analyze anything that you can see. So you got to get your hands on visibility. We call these IOC indicators of compromise. So this is usually something like an actual executable file, like the virus or the malware itself. It could be other things that are related to it, like websites that could be hosting the malware as an example. So once we have that SEED, we call it a SEED. We can do threat hunting from there. So we can analyze that, right? If we have to, it's a piece of malware or a botnet, we can do analysis on that and discover more malicious things that this is doing. Then we go investigate those malicious things. And we really, it's similar to the world of CSI, right? These different dots that they're connecting, we're doing that at hyper-scale. And we use that through these tools that Aamir was talking about. So it's really a lifecycle of getting the malware incoming, seeing it first, analyzing it, and then doing action on that. So it's sort of a three step process. And the action comes down to what Aamir was saying, waterfall and that to our customers, so that they're protected. But then in tandem with that, we're also going further and I'm sharing it if applicable to say law enforcement partners, other threat Intel sharing partners too. And it's not just humans doing that. So the proactive piece, again, this is where it comes to artificial intelligence, machine learning. There's a lot of cases where we're automatically doing that analysis without humans. So we have AI systems that are analyzing and actually creating protection on its own too. So it's quite interesting that way. >> It say's at the end of the day, you want to protect your customers. And so this renders out, if I'm a Fortinet customer across the portfolio, the goal here is protect them from ransomware, right? That's the end game. >> Yeah. And that's a very important thing. When you start talking to these big dollar amounts that were talking earlier, it comes to the damages that are done from that- >> Yeah, I mean, not only is it good insurance, it's just good to have that fortification. So Derek, I going to ask you about the term the last mile, because, we were, before we came on camera, I'm a band with junkie always want more bandwidth. So the last mile, it used to be a term for last mile to the home where there was telephone lines. Now it's fiber and wifi, but what does that mean to you guys in security? Does that mean something specific? >> Yeah, absolutely. The easiest way to describe that is actionable. So one of the challenges in the industry is we live in a very noisy industry when it comes to cybersecurity. What I mean by that is that because of that growing attacks for FIS and you have these different attack factors, you have attacks not only coming in from email, but websites from DoS attacks, there's a lot of volume that's just going to continue to grow is the world that 5G and OT. So what ends up happening is when you look at a lot of security operations centers for customers, as an example, there are, it's very noisy. It's you can guarantee almost every day, you're going to see some sort of probe, some sort of attack activity that's happening. And so what that means is you get a lot of protection events, a lot of logs. And when you have this worldwide shortage of security professionals, you don't have enough people to process those logs and actually start to say, "Hey, this looks like an attack." I'm going to go investigate it and block it. So this is where the last mile comes in, because a lot of the times that, these logs, they light up like Christmas. And I mean, there's a lot of events that are happening. How do you prioritize that? How do you automatically add action? Because the reality is if it's just humans doing it, that last mile is often going back to your bandwidth terms. There's too much latency. So how do you reduce that latency? That's where the automation, the AI machine learning comes in to solve that last mile problem to automatically add that protection. It's especially important 'cause you have to be quicker than the attacker. It's an arms race, like you said earlier. >> I think what you guys do with FortiGuard Labs is super important, not only for the industry, but for society at large, as you have kind of all this, shadow, cloak and dagger kind of attack systems, whether it's national security international, or just for, mafias and racketeering, and the bad guys. Can you guys take a minute and explain the role of FortiGuards specifically and why you guys exist? I mean, obviously there's a commercial reason you built on the Fortinet that trickles down into the products. That's all good for the customers, I get that. But there's more at the FortiGuards. And just that, could you guys talk about this trend and the security business, because it's very clear that there's a collective sharing culture developing rapidly for societal benefit. Can you take a minute to explain that? >> Yeah, sure. I'll give you my thoughts, Aamir will add some to that too. So, from my point of view, I mean, there's various functions. So we've just talked about that last mile problem. That's the commercial aspect. We created a through FortiGuard Labs, FortiGuard services that are dynamic and updated to security products because you need intelligence products to be able to protect against intelligent attacks. That's just a defense again, going back to, how can we take that further? I mean, we're not law enforcement ourselves. We know a lot about the bad guys and the actors because of the intelligence work that we do, but we can't go in and prosecute. We can share knowledge and we can train prosecutors, right? This is a big challenge in the industry. A lot of prosecutors don't know how to take cybersecurity courses to