(upbeat jazz music) [Woman] - From our Studios in the heart of Silicon Valley, Palo Alto, California, this is a CUBE conversation. >> Hello and welcome to theCUBE Studios in Palo Alto, California, for another CUBE conversation, where we go in depth with thought leaders driving innovation across tech industry. I'm your host Peter Burris. Almost everybody's heard of the term black-hat and white-hat. And it constitutes groups of individuals that are either attacking or defending security challenges. It's been an arms race for the past 10, 20, 30 years as the worlds become more digital. And an arms race that many of us are concerned that black-hats appear to have the upper hand. But there's new developments in technology and new classes of tooling that are actually racing to the aid of white-hats and could very well upset that equilibrium in favor of the white-hats. To have that conversation about the ascension of the white-hats, we're joined by Derek Manky, who's the Chief Security Insights & Global Threat Alliances lead at Fortinet. Derek, thanks for joining us for another CUBE conversation. >> It's always a pleasure speaking with you. [Peter] - All right. [Derek] - Happy to be here. >> Derek, let's start, what's going on at FortiLabs at Fortinet? >> So 2019, we've seen a ton of development, a lot pretty much on track with our predictions when we talked last year. Obviously a big increase in volume, thanks to offensive automation. We're also seeing low volume attacks that are disrupting big business models. I'm talking about targeted ransom attacks, right. But, you know, criminals that are able to get into networks, cause millions of dollars of damages thanks to critical revenue streams being held. Usually in the public sector we've seen a lot of this. We've seen a rise in sophistication's, the adversaries are not slowing down. AET's, the mass evasion techniques are on the rise. And so, you know, to do this on FortiGaurd Labs, to be able to track this and map this, we're not just relying on logs anymore and, you know, 40, 50 page white papers. So, we're actually looking at that playbooks now, mapping the adversaries, understanding their tools, techniques, procedures, how they're operating, why they're operating, who are they hitting and what might be their next moves. So that's a bit development on the intelligence side too. >> All right, so imagine a front this notion that the white-hats might be ascending. I'm implying a prediction here. Tell us a little bit about what we see on the horizon for that concept of the white-hats ascending and specifically, why is a reason to be optimistic? >> Yeah, so it's been gloomy for decades like you said. And for many reasons, right, and I think those reasons are no secrets. I mean, cyber criminals and black-hats have always been able to move very, you know, with agility right. Cyber crime has no borders. It's often a slap on the wrist that they get. They can do a million things wrong, they don't care, there's no ethics and quite frankly no rules binding them right. On the white-hand side, we've always had rules binding us, we've had to take due care and we've had to move methodically, which slows us down. So, a lot of that comes in place because of frameworks, because of technology as well, having to move after it's enabled to with frameworks, specifically with making corrective action and things like that. So, those are the challenges that we faced against. But you know like, thinking ahead to 2020, particularly with the use of artificial intelligence, everybody talks about AI, it's impacted our daily lives, but when it comes to cyber security, on the white-hat side a proctor AI and machine learning model takes times. It can take years. In fact in our case, our experience, about four to five years before we can actually roll it out to production. But the good news is, that we have been investing, and when I say we, I'm just talking to the industry in general and white-hat, we've been investing into this technology because quite frankly we've had to. It takes a lot of data, it takes a lot of smart minds, a lot of investment, a lot of processing power and that foundation has now been set over the last five years. If we look at the black-hats, it's not the case. And why? Because they've been enjoying living off the land on low hanging fruit. Path of least resistance because they have been able to. >> So, what are the things that's changing that, equilibrium then, is the availability of AI and as you said, it could take four, five years to get to a point where we've actually got useful AI that can have an impact. I guess that means that we've been working on these things for four, five years. What's the state of the art with AI as it pertains to security, and are we seeing different phases of development start to emerge as we gain more experience with these technologies? >> Yeah, absolutely. And it's quite exciting right. AI isn't this universal brain that solves the worlds problems that everyone thinks it might be right. It's very specific, it relies on machine learning models. Each machine learning model is very specific to it's task right, I mean, you know, voice learning technology versus autonomous vehicle jobbing versus cyber