our Studios in the heart of Silicon Valley Palo Alto California this is a cute conversation hello and welcome to the cube studios in Palo Alto California for another cube conversation where we go in-depth with thought leaders driving innovation across the tech industry I'm your host Peter Burris almost everybody's heard of the term black hat and white hat and it constitutes groups of individuals that are either attacking or defending security challenges it's been an arms race for the past 10 20 30 years as the world has become more digital and an arms race that many of us are concern that black hats appear to have the upper hand but there's new developments in technology and new classes of tooling that are actually racing to the aid of white hats and could very well upset that equilibrium in favor of the white hats to have that conversation about the Ascension of the white hats we're joined by Derek manky who's chief security insights and global threat alliances lead at Ford Annette dereck thanks for joining us for another cube conversation it's always a pleasure speaking yeah all right Derrick let's start what's going on afforda labs at four Dannette so 2019 we've seen a ton of development a lot pretty much on track with our predictions when we talked last year obviously a big increase in volume thanks offense of automation we're also seeing low volume attacks that are disrupting big business models I'm talking about targeted ransom attacks right you know criminals that are able to get into networks caused millions of dollars of damages thanks to critical revenue streams being out usually in the public sector we've seen a lot of this we've seen a rise in sophistication the adversary's are not slowing down AET s advanced evasion techniques are on the rise and so you know to do this and for the guard loves to be able to track this and map this we're not just relying on blogs anymore and you know 40 50 page white papers so we're actually looking at that playbooks now mapping the adversary's understanding their tools techniques procedures how they're operating why they're operating who are they hitting on and what what might be their next move so that's a big development on the intelligence sides here all right so I mentioned upfront this notion that the white hats may be ascending I'm implying a prediction here tell us a little bit about what we see on the horizon for that concept of the white hats ascending and specifically why is there reason to be optimistic yeah so as it's it's it's been gloomy for you for decades like he said and for many reasons right and I think those reasons there are no secrets I mean cyber criminals and black hats have always been able to move very you know with with agility right I'm sorry crime has no borders it's often a slap on the wrist that they get they can do a million things are on they don't care there's no ethics and quite frankly no no rules by right on the white hand side we've always had rules binding us we've had to we've had to take due care and we've had to move methodically which slows us down so a lot of that comes in place because of frameworks because of technology as well having to move um after it's in able to it with frameworks so specifically with you know making corrective action and things like that so those are the challenges that we face against but you know like thinking ahead to to 2020 particularly with the use of artificial intelligence everybody talks about AI you know it's it's impacted our daily lives but when it comes to cybersecurity on the white hat side um you know a proper AI and machine learning model it takes time you think it can take you years in fact in our case in our experience about four to five years before we can actually roll it out to production but the good news is that we have been investing and when I say we I'm just talking to the industry in general and wait we've been investing into this technology because quite frankly we've had to it takes a lot of data it takes a lot of smart minds a lot of investment a lot of processing power and that foundation has now been set over the last five years if we look at the blackcats it's not the case and why because they've been enjoying living off the land on a low-hanging truth path of least resistance because they've been able to so one of the things that's changing that equilibrium then is the availability of AI as you said it could take four or five years to get to a point we've actually got useful AI is it can have an impact I guess that means that we've been working on these things for four or five years what's the state of the art with AI as it pertains to security and are we seeing different phases of development start to emerge as we gain more experience with these technologies yeah absolutely and it's quite exciting right ai isn't this universal brain that's that's always good the world's problems that everyone thinks it might right it's very specific it relies on machine learning models each machine learning model is very specific to its task right I mean you know voice learning technology versus autonomous vehicle driving versus cybersecurity it's very different when it comes to the swimming purposes so so in essence the way I look at it you know there's three generations of AI we have generation 1 which was the past generation 2 which is a current where we are now and the generation 3 is where we're going so generation 1 was pretty simple right it was just a central processing lyrtle of machine learning model that'll take in data they'll correlate that data and then take action based off of it some simple inputs simple output right generation to where we're currently sitting is more advances looking at pattern recognition more