court. And because of that, a lot of these cyber criminals reign free, and that's been a big challenge in the industry. So this has been close my heart over 10 years, I've been building a lot of these key relationships between private public sector, as an example, but also private sector, things like Cyber Threat Alliance. We're a founding member of the Cyber Threat Alliance. We have over 28 members in that Alliance, and it's about sharing intelligence to level that playing field because attackers roam freely. What I mean by that is there's no jurisdictions for them. Cyber crime has no borders. They can do a million things wrong and they don't care. We do a million things right, one thing wrong and it's a challenge. So there's this big collaboration. That's a big part of FortiGuard. Why exists too, as to make the industry better, to work on protocols and automation and really fight this together while remaining competitors. I mean, we have competitors out there, of course. And so it comes down to that last mile problems on is like, we can share intelligence within the industry, but it's only intelligence is just intelligence. How do you make it useful and actionable? That's where it comes down to technology integration. >> Aamir, what's your take on this societal benefit? Because, I would say instance, the Sony hack years ago that, when you have nation States, if they put troops on our soil, the government would respond, but yet virtually they're here and the private sector has to fend for themselves. There's no support. So I think this private public partnership thing is very relevant, I think is ground zero of the future build out of policy because we pay for freedom. Why don't we have cyber freedom if we're going to run a business, where is our help from the government? We pay taxes. So again, if a military showed up, you're not going to see companies fighting the foreign enemy, right? So again, this is a whole new changeover. What's your thought? >> It really is. You have to remember that cyber attacks puts everyone on an even playing field, right? I mean, now don't have to have a country that has invested a lot in weapons development or nuclear weapons or anything like that. Anyone can basically come up to speed on cyber weapons as long as an internet connection. So it evens the playing field, which makes it dangerous, I guess, for our enemies. But absolutely I think a lot of us, from a personal standpoint, a lot of us have seen research does I've seen organizations fail through cyber attacks. We've seen the frustration, we've seen, like besides organization, we've seen people like, just like grandma's lose their pictures of their other loved ones because they kind of, they've been attacked by ransomware. I think we take it very personally when people like innocent people get attacked and we make it our mission to make sure we can do everything we can to protect them. But I will add that at least here in the U.S. the federal government actually has a lot of partnerships and a lot of programs to help organizations with cyber attacks. The US-CERT is always continuously updating, organizations about the latest attacks and regard is another organization run by the FBI and a lot of companies like Fortinet. And even a lot of other security companies participate in these organizations. So everyone can come up to speed and everyone can share information. So we all have a fighting chance. >> It's a whole new wave of paradigm. You guys are on the cutting edge. Derek always great to see you, Aamir great to meet you remotely, looking forward to meeting in person when the world comes back to normal as usual. Thanks for the great insights. Appreciate it. >> Pleasure as always. >> Okay. Keep conversation here. I'm John Furrier, host of theCUBE. Great insightful conversation around security ransomware with a great demo. Check it out from Derek and Aamir from FortiGuard Labs. I'm John Furrier. Thanks for watching.

(upbeat techno music) >> Narrator: Live from Las Vegas, it's The Cube, covering Fortinet Accelerate '18, brought to you by Fortinet. >> Welcome back to The Cube's continuing coverage live from Fortinet Accelerate 2018. I'm Lisa Martin with The Cube, along with my co-host Peter Burris, and we're very excited to welcome a Cube alumni back to The Cube, Derek Manky, the global security strategist from Fortinet - welcome back! >> Derek: Thank you, it's always good to be here. We have great conversations. >> Lisa: We do. We're happy that you think that. So, lots of news coming out today. But, I want to kind of start with, maybe a top-down approach, the theme of the event: strength in numbers. >> Derek: Yes. >> Lisa: As a marketer I'm like, "What are they going to share?" And of course, Ken and a lot of your peers shared a lot of interesting statistics. From your standpoint - what you're doing with FortiGuard Labs, strength in numbers, help us understand that from the technology standpoint. What does that mean to you? >> Derek: Sure, sure. So, there's a couple aspects to that. First of all, I've always been a firm advocate that we can never win the war on cybercrime alone. We have to be able to collaborate; collaboration is a key aspect. The attack surface today now, just from if you look at the complexity of attacks, the attack surface is massive today. And it's going to continue to expand. I mean, 15 years ago, we're just dealing with you know, threats that would operate on IRC channels or something, you know, some websites, and just some spam attacks. Now, we have to deal with that in addition to this growing attack surface, right? Specifically, with IOMT - the Internet of Medical Things, OT, as well. You have within that OT umbrella, obviously, things like the connected vehicles and all of these