security, is very different when it comes to these learning purposes. So, in essence the way I look at it, you know, there's three generations of AI. We have generation one, which was the past. Generation two, which is the current, where we are now and the generation three is where we're going. So, generation one was pretty simple right. It was just a central processing alert machine learning model that will take in data, correlate that data and then take action based off of it. Some simple inputs, simple output right. Generation two where we're currently sitting is more advanced. It's looking at pattern recognition, more advanced inputs, distributed models where we have sensors lying around networks. I'm talking about even IoT devices, security appliances and so forth, that still record up to this centralized brain that's learning it and acting on things. But where things get really interesting moving forward in 2020 gets into this third generation where you have especially moving towards cloud computer, sorry, edge computing, is where you have localized learning nodes that are actually processing and learning. So you can think of them as these mini brains. Instead of having this monolithic centralized brain, you have individual learner nodes, individual brains doing their own machine learning that are actually connected to each other, learning from each other, speaking to each other. It's a very powerful model. We actually refer to this as federated machine learning in our industry. >> So we've been, first phase we simply used statistics to correlate events, take action, now we're doing acceptions, pattern recognition, or acceptions and building patterns, and in the future we're going to be able to further distribute that so that increasingly the AI is going to work with other AI so that the aggregate, this federated aggregate gets better, have I got that right? >> Yeah absolutely. And what's the advantage of that? A couple of things. It's very similar to the human immune system right. If you have, if I were to cut my finger on my hand, what's going to happen? Well, localized white blood cells, localized, nothing from a foreign entity or further away in my body, are going to come to the rescue and start healing that right. It's the same, it's because it's interconnected within the nervous system. It's the same idea of this federated machine learning model right. If a security appliance is to detect a threat locally on site, it's able to alert other security appliances so that they can actually take action on this and learn from that as well. So connected machine learning models. So it means that by properly implementing these AI, this federated AI machine earning models in an organization, that that system is able to actually in a auto-immune way be able to pick up what that threat is and be able to act on that threat, which means it's able to respond to these threat quicker or shut them down to the point where it can be you know, virtually instantaneous right, before the damage is done and bleeding starts happening. >> So the common baseline is continuously getting better even as we're giving opportunities for local managers to perform the work in response to local conditions. So that takes us to the next notion of, we've got this federated AI on the horizon, how are people, how is the world of people, security professionals going to change? What kind of recipes are they going to follow to insure that they are working in a maximally productive way with these new capabilities, these new federated capabilities, especially as we think about the introduction of 5G and greater density of devices and faster speeds in the relatancies? >> Yeah so, you know the world of cyber computer, cyber security has always been incredibly complex. So we're trying to simplify that and that's where again, this federated machine learning comes into place, particularly with playbooks, so if we look at 2019 and where we're going in 2020, we've put a lot of groundwork quite frankly and so pioneering the work of playbooks right. So when I say playbooks I'm talking about adversary playbooks, knowing the offense, knowing the tools, techniques, procedures, the way that these cyber crime operations are moving right and the black-hats are moving. The more that we can understand that, the more we can predict their next move and that centralized language right, once you know that offense, we can start to create automated blue team playbooks, so defensive playbooks. That security technology can automatically integrate and respond to it, but getting back to you question, we can actually create human readable CECO guides that can actually say, "Look, there's a threat," "here's why it's a problem," "here are the gaps in your security that we've identified," "here's some recommended course of action as an idea too." Right, so that's where the humans and the machines are really going to be working together and quite frankly moving at speed, being able to that at machine level but also being able to simplify a complex landscape, that is where we can actually gain traction right. This is part of that ascendancy of the white-hat because it's allowing us to move in a more agile nature, it's allowing us to gain ground