Derek Manky, Fortinet | CUBEconversation

>> Welcome to this Cube Conversation with Fortinet. I'm your host, Lisa Martin. Derek Manky is back. He's the Chief of Security Insights and Global Threat Alliances at Fortinet, FortiGuard Labs. Derek, welcome back to the program.
>> Likewise.
>> We've talked a lot this year. And of course, when I saw that you guys have predictions from FortiGuard Labs, the global threat intelligence and research team, about the cyber threat landscape for 2022, I thought there was going to be a lot to talk about with Derek here. So let's go ahead and dig right in. First of all, one of the things that caught my attention was the title of the press release about the predictions that was just revealed. The press release says FortiGuard Labs predicts cyber attacks aimed at everything from crypto wallets to satellite internet. Nothing, there is no surface that is safe anymore. Talk to me about some of the key challenges that organizations in every industry are facing.
>> Yeah, absolutely. So as you said, you had the keyword there, surface, right? And that attack surface is open for attack. The attack surface that we talk about is literally being pushed out from the edge to space. A lot of these places that had no connection before, particularly in OT environments off grid, we're talking about critical infrastructure, oil and gas, as an example. There are a lot of these remote units that were living out there that relied on field engineers to go in and plug into them. They were air gapped. Those are the things that are going to be accessible by LEOs, low earth orbit satellites. And there are 4,000 of those out there right now. There are going to be over 30,000. We're talking Starlink, we're talking at least four or five other competitors entering this space, no pun intended. And that's a big deal because it's a gateway. It opens the door for cyber criminals to be able to have accessibility to these networks. And so security has to come, you know, front of mind there, right.
>> It absolutely does. We've got this fragmented perimeter, tools that are siloed, the very expanded attack surface, as you just mentioned, but some of the other targets, the 5G enabled edge, the core network, of course, the home environment where many of us still are.
>> Yeah, definitely. So that home environment, like the edge, it's the smart edge, right? So we have things called edge access Trojans. These are Trojans that will actually impact and infect edge devices. And if you think about these edge devices, we're talking things that have machine learning and automation built into them, a lot of privilege, because they're actually processing commands and acting on those commands in a lot of cases, right? Everything from smart office, smart home, even into the OT environment that we're talking about. And that is a juicy target for attackers, right? Because these devices naturally have more privilege. They have APIs and connectivity to a lot of these things where they could definitely do some serious damage and be used as a pivot within the network from the edge. Right. And that's a key point there.
>> Let's talk about the digital wallet that we all walk around with. You know, we think it's so easy, we can do quick, simple transactions with Apple Wallet, Google Smart Tap, Venmo, what have you, but that's another growing source of threat where we need to be concerned, right?
>> Yeah. So I've worn my cybersecurity hat for over 20 years, and 10 years ago even, we were talking all about online banking Trojans. That was a big threat, right? Because a lot of financial institutions, they hadn't yet rolled out things like multifactor authentication. It was fairly easy to get someone's bank credentials, go in, siphon funds out of an account. That's a lot harder nowadays. And so cyber criminals are shifting tactics to go after the low hanging fruit, which are these digital wallets and often cryptocurrency, right? We've actually seen this already in FortiGuard Labs. Some of this is already starting to happen right now. I expect this to happen a lot more in 2022 and beyond. And it's because, you know, these wallets hold a whole lot of value right now, right, with the crypto. And they can be transferred easily without having to do, like, EFTs or wire transfers and all those sorts of things that actually include a lot of paperwork from the financial institutions. And, you know, we saw something where they were actually hijacking these wallets, right, just intercepting a copy and paste command, because it's a 54 character address, people aren't typing that in all the time. So when they're sending or receiving funds, what we've actually seen in malware today is they're taking that, intercepting it and replacing it with the attacker's wallet. It's as simple as that, bypassing all the authentication measures and so forth.
>> And is that happening for the rest of us that don't have a crypto wallet? So is that happening for folks with Apple Wallets? And is that a growing threat concern that people need to be aware of?
>> Absolutely. Yeah. So crypto wallets is the majority of what we're seeing, but yeah, no digital wallet is untouched here. Absolutely. These are all valid targets and we are starting to see activity in them.
>> I'm sure, going after those stored credentials, that's probably low-hanging fruit for the attackers. Another thing that was interesting that the 2022 threat landscape predictions highlighted was the e-sports industry and the vulnerabilities there. Talk to me about that. That was something that I found surprising. I didn't realize it was a billion dollar a year revenue industry, a lot of money.
>> A lot of money, a lot of money. And these are full-blown platforms that have been developed. This is a business. This isn't, you know, again, going back to what we've seen and we still do see, the online gaming itself. We've seen Trojans written for that. And oftentimes it's just trying to get into an end user's gaming account so that they can steal virtual equipment and currency, you know, there's virtual currencies as well. So there was some monetization happening, but not on a grand scale. This is about a shift, attackers going after a business, just like any organization, big business, right, to be able to hold that hostage effectively, in terms of DDoS threats, in terms of vulnerabilities, in terms of also, you know, crippling these systems with ransomware, like we've already seen starting to hit OT. This is just another big target, right. And if you think about it, these are live platforms that rely on low latency, so very quick connections. Anything that interrupts that, think about the Olympics, right, an e-sports environment, it's a big deal to them. And there's a lot of revenue that could be lost, and cybercriminals fully realize this. And this is why we're predicting that e-sports is going to be a big target for them moving forward.
>> Got it. And let's talk about what's going on with ransomware. So when you and I spoke a few months ago, I think it was ransomware was up nearly 11x in the first half of calendar year 2021. What are you seeing from an evolution perspective in the actual ransomware actions themselves, as well as what the cyber criminals are evolving to?
>> Yeah. So two words: aggressive, destructive. Not good words, right? But this is what we're seeing with ransomware. Now, again, they're not just going after data as the currency. We're seeing destructive capabilities put into ransomware, including wiper malware. So this used to be just in the realm of APT, nation state attacks. We saw that with Shamoon. We saw that with Dark Seoul back in 2013, so destructive threats, but in the world of APT and nation state. Now we're seeing this in cyber crime. We're seeing it with ransomware, and this I expect to be a full-blown tactic for cyber criminals, simply because they have the threat, right. They've already leveraged a lot of extortion and double extortion schemes. We've talked about that. Now they're going to be onboarding this as a new threat, basically planting these time bombs, these ticking time bombs, holding systems for ransom, and probably crippling a couple to show that they mean business and saying, unless you pay us within a day or two, we're going to take all of these systems offline. We're not just going to take them offline, we're going to destroy them, right. That's a big incentive for people to pay up. So they're really playing on that fear element. That's what I mean about aggressive, right? They're going to be really shifting tactics.
>> Aggressive and destructive are two things you don't want in a cybersecurity environment, or to be called by your employer. Just wanted to point that out. Talk to me about wiper malware. Is this new and emerging, or is this something that's seeing a resurgence? Because this came up at the Olympics in the summer, right?
>> Absolutely. So a resurgence, in a sort of different way, right. So, as I said, we have seen it before, but it's not been too prevalent. It's been a niche area for them, right, specifically for these very highly targeted attacks. So yes, the Olympics, in fact two times, at the Olympics in Tokyo, but also in the last summer Olympics as well. We also saw it, as I mentioned, in South Korea with Dark Seoul in 2013. We saw it in an OT environment with Shamoon as an example, but we're talking handfuls here. Unfortunately we have blogged about three of these in the last month to month and a half, right. And, you know, this is starting to be married with ransomware, which is particularly very dangerous, because it's not just wiper malware, but couple that with the ransom tactics. And that's what we're starting to see, this resurgence, yes, but a completely new form that's taking place. Even to the point, I think in the future, that it could severely… Right now what we're seeing is it's not too critical, in the sense that it's not completely destroying the system. You can recover the system still; we're talking master boot records, those sorts of things. But in the future, I think they're going to be going after the firmware themselves, essentially turning some of these devices into paperweights, and that's going to be a very big problem.
>> Wow. That's a very scary thought, getting to the firmware and turning those devices into paperweights. One of the things also that the report talked about that was really interesting was more attacks against the supply chain and Linux in particular. Talk to us about that. What did you find there? What does it mean? What's the threat for organizations?
>> Yeah. So we're seeing a diversification in terms of the platforms that cyber criminals are going after. Again, it's that attack surface, lower hanging fruit in a sense, because for fully patched versions of Windows 10, Windows 11, it's harder, right, for cyber criminals than it was five or 10 years ago to get into those systems. If we look at just the prevalence, the amount of devices that are out there in IoT and OT environments, these are running on Linux, a lot of different flavors and forms of Linux, and therefore different security holes that come up with that. And that's a big patch management issue as an example too. And so this is what we've already seen with the Mirai botnet, and this was in our threat landscape report, Mirai was the number one threat that we saw. And that's a Linux-based botnet. Now, Microsoft has rolled out something called WSL, which is the Windows Subsystem for Linux, in Windows 10 and Windows 11, meaning that Windows supports Linux now. So all the code that's being written for botnets, for malware, all that stuff is able to run on new Windows platforms effectively. So this is how they're trying to expand their attack surface. And that ultimately gets into the supply chain because, again, a lot of these devices in manufacturing and operational technology environments rely quite heavily actually on Linux.
>> Well, and with all the supply chain issues that we've been facing during the pandemic, how can organizations protect themselves against this?
>> Yeah. So this is a big thing, right? And we talked about also the weaponization of artificial intelligence, automation and all of these. There's a lot going on, as you know, right, from the threats, a lot to get visibility on, a lot to be able to act quickly on. That's a big key metric there, is how quick you can detect these and respond to them. For that, you need good threat intelligence, of course, but you also truly need to enable automation, things like SD-WAN, a mesh architecture as well, or having a security fabric that can actually integrate devices that talk to each other and can detect these threats and respond to them quickly. That's a very important piece because if you don't stop these attacks while they're in that movement through the attack chain, so the kill chain concept we talk about, the risk is very high nowadays with, you know, everything we just talked about from ransomware and destructive capabilities. So having those approaches is very important. Also having education and a workforce trained up is equally as important, to be aware of these threats.
>> I'm glad you brought up that education piece and the training, and that's something that Fortinet is very dedicated to doing, but it also brings up the cybersecurity skills gap. I know when I talked with Ken Xie just a couple months ago at the PGA tournament, he was talking about, you know, big investments in what FortiGuard, Fortinet is doing to help reduce that gap. But the gap is still there. How do IT teams not get overloaded with the expanding surface? It seems like the surface has just, there is no limit anymore. So how do IT teams that are lean and small help themselves in the fact that the threat landscape is expanding? The criminals are getting smarter, using AI, intelligent automation. What are IT teams to do?
>> Fight fire with fire. You've got to use some of the same tools that they're using on their side, and you need to be able to use them in your toolkit. We're talking about a security operations center perspective, to have tools like, again, this comes to the threat intelligence, to get visibility on these things. We're talking SIEM, SOAR, we have, you know, FortiAI out now, deception products, all these sorts of things. These are all tools that can help those people. So you don't have to hire 40 or 50 people in your SOC, right? It's more about how you can work together with the tools and technology to have escalation paths, to do more people, process, procedure, as we talk about, to be able to educate and train on those, to be able to have incident response planning. So what do you do, because inevitably you're going to be targeted, probably in a ransomware attack, what do you do? Playing out those scenarios, doing breach and attack simulation, all of those things. That comes down to the skills gaps. So it's a lot about that education and awareness, not having to do the stuff that can be handled by automation and AI, and training. You're absolutely right. We've dedicated a lot with our NSE program at Fortinet. We also have our Fortinet Security Academy. You know, we're integrating with those secondary institutions so we can have the skill sets ready for new graduates, as an example. There's a lot of progress being made towards that. We've even created a new one powered by FortiGuard Labs. There is a FortiGuard Labs play in our NSE 7, as an example. It's for threat hunting and offensive security, as an example, understanding really how attackers are launching their campaigns, and all those things come together. But that's the good news actually, is that we've come a long way. We actually did our first machine learning and AI models over 10 years ago, Lisa. This isn't something new to us. So the technology has gone a long way. It's just a matter of how we can collaborate and obviously integrate with that on the skills gap.
>> And one more question on the actual threat landscape. Were there any industries that came up in particular? We talked about e-sports, we talked about OT. Any industries that came up in particular as really big hotspots that companies and organizations really need to be aware of?
>> Yeah. So also, this is part of OT, ICS, critical infrastructure. That's a big one. Absolutely, there we're seeing also cyber criminals offering more crime services now on the dark web. So CaaS, which is crime as a service, because it used to be, again, a very specialized area that maybe only a handful of organized criminal organizations could actually, you know, launch attacks and have an impact on those targets. Now they're offering services right on to other up-and-coming cyber criminals, to be able to try to monetize that as well. Again, we're seeing this, we actually call it advanced persistent cybercrime, APC, instead of an APT, because they're trying to take cyber crime to these targets like ICS, critical infrastructure. Healthcare as well is another one, again, usually in the realm of APT, but now being targeted more by cybercriminals in ransomware.
>> I've heard of ransomware as a service. Is that a subcategory of crime as a service?
>> Absolutely. Yeah. It is. Phishing as a service, ransomware as a service, DDoS as a service, so many of these subcategories. But ransomware as a service, that's another big problem as well, because this is an affiliate model, right, where they hire partners and pay them commission if they actually get payments of ransom, right? So they have literally a middle layer in this network that they're pushing out to scale their attacks.
>> You know, and I think the last time we talked about ransomware, we talked about it's a matter of, and I talk to customers all the time who say, yes, it's a matter of when, not if. Is this the same sentiment, do you think, for crime as a service in general, the attacks on e-sports, on home networks, on internet satellites in space? Is this just a matter of when, not if, across the board?
>> Well, yeah, absolutely. You know, but the good news is, when it happens, it doesn't have to be a catastrophic situation. Again, that's the whole point about preparedness and planning and all the things I talked about, filling the skills gap, education, and having the proper tools in place that will mitigate that risk, right. And that's perfectly acceptable. And that's the way we should handle this from the industry, because we process, we've talked about this, over a hundred billion threats a day in FortiGuard Labs. The volume is just going to continue to grow. It's very noisy out there. And there's a lot of automated threats, a lot of attempts knocking on organizations' doors and networks, and, you know, phishing emails being sent out and all that. So it's something that we just need to be prepared for, just like you do for natural disaster planning and all these sorts of other things in the physical world.
>> That's a good point. It doesn't have to be aggressive and destructive. But last question for you, how is FortiGuard helping companies in every industry get aggressive and disruptive against the threats?
>> Yeah. Great question. So this is something I'm very passionate about, as you know, where, you know, we don't stop just with customer protection. Of course, as a security vendor, that's our primary and foremost objective, to protect and mitigate risk to the customers. That's what we're doing. You know, this is why we have 24/7/365 operations at FortiGuard Labs, where we're helping to find the latest and greatest on threat intelligence and hunting. But we don't stop there. We're actually working in the industry. So I mentioned this before, the Cyber Threat Alliance, to collaborate and share intelligence on threats, all the way down to disrupting cybercrime. This is a big target of ours, how we can work together to disrupt cyber crime. Because unfortunately they've made a lot of money, a lot of profits, and we need to reduce that. We need to send a message back and fight that aggressiveness, and we're on it, right? So we're working with Interpol, Project Gateway with the World Economic Forum, the Partnership Against Cybercrime. It's a lot of initiatives with, you know, the who's who of cyber security in the industry to work together and tackle this collaboratively. The good news is there's been some steps of success to that. There's a lot more we're doing to scale the efforts.
>> Excellent. Well, Derek, as always, a great and very informative conversation with you. I always look forward to these, seeing what's going on with the threat landscape, the challenges, the increasing challenges, but also the good news, the opportunities in it, and what FortiGuard is doing, Fortinet, excuse me, I can't speak today, to help customers address that. And we always appreciate your insights and your time. We look forward to talking to you and unveiling the next predictions in 2022.
>> All right. Sounds good. Thanks, Lisa.
>> My pleasure. For Derek Manky, I'm Lisa Martin. You're watching this Cube Conversation with Fortinet. Thanks for watching.

Published Date : Nov 19 2021


Derek Manky, Fortinet | CUBEConversation

>> Welcome to this Cube Conversation, I'm Lisa Martin. I'm joined by Derek Manky next, the Chief of Security Insights and Global Threat Alliances at FortiGuard Labs. Derek, welcome back to the program.
>> Hey, it's great to be here again. A lot of stuff's happened since we last talked.
>> So Derek, one of the things that was really surprising from this year's Global Threat Landscape Report is a 10, more than 10x increase in ransomware. What's going on? What have you guys seen?
>> Yeah, so this is massive. We're talking over a thousand percent, over a 10x increase. This has been building, Lisa. So this has been building since December of 2020. Up until then we saw a relatively low watermark with ransomware. It had taken a hiatus really because cyber criminals were going after COVID-19 lures and doing some other things at the time. But we did see a seven fold increase in December 2020. That has absolutely continued this year into a momentum; up until today, it continues to build, never subsided. Now it's built to this monster, you know, almost 11 times increase from what we saw back last December. And the reason, what's fueling this, is new verticals that cyber criminals are targeting. We've seen the usual suspects like telecommunication, government in position one and two. But new verticals that have risen up into this third and fourth position following are MSSP, and this is on the heels of the Kaseya attack of course, that happened in 2021, as well as operational technology. There's actually four segments, there's transportation, automotive, manufacturing, and then of course, energy and utility, all subsequent to each other. So there's a huge focus now on OT and MSSP for cyber criminals.
>> One of the things that we saw last year this time was that attackers had shifted their focus away from enterprise infrastructure devices, to home networks and consumer grade products. And now it looks like they're focusing on both. Are you seeing that?
>> Yes, absolutely. In two ways, so first of all, again, this is a kill chain that we talk about. They have to get a foothold into the infrastructure, and then they can load things like ransomware on there. They can load things like information stealers as an example. The way they do that is through botnets. And what we reported in the first half of 2021 is that Mirai, which is about a two to three-year old botnet now, is number one by far, it was the most prevalent botnet we've seen. Of course, the thing about Mirai is that it's an IoT based botnet. So it sits on devices sitting inside consumer networks as an example, or home networks, right. And that can be a big problem. So those are the targets that cyber criminals are using. The other thing that we saw that was interesting was that one in four organizations detected malvertising. And so what that means, Lisa, is that cyber criminals are shifting their tactics from going just from cloud-based or centralized email phishing campaigns to web-borne threats, right. So they're infecting sites, watering hole attacks, where, you know, people will go to read their daily updates as an example of things that they do as part of their habits. They're getting sent links to these sites that when they go to it, it's actually installing those botnets onto those systems, so they can get a foothold. We've also seen scare tactics, right. So they're doing new social engineering lures, pretending to be human resource departments, IT staff and personnel, as an example, with popups through the web browser that look like these people, to fill out different forms and ultimately get infected on home devices.
>> Well, the home device use is proliferating. It continues because we are still in this work from home, work from anywhere environment. Is that, you think, a big factor in this increase from 7x to nearly 11x?
>> It is a factor, absolutely. Yeah, like I said, it's also, it's a hybrid of sorts. So a lot of that activity is going to the MSSP angle, like I said, to the OT. And to those new verticals, which by the way, are actually even larger than traditional targets in the past, like finance and banking, which is actually lower than that as an example. So yeah, we are seeing a shift to that. And like I said, that's further backed up from what we're seeing with the botnet activity, specifically with Mirai too.
>> Are you seeing anything in terms of the ferocity? We know that the volume is increasing, are they becoming more ferocious, these attacks?
>> Yeah, there is a lot of aggression out there, certainly from cyber criminals. And I would say that the velocity is increasing, but the amount, if you look at the cyber criminal ecosystem, the stakeholders, right, that is increasing. It's not just one or two campaigns that we're seeing. Again, we're seeing, this has been a record cases year, almost every week we've seen one or two significant cyber security events that are happening. That is a dramatic shift compared to last year or even two years ago too. And this is because the cyber criminals are getting deeper pockets now. They're becoming more well-funded and they have business partners, affiliates that they're hiring, each one of those has their own methodology, and they're getting paid big. We're talking up to 70 to 80% commission, just if they actually successfully infect someone that pays for the ransom as an example. And so that's really what's driving this too. It's a combination of this kind of perfect storm as we call it, right. You have this growing attack surface, work from home environments and footholds into those networks, but you have a whole bunch of other people now on the bad side that are orchestrating this and executing the attacks too.
>> So what can organizations do to start- to slow down or limit the impacts of this growing ransomware as a service?
>> Yeah, great question. Everybody has their role in this, I say, right? So if we look at, from a strategic point of view, we have to disrupt cyber crime. How do we do that? It starts with the kill chain. It starts with trying to build resilient networks. So things like ZTA and zero trust network access, SD-WAN as an example for protecting that WAN infrastructure. 'Cause that's where the threats are floating to, right. That's how they get the initial footholds. So anything we can do on the preventative side, making networks more resilient, also education and training is really key. Things like multi-factor authentication are all key to this because if you build that preventatively, and it's a relatively small investment upfront, Lisa, compared to the collateral damage that can happen with these ransomware attacks, the risk is very high. That goes a long way, it also forces the attackers to- it slows down their velocity, it forces them to go back to the drawing board and come up with a new strategy. So that is a very important piece, but there's also things that we're doing in the industry. There's some good news here, too, that we can talk about, because there's things that we can actually do apart from that to really fight cyber crime, to try to take the cyber criminals offline too.
>> All right, hit me with the good news, Derek.
>> Yeah, so a couple of things, right. If we look at the botnet activity, there's a couple of interesting things in there. Yes, we are seeing Mirai rise to the top right now, but we've seen big problems of the past that have gone away or come back, not as prolific as before. So two specific examples. Emotet, that was one of the most prolific botnets that was out there for the past two to three years, there was a takedown that happened in January of this year. It's still on our radar, but immediately after that takedown, it literally dropped to half of the activity it had before. And it's been consistently staying at that low watermark now, at that half percentage, since then, six months later. So that's very good news, showing that the actual coordinated efforts that we're getting involved with, with law enforcement, with our partners and so forth, to take down these are actually hitting their supply chain where it hurts, right. So that's good news part one. TrickBot was another example, this is also a notorious botnet, takedown attempt in Q4 of 2020. It went offline for about six months. In our landscape report, we actually show that it came back online in about June this year. But again, it came back weaker and now the form is not nearly as prolific as before. So we are hitting them where it hurts, that's the really good news. And we're able to do that through new, what I call high resolution intelligence that we're looking at too.
>> Talk to me about that high resolution intelligence, what do you mean by that?
>> Yeah, so this is cutting edge stuff really, gets me excited, keeps me up at night in a good way. 'Cause we're looking at this under the microscope, right. It's not just talking about the what, we know there's problems out there, we know there's ransomware, we know there's botnets, all these things, and that's good to know, and we have to know that, but we're able to actually zoom in on this now and look at- So we, for the first time in the threat landscape report, we've published TTPs, the techniques, tactics, procedures. So it's not just talking about the what, it's talking about the how. How are they doing this? What's their preferred method of getting into systems? How are they trying to move from system to system? And exactly how are they doing that? What's the technique? And so we've highlighted that, it's using the MITRE ATT&CK framework TTPs, but this is real time data.
And it's very interesting, so we're clearly seeing a very heavy focus from cyber criminals and attackers to get around security controls, to do defense innovation, to do privilege escalation on systems. So in other words, trying to be common administrator so they can take full control of the system. As an example, lateral movement, there's still a preferred over 75%, 77 I believe percent of activity we observed from malware was still trying to move from system to system, by infecting removable media like thumb drives. And so it's interesting, right. It's a brand new look on these, a fresh look, but it's this high resolution, is allowing us to get a clear image, so that when we come to providing strategic guides and solutions in defense, and also even working on these takedown efforts, allows us to be much more effective. >> So one of the things that you said in the beginning was we talked about the increase in ransomware from last year to this year. You said, I don't think that we've hit that ceiling yet, but are we at an inflection point? Data showing that we're at an inflection point here with being able to get ahead of this? >> Yeah, I would like to believe so, there is still a lot of work to be done unfortunately. If we look at, there's a recent report put out by the Department of Justice in the US saying that, the chance of a criminal to be committing a crime, to be caught in the US is somewhere between 55 to 60%, the same chance for a cyber criminal lies less than 1%, well 0.5%. And that's the bad news, the good news is we are making progress in sending messages back and seeing results. But I think there's a long road ahead. So, there's a lot of work to be done, We're heading in the right direction. But like I said, they say, it's not just about that. It's, everyone has their role in this, all the way down to organizations and end users. 
If they're doing their part of making their networks more resilient through this, through all of the, increasing their security stack and strategy. That is also really going to stop the- really ultimately the profiteering that wave, 'cause that continues to build too. So it's a multi-stakeholder effort and I believe we are getting there, but I continue to still, I continue to expect the ransomware wave to build in the meantime. >> On the end-user front, that's always one of the vectors that we talk about, it's people, right? There's so much sophistication in these attacks that even security folks and experts are nearly fooled by them. What are some of the things that you're saying that governments are taking action on some recent announcements from the White House, but other organizations like Interpol, the World Economic Forum, Cyber Crime Unit, what are some of the things that governments are doing that you're seeing that as really advantageous here for the good guys? >> Yeah, so absolutely. This is all about collaboration. Governments are really focused on public, private sector collaboration. So we've seen this across the board with Fortiguard Labs, we're on the forefront with this, and it's really exciting to see that, it's great. There's always been a lot of will to work together, but we're starting to see action now, right? Interpol is a great example, they recently this year, held a high level forum on ransomware. I actually spoke and was part of that forum as well too. And the takeaways from that event were that we, this was a message to the world, that public, private sector we need. They actually called ransomware a pandemic, which is what I've referred to it as before in itself as well too. Because it is becoming that much of a problem and that we need to work together to be able to create action, action against this, measure success, become more strategic. 
The World Economic Forum were leading a project called the Partnership Against Cyber Crime Threat Map Project. And this is to identify, not just all this stuff we talked about in the threat landscape report, but also looking at, things like, how many different ransomware gangs are there out there. What do the money laundering networks look like? It's that side of the supply chain to map out, so that we can work together to actually take down those efforts. But it really is about this collaborative action that's happening and it's innovation and there's R&D behind this as well, that's coming to the table to be able to make it impactful. >> So it sounds to me like ransomware is no longer a- for any organization in any industry you were talking about the expansion of verticals. It's no longer a, "If this happens to us," but a matter of when and how do we actually prepare to remediate, prevent any damage? >> Yeah, absolutely, how do we prepare? The other thing is that there's a lot of, with just the nature of cyber, there's a lot of connectivity, there's a lot of different, it's not just always siloed attacks, right. We saw that with Colonial obviously, this year where you have attacks on IT, that can affect consumers, right down to consumers, right. And so for that very reason, everybody's infected in this. it truly is a pandemic I believe on its own. But the good news is, there's a lot of smart people on the good side and that's what gets me excited. Like I said, we're working with a lot of these initiatives. And like I said, some of those examples I called up before, we're actually starting to see measurable progress against this as well. >> That's good, well never a dull day I'm sure in your world. Any thing that you think when we talk about this again, in a few more months of the second half of 2021, anything you predict crystal ball wise that we're going to see? 
>> Yeah, I think that we're going to continue to see more of the, I mean, ransomware, absolutely, more of the targeted attacks. That's been a shift this year that we've seen, right. So instead of just trying to infect everybody for ransom, as an example, going after some of these new, high profile targets, I think we're going to continue to see that happening from the ransomware side and because of that, the average costs of these data breaches, I think they're going to continue to increase, it already did in 2021 as an example, if we look at the cost of a data breach report, it's gone up to about $5 million US on average, I think that's going to continue to increase as well too. And then the other thing too is, I think that we're going to start to see more, more action on the good side like we talked about. There was already a record amount of takedowns that have happened, five takedowns that happened in January. There were arrests made to these business partners, that was also new. So I'm expecting to see a lot more of that coming out towards the end of the year too. >> So as the challenges persist, so do the good things that are coming out of this. Where can folks go to get this first half 2021 Global Threat Landscape? What's the URL that they can go to? >> Yeah, you can check it out, all of our updates and blogs including the threat landscape reports on blog.fortinet.com under our threat research category. >> Excellent, I read that blog, it's fantastic. Derek, always a pleasure to talk to you. Thanks for breaking this down for us, showing what's going on. Both the challenging things, as well as the good news. I look forward to our next conversation. >> Absolutely, it was great chatting with you again, Lisa. Thanks. >> Likewise for Derek Manky, I'm Lisa Martin. You're watching this Cube Conversation. (exciting music)

Published Date : Aug 31 2021

SUMMARY :

Welcome to this Cube Hey, it's great to be here again. So Derek, one of the things Now it's built to this monster, you know, One of the things that So that's the targets that Well, the home device So a lot of that activity but the amount, if you look at that we can talk about because with the good news Derek. of the activity it had before. So it's not just talking about the what, So one of the things that 'cause that continues to build too. What are some of the things And this is to identify, So it sounds to me like And so for that very reason, that we're going to see? more of the targeted attacks. so do the good things that including the threat landscape I look forward to our next conversation. chatting with you again, Lisa. Likewise for Derek

SENTIMENT ANALYSIS :

ENTITIES

EntityCategoryConfidence
DerekPERSON

0.99+

Lisa MartinPERSON

0.99+

JanuaryDATE

0.99+

InterpolORGANIZATION

0.99+

Fortiguard LabsORGANIZATION

0.99+

Derek MankyPERSON

0.99+

Derek MankyPERSON

0.99+

2021DATE

0.99+

December, 2020DATE

0.99+

oneQUANTITY

0.99+

last yearDATE

0.99+

10QUANTITY

0.99+

December of 2020DATE

0.99+

White HouseORGANIZATION

0.99+

LisaPERSON

0.99+

0.5%QUANTITY

0.99+

blog.fortinet.comOTHER

0.99+

Department of JusticeORGANIZATION

0.99+

77QUANTITY

0.99+

USLOCATION

0.99+

World Economic ForumORGANIZATION

0.99+

thirdQUANTITY

0.99+

twoQUANTITY

0.99+

7xQUANTITY

0.99+

this yearDATE

0.99+

five takedownsQUANTITY

0.99+

BothQUANTITY

0.99+

bothQUANTITY

0.99+

less than 1%QUANTITY

0.99+

first timeQUANTITY

0.99+

todayDATE

0.99+

two waysQUANTITY

0.98+

two years agoDATE

0.98+

six months laterDATE

0.98+

about $5 millionQUANTITY

0.98+

two specific examplesQUANTITY

0.98+

Global Threat AlliancesORGANIZATION

0.98+

last DecemberDATE

0.98+

COVID-19OTHER

0.98+

Cyber Crime UnitORGANIZATION

0.98+

Global Threat Landscape ReportTITLE

0.98+

60%QUANTITY

0.97+

over 75%QUANTITY

0.97+

fourth positionQUANTITY

0.97+

four segmentsQUANTITY

0.97+

January of this yearDATE

0.97+

OneQUANTITY

0.97+

two campaignsQUANTITY

0.96+

four organizationsQUANTITY

0.96+

second half of 2021DATE

0.95+

this yearDATE

0.95+

55QUANTITY

0.95+

over a thousand percentQUANTITY

0.94+

EMOTETORGANIZATION

0.94+

each oneQUANTITY

0.93+

ColonialORGANIZATION

0.93+

three-year oldQUANTITY

0.92+

firstQUANTITY

0.91+

half percentageQUANTITY

0.91+

about six monthsQUANTITY

0.9+

June this yearDATE

0.89+

three yearsQUANTITY

0.88+

almost 11 timesQUANTITY

0.87+

up to 70QUANTITY

0.85+

more than 10x increaseQUANTITY

0.83+

first half of 2021DATE

0.83+

seven fold increaseQUANTITY

0.82+

pandemicEVENT

0.82+

Global Threat LandscapeTITLE

0.81+

position oneQUANTITY

0.8+

MiraiORGANIZATION

0.79+

FortinetORGANIZATION

0.79+

80% commissionQUANTITY

0.78+

Derek Manky, Fortinet | CUBEConversation


 

>>Welcome to this cube conversation. I'm Lisa Martin. I'm joined by Derek manky next, the chief security insights and global threat alliances at 40 guard labs. Derek. Welcome back. >>Yeah, it's great to be here again. So then, uh, uh, a lot of stuff's happened since we last talked. >>One of the things that was really surprising from this year's global threat landscape report is a 10 more than 10 X increase in ransomware. What's going on? What have you guys seen? >>Yeah, so, uh, th th this is, is massive. We're talking about a thousand percent over a 10, a 10 X increase. This has been building police. So this, this has been building since, uh, December of 2020 up until then we saw relatively low, uh, high watermark with ransomware. Um, it had taken a hiatus really because cyber criminals were going after COVID-19 lawyers and doing some other things at the time, but we did see us a seven fold increase in December, 2020. That is absolutely continued. Uh, continued this year into a momentum up until today. It continues to build never subsided. Now it's built to this monster, you know, almost 11 times increase from, from what we saw back last December and what the, uh, the reason what's fueling. This is a new verticals that cyber criminals are targeting. We've seen the usual suspects like telecommunication government and, uh, position one and two, but new verticals that have risen up into this, uh, third and fourth position following our MSSP. And this is on the heels of the Casia attack. Of course, that happened in 2021, as well as operational technology. There's actually four segments, there's transportation, uh, automotive manufacturing, and then of course, energy and utility all subsequent to each other. So there's a huge focus now on, on OTA and MSSP for cybercriminals. >>One of the things that we saw last year, this time was that attackers had shifted their focus away from enterprise infrastructure devices, to home networks and consumer grade products. 
And now it looks like they're focusing on both. Are you seeing that? >>Yes, absolutely. I in two ways. So first of all, again, this is a kill chain that we talk about. They have to get a foothold into the infrastructure, and then they can load things like ransomware on there. They can little things like information Steelers as an example, the way they do that is through botnets. And, uh, what we reported in this, um, in the first half of 2021 is that Mariah, which is about a two to three-year old button that now is, is number one by far, it was the most prevalent bond that we've seen. Of course, the thing about Mariah is that it's an IOT based bot net. So it sits on devices, uh, sitting inside a consumer networks as an example, or home networks, right? And that, that can be a big problem. So that's the targets that cyber criminals are using. The other thing that we saw that was interesting was that one in four organizations detected malvertising. >>And so what that means at least, is that cyber criminals are shifting their tactics from going just from cloud-based or centralized email phishing campaigns to a web born threats, right? So they're infecting sites, waterhole attacks, where people would go to read their, their, their daily updates as an example of things that they do as part of their habits. Um, they're getting sent links to these sites that when they go to it, it's actually installing those botnets onto those systems. So they can get a foothold. We've also seen scare tactics, right? So they're doing new social engineering Lewis pretending to be human resource departments, uh, you know, uh, uh, it staff and personnel, as an example, with pop-ups through the web browser that looked like these people to fill out different forms and ultimately get infected on, on a home devices. >>Well, the home device we use is proliferate. It continues because we are still in this work from home work, from anywhere environment. 
Is that when you think a big factor in this increased from seven X to nearly 11 X, >>It is a factor. Absolutely. Yeah. Like I said, it's, it's also, it's a hybrid of sorts. So, so a lot of that activity is going to the MSSP, uh, angle, like I said, uh, to, to the OT. And so to those verticals, which by the way, are actually even larger than traditional targets in the past, like, uh, finance and banking is actually lower than that as an example. So yeah, we are seeing a shift to that. And like I said, that's, that's further, uh, backed up from what we're seeing on with the, the, the, the botnet activity specifically with Veronica too. Are >>You seeing anything in terms of the ferocity? We know that the volume is increasing. Are they becoming more ferocious? These attacks? >>Yeah. Yeah. There, there is. There's a lot of aggression out there, certainly from, from criminals. And I would say that the velocity is increasing, but the amount of, if you look at the cyber criminal ecosystem, the, the stakeholders, right. Um, that is increasing, it's not just one or two campaigns that we're seeing. Again, we're seeing, this has been a record cases here almost every week. We've seen one or two significant, you know, cyber security events that are happening. That is a dramatic shift compared to, to, to last year or even, you know, two years ago too. And this is because, um, because the cyber criminals are getting deeper pockets now, they're, they're becoming more well-funded and they have business partners, affiliates that they're hiring each one of those has their own methodology, and they're getting paid big. We're talking up to 70 to 80% commission, just if they actually successfully, you know, in fact, someone that pays for the ransom as an example. And so that's really, what's driving this too. It's, it's, it's a combination of this kind of perfect storm as we call it. Right. 
You have this growing attack surface and work from home, uh, environments, um, and footholds into those networks. But you have a whole bunch of other people now on the bad side that are orchestrating this and executing the attacks too. >>What can organizations do to start to slow down or limit the impacts of this growing ransomware as a service? >>Yeah, great question. Um, everybody has their role in this, I say, right? So, uh, if we look at, from a strategic point of view, we have to disrupt cyber crime. How do we do that? Um, it starts with the kill chain. It starts with trying to build resilient networks. So things like a ZTE and a zero trust network access, a SD LAN as an example, as an example for producting that land infrastructure on, because that's where the threats are floating to, right? That's how they get the initial footholds. So anything we can do on the, on the, you know, preventative, preventative side, making, uh, networks more resilient, um, also education and training is really key. Things like multi-factor authentication are all key to this because if you build that, uh, uh, preventatively and that's a relatively small investment upfront, Lisa compared to the collateral damage that can happen with these ransomware, it passes, the risk is very high. Um, that goes a long way. It also forces the attackers to it slows down their velocity. It forces them to go back to the drawing board and come up with a new strategy. So that is a very important piece, but there's also things that we're doing in the industry. There's some good news here too, uh, that we can talk about because there's, there's things that we can actually do. Um, apart from that to, to really fight cyber crime, to try to take the cyber criminal cell phone. >>All right. Hit me with the good news Derek. >>Yeah. So, so a couple of things, right. If we look at the bot net activity, there's a couple of interesting things in there. 
Yes, we are seeing Mariah rise to the top right now, but we've seen big problems of the past that have gone away or come back, not as prolific as before. So two specific examples, a motel that was one of the most prolific botnets that was out there for the past two to three years, there is a take-down that happened in January of this year. Uh, it's still on our radar, but immediately after that takedown, it literally dropped to half of the activity. It hadn't before. And it's been consistently staying at that low watermark now had that half percentage since, since that six months later. So that's very good news showing that the actual coordinated efforts that we're getting involved with law enforcement, with our partners and so forth to take down, these are actually hitting their supply chain where it hurts. >>Right. So that's good news part one trick. Bob was another example. This is also a notorious spot net take down attempt in Q4 of 2020. It went offline for about six months. Um, in our landscape report, we actually show that it came back online, uh, in about June this year. But again, it came down, it came back weaker and another form is not nearly as prolific as before. So we are hitting them where it hurts. That's, that's the really good news. And we're able to do that through new, um, what I call high resolution intelligence. >>Talk to me about that high resolution intelligence. What do you mean by that? >>Yeah, so this is cutting edge stuff really gets me excited and keeps, keeps me up at night in a good way. Uh, cause we're, we're looking at this under the microscope, right? It's not just talking about the why we know there's problems out there. We know there's, there's ransomware. We know there's the botnets, all these things, and that's good to know, and we have to know that, but we're able to actually zoom in on this now and look at it. So we, for the first time in the threat landscape report, we've published TTPs, the techniques, tactics procedures. 
So it's not just talking about the, what it's talking about, the how, how are they doing this? What's their preferred method of getting into systems? How are they trying to move from system to system and exactly how are they doing that? What's the technique. And so we've highlighted that it's using the MITRE attack framework TTP, but this is real-time data. >>And it's very interesting. So we're clearly seeing a very heavy focus from cyber criminals and attackers to get around security controls, to do defensive, Asian, to do privilege escalation on systems. So in other words, trying to be common administrator so they can take full control of the system. Uh, as an example, a lateral movement on there's still a preferred over 75%, 77, I believe percent of activity we observed from malware was still trying to move from system to system by infecting removable media like thumb drives. And so it's interesting, right? It's a brand new look on the, these a fresh look, but it's this high resolution is allowing us to get a clear image so that when we come to providing strategic guidance and solutions of defense, and also even working on these, take down that Fritz, it allows us to be much more effective. So >>One of the things that you said in the beginning was we talked about the increase in ransomware from last year to this year. You said, I don't think that we've hit that, that ceiling yet, but are we at an inflection points, the data showing that we're at an inflection point here with being able to get ahead of this? >>Yeah, I, I, I would like to believe so. Um, it, there is still a lot of work to be done. Unfortunately, if we look at, you know, there is a, a recent report put out by the department of justice in the S saying that, you know, the chance of, uh, criminal, uh, to be committing a crime, but to be caught in the U S is somewhere between 55 to 60%, the same chance for a cyber criminal lies less than 1% above 0.5%. And that's the bad news. 
The good news is we are making progress and sending messages back and seeing results. But I think there's a long road ahead. So, um, you know, there there's a lot of work to be done. We're heading in the right direction. But like I said, they say, it's not just about that. It's everyone has, has their role in this all the way down to organizations and end users. If they're doing their part and making their networks more resilient through this, through all the, you know, increasing their security stack and strategy, um, that is also really going to stop the, you know, really ultimately the profiteering, uh, that, that wave, you know, cause that continues to build too. So it's, it's a multi-stakeholder effort and I believe we are, we are getting there, but I continue to still, uh, you know, I continue to expect the ransomware wave to build. In the meantime, >>On the end user front, that's always one of the vectors that we talk about it's people, right? It's there's so there's so much sophistication in these attacks that even security folks and experts are nearly fooled by them. What are some of the things that you're saying that governments are taking action on some recent announcements from the white house, but other organizations like Interpol, the world, economic forum, cyber crime unit, what are some of the things that governments are doing that you're seeing that as really advantageous here for the good guys? >>Yeah, so absolutely. This is all about collaboration. Governments are really focused on public private sector collaboration. Um, so we've seen this across the board, uh, with 40 guard labs, we're on the forefront with this, and it's really exciting to see that it's great. Uh, there, there, there's always been a lot of will work together, but we're starting to see action now. Right. Um, Interpol is a great example. They recently this year held a high level forum on ransomware. I was actually spoken was part of that forum as well too. 
And the takeaways from that event were that we, this was a message to the world, that public private sector we need. They actually called ransomware a pandemic, which is what I've referred to it as before in itself as well too, because it is becoming that much of a problem and that we need to work together to be able to create action, action action against this measure, success become more strategic. >>The world economic forum, uh, were, were, uh, leading a project called the partnership against cyber crime threat map project. And this is to identify not just all this stuff we talked about in the threat landscape report, but also looking at, um, you know, things like how many different ransomware gangs are there out there. Uh, what are their money laundering networks look like? It's that side of the side of the supply chains of apple so that we can work together to actually take down those efforts. But it really is about this collaborative action that's happening and it's, um, innovation and there's R and D behind this as well. That's coming to the table to be able to make, you know, make it impactful. >>So it sounds to me like ransomware is no longer a for any organization in any, any industry you were talking about the expansion of verticals, it's no longer a, if this happens to us, but a matter of when and how do we actually prepare to remediate prevent any damage? Yeah, >>Absolutely. How do we prepare? The other thing is that there's a lot of, um, you know, with just the nature of, of, of cyber, there's a lot of, uh, connectivity. There's a lot of different, uh, it's not just always siloed attacks. Right? We saw that with colonial obviously this year where you have the talks on, on it that can affect consumers right now to consumers. Right. And so for that very reason, um, everybody's infected in this, uh, it, it truly is a pandemic, I believe on its own. 
Uh, but the good news is there's a lot of smart people, uh, on the good side and, you know, that's what gets me excited. Like I said, we're working with a lot of these initiatives and like I said, some of those examples I called up before, we're actually starting to see measurable progress against this as well. >>That's good. Well, never adult day, I'm sure. In your world, any thing that you think when we talk about this again, in a few more months of the second half of 2021, anything that, that you predict crystal ball wise that we're going to see? >>Yeah. I think that we're going to continue to see more of the, I mean, ransomware, absolutely. More of the targeted attacks. That's been a shift this year that we've seen. Right. So instead of just trying to infect everybody for ransom, but as an example of going after some of these new, um, you know, high profile targets, I think we're going to continue to see that happening from there. Add some more side on, on, and because of that, the average costs of these data breaches, I think they're going to continue to increase. Um, they had already did, uh, in, uh, 20, uh, 2021, as an example, if we look at the cost of the data breach report, it's gone up to about $5 million us on average, I think that's going to continue to increase as well too. And then the other thing too, is I think that we're going to start to see more, um, more, more action on the good side. Like we talked about, there was already a record amount of take downs that have happened five take downs that happened in January. Um, there were, uh, arrests made to these business partners that was also new. So I'm expecting to see a lot more of that coming out, uh, uh, towards the end of the year, too. >>So as the challenges persist, so do the good things that are coming out of this. They're working folks go to get this first half 2021 global threat landscape. What's the URL that they can go to. 
>>Yeah, you can check it all, all of our updates and blogs, including the threat landscape reports on blog about 40 nine.com under our threat research category. >>Excellent. I read that blog. It's fantastic. Derek, always a pleasure to talk to you. Thanks for breaking this down for us showing what's going on. Both the challenging things, as well as the good news. I look forward to our next conversation. >>Absolutely. It's great. Chatting with you again, Lisa. Thanks. >>Likewise for Derek manky. I'm Lisa Martin. You're watching this cube conversation.

Published Date : Aug 31 2021


Derek Manky, FortiGuard Labs | CUBE Conversation 2021


 

(upbeat music) >> Welcome to this CUBE conversation. I am Lisa Martin, excited to welcome back one of our distinguished alumni, Derek Manky joins me next. Chief Security Insights and Global Threat Alliances at Fortinet's FortiGuard Labs. Derek, welcome back to the program. >> Yes, it's great to be here and great to see you again, Lisa. Thanks for having me. >> Likewise, yeah, so a lot has happened. I know we've seen you during this virtual world, but so much has happened with ransomware in the last year. It's unbelievable, we had this dramatic shift to a distributed workforce, you had personal devices on in network perimeters and non-trusted devices or trusted devices on home networks and lots of change there. Talk to me about some of the things that you and FortiGuard Labs have seen with respect to the evolution of ransomware. >> Yeah, sure, so it's becoming worse, no doubt. We highlighted this in our Threat Landscape Report. If we just take a step back looking at ransomware itself, it actually started in the late 1980s. And it didn't, that was very, they relied on snail mail. It was obviously there was no market for it at the time. It was just a proof of concept, a failed experiment if you will. But it really started getting hot a decade ago, 10 years ago but the technology back then wasn't the cryptography they're using, the technique wasn't as strong, was easily reversed. And so they didn't really get to a lot of revenue or business from the cyber criminal perspective. That is absolutely not the case today. Now they have very smart cryptography, they're experts when say they, the cyber criminals, at their game. They know there's a lot of the attack surfaces growing. There's a lot of vulnerable people out there. There's a lot of vulnerable devices. And this is what we saw in our threat landscape report. What we saw was a seven times increase in ransomware activity in the second half of 2020. And that momentum is continuing in 2021. 
It's being fueled by what you just talked about. By the work from anywhere, work from home environment a lot of vulnerable devices unpatched. And these are the vehicles that the ransomware is the payload of course, that's the way that they're monetizing this. But the reality is that the attack surface has expanded, there's more vulnerable people and cyber criminals are absolutely capitalizing on that. >> Right, we've even seen cyber criminals capitalizing on the pandemic fears with things that were around the World Health Organization or COVID-19 or going after healthcare. Did you see an uptick in healthcare threats and activities as well in the last year? >> Yeah, definitely, so I would start to say that first of all, the... Nobody is immune when it comes to ransomware. This is such again, a hot target or a technique that the cybercriminals are using. So when we look at the verticals, absolutely healthcare is in the top five that we've seen, but the key difference is there's two houses here, right? You have what we call the broad blanketed ransomware attacks. So these aren't going after any particular vertical. They're really just trying to spray as much as they can through phishing campaigns, not through... there's a lot of web traffic out there. We see a lot of things that are used to open playing on that COVID-19 theme we got, right? Emails from HR or taxes and scams. It's all related to ransomware because these are how they're trying to get the masses to open that up, pay some data sorry, pay some cryptocurrency to get access to their data back. Oftentimes they're being held for extortions. They may have photos or video or audio captures. So it's a lot of fear they're trying to steal these people but probably the more concern is just what you talked about, healthcare, operational technology. These are large business revenue streams. 
These are the cases of targeted ransoms which is much different because instead of a big volumetric attack, these are premeditated. They're going after with specific targets in mind, specific social engineering rules. And they know that they're hitting the corporate assets or in the case of healthcare critical systems where it hurts, they know that there's high stakes and so they're demanding high returns in terms of ransoms as well. >> With respect to the broad ransomware attacks versus targeted, a couple of questions to kind of dissect that. Are the targeted attacks, are they in like behind the network firewall longer and faster, longer and getting more information? Are they demanding higher ransom versus the broader attacks? What's what are some of the distinctions there besides what you mentioned? >> Yeah, absolutely so the targeted attacks are more about execution, right? So if we look at the attack chain and they're doing more in terms of reconnaissance, they're spending more cycles and investment really on their end in terms of weaponization, how they can actually get into the system, how they can remain undetected, collecting and gathering information. What we're seeing with groups like Ragnar Locker as an example, they're going in and they're collecting in some cases, terabytes of information, a lot, they're going after definitely intellectual property, things like source code, also PII for customers as an example, and they're holding them. They have a whole business strategy and plan in mind on their place, right? They hold them for ransom. They're often, it's essentially a denial of service in some cases of taking a revenue stream or applications offline so a business can't function. And then what they're doing is that they're actually setting up crime services on their end. 
They, a lot of the the newest ransom notes that we're seeing in these targeted attacks are setting up channels to what they call a live chat support channel that the victim would log into and actually talk directly live to the cybercriminal or one of their associates to be able to negotiate the ransom. And they're trying to have in their point of view they're trying frame this as a good thing and say, we're going to show you that our technology works. We can decrypt some of the files on your system as an example just to prove that we are who we say we are but then they go on to say, instead of $10 million, we can negotiate down to 6 million, this is a good deal, you're getting 30% off or whatever it is but the fact is that they know by the time they've gotten to this they've done all their homework before that, right? They've done the targets, they've done all the things that they can to know that they have the organization in their grasp, right? >> One of the things that you mentioned just something I never thought about as ransomware as a business, the sophistication level is just growing and growing and growing and growing. And of course, even other bad actors, they have access to all the emerging technologies that the good guys do. But talk to me about this business of ransomware because that's what it seems like it really has become. >> Absolutely, it is massively sad. If you look at the cybercrime ecosystem like the way that they're actually pulling this off it's not just one individual or one cyber crime ring that, let's say five to 10 people that are trying to orchestrate this. These are big rings, we actually work closely as an example to, we're doing everything from the FortiGuard Labs with following the latest ransomware trends doing the protection and mitigation but also working to find out who these people are, what are their tactics and really attribute it and paint a picture of these organizations. 
And they're big, we worked on some cases where there's over 50 people just in one ransomware gang. One of the cases we worked on, they were making over $60 million US in three months, as an example. And in some cases, keep in mind one of these targeted attacks like in terms of ransom demands and the targeted cases they can be an excess of $10 million just for one ransom attack. And like I said, we're seeing a seven times increase in the amount of attack activity. And what they're doing in terms of the business is they've set up affiliate marketing. Essentially, they have affiliates in the middle that will actually distribute the ransomware. So they're basically outsourcing this to other individuals. If they hit people with their ransomware and the people pay then the affiliate in the middle will actually get a commission cut of that, very high, typically 40 to 50%. And that's really what's making this lucrative business model too. >> Wow, My jaw is dropping just the sophistication but also the different levels to which they've put a business together. And unfortunately, for every industry it sounds very lucrative, so how then Derek do organizations protect themselves against this, especially knowing that a lot of this work from home stuff is going to persist. Some people want to stay home, what not. The proliferation of devices is only going to continue. So what are organizations start and how can you guys help? >> Start with the people, so we'll talk about three things, people, technology and processes. The people, unfortunately, this is not just about ransomware but definitely applies to ransomware but any attack, humans are still often the weakest link in terms of education, right? A lot of these ransomware campaigns will be going after people using nowadays seems like tax themes purporting to be from the IRS as an example or human resources departments or governments and health authorities, vaccination scams all these things, right? 
But what they're trying to do is to get people to click on that link, still to open up a malicious attachment that will then infect them with the ransomware. This of course, if an employee is up to date and hones their skills so that they know basically a zero trust mentality is what I like to talk about. You wouldn't just invite a stranger into your house to open a package that you didn't order but people are doing this a lot of the times with email. So really starting with the people first is important. There's a lot of free training in information security. There is awareness training, we offer that at Fortinet. There's even advanced training we do through our NSE program as an example. But then on top of that there's things like phishing tests that you can do regularly, penetration testing as well, exercises like that are very important because that is really the first line of defense. Moving past that you want to get into the technology piece. And of course, there's a whole, this is a security fabric. There's a whole array of solutions. Like I said, everything needs to be integrated. So we have an EDR and XDR as an example sitting on the end point, cause oftentimes they still need to get that ransomware payload to run on the end point. So having a technology like EDR goes a long way to be able to detect the threat, quarantine and block it. There's also of course multi-factor authentication when it comes to identifying who's connecting to these environments. Patch management, we talk about all the time. That's part of the technology piece. The reality is that we highlight in the threat landscape report the software vulnerabilities that these ransomware gangs are going after are two to three years old. They're not breaking in within the last month, they're two to three years old. So it's still about the patch management cycle, having that holistic integrated security architecture and the fabric is really important. 
NAC network access control is zero trust, network access is really important as well. One of the biggest culprits we're seeing with these ransom attacks is using IOT devices as launchpads as an example into networks 'cause they're in these work from home environments and there's a lot of unsecured or uninspected devices sitting on those networks. Finally process, right? So it's always good to have it all in your defense plan training and education, technology for mitigation but then also thinking about the what if scenario, right? So incident response planning, what do we do if we get hit? Of course we never recommend to pay the ransom. So it's good to have a plan in place. It's good to identify what your corporate assets are and the likely targets that cyber-criminals are going to go after and make sure that you have rigid security controls and threat intelligence like FortiGuard Labs applied to that. >> Yeah, you talk about the weakest link they are people I know you and I talked about that on numerous segments. It's one of the biggest challenges but I've seen some people that are really experts in security read a phishing email and almost fall for it. Like it looked so legitimately from like their bank for example. So in that case, what are some of the things that businesses can do when it looks so legitimate that it probably is going to have a unfortunately a good conversion rate? >> Yeah, so this is what I was talking about earlier that these targeted attacks especially when it comes to spear, when it comes to the reconnaissance they got so clever, it can be can so realistic. That's the, it becomes a very effective weapon. That's why the sophistication and the risk is rising like I said but that's why you want to have this multilayered approach, right? 
So if that first line of defense does yield, if they do click on the link, if they do try to open the malicious attachment, first of all again through the next generation firewall Sandboxing solutions like that, this technology is capable of inspecting that, acting like is this, we even have a FortiAI as an example, artificial intelligence, machine learning that can actually scan this events and know is this actually an attack? So that element goes a long way to actually scrub it like content CDR as well, content disarm as an example this is a way to actually scrub that content. So it doesn't actually run it in the first place but if it does run again, this is where EDR comes in like I said, at the end of the day they're also trying to get information out of the network. So having things like a Platinum Protection through the next generation firewall like with FortiGuard security subscription services is really important too. So it's all about that layered approach. You don't want just one single point of failure. You really want it, this is what we call the attack chain and the kill chain. There's no magic bullet when it comes to attackers moving, they have to go through a lot of phases to reach their end game. So having that layer of defense approach and blocking it at any one of those phases. So even if that human does click on it you're still mitigating the attack and protecting the damage. Keep in mind a lot of damages in some cases kind of a million dollars plus. >> Right, is that the average ransom, 10 million US dollars. >> So the average cost of data breaches that we're seeing which are often related to ransom attacks is close to that in the US, I believe it's around just under $9 million about 8.7 million, just for one data breach. 
And often those data breaches now, again what's happening is that the data it's not just about encrypting the data, getting access because a lot of organizations part of the technology piece and the process that we recommend is backups as well of data. I would say, organizations are getting better at that now but it's one thing to back up your data. But if that data is breached again, cybercriminals are now moving to this model of extorting that saying, unless you pay us this money we're going to go out and make this public. We're going to put it on paste and we're going to sell it to nefarious people on the dark web as well. >> One more thing I want to ask you in terms of proliferation we talked about the distributed workforce but one of the things, and here we are using Zoom to talk to each other, instead of getting to sit together in person we saw this massive proliferation in collaboration tools to keep people connected, families businesses. I talked a bit a lot of businesses who initially will say, oh we're using Microsoft 365 and they're protecting the data while they're not or Salesforce or Slack. And that shared responsibility model is something that I've been hearing a lot more about lately that businesses needing to recognize for those cloud applications that we're using and in which there's a lot of data traversing it could include PII or IP. We're responsible for that as the customer to protect our data, the vendor's responsible for protecting the integrity of the infrastructure. Share it with us a little bit about that in terms of your thoughts on like data protection and backup for those SaaS applications. >> Yeah, great question, great question tough one. It is so, I mean ultimately everybody has to have, I believe it has to have their position in this. It's not, it is a collaborative environment. 
Everyone has to be a stakeholder in this even down to the end users, the employees being educated and up-to-date as an example, the IT departments and security operation centers of vendors being able to do all the threat intelligence and scrubbing. But then when you extend that to the public cloud what is the cloud security stack look at, right? How integrated is that? Are there scrubbing and protection controls sitting on the cloud environments? What data is being sent to that, should it be cited center as an example? what's the retention period? How long does the data live on there? It's the same thing as when you go out and you buy one of these IOT devices as an example from say, a big box store and you go and just plug it into your network. It's the same questions we should be asking, right? What's the security like on this device model? Who's making it, what data is it going to ask for me? The same thing when you're installing an application on your mobile phone, this is what I mean about that zero trust environment. It should be earned trust. So it's a big thing, right? To be able to ask those questions and then only do it on a sort of need to know and medium basis. The good news is that a lot of CloudStack now and environments are integrating security controls. We integrated quite well with Fortinet as an example but this is an issue of supply chain. It's really important to know what lives upstream and how they're handling the data and how they're protecting it absolutely. >> Such interesting information and it's a topic ransomware that we could continue talking about, Derek, thank you for joining me on the program today updating us on what's going on, how it's evolving and ultimately what organizations in any industry need to do with protecting people and technology and processes to really start reducing their risks. I thank you so much for joining me today. >> All right it's a pleasure, thank you. >> Likewise Derek Manky I'm Lisa Martin. 
You're watching this CUBE conversation. (upbeat music)
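One practical takeaway from the conversation above is the point about patch management: the vulnerabilities these crews exploit are typically two to three years old, so a remediation queue sorted by CVSS or by newest advisory can leave exactly the wrong bugs open. The script below is an added example for this page, not code from the interview, from Fortinet or from FortiGuard Labs. It assumes a simple inventory record of my own design (host, finding id, date the vulnerability was published, patched flag), and the sample records are constructed with placeholder ids rather than real CVE numbers; the two-year default threshold is taken from the interview's observation.

```python
"""Patch-age triage over a vulnerability inventory.

Added example; not code from the interview, Fortinet or FortiGuard Labs.
The record layout below is an assumption, and the sample data is constructed
with placeholder identifiers (EX-YYYY-NNN), not real CVE ids.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str      # placeholder identifier, not a real CVE
    published: date   # assumed field: date the vulnerability was disclosed
    patched: bool


# Constructed sample inventory, shaped like a parsed scanner export.
SAMPLE = [
    Finding("vpn-gw-1",    "EX-2018-001", date(2018, 5, 1),   False),
    Finding("vpn-gw-1",    "EX-2018-006", date(2018, 12, 1),  False),
    Finding("vpn-gw-1",    "EX-2021-002", date(2021, 3, 15),  False),
    Finding("file-srv-2",  "EX-2019-003", date(2019, 2, 20),  False),
    Finding("file-srv-2",  "EX-2019-007", date(2019, 9, 1),   False),
    Finding("cam-iot-7",   "EX-2017-004", date(2017, 9, 9),   False),
    Finding("hr-laptop-9", "EX-2018-005", date(2018, 11, 30), True),
]

# Reference date for the sample run: the publication date of this interview.
AS_OF = date(2021, 5, 3)


def age_in_days(published: date, today: date) -> int:
    """Days elapsed since the vulnerability was published, as of `today`."""
    return (today - published).days


def triage(findings, today: date, min_age_years: float = 2.0):
    """Unpatched findings at least `min_age_years` old, oldest first.

    The two-year default follows the interview's point that the bugs being
    exploited are commonly two to three years old: these are the ones to
    close first, regardless of how new the latest advisory in the feed is.
    """
    cutoff_days = int(min_age_years * 365.25)
    stale = [
        f for f in findings
        if not f.patched and age_in_days(f.published, today) >= cutoff_days
    ]
    return sorted(stale, key=lambda f: (f.published, f.host, f.vuln_id))


def stale_count_by_host(findings, today: date, min_age_years: float = 2.0):
    """Number of stale, unpatched findings per host, to order remediation work."""
    counts = {}
    for f in triage(findings, today, min_age_years):
        counts[f.host] = counts.get(f.host, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE, AS_OF):
        days = age_in_days(f.published, AS_OF)
        print(f"{f.host:12} {f.vuln_id}  {days:5d} days unpatched")
    print(stale_count_by_host(SAMPLE, AS_OF))
```

Run as-is it lists the four findings older than two years, oldest first, and the per-host counts put the VPN gateway at the top of the queue. The recent finding on the same gateway and the 20-month-old one on the file server drop out of the stale list, which is the intended behaviour: they still need patching, but the speaker's point is that the older ones are what the attackers are actually using.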

Published Date : May 3 2021


NAC network access control is zero trust, network access is really important as well. One of the biggest culprits we're seeing with these ransom attacks is using IOT devices as launchpads as an example into networks 'cause they're in these work from home environments and there's a lot of unsecured or uninspected devices sitting on those networks. Finally process, right? So it's always good to have it all in your defense plan training and education, technology for mitigation but then also thinking about the what if scenario, right? So incident response planning, what do we do if we get hit? Of course we never recommend to pay the ransom. So it's good to have a plan in place. It's good to identify what your corporate assets are and the likely targets that cyber-criminals are going to go after and make sure that you have rigid security controls and threat intelligence like FortiGuard Labs applied to that. >> Yeah, you talk about the weakest link they are people I know you and I talked about that on numerous segments. It's one of the biggest challenges but I've seen some people that are really experts in security read a phishing email and almost fall for it. Like it looked so legitimately from like their bank for example. So in that case, what are some of the things that businesses can do when it looks so legitimate that it probably is going to have a unfortunately a good conversion rate? >> Yeah, so this is what I was talking about earlier that these targeted attacks especially when it comes to spear, when it comes to the reconnaissance they got so clever, it can be can so realistic. That's the, it becomes a very effective weapon. That's why the sophistication and the risk is rising like I said but that's why you want to have this multilayered approach, right? 
So if that first line of defense does yield, if they do click on the link, if they do try to open the malicious attachment, first of all again through the next generation firewall Sandboxing solutions like that, this technology is capable of inspecting that, acting like is this, we even have a FortiAI as an example, artificial intelligence, machine learning that can actually scan this events and know is this actually an attack? So that element goes a long way to actually scrub it like content CDR as well, content disarm as an example this is a way to actually scrub that content. So it doesn't actually run it in the first place but if it does run again, this is where EDR comes in like I said, at the end of the day they're also trying to get information out of the network. So having things like a Platinum Protection through the next generation firewall like with FortiGuard security subscription services is really important too. So it's all about that layered approach. You don't want just one single point of failure. You really want it, this is what we call the attack chain and the kill chain. There's no magic bullet when it comes to attackers moving, they have to go through a lot of phases to reach their end game. So having that layer of defense approach and blocking it at any one of those phases. So even if that human does click on it you're still mitigating the attack and protecting the damage. Keep in mind a lot of damages in some cases kind of a million dollars plus. >> Right, is that the average ransom, 10 million US dollars. >> So the average cost of data breaches ever seen which are often related to ransom attacks is close to that in the US, I believe it's around just under $9 million about 8.7 million, just for one data breach. 
And often those data breaches now, again what's happening is that the data it's not just about encrypting the data, getting access because a lot of organizations part of the technology piece and the process that we recommend is backups as well of data. I would say, organizations are getting better at that now but it's one thing to back up your data. But if that data is breached again, cybercriminals are now moving to this model of extorting that saying, unless you pay us this money we're going to go out and make this public. We're going to put it on piece and we're going to sell it to nefarious people on the dark web as well. >> One more thing I want to ask you in terms of proliferation we talked about the distributed workforce but one of the things, and here we are using Zoom to talk to each other, instead of getting to sit together in person we saw this massive proliferation in collaboration tools to keep people connected, families businesses. I talked a bit a lot of businesses who initially will say, oh we're using Microsoft 365 and they're protecting the data while they're not or Salesforce or Slack. And that shared responsibility model is something that I've been hearing a lot more about lately that businesses needing to recognize for those cloud applications that we're using and in which there's a lot of data traversing it could include PII or IP. We're responsible for that as the customer to protect our data, the vendor's responsible for protecting the integrity of the infrastructure. Share it with us a little bit about that in terms of your thoughts on like data protection and backup for those SaaS applications. >> Yeah, great question, great question tough one. It is so, I mean ultimately everybody has to have, I believe it has to have their position in this. It's not, it is a collaborative environment. 
Everyone has to be a stakeholder in this even down to the end users, the employees being educated and up-to-date as an example, the IT departments and security operation centers of vendors being able to do all the threat intelligence and scrubbing. But then when you extend that to the public cloud what is the cloud security stack look at, right? How integrated is that? Are there scrubbing and protection controls sitting on the cloud environments? What data is being sent to that, should it be cited center as an example? what's the retention period? How long does the data live on there? It's the same thing as when you go out and you buy one of these IOT devices as an example from say, a big box store and you go and just plug it into your network. It's the same questions we should be asking, right? What's the security like on this device model? Who's making it, what data is it going to ask for me? The same thing when you're installing an application on your mobile phone, this is what I mean about that zero trust environment. It should be earned trust. So it's a big thing, right? To be able to ask those questions and then only do it on a sort of need to know and medium basis. The good news is that a lot of CloudStack now and environments are integrating security controls. We integrated quite well with Fortinet as an example but this is an issue of supply chain. It's really important to know what lives upstream and how they're handling the data and how they're protecting it absolutely. >> Such interesting information and it's a topic ransomware that we could continue talking about, Derek, thank you for joining me on the program today updating us on what's going on, how it's evolving and ultimately what organizations in any industry need to do with protecting people and technology and processes to really start reducing their risks. I thank you so much for joining me today. >> All right it's a pleasure, thank you. >> Likewise Derek Manky I'm Lisa Martin. 
You're watching this CUBE conversation. (upbeat music)

Published Date : Apr 30 2021


Derek Manky Chief, Security Insights & Global Threat Alliances at Fortinet's FortiGuard Labs


 

>> As we've been reporting, the pandemic has caused CSOs to really shift their spending priorities towards securing remote workers, almost overnight. Zero trust has gone from buzzword to mandate. What's more, as we wrote in our recent cybersecurity Breaking Analysis, not only must CSOs protect an increasingly distributed workforce, but now they have to be wary of software updates in the digital supply chain, including the very patches designed to protect them against cyber attacks. Hello everyone, and welcome to this CUBE conversation. My name is Dave Vellante and I'm pleased to welcome Derek Manky, who's chief security insights and global threat alliances for FortiGuard Labs, with fresh data from its Global Threat Landscape Report. Derek, welcome. Great to see you.

>> Thanks so much for the invitation to speak. It's always a pleasure.

>> You're welcome. So first I wonder if you could explain for the audience, what is FortiGuard Labs and what's its relationship to Fortinet?

>> Right. So FortiGuard Labs is our global SOC, our global threat intelligence operation center. It never sleeps, and this is the beat. It's been here since inception at Fortinet, so it's 20, 21 years in the making, since Fortinet was founded. We have built this in-house, so we don't go OEM technology. We built everything from the ground up, including creating our own training programs for our analysts. We're following malware, following exploits. We even have a unique program that I created back in 2006, an ethical hacking program, and it's zero-day research. So we try to meet the hackers, the bad guys, at their game. And we of course do that responsibly, to work with vendors to close holes and create virtual patches. But, you know, so it's everything from customer protection first and foremost, to following the threat landscape and cybercrime. It's very important to understand who they are, what they're doing, what they're targeting, what tools they're using.

>> Yeah, that's great. Some serious DNA and skills in that group. And it's critical because, like you said, you can minimize the spread of that malware very, very quickly. So now you have the Global Threat Landscape Report. We're going to talk about that, but what exactly is that?

>> Right. So the Global Threat Landscape Report, it's a summary of all the data that we collect over a period of time. So we release this biannually, two times a year. Cybercrime is changing very fast, as you can imagine. So while we do release security blogs and what we call threat signals for breaking security events, we have a lot of other vehicles to release threat intelligence, but this threat landscape report is truly global. It looks at all of our global data. So we have over 5 million sensors worldwide in FortiGuard Labs; we're processing, I know it seems like a very large amount, but north of a hundred billion threat events in just one day. And we have to take the task of taking all of that data, putting that onto scale for half a year and compiling that into something that is digestible. That's a very tough task, as you can imagine, so we have to work with huge technologies, back to machine learning and artificial intelligence, automation, and of course our analyst view to do that.

>> Yeah. So this year, of course, every year is a battle, but this year was an extra battle. Can you explain what you saw in terms of the hacker dynamics over the past, let's say, 12 months? I know you do this twice a year, but what trends did you see evolving throughout the year, and what have you seen with the way that attackers have exploited this expanded attack surface outside of the corporate network?

>> Yeah, it was quite interesting last year. It certainly was not normal, like we all say, and that was no exception for cybersecurity. You know, if we look at cybercriminals and how they pivoted and adapted to the threat landscape, cybercriminals are always trying to take advantage of the weakest link of the chain. They're always trying to prey off fear and ride waves of global trends and themes. We've seen this before in natural disasters as an example, you know, trying to do charity kind of scams and campaigns. And they're usually limited to a region where that incident happened, and they usually live about two to three weeks, maybe a month at the most. And then they'll move on to the next theme that's breaking. Of course, because COVID is so global and dominant, we saw attacks coming in from well over 40 different languages as an example, in regions all across the world, that weren't lasting two to three weeks; it lasted for the better part of a year. And of course, they're using this as a vehicle, right? Preying on the fear. They're doing everything from initial lockdown phishing, where as COVID-19 moved, to layoff notices, then to phase one reopenings, all the way up to, fast forward to where we are today, with vaccine rollout development. So there's always that new flavor and theme that they were rolling out, but because it was so successful for them, they didn't have to innovate too much, right. They didn't have to expand and shift to new trends and themes, or really develop new ransomware families as an example, or new sophisticated malware. That was the first half of the year. In the second half of the year, of course, people started to experience COVID fatigue, right? People started to become, we did a lot of education around this, people started to become more aware of this threat. And so cybercriminals, as we expected, started to become more sophisticated with their attacks. We saw an expansion in different ransomware families. We saw more of a shift of focus on targeting the digital supply chain as an example. And so that was really towards Q4. So it was a long-lived year with success on the COVID themes, targeting healthcare as an example, a lot of the organizations that were, you know, really in a vulnerable position, I would say.

>> So, okay, I want to clarify something, because my assumption was that they actually did really increase the sophistication, but it sounds like that was kind of a first half trend. Not only did they have to adapt, and not have to, but they adapted to these new vulnerabilities. My sense was that when you talk about the digital supply chain, that that was a fairly sophisticated attack. Am I getting that right, that they did their increased sophistication in the first half and then they sort of deployed it? What actually happened there, from your data?

>> Well, if we look at, so generally there's two types of attacks that we look at. We look at the premeditated, sophisticated attacks that can have a lot of ramp-up work on their end, a lot of time developing the weaponization phase. So developing the exploits, the sophisticated malware that they're going to use for the campaign, reconnaissance, understanding the targets, what platforms are deployed, the blueprinting, that DNA of the supply chain. Those take time, in fact years. Even if we look back to 10 plus years ago with the Stuxnet attacks as an example, that was on nuclear centrifuges, and that had four different zero-day weapons at the time. That was very sophisticated; that took over two years to develop as an example. So some of these can take years of time to develop, but they're very specific in terms of the targets they're going to go after, obviously the ROI from their end. The other type of attack that we see is ongoing: these broad, wide-sweeping attacks, and the reality for those ones is they don't, unfortunately, need to be too sophisticated. And those ones were the ones I was talking about that were really just playing on the COVID theme, and they still do today with the vaccine rollout and development. But it's really because they're just playing on social engineering, using topical themes. And in fact, the weapons they're using, these vulnerabilities, from our research data, and this was highlighted actually in the threat landscape report before last year, on average were two to three years old. So we're not talking about fresh vulnerabilities you've got to patch right away. I mean, these are things that should have been patched two years ago, but they're still, unfortunately, having success with that.

>> So you mentioned Stuxnet as the former sort of example of one of the types of attacks that you see. And I always felt like that was a watershed moment, one of the most sophisticated, if not the most sophisticated, attack that we'd ever seen. When I talk to CSOs about the recent government hack, they suggest, I infer, maybe they don't suggest it, I infer, that it was of similar sophistication. It was maybe thousands of people working on this for years and years and years. Is that accurate, or not necessarily?

>> Yeah, there's definitely some comparisons there. You know, one of the largest things is both attacks used digital certificate impersonation, so they're digitally signed. So, you know, of course that whole technology using cryptography is designed, by design, to say that this piece of software installed in your system has this certificate, it's coming from the source, it's legitimate. Of course, if that's compromised, that's all out of the window. And yeah, this is what we saw in both attacks. In fact, Stuxnet also had digitally signed certificates that were compromised. So when it gets to that level of sophistication, that means definitely that there's a target, that there has been usually months of homework done by cybercriminals for reconnaissance to be able to weaponize that.

>> What did you see with respect to ransomware? What were the trends there over the past 12 months? I've heard some data and it's pretty scary, but what did you see?

>> Yeah, so ransomware is always the thorn in our side, and it's going to continue to be so. You know, in fact, ransomware is not new itself. It was actually first created in 1989, and they demanded ransom payments through snail mail. This was to a PO box. Obviously that didn't take off; it wasn't successful, the internet was just being born at the time. But if you look at it now, of course, over the last 10 years, really, that's where the ransomware model has been lucrative, right? I mean, it's been by force encrypting data on systems so that users were forced to pay the ransom because they wanted access to their data back. Data was the target currency for ransomware. That's shifted now, and that's actually been a big pivot over the last year or so, because again, before it was this: let's cast a wide net, infect as many people as we can at random, and try to see if we can hold some of their data for ransom. Some people, that data may be valuable, it may not be valuable. And that model still exists, and we see that, but really the big shift that we saw last year in the threat landscape report was a shift to targeted ransom. So again, the sophistication is starting to rise, because they're not just going out to random data. They're going out to data that they know is valuable to large organizations, and they're taking that a step further now. So there's various ransomware families we saw that have now reverted to extortion and blackmail, right? So they're taking that data, encrypting it and saying, unless you pay us a large sum of money, we're going to release this to the public or sell it to a buyer on the dark web. And of course you can imagine the amount of damages that can happen from that. The other thing we're seeing is a target of going after revenue services, right? So if they can cripple networks, it's essentially a denial of service. They know that the company is going to be bleeding, you know, X millions of dollars a day, so they can demand Y million dollars of ransom payments, and that's effectively what's happening. So it's, again, becoming more targeted and more sophisticated. And unfortunately the ransom is going up.

>> So they go to where the money is. And of course your job is to lower the ROI for them, a constant challenge. We talked about some of the attack vectors that you saw this year that cybercriminals are targeting. I wonder if, you know, given the work from home, things like IoT devices and cameras and thermostats, with 75% of the workforce at home, is this infrastructure more vulnerable? I guess, of course it is. But what did you see there in terms of attacks on those devices?

>> Yeah, so unfortunately the attack surface, as we call it, so the amount of target points, is expanding. It's not shifting, it's expanding. We still see, as I mentioned earlier, vulnerabilities from two years ago that are being used. In some cases, you know, over the holidays, with e-commerce, we saw e-commerce heavily under attack. E-commerce has spiked since last summer, right; it's been a huge amount of traffic increase, everybody's shopping from home. And those vulnerabilities going after shopping cart plugins, as an example, are five to six years old. So we still have this theme of old vulnerabilities that are still new, in a sense, being attacked. But we're also now seeing this complication of, yeah, as you said, IoT being rolled out everywhere, the really quick shift to work from home. We really have to treat this as the distributed branch model for enterprise, right? And it's really now the secure branch. How do we take any of these devices on those networks and secure them? Because yeah, if you look at what we highlighted in our landscape report and the top 10 attacks that we're seeing, so hacking attacks, hacking attempts, this is what our IPS triggers. You know, we're seeing attempts to go after IoT devices. Right now they're mostly favoring, well in terms of targets, consumer grade routers. But they're also looking at DVR devices as an example for home entertainment systems, network attached storage as well, and IP security cameras, some of the newer devices, what, the quote unquote smart devices that are now on, you know, virtual assistants and home networks. We actually released a predictions piece at the end of last year as well. So this is what we call the new intelligent edge. And that's what I think we're really going to see this year in terms of what's ahead, 'cause we always have to look ahead and prepare for that. But yeah, right now, unfortunately, the story is all of this is still happening. IoT is being targeted. Of course they're being targeted because they're easy targets. For cybercriminals, it's like shooting fish in a barrel. There's not just one, but there's multiple vulnerabilities, security holes associated with these devices, easy entry points into networks.

>> I mean, attackers, they're highly capable. They're organized, they're well-funded, they move fast, they're agile, and they follow the money. As we were saying, you mentioned, you know, COVID vaccines and big pharma, healthcare. Where did you see advanced persistent threat groups really targeting? Were there any patterns that emerged in terms of other industry types or organizations being targeted?

>> Yeah. So just to be clear again, when we talk about APT teams, advanced persistent threat groups, the groups themselves are targeting, these are usually the more sophisticated groups, of course. So going back to that theme, these are usually the premeditated targeted attacks, usually points to nation state. Sometimes of course there's overlap. They can be affiliated with cybercrime; cybercrime groups are typically looking at some other targets for ROI, but there's a blend, right? So as an example, if we're looking at the APT groups last year, absolutely number one I would say would be healthcare. Healthcare was one of those, and it's very unfortunate, but obviously with the shift that was happening, pop-up medical facilities, there was a big rush to change networks, for a good cause of course, but with that came security holes and concerns, the targets, and that's what we saw APT groups targeting, going after those, and ransomware and the cybercrime trend followed as well, right? Because if you can follow those critical networks and cripple them, from cybercriminals' point of view, you can expect them to pay the ransom, because they think that they need to in order to get those systems back online. In fact, last year, unfortunately, we saw the first death that was caused because of a denial of service attack in healthcare, right? Facilities weren't available because of the cyber attack. Patients had to be diverted and didn't make it on the way.

>> All right, Derek, I'm sufficiently bummed out. So maybe in the time remaining, we can talk about remediation strategies. You know, we know there's no silver bullet in security, but what approaches are you recommending for organizations? How are you consulting with folks?

>> Sure. Yeah. So a couple of things. Good news is there's a lot that we can do about this, right? And basic measures go a long way. So a couple of things just to get out of the way, I call it housekeeping, cyber hygiene, but it's always worth reminding. So when we talk about keeping security patches up to date, we always have to talk about that, because that is the reality, as I said: these vulnerabilities that are still being successful are five to six years old in some cases, the majority two years old. So being able to do that, manage that from an organization's point of view, really treat the new work from home, I don't like to call it work from home, the reality is it's work from anywhere a lot of the time for some people, so really treat that as a secure branch methodology: doing things like segmentation on the network, secure wifi access. Multi-factor authentication is a huge must, right? So using multi-factor authentication, because passwords are dead. Using things like XDR. So XDR is a combination of detection and response for endpoints. This is a mass centralized management thing, right? So endpoint detection and response, as an example, those are all good security things. So of course having security inspection, that's what we do. So good threat intelligence baked into your security solution that's supported by the labs. So that's antivirus, intrusion prevention, web filtering, sandbox and so forth. But then that's the security stack; beyond that it gets into the end user, right? Everybody has a responsibility. This is that supply chain we talked about. The supply chain is a target for attackers; attackers have their own supply chain as well, and we're also part of that supply chain, right? The end users, we're constantly phished for social engineering. So using phishing campaigns against employees to better do training and awareness is always recommended too. So that's what we can do, obviously that's what's recommended to secure the endpoints and the secure branch. There's things we're also doing in the industry to fight back against cybercrime as well.

>> Well, I want to actually talk about that and talk about ecosystems and collaboration, because while you have competitors, you all want the same thing. SecOps teams are like superheroes in my book. I mean, they're trying to save the world from the bad guys. And I remember I was talking to Robert Gates on theCUBE a couple of years ago, a former defense secretary. And I said, yeah, but don't we have like the best security people, and can't we go on the offensive and weaponize that ourselves? Of course, there's examples of that. US government's pretty good at it, even though they won't admit it. But his answer to me was, yeah, we've got to be careful because we have a lot more to lose than many countries. So I thought that was pretty interesting, but how do you collaborate, whether it's the US government or other governments or other competitors even, or your ecosystem? Maybe you could talk about that a little bit.

>> Yeah. This is what makes me tick. I love working with industry. I've actually built programs for 15 years of collaboration in the industry. So, you know, I always say we can't win this war alone. You actually hit on this point earlier; you talked about following and trying to disrupt the ROI of cybercriminals. Absolutely, that is our target, right. We're always looking at how we can disrupt their business model. And in order, there's obviously a lot of different ways to do that, right? So a couple of things we do is resiliency; that's what we just talked about, increasing the security stack so that they go knocking on someone else's door. But beyond that, it comes down to private-private sector collaborations. So we co-founded the Cyber Threat Alliance in 2014 as an example. This was our fierce competitors coming in to work with us to share intelligence, because like you said, we're competitors in the space, but we need to work together to do the better fight. And so this is a Venn diagram. Let's compare notes, let's team up when there's a breaking attack and make sure that we have the intelligence, so that we can still remain competitive on the technology stack, the integration, the solutions themselves. But let's level the playing field here, because cybercriminals move about, you know, there's no borders and they move with great agility. So that's one thing we do in the private-private sector. There's also public-private sector relationships, right? So we're working with Interpol as an example, the Interpol Project Gateway, and that's when we find attribution. So it's not just the what are these people doing, like infrastructure, but who are they, where are they operating? What events, tools are they creating?
We've actually worked on cases that are led down to, um, uh, warrants and arrests, you know, and in some cases, one case with a $60 million business email compromise fraud scam, the great news is if you look at the industry as a whole, uh, over the last three to four months has been for take downs, a motet net Walker, uh, um, there's also IE Gregor, uh, recently as well too. >>And, and Ian Gregor they're actually going in and arresting the affiliates. So not just the CEO or the King, kind of these organizations, but the people who are distributing the ransomware themselves. And that was a unprecedented step, really important. So you really start to paint a picture of this, again, supply chain, this ecosystem of cyber criminals and how we can hit them, where it hurts on all angles. I've most recently, um, I've been heavily involved with the world economic forum. Uh, so I'm, co-author of a report from last year of the partnership on cyber crime. And, uh, this is really not just the pro uh, private, private sector, but the private and public sector working together. We know a lot about cybercriminals. We can't arrest them. Uh, we can't take servers offline from the data centers, but working together, we can have that whole, you know, that holistic effect. >>Great. Thank you for that, Derek. What if people want, want to go deeper? Uh, I know you guys mentioned that you do blogs, but are there other resources that, that they can tap? Yeah, absolutely. So, >>Uh, everything you can see is on our threat research blog on, uh, so 40 net blog, it's under expired research. We also put out, uh, playbooks, w we're doing blah, this is more for the, um, the heroes as he called them the security operation centers. Uh, we're doing playbooks on the aggressors. And so this is a playbook on the offense, on the offense. What are they up to? How are they doing that? That's on 40 guard.com. Uh, we also release, uh, threat signals there. 
So, um, we typically release, uh, about 50 of those a year, and those are all, um, our, our insights and views into specific attacks that are now >>Well, Derek Mackie, thanks so much for joining us today. And thanks for the work that you and your teams do. Very important. >>Thanks. It's yeah, it's a pleasure. And, uh, rest assured we will still be there 24 seven, three 65. >>Good to know. Good to know. And thank you for watching everybody. This is Dave Volante for the cube. We'll see you next time.

Published Date : Feb 26 2021



EMBARGO Derek Manky Chief, Security Insights & Global Threat Alliances, FortiGuard Labs


>>As we've been reporting, the pandemic has caused CISOs to really shift their spending priorities towards securing remote workers, almost overnight. Zero trust has gone from buzzword to mandate. What's more, as we wrote in our recent cybersecurity Breaking Analysis, not only must CISOs protect an increasingly distributed workforce, but now they have to be wary of software updates in the digital supply chain, including the very patches designed to protect them against cyber attacks. Hello everyone, and welcome to this CUBE conversation. My name is Dave Vellante and I'm pleased to welcome Derek Manky, who's chief of security insights and global threat alliances for FortiGuard Labs, with fresh data from its Global Threat Landscape Report. Derek, welcome. Great to see you.
>>Thanks so much for the invitation to speak. It's always a pleasure.
>>You're welcome. So first I wonder if you could explain for the audience, what is FortiGuard Labs and what's its relationship to Fortinet?
>>Right. So FortiGuard Labs is our global SOC, our global threat intelligence operation center. It never sleeps, and this is the beat. It's been here since inception at Fortinet. So it's 20, 21 years in the making, since Fortinet was founded. We have built this in-house, so we don't OEM technology. We built everything from the ground up, including creating our own training programs for our analysts. We're following malware, following exploits. We even have a unique program that I created back in 2006, an ethical hacking program, and it's a zero-day research program. So we try to meet the hackers, the bad guys, at their game. And we of course do that responsibly, to work with vendors to close holes and create virtual patches. But, you know, it's everything from customer protection first and foremost to following the threat landscape and cybercrime. It's very important to understand who they are, what they're doing, what they're targeting, what tools are they using.
>>Yeah, that's great. Some serious DNA and skills in that group. And it's critical because, like you said, you can minimize the spread of that malware very, very quickly. So now you have the Global Threat Landscape Report. We're going to talk about that, but what exactly is that?
>>Right. So the Global Threat Landscape Report is a summary of all the data that we collect over a period of time. So we release this biannually, two times a year. Cybercrime is changing very fast, as you can imagine. So while we do release security blogs and what we call threat signals for breaking security events, we have a lot of other vehicles to release threat intelligence, but this threat landscape report is truly global. It looks at all of our global data. So we have over 5 million sensors worldwide in FortiGuard Labs; we're processing, I know it seems like a very large amount, but north of a hundred billion threat events in just one day. And we have to take the task of taking all of that data and putting that onto scale for half a year and compiling that into something that is digestible. That's a very tough task, as you can imagine, so we have to work with huge technologies, back to machine learning and artificial intelligence automation, and of course our analyst view, to do that.
>>Yeah. So this year, of course, every year is a battle, but this year was an extra battle. Can you explain what you saw in terms of the hacker dynamics over the past, let's say, 12 months? I know you do this twice a year, but what trends did you see evolving throughout the year, and what have you seen with the way that attackers have exploited this expanded attack surface outside of the corporate network?
>>Yeah, it was quite interesting last year. It certainly was not normal, like we all say, and that was no exception for cybersecurity. You know, if we look at cybercriminals and how they pivoted and adapted to the changing threat landscape, cybercriminals are always trying to take advantage of the weakest link of the chain. They're always trying to prey off fear and ride waves of global trends and themes. We've seen this before in natural disasters as an example, you know, trying to do charity kinds of scams and campaigns. And they're usually limited to a region where that incident happened, and they usually live about two to three weeks, maybe a month at the most. And then they'll move on to the next thing that's breaking. Of course, because COVID is so global and dominant, we saw attacks coming in in well over 40 different languages as an example, in regions all across the world, and that wasn't lasting two to three weeks; it lasted for the better part of a year. And of course they're using this as a vehicle, right? Preying on the fear. They're doing everything from initial lockdown phishing, as COVID-19 moved, to layoff notices, then to phase one reopenings, all the way up to, fast forward to where we are today, with vaccine rollout and development. So there's always that new flavor and theme that they were rolling out, but because it was so successful for them, they didn't have to innovate too much, right? They didn't have to expand and shift to new trends and themes, or really develop new RAT families as an example, or new sophisticated malware. That was the first half of the year. In the second half of the year, of course, people started to experience COVID fatigue, right? People started to become, and we did a lot of education around this, people started to become more aware of this threat. And so cybercriminals started to, as we expected, become more sophisticated with their attacks. We saw an expansion in different ransomware families. We saw more of a shift of focus on targeting the digital supply chain as an example. And so that was really towards Q4. So it was a long-lived year with success on the COVID themes, targeting healthcare as an example, a lot of the organizations that were, you know, really in a vulnerable position, I would say.
>>So, okay. I want to clarify something, because my assumption was that they actually did really increase the sophistication, but it sounds like that was kind of a first half trend. Not only did they have to adapt, and not have to, but they adapted to these new vulnerabilities. My sense was that when you talk about the digital supply chain, that was a fairly sophisticated attack. Am I getting that right? That they did their sort of increased sophistication in the first half, and then they sort of deployed it, did it? What actually happened there from your data?
>>Well, if we look at, so generally there's two types of attacks that we look at. We look at the premeditated, sophisticated attacks that can have a lot of ramp-up work on their end, a lot of time developing the weaponization phase, so developing the exploits, the sophisticated malware that they're going to use for the campaign, reconnaissance, understanding the targets, what platforms are deployed, the blueprinting, that DNA of the supply chain. Those take time, in fact years. Even if we look back to 10 plus years ago with the Stuxnet attacks, as an example, that was on nuclear centrifuges, and that had four different zero-day weapons at the time. That was very sophisticated; that took over two years to develop as an example. So some of these can take years of time to develop, but they're very specific in terms of the targets they're going to go after, obviously the ROI from their end. The other type of attack that we see is ongoing: these broad, wide-sweeping attacks, and the reality for those ones is they don't, unfortunately, need to be too sophisticated. And those ones were the ones I was talking about that were really just playing on the COVID theme, and they still do today with the vaccine rollout and development. But it's really because they're just playing on social engineering, using topical themes. And in fact, the weapons they're using, these vulnerabilities, are, from our research data, and this was highlighted actually in the threat landscape report before last year, on average two to three years old. So we're not talking about fresh vulnerabilities you've got to patch right away. I mean, these are things that should have been patched two years ago, but they're still unfortunately having success with that.
>>So you mentioned Stuxnet as the former sort of example of one of the types of attacks that you see. And I always felt like that was a watershed moment, one of the most sophisticated, if not the most sophisticated attack that we'd ever seen. When I talk to CISOs about the recent government hack, they suggest, I infer, maybe they don't suggest it, I infer that it was of similar sophistication. It was maybe thousands of people working on this for years and years and years. Is that accurate or not necessarily?
>>Yeah, there's definitely some comparisons there. You know, one of the largest things is both attacks used digital certificate impersonation, so they're digitally signed. So, you know, of course that whole technology using cryptography is designed, by design, to say that this piece of software installed on your system has this certificate, is coming from the source, it's legitimate. Of course, if that's compromised, that's all out of the window. And yeah, this is what we saw in both attacks. In fact, you know, Stuxnet, they also had digitally signed certificates that were compromised. So when it gets to that level of sophistication, that means definitely that there's a target, that there has been usually months of homework done by cybercriminals for reconnaissance to be able to weaponize that.
>>What did you see with respect to ransomware? What were the trends there over the past 12 months? I've heard some data and it's pretty scary, but what did you see?
>>Yeah, so ransomware is always the thorn in our side, and it's going to continue to be so. In fact, ransomware is not new itself. It was actually first created in 1989, and they demanded ransom payments through snail mail. This was to a P.O. box, obviously; that didn't take off, wasn't successful. The internet was born at the time. But if you look at it now, of course, over the last 10 years really, that's where the ransomware model has been lucrative, right? I mean, it's been by force-encrypting data on systems, so that users were forced to pay the ransom because they wanted access to their data back. Data was the target currency for ransomware. That's shifted now, and that's actually been a big pivot over the last year or so, because again, before it was this, let's cast a wide net, infect as many people as we can at random, and try to see if we can hold some of their data for ransom. For some people that data may be valuable, it may not be valuable. And that model still exists, and we see that, but really the big shift that we saw last year and in the threat landscape before it was a shift to targeted ransomware. So again, the sophistication is starting to rise, because they're not just going out to random data. They're going out to data that they know is valuable to large organizations, and they're taking that a step further now. So there's various ransomware families we saw that have now reverted to extortion and blackmail, right? So they're taking that data, encrypting it and saying, unless you pay us a large sum of money, we're going to release this to the public or sell it to a buyer on the dark web. And of course you can imagine the amount of damages that can happen from that. The other thing we're seeing is a target of going to revenue services, right? So if they can cripple networks, it's essentially a denial of service. They know that the company is going to be bleeding, you know, X millions of dollars a day, so they can demand Y million dollars of ransom payments, and that's effectively what's happening. So it's, again, becoming more targeted and more sophisticated. And unfortunately, the ransom is going up.
>>So they go to where the money is. And of course your job is to lower the ROI for them, a constant challenge. We talked about some of the attack vectors that you saw this year that cybercriminals are targeting. I wonder if, you know, given the work from home, things like IoT devices and cameras and, you know, thermostats, with 75% of the workforce at home, is this infrastructure more vulnerable? I guess, of course it is. But what did you see there in terms of attacks on those devices?
>>Yeah, so unfortunately the attack surface, as we call it, so the amount of target points, is expanding. It's not shifting, it's expanding. We still see, I mentioned earlier, vulnerabilities from two years ago that are being used in some cases, you know, over the holidays where e-commerce, we saw e-commerce heavily under attack. E-commerce has spiked since last summer, right? It's been a huge amount of traffic increase, everybody's shopping from home. And those vulnerabilities going after shopping cart plugins, as an example, are five to six years old. So we still have this theme of old vulnerabilities that are still new in a sense, being attacked, but we're also now seeing this complication of, yeah, as you said, IoT being rolled out everywhere, the really quick shift to work from home. We really have to treat this as the distributed branch model for enterprise, right? And it's really now the secure branch. How do we take any of these devices on those networks and secure them? Because yeah, if you look at what we highlighted in our landscape report and the top 10 attacks that we're seeing, so hacking attempts, this is what our IPS triggers, you know, we're seeing attempts to go after IoT devices. Right now they're mostly favoring, well in terms of targets, consumer grade routers. But they're also looking at DVR devices as an example, for, you know, home entertainment systems, network attached storage as well, and IP security cameras, some of the newer devices, the quote-unquote smart devices that are now on, you know, virtual assistants and home networks. We actually released a predictions piece at the end of last year as well. So this is what we call the new intelligent edge, and that's what I think we're really going to see this year in terms of what's ahead. Because we always have to look ahead and prepare for that. But yeah, right now, unfortunately, the story is, all of this is still happening. IoT is being targeted.
Of course they're being targeted because they're easy targets. For cybercriminals, it's like shooting fish in a barrel. There's not just one, but there are multiple vulnerabilities, security holes associated with these devices, easy entry points into networks.
>>I mean, attackers are highly capable. They're organized, they're well-funded, they move fast, they're agile, and they follow the money. As we were saying, you mentioned COVID vaccines and big pharma, healthcare. Where did you see advanced persistent threat groups really targeting? Were there any patterns that emerged in terms of other industry types or organizations being targeted?
>>Yeah. So just to be clear again, when we talk about APT, advanced persistent threat groups, the groups themselves and what they're targeting, these are usually the more sophisticated groups, of course. So going back to that theme, these are usually the premeditated, targeted attacks, which usually points to nation state. Sometimes of course there's overlap. They can be affiliated with cybercrime; cybercrime groups are typically looking at some other targets for ROI, but there's a blend, right? So as an example, if we're looking at the APT groups I had last year, number one I would say would be healthcare. Healthcare was one of those, and it's very unfortunate, but obviously with the shift that was happening to pop-up medical facilities, there was a big rush to change networks, for a good cause of course, but with that came security holes and concerns, the targets, and that's what we saw APT groups targeting, going after those, and ransomware and the cybercrime scene followed as well. Right? Because if you can follow those critical networks and cripple them, from a cybercriminal's point of view you can expect them to pay the ransom, because they think that they need to buy in order to get those systems back online. In fact, last year too, unfortunately we saw the first death that was caused because of a denial of service attack in healthcare. Facilities weren't available because of the cyber attack. Patients had to be diverted and didn't make it on the way.
>>All right. Derek, I'm sufficiently bummed out. So maybe in the time remaining, we can talk about remediation strategies. You know, we know there's no silver bullet in security. But what approaches are you recommending for organizations? How are you consulting with folks?
>>Sure. Yeah. So a couple of things. The good news is there's a lot that we can do about this, right? And basic measures go a long way. So a couple of things just to get out of the way, I call it housekeeping, cyber hygiene, but it's always worth reminding. So when we talk about keeping security patches up to date, we always have to talk about that because that is the reality: these vulnerabilities that are still being successful are five to six years old in some cases, the majority two years old. So being able to do that, manage that from an organization's point of view. Really treat the new work from home, and I don't like to call it work from home, the reality is it's work from anywhere a lot of the time for some people, so really treat that as a secure branch methodology, doing things like segmentation on the network, secure Wi-Fi access. Multi-factor authentication is a huge must, right? So using multi-factor authentication, because passwords are dead; using things like XDR. So XDR is a combination of detection and response for endpoints; this is a centralized management thing, right? So endpoint detection and response, as an example. Those are all good security things. So of course having security inspection, that's what we do, so good threat intelligence baked into your security solution that's supported by labs. So that's antivirus, intrusion prevention, web filtering, sandbox, and so forth. But then that's the security stack; beyond that it gets into the end user, right? Everybody has a responsibility. This is that supply chain we talked about. The supply chain is a target for attackers; attackers have their own supply chain as well, and we're also part of that supply chain, right? The end users, where we're constantly phished for social engineering. So using phishing campaigns against employees to better do training and awareness is always recommended too. So that's what we can do; obviously that's what's recommended to secure via the endpoints and the secure branch. There are things we're also doing in the industry to fight back against cybercrime as well.
>>Well, I want to actually talk about that and talk about ecosystems and collaboration, because while you have competitors, you all want the same thing. Your SecOps teams are like superheroes in my book. I mean, they're trying to save the world from the bad guys. And I remember I was talking to Robert Gates on theCUBE a couple of years ago, a former defense secretary. And I said, yeah, but don't we have like the best security people, and can't we go on the offensive and weaponize that ourselves? Of course, there's examples of that. The U.S. government's pretty good at it, even though they won't admit it. But his answer to me was, yeah, we gotta be careful because we have a lot more to lose than many countries. So I thought that was pretty interesting, but how do you collaborate, whether it's the U.S. government or other governments or other competitors even, or your ecosystem? Maybe you could talk about that a little bit.
>>Yeah. This is what makes me tick. I love working with industry. I've actually built programs for 15 years of collaboration in the industry. So, you know, we need, I always say, we can't win this war alone. You actually hit on this point earlier, you talked about following and trying to disrupt the ROI of cybercriminals. Absolutely. That is our target, right? We're always looking at how we can disrupt their business model. And there's obviously a lot of different ways to do that, right? So a couple of things we do is resiliency. That's what we just talked about, increasing the security stack so that they go knocking on someone else's door. But beyond that, it comes down to private-private sector collaborations. So we co-founded the Cyber Threat Alliance in 2014 as an example. This was our fierce competitors coming in to work with us to share intelligence, because like you said, we're competitors in the space, but we need to work together to fight the better fight. And so this is a Venn diagram. Let's compare notes, let's team up when there's a breaking attack and make sure that we have the intelligence, so that we can still remain competitive on the technology stack, the integration, the solutions themselves. But let's level the playing field here, because cybercriminals move without borders and they move with great agility. So that's one thing we do in the private-private sector. There are also public-private sector relationships, right? So we're working with Interpol as an example, Interpol Project Gateway, and that's where we find attribution. So it's not just the what, what are these people doing, like infrastructure, but who, who are they, where are they operating, what tools are they creating? We've actually worked on cases that have led to warrants and arrests, you know, and in some cases, one case with a $60 million business email compromise fraud scam. The great news is, if you look at the industry as a whole over the last three to four months, there have been four takedowns: Emotet, NetWalker, and there's also Egregor recently as well too. And with Egregor they're actually going in and arresting the affiliates. So not just the CEO or the kingpin of these organizations, but the people who are distributing the ransomware themselves. And that was an unprecedented step, really important. So you really start to paint a picture of this, again, supply chain, this ecosystem of cybercriminals and how we can hit them where it hurts on all angles. Most recently, I've been heavily involved with the World Economic Forum. So I'm co-author of a report from last year, the partnership on cybercrime. And this is really not just the private sector, but the private and public sector working together. We know a lot about cybercriminals. We can't arrest them. We can't take servers offline from the data centers, but working together we can have that holistic effect.
>>Great. Thank you for that, Derek. What if people want to go deeper? I know you guys mentioned that you do blogs, but are there other resources that they can tap?
>>Yeah, absolutely. So everything you can see is on our threat research blog, so the Fortinet blog, it's under threat research. We also put out playbooks; this is more for the heroes, as you called them, the security operation centers. We're doing playbooks on the aggressors, and so this is a playbook on the offense. What are they up to? How are they doing that? That's on FortiGuard.com. We also release threat signals there.
So, um, we typically release, uh, about 50 of those a year, and those are all, um, our, our insights and views into specific attacks that are now >>Well, Derek Mackie, thanks so much for joining us today. And thanks for the work that you and your teams do. Very important. >>Thanks. It's yeah, it's a pleasure. And, uh, rest assured we will still be there 24 seven, three 65. >>Good to know. Good to know. And thank you for watching everybody. This is Dave Volante for the cube. We'll see you next time.

Published Date : Feb 23 2021


Derek Manky, Fortinet | CUBEConversation


 

>> From the Cube studios in Palo Alto and Boston, connecting with thought leaders all around the world. This is a Cube conversation.
>> Welcome to this Cube Virtual conversation. I'm Lisa Martin and I'm excited to be talking to one of our Cube alumni again, very socially distant. Derek Manky joins me, the Chief of Security Insights and Global Threat Alliances at Fortinet's FortiGuard Labs. Derek, it's great to see you, even though virtually.
>> Yep, better safe these days, right? But yeah, it's great to see you again and I'm really looking forward to a great conversation, as always.
>> Yeah! So, wow, has a lot changed since I last saw you? I think that's an epic understatement. But each year we talk with you about what's coming up in the threat landscape, what you guys are seeing, some of the attack trends. What are some of the things that you've seen in this very eventful year since we last spoke?
>> Yeah, a lot of things. Obviously with the pandemic there has been this big shift in landscape, right? So particularly Q3, Q4, so the last half of the year. Now we have a lot of things that were traditionally in corporate safeguards, you know, actual workstations, laptops that were sitting within networks and perimeters of organizations, that have obviously moved to work from home. And so with that comes a lot of new attack opportunities. We track, as you know, threat intel at Fortinet, so FortiGuard Labs, on a daily basis. And we are clearly seeing that, and we're seeing a huge rise in things like IoT targets being the number one attacks, so consumer grade routers, IoT devices like printers and network attached storage. Those are some of the most favorite attack vehicles that cybercriminals are using to get into those devices. Of course, once they get in those devices, they can then move laterally to compromise the corporate laptop as an example. So those are very concerning. The other thing has been that email, that traditionally has been our number one, another favorite attack platform, always has. It's not going away, but for the first time this year, in about September, the second half, we saw web based attacks taking priority for attackers, and that's because of this new working environment. A lot of people are surfing the websites from, again, these devices that were not previously within, you know, organizations. Email security is centralized a lot of the time, but the web security always isn't. So that's another shift that we've seen. We're now in the full-blown midst of the online shopping season. Action in the shopping season is almost every day now (laughter) since this summer.
>> Yep. Yep.
>> And we've clearly seen that. Just from September up to October we saw over a trillion, not a billion, but a trillion new flows to shopping websites in just one month. So that number continues to rise and continues to rise quickly.
>> Yeah. So the expanding threat landscape. I've talked to a number of companies the last few months that were in this situation where suddenly it was a maybe 100% onsite workforce now going to work from home, taking either desktops from their offices or using personal devices, and that was a huge challenge that we were talking about with respect to endpoint and laptop security. But interesting that you're seeing now this web security; I know phishing emails are getting more personal, but the fact that website attacks are going up. What are some of the things that you think, especially, you bring up a point, we are now in a maybe even more supercharged e-commerce season. How can businesses prepare and become proactive to defend against some of these things, since now the threat surface is even bigger?
>> Yeah. Multi-pronged approach. You know, Lisa, like we always say that, first of all, it's just like we have physical distancing, cyber distancing, just like we're doing now on this call. But same thing for reuse. I think there's always a false sense of security, right? When you're just in the home office, doing some browsing to a site, you really have to understand that these sites, just by touching, literally touching it by going to the URL and clicking on that link, you can get infected that easily. We're seeing that, there's a lot of these attacks being driven. So, education, there's a lot of free programs. We have one on Fortinet, information security awareness training. That is something that we continually need to hone the skills of end users with, first of all, so that's an easy win, I would say, in my eyes in terms of organizations. But then this multi-pronged approach, right? So things like having EDR, endpoint detection and response, and being able to manage those end users while they're on their devices at home. Being able to have security and making sure those are up to date in terms of patches. So centralized management is important; two factor authentication, or multi-factor authentication, also equally as important. Doing things like network segmentation, for end users and the devices too. So there's a lot of these things. You look at the risk that's associated, the risk is always way higher than the investment upfront in terms of hours, in terms of security platforms. So the good thing is there's a lot of solutions out there and it doesn't have to be complicated.
>> That's good, because we have enough complication everywhere else. But you bring up a point, you know, about humans, about education. We're kind of always that weakest link, but so many of us now that are home have distractions going on all around. So you might be going, "I've got to do some bill pay" and go onto your bank without thinking that that's now a threat landscape. What are some of the things that you're seeing that you think we're going to face in 2021, which is just around the corner?
>> Yeah, so we were just talking about those IoT devices. They're the main culprit right now. They can continue to be for a while. We have this new class of threat, emerging technology, which is edge computing. So people always talked about the perimeter being dead, in other words, not just building up a wall on the outside, but understanding what's inside, right? That's been the case of IoT, but now edge computing is the emerging technology. The main difference, you know, we say, is that the edge devices, a virtual assistant is the best example I could give, right, that users will be aware of in home networks. Because these devices, traditionally, have more processing power, they handle more data, they have more access and privilege to devices, like things like security systems, lights, as an example. Beyond home networks, these edge devices are also, as an example, being put into military and defense, into critical infrastructure, field units for oil and gas and electricity as an example. So this is the new emerging threat: more processing power, more access and privilege, smarter decisions that are being made on those devices. Those devices are going to be targets for cybercriminals. And that's something, I think next year, we're going to see a lot of, because it's a bigger reward to the cybercriminal if they can get into it. And so targeting the edge is going to be a big thing. I think there's going to be a new class of threats. I'm calling these, I haven't heard this coined in the industry yet, but I'm calling these "EATs" or "Edge Access Trojans", because that's what it is: they compromise these devices. They can then control and get access to the data. If you think of a virtual assistant, and somebody that can actually compromise that device, think about that data. Voice data that's flowing through those devices that they can then use in a cleverly engineered, you know, attack, a social engineering attack to phish a user as an example.
>> Wow! I never thought about it from that perspective before. Do you think, with all the talk about 5G, and what's coming with 5G, is that going to be an accelerator of some of these trends? Of some of these "EATs" that you talk about?
>> Yeah, definitely. Yeah. So 5G is just a conduit. It's an accelerator. Absolutely, a catalyst, if you will. It's here. It's been deployed, not worldwide, but in many regions, and it's going to continue to be. 5G is all about speed, right? And so if you think about how swiftly these attacks are moving, you need to be able to keep up with that from a defense standpoint. Threats move without borders, they move, unfortunately, without restriction a lot of the time, right? Cybercrime has no borders. They don't have rules, or if they have, they don't care about rules (laughter), so they break those rules. So they are able to move quickly, right? And that's the problem with 5G, of course, is that these devices now can communicate quicker, they can launch even larger scale things like DDoS, distributed denial of service attacks. And that is a very big threat. And the other thing about 5G, Lisa, is that it allows peer to peer connectivity too, right? So it's like Bluetooth, Bluetooth's enhanced in a sense, because now you have devices that interact with each other as well. By interacting with each other, you know, what are they talking about? What data are they passing? That's a whole new security inspection point that we need to look at. And that's what I mean about this, it reconfirms that the perimeter is dead.
>> Right. Something we've been talking about, as you said, for a while, but that's some pretty hard hitting evidence that it is, indeed, a thing of the past. Something that we've talked about with you in the past is swarm attacks. What's going on there? How are they progressing?
>> Yeah, so this is a real threat, but there's good news, bad news. The good news is this is a long progressing threat, which means we have more time to prepare. Bad news is we have seen developments in terms of weaponizing this. It's like anything, swarm is a tool. It can be used for good. DARPA, as an example, has invested a lot into this from military research. It's all around us now in terms of good applications, things like for redundancy, right? Robotics, as an example. There's a lot of good things that come from swarm technology, but if it's weaponized, it can have some very scary prospects. And that's what we're starting to see. There's a new botnet that was created this year. It is called HEH, this is written in Golang. So it's a language that basically allows it to infect any number of devices. It's not just your PC, right? It's the same virus, but it can morph into all these different platforms, devices, whether it's an IoT device, an edge device. But the main characteristic of this is that it's able to actually have communication. They built a communication protocol into it. So the devices can pass files between each other, talk to each other. They don't have machine learning models yet, so in other words, they're not quote-unquote "smart" yet, but that's coming. Once that intelligence starts getting baked in, then we have the weaponized swarm technology. And what this means is that, you know, when you have those devices that are making decisions on their own, talking to each other, A: they're harder to kill. You take one down, another one takes its place. B: they are able to move very swiftly, especially when they're piggybacking, leveraging things like 5G.
>> So, I'm just blown away at all these things that you're talking about. So talk about how companies, and even individuals, can defend against this and become proactive. As we know, one of the things we know about 2020 is all the uncertainty. We're going to continue to see uncertainty, but we also know that there's the expectation, globally, that a good amount of people are going to be working from home and connecting to corporate networks for a very long time. So how can companies and people become proactive against these threats?
>> Yes. People, process, procedures and technology. So I really look at this as a stacked approach. First of all, threats, as I said, they're becoming quicker, the attack surface is larger, you need threat intelligence visibility. This comes down to security platforms from a technology piece. So security driven networking, AI driven security operations centers. These are new, but it's becoming, as you can imagine, when we talked about, critical to fill that gap, to be able to move as quickly as the attackers. You need to be able to use intelligent technology on your end, so people are just too slow. But we can still use people for the process, you know, making sure, trying to understand what the risk is. So looking at threat intelligence reports; we put out weekly threat intelligence briefs as an example, as FortiGuard Labs, to be able to understand what the threats are, how to respond to those, how to prioritize them, and then put the proper security measures in place. So there are absolutely relevant technologies that exist today, and in fact now, I think, is the time to really get those in deployment before this becomes worse, as we're talking about. And then, as I said earlier, there's also free things that can be just part of our daily lives, right? So we don't have this false sense of security. So understanding that that threat is real, following up on the threat and doing education. There's phishing services. Again, phishing can be a good tool when it's used in a non-malicious way, to test people's skill sets as an example. So all of that combined. But the biggest thing is definitely relying on things like machine learning, artificial intelligence, to be able to work at speed with these threats.
>> Right. So you also have global threat alliances under your portfolio. Talk to me about how Fortinet is working with global alliance partners to fight this growing attack surface.
>> Yeah. So this is the ecosystem. Every organization, whether it's private or public sector, has a different role to play, in essence, right? So you look at things in the public sector, you have law enforcement, they're focused on attribution. So when we look at cybercrime, and if we find, it's the hardest thing to do, but if we find out who these cybercriminals are, we can bring them to justice, right? Our whole goal is to make it more expensive for the cybercriminals to operate. So by doing this, if we work with law enforcement and it leads to a successful arrest and prosecution, because we've done it in the past, that takes them offline, hits them somewhere it hurts. Law enforcement will typically work with intelligence leads to freeze assets, as an example, from maybe ransom attacks that are happening. So that's one aspect, but then you have other things like working with national computer emergency response. So disrupting cybercrime, we work with national CERTs. If we know that, you know, the bad guys are hosting stolen data or communication infrastructure in public, you know, servers, we can work with them to actually disrupt that, to take those servers offline. Then you have the private space. So this, you know, Fortinet, we're a founding member of the Cyber Threat Alliance. I'm on the steering committee there. And this is working with even competitors in our space, where we can share quickly up-to-date intelligence on attackers. We remain competitive on the technology itself, but, you know, we're working together to actually share as much as we know about the bad guys. And recently we're also a founding member of the "Center for Cyber Security", "C4C", with the World Economic Forum. And this is another crucial effort that is basically trying to bridge all of that, to mend all of that together, right? Law enforcement, prosecutors, security vendors, intelligence organizations, all under one roof, because we really do need that. It's an entire ecosystem to make this an effective fight. So it's interesting, because a lot of people, I don't think, see what's happening behind the scenes a lot of the time, but there is a tremendous effort globally that's happening between all the players. So that's really good news. And the industry piece is something close to my heart. I've been involved a lot of the time and we continue to support it.
>> That's exciting. And that's something that is, you know, unfortunately, so very, very needed and will continue to be as emerging technologies evolve and we get to use them for good things. And to your point, the bad actors also get to take advantage of that for nefarious things as well. Derek, it's always great to have you on the program. Any particular things on the Fortinet website that you would point viewers to, to learn more about, like the 2020 threat landscape?
>> Sure. You can always check out our blogs, so it's on the blog at fortinet.com, under "Threat Research". As I said, on FortiGuard.com we also have our playbooks on there. We have podcasts, we have our updated threat intelligence briefs too. So those are always great to check out, and just rest assured that, you know, everything I've been talking about, we're doing a lot of that heavy lift on the backend. So by working with managed security service providers and having all this intelligence baked in, organizations don't have to go and have a huge OPEX by, you know, hiring, you know, trying to create a massive security center on their own. I mean, it's about this technology working together, and that's what we're here for, that's what we do at FortiGuard Labs.
>> Awesome. Derek, thank you so much for joining me today in this Cube Conversation. Lots of exciting stuff going on at Fortinet and FortiGuard Labs, as always, which we expect. It's been great to have you. Thank you.
>> It's a pleasure. Thanks, Lisa.
>> For Derek Manky, I'm Lisa Martin. You're watching the Virtual Cube.

Published Date : Nov 17 2020


Derek Manky and Aamir Lakhani, FortiGuard Labs | CUBE Conversation, August 2020


 

>>From the Cube Studios in Palo Alto and Boston, connecting with thought leaders all around the world. This is a Cube conversation.
>>Everyone, welcome to this Cube conversation. I'm John Furrier, host of the Cube, here in the Cube's Palo Alto studios during the COVID crisis, in quarantine with our crew, but we've got the remote interviews. Great to get great guests here from Fortinet's FortiGuard Labs: Derek Manky, Chief of Security Insights and Global Threat Alliances at Fortinet's FortiGuard Labs, and Aamir Lakhani, who's the lead researcher for FortiGuard Labs. Guys, great to see you. Derek, good to see you again. Aamir, nice to meet you.
>>Hey, it's been a while, and it happened so fast.
>>It just seems, I'd say it was just the other day. Derek, we've done a couple interviews in between. A lot of flow coming out of Fortinet, FortiGuard. A lot of action, certainly with COVID, everyone's pulled back home. The bad actors taking advantage of the situation. The surface area's increased, it really is the perfect storm for security. In terms of action, bad actors are at an all time high, new threats, here's what's going on. Take us through what you guys are doing. What's your team makeup look like? What are some of the roles you guys are seeing on your team? And how does that transcend to the market?
>>Yeah, sure, absolutely. So you're right. I mean, like I was saying earlier, this always happens fast and furious. We couldn't do this without, you know, a world class team at FortiGuard Labs, so we've grown our team now to over 235 globally. There's different roles within the team. You know, if we look 20 years ago, the roles used to be very pigeonholed into, say, anti virus analysis. Right now we have to account for, when we're looking at threats, we have to look at that growing attack surface. We have to look at where these threats are coming from. How frequently are they hitting? What verticals are they hitting? You know, what regions? What are the particular techniques, tactics, procedures? You know, we have threat, this is the world of threat intelligence, of course. Contextualizing that information, and it takes different skill sets on the back end, and a lot of people don't really realize the behind the scenes, you know, what's happening, and there's a lot of magic happening, not only from what we talked about before in our last conversation, from artificial intelligence and machine learning that we do at FortiGuard Labs, and automation, but the people. And so today we want to focus on the people and talk about, you know, how on the back end we approach a particular threat. We're going to talk to the world of ransom and ransomware. Look at how we dissect threats, how we correlate that, how we use tools in terms of threat hunting as an example, and then how we actually take that to that last mile and make it actionable, so that, you know, customers are protected, how we share that information with threat intel sharing partners. But again, it comes down to the people. We never have enough people in the industry. There's a big shortage, we know, but it's a really key critical element, and we've been building these training programs for over a decade within FortiGuard Labs. So you know, John, this to me is why, exactly why, I always say, and I'm sure Aamir can share this too, that there's never a dull day in the office. I know we hear that all the time, but I think today, you know, all the viewers really get a new idea of why that is, because this is very dynamic. And on the back end, there's a lot of things we're doing together, our hands dirty with this.
>>You know, the old expression started playing in Silicon Valley is, if you're in the arena, that's where the action is, and it's different than sitting in the stands watching the game. You guys are certainly in that arena. And, you know, we've talked and we cover your threat report that comes out frequently. But for the folks that aren't in the weeds on all the nuances of security, can you kind of give the 101 on ransomware? What's going on? What's the state of the ransomware situation? Set the stage, because that still continues to be a threat. I don't go a week where I don't read a story about another ransomware, and then it leaks out, yeah, they paid 10 million in Bitcoin or something. I mean, this is real. That's a real ongoing threat. What is it?
>>Quite a bit. Yeah, so I'll give sort of the 101 and then maybe pass it to Aamir, who's on the front lines dealing with this every day. You know, if we look at the world of, I mean, first of all, the concept of ransom, obviously you have people that have done that way, way before, you know, cybersecurity, right, in the world of physical crime. So of course, you know, the world's first ransomware virus is actually called PC Cyborg. This is in 1989. The ransom payment was demanded to a P.O. box, I believe it was Panama City at the time. Not too effective on floppy disk. Very small audience. Not a big attack surface. I didn't hear much about it for years. You know, it was really around 2010 that we started to see ransomware becoming prolific, and what they did, what some cybercriminals did, was shift on success from a fake antivirus software model, which was, you know, popping up a whole bunch of, you know, "your computer is infected with 50 or 60 viruses, we'll give you an anti virus solution", which was, of course, fake. You know, people started catching on. You know, the jig is up, people caught onto that. So they weren't making a lot of money selling this fake software. Enter ransomware. And this is where ransomware really started to take hold, because it wasn't optional to pay for the software. It was mandatory, almost, for a lot of people, because they were losing their data. They couldn't reverse engineer the encryption or decrypt it with any universal tool. Ransomware today is very rigid. We just released our threat report for the first half of 2020, and we've seen things like master boot record, MBR, ransomware. This is persistent. It sits before your operating system when you boot up your computer, so it's hard to get rid of. Very strong, you know, public key cryptography that's being used, so each victim is infected with a different key, as an example. The list goes on, and you know, I'll save that for the demo today. But that's basically it. It's very prolific, and we're seeing a shift: not only just ransomware attacks for data, we're now starting to see ransom for extortion, for targeted ransom cases that are going after, you know, critical business. Essentially, it's like a DoS holding revenue streams to ransom too. So the ransom demands are getting higher because of this as well. It's complicated.
>>Yeah, as I was mentioning, Aamir, I want you to weigh in. I mean, 10 million is a lot. We reported earlier this month Garmin was the company that was hit, IT completely locked down. They paid 10 million. Garmin makes all those devices, and as we know, this is impacting. That's real numbers. So I mean, there's other little ones, but for the most part it's new. It's, you know, a pain in the butt to full on business disruption and extortion. Can you explain how it all works before we go to the demo?
>>You know, you're absolutely right. It is a big number, and a lot of organizations are willing to pay that number to get their data back. Essentially their organization and their business is at a complete standstill. When they don't pay, all their files are inaccessible to them. Ransomware in general, what it does, from a very basic overview, is it basically makes your files not available to you. They're encrypted.
They have a essentially a pass code on them that you have to have the correct pass code to decode them. Ah, lot of times that's in the form of a program or actually a physical password you have type in. But you don't get that access to get your files back unless you pay the ransom. Ah, lot of corporations these days, they are not only paying the ransom, they're actually negotiating with the criminals as well. They're trying to say, Oh, you want 10 million? How about four million? Sometimes that it goes on as well, but it's Ah, it's something that organizations know that if they don't have the proper backups and the Attackers are getting smart, they're trying to go after the backups as well. They're trying to go after your duplicate files, so sometimes you don't have a choice, and organizations will will pay the ransom >>and it's you know they're smart. There's a business they know the probability of buy versus build or pay versus rebuild, so they kind of know where to attack. They know the tactics. The name is vulnerable. It's not like just some kitty script thing going on. This is riel system fistic ated stuff. It's and it's and this highly targeted. Can you talk about some use cases there and what's goes on with that kind of attack? >>Absolutely. The cybercriminals are doing reconnaissance. They're trying to find out as much as they can about their victims. And what happens is they're trying to make sure that they can motivate their victims in the fastest way possible to pay the ransom as well. Eh? So there's a lot of attacks going on. We usually we're finding now is ransomware is sometimes the last stage of an attack, so an attacker may go into on organization. They may already be taking data out of that organization. They may be stealing customer data P I, which is personal, identifiable information such as Social Security numbers or or driver's licenses or credit card information. 
Once they've done their entire attack, once they've gone, everything they can Ah, lot of times their end stage. There last attack is ransomware, and they encrypt all the files on the system and try and try and motivate the victim to pay as fast as possible and as much as possible as well. >>You know, it's interesting. I thought of my buddy today. It's like casing the joint. They check it out. They do their re kon reconnaissance. They go in, identify what's the move that's move to make. How to extract the most out of the victim in this case, Target. Um, and it really I mean, it's just go on a tangent, you know? Why don't we have the right to bear our own arms? Why can't we fight back? I mean, the end of the day, Derek, this is like, Who's protecting me? I mean, >>e do >>what? To protect my own, build my own army, or does the government help us? I mean, that's at some point, I got a right to bear my own arms here, right? I mean, this is the whole security paradigm. >>Yeah, so I mean, there's a couple of things, right? So first of all, this is exactly why we do a lot of that. I was mentioning the skills shortage and cyber cyber security professionals. Example. This is why we do a lot of the heavy lifting on the back end. Obviously, from a defensive standpoint, you obviously have the red team blue team aspect. How do you first, Um, no. There is what is to fight back by being defensive as well, too, and also by, you know, in the world that threat intelligence. One of the ways that we're fighting back is not necessarily by going and hacking the bad guys, because that's illegal in jurisdictions, right? But how we can actually find out who these people are, hit them where it hurts. Freeze assets go after money laundering that works. You follow the cash transactions where it's happening. This is where we actually work with key law enforcement partners such as Inter Pool is an example. This is the world, the threat intelligence. 
That's why we're doing a lot of that intelligence work on the back end. So there's other ways toe actually go on the offense without necessarily weaponizing it per se right like he's using, you know, bearing your own arms, Aziz said. There's different forms that people may not be aware of with that and that actually gets into the world of, you know, if you see attacks happening on your system, how you how you can use security tools and collaborate with threat intelligence? >>Yeah, I think that I think that's the key. I think the key is these new sharing technologies around collective intelligence is gonna be, ah, great way to kind of have more of an offensive collective strike. But I think fortifying the defense is critical. I mean, that's there's no other way to do that. >>Absolutely. I mean the you know, we say that's almost every week, but it's in simplicity. Our goal is always to make it more expensive for the cyber criminal to operate. And there's many ways to do that right you could be could be a pain to them by by having a very rigid, hard and defense. That means that if if it's too much effort on their end, I mean, they have roos and their in their sense, right, too much effort on there, and they're gonna go knocking somewhere else. Um, there's also, you know, a zay said things like disruption, so ripping infrastructure offline that cripples them. Yeah, it's wack a mole they're going to set up somewhere else. But then also going after people themselves, Um, again, the cash networks, these sorts of things. So it's sort of a holistic approach between anything. >>Hey, it's an arms race. Better ai better cloud scale always helps. You know, it's a ratchet game. Okay, tomorrow I want to get into this video. It's of ransomware four minute video. I'd like you to take us through you to lead you to read. Researcher, >>take us >>through this video and, uh, explain what we're looking at. Let's roll the video. >>All right? Sure s. 
So what we have here is we have the victims. That's top over here. We have a couple of things on this. Victims that stop. We have ah, batch file, which is essentially going to run the ransom where we have the payload, which is the code behind the ransomware. And then we have files in this folder, and this is where you typically find user files and, ah, really world case. This would be like Microsoft Microsoft Word documents or your Power point presentations. Over here, we just have a couple of text files that we've set up we're going to go ahead and run the ransomware and sometimes Attackers. What they do is they disguise this like they make it look like a like, important word document. They make it look like something else. But once you run, the ransomware usually get a ransom message. And in this case, the ransom message says your files are encrypted. Uh, please pay this money to this Bitcoin address. That obviously is not a real Bitcoin address that usually they look a little more complicated. But this is our fake Bitcoin address, but you'll see that the files now are encrypted. You cannot access them. They've been changed. And unless you pay the ransom, you don't get the files. Now, as the researchers, we see files like this all the time. We see ransomware all the all the time. So we use a variety of tools, internal tools, custom tools as well as open source tools. And what you're seeing here is open source tool is called the cuckoo sandbox, and it shows us the behavior of the ransomware. What exactly is a ransom we're doing in this case? You can see just clicking on that file launched a couple of different things that launched basically a command execute herbal, a power shell. It launched our windows shell and then it did things on the file. It basically had registry keys. It had network connections. It changed the disk. So this kind of gives us behind the scenes. Look at all the processes that's happening on the ransomware and just that one file itself. 
Like I said, there's multiple different things now what we want to do As researchers, we want to categorize this ransomware into families. We wanna try and determine the actors behind that. So we dump everything we know in the ransomware in the central databases. And then we mind these databases. What we're doing here is we're actually using another tool called malt ego and, uh, use custom tools as well as commercial and open source tools. But but this is a open source and commercial tool. But what we're doing is we're basically taking the ransomware and we're asking malty, go to look through our database and say, like, do you see any like files? Or do you see any types of incidences that have similar characteristics? Because what we want to do is we want to see the relationship between this one ransomware and anything else we may have in our system because that helps us identify maybe where the ransom that's connecting to where it's going thio other processes that may be doing. In this case, we can see multiple I P addresses that are connected to it so we can possibly see multiple infections weaken block different external websites. If we can identify a command and control system, we can categorize this to a family. And sometimes we can even categorize this to a threat actor that has claimed responsibility for it. Eso It's essentially visualizing all the connections and the relationship between one file and everything else we have in our database in this example. Off course, we put this in multiple ways. We can save these as reports as pdf type reports or, you know, usually HTML or other searchable data that we have back in our systems. And then the cool thing about this is this is available to all our products, all our researchers, all our specialty teams. 
So when we're researching botnets when we're researching file based attacks when we're researching, um, you know, I P reputation We have a lot of different IOC's or indicators of compromise that we can correlate where attacks goes through and maybe even detective new types of attacks as well. >>So the bottom line is you got the tools using combination of open source and commercial products. Toe look at the patterns of all ransomware across your observation space. Is that right? >>Exactly. I should you like a very simple demo. It's not only open source and commercial, but a lot of it is our own custom developed products as well. And when we find something that works, that logic that that technique, we make sure it's built into our own products as well. So our own customers have the ability to detect the same type of threats that we're detecting as well. At four of our labs intelligence that we acquire that product, that product of intelligence, it's consumed directly by our projects. >>Also take me through what, what's actually going on? What it means for the customers. So border guard labs. You're looking at all the ransom where you see in the patterns Are you guys proactively looking? Is is that you guys were researching you Look at something pops on the radar. I mean, take us through What is what What goes on? And then how does that translate into a customer notification or impact? >>So So, yeah, if you look at a typical life cycle of these attacks, there's always proactive and reactive. That's just the way it is in the industry, right? So of course we try to be a wear Some of the solutions we talked about before. And if you look at an incoming threat, first of all, you need visibility. You can't protect or analyze anything that you can't see. So you got to get your hands on visibility. We call these I, O. C s indicators a compromise. So this is usually something like, um, actual execute herbal file, like the virus from the malware itself. 
It could be other things that are related to it, like websites that could be hosting the malware as an example. So once we have that seed, we call it a seed. We could do threat hunting from there, so we can analyze that right? If it's ah piece of malware or a botnet weaken do analysis on that and discover more malicious things that this is doing. Then we go investigate those malicious things and we really you know, it's similar to the world of C. S. I write have these different gods that they're connecting. We're doing that at hyper scale on DWI. Use that through these tools that Omar was talking. So it's really a life cycle of getting, you know, the malware incoming seeing it first, um, analyzing it on, then doing action on that. Right? So it's sort of a three step process, and the action comes down to what tomorrow is saying water following that to our customers so that they're protected. But then in tandem with that, we're also going further. And I'm sharing it, if if applicable to, say, law enforcement partners, other threat Intel sharing partners to And, um, there's not just humans doing that, right? So the proactive peace again, This is where it comes to artificial intelligence machine learning. Um, there's a lot of cases where we're automatically doing that analysis without humans. So we have a I systems that are analyzing and actually creating protection on its own. Two. So it Zack white interest technology. >>A decision. At the end of the day, you want to protect your customers. And so this renders out if I'm afford a net customer across the portfolio. The goal here is to protect them from ransomware. Right? That's the end of game. >>Yeah, And that's a very important thing when you start talking these big dollar amounts that were talking earlier comes Thio the damages that air down from estimates. >>E not only is a good insurance, it's just good to have that fortification. Alright, So dark. 
I gotta ask you about the term the last mile because, you know, we were before we came on camera. You know, I'm band with junkie, always want more bandwidth. So the last mile used to be a term for last mile to the home where there was telephone lines. Now it's fiber and by five. But what does that mean to you guys and security is that Does that mean something specific? >>Yeah, Yeah, absolutely. The easiest way to describe that is actionable, right? So one of the challenges in the industry is we live in a very noisy industry when it comes thio cybersecurity. What I mean by that is because of that growing attacks for fists on do you know, you have these different attack vectors. You have attacks not only coming in from email, but websites from, you know, DDOS attacks. There's there's a lot of volume that's just going to continue to grow is the world of I G N O T. S O. What ends up happening is when you look at a lot of security operation centers for customers as an example, um, there are it's very noisy. It's, um you can guarantee that every day you're going to see some sort of probe, some sort of attack activity that's happening. And so what that means is you get a lot of protection events, a lot of logs, and when you have this worldwide shortage of security professionals, you don't have enough people to process those logs and actually started to say, Hey, this looks like an attack. I'm gonna go investigate it and block it. So this is where the last mile comes in because ah, lot of the times that you know these logs, they light up like Christmas. And I mean, there's a lot of events that are happening. How do you prioritize that? How do you automatically add action? Because The reality is, if it's just humans, doing it on that last mile is often going back to your bandwidth terms. There's too much too much lately. See right, So how do you reduce that late and see? That's where the automation the AI machine learning comes in. 
Thio solve that last mile problem toe automatically either protection. Especially important because you have to be quicker than the attacker. It's an arms race like E. >>I think what you guys do with four to Guard Labs is super important. Not like the industry, but for society at large, as you have kind of all this, you know, shadow, cloak and dagger kind of attacks systems, whether it's National Security international or just for, you know, mafias and racketeering and the bad guys. Can you guys take a minute and explain the role of 40 guards specifically and and why you guys exist? I mean, obviously there's a commercial reason you both on the four net that you know trickles down into the products. That's all good for the customers. I get that, but there's more to the fore to guard than just that. You guys talk about this trend and security business because it is very clear that there's a you know, uh, collective sharing culture developing rapidly for societal benefit. Can you take them into something that, >>Yeah, sure, I'll get my thoughts. Are you gonna that? So I'm going to that Teoh from my point of view, I mean, there's various functions, So we've just talked about that last mile problem. That's the commercial aspect we create through 40 yard labs, 40 yards, services that are dynamic and updated to security products because you need intelligence products to be ableto protect against intelligence attacks. That's just the defense again, going back to How can we take that further? I mean, we're not law enforcement ourselves. We know a lot about the bad guys and the actors because of the intelligence work that you do. But we can't go in and prosecute. We can share knowledge and we can train prosecutors, right? This is a big challenge in the industry. A lot of prosecutors don't know how to take cybersecurity courses to court, and because of that, a lot of these cybercriminals rain free. That's been a big challenge in the industry. 
So, you know, this has been close to my heart over 10 years, I've been building a lot of these key relationships between private public sector as an example, but also private sector things like Cyber Threat Alliance, where a founding member of the Cyber Threat Alliance, if over 28 members and that alliance. And it's about sharing intelligence to level that playing field because Attackers room freely. What I mean by that is there's no jurisdictions for them. Cybercrime has no borders. Um, they could do a million things, uh, wrong and they don't care. We do a million things right. One thing wrong, and it's a challenge. So there's this big collaboration that's a big part of 40 guard. Why exists to is to make the industry better. Thio, you know, work on protocols and automation and and really fight fight this together. Well, remaining competitors. I mean, we have competitors out there, of course, on DSO it comes down to that last mile problem. John is like we can share intelligence within the industry, but it's on Lee. Intelligence is just intelligence. How do you make it useful and actionable? That's where it comes down to technology integration. And, >>um, are what's your take on this, uh, societal benefit because, you know, I've been saying since the Sony hack years ago that, you know, when you have nation states that if they put troops on our soil, the government would respond. Um, but yet virtually they're here, and the private sector's defend for themselves. No support. So I think this private public partnership thing is very relevant. I think is ground zero of the future build out of policy because, you know, we pay for freedom. Why don't we have cyber freedom is if we're gonna run a business. Where's our help from the government? Pay taxes. So again, if a military showed up, you're not gonna see, you know, cos fighting the foreign enemy, right? So, again, this is a whole new change over it >>really is. 
You have to remember that cyberattacks puts everyone on even playing field, right? I mean, you know, now don't have to have a country that has invested a lot in weapons development or nuclear weapons or anything like that, right? Anyone can basically come up to speed on cyber weapons as long as they have an Internet connection. So it evens the playing field, which makes it dangerous, I guess, for our enemies, you know, But absolutely that I think a lot of us, You know, from a personal standpoint, a lot of us have seen researchers have seen organizations fail through cyber attacks. We've seen the frustration we've seen. Like, you know, besides organization, we've seen people like, just like grandma's loser pictures of their, you know, other loved ones because they can being attacked by ransom, where I think we take it very personally when people like innocent people get attacked and we make it our mission to make sure we can do everything we can to protect them. But But I will add that the least here in the U. S. The federal government actually has a lot of partnerships and ah, lot of programs to help organizations with cyber attacks. Three us cert is always continuously updating, you know, organizations about the latest attacks. Infra Guard is another organization run by the FBI, and a lot of companies like Fortinet and even a lot of other security companies participate in these organizations so everyone can come up to speed and everyone share information. So we all have a fighting chance. >>It's a whole new wave paradigm. You guys on the cutting edge, Derek? Always great to see a mark. Great to meet you remotely looking forward to meeting in person when the world comes back to normal as usual. Thanks for the great insights. Appreciate it. >>All right. Thank God. Pleasure is always >>okay. Q conversation here. I'm John for a host of the Cube. Great insightful conversation around security Ransomware with a great demo. 
Check it out from Derek and, um, are from 14 guard labs. I'm John Ferrier. Thanks for watching.

Published Date : Sep 4 2020

Derek Manky and Aamir Lakhani, FortiGuard Labs | CUBE Conversation, August 2020

>> Announcer: From theCUBE studios in Palo Alto in Boston, connecting with thought leaders all around the world. This is a CUBE conversation. >> Hi everyone. Welcome to this CUBE Conversation. I'm John Furrier host of theCUBE here in the CUBEs, Palo Alto studios during the COVID crisis. We're quarantine with our crew, but we got the remote interviews. Got two great guests here from Fortinet FortiGuard Labs, Derek Mankey, Chief Security Insights and global threat alliances at Fortinet FortiGuard Labs. And Aamir Lakhani who's the Lead Researcher for the FortiGuard Labs. You guys is great to see you. Derek, good to see you again, Aamir, good to meet you too. >> It's been a while and it happens so fast. >> It just seems was just the other day, Derek, we've done a couple of interviews in between a lot of flow coming out of Fortinet FortiGuard, a lot of action, certainly with COVID everyone's pulled back home, the bad actors taking advantage of the situation. The surface areas increased really is the perfect storm for security in terms of action, bad actors are at an all time high, new threats. Here's going on, take us through what you guys are doing. What's your team makeup look like? What are some of the roles and you guys are seeing on your team and how does that transcend to the market? >> Yeah, sure, absolutely. So you're right. I mean like I was saying earlier that is, this always happens fast and furious. We couldn't do this without a world class team at FortiGuard Labs. So we've grown our team now to over 235 globally. There's different rules within the team. If we look 20 years ago, the rules used to be just very pigeonholed into say antivirus analysis, right? Now we have to account for, when we're looking at threats, we have to look at that growing attack surface. We have to look at where are these threats coming from? How frequently are they hitting? What verticals are they hitting? What regions, what are the particular techniques, tactics, procedures? 
So we have threat. This is the world of threat intelligence, of course, contextualizing that information and it takes different skill sets on the backend. And a lot of people don't really realize the behind the scenes, what's happening. And there's a lot of magic happening, not only from what we talked about before in our last conversation from artificial intelligence and machine learning that we do at FortiGuard Labs and automation, but the people. And so today we want to focus on the people and talk about how on the backend we approached a particular threat, we're going to talk to the word ransom and ransomware, look at how we dissect threats, how correlate that, how we use tools in terms of threat hunting as an example, and then how we actually take that to that last mile and make it actionable so that customers are protected. I would share that information with keys, right, until sharing partners. But again, it comes down to the people. We never have enough people in the industry, there's a big shortage as we know, but it's a really key critical element. And we've been building these training programs for over a decade with them FortiGuard Labs. So, you know John, this to me is exactly why I always say, and I'm sure Aamir can share this too, that there's never a adult day in the office and all we hear that all the time. But I think today, all of you is really get an idea of why that is because it's very dynamic and on the backend, there's a lot of things that we're doing to get our hands dirty with this. >> You know the old expression startup plan Silicon Valley is if you're in the arena, that's where the action is. And it's different than sitting in the stands, watching the game. You guys are certainly in that arena and you got, we've talked and we cover your, the threat report that comes out frequently. But for the folks that aren't in the weeds on all the nuances of security, can you kind of give the 101 ransomware, what's going on? 
What's the state of the ransomware situation? Set the stage, because that still continues to be a threat. I don't go a week where I don't read a story about another ransomware. And then at least I hear they paid 10 million in Bitcoin or something like that. I mean, this is real. That's a real ongoing threat. What is it?
>> The (indistinct) quite a bit. But yeah. So I'll give sort of the 101 and then maybe we can pass it to Aamir, who is on the front lines dealing with this every day. You know, if we look at the world of... I mean, first of all, the concept of ransom obviously goes way, way back before cybersecurity, in the world of physical crime. So of course, the world's first ransomware virus is actually called PC Cyborg. This is 1989: a ransom payment that was demanded through a P.O. Box in Panama City at the time. Not too effective, on floppies, a very small audience, not a big attack surface. Didn't hear much about it for years. Really, it was around 2010 when we started to see ransomware becoming prolific. And what cyber criminals did was shift their success from a fake antivirus software model, which was popping up a whole bunch of messages saying, here, your computer's infected with 50 or 60 viruses, pay us and we'll give you an antivirus solution, which was of course fake. People started catching on; the jig was up, people caught on to that. So they weren't making a lot of money selling this fraudulent software. Enter ransomware. And this is where ransomware really started to take hold, because it wasn't optional to pay for this software. It was mandatory, almost, for a lot of people, because they were losing their data. They couldn't reverse engineer the encryption, couldn't decrypt it with any universal tool. Ransomware today is very rigid. We just released our threat report for the first half of 2020. And we've seen things like master boot record, MBR, ransomware. This is persistent.
It sits before your operating system when you boot up your computer, so it's hard to get rid of it. Very strong public-private key cryptography, so each victim is infected with a different key, as an example. The list goes on, and I'll save that for the demo today, but basically, it's just very prolific. We're seeing not only just ransomware attacks for data, we're now starting to see ransom for extortion, for targeted ransom cases that are going after critical business. Essentially it's like a DoS, holding revenue streams for ransom too. So the ransom demands are getting higher because of this as well. So it's complicated.
>> You were mentioning Aamir. Why don't you weigh in? I mean, 10 million is a lot. And we reported earlier this month, Garmin was the company that was hacked. IT got completely locked down. They paid 10 million. Garmin makes all those devices. And as we know, this is impact, and that's real numbers. I mean, it's not other little ones, but for the most part, it's nuance: it's a pain in the butt to full-on business disruption and extortion. Can you explain how it all works before we go to the demo?
>> You know, you're absolutely right. It is a big number, and a lot of organizations are willing to pay that number to get their data back. Essentially their organization and their business is at a complete standstill when they don't pay; all their files are inaccessible to them. Ransomware in general, what it does, from a very basic overview, is it basically makes your files not available to you. They're encrypted. They have essentially a passcode on them, and you have to have the correct passcode to decode them. A lot of times that's in the form of a program or actually a physical password you have to type in, but you don't get that access to get your files back unless you pay the ransom. A lot of corporations these days, they are not only paying the ransom, they're actually negotiating with the criminals as well.
They're trying to say, "Oh, you want 10 million? How about 4 million?" Sometimes that goes on as well. But it's something that organizations know: if they didn't have the proper backups... and the hackers are getting smart, they're trying to go after the backups as well. They're trying to go after your duplicated files. So sometimes you don't have a choice, and organizations will pay the ransom.
>> And they're smart. There's a business. They know the probability of buy versus build, or pay versus rebuild. So they kind of know where to attack. They know the tactics and what's vulnerable. It's not like just some script kiddie thing going on. This is real sophisticated stuff. It's highly targeted. Can you talk about some use cases there and what goes on with that kind of an attack?
>> Absolutely. The cyber criminals are doing reconnaissance and trying to find out as much as they can about their victims. And what happens is they're trying to make sure that they can motivate their victims in the fastest way possible to pay the ransom as well. So there's a lot of attacks going on. What we're finding now is ransomware is sometimes the last stage of an attack. So an attacker may go into an organization. They may already be taking data out of that organization. They may be stealing customer data, PII, which is personally identifiable information, such as social security numbers, or driver's licenses, or credit card information. Once they've done their entire attack, once they've gotten everything they can, a lot of times their end stage, their last attack, is ransomware. And they encrypt all the files on the system and try and motivate the victim to pay as fast as possible and as much as possible as well.
>> I was talking to my buddy the other day. It's like casing the joint: they stake it out, check it out. They do their recon, reconnaissance. They go in, identify what's the best move to make, how to extract the most out of the victim, in this case the target.
And it really is... I mean, just to go on a tangent, why don't we have the right to bear our own arms? Why can't we fight back? I mean, at the end of the day, Derek, this is like, who's protecting me? I mean, do I protect myself, build my own arms, or does the government help us? I mean, at some point I've got a right to bear my own arms here. I mean, this is the whole security paradigm.
>> Yeah. So, I mean, there's a couple of things. So first of all, this is exactly why we do a lot of... I was mentioning the skill shortage in cybersecurity professionals as an example. This is why we do a lot of the heavy lifting on the back end. Obviously from a defensive standpoint, you have the red team, blue team aspect. So first, there's the way to fight back by being defensive as well, too. And also, in the world of threat intelligence, one of the ways that we're fighting back is not necessarily by going and hacking the bad guys, because that's illegal in jurisdictions. But how can we actually find out who these people are, hit them where it hurts, freeze assets, go after money laundering networks? If you follow the cash transactions, where it's happening, this is where we actually work with key law enforcement partners, such as Interpol as an example. This is the world of threat intelligence. This is why we're doing a lot of that intelligence work on the back end. So there's other ways to actually go on the offense without necessarily weaponizing it per se, right? Like bearing your own arms, as you said; there's different forms of that that people may not be aware of. And that actually gets into the world of, if you see attacks happening on your system, how you can use the security tools and collaborate with threat intelligence.
>> I think that's the key. I think the key is these new sharing technologies around collective intelligence is going to be a great way to kind of have more of an offensive collective strike.
But I think fortifying the defense is critical. I mean, there's no other way to do that.
>> Absolutely. I mean, we say this almost every week, but in its simplicity, our goal is always to make it more expensive for the cybercriminal to operate. And there's many ways to do that, right? You can be a pain to them by having a very rigid, hardened defense. That means if it's too much effort on their end... I mean, they have ROIs, in their sense, right? If it's too much effort on their end, they're going to go knocking somewhere else. There's also, as I said, things like disruption, so ripping infrastructure offline that cripples them; whack-a-mole, they're going to set up somewhere else. But then also going after the people themselves, again, the cash networks, these sorts of things. So it's sort of a holistic approach between-
>> It's an arms race. Better AI, better cloud scale always helps. You know, it's a ratchet game. Aamir, I want to get into this video. It's a ransomware four-minute video. I'd like you to take us through, as the Lead Researcher, take us through this video and explain what we're looking at. Let's roll the video.
>> All right. Sure. So what we have here is the victim's desktop over here. We have a couple of things on this victim's desktop. We have a batch file, which is essentially going to run the ransomware. We have the payload, which is the code behind the ransomware. And then we have files in this folder. And this is where you would typically find user files. In a real-world case, this would be like Microsoft Word documents or your PowerPoint presentations. Here we just have a couple of text files that we've set up. We're going to go ahead and run the ransomware. And sometimes attackers, what they do is they disguise this. Like they make it look like an important Word document. They make it look like something else. But once you run the ransomware, you usually get a ransom message.
And in this case, the ransom message says, your files are encrypted. Please pay this money to this Bitcoin address. That obviously is not a real Bitcoin address. Usually they look a little more complicated, but this is our fake Bitcoin address. But you'll see that the files now are encrypted. You cannot access them. They've been changed. And unless you pay the ransom, you don't get the files. Now, as researchers, we see files like this all the time. We see ransomware all the time. So we use a variety of tools: internal tools, custom tools, as well as open source tools. And what you're seeing here is an open source tool. It's called the Cuckoo Sandbox, and it shows us the behavior of the ransomware. What exactly is the ransomware doing? In this case, you can see just clicking on that file launched a couple of different things. It launched basically a command executable, a PowerShell. It launched our Windows shell. And then it did things on the file. You had registry keys, it had network connections, it changed the disk. So that kind of gives us a behind-the-scenes look at all the processes that are happening in the ransomware. And just that one file itself, like I said, does multiple different things. Now, what we want to do as researchers is we want to categorize this ransomware into families. We want to try and determine the actors behind that. So we dump everything we know on a ransomware into central databases. And then we mine these databases. What we're doing here is we're actually using another tool called Maltego, and we use custom tools as well as commercial and open source tools, but this is an open source and commercial tool. What we're doing is we're basically taking the ransomware and we're asking Maltego to look through our database and say, do you see any like files? Or do you see any types of incidences that have similar characteristics?
Because what we want to do is we want to see the relationship between this one ransomware and anything else we may have in our system, because that helps us identify maybe where the ransomware is connecting to, where it's going, other processes that it may be doing. In this case, we can see multiple IP addresses that are connected to it. So we can possibly see multiple infections. We can block different external websites. We can identify a command and control system. We can categorize this to a family, and sometimes we can even categorize this to a threat actor that has claimed responsibility for it. So it's essentially visualizing all the connections and the relationship between one file and everything else we have in our database. And this example, of course, I could put this in multiple ways. We can save these as reports, as PDF-type reports, or usually HTML or other searchable data that we have back in our systems. And then the cool thing about this is this is available to all our products, all our researchers, all our specialty teams. So when we're researching botnets, when we're researching file-based attacks, when we're researching IP reputation, we have a lot of different IOCs, or indicators of compromise, that we can correlate where attacks go through, and maybe even detect new types of attacks as well.
>> So the bottom line is you've got the tools, using a combination of open source and commercial products, to look at the patterns of all ransomware across your observation space. Is that right?
>> Exactly. I showed you a very simple demo. It's not only open source and commercial, but a lot of it is our own custom developed products as well. And when we find something that works, that logic, that technique, we make sure it's built into our own products as well. So our own customers have the ability to detect the same type of threats that we're detecting as well.
At FortiGuard Labs, the intelligence that we acquire, that product of intelligence, is consumed directly by our products.
>> So take me through what's actually going on, what it means for the customer. So FortiGuard Labs, you're looking at all the ransomware, you're seeing the patterns. Are you guys proactively looking? Is it, you guys are researching, you look at something that pops on the radar? I mean, take us through what goes on, and then how does that translate into a customer notification or impact?
>> So, yeah, John, if you look at a typical life cycle of these attacks, there's always proactive and reactive. That's just the way it is in the industry, right? So of course we try to be (indistinct) as we look for some of the solutions we talked about before. And if you look at an incoming threat, first of all, you need visibility. You can't protect or analyze anything that you can't see. So you've got to get your hands on visibility. We call these IOCs, indicators of compromise. So this is usually something like an actual executable file, like the virus or the malware itself. It could be other things that are related to it, like websites that could be hosting the malware as an example. So once we have that seed, we call it a seed, we can do threat hunting from there. So we can analyze that, right? If we have to, if it's a piece of malware or a botnet, we can do analysis on that and discover more malicious things that this is doing. Then we go investigate those malicious things. And it's similar to the world of CSI, right? These different dots that they're connecting, we're doing that at hyperscale. And we do that through these tools that Aamir was talking about. So it's really a life cycle of getting the malware incoming, seeing it first, analyzing it, and then taking action on that. So it's sort of a three-step process. And the action comes down to what Aamir was saying: waterfall that to our customers, so that they're protected.
But then in tandem with that, we're also going further and sharing it, if applicable, to say law enforcement partners, other threat intel sharing partners too. And it's not just humans doing that. So the proactive piece, again, this is where it comes to artificial intelligence, machine learning. There's a lot of cases where we're automatically doing that analysis without humans. So we have AI systems that are analyzing and actually creating protection on their own too. So it's quite interesting that way.
>> So at the end of the day, you want to protect your customers. And so this renders out: if I'm a Fortinet customer across the portfolio, the goal here is to protect them from ransomware, right? That's the end game.
>> Yeah. And that's a very important thing. When you start talking about these big dollar amounts that we were talking about earlier, it comes to the damages that are done from that-
>> Yeah, I mean, not only is it good insurance, it's just good to have that fortification. So Derek, I'm going to ask you about the term "the last mile," because before we came on camera... I'm a bandwidth junkie, always want more bandwidth. So the last mile, it used to be a term for the last mile to the home, where there were telephone lines. Now it's fiber and WiFi. But what does that mean to you guys in security? Does that mean something specific?
>> Yeah, absolutely. The easiest way to describe that is actionable. So one of the challenges in the industry is we live in a very noisy industry when it comes to cybersecurity. What I mean by that is that because of that growing attack surface, and you have these different attack vectors, you have attacks not only coming in from email, but websites, from DoS attacks, there's a lot of volume that's just going to continue to grow in the world of 5G and OT. So what ends up happening is when you look at a lot of security operations centers for customers, as an example, it's very noisy.
You can guarantee almost every day you're going to see some sort of probe, some sort of attack activity that's happening. And so what that means is you get a lot of protection events, a lot of logs. And when you have this worldwide shortage of security professionals, you don't have enough people to process those logs and actually start to say, "Hey, this looks like an attack. I'm going to go investigate it and block it." So this is where the last mile comes in, because a lot of the times these logs, they light up like Christmas. I mean, there's a lot of events that are happening. How do you prioritize that? How do you automatically add action? Because the reality is, if it's just humans doing it, that last mile, going back to your bandwidth terms, there's too much latency. So how do you reduce that latency? That's where the automation, the AI, machine learning comes in to solve that last mile problem, to automatically add that protection. It's especially important because you have to be quicker than the attacker. It's an arms race, like you said earlier.
>> I think what you guys do with FortiGuard Labs is super important, not only for the industry but for society at large, as you have kind of all this shadow, cloak-and-dagger kind of attack systems, whether it's national security, international, or just mafias and racketeering and the bad guys. Can you guys take a minute and explain the role of FortiGuard specifically and why you guys exist? I mean, obviously there's a commercial reason. You're built on Fortinet, that trickles down into the products. That's all good for the customers, I get that. But there's more to FortiGuard than just that. Could you guys talk about this trend in the security business? Because it's very clear that there's a collective sharing culture developing rapidly for societal benefit. Can you take a minute to explain that?
>> Yeah, sure. I'll give you my thoughts. Aamir will add some to that too.
So, from my point of view, I mean, there's various functions. So we've just talked about that last mile problem. That's the commercial aspect. We created, through FortiGuard Labs, FortiGuard services that are dynamic and updated to security products, because you need intelligence products to be able to protect against intelligent attacks. That's just the defense again. Going back to, how can we take that further? I mean, we're not law enforcement ourselves. We know a lot about the bad guys and the actors because of the intelligence work that we do, but we can't go in and prosecute. We can share knowledge and we can train prosecutors, right? This is a big challenge in the industry. A lot of prosecutors don't know how to take cybersecurity cases to court. And because of that, a lot of these cyber criminals reign free, and that's been a big challenge in the industry. So this has been close to my heart. Over 10 years, I've been building a lot of these key relationships between private and public sector, as an example, but also private sector, things like the Cyber Threat Alliance. We're a founding member of the Cyber Threat Alliance. We have over 28 members in that Alliance, and it's about sharing intelligence to level that playing field, because attackers roam freely. What I mean by that is there's no jurisdictions for them. Cyber crime has no borders. They can do a million things wrong and they don't care. We do a million things right, one thing wrong, and it's a challenge. So there's this big collaboration. That's a big part of why FortiGuard exists too: to make the industry better, to work on protocols and automation, and really fight this together while remaining competitors. I mean, we have competitors out there, of course. And so it comes down to that last mile problem. It's like, we can share intelligence within the industry, but intelligence is just intelligence. How do you make it useful and actionable? That's where it comes down to technology integration.
>> Aamir, what's your take on this societal benefit? Because, I would say, for instance, the Sony hack years ago. When you have nation-states, if they put troops on our soil, the government would respond, but yet virtually they're here, and the private sector has to fend for themselves. There's no support. So I think this private-public partnership thing is very relevant. I think it's ground zero of the future build-out of policy, because we pay for freedom. Why don't we have cyber freedom? If we're going to run a business, where is our help from the government? We pay taxes. So again, if a military showed up, you're not going to see companies fighting the foreign enemy, right? So again, this is a whole new changeover. What's your thought?
>> It really is. You have to remember that cyber attacks put everyone on an even playing field, right? I mean, now you don't have to have a country that has invested a lot in weapons development or nuclear weapons or anything like that. Anyone can basically come up to speed on cyber weapons as long as they have an internet connection. So it evens the playing field, which makes it dangerous, I guess, for our enemies. But absolutely, I think a lot of us, from a personal standpoint, a lot of us as researchers have seen organizations fail through cyber attacks. We've seen the frustration. We've seen, besides organizations, we've seen people, just like grandmas, lose their pictures of their loved ones because they've been attacked by ransomware. I think we take it very personally when innocent people get attacked, and we make it our mission to make sure we can do everything we can to protect them. But I will add that, at least here in the U.S., the federal government actually has a lot of partnerships and a lot of programs to help organizations with cyber attacks.
The US-CERT is always continuously updating organizations about the latest attacks, and InfraGard is another organization run by the FBI, and a lot of companies like Fortinet, and even a lot of other security companies, participate in these organizations. So everyone can come up to speed and everyone can share information. So we all have a fighting chance.
>> It's a whole new wave of paradigm. You guys are on the cutting edge. Derek, always great to see you. Aamir, great to meet you remotely. Looking forward to meeting in person when the world comes back to normal, as usual. Thanks for the great insights. Appreciate it.
>> Pleasure as always.
>> Okay. CUBE Conversation here. I'm John Furrier, host of theCUBE. Great insightful conversation around security, ransomware, with a great demo. Check it out, from Derek and Aamir from FortiGuard Labs. I'm John Furrier. Thanks for watching.

Published Date : Aug 13 2020


Renee Tarun, Fortinet & Derek Manky, FortiGuard Labs | CUBEConversation, March 2020


 

(soft music)
>> Narrator: From theCUBE studios in Palo Alto and Boston, connecting with thought leaders all around the world: this is a CUBE Conversation.
>> Everyone, welcome to this special CUBE Conversation. We're here in the Palo Alto studios, where I am, during this critical time, during the coronavirus and this work-at-home current situation across the United States and around the world. We've got a great interview here today around cybersecurity and the threats that are out there, the threats that are changing as a result of the current situation. We've got two great guests: Derek Manky, Chief Security Insights and Global Threat Alliances at FortiGuard Labs, and Renee Tarun, Deputy Chief Information Security Officer with Fortinet. Guys, thanks for remotely coming in. Obviously, we're working remotely. Thanks for joining me today on this really important conversation.
>> It's a pleasure to be here.
>> Thanks for having us.
>> So Renee and Derek. Renee, I want to start with you as Deputy CISO. There's always been threats. Every day is a crazy day. But now more than ever, over the past 30 to 45 days, we've seen a surge in activity with remote workers. Everyone's working at home. It's disrupting families' lives, how people do business. And also they're connected to the internet. So it's an endpoint. It's a (laughs) hackable environment. We've had different conversations with you guys about this. But now more than ever, it's an at-scale problem. What is the impact of the current situation for that problem statement of working at home, at scale? Are there new threats? What's happening?
>> Yeah, I think you're seeing some organizations have always traditionally had that work-at-home ability. But now what you're seeing is entire workforces that are working from home, and now some companies are scrambling to ensure that they have a secure work-at-home for teleworkers at scale.
In addition, some organizations that never had a work-from-home practice are now being forced into that, and so a lot of organizations now are faced with the challenge that employees are now bringing their own device into connecting to their networks, 'cause employees can't bring their workstations home with them. And if they don't have a company laptop, they're of course using their own personal devices. And some personal devices are used by their kids. They're going out to gaming sites that could be impacted with malware. So it creates a lot of different challenges from a security perspective that a lot of organizations aren't necessarily prepared for. It's not only from a security but also from a scalability perspective.
>> When I'm at home working... I came into the studio to do this interview, so I really wanted to talk to you guys. But when I'm at home, this past couple of weeks, my kids are home. My daughter is watching Netflix. My son's gaming, multiplayer gaming. The surface area from a personnel standpoint, or people standpoint, is increased. My wife's working at home. My daughter's there, two daughters. So this is also now a social issue, because there are more people on the WiFi, there's more bandwidth being used. There's more fear. This has been an opportunity for the hackers, this crime of fear, using the current situation. So is it changing how you guys are recommending people protect themselves at home? Or is it just accelerating a core problem that you've seen before?
>> Yeah, so I think it's not changing. It's changing in terms of priority. I mean, all the things that we've talked about before, it's just becoming much more critical, I think, at this point in time. If you look at any histories that we've... lessons we've learned from the past, or haven't learned (laughs). That's something that is just front and center right now. We've seen attack campaigns on any high-level news, anything that's been front and center.
And we've seen successful attack campaigns in the past owing to any sort of high-profile events. We had Olympic Destroyer last Olympic period, when we had them in Korea as an example, in South Korea. We've seen... I can go back 10 years plus and give a history timeline; every single year there's been something dominating the news.
>> John: Yeah.
>> And there's been attack campaigns that are leveraged on that. Obviously this is a much higher focus now given the global news domination that's happening with COVID, the heightened fear and anxiety. Just the other day at FortiGuard Labs, we pulled up over 600 different phishing emails and scam attempts for COVID-19. And we're actively poring through those. I expect that number to increase. Everybody is trying to hop on this bandwagon. I was just talking to our teams from the labs today. Groups that we haven't seen active since about 2011, 2012, malware campaign authors, they're riding this bandwagon right now as well. So it's really a suction, if you will, for these cyber criminals. So all of the things that we recommended in the past: obviously being vigilant, looking at those links coming in. Obviously, there's a lot of impersonators. There's a lot of spoofing out there. People pretending to be the World Health Organization. We wrote a blog on this a couple of weeks back. People have to have this zero trust mentality coming in. Is everyone trying to ride on this? Especially on social networks, on emails. Even phishing and voice phishing, vishing. So the voice phishing. People have to put more of a safeguard up. Not only for their personal health, like everyone's doing the social distancing, but also virtual (laughs) social distancing when it comes to really trusting who's trying to send you these links.
>> Well, I'm glad you guys have the FortiGuard Labs there. And I think folks watching should check it out and keep sending us that data. I think watching the data is critical.
Everyone's watching the data. They want the real data. You brought up a good point, Renee. I want to get your thoughts on this because the at-scale thing really gets my attention, because there's more people at home, as I mentioned, from a social construct standpoint. Work at home is opening up new challenges for companies that haven't been prepared. Even though ones that are prepared have known at scale. So you have a spectrum of challenges. The social engineering is the big thing on phishing. You're seeing all kinds of heightened awareness. It is a crime of opportunity for hackers. Like Derek just pointed out. What's your advice? What's your vision of what's happening? How do you see it evolving? And what can people do to protect themselves? What's the key threats? And what steps are people taking?
>> Yeah, I think, like Derek said, kind of similar how in the physical world we're washing our hands. We're keeping 6 feet away from people. We could distance from our adversaries as well. Again, when you're looking at your emails, ensuring that you're only opening attachments from people that you know. Hovering over the links to ensure that they are from legitimate sources. And being mindful that when you're seeing these types of attacks coming in, whether they are coming through emails, through your phones, take a moment and pause and think about: would someone be contacting me through my cell phone? Through sending me a text message? Or emails asking me for personal information? Asking me for user IDs and passwords, credentials and information. So you kind of need to take that second and really think before you start taking actions. And similar to opening attachments, we've seen a lot of cases where someone attaches a PDF file to an email, but when you open up the PDF it's actually malware. So you need to be careful and think to yourself, was I expecting this attachment? Do I know the person?
And take steps to actually follow up and call that person directly and say, "Hey, did you really send this to me? Is this legitimate?"
>> And the thing--
>> You got to be careful what you're opening up. Which links you click on. But while I got you here, I want to get your opinion on this because there's digital attacks and then there's phone-based attacks. We all have mobile phones. I know this might be a little bit too elementary, but I do want to get it out there. Can you define the difference in phishing and spear phishing for the folks that are trying to understand the difference in phishing and spear phishing techniques?
>> The main difference is spear phishing is really targeting a specific individual, or within a specific role within a company. For example, targeting like the CEO or the CFO. So those are attacks that are specifically targeting a specific individual or specific role. Whereas phishing emails are targeting just mass people regardless of their roles and responsibilities.
>> So I'm reading the blog post that you guys put out. Which I think everyone... I'll put the link on SiliconANGLE later. But it's on fortinet.com. Under digital attacks you've got the phishing and spear phishing, which is general targeting an email or individually spear phishing someone specifically. But you guys list social media deception, pretexting and water holing as the key areas. Is that just based on statistics? Or just the techniques that people are using? Can you guys comment on and react to those different techniques?
>> Yeah, so I think with the water holing specifically as well. The water holing attack refers to people that every day as part of their routine going to some sort of, usually a news source. It could be their favorite sites, social media, etc. Those sorts of sources, because it's expected for people to go and drink from a water hole, are prime targets to these attackers.
They can be definitely used for spear phishing but also for the masses for these phishing campaigns. Those are more effective. Attackers like to cast a wide net. And it's especially effective if you think of the climate that's happening right now, like you said earlier at the start of this conversation. That expanded attack surface. And also the usage of bandwidth and more platforms now, applications. There's more traffic going to these sites, simply. People have more time at home through telework to virtually go to these sites. And so, yeah. Usually what we see in these water holing attacks can be definitely phishing sites that are set up on these pages. 'Cause they might have been compromised. So this is something even for people who are hosting these websites, right? There's always two sides of the coin. You've got your client-side security and your server-side security--
>> So spear phishing is targeting an individual, water holing is the net that gets a lot of people and then they go from there. Can you guys, Renee or Derek, talk about social media deception and pretexting? These are other techniques as well that are popular. Can you guys comment and define those?
>> Yeah, so some of the pretexting that you're saying is what's happening is adversaries are either sending text, trying to get people to click on links, go to malicious sites. And they're also going and setting up these fabricated stories and they're trying to call, acting like they're a legitimate source. And again, trying to use tactics and a lot of times scare tactics. Trying to get people to divulge information, personal information. Credit card numbers, social security numbers, user IDs and passwords to gain access to either--
>> So misinformation campaigns would be an example that like, "I got a COVID virus vaccine, put your credit card down now and get on the mailing list." Was that kind of the general gist there?
>> Absolutely.
>> Okay.
>> And we've also seen, as another example, and this was in one of our blogs I think about a couple weeks ago, some of the first waves of these attacks that we saw was also again impersonating to be the World Health Organization as part of pretexting. Saying that there's important alerts and updates that these readers must read in their regions, but they're of course malicious documents that are attached.
>> Yeah, how do people just get educated on this? This is really challenging because if you're a nerd like us you can know what a URL looks like. And you can tell it's a host server or host name, it's not real. But when they're embedded in these social networks, how do you know? What's the big challenge? Just education and kind of awareness?
>> Yeah, so I'll just jump in quickly on that. From my point of view, it's the whole ecosystem, right? There's no just one silver bullet. Education, cyber hygiene for sure. But beyond that obviously, this is where the security solutions pop in. So having that layered defense, right? That goes a long way, everything from anti-spam to antivirus, to be able to scan those malicious attachments. Endpoint security. Especially now in the telework force that we're dealing with, having managed endpoint security from a distributed enterprise angle is very important because all of these workstations that were within the corporate network before are now roaming--quote unquote--roaming or from home. So it's a multi-pronged approach, really. But education is of course a very good line of defense for our employees. And I think updated education on a weekly basis.
>> Okay, before we get to the remote action steps, 'cause I think the remote workers at scale is like the critical problem that we're seeing now, I want to just close out this attack social engineering thing. There's also phone-based attacks. We all have mobile phones, right? So we use such smartphones. There's other techniques in that.
What are the techniques for the phone-based attacks?
>> Yeah, a lot of times you'll see adversaries, they're spoofing other phones. So what happens is that when you receive a call or a text it looks like it's coming from a number in your local area. So a lot of times that kind of gives you a false sense of security, thinking that it is a legitimate call when in reality they're simply just spoofing the number. And it's really coming from somewhere else in the country or somewhere else in the world.
>> So I get a call from Apple support and it's not Apple support. They don't have a callback, that's spoofing?
>> That's one way but also the number itself. When you see the number coming in. For example, I'm in the 410 area code. Emails coming in from my area code with my exchange is another example where it looks like it's someone that's either a close friend or someone within my community when in reality, it's not.
>> And at the end of the day too, the biggest red flags for these attacks are unsolicited information, right? If they're asking for any information, always, always treat that as a red flag. We've seen this in the past. Just as an example with call centers, hotels too. Hackers have had access right to the switchboards to call guest rooms and say that there's a problem at the front desk and they just want to register the user's information, and they asked for credit card guest information to confirm all sorts of things. So again, anytime information is asked for, always think twice. Try to verify. Callback numbers are a great thing. Same thing in social media if someone's messaging you, right? Try to engage in that dialogue conversation, verify their identity.
>> So you got--
>> That's also another good example of social media, is another form of social engineering attacks is where people are creating profiles in, say for example, LinkedIn.
And they're acting like they're either someone from your company or a former colleague or friend as another way to try and make that human-to-human connection in order to do malicious things.
>> Well, we've discussed with you guys in the past around LinkedIn as a feeding ground for spear phishing because, "Hey, here, don't tell your boss but here's a PDF job opening paying huge salary. You're qualified." Of course I'm going to look at that, right? So and a lot of that goes on. We see that happen a lot. I want to get your thoughts, Renee, on the vishing and phishing. Smishing is the legitimate source spoofing and vishing is the cloaking or spoofing, right?
>> Yeah, smishing is really the text-based attacks that you're seeing through your phones. Vishing is using more of a combination of someone that is using a phone-based attack but also creating a fake profile, creating a persona. A fabricated story that's ultimately fake but believable. And to try and encourage you to provide information, sensitive information.
>> Well, I really appreciate you guys coming on and talking about the attackers trying to take advantage of the current situation. The remote workers, again, this is the big at-scale thing. What are the steps that people can take, companies can take to protect themselves from the at-scale remote worker situation that could be going on for quite some time now?
>> Yeah. So again, at that scale with people in this new normal, as we call it, teleworking. Being at scale is... Everyone has to do their part. So I would recommend, A, from an IT standpoint, keeping all employees virtually in the loop. So weekly updates from security teams. The cyber hygiene practice, especially patch management, is critically important too, right? You have a lot of these other devices connected to networks, like you said. IoT devices, all these things that are all prime attack targets. So keeping all the things that we've talked about before, like patch management.
Be vigilant on that from an end user perspective. I think especially putting into the employees that they have to be aware that they are highly at risk for this. And I think there has to be... We talked about changes earlier. In terms of mentality, education, cyber hygiene, that doesn't change. But I think the way that this isn't forced now, that starts with the change, right? That's a big focus point, especially from an IT security standpoint.
>> Well, Derek, keep that stat and keep those stats coming in to us. We are very interested. You got the insight. You're the chief of the insights and the global threat. You guys do a great job at FortiGuard Labs. That's phenomenal. Renee, I'd like you to have the final word on the segment here and we can get back to our remote working and living. What is going on in the mind of the CISO right now? Because again, a lot of people are concerned. They don't know how long it's going to last. Certainly we're now in a new normal. Whatever happens going forward as a post-pandemic world, what's going on in the mind of the CISO right now? What are they thinking? What are they planning for? What's going on?
>> Yeah, I think there's a lot of uncertainty. And I think the remote teleworking, again, making sure that employees have secure remote access that can scale. I think that's going to be on the forefront. But again, making sure that people connecting remotely don't end up introducing additional potential vulnerabilities into your network. And again, just keeping aware. Working closely with the IT teams to ensure that we keep our workforces updated and trained and continue to be vigilant with our monitoring capabilities as well as ensuring that we're prepared for potential attacks.
>> Well, I appreciate your insights, folks, here. This is great. Renee and Derek, thanks for coming on. We want to bring you back in when we should do a digital event here in the studio and get the data out there. People are interested.
People are making changes. Maybe this could be a good thing. Make some lemonade out of the lemons that are in the industry right now. So thank you for taking the time to share what's going on in the cyber risks. Thank you.
>> Thank you, we'll keep those stats coming.
>> Okay, CUBE conversation here in Palo Alto with the remote guests. That's what we're doing now. We are working remotely with all of our CUBE interviews. Thanks for watching. I'm John Furrier, co-host to theCUBE. (soft music)

Published Date : Mar 27 2020


Derek Manky, FortiGuard Labs | RSAC USA 2020

>> Narrator: Live from San Francisco. It's theCUBE, covering RSA Conference 2020, San Francisco. Brought to you by SiliconANGLE Media.
>> Welcome back everyone. CUBE coverage here in Moscone in San Francisco for RSA 2020. I'm John Furrier, host of theCUBE. We've got a great guest here talking about cybersecurity and the impact with AI and the role of data. It's always great to have Derek Manky on, Chief Security Insights, Global Threat Alliances with FortiGuard Labs, part of Fortinet. FortiGuard Labs is great. Great organization. Thanks for coming on.
>> It's a pleasure always to be here--
>> So you guys do a great threat report that we always cover. So it covers all the bases and it really kind of illustrates state of the art of viruses, the protection, threats, et cetera. But you're part of FortiGuard Labs.
>> Yeah, that's right.
>> Part of Fortinet, which is a security company, public. What is FortiGuard Labs? What do you guys do, what's your mission?
>> So FortiGuard Labs has existed since day one. You can think of us as the intelligence that's baked into the product. It's one thing to have a world-class product, but you need a world-class intelligence team backing that up. We're the ones fighting those fires against cybercrime on the backend, 24/7, 365, on a per-second basis. We're processing threat intelligence. We've got over 10 million attacks we're processing just per minute, over a hundred billion events in any given day that we have to sift through. We have to find out what's relevant. We have to find gaps that we might be missing in detection and protection. We've got to push that out to a customer base of 450,000 customers through FortiGuard services and 5 million firewalls, 5 million plus firewalls we have now. So it's vitally important. You need intelligence to be able to detect and then protect and also to respond. Know the enemy, build a security solution around that and then also be able to act quickly about it if you are under active attack.
So we're doing everything from creating security controls and protections, so up to real-time updates for customers, but we're also doing playbooks. So finding out who these attackers are, why are they coming up to you. For a CSO, why does that matter? So this is all part of FortiGuard Labs.
>> How many people roughly involved? Take us a little inside the curtain here. What's going on? Personnel size, scope.
>> So we're over 235. So for a network security vendor, this was the largest global SOC that exists. Again, this is behind the curtain, like you said. These are the people that are fighting those fires every day. But it's a large team and we have experts to cover the entire attack surface. So we're looking at not just viruses, but we're looking at zero-day weapons, exploits and attacks, everything from cyber crime to cyber warfare, operational technology, all these sorts of things. And of course, to do that, we need to really heavily rely on good people, but also automation and artificial intelligence and machine learning.
>> You guys are walking on a tightrope there. I can only imagine how complex and stressful it is, just imagining the velocity alone. But one of the trends that's coming up here this year at RSA, and is kind of been talked about in the industry, is the who? Who is the attacker? Because the shifts could shift and change. You got nation states sitting out there, they're not going to have their hands dirty on this stuff. You've got a lot of dark web activity. You've got a lot of actors out there that go by different patterns. But you guys have an aperture and visibility into a lot of this stuff.
>> Absolutely.
>> So, you can almost say, that's that guy. That's the actor. That's a really big part. Talk about why that's important.
>> This is critically important because in the past, let's say the first generation of threat intelligence was very flat. It was to watch.
So it was just talking about here's a bad IP, here's a bad URL, here's a bad file block hit. But nowadays, obviously the attackers are very clever. These are large organizations that are run, a lot of people involved. There's real world damages happening, and we're talking about, you look at OT attacks that are happening now. There's, in some cases, $30, $40 million from targeted ransom attacks that are happening. These people, A, have to be brought to justice. So we need to understand the who, but we also need to be able to predict what their next move is. This is very similar to, this is what you see online or CSI. The police trying to investigate and connect the dots, like plotting the strings and the yarn on the map. This is the same thing we're doing, but on a way more advanced level. And it's very important to be able to understand who these groups are, what tools they use, what are the weapons, cyber weapons, if you will, and what's their next move potentially going to be. So there's a lot of different reasons that's important.
>> Derek, I was riffing with another guest earlier today about this notion of government protection. You've got military troops drop on our shores and my neighborhood, the Russians drop in my neighborhood. Guess what, the police will probably come in, and, or the army should take care of it. But if I got to run a business, I got to build my own militia. There's no support out there. The government's not going to support me. I'm hacked. Damage is done. You guys are in a way providing that critical lifeline, that guard or shield, if you will, for customers. And they're going to want more of it. So I've got to ask you the hard question, which is, how are you guys going to constantly be on the front edge of all this? Because at the end of the day, you're in the protection business. Threats are coming at the speed of milliseconds and nanoseconds, in memory. You need memory, you need database. You've got to have real time.
It's a tsunami of attack. You guys are the front lines of this. You're the heat shield.
>> Yes, absolutely.
>> How do you take it to the next level?
>> Yeah, so collaboration, integration, having a broad integrated platform, that's our bread and butter. This is what we do. End-to-end security. The attack surface is growing. So we have to be able to, A, be able to cover all aspects of that attack surface and again, have intelligence. So we're doing sharing through partners. We have our core intelligence network. Like I said, we're relying heavily on machine learning models. We're able to find that needle in the haystack. Like, as I said earlier, we're getting over a hundred billion potential threat events a day. We have to dissect that. We have to break it down. We have to say, is this affecting endpoint? Is this affecting operational technology? What vertical, how do we process it? How do we verify that this is a real threat? And then most importantly, get that out in time and speed to our customers. So I started with automation years ago, but now really the way that we're doing this is through broad platform coverage. But also machine learning models for and--
>> I want to dig into machine learning because I love that needle in the haystack analogy, because if you take that to the next step, you got a stack of needles now. So you find the needle in the haystack. Now you got a bunch of needles, where do you find that? You need AI, you got to have some help. But you still got the human component. So talk about how you guys are advising customers on how you're using machine learning and get that AI up and running for customers and for yourselves.
>> So we're technology people. I always look at this as the stack. The stack model, the bottom of the stack, you have automation. You have layer one, layer two. That's like the basic things for feeds, threat feeds, how we can push out, automate, integrate that. Then you have the human. So the layer seven.
This is where our human experts are coming in to actually advise our customers. We're creating threat signals with FortiGuard Labs as an example. These are bulletins, a quick two to three page read that a CSO can pick up and say, here's what FortiGuard Labs has discovered this week. Is this relevant to my network? Do I have these protections in place? There's also that automated, and so, I refer to this as a centaur model. It's half human, half machine, and the machines are driving a lot of that, the day-to-day mundane tasks, if you will, but also finding, collecting the needles of needles. But then ultimately we have our humans that are processing that, analyzing it, creating the higher level strategic advice. We recently, we've launched a FortiAI product as well. This has a concept of a virtual--
>> Hold on, back up a second. What's it called?
>> FortiAI.
>> So it's AI components. Is it a hardware box or--
>> This is an on-premise appliance built off of five plus years of learning that we've done in the cloud to be able to identify threats and malware, understand what that malware does to a detailed level. And where we've seen this before, where is it potentially going? How do we protect against it? Something that typically you would need four to five headcount in your security operations center to do, we're using this as an assist to us. So that's why it's a virtual analyst. It's really a bot, if you will, something that can actually--
>> So it's an enabling opportunity for the customers. So is this virtual assistant built into the box? What does that do, virtual analyst?
>> So the virtual analyst is able to sit on premises. So it's localized learning, collect threats to understand the nature of those threats, to be able to look at the needles of the needles, if you will, make sense of that and then automatically generate reports based off of that.
So it's really an assist tool that a network admin or a security analyst is able to pick up and virtually save hours and hours of time of resources.
>> So, if you look at the history of, like, our technology industry from a personalization standpoint, AI and data, whether you're a media business, personalization is ultimately the result of good data AI. So personalization for an analyst would be how not to screw up their job. (laughs) One level. The other one is to be proactive on being more offensive. And then third, collaboration with others. So, you're starting to see that kind of picture form. What's your reaction to that?
>> I think it's great. There's stepping stones that we have to go through. The collaboration is not always easy. I'm very familiar with this. I mean I was with the Cyber Threat Alliance since day one, I head up and work with our Global Threat Alliances. There's always good intentions, there's problems that can be created and obviously you have things like PII now and data privacy and all these little hurdles they have to come over. But when it works right together, this is the way to do it. It's the same thing with, you talked about the data. Naturally when you started building up IT stacks, you have silos of data, but ultimately those silos need to be connected from different departments. They need to integrate and collaborate. It's the same thing that we're seeing from the security front now as well.
>> You guys have proven the model of FortiGuard that the more you can see, the more visibility you can see and more access to the data in real time or anytime scale, the better the opportunity. So I got to take that to the next level. What you guys are doing, congratulations. But now the customer. How do I team up with, if I'm a customer, with other customers? Because the bad guys are teaming up. So the teaming up is now a real dynamic that companies are deploying. How are you guys looking at that? How is FortiGuard helping that? Is it through services?
Is it through the products like virtual assistant? Virtual FortiAI?
>> So you can think of this. I always make it an analogy to the human immune system. Artificial neural networks are built off of neural nets. If I have a problem and an infection, say on one hand, the rest of the body should be aware of that. That's collaboration from node to node. Blood cells to blood cells, if you will. It's the same thing with employees. If a network admin sees a potential problem, they should be able to go and talk to the security admin, who can go in, log into an appliance and create a proper response to that. This is what we're doing in the security fabric to empower the customer. So the customer doesn't have to always do this and have the humans actively doing those cycles. I mean, this is the integration. The orchestration is the big piece of what we're doing. So security orchestration between devices, that's taking that gap out from the human to human, walking over with a piece of paper to another or whatever it is. That's one of the key points that we're doing within the actual security fabric.
>> So that's why silos are problematic. Because you can't get that impact.
>> And it also creates a lag time. We have a need for speed nowadays. Threats are moving incredibly fast. I think we've talked about this on previous episodes with swarm technology, offensive automation, the weaponization of artificial intelligence. So it becomes critically important to have that quick response, and silos really create barriers, of course, and make it slower to respond.
>> Okay Derek, so I got to ask you, it's kind of like, I don't want to say it sounds like sports, but what's the state of the art in the attack vectors coming in? What are you guys seeing as some of the best of breed attacks that people should really be paying attention to? They may, may not have fortified down. What are SOCs looking at and what are security pros focused on right now in terms of the state of the art?
>> So the things that keep people up at night. We follow this in our Threat Landscape Report. Obviously we just released our Q4 one with FortiGuard Labs. We're still seeing the same culprits. This is the same story we talked about a lot of times. Things like, it used to be EternalBlue and now BlueKeep, these vulnerabilities that are nothing new but still pose big problems. We're still seeing that exposed on a lot of networks. Targeted ransom attacks, as I was saying earlier. We've seen the shift or evolution from ransomware from day to day, like, pay us $300 or $400, we'll give you access to your data back, to going after targeted accounts, high revenue business streams. So, low volume, high risk. That's the trend that we're starting to see as well. And this is what I talk about for trying to find that needle in the haystack. This is again why it's important to have eyes on that.
>> Well you guys are really advanced and you guys are doing great work, so congratulations. I got to ask you, kind of like, the spectrum of IT. You've got a lot of people in the high end, financial services, healthcare, they're regulated, they got all kinds of challenges. But as IT and the enterprise starts to get woke to the fact that everyone's vulnerable. I've heard people say, well, I'm good. I got a small little to manage, I'm only a hundred million dollar business. All I do is manufacturing. I don't really have any IP. So what are they going to steal? So that's kind of a naive approach. The answer is, what? Your operations and ransomware, there's a zillion ways to get taken down. How do you respond to that?
>> Yeah, absolutely. Going after the crown jewels, what hurts? So it might not be a patent or intellectual property. Again, the things that matter to these businesses, how they operate day to day. The obvious examples, what we just talked about with revenue streams, and then there's other indirect problems too.
Obviously, if that infrastructure of a legitimate organization is taken over and it's used as a botnet and an orchestrated denial-of-service attack to take down other organizations, that's going to have huge implications. >> And they won't even know it. >> Right, in terms of brand damage, has legal implications as well that happened. This is going even down to the basics with consumers, thinking that, they're not under attack, but at the end of the day, what matters to them is their identity. Identity theft. But this is on another level when it comes to things to-- >> There's all kinds of things to deal with. There's, so much more advanced on the attacker side. All right, so I got to ask you a final question. I'm a business. You're a pro. You guys are doing great work. What do I do, what's my strategy? How would you advise me? How do I get my act together? I'm working the mall every day. I'm trying my best. I'm peddling as fast as I can. I'm overloaded. What do I do? How do I go the next step? >> So look for security solutions that are the assist model like I said. There's never ever going to be a universal silver bullet to security. We all know this. But there are a lot of things that can help up to that 90%, 95% secure. So depending on the nature of the threats, having a first detection first, that's always the most important. See what's on your network. This is things where SIM technology, sandboxing technology has really come into play. Once you have those detections, how can you actually take action? So look for a integration. Really have a look at your security solutions to see if you have the integration piece. Orchestration and integration is next after detection. Finally from there having a proper channel, are there services you looked at for managed incident response as an example. Education and cyber hygiene are always key. These are free things that I push on everybody. I mean we release weekly threat intelligence briefs. 
We're doing our quarterly Threat Landscape Reports. We have something called threat signals. So it's FortiGuard response to breaking industry events. I think that's key-- >> Hygiene seems to come up over and over as the, that's the foundational bedrock of security. >> And then, as I said, ultimately, where we're heading with this is the AI solution model. And so that's something, again that I think-- >> One final question since it's just popped into my head. I wanted, and that last one. But I wanted to bring it up since you kind of were, we're getting at it. I know you guys are very sensitive to this one topic cause you live it every day. But the notion of time and time elapsed is a huge concern because you got to know, it's not if it's when. So the factor of time is a huge variable in all kinds of impact. Positive and negative. How do you talk about time and the notion of time elapsing. >> That's great question. So there's many ways to stage that. I'll try to simplify it. So number one, if we're talking about breaches, time is money. So the dwell time. The longer that a threat sits on a network and it's not cleaned up, the more damage is going to be done. And we think of the ransom attacks, denial-of-service, revenue streams being down. So that's the incident response problem. So time is very important to detect and respond. So that's one aspect of that. The other aspect of time is with machine learning as well. This is something that people don't always think about. They think that, artificial intelligence solutions can be popped up overnight and within a couple of weeks they're going to be accurate. It's not the case. Machines learn like humans too. It takes time to do that. It takes processing power. Anybody can get that nowadays, data, most people can get that. But time is critical to that. It's a fascinating conversation. There's many different avenues of time that we can talk about. Time to detect is also really important as well, again. 
>> Let's do it, let's do a whole segment on that, in our studio, I'll follow up on that. I think it's a huge topic, I hear about all the time. And since it's a little bit elusive, but it kind of focuses your energy on, wait, what's going on here? I'm not reacting. (laughs) Time's a huge issue. >> I refer to it as a latency. I mean, latency is a key issue in cybersecurity, just like it is in the stock exchange. >> I mean, one of the things I've been talking about with folks here, just kind of in fun conversation is, don't be playing defense all the time. If you have a good time latency, you going to actually be a little bit offensive. Why not take a little bit more offense. Why play defense the whole time. So again, you're starting to see this kind of mentality not being, just an IT, we've got to cover, okay, respond, no, hold on the ballgame. >> That comes back to the sports analogy again. >> Got to have a good offense. They must cross offense. Derek, thanks so much. Quick plug for you, FortiGuard, share with the folks what you guys are up to, what's new, what's the plug. >> So FortiGuard Labs, so we're continuing to expand. Obviously we're focused on, as I said, adding all of the customer protection first and foremost. But beyond that, we're doing great things in industry. So we're working actively with law enforcement, with Interpol, Cyber Threat Alliance, with The World Economic Forum and the Center for Cyber Security. There's a lot more of these collaboration, key stakeholders. You talked about the human to human before. We're really setting the pioneering of setting that world stage. I think that is, so, it's really exciting to me. It's a lot of good industry initiatives. I think it's impactful. We're going to see an impact. The whole goal is we're trying to slow the offense down, the offense being the cyber criminals. So there's more coming on that end. You're going to see a lot great, follow our blogs at fortinet.com and all-- >> Great stuff. 
>> great reports. >> I'm a huge believer in that the government can't protect us digitally. There's going to be protection, heat shields out there. You guys are doing a good job. It's only going to be more important than ever before. So, congratulations. >> Thank you. >> Thanks for coming I really appreciate. >> Never a dull day as we say. >> All right, it's theCUBE's coverage here in San Francisco for RSA 2020. I'm John Furrier, your host. Thanks for watching. (upbeat music)

Published Date : Feb 27 2020

Derek Manky, Fortinet | CUBEConversation, November 2019


 

>> [Narrator] From our studios in the heart of Silicon Valley, Palo Alto, California, this is a CUBE conversation.
>> Hello and welcome to theCUBE studios in Palo Alto, California for another CUBE conversation, where we go in-depth with thought leaders driving innovation across the tech industry. I'm your host, Peter Burris. Almost everybody's heard of the term black hat and white hat, and it constitutes groups of individuals that are either attacking or defending security challenges. It's been an arms race for the past 10, 20, 30 years as the world has become more digital, and an arms race that many of us are concerned that black hats appear to have the upper hand. But there's new developments in technology and new classes of tooling that are actually racing to the aid of white hats and could very well upset that equilibrium in favor of the white hats. To have that conversation about the ascension of the white hats, we're joined by Derek Manky, who's chief security insights and global threat alliances lead at Fortinet. Derek, thanks for joining us for another CUBE conversation.
>> It's always a pleasure speaking, yeah.
>> All right, Derek, let's start. What's going on at FortiGuard Labs at Fortinet?
>> So 2019, we've seen a ton of development, a lot pretty much on track with our predictions when we talked last year. Obviously a big increase in volume thanks to offensive automation. We're also seeing low volume attacks that are disrupting big business models. I'm talking about targeted ransom attacks, right? You know, criminals that are able to get into networks, cause millions of dollars of damages thanks to critical revenue streams being out. Usually in the public sector we've seen a lot of this. We've seen a rise in sophistication. The adversaries are not slowing down. AETs, advanced evasion techniques, are on the rise. And so, you know, to do this, and for FortiGuard Labs to be able to track this and map this, we're not just relying on blogs anymore and, you know, 40, 50 page white papers. So we're actually looking at playbooks now, mapping the adversaries, understanding their tools, techniques, procedures, how they're operating, why they're operating, who are they hitting on, and what might be their next move. So that's a big development on the intelligence side here.
>> All right, so I mentioned upfront this notion that the white hats may be ascending. I'm implying a prediction here. Tell us a little bit about what we see on the horizon for that concept of the white hats ascending, and specifically why is there reason to be optimistic?
>> Yeah, so it's been gloomy for decades, like you said, and for many reasons, right? And I think those reasons are no secrets. I mean, cyber criminals and black hats have always been able to move, you know, with agility, right? Crime has no borders. It's often a slap on the wrist that they get. They can do a million things, they don't care. There's no ethics and quite frankly no rules, right? On the white hat side, we've always had rules binding us. We've had to take due care and we've had to move methodically, which slows us down. So a lot of that comes in place because of frameworks, because of technology as well, having to move after it and be able to do it with frameworks, so specifically with, you know, making corrective action and things like that. So those are the challenges that we face against. But, you know, thinking ahead to 2020, particularly with the use of artificial intelligence, everybody talks about AI. You know, it's impacted our daily lives. But when it comes to cybersecurity on the white hat side, you know, a proper AI and machine learning model takes time. It can take you years, in fact, in our case, in our experience, about four to five years before we can actually roll it out to production. But the good news is that we have been investing, and when I say we I'm just talking to the industry in general, we've been investing into this technology because quite frankly we've had to. It takes a lot of data, it takes a lot of smart minds, a lot of investment, a lot of processing power, and that foundation has now been set over the last five years. If we look at the black hats, it's not the case. And why? Because they've been enjoying living off the land on a low-hanging fruit path of least resistance, because they've been able to.
>> So one of the things that's changing that equilibrium then is the availability of AI. As you said, it could take four or five years to get to a point where we've actually got useful AI that can have an impact. I guess that means that we've been working on these things for four or five years. What's the state of the art with AI as it pertains to security, and are we seeing different phases of development start to emerge as we gain more experience with these technologies?
>> Yeah, absolutely, and it's quite exciting, right? AI isn't this universal brain that solves all the world's problems that everyone thinks it might, right? It's very specific. It relies on machine learning models. Each machine learning model is very specific to its task, right? I mean, you know, voice learning technology versus autonomous vehicle driving versus cybersecurity, it's very different when it comes to its purposes. So in essence, the way I look at it, you know, there's three generations of AI. We have generation 1, which was the past, generation 2, which is the current, where we are now, and generation 3 is where we're going. So generation 1 was pretty simple, right? It was just a central processing, little machine learning model that'll take in data, they'll correlate that data and then take action based off of it. Some simple inputs, simple output, right? Generation 2, where we're currently sitting, is more advanced, looking at pattern recognition, more advanced inputs, or distributed models where we have, you know, sensors lying around networks, I'm talking about even IoT devices, security appliances and so forth, but still report up to this centralized brain that's learning and acting on things. But where things get really interesting moving forward in 2020 gets into this third generation, where you have, especially, you know, moving towards edge computing, where you have localized learning nodes that are actually processing and learning. So you can think of them as these mini brains. Instead of having this monolithic centralized brain, you have individual learning nodes, individual brains doing their own machine learning, that are actually connected to each other, learning from each other, speaking to each other. It's a very powerful model. We actually refer to this as federated machine learning in our industry.
>> So we've been, first phase, we simply use statistics to correlate events, take action. Now we're doing exceptions, pattern recognition, or exceptions and building patterns. And in the future we're going to be able to further distribute that, so that increasingly the AI is going to work with other AI so that the aggregate, this federated aggregate, gets better. I got that right?
>> Yeah, absolutely.
>> And what's the advantage of that?
>> A couple of things. It's very similar to the human immune system, right? I mean, if you have, you know, if I were to cut my finger on my hand, what's gonna happen? Well, localized white blood cells, localized, not nothing from a foreign entity or further away in my body, are gonna come to the rescue and start healing, right? It's the same idea. It's because it's interconnected within the nervous system. It's the same idea of this federated machine learning, right? If a security appliance is to detect a threat locally on-site, it's able to alert other security appliances so that they can actually take action on this and learn from that as well. So connected machine learning models. It means that, you know, by properly implementing these AI, this federated AI machine learning models, in an organization, that system is able to actually, in an autonomous way, pick up what that threat is, be able to act on that threat, which means it's able to respond to these threats quicker, shut them down to the point where it can be, you know, virtually instantaneous, right, before you know that the damage is done and bleeding starts happening.
>> So the common baseline is constantly getting better, even as we're giving opportunities for local managers to perform the work in response to local conditions. So that takes us to the next notion. We've got this federated AI on the horizon. How is the role of people, security professionals, going to change? What kind of recipes are they going to follow to ensure that they are working in a maximally productive way with these new capabilities, these new federated capabilities, especially as we think about the introduction of 5G and greater density of devices and faster speeds and lower latencies?
>> Yeah, so you know, the world of cybersecurity has always been incredibly complex. So we're trying to simplify that, and that's where again this federated machine learning comes into place, particularly with playbooks. So you know, if we look at 2019 and where we're going in 2020, we've put a lot of groundwork, quite frankly, into pioneering the work of playbooks, right? So when I say playbooks I'm talking about adversaries' playbooks, knowing the offense, knowing the tools, techniques, procedures, the way that these cybercrime operations are moving, right, and the black hats are moving. The more that we can understand that, the more we can predict their next move. And that centralized language, right, once you know that offense, we can start to create automated blue team playbooks, so defensive playbooks, that a human, that a security technology can automatically integrate and respond to. But getting back to your question, we can actually create human-readable CISO guides that can actually say, look, there's a threat, here's why it's a problem, here are the gaps in your security that we've identified, here's a recommended course of action, right? So that's where the humans and the machines are really going to be working together, and quite frankly moving at speed, being able to do that at a machine level, but also being able to simplify a complex landscape. That is where we can actually gain traction, right? This is part of that ascendancy of the white hat, because it's allowing us to move in a more agile nature. It's allowing us to gain ground against threat actors, and quite frankly it allows us to start disrupting their business model, right? It's a more resilient network in the future. This leads to the whole notion of self-healing networks as well, that quite frankly just makes it a big pain. It disrupts their business model, it forces them to go back to the drawing board.
>> Well, it also seems as though when we start talking about 5G, the speeds, as I said, the speeds, the density, the reduced latency, the potential for a bad thing to propagate very quickly, demands that we have a more consistent, coherent response at both the machine level but also at the people level. Weave 5G into this conversation. What will be the impact of 5G on how these playbooks and AI start to come together over the next few years?
>> Yeah, it's gonna be very impactful. It's gonna take a couple of years, and we're just at the dawn of 5G right now. But if you think of 5G, you're talking about a lot more volume, essentially. As we move to the future, we're entering into the age of 5G and edge computing, and 5G and edge computing is gonna start eating the cloud, in a sense that more of that processing power that was in the cloud is starting to shift now towards edge computing, right, this is that on-premises. So it is gonna allow models like I was talking about, federated machine learning models, at first from the white hats' point of view, which again I think we are in the driver's seat and in a better, you know, more advantageous position here because we have more experience. Again, like I said, we've been doing this for years, where the black hats quite frankly haven't. Yes, they're toying with it, but not to the same level at scale that we have. But you know, I'm always a realist. This isn't a completely rosy picture. I mean, it is optimistic that we are able to get this upper hand. It has to be done right. But if we think about the weaponization of 5G, that's also a very large problem, right? Last year we were talking about swarm networks, right? The idea of swarm networks is a whole bunch of devices that can connect to each other, share intelligence and then act to do something like a large-scale DDoS attack. That's absolutely in the realm of possibility when it comes to the weaponization of 5G as well.
>> So one of the things, I guess the last question I want to ask you, is you noted that these playbooks incorporate the human element in ways that are uniquely human. So having CISO-readable recipes for how people have to respond, does that also elevate the conversation with the business and allow us to do a better job of understanding risk, pricing risk, and appropriately investing to manage and assure the business against risk in the right way?
>> Absolutely, absolutely it does. Yeah, because the more you know about, going back to the playbooks, the more you know about the offense and their tools, you know, the more you know about how much of a danger it is, what sort of targets they're after, right? I mean, if they're just going, trying to look to collect a little bit of information on, you know, to do some reconnaissance, that first phase attack might not cause a lot of damage. But if this group is known to go in, hit hard, steal intellectual property, shut down critical business streams, DDoS, that in the past we know and we've seen has caused four or five million dollars from one breach, that's a very good way to start classifying risk. So yeah, I mean, it's all about really understanding the picture first on the offense, and that's exactly what these automated playbook guides are going to be doing on the blue team. And again, not only from a C-suite perspective, certainly that on the human level, but the nice thing about the playbooks is because we've done the research, the threat hunting, and understood this, you know, from a machine level, it's also able to put a lot of those automated, let's say, day-to-day decisions, making security operation centers, so I'm talking about like SecDevOps, much more efficient too.
>> So we're talking about more density at the edge amongst these devices. I also want to bring back one last thought here, and that is you said that historically some of the black hats have been able to act with a degree of impunity. They haven't necessarily been hit hard. There's a lot of slapping on the wrist, as I think you said. Talk about how the playbooks and AI are going to allow them to more appropriately share data with others that can help both now but also in some of the forensics and the enforcement side, namely the legal and policing world. How are we going to share the responsibility, or how is that going to change over the next few years, to incorporate some of the folks that actually can then turn a defense into a legal attack?
>> Illumination, this is what I call it, right? So again, if we look at the current state, we've made great strides, great progress, you know, working with law enforcement. So we've set up public-private sector relationships. We need to do that, have security experts working with law enforcement, law enforcement working on their end to train prosecutors to understand cybercrime and so forth. That foundation has been set, but it's still slow-moving. You know, there's only a limited amount of playbooks right now. It takes a lot of work to unearth and to really move the needle. What we need to do, again, like we're talking about, is to integrate artificial intelligence with playbooks. The more that we understand about groups, the more that we do this threat illumination, the more we uncover about them, the more we know about them, and by doing that we can start to form predictive models, right? Basically, I always say old habits die hard. So you know, if an attacker goes in, hits a network and they're successful following a certain sequence of patterns, they're likely going to follow that same sequence on their next victim or their next target. So the more that we understand about that, the more that we can forecast ahead from a mitigation standpoint. But also, by the same token, the more correlation we're doing on these playbooks, the more machine learning we're doing on these playbooks, the more we're able to do attribution, and attribution is the holy grail. It's always been the toughest thing to do when it comes to research. But by combining the framework that we're using with playbooks and AI machine learning, it's a very, very powerful recipe, and that's what we need to get right and move forward in the right direction.
>> Derek Manky, Fortinet's chief of security insights and threat alliances, thanks again for being on theCUBE.
>> It's a pleasure. Anytime, happy to talk.
>> And I want to thank you for joining us for another CUBE conversation. I'm Peter Burris. See you next time. (music)

Published Date : Nov 26 2019


acting on things but where things get really interesting moving forward in 2020 gets into this third generation where you have especially you know moving towards about computer sorry I'm computing where you have localized learning notes that are actually processing and learning so you can think of them as these mini brains instead of having this monolithic centralized brain you have individual learning modes individual brains doing their own machine learning that are actually connected to each other learning from each other speaking to each other it's a very powerful model we actually refer to this as federated machine learning in our industry so we've been first phase we simply use statistics to correlate events take action yeah now we're doing exceptions pattern recognition or exceptions and building patterns and in the future we're going to be able to further distribute at that so that increasingly the AI is going to work with other AI so that the aggregate this federated aggregate gets better I got that right yeah absolutely and what's the advantage of that a couple of things I'm it's very similar to the human immune system right I mean if you have you know if I were to cut my finger on my hand what's gonna happen well localized white blood cells get localized not nothing from a foreign entity or further away in my body are gonna come to the rescue and start healing right it's the same idea it's because it's interconnected within the nervous system it's the same idea of this federated machine learning right if security appliance is to detect a threat locally on-site its able to alert other security appliances so that they can actually take action on this and learn from that as well so connected machine learning models it means that that you know by properly implementing these these AI this federated AI machine learning models in an organization that that system is able to actually in an auto you may pick up what that threat is be able to act on that threat 
which means it's able to respond to these threats quicker shut them down to the point where it can be you know virtually instantaneous right before you know that the damage is done and bleeding starts happening so the common time safe common baseline is constantly getting better even as we're giving opportunities for local local managers to perform the work in response to local conditions so that takes us to the next notion of we've got this federated a la a I on the horizon how are people how is the role of people security professionals going to change what kind of recipes are they going to follow to ensure that they are working in a maximally productive way with these new capabilities these new federated capabilities especially as we think about the introduction of 5g and greater density of devices and faster speeds and lower latencies yeah so you know that the the the the world of cyber computer cyber security has always been incredibly complex so we're trying to simplify that and that's where again this this federated machine learning comes into place particularly with playbooks so you know if we look at 2019 and where we're going in 2020 we've put a lot of a lot of groundwork quite frankly into pioneering the work of playbooks right so when I say playbooks I'm talking about adversary's playbook knowing the offense knowing the tools techniques procedures the way that these cybercrime operations are moving right and the black hats are moving the more that we can understand that the more we can predict their next move and that centralized language right once you know that offense we can start to create automated Blue Team playbook so defensive play books that a human that that's a security technology can automatically integrate and respond to it but to getting back to your question we can actually create human readable sea cecil guides that can actually say look there's a threat here's why it's a problem here's here here are the gaps in your security that we've 
identified if you're some recommended course of action as my deity right so that's that's where the humans and the machines are really going to be worked working together and and quite frankly moving speed being able to do that a machine level but also being being able to simplify a complex landscape that is where we can actually gain traction right that this is part of that ascendancy of the white hat because because it's it's allowing us to move in a more agile nature it's an it's allowing us to gain ground against heat actors and quite frankly it allows us to start disrupting their business model right it's more resilient Network in the future this leads to the whole notion of self-healing networks as well that quite frankly just makes it a big pain it disrupts your business model it forces them to go back to the drawing board - well it also seems as though when we start talking about 5g that the speeds as I said the speeds the dentin see the reduced latency the the potential for a bad thing to propagate very quickly demands that we have a more consistent coherent response at both the Machine level but also at the people level we 5g into this conversation what's what will be the impact of 5g on how these playbooks and AI start to come together over the next few years yeah it's it's it's it's gonna be very impactful it's gonna take a couple of years and we're just at the dawn of 5g right now but if you think of 5g you're talking about a lot more volume essentially as we move to the future we're entering into the age of five G and edge computing and 5g and edge computing is gonna start eating the cloud in a sense that more of that processing power that was in the cloud is starting to shift now towards edge computing right this is that on-premises so it is gonna allow models like I was talking about federated machine learning models at first from the the white hats point of view which I again I think we are in the driver's seat and in a better you know more 
advantageous position here because we have more experience again like I said we've been doing this for years where the black hats quite frankly haven't yes they're toying with it but not to the same level at scale that we have but you know you know it's I'm always a realist this isn't a completely rosy picture I mean there it is optimistic that we are able to get this upper hand it has to be done right but if we think about the weaponization of 5g that's also very large problem right last year we're talking about sworn networks right the idea of sworn networks is a whole bunch of devices that can connect to each other share intelligence and then act to do something like a large-scale DDoS attack that's absolutely in the in the realm of possibility when it comes to the weaponization of 5g as well so one of the things I guess the last question I want to ask you is you noted that these play books incorporate the human element in ways that are uniquely human so having C so readable recipes for how people have to respond does that also elevate the conversation with the business and does allows us to do a better job of understanding risk pricing risk and appropriately investing to manage and assure the business against risk in the right way absolutely absolutely it does yeah yeah because the more you know about going back to the playbook some more you know about the office and their tools you know you the more you know about how much of a danger it is what sort of targets they're after right I mean if they're just going trying to look to to to collect a little bit of information on you know to do some reconnaissance that first phase attack might not cause a lot of damage but if this group is knowing to go in hit hard steal intellectual property shut down critical business streams to do s that in the past we know and we've seen has caused four or five million dollars from one you know from one breach that's a very good way to start classifying risk so yeah I mean it's all 
about really understanding the picture first on the offense and that's exactly what these automated playbook guides are going to be doing on the on the on the blue team and again not only from a CSE suite perspective certainly that on the human level but the nice thing about the play books is because we've done the research the threat hunting and understood this you know from a machine level it's also able to put a lot of those automated let's say day-to-day decisions making security operation center is so I'm talking about like sect DevOps much more efficient to so he's talking about more density at the edge amongst these devices I also want to bring back one last thought here and that is you said that historically some of the black hats have been able to act with a degree of impunity they haven't necessarily been hit hard there a lot of slapping on the wrist as I think you said talk about how the playbooks and AI is going to allow them to more appropriately share data with others that can help both now but also in some of the forensics and the the enforcement side namely the the legal and policing world how are we going to share the responsibility or how is that going to change over the next few years to incorporate some of the folks that actually can then turn a defense into a legal attack illumination this is what I call it right so again if we look at the current state we've made great strides great progress you know working with law enforcement so we've set up public private sector relationships we need to do that have security experts working with law enforcement law enforcement working on there and to train process prosecutors to understand cybercrime and so forth that foundation has been set but it's still slow-moving you know there's only a limited amount of playbooks right now it takes a lot of work to unearth and and and do to really move the needle what we need to do again like we're talking about is to integrate artificial intelligence with playbooks 
the more that we understand about groups the more that we do this threat illumination the more we have cover about them the more we know about them and by doing that we can start to form predictive models right basically I always say old habits die hard so you know if an attacker goes in hits a network and they're successful following a certain sequence of patterns they're likely going to follow that say that's that same sequence on their next victim or their next target so the more that we understand about that the more that we can forecast eight from a mitigation standpoint but the also by the same token the more correlation we're doing on these playbooks the more machine learning we're doing on this playbooks the more we were able to do attribution and attribution is the Holy Grail it's always been the toughest thing to do when it comes to research but by combining the framework that we're using with playbooks and AI machine learning it's a very very powerful recipe and that's that's what we need to get right and move forward in the right direction Derrick McKey ordinance chief of security insights and threat alliances thanks again for being on the cube it's a pleasure anytime happy to talk and I want to thank you for joining us for another cube conversation I'm Peter Burris see you next time [Music]

Published Date : Nov 25 2019


Derek Manky, Fortinet - Office of CISO | CUBEConversation, November 2019


 

(upbeat jazz music) [Woman] - From our Studios in the heart of Silicon Valley, Palo Alto, California, this is a CUBE conversation.

>> Hello and welcome to theCUBE Studios in Palo Alto, California, for another CUBE conversation, where we go in depth with thought leaders driving innovation across the tech industry. I'm your host Peter Burris. Almost everybody's heard of the terms black-hat and white-hat. And it constitutes groups of individuals that are either attacking or defending security challenges. It's been an arms race for the past 10, 20, 30 years as the world's become more digital. And an arms race that many of us are concerned that black-hats appear to have the upper hand. But there's new developments in technology and new classes of tooling that are actually racing to the aid of white-hats and could very well upset that equilibrium in favor of the white-hats. To have that conversation about the ascension of the white-hats, we're joined by Derek Manky, who's the Chief Security Insights & Global Threat Alliances lead at Fortinet. Derek, thanks for joining us for another CUBE conversation.

>> It's always a pleasure speaking with you. [Peter] - All right. [Derek] - Happy to be here.

>> Derek, let's start, what's going on at FortiLabs at Fortinet?

>> So 2019, we've seen a ton of development, a lot pretty much on track with our predictions when we talked last year. Obviously a big increase in volume, thanks to offensive automation. We're also seeing low volume attacks that are disrupting big business models. I'm talking about targeted ransom attacks, right. But, you know, criminals that are able to get into networks, cause millions of dollars of damages thanks to critical revenue streams being held. Usually in the public sector we've seen a lot of this. We've seen a rise in sophistication, the adversaries are not slowing down. AETs, the mass evasion techniques, are on the rise. And so, you know, to do this on FortiGuard Labs, to be able to track this and map this, we're not just relying on logs anymore and, you know, 40, 50 page white papers. So, we're actually looking at playbooks now, mapping the adversaries, understanding their tools, techniques, procedures, how they're operating, why they're operating, who are they hitting and what might be their next moves. So that's a big development on the intelligence side too.

>> All right, so I mentioned up front this notion that the white-hats might be ascending. I'm implying a prediction here. Tell us a little bit about what we see on the horizon for that concept of the white-hats ascending and specifically, why is there reason to be optimistic?

>> Yeah, so it's been gloomy for decades like you said. And for many reasons, right, and I think those reasons are no secrets. I mean, cyber criminals and black-hats have always been able to move very, you know, with agility right. Cyber crime has no borders. It's often a slap on the wrist that they get. They can do a million things wrong, they don't care, there's no ethics and quite frankly no rules binding them right. On the white-hat side, we've always had rules binding us, we've had to take due care and we've had to move methodically, which slows us down. So, a lot of that comes in place because of frameworks, because of technology as well, having to move after it's enabled with frameworks, specifically with making corrective action and things like that. So, those are the challenges that we faced against. But you know like, thinking ahead to 2020, particularly with the use of artificial intelligence, everybody talks about AI, it's impacted our daily lives, but when it comes to cyber security, on the white-hat side a proper AI and machine learning model takes time. It can take years. In fact in our case, our experience, about four to five years before we can actually roll it out to production. But the good news is, that we have been investing, and when I say we, I'm just talking to the industry in general and white-hat, we've been investing into this technology because quite frankly we've had to. It takes a lot of data, it takes a lot of smart minds, a lot of investment, a lot of processing power and that foundation has now been set over the last five years. If we look at the black-hats, it's not the case. And why? Because they've been enjoying living off the land on low hanging fruit. Path of least resistance because they have been able to.

>> So, one of the things that's changing that equilibrium then, is the availability of AI and as you said, it could take four, five years to get to a point where we've actually got useful AI that can have an impact. I guess that means that we've been working on these things for four, five years. What's the state of the art with AI as it pertains to security, and are we seeing different phases of development start to emerge as we gain more experience with these technologies?

>> Yeah, absolutely. And it's quite exciting right. AI isn't this universal brain that solves the world's problems that everyone thinks it might be right. It's very specific, it relies on machine learning models. Each machine learning model is very specific to its task right, I mean, you know, voice learning technology versus autonomous vehicle driving versus cyber security, is very different when it comes to these learning purposes. So, in essence the way I look at it, you know, there's three generations of AI. We have generation one, which was the past. Generation two, which is the current, where we are now and the generation three is where we're going. So, generation one was pretty simple right. It was just a central processing alert machine learning model that will take in data, correlate that data and then take action based off of it. Some simple inputs, simple output right. Generation two where we're currently sitting is more advanced. It's looking at pattern recognition, more advanced inputs, distributed models where we have sensors lying around networks. I'm talking about even IoT devices, security appliances and so forth, that still report up to this centralized brain that's learning it and acting on things. But where things get really interesting moving forward in 2020 gets into this third generation where you have especially moving towards cloud computing, sorry, edge computing, is where you have localized learning nodes that are actually processing and learning. So you can think of them as these mini brains. Instead of having this monolithic centralized brain, you have individual learner nodes, individual brains doing their own machine learning that are actually connected to each other, learning from each other, speaking to each other. It's a very powerful model. We actually refer to this as federated machine learning in our industry.

>> So we've been, first phase we simply used statistics to correlate events, take action, now we're doing exceptions, pattern recognition, or exceptions and building patterns, and in the future we're going to be able to further distribute that so that increasingly the AI is going to work with other AI so that the aggregate, this federated aggregate gets better, have I got that right?

>> Yeah absolutely. And what's the advantage of that? A couple of things. It's very similar to the human immune system right. If you have, if I were to cut my finger on my hand, what's going to happen? Well, localized white blood cells, localized, nothing from a foreign entity or further away in my body, are going to come to the rescue and start healing that right. It's the same, it's because it's interconnected within the nervous system. It's the same idea of this federated machine learning model right. If a security appliance is to detect a threat locally on site, it's able to alert other security appliances so that they can actually take action on this and learn from that as well. So connected machine learning models. So it means that by properly implementing these AI, this federated AI machine learning models in an organization, that that system is able to actually in an auto-immune way be able to pick up what that threat is and be able to act on that threat, which means it's able to respond to these threats quicker or shut them down to the point where it can be you know, virtually instantaneous right, before the damage is done and bleeding starts happening.

>> So the common baseline is continuously getting better even as we're giving opportunities for local managers to perform the work in response to local conditions. So that takes us to the next notion of, we've got this federated AI on the horizon, how are people, how is the world of people, security professionals going to change? What kind of recipes are they going to follow to ensure that they are working in a maximally productive way with these new capabilities, these new federated capabilities, especially as we think about the introduction of 5G and greater density of devices and faster speeds and lower latencies?

>> Yeah so, you know the world of cyber computer, cyber security has always been incredibly complex. So we're trying to simplify that and that's where again, this federated machine learning comes into place, particularly with playbooks, so if we look at 2019 and where we're going in 2020, we've put a lot of groundwork quite frankly into pioneering the work of playbooks right. So when I say playbooks I'm talking about adversary playbooks, knowing the offense, knowing the tools, techniques, procedures, the way that these cyber crime operations are moving right and the black-hats are moving. The more that we can understand that, the more we can predict their next move and that centralized language right, once you know that offense, we can start to create automated blue team playbooks, so defensive playbooks. That security technology can automatically integrate and respond to it, but getting back to your question, we can actually create human readable CISO guides that can actually say, "Look, there's a threat," "here's why it's a problem," "here are the gaps in your security that we've identified," "here's some recommended course of action as an idea too." Right, so that's where the humans and the machines are really going to be working together and quite frankly moving at speed, being able to do that at machine level but also being able to simplify a complex landscape, that is where we can actually gain traction right. This is part of that ascendancy of the white-hat because it's allowing us to move in a more agile nature, it's allowing us to gain ground against the attackers and quite frankly, it allows us to start disrupting their business model more right. It's a more resilient network. In the future this leads to the whole notion of self-healing networks as well that quite frankly just makes it a big pain, it disrupts your business model, it forces them to go back to the drawing board too.

>> Well, it also seems as though, when we start talking about 5G, that the speeds, as I said the speeds, the density, the reduced latency, the potential for a bad thing to propagate very quickly, demands that we have a more consistent, coherent response, at both the machine level but also the people level. Weave 5G into this conversation. What's, what will be the impact of 5G on how these playbooks and AI start to come together over the next few years?

>> Yeah, it's going to be very impactful. It is going to take a couple of years and we're just at the dawn of 5G right now. But if you think of 5G, you're talking about a lot more volume, essentially as we move to the future, we're entering into the age of 5G and edge computing. And 5G and edge computing is going to start eating the cloud in a sense that more of that processing power that was in the cloud is starting to shift now towards edge computing right. This is at on-premises. So, A; it is going to allow models like I was talking about, federated machine learning models and from the white-hats' point of view, which again I think we are in the driver's seat and a better, more advantageous position here, because we are more experienced again like I said, we've been doing this for years where black-hats quite frankly haven't. Yes, they're toying with it, but not at the same level and scale as we have. But, you know, (chuckles) I'm always a realist. This isn't a completely rosy picture, I mean, it is optimistic that we are able to get this upper hand. It has to be done right. But if we think about the weaponisation of 5G, that's also a very large problem right. Last year we're talking about swarm networks right, the idea of swarm networks is a whole bunch of devices that can connect to each other, share intelligence and then act to do something like a large scale DDoS attack. That's absolutely in the realm of possibility when it comes to the weaponisation of 5G as well.

>> So one of the things, I guess the last question I want to ask you is, you noted that these playbooks incorporate the human element in ways that are uniquely human. So, having CISO-readable recipes for how people have to respond, does that also elevate the conversation with the business and does, allows us to do a better job of understanding risk, pricing risk and appropriately investing to manage and assure the business against risk in the right way?

>> Absolutely. Absolutely it does, yeah. Yeah, because the more you know about going back to the playbooks, the more you know about the offense and their tools, the more you know about how much of a danger it is, what sort of targets they're after right. I mean if they're just going trying to look to collect a bit of information on, you know, to do some reconnaissance, that first phase attack might not cause a lot of damage, but if this group is known to go in, hit hard, steal intellectual property, shut down critical business streams through DoS, that in the past we know and we've seen has caused four, five million dollars from one breach, that's a very good way to start classifying risk. So yeah, I mean, it's all about really understanding the picture first on the offensive, and that's exactly what these automated playbook guides are going to be doing on the blue team and again, not only from a C-suite perspective, certainly that on the human level, but the nice thing about the playbooks is because we've done the research, the threat hunting and understood this, you know from a machine level it's also able to put a lot of those automated, let's say day-to-day decisions, making security operation centers, so I'm talking about like SecDevOps, much more efficient too.

>> So we've talked about more density at the edge amongst these devices, I also want to bring back one last thought here and that is, you said that historically some of the black-hats have been able to act with a degree of impunity, they haven't necessarily been hit hard, there's been a lot of slapping on the wrist as I think you said. Talk about how the playbooks and AI is going to allow us to more appropriately share data with others that can help both now but also in some of the forensics and the enforcement side, namely the legal and policing world. How are we going to share the responsibility, how is that going to change over the next few years to incorporate some of the folks that actually can then turn a defense into a legal attack?

>> Threat illumination is what I call it right. So again, if we look at the current state, we've made great strides, great progress, you know, working with law enforcement, so we've set up public-private sector relationships, we need to do that, have security experts working with law enforcement, law enforcement working on their end to train prosecutors to understand cyber crime and so forth. That foundation has been set, but it's still slow moving. You know, there's only a limited amount of playbooks right now. It takes a lot of work to unearth and do, to really move the needle, what we need to do, again like we're talking about, is to integrate artificial intelligence with playbooks. The more that we understand about groups, the more that we do the threat illumination, the more that we uncover about them, the more we know about them, and by doing that we can start to form predictive models right. Basically, I always say old habits die hard. So you know, if an attacker goes in, hits a network and they're successful following a certain sequence of patterns, they're likely going to follow that same sequence on their next victim or their next target. So the more that we understand about that, the more that we can forecast, A; from a mitigation standpoint, but also by the same token, the more correlation we're doing on these playbooks, the more machine learning we're doing on these playbooks, the more we're able to do attribution and attribution is the holy grail, it's always been the toughest thing to do when it comes to research. But by combining the framework that we're using with playbooks, and AI machine learning, it's a very, very powerful recipe and that's what we need to get right and move forward in the right direction.

>> Derek Manky, Fortinet's Chief of Security Insights & Threat Alliances, thanks again for being on theCUBE.

>> It's a pleasure. Anytime. Happy to talk.

>> And I want to thank you for joining us for another CUBE conversation. I'm Peter Burris, see you next time. (upbeat jazz music)

>> Yeah I thought it was pretty good. [Man] - That was great. [Derek] - Yeah, yeah.

Published Date : Nov 21 2019


Derek Manky, Fortinet | Fortinet Accelerate 2019


 

>> Live from Orlando, Florida, it's theCUBE, covering Accelerate 2019. Brought to you by Fortinet.

>> Hey, welcome back to theCUBE. We are live at Fortinet Accelerate 2019 in Orlando, Florida. I am Lisa Martin with Peter Burris, and Peter and I are pleased to welcome one of our alumni back to the program, Derek Manky, the Chief of Security Insights for Fortinet. Derek, it's great to have you back on the program.

>> So it's always a pleasure to be here. It's always good conversations. I really look forward to it, and it's never a boring day in my office, so we're more than happy to talk about this.

>> Fantastic. Excellent. Well, we've been here for a few hours, talking with a lot of your leaders, partners as well. The keynote this morning was energetic, talked a lot about the evolution of not just security and threats, but obviously of infrastructure, the multi-cloud hybrid environment in which we live. You have been with FortiGuard Labs for a long time. Talk to us about the evolution that you've seen of the threat landscape and where we are today.

>> Sure, yeah. So, yeah, I've been fifteen years now at FortiGuard. So if I flash back even to 2004, it was a vastly different landscape back then, in Internet and even in terms of our security technology, in terms of what the attack surface was like back then. You know, Ken was talking about edge computing, right? Because that's what, you know, seventy percent of data is not going to be making it to the cloud in the future. A lot of processing is happening on the edge, and threats are migrating that way as well, right? But there's always this mirror image that we see with the threat landscape. Again, threat landscape: back in nineteen eighty nine, we started with the Morris Worm. It was very simple instructions. It took down about eighty percent of the Internet at the time, but it was very simple. It wasn't, quote unquote, intelligent, right?
Of course, if we look through the 2000s, we had a lot of these big worms that hit the scene like Conficker, ILOVEYOU, Anna Kournikova, Blaster, Slammer. All these famous worms started to become peer-to-peer, right? So they were able to actually spread from network to network throughout organizations, take down critical services and so forth. That was a big evolutionary piece at the time. Of course, we saw fake antivirus, ransomware come on stage. Last, as I called it, was destructive malware. That was a big shift that we saw, right? So actually physically wiping out data on systems; these are typically in, like, warfare-based attacks. And that takes us up to today, right? And what we're seeing today, of course, we're still seeing a lot of ransom attacks, but we're starting to see a big shift in technology because of this edge computing use case. So we're seeing now things like swarm networks, that I've talked about before. So these are not only, like we saw in the 2000s, threats that could shift very quickly from network to network, talk to each other, right, in terms of worms and so forth. We're also seeing now intelligence baked in. And that's a key difference in technology, because these threats are actually able, just like machine-to-machine communication happens through APIs, protocols and so forth, threats are able to do this as well. So they are able to understand their own local environment and how to adapt to that local environment and capitalize on that effort. And that's a very, very big shift in terms of technology that we're seeing now in the threat landscape.

>> So a lot of those old threats were depending upon the action of a human being, right? So in many respects, the creativity was a combination of: can you spook somebody, make it interesting so that they'll do something? There was always creativity in the actual threat itself. What you're describing today is a world where it's almost like automated risk.
We're just, as we're trying to do automation to dramatically increase the speed of things, reduce the amount of manual intervention, the bad guys are doing the same thing. With the swarms, they're introducing technology that is almost an automated attack and reconfigures itself based on whatever environment conditions it encounters.

>> Yeah, and the interesting thing is, what's happening here is we're seeing a reduction in what I call TTB, time to breach. So if you look at the attack lifecycle, everything doesn't happen in the blink of an instant; it's moving towards that, right? But if you look at the good, this is what's to come. I mean, we're seeing a lot of indications of this already. So we work very closely with MITRE, the MITRE ATT&CK framework. It describes different steps for the attack lifecycle, right? You start with reconnaissance, weaponization, and how do you penetrate a system, move in the system, collect data, monetize out as a cyber criminal. So even things like reconnaissance and weaponization. So if you look at phishing campaigns, right, people trying to phish people using social engineering, understanding data points about them, that's becoming automated. That used to be a human trying to understand their target, try to phish them so they could get access to their network. There's toolkits now that will actually do that on their own by learning about data points. So it's scary, yes, but we are seeing indications of that. And look, the endgame to this is that the attacks are happening much, much quicker. So you've got to be on your game. You have to be that much quicker from the defensive point of view, of course, because otherwise, if a successful breach happens, you know, we're talking about some of these attacks, they could be successful in a matter of seconds or minutes instead of days or hours like before. You know, we're talking about potentially millions of dollars of revenue loss, you know, services.
They're being taken out, intellectual property is being breached.

>> So far, though. And this is, you know, I think of health care alone and literally life and death situations. Absolutely. How is Fortinet, with your ecosystem of partners, poised to help customers mitigate some of these impending risks, changing risks?

>> Coverage. Strength in numbers, right. So we have a strong ecosystem, of course, through our Fabric-Ready program. So that's a technology piece, right? End-to-end security, how we can integrate, how we can use automation to, you know, push security policies instead of having an administrator having to do that. Humans are slow a lot of the time, so you need machine-to-machine speed. It's our Fabric-Ready program. You know, we have over fifty-seven partners there. It's a very strong ecosystem. From my side of the house, on threat intelligence, I head up our Global Threat Alliances, right? So we are working with other security experts around the world. Cyber Threat Alliance is a good example. We've created intelligence sharing platforms so that we can share what we call indicators of compromise. So basically blueprints or fingerprints, you can call them, of attacks as they're happening in real time. We can share that worldwide on a platform so that we can actually get a heads up from other security vendors of something that we might not see, and we can integrate that into our security fabric in terms of adding new, you know, intelligence definitions, security packages and so forth. And that's a very powerful thing. Beyond that, I've also created other alliances with law enforcement. So we're working with Interpol. That's attribution-based work, right, that's going after the source of the problem. Our endgame is to make it more expensive for cyber criminals to operate. And so we're doing that through working with Interpol and law enforcement.
As an example, we're also working with national computer emergency response teams, so ripping malicious infrastructure offline. That's all about partnership, right? So that's what I mean, strength in numbers, collaboration. It's a very powerful thing, something close to my heart that I've been building up over ten years. And, you know, we're seeing a lot of success and impact from it, I think.

>> But some of the, uh, if you go back and look at some of the old threats that were very invasive, very problematic, moved relatively fast, but they were still somewhat slow. Now we're talking about a new class of threat that happens like that. It suggests that the arrangement of assets that a company like Fortinet requires to respond and provide value to customers has to change. Yes? Talk a little about how not just the investment in product, but also the investment in FortiGuard Labs, is evolving. You talked about partnerships, for example, to ensure that you have the right set of resources able to be engaged at the right time and applied to the right place with the right automation. Talk about that.

>> Sure, sure. So because of the criticality of this nature, we have to be on point every day. As you said, you mentioned health care. Operational technology is a big thing as well. You know, Phil was talking about this as well, right, the cyber-physical convergence. So we have to be on our game and on point. And how do we do that? A couple of things. One, we need people. Still, we can't, you know, Ken was talking about his speech in Davos at the World Economic Forum, with a three to four million people shortage in cyber security professionals. There's never going to be enough people. So what we've done strategically is actually repositioned our experts at FortiGuard Labs. We have over 235 people in FortiGuard Labs. So as a network security vendor, it's the largest security operation center in the world.
But 235 people alone aren't going to be able to battle 100 billion threat events that we process today at FortiGuard Labs. So what we've done, of course, is taken up over the last five years machine learning, artificial intelligence. We have real practical applications of AI and machine learning. We use a supervised learning set, so we actually have our machines learning about threats, and we have our human experts. Instead of tackling the threats one-on-one themselves on the front lines, they let the machine learning models do that, and they're training the machine. It's like a parent and child relationship. It takes time to learn; as machines learn over time they start to become more and more accurate. The only way they become more accurate is by our human experts literally being embedded with these machines and training them.

>> Apart from supervised training, but also there's the automation side, right? Yeah, we're increasing. The machines are recognizing something and then providing a range of options. The security professional in particular doesn't have to go through the process of discovery and forensics to figure out everything. The solution is presenting that, but also presenting potential remediation options. Are you starting to see that become a regular feature? Absolutely, and especially in concert with your 235 experts?

>> Yeah, absolutely. And that's a necessity. So in my world, that's what I refer to as actionable intelligence, right? There's a lot of data out there. There's a lot of intelligence; the world's becoming data-centric right now, but sometimes we don't have too much data as humans, as analysts, administrators. So absolutely, remediation suggestions and actually enforcement of that is the next step as well. We've already added some features in FortiOS 6.2 in our fabric to be able to deal with this.
So where I think we're innovating and pioneering in the space, it's a matter of trust. If you have the machines, or, you know, security technology, that's making decisions on its own, you really have to trust that. Trust doesn't happen overnight. That's why, for us, we have been investing in this for over six years now, for our machine learning models, so that we can be very accurate. It's been a good success story for us, I think. The other thing, going back to your original question, how do we stack up against this? Of course, that whole edge computing use case, right? So we're starting to take that machine learning from the cloud environment also into local environments, right? Because a lot of that data is unique to its local environment and stays there. It stays there, and it has to be processed as such too. So that's another shift in technology. As we move towards edge computing, machine learning and artificial intelligence is absolutely part of that story, too.

>> You mentioned strength in numbers, and we were talking about, you know, the opportunity for Fortinet to help customers really be successful here. I wanted to go back to FortiGuard Labs for a second, because it's a very large number. One hundred billion security events FortiGuard Labs ingests and analyzes daily. Really? Yes, that is a differentiator.

>> Okay, that's a huge, huge differentiator. So, again, if I look back to when I started in 2004, that number would have been about five hundred thousand events, compared to one hundred billion today. In fact, even just a year ago, we were sitting at about seventy-five to eighty billion, so that number's increased twenty billion, say twenty percent, right, in just a year. So that's going to continue to happen. But it's that absolutely huge number, and it's a huge number because we have very big visibility, right. We have our four hundred thousand customers worldwide.
We have built a core intelligence network for almost twenty years now, since Fortinet was founded. You know, we worked together with customers. So if customers wish to share data about attacks that are happening, because attackers are always coming knocking on doors, we can digest that. We can learn about the attacks. We know, you know, what weapons these cybercriminals are trying to use, where the cybercriminals are. We learn more about the cyber criminals. So we're doing a lot of big data processing. I have a data science team that's doing this, in fact. And what we do is process this data. We understand the threat, and then we take a multi-pronged approach. So we're consuming that data from automation, we're pushing that out first and foremost to our customers. So that's that automated use case of pushing protection from new threats that we're learning about. We're contextualizing the threat. So we're creating playbooks. So that playbook is much like football, right? You have to know your offense, right? And you have to know how to best understand their tactics. And so we're doing that, right. We're mapping these playbooks, understanding tactics, understanding where these guys are, how they operate. We take that to law enforcement, as I was saying earlier, as an example. We take that to the Cyber Threat Alliance, to our other partners. And the more that we learn about this attack surface, the more that we can do in terms of protection as well. But it's a huge number. We've had to scale our data center massively to be able to support this over the years. But we are poised for scalability for the future, to be able to consume this on our end. So it's, um, it's what I said at the start: it's never a boring day in my office.

>> How can it be? But it sounds like, you know, really the potential there to enable customers
in any industry to transform, since we talked about digital transformation, transform from being reactive to being proactive, to eventually predictive and

>> Cost effective too, right. This is another thing with the cybersecurity skills gap. You know this. The solution shouldn't be for any given customer to try to have two hundred and thirty people in their security center, right? This is our working relationship, where we can do a lot of that proactive automation for them, you know, by the fabric, by all this stuff that we're doing through our investment and efforts on the back end. I think it's really important too. And yeah, at the end of the day, the other thing that we're doing with that data is generating human-readable reports. So we're actually helping our customers at a high level understand the threat, right? So that they can actually create policies on their end to be able to respond to this, right, harden their own security, deal with things like insider threats for their, you know, networks. These are all suggestions that we give them based off of our experience. You know, we issue our quarterly threat landscape report as an example.

>> Come on theCUBE. Some of your people come on theCUBE and

>> talk about, absolutely. So that's one product of that hundred billion events that we're processing every day. But like I said, it's a multi-pronged approach. We're doing a lot with that data, which is a great story, I think.

>> It is. I wish we had more time. Derek, thank you so much for coming by. And never a dull moment, never a dull interview when you're here. We appreciate your time. I can't wait to see what that one hundred billion number is next year, at Fortinet 2020.

>> It will be more. I can get you.

>> Sounds like it. Well, Derek, thank you so much. We appreciate it. For Peter Burris, I'm Lisa Martin. You're watching theCUBE.

Published Date : Apr 9 2019


Derek Manky, Fortinet | CUBEConversation, November 2018


 

[Music]

>> Hi, I'm Peter Burris, and welcome to another Cube Conversation from theCUBE studios here in beautiful Palo Alto, California. Today we're going to talk about some new things that are happening in the security world. Obviously this is one of the most important domains within the technology industry and, increasingly because of digital business, in business overall. Now, to do that, we've asked Derek Manky to come back. Derek is the Chief of Security Insights and Global Threat Alliances at Fortinet. Derek, welcome back to theCUBE.

>> Absolutely.

>> The same, I feel the same way, Derek. Okay, so we're going to get into some predictions about what the bad guys are doing and some predictions about what the defenses are doing, how we're going to see the defense opportunities improve. But let's set the stage, because predictions always are made on some platform, some understanding of where we are, and that has also changed pretty dramatically. So what's the current state in the overall security world, Derek?

>> Yeah, so what we saw this year in 2019 a lot is a big increase in automation, and I'm talking from an attacker's point of view. I think we talked about this a little bit earlier in the year. So what we've been seeing is the use of frameworks to enhance sort of the day-to-day cycles that cyber criminals and attackers are using to make their, you know, criminal operations that much more efficient, sort of a well-oiled machine. So we're seeing toolkits that are taking, you know, things within the attack cycle and attack chain, such as reconnaissance, penetration, you know, exploitation, getting into systems, and just making that that much quicker. So that window to attack, the time to breach, has been shrinking thanks to a lot of these crime kits and services that are offered out there now.

>> One other comment on this, or another question that I might have on this, is that, so speed is becoming an issue, but also the risk, as digital business takes on a larger portion of overall business activities, that
ultimately the risks and costs of doing things wrong is also going up. Have I got that right?

>> Yeah, absolutely, for sure. And, you know, it's one of those things that the longer that a cybercriminal has a foothold in your system, or has the opportunity to move laterally and gain access to other systems, maybe it's your IoT or, you know, other platforms, the higher the risk, right? Like, the deeper down they are within an attack cycle, the higher the risk. And because these automated toolkits are allowing them to facilitate that, it's a catalyst really, right? They can get into the system, they can actually get out that much quicker. The risk is much higher. And when we're talking about risk, we're talking about things like intellectual property exfiltration, client information, this sort of stuff that can be quite damaging to organizations.

>> So with the new foundation of speed becoming an increasingly important feature, probably think about security, and the risks are becoming greater because digital assets are being recognized as more valuable, why don't you take us through some of Fortinet's predictions on some of the new threats, or the threat landscape? How's the threat landscape changing?

>> Yeah, so as I said, we've already seen this shift in automation, so what I would call the basics. I mean, knowing the target, trying to break into that target, right. When it comes to breaking into the target, cyber criminals right now, they're following the path of least resistance, right? They're finding easy ways that they can get into IoT devices, into other systems. In our world, when we talk about penetration or breaking into systems, it's through zero days, right? So the idea of a zero day is essentially a cyber weapon. There's movies in Hollywood that have been made off of this. You look at attacks like Stuxnet in the past; they all used zero day vulnerabilities to get into systems, all right. So the idea of one of the predictions we're seeing is that cyber criminals are gonna start to use
artificial intelligence, right. So we talk about machine learning models and artificial intelligence to actually find these zero days for them. So in the world of an attacker, to find a zero day they have to do a practice called fuzzing. And fuzzing is basically trying to trip up computer code, right? So you're throwing unverified parameters at it, you're throwing unanticipated sequences into code parameters and input validation and so forth, to the point that the code crashes. And that's, from an attacker's point of view, that's when you take control of that code. This is how, you know, finding weapons into systems, cyber weapons into systems, works. It typically takes a lot of resources, it takes a lot of cycles, it takes a lot of intelligence, it takes a lot of time to discover. We can be talking months or longer. So one of the predictions that we're hitting on is that, you know, cyber criminals are gonna start to use artificial intelligence fuzzing, or AIF as I call it, to be able to use AI to do all of that, you know, intelligent work for them. So, you know, basically having a system that will find these gateways, if you will, these, you know, new vulnerabilities into systems.

>> So sustained use of AIF to corrupt models so that they can find vulnerabilities that can then be exploited.

>> Yeah, absolutely. And, you know, when it comes to the world of hacking and fuzzing, it's one of the toughest things to do. It is the reason that zero days are worth so much money. You know, they can sell for hundreds of thousands of dollars on darknet and in the cyber criminal, you know, economy. So it's because they're tough to find; they take a lot of resources, a lot of intelligence and a lot of effort to be able to not only find the vulnerability but then actively attack it and exploit it, right? There's two phases to that. Yeah, so the idea is, by using part of the power of artificial intelligence, that cyber criminals will start to leverage that and harness it in a bad way to be able to not
only discover, you know, these vulnerabilities but also create that weapon, right, create the exploit, so that they can find more, you know, more holes, if you will, or more angles to be able to get into systems.

>> Now another one is that virtualization is happening in, you know, what the good guys, as we virtualize resources. But is it also being exploited, or does it have the potential to be exploited, by the bad guys as well, especially in a swarming approach?

>> Yeah, virtualization for sure, absolutely. So the thing about virtualization too is you often have a lot of virtualization being centralized, especially when we talk about cloud, right? So you have a lot of potential digital assets, you know, valuable digital assets that could be physically located in one area. So when it comes to using things like artificial intelligence fuzzing, not only can it be used to find different vulnerabilities or ways into systems, it can also be combined with something like, I know we've talked about the concept of the swarm before, so using, you know, multiple intelligent infected pieces of code that can actually try to break into other virtual resources as well. So virtualization, absolutely, because of, in some cases, close proximity, if you will, between hypervisors and things like this, it's also something of concern for sure.

>> Now there is a difference between AI fuzzing and machine learning. Talk to us a little bit about some of the trends or some of the predictions that pertain to the advancement of machine learning and how bad guys are going to exploit that.

>> Sure. So machine learning is a core element that is used by artificial intelligence, right? If you think of artificial intelligence, it's a larger term. It can be used to do intelligent things, but it can only make those decisions based off of a knowledge base, right? And that's where machine learning comes into place. Machine learning, it's data, it's processing and it's time, right? So there's various machine learning models that are put in place. It
can be used for everything from autonomous vehicles to speech recognition to certainly cybersecurity and defense, that we can talk about. But, you know, the other part that we're talking about in terms of predictions is that it can be used, like any tool, by the bad guys. So the idea is that machine learning can be used to actually study code, you know, from a black hat attacker point of view, to study weaknesses in code. And that's the idea of artificial intelligence fuzzing, is that machine learning is used to find software flaws. It finds the weak spots in code, and then it actually takes those weak spots and it starts probing, starts trying to attack it, you know, to make the code crash. And then when it actually finds that it can crash the code and that it can try to take advantage of that, that's where the artificial intelligence comes in, right? So the AI engine says, hey, I learned that this piece of software or this attack target has these weak pieces of code in it. That's for the AI model. So the AI fuzzing comes into place to say, how can I actually take advantage, how can I exploit this, right? So that's where the AI fuzzing comes into play.

>> So we've got some predictions about how black hats and bad guys are going to use AI and related technologies to find new vulnerabilities, new ways of exploiting things and extracting new types of value out of a business. What have the white hats got going for them? What are some of the predictions on some of the new classes of defense that we're going to be able to put up to counter some of these new classes of attacks?

>> Yeah, so that's, you know, that's honestly some of the good news, I believe. You know, it's always been an arms race between the bad guys and the good guys. That's been going on for decades in terms of cybersecurity. Often, you know, the bad guys are in a favorable position because they can do a million things wrong and they don't care, right. From the good guys' standpoint, we can do a million things right, one
thing wrong and that's an issue so we have to be extra diligent and careful with what we do but with that said you know as an example of 49 we've deployed our forty guard AI right so this is six years in the making six years using machine learning using you know precise models to get higher accuracy low false positives to deploy this at reduction so you know when it comes to the defensive mechanism I really think that we're in the drivers position quite frankly we have better technology than the Wild West that they have out on the bad guys side you know from an organization point of view how do you start combating this sort of onslaught of automation in AI from from the bad guys side well you gotta fight fire with fire right and what I mean by that is you have to have an intelligent security system you know perimeter based firewalls and gateways they don't cut it anymore right you need threat intelligence you need systems that are able to orchestrate and automate together so in different security products and in your security stack or a security fabric that can talk to each other you know share intelligence and then actually automate that so I'm talking about things like creating automated security policies based off of you know threat intelligence finding that a potential threat is trying to get into your network that sort of speed through that integration on the defensive side that intelligence speed is is is the key for it I mean without that any organization is gonna be losing the arms race and I think one of the things that is also happening is we're seeing a greater willingness perhaps not to share data but to share information about the bad things that are happening and I know that fort and it's been something at the vanguard of ensuring that there's even better clearing for this information and then driving that back into code that actually further automates how customers respond to things if I got that right yeah you hit a dead-on absolutely you know that 
is one of the key things that were focused on is that we realized we can't win this war alone right nobody can on a single point of view so we're doing things like interoperating with security partners we have a fabric ready program as an example we're doing a lot of work in the industry working with as an example Interpol and law enforcement to try to do attribution but though the whole endgame what we're trying to do is to the strategy is to try to make it more expensive for cyber criminals to operate so we obviously do that as a vendor you know through good technology our security fabric I integrated holistic security fabric and approach to be able to make it tougher you know for attackers to get into systems but at the same time you know we're working with law enforcement to find out who these guys are to go after attribution prosecution cut off the head of the snake as I call it right to try to hit cyber criminal organizations where it hurts we're also doing things across vendor in the industry like cyber threat Alliance so you know forty knots a founding member of the cyber threat Alliance we're working with other security vendors to actually share real time information is that speed you know message that we're talking about earlier to share real time information so that each member can take that information and put it into you something actionable right in our case when we get intelligence from other vendors in the cyber threat Alliance as an example we're putting that into our security fabric to protect our customers in new real-time so in sum we're talking about a greater value from being attacked being met with a greater and more cooperative use of technology and process to counter those attacks all right yeah absolutely so open collaboration unified collaboration is is definitely key when it comes to that as well you know the other thing like I said is is it's the is the technology piece you know having integration another thing from the defensive side 
too which is becoming more of a topic recently is deception deception techniques this is a fascinating area to me right because the idea of deception is the way it sounds instead of to deceive criminals when they're coming knocking on your door into your network so it's really what I call like the the house of a thousand mirrors right so they get into your network and they think they're going to your data store but is it really your data store right it's like it's there's one right target and a thousand wrong targets it's it's a it's a defensive strategy that organizations can play to try to trip up cyber criminals right it makes them slower it makes them more inaccurate it makes them go on the defensive and back to the drawing board which is something absolutely I think we have to do so it's very interesting promising you know technology moving forward in 2019 to essentially fight back against the cyber criminals and to make it more expensive to get access to whatever it is that they want Derek max Lilly yeah Derrick McKey chief of security insights and global threat Alliance this is for net thanks once again for being on the cube it's a pleasure anytime look forward to the next chat and from Peter Burroughs and all of us here at the cube in Palo Alto thank you very much for watching this cube conversation until next time you

Published Date : Nov 16 2018

Derek Manky, Fortinet | RSA North America 2018

>> Narrator: From downtown San Francisco it's the Cube covering RSA North America 2018. >> Hey, welcome back, everybody, Jeff Frick here at the Cube. We're at RSA's security conference, about 40,000 plus. I don't know, I got to get the number. The place is packed, it's a mob scene. Really excited to be here and joined by Derek Manky. We saw Derek last year from Fortinet. Great to get an update, Derek, what do you think of the show this year? >> It's getting big for sure, as I said. That's an understatement. >> I know. >> This is my tenth year coming to RSA now, yeah. >> It's your tenth? >> And just to see how it's changed over 10 years is phenomenal. >> Alright. So, one of the things you want to talk about that you probably weren't talking about 10 years ago are swarms of bots. >> Yeah. >> What the heck is going on with swarms of bots? >> There's been a lot of changes on that front too, so the bad guys are clever, of course, right? If we look at 10 years ago, there was a lot of code, you know, crime kits, crime services that were being created for infrastructure. That led up to some more, you know, getting affiliate programs, kind of, business middlemen to distribute crime. So, that drove a lot of the numbers up, but, literally, in the last three quarters, if we look at hacking activity, the number has doubled from FortiGuard Labs. It's gone from 1.1 million to 2.2 to 4.4 million just over the last three quarters. So, we're looking at an exponential rise in attacks. The reason that's happening is because automation >> Right. >> And artificial intelligence is starting to be put into black hat code, and so the swarm concept, if you think of bees or ants in nature, what do they do? They work together, it's strength in numbers from a black hat's point of view. >> Right, right. >> They work together to achieve a common goal. So, it's intent-based attacks, and that's what we're starting to see as precursors in some code, right? 
These IoT botnets, we're actually seeing nodes within the botnet that can communicate to each other, say, "Hey, guys, I found this other target in the network. Let's go launch a DDoS attack, or let's all try to take different bits of file information from those targets." So, it's that swarm mentality where it takes the attacker more and more out of the loop. That means that the attack surge is also increasing in speed and becoming more agile too. >> So, the bad news, right, is the bad guys have all the same tools that the good guys have in terms of artificial intelligence, machine learning, automation, software to find, and they don't have a lot of rules that they're supposed to follow as well. So, it kind of puts you in a tougher situation. >> Yeah, we're always in a tough situation for sure. You know, I would say, for sure, that when it comes to the tools, a lot of the tools are out there, they custom develop some tools. I would have to say on the technology side, when it comes to security members especially collaborating together and the amount of infrastructure that we have set up, I think we have a foot up on the attackers there, we're at an advantage, but you're absolutely right, when it comes to rules, there are no rules when it comes to the black hat attackers and we have to be very careful of that, how we proceed, of course, right. >> And that's really the idea behind the alliance, right, so, that you guys are sharing information. >> Yeah. >> So, you're sharing best practices, you're picking up patterns. So, everybody's not out there all by themselves. >> Absolutely, it's a strength in numbers concept on our end too. So, we look at Cyber Threat Alliance, Fortinet being a founding member working with all other leading security vendors in this space, is how we can team up against the bad guys, share actionable intelligence, deploy that into our security controls, which makes it a very effective solution, right. 
By teaming up, stacking up our security, it makes it much more expensive for cyber criminals to operate. >> Right, that's good. >> Yeah. >> That's a good thing. >> Yeah, yes. >> And then, what about kind of this integration of the NOC and the SOC? >> Yeah. >> Because security's so much more important for all aspects of the business, right? It's not layered on, it's not stand-alone. It's really got to be integrated into the software, into the process and the operations. >> Absolutely, so, the good news is, if you look at things like we're doing with the security fabric, a lot of it is how do we integrate, how do we bring technology and intelligence down to the end user so that they don't have to do day-to-day mundane tasks, right? Talking about the swarm networks, what's happening on the black hats' side, attackers are gettin' much quicker, so defense solutions have to be just as quick if not faster, and so that's what the NOC-SOC integration is about, right, how we can take network security visibility, put it into things like our FortiAnalyzer, manager, SIEM appliances, right, be able to bring those solutions so, again, when it comes to a NOC and SOC operation, how do you bring visibility into threats? How do you respond to those threats? More importantly, how do you also have automated security defense, so agile defense, put up? >> Right. >> We talk about concepts like agile macrosegmentation, right? That's something we're doing with Fortinet, how we can look at attacks and actively lock down attacks as they're happening is a really concept, right? >> So, really, just to isolate 'em within kind of where they've caused the harm, keep 'em there until you can handle 'em and not let 'em just go bananas all over the organization. >> Yeah, yeah, so you can think of it as, like, an active quarantine. We've also launched our threat intelligence services. So, this is bringing the why. There's a lot of intelligence out there. There's a lot of logs. 
We have, now, threat intelligence services that we bring to security operation centers to show them: here are the threats happening on your network. Here is why it is a threat. Here are the capabilities of the threat and here's how you respond to it. So, it helps from a CISO perspective, prioritized response on the incident response model to threats as well. >> Alright, well, Derek, we've got to let it go there. We are at a super crazy time crunch. >> I know. >> We'll get you back into the studio and have a little bit more time when it's not so crazy. >> Okay, I appreciate it. >> Alright, he's Derek Manky, I'm Jeff Frick. You're watching the Cube from RSA 2018, thanks for watchin'. (soft electronic beat)

Published Date : Apr 18 2018

Derek Manky, Fortinet | Fortinet Accelerate 2018

(upbeat techno music) >> Narrator: Live from Las Vegas, it's The Cube, covering Fortinet Accelerate '18, brought to you by Fortinet. >> Welcome back to The Cube's continuing coverage live from Fortinet Accelerate 2018. I'm Lisa Martin with The Cube, along with my co-host Peter Burris, and we're very excited to welcome a Cube alumni back to The Cube, Derek Manky, the global security strategist from Fortinet - welcome back! >> Derek: Thank you, it's always good to be here. We have great conversations. >> Lisa: We do. We're happy that you think that. So, lots of news coming out today. But, I want to kind of start with, maybe a top-down approach, the theme of the event: strength in numbers. >> Derek: Yes. >> Lisa: As a marketer I'm like, "What are they going to share?" And of course, Ken and a lot of your peers shared a lot of interesting statistics. From your standpoint - what you're doing with FortiGuard Labs, strength in numbers, help us understand that from the technology standpoint. What does that mean to you? >> Derek: Sure, sure. So, there's a couple aspects to that. First of all, I've always been a firm advocate that we can never win the war on cybercrime alone. We have to be able to collaborate; collaboration is a key aspect. The attack surface today now, just from if you look at the complexity of attacks, the attack surface is massive today. And it's going to continue to expand. I mean, 15 years ago, we're just dealing with, you know, threats that would operate on IRC channels or something, you know, some websites, and just some spam attacks. Now, we have to deal with that in addition to this growing attack surface, right? Specifically, with IoMT - the Internet of Medical Things, OT, as well. You have within that OT umbrella, obviously, things like the connected vehicles and all of these different things, which I know you've seen here, also, at Accelerate. So, when we look at that attack surface, you need security in all aspects - end-to-end, right? 
And so, from a security architecture perspective, strength in numbers is important to have that whole coverage of the attack surface, right? That's not complex and easy to manage. At the same time, being able to interoperate: that's another strength. You know, the more a structure is bonded or glued together, the more resilient it's going to become. That's the exact concept of the fabric, right? The more that we can interweave the fabric and connect the different nodes together and share intelligence, that becomes a much, much stronger structure. So, to me, the strength in numbers means collaboration, information flow, and also end-to-end coverage between the security solutions. >> Peter: But it also means, you know, the growing ecosystem; the need for additional expertise, greater specialization in people. Talk a little bit about how, from a strategy standpoint, Fortinet is helping prepare people for different types of inclusion, different types of participation; what it means to be great, in a security way. >> Derek: Yeah, absolutely. I think there's very (mumbles) We're taking a multi-pronged approach to that. If you look at things like our NSE training program - it's the largest in the industry - so, training other experts through our partners. Growing, doing that knowledge transfer in expertise onto new features, like we're doing here at Accelerate, is critically important. So, that's one aspect when you look at the ecosystem. When you look at something like FortiGuard, as an example, what we're doing. We have, traditionally, you know, we've trained up a very large team; we have 215 security experts at FortiGuard, which is, for a network security organization, one of the largest in the world, if not the largest. >> Peter: And FortiGuard is a practical and active think tank, right? >> Derek: Absolutely, yeah. 
It's many things, it's reactive protection, it's proactive protection, it's - now we've just launched the FortiGuard AI, as well; artificial intelligence, machine learning, that's all the threat intelligence aspect. So, it's threat detection and response. Again, if you look at technology, when we started just with antivirus and intrusion prevention and things like this, it was very signature-based and reactive. We went from signature-based detections to anomaly-based detections. Now, the third generation of this is machine learning and deep learning. And going back to your question: we don't ever want to replace humans - because humans are very important in this ecosystem - rather, repurpose them, right? So, what we're doing, as an example, is when we, you know, train our analysts. Instead of having them do day to day tasks like some signature creation or something like this, we can actually have AI systems replace that to identify a threat, respond to it, and then repurpose those humans for something more strategic, you know, looking at the context, "How bad is this threat?" "Why is it a threat?" "How do we respond to it?" "How do we work with partners and customers?" We've launched our threat intelligence service, as well. This is a good example of something we've used internally within FortiGuard to protect customers. Now, we're offering this as a service to customers for security operation centers. We also have our FortiAnalyzer product and incident response framework. These are all key components that we're empowering organizations with to be able to respond to those threats. But, again, strength in numbers, it's this ecosystem working together. So, fabric-ready partners is another good example of that strength in numbers, I think, too. >> Peter: Well, I remember the first time I walked into a NOC and found the security person and their eyes were literally bleeding. 
(Derek chuckles) And it's nice to have AI be able to take that kind of a load off, to be looking at some of these challenges, some of these anomalies, things previously we expected people to be able to uncover. >> Derek: Yeah, and (mumbles) when we talk about AI, to me, it's a trust exercise, as well. When you talk about machine learning, it's an accuracy problem, right? "How accurate can the machines really be?" When we pass the torch, as I say, to the machines to be able to take on those day to day jobs, we have to be able to trust it, saying, "You're doing a good job and you're accurate." So, we're using supervised learning, right, where we have our human experts actually training the machines - that's a good use for them, instead of just doing the same cycles day to day, you know, as an example. That's another way that we're scaling out that way. I think it's absolutely required in today's day and age. If you look at the numbers, it's an exponential curve right now. Last year, one year ago today, on average we're seeing about a million hacking attempts in just a minute across the entire globe, right? Now, we're seeing that number up over four million. So, it's increased four-fold in just a year, and that's just going to continue to rise. So, having that automated defense and AI machine learning; machine learning's just a learning aspect; the AI is the actionable part - how we can take that intelligence and put that into the fabric so that the customer doesn't have to do that themselves. I mean, the customer doesn't always have to be involved in the security aspect of that, and that's how we start reducing on the complexity, too. >> Lisa: You mentioned a couple terms that I wanted to pivot on: proactive/reactive. One of the biggest challenges that we hear from the C-suite in this perspective is visibility, complexity, but also high TCO reactivity. 
Where is Fortinet enabling, when you talk to customers, that shift, that successful shift from reactive to proactive? >> Derek: Right, yeah. Good question, very good question. I think - just parallels - I mean, they're both always going to have to exist, that's just their nature. I mean, if you keep walking across, you know, it's like Frogger - if you keep walking across a busy highway, you're going to get hit eventually, 'cause there's that much traffic, that much attacks coming, right? So, again, the incident response angle - using detection systems and, you know, threat reporting, and this intelligence service to be able to, you know, alert on what sort of attacks are happening and how to prioritize that is one way on the reactive end. On the proactive end: consulting. We have a team of consulting engineers and specifically, ones on FortiGuard, so threat experts that are able to actually analyze. So, we have programs, like CTAP, a cyberthreat assessment program, that is able to go into these new networks as a free service and do assessments. So, audits and assessments on the state of security on that network - end-to-end, right? So, we're talking even up to the distributed enterprise level. It's very, very important because we're in a day and age of information overload, especially if you talk to, you know, most CSOs (chief security officers) I talk to, they say "Derek, I got so much traffic being thrown at me; I have all these security logs that are lighting up - how do I prioritize and respond to that?" So, if you can understand who your enemy is - what they're up to, then you can start building an appropriate security strategy around that, as opposed to just building checkboxes and, you know, building a fort and thinking you're protected against everything. That's a very important part. 
And, of course, there's proactive security technologies: anomaly-based, you know, things like sandbox detection that we've already integrated into the fabric ecosystem. But, visibility is key first; know your enemy, understand it, then build up a stack around that. >> Peter: So you're a strategist? >> Derek: Yes. >> Peter: What's the difference between a security strategist and a strategist - a business strategist? And, specifically, how is security strategy starting to find its way into business strategy? >> Derek: Really good question. So, it's becoming blended, right, because security is a vital part of business today. So, if you look at some attacks that even happened last year, there's targeted attacks that are starting to go after big businesses; critical revenue streams and services, because these are high payouts, right? And so, you know, if you look at building a business, you have to identify what are your digital assets: that can include services, intellectual property, and what would happen if that service was, you know, if there was a denial-of-service attack on that? How much lead or revenue loss are you going to have versus the cost of implementing, you know, an adequate security structure around that? So, you know, security's a board-level discussion right now, right? And so, when I think you look at building up these businesses, security should be, by design, from the top down - let's start it there. >> Peter: But, is it finding its way, and we've asked this question a couple times - at least I have - is it finding its way into "Hey, my balance sheet is a source of competitive advantage; my sales force is a source of competitive advantage." Are your security capabilities a source of competitive advantage in a digital business? >> Derek: I would say absolutely, yeah. It's starting to find its way in there. 
If you look at regions like Australia, you know, they just implemented a mandatory breach disclosure, right, so then, any business that is earning, I think it's like over two million dollars in revenue, needs to, you know, have a certain security posture in place and be able to respond to that. And that's trust and brand recognition. So, because, having, you know, cases like this, building trust with your provider, especially if we talk about, you know, cloud services; I'm putting my data into your hands and trust. How well do you trust that? Of course, if there's good reputation and a powerful security solution, you know customers are going to feel safer doing that. It's like, are you going to, you know, put your gold in Fort Knox or are you going to put it, you know, bury it in your backyard? There's a definite relationship happening there. >> Lisa: I read (hesitates) I didn't read this report, but I saw it the other day that in 2017, a kind of cybercrime report that said by 2021, which isn't that far away, that the global impact will be six trillion dollars in cybercrime. >> Derek: Yeah. >> How do you see the public sector, the private sector working together to help mitigate that, where that cybercrime is concerned and the costs that are so varied and large? >> Derek: Yeah, it's not just cybercrime, either. It's cyberterrorism, these other aspects, especially if you're talking about public sector, if you're talking about critical infrastructure and also with, you know, energy sector and operational technology and all of these things, too. So, you know, it becomes very important for doing a collaboration in alliances - that's something that's actually close to my heart. You know, at Fortinet and FortiGuard, we've formed several strategic partnerships in alliance with public sector, mostly, you know, national computer emergency response, because we feel that we have a lot of intelligence. 
We're very good at what we do, you know, we can protect customers; detecting threats. But, if there's an attack happening on a national level, you know, we should be able to empower - to be able to work together to combat the threat. It's the same thing even with cybercrime, right? So, as an example, we work with law enforcement, as well, with cybercrime, trying to find threat actors in the adversary; cybercriminals are running their own business, and the more expensive you can make it for them to operate, it slows down their operations. >> Peter: A COGS approach to competition. >> Derek: Yeah. (chuckles) Yeah, yeah. And, you know, they're always going to find the path of least resistance, right? That's the whole idea of security, strategy too, is, we call it the "attack chain," right, this layered security - that's the strength in numbers theme again, right; end-to-end security that makes the whole security chain stronger 'cause of that bond and that makes it more expensive for the cybercriminals to operate, too. So, as an example, like I said, national CERT, law enforcement; we're even teaming up in the private sector - the Cyber Threat Alliance, as well, that's been a very successful project; Fortinet's a founding member, I'm on the steering committee of the Cyber Threat Alliance. >> Peter: It was Ken's brainchild, wasn't it? >> Derek: Yeah, yep, yeah. And so, you know, we're competitors in the industry but we're actually - it's a friendly environment when we meet and it's actionable intelligence that's being shared. Again, it comes down to how well you can implement that technology, or that (hesitates) information in your technology - that's an important part. >> Lisa: So, here we are at Accelerate 2018 the - I think Ken was saying the 16th year of this event. What are you looking forward to in 2018 for Fortinet, looking at the strength of the partners - those behind us. What's exciting you about the opportunities that Fortinet has in 2018? 
>> Derek: It's never a boring day. (laughs) There's a lot of interesting opportunities to work with. I think it's - what's exciting to me is the vibe. People are very keen on this, right? If you look at our fabric-ready program, it's growing quite significantly and I think it's fantastic, there's a lot of people, you know, that are energized and willing to work in these programs. There's a lot of programs we can build at, specifically, FortiGuard, as well. Like I said, these threat intelligence services that we're offering to our partners now, which include, you know, proactive alerts, early warning systems. That empowerment and, you know, working together definitely excites me - there's a lot of opportunities there. And there's going to be a lot of, you know, challenges to overcome. If we look at the threat landscape right now, you know, one thing I'm talking about is swarm bots. It's this swarm intelligence - there's parallels here again; we talk about strength in numbers and what we're doing on our side. The bad guys are also teaming up and doing strength in numbers on their side, too. So, we're looking at on the horizon threats like this that are using, leveraging, their own learning mechanisms, being able to self-adapt to be much quicker to attack systems, right, because that's on the horizon - we're already seeing indications of that; we have to get this right. I think for the first time in the industry, you know, we're doing this right. You know, if you look at years past, cybercriminals, they can do a million things wrong and they don't care, right? So, we need to be able to overcome more hurdles. If we work together, which we're doing right now; I think for the first time, we have the opportunity to have an advantage over the cybercriminals, too. So, that's also exciting. >> Lisa: Definitely. We've heard a lot of, I think, conversation today along the spirit of collaboration, compatibility. 
So, that sentiment, I think, was well represented from your peers that we've spoken with today. >> Derek: Yeah. Everybody has a part to play, I think, right? And that's the thing - you mentioned the word "ecosystem" and that's exactly what it is, right? And that's another brilliant thing we're finding is that everybody brings some strength to the table, so that's another aspect, and I think people, you know, are realizing that organizations are realizing that they can actually play in these collaborations. >> Peter: It's not a zero sum game. >> Derek: No. >> Peter: It's not. I mean, there's so much diversity and so much opportunity and this digital transformation going to have touched so many different corners in so many different ways. >> Derek: Yeah. >> At this point in time, it's "How fast can we all work together to take advantage of the opportunities?" and not "Eh, I want that piece and I want that piece." because then the whole thing won't grow as fast. >> Derek: Yeah, and, you know, the other challenges - the technology challenge, and that's something we are addressing as well. Like, we're actually creating a solution to this - a framework, as we did with the cyberthreat alliance, but also with the fabric program, as well, so having those tools is very important, I think, as well, to help grow that ecosystem, right? >> Lisa: Exciting stuff, Derek. Thanks so much for joining us on The Cube and sharing some of the things that you're working on, and, it sounds, like you said earlier, never a dull moment; every day is a busy day. >> Derek: Absolutely not. Yeah, there's a long road ahead and I think there always will be. But, like I said, it's a lot of exciting times and it's good to see progress in the industry. >> Lisa: Absolutely. Well, thanks for your time. We look forward to our chat next year and to see what happens then. >> Derek: Okay, thank you so much! >> Lisa: Absolutely. 
We want to thank you for watching The Cube's continuing coverage of Fortinet Accelerate 2018. For Peter Burris, I'm Lisa Martin, and we'll be right back after a short break. (subtle electronic song)

Published Date : Feb 28 2018



Derek Manky, Fortinet | CUBEconversation


 

(upbeat music)
>> Welcome to a CUBEConversation. I'm Peter Burris with Wikibon SiliconAngle. I am having a great conversation today with Derek Manky, who's a global security strategist at Fortinet.
>> Yes sir.
>> Lots to talk about, Derek. I don't want to be too topical here, but still, why don't you tell us exactly what a global security strategist does.
>> Yeah. So, obviously I've got a global region. We're looking at the past, the present, and the future. When I say that, we're looking at past events, learning from security, we're looking at present events, reacting to them, trying to beat the bad guys to the punch, doing advanced research on darknet, but also looking at statistical trends and modeling, a lot like a weather forecast. So, we're doing modeling as to where threats in the future, based on our expertise, knowledge and, obviously, a global telemetry base of data. Billions and billions of data points we look at.
>> Everybody knows that this is enormous, that security in the past informed the current, and we are all worried about the future, but let's talk about where we are right now.
>> Derek: Sure, sure, yeah.
>> What is the state of things in global cybersecurity?
>> It's flashing red, unfortunately, we're in this state. And what I mean by this is, CSOs and the likes always have to look at flashing red on their dashboards. They're a lot like car alarms and we get so many events that are happening day in and day out and we need to start looking at them and prioritizing: How do we respond to these events? What's the severity level of these? What are these events? And the context around that and why it matters. We look at a lot of events that are happening today, obviously we get into the IoT world, that's here, mobile threats are here. We've gone from, just from one year ago, we had about 2% of the global attacks that we see were mobile, that number is reaching close to 10% now, so mobile threat activity is accounting for nearly 10% of all global activity that we're seeing. IoT is the next rising star that we're seeing in that as well. That's really the state that we're seeing.
>> So, there's no really new normal in global cybersecurity, it's constantly changing, so give us an assessment and some insights into how the threat target is changing. What is the surface area and the surface attack area that we're worried about as we go forward?
>> Sure. Up and to the right. What I mean by that is when I say that, we're seeing, obviously, volume increasing, and we're seeing the level of sophistication increasing in the threats as well. A lot more automated clever techniques are being put into threats. The attack surface is shifting into the IoT world, as I mentioned. Some of the top attacks we're seeing are CCTV cameras, which by the way, are not closed-circuit anymore, IP security cameras, we're looking at DVRs, consumer-grade routers, printers, all of these different devices now that are not just, obviously Windows-based as well. Because of that, the amount of volume of threats is increasing that attack surface, there's much more interconnectivity into these devices, which is a very large issue. We're dealing with a zero-patch environment now, as well. The reality is there's just not enough patches readily available for these devices too. And again, that comes back to the security strategy piece, we have to strategize.
>> We're used to thinking about PCs being attacked, or servers being attacked, what happens if your router gets hacked in this way? Give us a little insight into how that propagates into a problem.
>> Yeah, so worm-like activity, we look at a lot of, what I'm calling, shadow nets. These are IoT botnets. What I mean by that is you get a piece of code like Mirai, Hajime, there's also other flavors of this that we're seeing out there that basically look to propagate like a worm, spread from router to router, or different device to different device, plant malicious code. And then, once they have that, obviously, the device is compromised and it can be used for anything. It can be used for altering DNS traffic, hijacking credentials, it can be used to launch a DDoS attack, like we saw with Mirai last year, as well. It's also being used now for more sophisticated attacks, so we look at like the Hajime botnet. Unlike Mirai, which I would consider more of a non-intelligent botnet, it's just using brute force techniques, Hajime is using automated techniques to download new password lists and try different attacks using updated and dynamic intelligence as being built into this automated code now as well.
>> That sounds like it's an enormous amount of fun (laughs). We're talking mainly about devices at this point in time, but when we think about digital business, Wikibon likes to say that digital business is different from business in how a digital business uses data. And the idea that data is increasingly becoming an asset and is a differentiator for your business, especially in how you do things from engagement standpoint. How is the idea of data as an asset and the need for these new threats, this new landscape, going to come together over the course of the next few years?
>> Yeah, absolutely. That's a really good point, what you bring up. Data is highly sought after by these threats. The initial stage of attack is building infrastructure and that's been done. We talk about these IoT botnets as gaining a foothold into networks where data is either stored or in transit, especially on mobile. And when we look at how data is stored or in transit, often enough it's stored for too long, it's too persistent, it's not stored properly, it's not hashed or salted and these sorts of techniques, and it's often, it may be going to the wrong places, or giving permission to the wrong users. These threats now that have a foothold onto these devices, can easily scrape and use data, send to their command and control operators, botnet operators, and then that data, as you are very well aware, can be used multiple times. We're seeing this data used, obviously, sold through crime services, sold on data dumps, on darknet. It's being used for things like identity theft, money mules, and laundering. We worked on a case last year with the EFCC in Nigeria, and INTERPOL, that's the expert working panel I'm on, we took down a $60 million crime ring. The heart of that crime ring was money laundering and that all revolves around identity theft, as well, which is all data.
>> Right. So, let's build on this a little bit because one of the things I think people frequently get wrong is they don't understand data as an asset and that a crucial feature of it is it can be copied, and can be applied in two places at once. Now, that has a lot of business implication, but let's talk about the security implication. If somebody steals my money, I immediately know that my money is gone. If somebody steals my data, I may not know that my data is gone because it can be copied, and it can be reapplied and reused and I may never know it. Now, we're looking at a recent breach here at a big supplier's credit services, 165 million accounts being hacked. That might have only taken five minutes to download the data associated with those 165 million accounts, but that was probably a persistent, a few months, or maybe years getting to that point. What does a business have to do differently, from a security standpoint, to actually be able to capture those smaller events that may not have immediate proximate damage, but lead to a big hack like this?
>> Yeah, absolutely, that's a really good point. Obviously, the threat landscape is extremely volatile. There's a lot of different characteristics or features you have to look for in these attacks. You're completely right, most of these attacks we see can lay resident for months on networks. In fact, they want to lay as silent and as stealthy as possible. As I said, it's much more tricky today because threats are becoming more sophisticated to try to obfuscate into data flows and to try to remain silent on networks. What can be done, from an organization standpoint, is absolutely turning it around, looking at detection first. Threat intelligence, applying threat intelligence to detection. You need advanced threat intelligence to be able to find advanced threats. We're talking about solutions like SIEM, and so forth. Once you can see that threat activity on the network, that's key. Obviously, launching into incident response, how we deal with this, shut down that threat to mitigate the window because, otherwise, if you have a wide open window, obviously, more data is going to be leaked, the more data is leaked, the more damage and collateral damage is going to be done.
>> And that's, still we're talking about consumers, which are problematic. But, when we start talking about critical infrastructure, we're talking about the social fabric itself.
>> Yes.
>> What new visibility, because Fortinet and auto research are on this, what visibility does Fortinet have into what's going on with some of the new critical infrastructure security--?
>> Yeah, so looking at our threat landscape report, unfortunately, this is the normal still. I wouldn't say it's the new normal, in this case, because we're seeing 90% of organizations that are still facing attacks on application vulnerabilities that are three years or older. When we look at critical infrastructure, it is over nine times, if we look at all industries, and just compare critical infrastructure to that baseline, so we're nine times higher with the attacks on these application vulnerabilities. And so, the problem, unfortunately, with critical infrastructure, we're still seeing a lot of attacks on these IoT devices that are connected, the CCTV cameras, other things like that, that can be used as launchpads because they're not traditionally inspected by security. They're in a tough position with critical infrastructure, also healthcare, and ICU, critical care networks, because they're resistant to patch sometimes because if the patch is done, it could break. They have critical services and processes behind there that it could break it, but at the same time, what we're experiencing is that they're under rapid fire and if they don't patch, it's going to be much more damage done because we're seeing tremendous volume of attacks on those vulnerable applications lying on the networks.
>> We now have a situation where we're trying to secure our critical infrastructure, which affects everybody, individuals have to be more cognizant of the role that a breach in their home network or their IoT devices can play. Increasingly, we're thinking about: How do we start putting together the idea of brand trust and security? Talk a little bit about how security is going to enter into the lexicon of brand, brand preference, and starting with what brands are going to have to do to transmit their commitment to security.
>> Yeah, so again, we're talking about digital assets, when it comes to that. I think when it comes to brand integrity, if we flashback 10 years, I think, people had a false sense of security. They wouldn't really think twice about where their data is going, how that data is stored, and so forth. But, now that we're seeing consumers having a direct impact, when there are these massive data breaches, I think consumers are finally starting to become much more security conscious. That mentality, switching from that false sense of security, is really going to start having them have that cyber hygiene and have that daily thought process of where's my data going and they should have this. Where is my data going? Who is storing that? What are their security practices? Being able to readily access that sort of information on security posture. I think it's going to be critical moving forward--
>> So, what is it? Because this is very complex stuff, there are a limited number of people in the world who understand this really deeply. You're one of them, obviously. What does a consumer, then, have to know about security to be able to make that type of assessment? Because that's going to lead to some new conventions that we can start to promulgate and diffuse for how to get smarter about things. Is there like one or two things that someone has to be really aware of right now, questions that they can ask to get to that point where you're saying that they could be, therefore, smarter about how to evaluate different brands?
>> I think they really have to, just at a basic level, treat their identity, treat their information, like the keys to their car, or their keys to their house, and their family's. It has to be personal, and so they have to be able to understand that they have a part to play, but they also have to understand that if I walk into a house and I leave the keys on the table somewhere and walk out, that somebody else can still easily access that. As opposed to me putting the keys to my car in a locker when I'm somewhere else. That is what they have to understand is that their assets, where they store those assets, and how they transmit those assets, is ultimately going to come back and impact them.
>> If Wikibon says that digital business is about a business using data differently, in a matter of respects about what we're talking about, is digital life is a recognition, an acknowledgement, that data is playing a different role in your life and being really, really clear about that as an asset in the way that you conduct yourself.
>> Yeah. And I think moving forward, that's just going to become even more critical. As I said, we're going to have more and more, as I said, with the world of IoT coming now, there's going to be more and more impact on daily life, there are more transit points for those data to go to.
>> But the reality is, even though you're right, people don't, we might have been saying, "What about digital security?" a number of years ago because it wasn't on the forefront of everybody's minds. There are things that people can do to be smarter about this, treat your digital identity as an asset and be careful about it, but the reality is, most of us aren't really going to be smart enough to really make good decisions in this regard, we're going to rely on automation. Also, as you said earlier, we know that the bad guys are doing more with automation. Even if automation is not the complete goal, how are we going to fight more automation, on the bad guys' side, as we try to have more people involved in these good digital security practices?
>> Yeah, there's a couple of approaches to that. First of all, number one, there is a severe, this is not a surprise or news, but there's a severe shortage in cybersecurity professionals out there. As you said, not a lot of people understand this stuff deeply, especially when we get down to the consumer level. How can we arm them to defend against all of this automation that the black hats are doing? We need to fight automation with automation. We need defensive measures, we need scalable security solutions, interconnected security solutions, security solutions that integrate threat intelligence, as well, to be able to identify the different stages of these threats. And the key here is quickly reacting to that because these threats are moving so quickly from the black hats' side, automated defense layers need to be able to identify those aspects of the threats and then make decisions, this is the key part, make a decision. This is what I call actionable intelligence. A security solution that can make a decision on its own, it's what I refer to as an expert system, is what's required to be able to block those, so that the people who don't know anything about these threats and worse, respond to them too slowly, don't have to do those measures. This is the idea of having an integrated intelligent security fabric.
>> And where are we going to get that?
>> Our approach is the security fabric. This is the Fortinet security fabric where we can take integrated intelligence, scale it up and make automated decisions that humans, we don't have to get rid of the humans, but we can repurpose the humans for that nature.
>> Derek, once again, great insight. I think we'll call it a wrap there. Once again, this has been a CUBEConversation. I'm Peter Burris, Wikibon, and Derek Manky, who's the global security strategist at Fortinet. Derek you and I have had, a couple of times, have talked, and every time it's been really insightful. The work you guys do is absolutely essential in today's world, so thank you very much for doing that.
>> Yeah, it's a pleasure, anytime.
>> Until we have another opportunity to speak again, track CUBEConversations, let's get the signal out of the noise. (upbeat music)

Published Date : Sep 10 2017



Derek Manky, Fortinet | RSA Conference 2017


 

(upbeat instrumental music)
>> Hey welcome back everybody. Jeff Frick here with the Cube. We're at the RSA Conference in downtown San Francisco. 40,000 security professionals here talking about how to keep us all safe, especially when we're in autonomous vehicles, especially when we have connected Nest devices. It's a crazy wild world. We're excited to be joined by Derek Manky, the global security strategist for Fortinet. Welcome.
>> Hey thanks, pleasure to be here.
>> Absolutely.
>> We'll talk security right?
>> Well I hope so. So for folks that aren't familiar with Fortinet, give us kind of the overview of what you guys are doing.
>> Sure I mean tons of different things. So, you know, my department, I work directly with our global threat intelligence team and our labs. So for over 15 years now, we've been building up our labs. We have over 200 threat analysts and researchers worldwide combing through data at any given minute. But the problem is, the data. We live in a big data world now. There's so much, it's very easy to become overwhelmed with data. So we've taken an approach where we have a very intelligent human expertise team, but we've invested a lot into automation, machine learning, artificial intelligence, that you're going to find that's a very important thing moving forward because we need to be able to stay on par with the bad guys.
>> Right right.
>> The bad guys are very good at automation. They don't have anything holding them down. They're flying full-force, so we're trying to keep up to them. And, you know there's a lot of great initiatives like cyber threat alliance, of course, so we made a big announcement this week on that too.
>> Right. So really as things have evolved over those 10 years, I mean the bad news is the amount of data that you guys have to keep track of is growing exponentially. The good news is the tools like machine learning and AI and Spark and Hadoop and, you know the tools that you have to use are much more sophisticated as well. It kind of works both sides of the coin at the same time.
>> Yeah but you know what? One thing that we found is that there is a lot of information here, there is a lot of data being thrown out there. You have to make sense of the data. So a big theme and a big focus of ours is making data actionable. So threat intelligence actionable. How do you cross what we call the last mile? How do you take data and information and put it into transparent security controls so the end users, like all of our customers, don't have to do that manually. The manual work is what's killing a lot of people out there. There's a huge gap in cyber security professionals out there. People like network administrators, by the time they receive, say, a PDF document or something manual that they have to plug in an IP address or an update, it's often too late. A lot of this information is very perishable, very fluid. So, we're trying to automate that into the security controls. That comes from a lot of that big data, analytics on the back end. We call it a security fabric. So this is where we can weave in that information into all of our different products. End point, from end point all the way up to the cloud. And the cyber threat alliance is a very big initiative. So we're a founding member of that along with the other founding members I mentioned this week. We're working together to share information. And the goal of that is to share information on a platform and then as a member of the CTA founding member take that information in and push that out into those controls in near real time. That's the big thing.
>> That was the big thing right? Because people have shared data before. But it's really kind of this real time emphasis to get it in real time. You know using things like Spark and streaming data. So that you're not reacting after the fact. In the old stat they used to quote us, you know people didn't even know for like 250 days.
>> Derek: Yeah.
>> Or whatever it was.
>> We're bringing a lot of illumination to intelligence as well. Visibility's a big thing. Speed is a very big thing right? How can we get that information out very quickly because like I said the bad guys are moving a million miles a minute. So it's a really important initiative what we're doing with that. The other thing is the quality of information. A lot of information is too hastily shared and I think humans we're at that tipping point right now. Where humans can't fully trust automation. It's like autonomous vehicles.
>> Right right.
>> You're not going to put it fully in control right? You have to start getting a trust exercise with it and that's what we're trying to do, a lot of this intelligence.
>> What was interesting in the keynote this morning one of the new threats they highlighted is people actually feeding the algorithms bad information.
>> Poisoning yeah, yeah. Absolutely, yeah, yeah.
>> Salting the algorithm is what they call it. To send it down a different path than it should be going.
>> I mean the bad guys will put all this thought throughout and evasion techniques. But that's another really nice thing about the cyber threat alliance. Is that we're all collaborating. So we're giving confidence ratings to this. So it's also a quality of sharing system which the industry very badly needs in my opinion too.
>> So what's next? Looking at 2017, we're getting started this February. Oh it's Valentine's Day February 14.
>> Happy Valentine's Day.
>> Happy Valentine's. So a year from now and we talk, what's the top of my priorities? What are you working on for the next little while?
>> Yeah absolutely. Again we're going down the CMO automation. You're going to see a lot on the security fabric that we have. So this is how we can have machines automatically learning about environments. Automatically adapting to environments. You look at a lot of security problems out there a lot of the times it's security 101. It's people misconfiguring firewalls, misconfiguring policies and devices. Not having a proper security device in front of their crown jewels or their asset, their digital asset. So that is a big theme that we're doing, it's taking that intelligence and starting to empower our products and solutions to make intelligence decisions on their own.
>> Right.
>> That's a very big leap forward and we've made significant progress with that.
>> It's interesting that you mention that. There's still a lot of 101 work that people aren't doing to the degree that they should. There was a great line in the keynote this morning that every company has at least one person that will click on anything.
>> Weakest link in the chain right? Yeah.
>> Absolutely. Alright well Derek thanks for stopping by. And congrats on a great show. And really some exciting stuff with that cyber threat alliance.
>> Great yeah thanks, a pleasure.
>> Alright he's Derek Manky I'm Jeff Frick. You're watching the Cube from RSA in downtown San Francisco. Thanks for watching. (instrumental music)

Published Date : Feb 15 2017

Derek Manky, Fortinet | Fortinet Accelerate 2017


 

>> Narrator: Live from Las Vegas, Nevada, it's the Cube, covering Accelerate 2017, brought to you by Fortinet. Now here are your hosts, Lisa Martin and Peter Burris.
>> Hi, welcome back to the Cube, we are live in Las Vegas at Fortinet Accelerate 2017. I'm your host, Lisa Martin, joined by my cohost, Peter Burris, and we're really excited about our next guest. We are talking next with Derek Manky. Derek, you are... first of all, welcome to the Cube.
>> Thank you very much, I'm excited to be here.
>> You have a really important role in Fortinet, you are the Global Security Strategist.
>> Correct, yes.
>> You have a... established yourself as a thought leader with over 15 years of cyber security expertise, and your goal is to make a positive impact towards the global war on cyber-crime. That's a big goal.
>> That's a very, very big goal, but it's a big hairy goal, but it's... critically important, I believe. I've firmly believed this over my whole career, and I'm starting to see some good traction with the efforts that we're doing too.
>> And it's becoming more and more critical every day as breaches and hacks are a daily occurrence. You're also the leader of FortiGuard Labs, you've got a team of over 200. Tell our viewers that can't be here today, what is FortiGuard Labs, what are you doing to leverage threat intelligence to help Fortinet's customers?
>> Sure, so we're trying to manage complexity, 'cause that's always the enemy of security, and we're trying to make it simple across the board. So we're managing security for all of our customers, 300,000 customers plus. That's a big deal, so we had to invest a lot into that in terms of how we can do that to make it simple to the end users. So what FortiGuard Labs is, is it's services we deliver to the end user, protection services across the spectrum, our whole product portfolio. So we have world-class expertise as a security vendor, 200-plus people on the team, experts in each domain.
We have researchers and experts looking at things like industrial attacks, mobile problems, malicious websites, ripping apart, what we call reverse engineering, malware samples to find out digital fingerprints of who's creating these attacks, so we can also work in partnerships with that too. At the end of the day, we have the humans working on that, but we've also invested a ton into artificial intelligence and machine learning. We have to comb through over 50 billion attacks in a day, and so the machines are also helping us to create a lot of this automated protection. That's all driven by our patents, by our world-class development teams, and that gets down to the end user, so that they don't have to invest as much into their own security operations centers, 'cause that's a big OpEx expenditure. So we're helping to alleviate that issue, especially with, as everybody knows today, the big gap in cyber security professionals, so that helps to alleviate that issue too.
>> You said 50 billion attacks a day.
>> That's correct, sir, yes. Potential attacks.
>> Oh, potential attacks. Clearly that means that increasing percentages of the total body of attacks are no longer coming from humans, they're coming from other things.
>> Derek: Absolutely.
>> And how's that playing out?
>> It's a fascinating landscape right now. With every legitimate model, there's an illegitimate model to follow, especially with cyber crime, and what we see in the digital underground, dark web, all these sorts of things. You rewind back to the 90s, your opportunistic hacker was just trying to pop a message bar on a Windows 95 or Windows 98 system at the time. Nowadays, of course, the attack surface has grown tremendously. You look back to DARPA, back in 1989, it had 60,000 systems connected on the Internet; now we have IPv6, 20-plus billion connected devices. Everything is a target now, especially with the Internet of Things.
Smart televisions...
>> Peter: And a potential threat.
>> Exactly, and a weapon.
>> Exactly, and so to capitalize on that, what we're seeing now is cyber criminals developing automated systems of their own to infect these systems, to report back to them. So they're doing a lot of that heavy work, the heavy lifting, using their own machines to infect, and their own algorithms to infect these systems, and then from there it'll escalate back up to them to further capitalize and leverage those attacks. In any given minute, we're seeing between 500,000 to 700,000 hacking attempts across... and this is our own infrastructure, so we're leading in terms of firewalls in units shipped, so we're able to get a good grasp on intelligence out there, what's happening, and in any given minute, well over 500,000 hacking attempts on systems worldwide.
>> So every hour, 30 million.
>> Derek: Yeah, that's some quick math.
>> Yeah, I'm amazing at multiplication. I almost got it wrong though, I have to say. 30 million hacks an hour.
>> Yeah, and so our job is to identify that. We don't want to block things we shouldn't be, so there has to be a very big emphasis on quality of intelligence as well. We've done a lot with our machines to validate attacks, to be able to protect against those attacks, and not... especially when it comes to these attacks like intrusion prevention, that attack surface now, we've got to be able to not just look at attacks on PCs now, so that's why that number keeps ticking up.
>> Lisa: Right, proliferation of mobile, IoT.
>> Derek: It's directly related, absolutely.
>> So this is clearly something that eyeballs are not going to solve.
>> Not alone. So I'm a very, very big advocate of saying that we cannot win this war alone, just relying even on the brightest minds in the world, but we can also not just rely a hundred percent on machines to control it. It's just like autonomous vehicles.
You look at Tesla and these other vehicles, and Google, what they're doing; it's a trust exercise again. You can never pass a hundred percent control to that automation. Rather, you can get up to that 99th percentile with automation, but you still need those bright minds looking at it. So to answer your question, eyeballs alone, no, but the approach we've taken is to scale up, distribute, and use machines to identify it, to try to find that needle in a haystack, and then escalate that to our bright minds when we need to take a look at the big attacks that matter, and solve some more of the complex issues.
>> Speaking of bright minds, you and your team recently published an incredible blog on 2017 predictions. Wow, that's on the Fortinet blog?
>> Derek: Yeah, that's correct.
>> We can find that? Really incredibly thorough, eye-opening, and there were six predictions. Take us through maybe the top three. We talked about the proliferation of devices, the attack surface getting larger, more and more things becoming potential threats. What are the top three, maybe biggest threats that you were seeing, and is there any industry in particular that pops up as one of the prime targets?
>> Absolutely. I'll get into some buckets on this. I think first and foremost, what is primary now in what we're seeing is what we're calling autonomous malware. So this is the notion of, basically what we were just talking about, to your question on what's driving this data, what's driving all these attack points. First of all, the Internet's been seeded with what I call ticking time bombs right now. We have 20-plus, whatever the number's going to be, all of these billions of devices that are connected, that are inherently, in my professional opinion, insecure. A lot of these devices are not following proper security development life cycles.
>> Lisa: Is there accountability to begin with?
>> No, not at this point.
>> Right.
>> Right.
And that's something that DHS and NIST just released some guidelines on at the end of last year, and I think we're going to see a lot of activity on accountability for that, but that has to be taken care of. Unfortunately, right now, it's been seeded; this attack surface is there, so we already have all these open avenues of attack, and that's why I call it a ticking time bomb, because it's been seeded, and now these are ripe for attack, and we're seeing attackers capitalize on this. So what we're seeing is the first indications of autonomous malware, malware that is capable of mapping out these vulnerable points. The machine's doing this, and the machine's attacking the other machines, so it's not just the eyeballs then, and the cyber criminals doing this. We saw last year unprecedented DDoS attacks; this is directly related to the Mirai botnet. We had gone from 600 gig to terabit-plus DDoS attacks; that was unheard of before. They are leveraging all of these different IoT devices as horsepower to attack these systems in a massive distributed denial-of-service attack. The interesting part about Mirai is that it's also using open-source intelligence as well, so this is something that humans, like a black hat attacker, would typically have to do. They would have to get reports back from one of their systems and say, "Okay, now I've found all these vulnerable systems, I'm going to attack all these systems," but they're the glue. So they're now removing themselves as the glue and making this completely automated, where a botnet like Mirai is able to use Shodan, as an example, it's an open-source database, and say, "Here are a whole bunch of vulnerable systems, I'm going to go attack it." And so that's, to my point of view, the first indication of the smart malware, because malware has always been guided by humans.
But now, I think, we're starting to see a lot more of that intelligent attack, the offense, the intelligent offense being baked into these pieces of malware. So I think it's going to open this whole new breed of attacks and malware, and obviously we're in a whole new arms race when it comes to that. How can we get ahead of the bad guys? And so this is obviously what Fortinet is instituting on the autonomous defense, our Security Fabric and Fabric-Ready approach. That's all about beating them to the punch on that, having our machines, the defensive machines, talk to each other, combined with world-class intelligence like FortiGuard, so that it can defend against those attacks. It's a tough task, but I really firmly believe that this year is a year that we have the advantage, we can have the advantage as white hats to get one leg up on the black hat attackers. As I said, for 15 years at FortiGuard Labs we have invested a ton into our AI, machine learning, intelligence, so we're experts on the automation. I don't believe the black hat attackers are experts on automation. So I think for that reason we have a really good opportunity this year, because you always hear about the black hats, another data breach, and all these things happening. They've always had the advantage, and I think we can really turn the tables this year.
>> You have some great experience working not just in the private sector, but in the public sector as well. You've done work with NATO, with Interpol, with CERT. What is your perspective on public sector and private sector working together? Is that essential to win this war on cyber crime?
>> Absolutely, we need everybody at the table. We cannot win it as one single vendor alone. A good example of that is what we're starting to do across the board; this is something I firmly believe in, it's really near and dear to my heart, I've worked on it for the course of well over six years now, and we have a lot of the existing partnerships across organizations, so other security vendors and experts. Cyber Threat Alliance is an excellent example; we're a founding member of that, and these are competitors, but security vendors getting together to level the playing field on intelligence. We can still really remain competitive on the solutions and how we implement that intelligence, but at least... it's like a Venn diagram. You look at that attack surface out there, you want to try to share all that information so that you can deliver that to security controls and protect against it. So the Cyber Threat Alliance is a good example, but that's private sector. If you look at national Computer Emergency Response, law enforcement, we have made great inroads into that, working with the likes of Computer Emergency Response to give them intel. If we find bad stuff happening somewhere, we're not law enforcement, we can't go take the server down and disrupt a campaign, we can't arrest or prosecute people, but they can. But they don't have all that expertise and intelligence that we do, all the data points, so you're starting to see a lot of this spring up, and we're doing a lot of leadership in this area, and I think it's absolutely essential. President Obama last year mentioned it, the Cyber Threat Alliance and the public-private sector needing to work together, in one of his speeches at Stanford, and I believe it's the only way we can win this.
You have to go up to the head of the snake too. If we're always on the defense, and we're always just trying to disrupt cyber criminals, it's a slap on the wrist for them; they're going to go set up shop somewhere else. We need to be able to actually go and prosecute these guys, and we had a really good case last year: we took down, working with Interpol and the EFCC, a 62 million dollar crime ring in the US. They went and prosecuted the kingpin of this operation, out of Nigeria. It's an unprecedented, random example, but we need to do more of that, but it's a good example of a healthy working public-private sector relationship.
>> What an incredible experience that you have, what you have achieved with FortiGuard Labs. What excites you most going forward? We're just at the beginning of 2017, with what's been announced here, the partnerships that you guys have formed. What excites you most about this year, and maybe some of the key steps you want to take against cyber crime as Fortinet?
>> Sure, so I think we want to... so Cyber Threat Alliance is a very big machine, there's a lot of exciting things happening, so that's going to be a really good initiative that's going to carry forward momentum this year. What excites me most? Well, it's not always a good thing, I guess, but if you look at all the bad news that's out there, like I said, I think it's just going to be... there's so much fuel that's being thrown on the fire when it comes to attacks right now. Like I said, these time bombs that have been planted out there. We're going to see the year of IoT attacks for sure. A new version of Mirai has already come out, they're starting to sell this, commercialize this, and it's even more advanced in terms of intelligence than the previous one, so that sort of stuff.
It depends on your definition of the word "excites," of course, but these are the things that we have opportunity in, and again, I think going back to my first point, the white hats having, for the first time in my point of view, a leg up on the black hats, that opportunity, that really excites me. When we look at what's happening moving forward in 2017, healthcare, I think, is going to be a very big thing in terms of attack targets, so we're going to be focused on that, in terms of attacks on not just healthcare records, which are more valuable than financial records as an example, but medical devices, again the IoT play in healthcare. That's a big deal; we're starting to already see attacks on that. Smart cities as well. You look forward to the next three years: building management systems. A lot of people talk about SCADA, industrial control; this is definitely a big attack target, a certain... attack surface, obviously, power plants, electrical grids, but building management systems, and these automated systems that are being put in, even smart vehicles and smart homes, is another big target that's unfolding over the next year.
>> Hard to air gap a home, and certainly not a city.
>> Absolutely, yeah, and again it goes back to the point that a lot of these devices being installed in those homes are inherently insecure. So that's a big focus for us, and that's a big thing FortiGuard is doing, is looking at what those attacks are, so we can defend against that at the network layer, so that we can work with all of our business partners that are here at Accelerate this year to deliver those solutions and protect against it.
>> Wow, it sounds like, and I think Peter would agree, your passion for what you do is very evident. As those bad actors are out there, and as the technologies on the baton are getting more advanced and intelligent, as you say, it's great to hear what you and your team are doing to help defend against that on the enterprise side, and one day on the consumer side as well. So Derek Manky, Global Security Strategist for Fortinet, thank you so much for joining us on the Cube and sharing your expertise with us.
>> It's my pleasure, any time, thank you very much.
>> Well, on behalf of my cohost, Peter Burris, I'm Lisa Martin, you've been watching the Cube, and stick around, we'll be right back. (electronic music)

Published Date : Jan 11 2017

2020 117 John Maddison


 

(upbeat music)
>> Hello, everyone, and welcome to this CUBE Conversation. I'm Lisa Martin. I'm excited to be joined by one of our CUBE alumni, John Maddison, the EVP of Products and the Chief Marketing Officer at Fortinet. John, welcome back to the program. Good to see you.
>> Hi, Lisa. Good to be here again.
>> So we last saw you at the Fortinet Championship back in September, a few months ago, but we've had the opportunity to speak a number of times this year. I've also had the chance to talk with Derek Manky at FortiGuard Labs. There's been so much going on. Let's kind of break down some of the main challenges that enterprises are facing still. And there are four of them here that you're going to address as we wrap up 2021 and head into 2022. And then let's also talk about what Fortinet sees as the solution, the cybersecurity mesh architecture. Let's go ahead and kick off with some of those challenges. As we know, so much has gone on throughout the landscape, that work from anywhere is so persistent, but what are some of the main things enterprises are facing still?
>> Yeah, there's a lot, it's very dynamic right now. And you know, I've been in cybersecurity almost 20 years now, and there's always been these three drivers around the infrastructure changes, the threat landscape and regulatory. And I think when you look at the infrastructure changes, this work from anywhere, which is, you know, kind of the hybrid mode where I'm in the office today, it could be, hopefully in the future, traveling and home. That's going to be here for some time, it seems. And so, you know, enterprises are now saying, I need a longer term strategy around that. I can't just say flip on the VPN and a bit of endpoint security. So that definitely, enterprises are thinking that's going to be here for at least another couple of years. I think they're still running very fast to get the digital infrastructure in place.
And so, and you're seeing network security and the application journey continuing and securing all those things. And then there's, you know, there's the threat landscape, which, you know, we've said, I think back at the PGA, we're seeing this huge increase in ransomware. And yes, there's still activity going on in trying to breach data and intellectual property and identity and credit cards. But just about every industry now is seeing attacks, and it could be financial, it could be manufacturing; ransomware attacks, that continues. And then I think there's a couple of other things. There's the supply chain things, which are also happening, but we're definitely... I was just speaking to a customer a minute ago, and they were finding it very hard to find the right skilled professionals around cybersecurity. And it kind of, it's like a hierarchy. I need to find somebody; it's hard to find somebody in IT. It's hard to find somebody in cybersecurity and IT. It's hard to find somebody in IT, cybersecurity and containers. And so, you know, the more you go in depth, the harder it becomes, and it's not even finding people, it's retaining people as well. And so, you know, recently Fortinet committed to training another million. We've already trained 750,000, but training another million people by 2025 in cybersecurity.
>> That's outstanding. We've talked about that skills gap before in a number of conversations, about all the work that Fortinet's doing, including with veterans, which is something near and dear to my heart. But the work from anywhere, I wanted to talk with you about that, because that presents a lot of challenges for organizations. And I was reading some stats that a significant percentage of enterprises expect that this is going to increase in 2022. How can it increase from where it is now? What are some of the things that you're seeing, and how can Fortinet help customers address this persistent challenge?
>> Yeah, well, I think it's increased, or it's just the ratio between home and at work and travel might be changing. And again, as I said, I think a lot of companies said, well, let's just put something in place now and it's going to go away. Well, it isn't going away. And so what Fortinet are looking to do, and I think it's not just one point product. It is a combination of technologies. It could be endpoint security. We're even looking at, you know, at-home networking through our own devices or our partnership with Linksys. It is looking at that zero trust architecture. It is looking at more network security, whether it be in the data center or in a cloud. I think what's important, though, is two things. One is that no matter if you're on the network, off the network or traveling per se, then you need the user experience to be the same, or simple. I can't just change the way I work because I'm at home versus travel versus, you know, in the office. And the security needs to be consistent in those three places as well. So our goal, when we bring some of those solutions together, zero trust and endpoint and network security and policy and identity, is to give the same user experience, a simple user experience, and the high level of enterprise security, no matter, you know, if you're on or off the network. And those are the key. And I think today customers kind of struggle because they've probably got four or five vendors in those different areas, and they're trying to make them work, and it's very hard. And so that's why we, you know, we put forward more of a platform approach per use case with doing that.
>> Let's talk about some of those key use cases. And you mentioned ransomware a minute ago, and just as of a couple of days ago, Kronos is, you know, the latest big-name organization to be hit. A lot of folks concerned; so many big companies and small companies rely on them.
It's not going to affect, you know, the last paycheck in December, but that's a use case that Fortinet has been covering for a long time. I think when we spoke a few months ago, 2020 to 2021 ransomware was up nearly 11-fold. What are some of the things going on there, and how are you guys working with customers to address that as we enter 2022?
>> Yeah. Well, I definitely think you also saw the, you know, the recent vulnerability, the Log4j, and that sits in a lot of systems. Now that sits in a lot of customer systems. It sits in a lot of security systems as well, by the way. So we come back to this, you know, supply chain issue. And so customers are kind of accepting that this is going to be... as this attack surface of the network and cloud and devices and users, and whether or not the network, you know, keeps continuing to expand. They're going to accept that these zero days are going to come along. They're going to, they also understand the sophistication of the threats. We're seeing a lot of activity of the threats in the reconnaissance space, and they're looking at your external attack surface and working out how they can get in. And so I think customers are accepting that this is just getting more sophisticated, there's a bigger attack surface. And so what they're looking at is to deploy some more detection capabilities, more just training of people not to click on stuff, but, you know, building infrastructure so it's segmented. Long-term, though, the only way to defend against these ransomware attacks is to use a platform that then allows you to build automation, that long-term allows you to build some contextual engine. Why, when, where, what are you doing? Otherwise it's just going to be too hard, just trying to bolt together, you know, 10 or 15 products from vendors that don't get on well, even at the best of times. So yeah, that's, it's long, it's a long-term architecture that is the only thing that's going to work for customers.
>> And for a long time, I think probably since I've known you, John, Fortinet has been talking about the Security Fabric. Now Gartner is talking about the cybersecurity mesh architecture. Talk to me about those two. How similar is that? How leading edge was Fortinet, and describe what a cybersecurity mesh architecture is?
>> Well, it always takes a while for Gartner to catch up with us, but they, if I'm joking, Gartner please accept the apologies. That, you know, I think they've started talking about this cybersecurity mesh architecture, mesh. And what they're saying is that, you know, these products need to talk to each other. And yes, you can send things off into a central location for SIEM or operational management, but they really need to talk to each other and transfer, exchange threat intelligence. They need to be able to exchange policy. Long-term, they also need to be able to build automation. You know, a really good example is if our EDR system detects that your laptop has got a virus or a vulnerability, then I can, the EDR system will tell the zero trust policy manager, don't allow access to the application. Or it could, if you're on the network, you could tell the Wi-Fi, take off, take them off the network. So this automation, this integration, is the real long-term goal of the Gartner mesh. It's always been the long-term goal of Fortinet. Yes, we do individual products. You can buy them, but the real power long-term is to get that automation built into the platform. And as I said, even longer term, start applying contextual rules, which will be super powerful in stopping, you know, attacks and breaches.
>> Tremendous amount of power and capabilities that that context will provide.
I was looking at some stats from Gartner, and they said that by 2024, which is, we're two years basically away from that, organizations that do adopt this cybersecurity mesh architecture to integrate security tools, to work as a collaborative ecosystem, see a significant reduction in the financial impact of security incidents, by 90%. That's huge, and I know that you guys also have integrations with over 450 third-party technology partners as part of the Security Fabric. So you're ahead of the game.
>> Well, it's not saying, you know, just buy from Fortinet, that's what you need to do; it's not saying that at all. What I think Gartner is saying, and what we've been saying, is that you take a use case like work from anywhere and then build your platform, a platform for that use case. Now, what we are saying is, again, it's not saying you go from 30 products down to one; you go from 30 products down to maybe five or six platforms, but those platforms need to work together. They also need to exchange threat intelligence and policy and build automation. And so I think the platform approach... every CSO I speak to is just tired of buying another product, another product. They just want to get something that works and is automated long-term. And so the platform and the Gartner mesh. It's a slightly different concept, but something else we call convergence. Okay. So consolidation is consolidation of the vendors, but you may still have the same number of products. You still may have an endpoint and a zero trust and an email. Convergence is different, where we bring it together and eliminate individual products. A really good example of that is SD-WAN, that brings together security and application routing. And that goes back to a concept that Fortinet has had since our beginning 20 years ago.
And that is the original internet that we still use a lot today really has no idea who you are, what device you are using, where you are going, what application, what's the content. No clue, it just connects you. And so that leads to a lot of security being bolted on afterwards in different places. And so this convergence, we call it security-driven networking, where you start to integrate the security, which may be contextual, it may be identity, maybe application routing like SD-WAN, maybe content like next-gen firewall. You bring those together. Now, when you do that, you face some compute challenges. And we've been one of the pioneers in building ASICs that allow this acceleration to bring this convergence together. But that's another area that's happening as well. It's different from consolidation, but it's bringing together that security and networking so you're not bolting things together as you go forward. >> Different from consolidation, but incredibly important to be able to reduce those silos as businesses are facing some of the challenges that you talked about, the persistence of work from anywhere, the threat landscape, the cybersecurity skills gap. >> Yeah. And you can do this convergence in different places. So you can do it at the cloud edge because you can throw a lot of compute at it. At the WAN edge, you probably need an ASIC approach, data center edge, a 5G edge. There's the LAN edge, which is the connectivity. Cause I sometimes have people go, well, let's just put all the security in the cloud, but now, yes, you do need security in the cloud. You need security from the cloud, before the cloud, but there's also security needed at these edges. And there's also another area that's been under huge attack now, which is operational technology. So manufacturers, energy, gas, everyone has really got some physical infrastructure. Even a branch you can consider to be operational technology, and they've got cameras and other capabilities.
So that, especially for the traditional operational technology, that's hard to open up. Because you need access, you need remote access, and we're seeing a huge amount of attacks there. In that world, you know, you've got to put the security there, physically with it, to make sure you secure those components. >> What about the, from a challenge perspective, John, we talked a lot in the last year, 18, 20, 22 months, I'm losing count, of the acceleration of digital. What are some of the security opportunities there that provides Fortinet to help customers solve that, if the acceleration is happening faster than, some of the, you know, their security infrastructure can keep pace? What are some of the opportunities there for you guys to help customers address that problem? >> Well, this has always been a battle between security and networking. You know, networking has gone to 400 times faster than it was before. Security, a lot of it is still software. And so, you know, what you don't want to do is have the security team say no all the time. No, don't do that project, it's too insecure. Stop doing that. No, slow down on that. And that's, you know, always been an issue for security, in that people think of it as a tax or a burden that slows things down. That's why I come back to this convergence. When you're building a network, the security should be inside that. It should be built in and integrated. So if I'm building my WAN edge, which connects my building to a cloud or whatever, when I put that connectivity in there to an SD-WAN device, it should have security integrated inside it. The same effect applies when building, you know, a data center or a cloud capability. So I think, you know, security teams can't stop the business from moving forward and building these applications wherever they may be, in retail or manufacturing or healthcare.
And so they just need to take a different approach to enable that speed of acceleration, and to our minds, having it totally integrated and converged is the only way you're going to be able to achieve the speed and the security at the same time. >> And that speed is critical, as is the security. But let's talk about that cybersecurity skills gap. Something that I think I read recently is in its fifth year. We've talked about this before, but as you alluded to at the beginning of our conversation, Fortinet is very dedicated to training lots of individuals. Talk to me about that skills gap. And you talked about how it also affects people, companies being able to retain talent. How are you guys helping to address it? >> Yeah, we did actually a survey a few months ago of 2,500 cybersecurity professionals. And, you know, one really revealing fact was, I think it was about 70% said they'd had an incident because of the lack of training. Now, that could be people who are just clicking on things, okay, versus somebody who is not trained enough to see a threat. So I think, you know, the question is going to go, but either way, the 70% of that, you know, is attributed to that breach. And so it's so, so important. And right from the start, Fortinet has provided training. We provide free training to our partners, free training to our customers. I have a quite large team that's building on the curriculum. So we supply curriculum and gear to over 450 universities and colleges. You mentioned the re-skilling of the veterans as well, over 2,000. And to us, it's very important. So this commitment to get people trained, because in the end, there's, yeah, there's always a people part of this problem, whether it be people clicking on things or whether it be people not understanding and configuring wrongly, and then people having passwords of one two three or whatever. All these things, all these human things, we need to get educated and trained on.
So we'll continue that. I think a million's probably not enough. It probably should be two million, but we'll try our best to get people trained as much as possible. And the other thing that I also saw in the survey was that, once certified, employees thought that was extremely important. It does take a lot of time. So, you know, one of our NSE 4 courses on our firewalls takes a week. There's a lot of things to learn. So one thing we're going to try and do is try and modularize it a bit more so we can break it up a bit. But there's going to be a problem. It's kind of like the supply chain, the supply is not there, the people, that's right. The chips, they're not there. They're not there, you've got to try and fix it and expand the training and education of people. >> And I think that's fantastic that Fortinet has been dedicated to that for so long. I look forward to hearing how you guys, the progress that you make on that, training 1 million folks. Will we see you at Accelerate in 2022? >> Yeah. Well, so Accelerate 22 is going to be a hybrid, of course. I'm actually, you can't really see here, cause I've got my great office here. But in front of me is the window. I can actually see the Apple campus just over there. And this is our new campus in Sunnyvale, Silicon Valley. We've got a pretty expensive training center and executive briefing center. So we're going to probably do, in the morning of Accelerate 22, a live broadcast of some of the execs and some of our partners and customers, and then have some online stuff. So hybrid probably this year again. But a bit of physical presence. But yeah, we're expecting quite a few partners to, a few partners to be here live, and obviously a lot of partners to tune in to the live broadcast. >> That's fantastic. I look forward to that hybrid event. John, great to see you as always.
Thank you so much for the update and sharing the battles that enterprises are facing, and how Fortinet and the cybersecurity mesh can help. We look forward to seeing you in 2022. >> Thank you, Lisa. Thank you. >> For John Maddison, I'm Lisa Martin. You've been watching this CUBE conversation. We'll see you next time. (lively music)

Published Date : Dec 16 2021

Ken Xie, Fortinet | Fortinet Security Summit 2021


 

>> From around the globe, it's theCUBE, covering Fortinet Security Summit, brought to you by Fortinet. >> Welcome back to theCUBE's coverage of the Fortinet Security Summit at the Fortinet Championship here in Napa. I'm Lisa Martin, and I'm very pleased to welcome back to theCUBE Ken Xie, founder, chairman and CEO of Fortinet. Ken, welcome back to the program. >> Thank you. Yes, we're happy to be here after almost two years. >> I know, it's great to see you in person. I was saying before we went live, I forgot how tall you are. So this is a great event. But I want you to talk to me a little bit about some of the amazing growth Fortinet has seen: 500,000 customers, close to 30% year on year growth, continuing to post solid earnings, stock is more than double this year. What are some of the things that you attribute this growth to, and what do you think, in your opinion, differentiates Fortinet? >> I think some of the more strategic long-term investments we made started paying off. Like, we're still the only company that actually develops ASIC chips, which can make a huge computing power advantage compared to using software for all the security function computing, because security tends to need about 1,300 times more computing power to process the same data as routing and switching. So that's where, for network security, definitely the chip is a huge advantage, and we invested very early and took a long-term and also a big investment, and so far it's started paying off. The other thing, we also keep a lot of innovation and internal organic growth for the company instead of doing a lot of acquisitions, and that's also started making all these different products integrate well, ultimately work well together. And that's also driving huge growth, not just for security, but also we see the fabric is also growing fast. >> Interesting.
So you're really keeping it organic, which is not common a lot of these days, we see a lot of acquisitions. But one of the things, a lot of growth, another thing that we do know that's growing is the threat landscape. I was mentioning before we went live that I spoke with Derek Manky a couple times this summer and John Maddison, and the global threat landscape report showing ransomware up nearly 11 times in the last year. Of course we had this rapid transition to work from home, and all these devices accessing corporate networks from home. Talk to me about some of the security challenges that you're helping customers deal with. >> I think during the pandemic, definitely you see a lot of security issues come up, because with work from home, you remote access a lot of important information, a lot of important data there. At the same time, the ransomware attacks started, like you mentioned, 11 times compared to like one or two years ago. All this is driving a lot of new technology for security. So now you cannot just secure the border anymore. You have to secure the whole infrastructure, both internal, with a lot of internal segmentation, and also outside security, like I see with the 5G connection, and how to secure work from home and the zero trust access environment. All these drive a lot of security growth. So we see, yeah, it's a pretty healthy market. >> It's definitely a healthy market, that's one thing, looking at it from that lens. What are some of the customer conversations? How have the customer conversations changed? Are you now talking with different levels in organizations, security being a board-level conversation? Discuss and talk to me about how those conversations have evolved. >> Security now has become a very important part of IT.
And pretty much all top one, top two on the IT spending now, and at the same time, with work from home or some other, we're definitely seeing the board-level conversation right now, because you can see if there's a security issue for the company, the damage could be huge, right? So that's where the security awareness, especially ransomware, is very, very huge, and plus the supply chain issues, some other attacks on the infrastructure. So we see a lot of security conversation at the board level, in the CEO, in the executive level now, compared to before, more of an IT conversation. So it's driving the huge awareness of security, and that's also why we see everybody citing concerns about security now. >> But I'm sure, I imagine that's across every industry. >> Yes. Yeah, pretty much all the verticals, right? And especially a lot of new areas, traditionally they don't have much security, like some SMB, some consumer, some traditional OT, IoT space. Now it's all security starting to be very important for them now. >> So let's talk about, here we are, the Security Summit at the Fortinet Championship. Give me your perspective on the PGA, Fortinet relationship. >> First, I think golf is also an event sport, especially during the epidemic, that's probably become the most favorite sport. And for me also, I'm a golfer for 30 years. Never a market golfer, but I love the sport. On the other side, we see sometimes it's working with a lot of customers, a lot of partners, they behave, if we can combine some business and there's certain like activity, especially outdoor, that's also great. And also helping branding, and that's another way we can contribute back to the community. So they say, hey, then that's the first time for us. We just love it, get it going. >> It's great to be outdoors, right, Fortinet doing an event outdoors, showing that yes, you can do that safely. But also I also hear from some of your other team members that it's a very culturally synergistic relationship, the PGA and Fortinet. >> Yes.
Exactly. Yeah, that's where we love this golf, and especially working with different partners, and also all the team working together. So it's a team sport, kind of. On the other side, it's all, do and enjoy, a combined working activity altogether. Everybody loves it. >> Something that so many of us have missed, Ken, for the last 18 months or so. So we're at the Security Summit, there's over 300 technology leaders here. Talk to me about some of the main innovations that are being discussed. >> Definitely see security starting to cover the whole infrastructure, and especially in a lot of environments, traditionally no security could be deployed, like internal segmentation, because the internal network can be 10, 200 times faster than the WAN connection. So it has to be deployed in the internal high-speed environment, whether inside the company or inside the data center, inside the cloud. On the other side, like a lot of WAN connections, traditionally, whether the SD-WAN or the traditional, like cuba more than the S E O, they also need to be combined with security, and also in the zero trust access environment to really support work from home, and also a lot of OT, operational technology, and a lot of other IoT space, utility. All these different kinds of environments need to be supported, sometimes recognized environments. So we see security starting to be deployed everywhere, whether the new smart city or the connected car environment, and we just see it become more and more important.
That's also kind of what we're starting, what we call security-driven networking, because traditionally you can see today's networking just gives you the connectivity and speed, so they treat everything kind of, no difference. But with security-driven networking, you can make the networking decision based on the security function, like a different application or different content, different user, different device, even different location, you can make a different kind of level decision. So that we see is a huge demand right now, can make the whole environment, whole infrastructure much more secure. >> That's absolutely critical. That pivot to work from home was pretty much overnight a year and a half ago, and we still have so many people who are remote, but probably will be permanently, and a good amount will be hybrid in the future, some TBD amount. And one of the challenges is of course you've got people suddenly from home, you've got a pandemic. So you've got an emotional situation, you've got people multitasking, they've got kids at home trying to learn, maybe spouses working, they're trying to do everything by video conferencing and collaboration tools, and the security risks there are huge. And we've seen some of that obviously reflected in the nearly 11x increase in ransomware. But talk to me about what Fortinet announced yesterday with Linksys to help on that front in a considerable way. >> That's where we totally agree with you, the work from home or kind of hybrid way to work will pretty much become permanent. And that's where, how to make the home environment more kind of supporting of remote working, especially like when you have a meeting, there are some other things going on in the whole activity, and also sometimes the data you access can be pretty important, pretty confidential. That's where, whether in the zero trust environment or making the home connection more reliable, more secure, it's all very, very important for us.
That's where we were happy to partner with Linksys and some other partners here to support this hybrid working environment, to make work from home more secure. And as we see, it's a huge opportunity. >> Huge opportunity in a lot of industries. I had the pleasure of talking with Linksys CEO Harry Dewhirst just an hour or so ago, and I asked him what are some of the verticals, since we know from a security and a ransomware perspective, it's just wide open, right? Nobody's safe anymore from it. But what are some of the verticals that you think are going to be early adopters of this technology? Government, healthcare, schools? >> I think pretty much all verticals start to see this work from home and it's very, very important for us. There's a few top verticals, traditionally finance service spends a lot of money, healthcare spends a lot of money on security. So they are still the same, we don't see that change much. On the other side, a lot of high-tech companies, which is also one of the big verticals for us, now I'd say maybe half or even more than half the employees, they want to work from home. So that's also making, they call it home branch now, so it's just make home always as secure and reliable as a branch office. And at the same time, Southern government and the education vertical, they all started to see it's very, very important to do this remote, zero trust access approach, and at the same time working with a lot of service providers to support this, both the SD-WAN and also the SASE approach. So we are the only company, and the SASE company partner, a lot of IT service providers. We do believe long-term the service providers, they have the best location, best infrastructure, best team to support SASE, which we also build ourselves. If customers don't have a service provider, we're happy to support them.
But if they have a service provider, we also prefer they go to the service provider to support them, because we also want to have a better ecosystem and make everybody benefit, a win-win situation. So that's what we see, whether zero trust network access or SASE, very happy to work with all the partners to make everybody successful. >> And where are customers in that evolution from traditional VPN to ZTNA, for example? Are you seeing an acceleration of that given where we are in this interesting climate? >> Definitely, because with work from home, if you try to access using VPN, you basically open up all the network to the home environment, which sometimes is not quite secure, not very reliable, right? So that's where using ZTNA, you can access a certain application in a certain environment there. And the same, leveraging SD-WAN, there's other huge technology advantages, it can lower the cost of the multiple links and balance among different costs, different connections, and different reliability there. It's a huge advantage. >> Definitely one of the many advantages that Fortinet has. So this afternoon there's going to be, as part of the Security Summit, a panel that you and several other Fortinet execs are on, taking part in a Q&A. What are some of the topics that you think are going to come up as part of that Q&A? >> I see for certain enterprise customers, definitely the ransomware attack, how to do the internal segmentation, how to securely do the remote access, work from home. So that's very important. For some service providers, we also see how to support them for the SASE environment, and certain whole infrastructure security, whether the 5G or the SD-WAN, because everyone has a huge demand, and it's a growth area for us, we've become a leader in the space. It's very, very important for them. We also see, like, different vertical spaces, some come from healthcare, some come from education.
They all have their own kind of challenges. Especially like there's a lot of OT, IoT devices in the healthcare space that need to be secured, and the same thing for the OT, IoT space. >> Tremendous amount of opportunity. One thing I want to ask, get your opinion on, is the cybersecurity skills gap. It's been growing year over year for the last five years. I know that just last week Fortinet pledged to train one million professionals in the next five years. You guys have been focused on this for a while. I love that you have a veterans program. I'm the daughter of a Vietnam combat veteran, so that always warms my heart. But is that something, is the cybersecurity skills gap something that customers ask you, Ken? How do you recommend we solve this? >> Yes, we have been doing this for over 10 years. We have the program, we call it the Network Security Expert program, at different levels. So we have 24 million people. We also commit an additional million people, because there's a huge shortage of skilled cybersecurity experts there. So we do work with over like 4,500 universities globally. At the same time, we also want to offer the free training to all the people interested, especially all the veterans and others, like even high school graduates, high school students there, and at the same time anyone who wants to learn cybersecurity. We feel that that's a very good space, very exciting space and very fast-growing space, also still has a huge shortage globally. There's a 3-4 million shortage of skilled people in the space, which is a very fast-growing space. And so we were happy to support all the training, education, with different partners, at the same time try to contribute ourselves. >> I think that's fantastic. I'll be excited to see over the next five years that impact, on that training one million. And also to see, to your point, with how much the industry is changing, how much, how fast cybersecurity is growing. There's a lot of job opportunity out there.
I think it was Sandra who said, I was talking to her this morning, that there's no job security like cybersecurity. It's really true, if you think about it. >> Yeah, I totally agree. Yeah. Like, remember a few years ago when we started the first time to do all this interview, I said, hey, it's a very hot space, now it's getting harder and harder, more people interested now. And I really thank you, theCUBE, and you give all the support all these years, and we're happy to be here. >> Absolutely. It's our pleasure. Well, I know you are paired up, you said, tomorrow with Phil Mickelson for the pro-am. That's pretty exciting, Ken. >> I'm not sure I'm a very good golfer, but I will try my best. >> You try your best. I'm sure it will be a fantastic experience. Thank you for having theCUBE here, for bringing people back together for this event, showing that we can do this, we can do this safely and securely. And also what Fortinet is doing to really help address that cybersecurity skills gap and really make us more aware of the threats and the landscape, and how we, as individuals and enterprises, can help sort of quiet that storm. >> Also will be happy to be here, and also being honored to be part of the program. At the same time, we also want to thank a lot of partners, customers, who join us together for this big PGA event, and thank you for everyone. >> Absolutely. And you guys are a big partner-driven organization. I'm sure the partners appreciate that. Ken, thank you so much. >> Thank you. Thank you, Lisa. >> For Ken Xie, I'm Lisa Martin. You're watching theCUBE from the Fortinet Security Summit in Napa Valley. >> Yeah. Mhm

Published Date : Sep 14 2021

Sandra Wheatley, Fortinet | Fortinet Security Summit 2021


 

>> Narrator: From around the globe, it's theCUBE, covering Fortinet Security Summit brought to you by Fortinet. >> Welcome to theCUBE. I'm Lisa Martin. We are live at the Fortinet Championship, the PGA Tour Kickoff to the 2021-2022 FedEx Regular Season Cup. And this is so exciting to be here with Fortinet, to be at an in-person event, and to be talking about a very important topic of cybersecurity. One of our alumni is back with me, Sandra Wheatley is here, the SVP of Marketing, Threat Intelligence, and Influencer Communications at Fortinet. Sandra, it's great to see you. >> You too, Lisa. Thank you for having me. >> This is a great event. >> Yeah, it's awesome, yeah. >> Great to be outdoors, great to see people again, and great for Fortinet for being one of the first to come back to in-person events. One of the things I would love to understand is, here we are at the PGA Tour, what's the relationship with Fortinet and the PGA Tour? >> Well, first of all, I think the PGA Tour is an amazing brand. You just have to look around here and it's extremely exciting, but beyond the brand, there's a lot of synergies between the PGA Tour and Fortinet CSR initiatives, particularly around STEM, diversity and inclusion, as well as veterans reskilling. And so some of the proceeds from the Fortinet Championship will go to benefit local nonprofits and the local community. So that's something we're very excited about overall. >> Lisa: Is this a new partnership? >> It is a new partnership and we will be the Fortinet Championship sponsor for about the next five years. So we're looking forward to developing this partnership and this relationship, and benefiting a lot of nonprofits in the future. >> Excellent, that's a great cause. One of the things, when you and I last saw each other by Zoom earlier in the summer, we were talking about the cybersecurity skills gap.
And it's in its fifth consecutive year, and you had said some good news on the front was that data show that instead of needing four million professionals to fill that gap, it's down to three, and now there's even better news coming from Fortinet. Talk to me about the pledge that you just announced to train one million people in the next five years. >> Absolutely, we're very excited about this. You know, Fortinet has been focused on reducing the skills gap for many years now. It continues to be one of the biggest issues for cybersecurity leaders if you think about it. You know, we still need about 3.1 million professionals to come into the industry. We have made progress, but the need is growing at about 400,000 a year. So it's something that public and private partnerships need to tackle. So last week we did announce that we are committed to training a million professionals over the next five years. We're very excited about that. We're tackling this problem in many, many ways. And this really helps our customers and our partners. If you really think about it, in addition to the lack of skills, they're really tackling cybersecurity surface that's constantly changing. In our most recent FortiGuard's threat report, we saw that ransomware alone went up 10 times over the last year. So it's something that we all have to focus on going forward. And this is our way of helping the industry overall. >> It's a huge opportunity. I had the opportunity several times to speak with Derek Manky and John Maddison over the summer, and just looking at what happened in the first half, the threat landscape, we spoke last year, looking at the second half, and ransomware as a service, the amount of money that's involved in that. 
The fact that we are in this, as Fortinet says, this work from anywhere environment, which is probably going to be somewhat persistent with the attack surface expanding, devices on corporate networks out of the home, there's a huge opportunity for people to get educated, trained, and have a great job in cybersecurity. >> Absolutely, I like to say there's no job security like cybersecurity, and it is. I mean, I've only been in this industry about, I'm coming up on six years, and it's definitely the most dynamic industry of all of the IT areas that I've worked in. The opportunities are endless, which is why it's a little bit frustrating to see this big gap in skills, particularly around the area of women and minorities. Women make up about 20%, and minorities are even less, maybe about 3%. And so this is a huge focus of ours. And so through our Training Advancement Agenda, our TAA initiative, we have several different pillars to attack this problem. And at the core of that is our Network Security Expert Training or NSC training and certification program. We made that freely available to everybody at the beginning of COVID. It was so successful, at one point we we're seeing someone register every five minutes. And that was so successful, we extended that indefinitely. And so to date, we've had about almost 700,000 certifications. So it's just an amazing program. The other pillars are Security Academy Program, where we partner with nonprofits and academia to train young students. And we have something like 419 academies in 88 countries. >> Lisa: Wow. >> And then the other area that's very important to us is our Veterans Program. You know, we have about 250,000 veterans every year, transfer out of the service, looking for other jobs in the private sector. And so not only do we provide our training free, but we do resume building, mentoring, all of these types of initiatives. 
And we've trained about 2,000 veterans and spouses, and about 350 of those have successfully got jobs. So that's something we'll continue to focus on. >> That's such a great effort. As the daughter of a Vietnam combat veteran, that really just hits me right in the heart. But it's something that you guys have been dedicated for. This isn't something new, this isn't something that is coming out of a result of the recent executive order from the Biden administration. Fortinet has been focused on training and helping to close that gap for a while. >> That's exactly true. While we made the commitment to train a million people on the heels of the Biden administration at Cybersecurity Summit about two weeks ago, we have been focused on this for many years. And actually, a lot of the global companies that were part of that summit happened to be partners on this initiative with us. For example, we work with the World Economic Forum, IBM, and Salesforce offer our NSC training on their training platforms. And this is an area that we think it's really important and we'll continue to partner with larger organizations over time. We're also working with a lot of universities, both in the Bay Area, local like Berkeley, and Stanford and others to train more people. So it's definitely a big commitment for us and has been for many years. >> It'll be exciting to see over the next few years, the results of this program, which I'm sure will be successful. Talk to me a little bit about this event here. Fortinet is 100% partner driven company, more than 300 or so partners and customers here. Tell me a little bit about what some of the interesting topics are that are going to be discussed today. >> Sure, yeah, so we're delighted to bring our partners and customers together. They will be discussing some of the latest innovations in cybersecurity, as well as some of the challenges and opportunities. 
We are seeing, you know, during COVID we saw a lot of change with regards to cybersecurity, especially with remote working. So we'll discuss our partnership with LYNX that we just announced. We'll also be talking about some of the emerging technologies like CTNA, 5G, SASE, cloud, and really understanding how we can best help protect our customers and our partners. So it's very exciting. In addition to our Technology Summit, we have a technology exhibition here with many of our big sponsors and partners. So it's definitely going to be a lot of dynamic conversation over the next few days. >> We've seen so much change in the last year and a half. That's just an understatement. But one of the things that you touched on this a minute ago, and we're all feeling this is is when we all had to shift to work from home. And here we are using corporate devices on home networks. We're using more devices, the edge is expanding, and that became a huge security challenge for enterprises to figure out how do we secure this. Because for some percentage, and I think John Maddison mentioned a few months ago to me, at least 25% will probably stay remote. Enterprises have to figure out how to keep their data secure as people are often the weakest link. Tell me about what you guys announced with LYNX that will help facilitate that. >> Well, we're announcing an enterprise grade security offering for people who are working remotely. And the nice thing about this offering is it's very easy to set up and implement, so consumers and others can easily set this up. It also provides a dashboard for the enterprise, IT organization to, they can see who's on the network, devices, everything else. So this should really help because we did see a big increase in attacks, really targeting remote workers. As cyber criminals try to use their home as a foothold into the enterprise. So we're very excited about this partnership, and definitely see big demand for this going forward. 
>> Well, can you tell me about the go-to market for that and where can enterprises and people get it? >> Well, we're still working through that. I know you'll talk with John later on, he'll have more details on that. But definitely, we'll be targeting both of our different sets of customers and the channel for this. And I definitely think this is something that will, it's something that enterprises are definitely looking for, and there'll be more to come on this over the next few months. >> It's so needed. The threat landscape just exploded last year, and it's in a- >> Sandra: Yeah, absolutely. >> Suddenly your home. Maybe your kids are home, your spouse is working, you're distracted, ransomware, phishing emails, so legitimate. >> Sandra: They do. >> Lisa: But the need for what you're doing with LYNX is absolutely essential these days. >> Sandra: Yeah, these threats are so sophisticated. They're really difficult. And the other thing we did in addition to LYNX was as we got into COVID, we saw that, or the most successful organizations were really using this as an opportunity to invest for the longterm in cybersecurity. We also saw that, and this continues to be the case that, the insider threat continues to be one of the biggest challenges, where an employee will accidentally hit on a phishing email. So we did roll out an infosec awareness training, and we made that free for all of our customers and partners. So we're trying to do everything we can to really help our customers through this demanding time. >> Lisa: Right, what are some of the feedback that you're hearing from customers? I'm sure they're very appreciative of the education, the training, the focus effort from Fortinet. >> Sandra: Absolutely, it's definitely huge. And more and more we're seeing partners who want to work with us and collaborate with us on these initiatives. We've had a really positive response from some of the companies that I mentioned earlier, some of the big global names. 
And we're very excited about that. So we feel like we have some key initiatives on pillars, and we'll continue to expand on those and bring more partners to work with us over time. >> Lisa: Expansion as the business is growing amazingly well. Tell me a little bit about that. >> Sandra: Yeah, I think, in our last quarter we announced our largest billings growth for many, many years. And so, Fortinet, we're been very fortunate over the last few years, has continued to grow faster than the market. We now have half a million customers, and I think our platform approach to security is really being adopted heavily. And we continue to see a lot of momentum, especially around our solutions like SD-WAN. I think we're the only vendor who provides security in SD-WAN appliance. And so that's been a key differentiator for us. The other thing that's increasingly important, especially with the rollout of 5G is performance. And, you know, Fortinet, from the very beginning, created its own customized ASX or SPU, which really provides the best performance in security compute ratings in the industry. So all of this is really helping us with our growth, and we're very excited about the opportunities ahead. >> Lisa: And last question, on that front, what are some of the things that you're excited about as we wrap up 2021 calendar year and go into 2022? >> Sandra: Well, this been very exciting year for Fortinet. And I think we're in a great position to take advantage of many of the different growth areas we're seeing in this new and changing space. And, you know, we're all on board and ready to take advantage of those opportunities, and really fire ahead. >> Lisa: Fire ahead, I like that. Sandra, thank you so much for joining me today, talking about the commitment, the long standing commitment that Fortinet has to training everybody from all ages, academia, veterans, to help close that cybersecurity skills gap. And such an interesting time that we've had. 
There's so much opportunity, and it's great to see how committed you are to helping provide those opportunities to people of all ages, races, you name it. >> Sandra: Thank you, Lisa, I really appreciate it. >> Lisa: Ah, likewise. For Sandra Wheatley, I'm Lisa Martin. You're watching theCube at the Fortinet Championship Security Summit. (soft bright music)

Published Date : Sep 14 2021