different things, which I know you've seen here, also, at Accelerate. So, when we look at that attack surface, you need security in all aspects - end-to-end, right? And so, from a security architecture perspective, strength in numbers is important to have that whole coverage of the attack surface, right? That's not complex and easy to manage. At the same time, being able to inter-operate: that's another strength. You know, the more a structure is bonded or glued together, the more resilient it's going to become. That's the exact concept of the fabric, right? The more that we can inter-weave the fabric and connect the different nodes together and share intelligence, that becomes a much, much stronger structure. So, to me, the strength in numbers means collaboration, information flow, and also end-to-end coverage between the security solutions. >> Peter: But it also means, you know, the growing ecosystem; the need for additional expertise, greater specialization in people. Talk a little bit about how, from a strategy standpoint, Fortinet is helping prepare people for different types of inclusion, different types of participation; what it means to be great, in a security way. >> Derek: Yeah, absolutely. I think there's very (mumbles) We're taking a multi-pronged approach to that. If you look at things like our NSC training program - it's the largest in the industry - so, training other experts through our partners. Growing, doing that knowledge transfer in expertise onto new features, like we're doing here at Accelerate, is critically important. So, that's one aspect when you look at the ecosystem. When you look at something for FortiGuard, as an example, what we're doing. We have, traditionally, you know, we've trained up a very large team; we have 215 security experts at FortiGuard, which is, for a network security organization one of the largest in the world, if not the largest. >> Peter: And FortiGuard is a practical and active think tank, right? >> Derek: Absolutely, yeah. It's many things, it's reactive protection, it's proactive protection, it's - now we've just launched the FortiGuard AI, as well; artificial intelligence, machine learning, that's all the threat intelligence aspect. So, it's threat detection and response. Again, if you look at technology, when we started just with antivirus and intrusion prevention and things like this, it was very signature-based and reactive. We went from signature-based detections to anomaly-based detections. Now, the third generation of this is machine learning and deep learning And going back to your question: we don't ever want to replace humans - because humans are very important in this ecosystem - rather, repurpose them, right? So, what we're doing, as an example, is when we, you know, train our analysts. Instead of having them do day to day tasks like some signature creation or something like this, we can actually have AI systems replace that to identify a threat, respond to it, and then repurpose those humans for something more strategic, you know, looking at the context, "How bad is this threat?" "Why is it a threat?" "How do we respond to it?" "How do we work with partners and customers?" We've launched our threat intelligence service, as well. This is a good example of something we've used internally within FortiGuard to protect customers. Now, we're offering this as a service to customers for security operation centers. We also have our Forti analyzer product and incident response framework. These are all key components that we're empowering organizations to be able to respond those threats. But, again, strength in numbers, it's this ecosystem working together. So, fabric-ready partners is another good example of that strength in numbers, I think, too. >> Peter: Well, I remember the first time I walked into a knock and found the security person and their eyes were literally bleeding. (Derek chuckles) And it's nice to have AI be able to take that kind of a load off, to be looking at some of these challenges, some of these anomalies, things previously we expected people to be able to uncover. >> Derek: Yeah, and (mumbles) when we talk about AI, to me, it's a trust exercise, as well. When you talk about machine learning, it's an accuracy problem, right? "How accurate can the machines really be?" When we pass the torch, as I say, to the machines to be able to take on those day to day jobs, we have to be able to trust it, saying, "You're doing a good job and you're accurate." So, we're using supervised learning, right, where we have our human experts actually training the machines - that's a good use for them, instead of just doing the same cycles day to day, you know, as an example. That's another way that we're scaling out that way. I think it's absolutely required in today's day and age. If you look at the numbers, it's an exponential curve right now. Last year, one year ago today, on average we're seeing about a million hacking attempts in just a minute across the entire globe, right? Now, we're seeing that number up over four million. So, it's increased four-fold in just a year, and that's just going to continue to rise. So, having that automated defense and AI machine learning; machine learning's just a learning aspect; the AI is the actionable part - how we can take that intelligence and put that into the fabric so that the customer doesn't have to do that themselves. I mean, the customer doesn't always have to be involved in the security aspect of that, and that's how we start reducing on the complexity, too. >> Lisa: You mentioned a couple terms that I wanted to pivot on: proactive/reactive. One of the biggest challenges that we hear from the C-suite in this perspective is visibility, complexity, but also high TCO reactivity. Where is Fortinet