against the attackers and quite frankly, it allows us to start disrupting their business model more right. It's a more resilient network. In the future this leads to the whole notion of self-healing that works as well that quite frankly just makes it a big pain, it disrupts your business model, it forces them to go back to the drawing board too. >> Well, it also seems as though, when we start talking about 5G, that the speeds, as I said the speeds, the dentancy, the reduced latency, the potential for a bad thing to propagate very quickly, demands that we have a more consistent, coherent response, at both the the machine level but also the people level. We 5G into this conversation. What's, what will be the impact to 5G on how these playbooks and AI start to come together over the next few years? >> Yeah, it's going to be very impactful. It is going to take a couple of years and we're just at the dawn of 5G right now. But if you think of 5G, your talking about a lot more volume, essentially as we move to the future, we're entering into the age of 5G and edge computing. And 5G and edge computing is going to start eating the cloud in a sense that more of that processing power that was in the cloud is starting to shift now towards edge computing right. This is at on Premis.it So, A; it is going to allow models like I was talking about, federated machine learning models and from the white-hats point of view, which again I think we are in the driver seat and a better, more advantageous position here, because we are more experienced again like I said, we've been doing this for years with black-hats quite frankly haven't. Yes, they're toying with it, but not in the same level and skill as we have. But, you know, (chuckles) I'm always a realist. This isn't a completely realsy picture, I mean, it is optimistic that we are able to get this upper hand. It has to be done right. But if we think about the weaponisation of 5G, that's also a very large problem right. Last year we're talking about swarm networks right, the idea of swarm networks is a whole bunch of devices that can connect to each other, share intelligence and then act to do something like a large scale DDoS attack. That's absolutely in the realm of possibility when it comes to the weaponisation of 5G as well. >> So one of the things, I guess the last question I want to ask you is, is you noted that these playbooks incorporate the human element in ways that are uniquely human. So, having CECO readable recipes for how people have to respond, does that also elevate the conversation with the business and does, allows us to do a better job of understanding risk, pricing risk and appropriately investing to manage and assure the business against risk in the right way? >> Absolutely. Absolutely it does, yeah. Yeah, because the more you know about going back to the playbooks, the more you know about the offense and their tools, the more you know about how much of a danger it is, what sort of targets they're after right. I mean if they're just going trying to look to collect a bit of information on, you know, to do some reconnaissance, that first phase attack might not cause a lot of damage, but if this group is known to go in, hit hard, steal intellectual property, shut down critical business streams through DoS, that in the past we know and we've seen has caused four, five million dollars from one breach, that's a very good way to start classifying risk. So yeah, I mean, it's all about really understanding the picture first on the offensive, and that's exactly what these automated playbook guides are going to be doing on the blue team and again, not only from a CoC perspective, certainly that on the human level, but the nice thing about the playbooks is because we've done the research, the threat hunting and understood this, you know from a machine level it's also able to put a lot of those automated, let's say day-to-day decisions, making security operation centers, so I'm talking about like SecDevOps, much more efficient too. >> So we've talked about more density at the edge amongst these devices, I also want to bring back one last thought here and that is, you said that historically some of the black-hats have been able to access with a degree of impunity, they have necessarily been hit hard, there's been a lot of slapping on the wrist as I think you said. Talk about how the playbooks and AI is going to allow us to more appropriately share data with others that can help both now but also in some of the forensics and the enforcement side, namely the legal and policing world. How are we going to share the responsibility, how is that going to change over the next few years to incorporate some of the folks that actually can then turn a defense into a legal attack? >> Threat elimination is what I call it right. So again, if we look at the current state, we've made great strides, great progress, you know, working with law enforcement, so we've set up public private sector relationships, we need to do that, have security experts working with law enforcement, law enforcements working on their end to train prosecutors to understand cyber crime and so forth. That foundation has been set, but it's still slow moving. You know, there's