advanced inputs are distributed models where we have the you know sensor is lying around networks I'm talking about even IOT devices security appliances and so forth but still report up to this centralized brain that's learning and acting on things but where things get really interesting moving forward in 2020 gets into this third generation where you have especially you know moving towards about computer sorry I'm computing where you have localized learning notes that are actually processing and learning so you can think of them as these mini brains instead of having this monolithic centralized brain you have individual learning modes individual brains doing their own machine learning that are actually connected to each other learning from each other speaking to each other it's a very powerful model we actually refer to this as federated machine learning in our industry so we've been first phase we simply use statistics to correlate events take action yeah now we're doing exceptions pattern recognition or exceptions and building patterns and in the future we're going to be able to further distribute at that so that increasingly the AI is going to work with other AI so that the aggregate this federated aggregate gets better I got that right yeah absolutely and what's the advantage of that a couple of things I'm it's very similar to the human immune system right I mean if you have you know if I were to cut my finger on my hand what's gonna happen well localized white blood cells get localized not nothing from a foreign entity or further away in my body are gonna come to the rescue and start healing right it's the same idea it's because it's interconnected within the nervous system it's the same idea of this federated machine learning right if security appliance is to detect a threat locally on-site its able to alert other security appliances so that they can actually take action on this and learn from that as well so connected machine learning models it means that that you know by properly implementing these these AI this federated AI machine learning models in an organization that that system is able to actually in an auto you may pick up what that threat is be able to act on that threat which means it's able to respond to these threats quicker shut them down to the point where it can be you know virtually instantaneous right before you know that the damage is done and bleeding starts happening so the common time safe common baseline is constantly getting better even as we're giving opportunities for local local managers to perform the work in response to local conditions so that takes us to the next notion of we've got this federated a la a I on the horizon how are people how is the role of people security professionals going to change what kind of recipes are they going to follow to ensure that they are working in a maximally productive way with these new capabilities these new federated capabilities especially as we think about the introduction of 5g and greater density of devices and faster speeds and lower latencies yeah so you know that the the the the world of cyber computer cyber security has always been incredibly complex so we're trying to simplify that and that's where again this this federated machine learning comes into place particularly with playbooks so you know if we look at 2019 and where we're going in 2020 we've put a lot of a lot of groundwork quite frankly into pioneering the work of playbooks right so when I say playbooks I'm talking about adversary's playbook knowing the offense knowing the tools techniques procedures the way that these cybercrime operations are moving right and the black hats are moving the more that we can understand that the more we can predict their next move and that centralized language right once you know that offense we can start to create automated Blue Team playbook so defensive play books that a human that that's a security technology can automatically integrate and respond to it but to getting back to your question we can actually create human readable sea cecil guides that can actually say look there's a threat here's why it's a problem here's here here are the gaps in your security that we've identified if you're some recommended course of action as my deity right so that's that's where the humans and the machines are really going to be worked working together and and quite frankly moving speed being able to do that a machine level but also being being able to simplify a complex landscape that is where we can actually gain traction right that this is part of that ascendancy of the white hat because because it's it's allowing us to move in a more agile nature it's an it's allowing us to gain ground against heat actors and quite frankly it allows us to start disrupting their business model right it's more resilient Network in the future this leads to the whole notion of self-healing networks as well that quite frankly just makes it a big pain it disrupts your business model it forces them to go back to the drawing board - well it also seems as though when we start talking about 5g that the speeds as I said the speeds the dentin see the reduced latency the the potential for a bad thing to propagate very quickly demands that we have a more consistent coherent response at both the Machine level but also at the people level we 5g into this conversation what's what will be the impact of 5g on how these playbooks and AI start to come together over the next few years yeah it's it's it's it's gonna be very impactful it's gonna take a couple of years and we're just at the dawn of 5g right now but if you think of 5g you're talking about a lot more volume essentially as we move to the future we're entering into the age of