enabling, when you talk to customers, that shift, that successful shift from reactive to proactive? >> Derek: Right, yeah. Good question, very good question. I think - just parallels - I mean, they're both always going to have to exist, that's just their nature. I mean, if you keep walking across, you know, it's like Frogger - if you keep walking across a busy highway, you're going to get hit eventually, 'cause there's that much traffic, that much attacks coming, right? So, again, the incident response angle - using detection systems and, you know, threat reporting, and this intelligence service to be able to, you know, alert on what sort of attacks are happening and how to prioritize that is one way on the reactive end. On the proactive end: consulting. We have a team of consulting engineers and specifically, ones on FortiGuard, so threat experts that are able to actually analyze. So, we have programs, like CTAP, as a cyberthreat assessment program that is able to able to go into these new networks as a free service and do assessments. So, audits and assessments on the state of security on that network - end-to-end, right? So, we're talking even up to the distributed enterprise level. It's very, very important because we're in a day and age of information overload, especially if you talk to, you know, most CSOs (chief security officer) I talk to, they say "Derek, I got so much traffic being thrown at me; I have all these security logs that are letting up - how do I prioritize and respond to that?" So, if you can understand who your enemy is - what they're up to, then you can start building an appropriate security strategy around that, as opposed to just building checkboxes and, you know, building a fort and thinking you're protected against everything. That's a very important part. And, of course, there's proactive security technologies: anomaly-based, you know, things like sandbox detection that we've already integrated into the fabric ecosystem. But, visibility is key first; know your enemy, understand it, then build up a stack around that. >> Peter: So you're a strategist? >> Derek: Yes. >> Peter: What's the difference between a security strategist and a strategist - a business strategist? And, specifically, how is security strategy starting to find its way into business strategy? >> Derek: Really good question. So, it's becoming blended, right, because security is a vital part of business today. So, if you look at some attacks that even happened last year, there's targeted attacks that are starting to go after big businesses; critical revenue streams and services, because these are high payouts, right? And so, you know, if you look at building a business, you have to identify what are your digital assets: that can include services, intellectual property, and what would happen if that service was, you know, if there was a denial-of-service attack on that? How much lead or revenue loss are you going to have versus the cost of implementing, you know, an adequate security structure around that? So, you know, security's a board-level discussion right now, right? And so, when I think you look at building up these businesses, security should be, by design, from the top down - let's start it there. >> Peter: But, is it finding its way, and we've asked this question a couple times - at least I have - is it finding its way into "Hey, my balance sheet is a source of competitive advantage; my sales force is a source of competitive advantage." Is your security capabilities a source of competitive advantage in a digital business? >> Derek: I would say absolutely, yeah. It's starting to find its way in there. If you look at regions like Australia, you know, they just implemented a mandatory breach disclosure, right, so then, any business that is earning, I think it's like over two million dollars in revenue, needs to, you know, have a certain security posture in place and be able to respond to that. And that's trust and brand recognition. So, because, having, you know, cases like this, building trust with your provider, especially if we talk about, you know, cloud services; I'm putting my data into your hands and trust. How well do you trust that? Of course, if there's good reputation and a powerful security solution, you know customers are going to feel safer doing that. It's like, are you going to, you know, put your gold in Fort Knox or are you going to put it, you know, bury it in your backyard? There's a definite relationship happening there. >> Lisa: I read (hesitates) I didn't read this report, but I saw it the other day that in 2017, a kind of cybercrime report that said by 2021, which isn't that far away, that the global impact will be six trillion dollars in cybercrime. >> Derek: Yeah. >> How do you see the public sector, the private sector working together to help mitigate that, where that cybercrime is concerned and the costs that are so varied and large. >> Derek: Yeah, it's not just cybercrime, either. It's cyberterrorism, these other aspects, especially if you're talking about public sector, if you're talking about critical infrastructure and also with, you know, energy sector and operational technology and all of these things, too. So, you know, it becomes very important for doing a collaboration in alliances - that's something that's actually close to my heart. You know, at FortiNet and FortiGuard, we've formed several strategic partnerships in alliance with public sector, mostly, you know, national computer emergency response, because we feel that we have a lot of intelligence. We're very good at what we do, you know, we can protect customers; detecting threats. But, if there's an attack happening on a national level, you know, we should be able to empower - to be able to work together to