only a limited amount of playbooks right now. It takes a lot of work to unearth and do, to really move the needle, what we need to do, again like we're talking about, is to integrate a artificial intelligence with playbooks. The more that we understand about groups, the more that we do the threat illumination, the more that we uncover about them, the more we know about them, and by doing that we can start to form predictive models right. Based, I always say old habits die hard. So you know, if an attacker goes in, hits a network and their successful following a certain sequence of patterns, they're likely going to follow that same sequence on their next victim or their next target. So the more that we understand about that, the more that we can forecast A; from a mitigation standpoint, but the, also by the same token, the more correlation we're doing on these playbooks, the more machine learning we're doing on these playbooks, the more we're able to do attribution and attribution is the holy grail, it's always been the toughest thing to do when it comes to research. But by combing the framework that we're using with playbooks, and AI machine learning, it's a very very powerful recipe and that's what we need to get right and forward in the right direction. >> Derek Manky, Fortinet's Chief of Security Insights & Threat Alliances, thanks again for being on theCUBE. >> It's a pleasure. Anytime. Happy to talk. >> And I want to thank you for joining us for another CUBE conversation. I'm Peter Burris, see you next time. (upbeat jazz music) >> Yeah I thought it was pretty good. [Man] - That was great. [Derek] - Yeah, yeah.

(vibrant music) >> Hi, I'm Peter Burris, welcome once again to another CUBE Conversation from our Palo Alto studios. Recently, we had FortiGaurd Labs here on theCUBE talking about a regular report that they do on the state of the security industry. And once again, we've got Anthony Giandomenico. >> Yeah, good. >> Here to talk about the most recent, the Q1 update. First of all, tell us a little bit about FortiGaurd labs, where's this come from? >> So FortiGaurd Labs actually is the threat intelligence organization of Fortinet, so what we do, is we keep track of the tactics, techniques, and procedures of the adversary. And make sure that we have detection methodologies to be able to stop all those tactics, techniques, and procedures. >> Peter: So you're the ones that are collecting the data that's right from the ground to help everybody keep up to date on where the threat's are likely to be, set priorities. So that's what this report does, right? >> Absolutely, it's something we do on a quarterly basis, and it's really, you know, we're looking at billions of events that we're observing in real time, you know, production environments, and what we're trying to do is identify the top application exploits, malware, and botnets, and what we want to be able to do is find different types of trends that then can be able to translate into helping organizations fortify their environments. >> Peter: Alright, so here, this is the Q1, 2018, people can get access to it. >> Anthony: Yeah. >> What's the top line change? >> Anthony: Yeah, well at a high level, I think, you know, one the actual cyber criminals, they're evolving, their attack methodologies to be able to increase their, you know, success rate as well as being able to increase their infection rate. So that's one thing, you know, the other thing, obviously we always have to talk about ransomware. That, you know, seems to be a very hot threat these days for cyber criminals to make money. Now, that threat isn't going away. We did see a slight decrease though, where the adversaries were more interested in hijacking, you know, systems to be able to mine for crypto currencies as opposed to taking that machine hostage and demanding a ransome. >> Peter: Really? >> Anthony: Yeah, believe it or not. >> I'm a little bit, I mean ransomware just seems like it would have so much potential, and crypto currencies are, well they're interesting. Tell us a little bit about why that's happening. >> What seems to be the indicators? >> Yeah, well, you know, like I said, ransomware isn't going away, I think they're going to continue to use that to make money. But from a crypto jacking, you know, perspective, we did see the uptake last year in our Q4 report. It was about 13 percent of the organizations actually reported some type of crypto jacking attack. Fast forward to this report, and it nearly doubled. Actually, over doubled to, you know 28 percent, so that's about one in four organizations that are actually impacted with this particular threat. Now, what I think is interesting about this particular threat, is the way it evolves, right. 