five G and edge computing and 5g and edge computing is gonna start eating the cloud in a sense that more of that processing power that was in the cloud is starting to shift now towards edge computing right this is that on-premises so it is gonna allow models like I was talking about federated machine learning models at first from the the white hats point of view which I again I think we are in the driver's seat and in a better you know more advantageous position here because we have more experience again like I said we've been doing this for years where the black hats quite frankly haven't yes they're toying with it but not to the same level at scale that we have but you know you know it's I'm always a realist this isn't a completely rosy picture I mean there it is optimistic that we are able to get this upper hand it has to be done right but if we think about the weaponization of 5g that's also very large problem right last year we're talking about sworn networks right the idea of sworn networks is a whole bunch of devices that can connect to each other share intelligence and then act to do something like a large-scale DDoS attack that's absolutely in the in the realm of possibility when it comes to the weaponization of 5g as well so one of the things I guess the last question I want to ask you is you noted that these play books incorporate the human element in ways that are uniquely human so having C so readable recipes for how people have to respond does that also elevate the conversation with the business and does allows us to do a better job of understanding risk pricing risk and appropriately investing to manage and assure the business against risk in the right way absolutely absolutely it does yeah yeah because the more you know about going back to the playbook some more you know about the office and their tools you know you the more you know about how much of a danger it is what sort of targets they're after right I mean if they're just going trying to look to to to collect a little bit of information on you know to do some reconnaissance that first phase attack might not cause a lot of damage but if this group is knowing to go in hit hard steal intellectual property shut down critical business streams to do s that in the past we know and we've seen has caused four or five million dollars from one you know from one breach that's a very good way to start classifying risk so yeah I mean it's all about really understanding the picture first on the offense and that's exactly what these automated playbook guides are going to be doing on the on the on the blue team and again not only from a CSE suite perspective certainly that on the human level but the nice thing about the play books is because we've done the research the threat hunting and understood this you know from a machine level it's also able to put a lot of those automated let's say day-to-day decisions making security operation center is so I'm talking about like sect DevOps much more efficient to so he's talking about more density at the edge amongst these devices I also want to bring back one last thought here and that is you said that historically some of the black hats have been able to act with a degree of impunity they haven't necessarily been hit hard there a lot of slapping on the wrist as I think you said talk about how the playbooks and AI is going to allow them to more appropriately share data with others that can help both now but also in some of the forensics and the the enforcement side namely the the legal and policing world how are we going to share the responsibility or how is that going to change over the next few years to incorporate some of the folks that actually can then turn a defense into a legal attack illumination this is what I call it right so again if we look at the current state we've made great strides great progress you know working with law enforcement so we've set up public private sector relationships we need to do that have security experts working with law enforcement law enforcement working on there and to train process prosecutors to understand cybercrime and so forth that foundation has been set but it's still slow-moving you know there's only a limited amount of playbooks right now it takes a lot of work to unearth and and and do to really move the needle what we need to do again like we're talking about is to integrate artificial intelligence with playbooks the more that we understand about groups the more that we do this threat illumination the more we have cover about them the more we know about them and by doing that we can start to form predictive models right basically I always say old habits die hard so you know if an attacker goes in hits a network and they're successful following a certain sequence of patterns they're likely going to follow that say that's that same sequence on their next victim or their next target so the more that we understand about that the more that we can forecast eight from a mitigation standpoint but the also by the same token the more correlation we're doing on these playbooks the more machine learning we're doing on this playbooks the more we were able to do attribution and attribution is the Holy Grail it's always been the toughest thing to do when it comes to research but by combining the framework that we're using with playbooks and AI machine learning it's a very very powerful recipe and that's that's what we need to get right and move forward in the right direction Derrick McKey ordinance chief of security insights and threat alliances thanks again for being on the cube it's a pleasure anytime happy to talk and I want to thank you for joining us for another cube conversation I'm Peter Burris see you next time [Music]