combat the threat. It's the same thing even with cybercrime, right? So, as an example, we work with law enforcement, as well with cybercrime, trying to find threat actors in the adversary; cybercriminals are running their own business, and the more expensive you can make it for them to operate, it slows down their operations. >> Peter: A COGS approach to competition. >> Derek: Yeah. (chuckles) Yeah, yeah. And, you know, they're always going to find the path of least resistance, right? That's the whole idea of security, strategy too, is, we call it the "attack chain," right, this layered security - that's the strength in numbers theme again, right; end-to-end security that makes the whole security chain stronger 'cause of that bond and that makes it more expensive for the cybercriminals to operate, too. So, as an example, like I said, national CERT, law enforcement; we're even teaming up in the private sector - a cyberthreat alliance, as well, that's been a very successful project; Fortinet's a founding member, I'm on the steering committee of the cyberthreat alliance. >> Peter: It was Ken's brainchild, wasn't it? >> Derek: Yeah, yep, yeah. And so, you know, we're competitors in the industry but we're actually - it's a friendly environment when we meet and it's actionable intelligence that's being shared. Again, it comes down to how well you can implement that technology, or that (hesitates) information in your technology - that's an important part. >> Lisa: So, here we are at Accelerate 2018 the - I think Ken was saying the 16th year of this event. What are you looking forward to in 2018 for Fortinet, looking at the strength of the partners - those behind us. What's exciting you about the opportunities that Fortinet has in 2018? >> Derek: It's never a boring day. (laughs) There's a lot of interesting opportunities to work with. I think it's - what's exciting to me is the vibe. People are very keen on this, right? If you look at our fabric-ready program, it's growing quite significantly and I think it's fantastic, there's a lot of people, you know, that are energized and willing to work in these programs. There's a lot of programs we can build at, specifically, FortiGuard, as well. Like I said, these threat intelligence services that we're offering to our partners now, which include, you know, proactive alerts, early warning systems. That empowerment and, you know, working together definitely excites me - there's a lot of opportunities there. And there's going to be a lot of, you know, challenges to overcome. If we look at the threat landscape right now, you know, one thing I'm talking about is swarm bots. It's this swarm intelligence - there's parallels here again; we talk about strength in numbers and what we're doing on our side. The bad guys are also teaming up and doing strength in numbers on their side, too. So, we're looking at on the horizon threats like this that are using, leveraging, their own learning mechanisms, being able to self-adapt to be much quicker to attack systems, right, because that's on the horizon - we're already seeing indications of that; we have to get this right. I think for the first time in the industry, you know, we're doing this right. You know, if you look at years past, cybercriminals, they can do a million things wrong and they don't care, right? So, we need to be able to overcome more hurdles. If we work together, which we're doing right now; I think for the first time, we have the opportunity to have an advantage over the cybercriminals, too. So, that's also exciting. >> Lisa: Definitely. We've heard a lot of, I think, conversation today along the spirit of collaboration, compatibility. So, that sentiment, I think, was well represented from your peers that we've spoken with today. >> Derek: Yeah. Everybody has a part to play, I think, right? And that's the thing - you mentioned the word "ecosystem" and that's exactly what it is, right? And that's another brilliant thing we're finding is that everybody brings some strength to the table, so that's another aspect, and I think people, you know, are realizing that organizations are realizing that they can actually play in these collaborations. >> Peter: It's not a zero sum game. >> Derek: No. >> Peter: It's not. I mean, there's so much diversity and so much opportunity and this digital transformation going to have touched so many different corners in so many different ways. >> Derek: Yeah. >> At this point in time, it's "How fast can we all work together to take advantage of the opportunities?" and not "Eh, I want that piece and I want that piece." because then the whole thing won't grow as fast. >> Derek: Yeah, and, you know, the other challenges - the technology challenge, and that's something we are addressing as well. Like, we're actually creating a solution to this - a framework, as we did with the cyberthreat alliance, but also with the fabric program, as well, so having those tools is very important, I think, as well, to help grow that ecosystem, right? >> Lisa: Exciting stuff, Derek. Thanks so much for joining us on The Cube and sharing some of the things that you're working on, and, it sounds, like you said earlier, never a dull moment; every day is a busy day. >> Derek: Absolutely not. Yeah, there's a long road ahead and I think there always will be. But, like I said, it's a lot of exciting times and it's good to see progress in the industry. >> Lisa: Absolutely. Well, thanks for your time. We look forward to our chat next year and to see what happens then. >> Derek: Okay, thank you so much! >> Lisa: Absolutely. We want to thank you for watching The Cube's continuing coverage of Fortinet Accelerate 2018. For Peter Burris, I'm Lisa Martin, and we'll be right back after a short break. (subtle electronic song)