'Cause it's so new, it's always looking back at, its other successful, you know, predecessors to be able to determine how can I be more stealthy, and how can I get my, you know, malware, or my, you know, payload out to all the different sort of systems. So, you know, an example of that is phallus malware. Phallus malware is very stealthy. It's starting to use phallus malware techniques, it'll use scripts to inject their actual payload into memory, nothing on disc, so it makes it a lot more difficult to be able to detect. Now, how do I get my payload out to all the other, you know, workstations? Well, it takes a one two punch combination that, you know, Petya used last year. It's leveraging, um, there's this open source technology called, you know, minicats, steals different types of credentials and does something called pass the hash. Passes the hash credential out to those other systems, and then it gains access. That way it can actually pass the actual malware from system to system. If that fails, and then goes back to identifying different vulnerabilities that it could then exploit. One vulnerability it does looks for is eternal blue, which was a vulnerability that was so graciously given to us from shadow brokers. So those are the ways they're starting to be more effective and be more stealthy, and also being able to propagate a lot faster. >> Peter: And crypto currency obviously is one of the more extreme things because you take over the computer resources without necessarily stealing any data. You're just grabbing computer resources. >> Anthony: Yeah, what's interesting, I don't want to actually kind of go off topic here, but that' another conversation. Is crypto jacking actually a threat or not? Right, 'cause all it's really doing is stealing, you know, CPU resources, so, you know, so people say. So that's a whole 'nother discussion to actually get into is, is it actually really a threat or not? >> Well, you're able to get access to a computer, presumably you're able to get access not just for that purpose, but many others. >> Exactly. >> So that's probably an indication, you may have a problem. >> Yes, yes. >> Let's talk about ransomware. You said ransomware's not going away. Ransomware, most folks are familiar with it. What is it, what's the report suggest? >> You know Peter, did you realize that this month is the one year anniversary of WannaCry? Don't know if you remember that or not, but, you know, WannaCry was very infamous for, not necessarily the payload, but by the way that it actually was able to spread so fast and affect so many different machines. Now, that spreading, that worm-like spreading, kind of capability still exists here, you know. Today, you see a lot of different sort of threats using that, but what seems to be a bit different now is the combination of that ransomware payload along with more targeted attacks. >> Mm-hmm >> So, usually in a ransomware type of attack, you do some type of spammy campaign. You spam out that email, you know, and see what sticks. Well, these are more, a lot more targeted, so they're going to spend a lot more time doing, you know, reconnaissance on an organization and being able to find different vulnerabilities on the outside of the network. Once they actually come in, very methodical at how they're able to laterally move and put their actual malware on systems that they actually think, you know, well you know, however many systems they think they should actually have that particular malware on. Now, at this point, they hadn't actually executed you know, the actual payloads. So they have it on as many systems as possible, and once their ready (fingers snap). They flip the switch, and all those systems now are held hostage. That impact is much greater to the business. >> Peter: Now, when we think about the attacks, we think in terms of computing devices, whether it's a mobile device or PC device, or servers or what not, but are we seeing any changes in how people are attacking other computing resources within a network, hitting routers and other to try to drive more control over somebody's network resources? >> Well, I mean, we definitely see exploits that are actually hitting, you know, mobile devices, their hitting routers, um, a lot of IOT as well, but also web technology because, you know, web technology, there's so much external facing websites these days, you know, they're much easier targets. So we are seeing that. I would mention also that, it's up seven percent to 21 percent of organizations have actually reported mobile malware as well. >> And that is a especially difficult thing because your mobile applications are not just associated with a particular business, but other businesses as well. So you are both an employee and a consumer, and if your mobile applications get hit, that can have enormous ramifications on a number of different levels. >> Anthony: Yeah, absolutely, and I think sometimes, you know, in an organization where an actual consumer will have a phone, and they won't necessarily think it's the same as their workstation. So, it's like, oh, well not that much can happen on my mobile phone, right, not the same as on my workstation, but actually, it could be even worse. >> Peter: Yes, so if you think about some of the things that are on the horizon, you mention that we're seeing a greater utilization of different techniques to make money in some of the new domains, like jacking, uh, crypto jacking. >> Mm-hmm. >> Uh, there's still ransomware, still an issue, as folks go back and identify these different malware, these different security breaches, what are they doing to actually clean things up? Are we seeing folks actually cleaning up, or is there still just like, whack-a-mole, whacking