our Studios in the heart of Silicon Valley Palo Alto California this is a cute conversation hello and welcome to the cube studios in Palo Alto California for another cube conversation where we go in-depth with thought leaders driving innovation across the tech industry I'm your host Peter Burris almost everybody's heard of the term black hat and white hat and it constitutes groups of individuals that are either attacking or defending security challenges it's been an arms race for the past 10 20 30 years as the world has become more digital and an arms race that many of us are concern that black hats appear to have the upper hand but there's new developments in technology and new classes of tooling that are actually racing to the aid of white hats and could very well upset that equilibrium in favor of the white hats to have that conversation about the Ascension of the white hats we're joined by Derek manky who's chief security insights and global threat alliances lead at Ford Annette dereck thanks for joining us for another cube conversation it's always a pleasure speaking yeah all right Derrick let's start what's going on afforda labs at four Dannette so 2019 we've seen a ton of development a lot pretty much on track with our predictions when we talked last year obviously a big increase in volume thanks offense of automation we're also seeing low volume attacks that are disrupting big business models I'm talking about targeted ransom attacks right you know criminals that are able to get into networks caused millions of dollars of damages thanks to critical revenue streams being out usually in the public sector we've seen a lot of this we've seen a rise in sophistication the adversary's are not slowing down AET s advanced evasion techniques are on the rise and so you know to do this and for the guard loves to be able to track this and map this we're not just relying on blogs anymore and you know 40 50 page white papers so we're actually looking at that playbooks now mapping the adversary's understanding their tools techniques procedures how they're operating why they're operating who are they hitting on and what what might be their next move so that's a big development on the intelligence sides here all right so I mentioned upfront this notion that the white hats may be ascending I'm implying a prediction here tell us a little bit about what we see on the horizon for that concept of the white hats ascending and specifically why is there reason to be optimistic yeah so as it's it's it's been gloomy for you for decades like he said and for many reasons right and I think those reasons there are no secrets I mean cyber criminals and black hats have always been able to move very you know with with agility right I'm sorry crime has no borders it's often a slap on the wrist that they get they can do a million things are on they don't care there's no ethics and quite frankly no no rules by right on the white hand side we've always had rules binding us we've had to we've had to take due care and we've had to move methodically which slows us down so a lot of that comes in place because of frameworks because of technology as well having to move um after it's in able to it with frameworks so specifically with you know making corrective action and things like that so those are the challenges that we face against but you know like thinking ahead to to 2020 particularly with the use of artificial intelligence everybody talks about AI you know it's it's impacted our daily lives but when it comes to cybersecurity on the white hat side um you know a proper AI and machine learning model it takes time you think it can take you years in fact in our case in our experience about four to five years before we can actually roll it out to production but the good news is that we have been investing and when I say we I'm just talking to the industry in general and wait we've been investing into this technology because quite frankly we've had to it takes a lot of data it takes a lot of smart minds a lot of investment a lot of processing power and that foundation has now been set over the last five years if we look at the blackcats it's not the case and why because they've been enjoying living off the land on a low-hanging truth path of least resistance because they've been able to so one of the things that's changing that equilibrium then is the availability of AI as you said it could take four or five years to get to a point we've actually got useful AI is it can have an impact I guess that means that we've been working on these things for four or five years what's the state of the art with AI as it pertains to security and are we seeing different phases of development start to emerge as we gain more experience with these technologies yeah absolutely and it's quite exciting right ai isn't this universal brain that's that's always good the world's problems that everyone thinks it might right it's very specific it relies on machine learning models each machine learning model is very specific to its task right I mean you know voice learning technology versus autonomous vehicle driving versus cybersecurity it's very different when it comes to the swimming purposes so so in essence the way I look at it you know there's three generations of AI we have generation 1 which was the past generation 2 which is a current where we are now and the generation 3 is where we're going so generation 1 was pretty simple right it was just a central processing lyrtle of machine learning model that'll take in data they'll correlate that data and then take action based off of it some simple inputs simple output right generation to where we're currently sitting is more advances looking at pattern recognition more advanced inputs are distributed models where we have the you know sensor is lying around networks I'm talking about even IOT devices security appliances and so forth but still report up to this centralized brain that's learning and acting on things but where things get really interesting moving forward in 2020 gets into this third generation where you have especially you know moving towards about computer sorry I'm computing where you have localized learning notes that are actually processing and learning so you can think of them as these mini brains instead of having this monolithic centralized brain you have individual learning modes individual brains doing their own machine learning that are actually connected to each other learning from each other speaking to each other it's a very powerful model we actually refer to this as federated machine learning in our industry so we've been first phase we simply use statistics to correlate events take action yeah now we're doing exceptions pattern recognition or exceptions and building patterns and in the future we're going to be able to further distribute at that so that increasingly the AI is going to work with other AI so that the aggregate this federated aggregate gets better I got that right yeah absolutely and what's the advantage of that a couple of things I'm it's very similar to the human immune system right I mean if you have you know if I were to cut my finger on my hand what's gonna happen well localized white blood cells get localized not nothing from a foreign entity or further away in my body are gonna come to the rescue and start healing right it's the same idea it's because it's interconnected within the nervous system it's the same idea of this federated machine learning right if security appliance is to detect a threat locally on-site its able to alert other security appliances so that they can actually take action on this and learn from that as well so connected machine learning models it means that that you know by properly implementing these these AI this federated AI machine learning models in an organization that that system is able to actually in an auto you may pick up what that threat is be able to act on that threat which means it's able to respond to these threats quicker shut them down to the point where it can be you know virtually instantaneous right before you know that the damage is done and bleeding starts happening so the common time safe common baseline is constantly getting better even as we're giving opportunities for local local managers to perform the work in response to local conditions so that takes us to the next notion of we've got this federated a la a I on the horizon how are people how is the role of people security professionals going to change what kind of recipes are they going to follow to ensure that they are working in a maximally productive way with these new capabilities these new federated capabilities especially as we think about the introduction of 5g and greater density of devices and faster speeds and lower latencies yeah so you know that the the the the world of cyber computer cyber security has always been incredibly complex so we're trying to simplify that and that's where again this this federated machine learning comes into place particularly with playbooks so you know if we look at 2019 and where we're going in 2020 we've put a lot of a lot of groundwork quite frankly into pioneering the work of playbooks right so when I say playbooks I'm talking about adversary's playbook knowing the offense knowing the tools techniques procedures the way that these cybercrime operations are moving right and the black hats are moving the more that we can understand that the more we can predict their next move and that centralized language right once you know that offense we can start to create automated Blue Team playbook so defensive play books that a human that that's a security technology can automatically integrate and respond to it but to getting back to your question we can actually create human readable sea cecil guides that can actually say look there's a threat here's why it's a problem here's here here are the gaps in your security that we've identified if you're some recommended course of action as my deity right so that's that's where the humans and the machines are really going to be worked working together and and quite frankly moving speed being able to do that a machine level but also being being able to simplify a complex landscape that is where we can actually gain traction right that this is part of that ascendancy of the white hat because because it's it's allowing us to move in a more agile nature it's an it's allowing us to gain ground against heat actors and quite frankly it allows us to start disrupting their business model right it's more resilient Network in the future this leads to the whole notion of self-healing networks as well that quite frankly just makes it a big pain it disrupts your business model it forces them to go back to the drawing board - well it also seems as though when we start talking about 5g that the speeds as I said the speeds the dentin see the reduced latency the the potential for a bad thing to propagate very quickly demands that we have a more consistent coherent response at both the Machine level but also at the people level we 5g into this conversation what's what will be the impact of 5g on how these playbooks and AI start to come together over the next few years yeah it's it's it's it's gonna be very impactful it's gonna take a couple of years and we're just at the dawn of 5g right now but if you think of 5g you're talking about a lot more volume essentially as we move to the future we're entering into the age of