things out, andt worrying about whether they go back and clean things up later? >> Anthony: Well, to basically answer your question, they are starting to actually kind of clean up, but, you know wait 'til you hear this, so what we try to do here, in this quarterly report, is we wanted to measure how quickly they were able to clean up that, you know, that particular threat. And what we found out, you know, we used botnet alerts. And we wanted to see how fast those botnet alerts actually got cleaned up. So what we were able to determine is 58 percent of all organizations, within 24 hours, were able to clean up that particular botnet infection. Which is actually pretty good. But, that 42 percent, it took them either two days or longer, you know, to be able to get that actual threat out. Actually, sometimes the threat really never even, you know, actually went away. Great example of that, is actually the Andromeda botnet. It's a threat that was brought down last year, but even though it's not there anymore, the infections on the workstations are still there, so we're still kind of getting those actual hits on that Andromeda botnet, and that actual threat >> for Q1, was one of the highest in prevalence and volume. >> Even if it wasn't necessarily doing damage, because we'd figured out how to deal with it, >> Right. >> but if it's there, somebody might find a way to use it again in the future. >> Absolutely, absolutely. >> So as we think about the next quarter, you doing this on every quarter, are there any particular areas that you think folks have to, they need to anticipate some of these changes, more of the same, different trends, or what about OT for example, as operational technology becomes increasingly part of that common technology fabric, how is that likely to be affected by some of these different attach types? >> In answer of your first question, I think we'll probably see a lot more of the same. And I think what we'll continue to see, you know there's this whole zero day market, I think it's getting more and more mature, meaning that we're going to see more and more vulnerabilities that are actually kind of zero day that have just been discovered or just been announced, and I think we're going to continue to see the adversaries take advantage of those newly discovered zero day vulnerabilities. You know, they'll take those actual, those exploits, you know, put 'em into their attack methodologies, to propagate faster and faster, so I think, organizations are going to have to make sure they can address some of those newly discovered vulnerabilities fairly quickly. Now, as we switch the, you know, the OT side, you know, we didn't see a lot of attacks if you look at the percentage of the overall attacks, however, you know, OT, if there is an actual successful attack, I think it's, you know, worth saying that it's >> a much larger impact, right. >> You have a major problem. >> You know, my concern is, these different types of trends that are coming together. One, OT is starting to connect to other networks, which means they're going to eventually be accessible from the internet, which makes it a lot more difficult to be able to protect. At the same time, we're seeing nation states continue to focus on compromising OT systems as well. So, I don't know what's going to happen in the coming months and years, but the trends aren't actually looking so good right now. >> So if you were to, if we had a CIO sitting here right now, and you were talking about this report, what are the, first off, how should they regard the information, what should they be doing differently as a result of the information that the reports are viewing? >> Yeah, I mean, I would say, one, we always talk about this, it's easier said than done, but you know, going back to the basics, and making sure that you have good cyber hygiene and being able to identify vulnerabilities that exist in your environment, and that, you know, me just saying that sounds kind of simple, but that really means identifying all the assets that you have in your environment that you're responsible for protecting, number one, and then being able to, you know, identify the vulnerabilities that may exist on those things. That's uh, it's not the easiest thing to do, but I think it's something that really should be focused on. At the same time though, threats are going to get into your network. That's just a, you know, that's a given. So being able to make sure that you can identify, you know, threats within your environment is extremely important, and then, once you identify them, what's the processes for you to go ahead and actually respond and clean up those particular threats? That really is going to be the key. I know it's at a high level, it's much deeper than that. But that's where you start. >> Alright, Anthony Giandomenico, Tony G, >> Tony G. >> thanks very much once again for being on theCUBE and talking to us about FortiGuard's Q1, 2018 report from Fortinet. >> Awesome, well thanks for having me. >> You betcha, so, Anthony Giandomenico (laughs) a senior strategist researcher at FortiGuard labs, Fortinet, talking to us about the 1Q 2018 report. Once again, this has been a CUBE Conversation thanks for listening. (vibrant music)