five G and edge computing and 5g and edge computing is gonna start eating the cloud in a sense that more of that processing power that was in the cloud is starting to shift now towards edge computing right this is that on-premises so it is gonna allow models like I was talking about federated machine learning models at first from the the white hats point of view which I again I think we are in the driver's seat and in a better you know more advantageous position here because we have more experience again like I said we've been doing this for years where the black hats quite frankly haven't yes they're toying with it but not to the same level at scale that we have but you know you know it's I'm always a realist this isn't a completely rosy picture I mean there it is optimistic that we are able to get this upper hand it has to be done right but if we think about the weaponization of 5g that's also very large problem right last year we're talking about sworn networks right the idea of sworn networks is a whole bunch of devices that can connect to each other share intelligence and then act to do something like a large-scale DDoS attack that's absolutely in the in the realm of possibility when it comes to the weaponization of 5g as well so one of the things I guess the last question I want to ask you is you noted that these play books incorporate the human element in ways that are uniquely human so having C so readable recipes for how people have to respond does that also elevate the conversation with the business and does allows us to do a better job of understanding risk pricing risk and appropriately investing to manage and assure the business against risk in the right way absolutely absolutely it does yeah yeah because the more you know about going back to the playbook some more you know about the office and their tools you know you the more you know about how much of a danger it is what sort of targets they're after right I mean if they're just going trying to look to to to collect a little bit of information on you know to do some reconnaissance that first phase attack might not cause a lot of damage but if this group is knowing to go in hit hard steal intellectual property shut down critical business streams to do s that in the past we know and we've seen has caused four or five million dollars from one you know from one breach that's a very good way to start classifying risk so yeah I mean it's all about really understanding the picture first on the offense and that's exactly what these automated playbook guides are going to be doing on the on the on the blue team and again not only from a CSE suite perspective certainly that on the human level but the nice thing about the play books is because we've done the research the threat hunting and understood this you know from a machine level it's also able to put a lot of those automated let's say day-to-day decisions making security operation center is so I'm talking about like sect DevOps much more efficient to so he's talking about more density at the edge amongst these devices I also want to bring back one last thought here and that is you said that historically some of the black hats have been able to act with a degree of impunity they haven't necessarily been hit hard there a lot of slapping on the wrist as I think you said talk about how the playbooks and AI is going to allow them to more appropriately share data with others that can help both now but also in some of the forensics and the the enforcement side namely the the legal and policing world how are we going to share the responsibility or how is that going to change over the next few years to incorporate some of the folks that actually can then turn a defense into a legal attack illumination this is what I call it right so again if we look at the current state we've made great strides great progress you know working with law enforcement so we've set up public private sector relationships we need to do that have security experts working with law enforcement law enforcement working on there and to train process prosecutors to understand cybercrime and so forth that foundation has been set but it's still slow-moving you know there's only a limited amount of playbooks right now it takes a lot of work to unearth and and and do to really move the needle what we need to do again like we're talking about is to integrate artificial intelligence with playbooks the more that we understand about groups the more that we do this threat illumination the more we have cover about them the more we know about them and by doing that we can start to form predictive models right basically I always say old habits die hard so you know if an attacker goes in hits a network and they're successful following a certain sequence of patterns they're likely going to follow that say that's that same sequence on their next victim or their next target so the more that we understand about that the more that we can forecast eight from a mitigation standpoint but the also by the same token the more correlation we're doing on these playbooks the more machine learning we're doing on this playbooks the more we were able to do attribution and attribution is the Holy Grail it's always been the toughest thing to do when it comes to research but by combining the framework that we're using with playbooks and AI machine learning it's a very very powerful recipe and that's that's what we need to get right and move forward in the right direction Derrick McKey ordinance chief of security insights and threat alliances thanks again for being on the cube it's a pleasure anytime happy to talk and I want to thank you for joining us for another cube conversation I'm Peter Burris see you next time [Music]