(upbeat music) >> Welcome to this cube conversation. I'm Lisa Martin. I'm joined by Aamir Lakhani, the Lead Researcher and Cybersecurity Expert at FortiGuard Labs at Fortinet. Aamir, welcome back to theCube. >> Hey, it's always good to be back on. >> It is, even though we're still in this work from anywhere environment, and that's one of the things that I want to talk to you about. We're in this environment now, I've lost count, 16 months, 17 months? And we now have this distribution of folks working still from home, maybe some in the office, and a good portion that probably want to remain remote. And one of the things that, that you guys have seen in this time is this huge uptick and sophistication in phishing attacks. Talk to me about what's going on. >> You know, it's a funny thing you mention that, Lisa, every attack that I've seen in the last 16 months usually has a phishing component, and over the last, even just the last couple of weeks, we've seen some really sophisticated attacks, attacks that are against industrial control systems, against critical infrastructure, against large corporations, government entities, and almost every one of those attacks, whether it's a ransomware attack, whether it's a denial of service attack, usually has a phishing component. And the sad part is usually the initial attack vector, how attackers are getting into the network, a lot of times as the first step is through phishing. And, you know, it works, it's a method that has always worked. It works just as well today as it always did, so attackers are basically going back to the well and basically making their phishing attacks more complicated, and more sophisticated, and it's much more effective than it ever used to be. >> Tell me how they're making it more sophisticated because I know, I've seen interesting examples through Twitter, for example, of people that are very well-versed, you might even consider them cybersecurity experts, who've just almost fallen for a phishing email that looks so legitimate. How is it getting more sophisticated? >> Well, what attackers are doing is they're definitely playing on your emotions. They understand that there's a lot of things happening in the world, and sometimes we get a little emotion about it, whether it's, "Hey, how do you get the latest vaccine?" Maybe information, you know, around getting jobs, going back to work, LinkedIn, is a good example. A lot of people are looking for jobs. When the U.S. elections were happening, and there was a lot of phishing attacks around, political donations, and affiliations. They kind of kind of find these hot button items that they know people are really going to not think first about security, and really think like, "Hey, how do I respond back to this?" and really attack them that way. The other thing that we're seeing on how it's getting complicated is, it used to be like a phishing attack. You know, it used to be pretty simple, like click on a link. Now what they're doing is they're actually targeting organizations and what you do as a job. For example, I've seen a lot of phishing attacks against the HR, the human resource departments, and I feel sad for anyone in human resources because their job all day is to basically open files, and emails from strangers, and that's what attackers are doing. They're like, "Hey, I want to apply for a cybersecurity position. "And by the way, my resume is encrypted. "Please click on this link to see "my secure version of my resume". And when they do that, you know, HR person may be thinking, "Hey, this is a cybersecurity guy, like good. "He's actually sending me an encrypted link." In reality, when they click on that button, it's attacking their machine, and actually getting into their organization. The attacks are getting into the organization. So they're using more and more tricks to actually technically bypass some of the security tools you may have. >> So getting more sophisticated by preying on emotions, and also using technology, and things that an HR person, like you said, would think, "Great, this is the level of sophistication that this applicant has. How do they, how do organizations start reducing those attacks, that are falling victim to these attacks? >> Yeah, so I was thinking, at Fortinet we always mention, like at FortiGuard labs, that training and security awareness is some of the best ways you can protect against this attack. At Fortinet we have our training advancement agenda, that's out of Fortinet.com/training/taa. Basically what that does, well what we emphasize, what we preach, is that training is the key and education is the key, in helping protect against those attacks. And, you know, you can train anyone these days, at least some level of, you know, awareness. My mom used to call me up, and used to tell me like, "Hey, I got the IRS calling me, "should I answer these questions?" I was like, "No, absolutely not, like this is dangerous, "the IRS doesn't call you up and asking you "for your credit card number." I actually had my mum go for our level, one of our training, and she actually gets it. She's like, "Okay, I get why I shouldn't call the, you know, "answer the questions from the IRS now." So I say any type of training, to anyone you can give, and you can start it off like with people in high school, with people in elementary school, all the way up to professionals, I think it helps in all levels. >> So first of all, your mom sounds like my mom, and I need to get my mom to do this training, I really do. But one of the things that kind of highlights is the fact that there are five generations in the workforce. So there, and in every industry, there is a huge variety of people that understand technology, and know to be suspicious. And that's one of the things I think that's challenging for organizations, because if a lot of that responsibility falls on the person, the more sophisticated, the more personalized this phishing email is, the more likely I'm to think this is legitimate instead of questioning it. So that training that you're talking about, tell me a little bit more about that. You mentioned a variety of ages and generations, that folks as young as high school kids, and then folks in our parents' generation can also go on and learn how to navigate through basic emails, for example, to look for, to see what to look for. >> Yeah, it's not only emails. So attackers, like I said, they are getting sophisticated. We are seeing phishing attacks, not only through emails, but through applications, mobile applications. There's actually like some advanced phishing techniques now on smart speakers. When you ask your smart speaker, a certain skill like, "Hey, tell me my balance, "tell me what the weather is." There's like some phishing attacks there. So there's phishing attacks all across the board. Obviously, when we talk about phishing we're mostly talking about email attacks, but every generation kind of has their tools kind of has their, you know, techniques or apps that they're comfortable with. So, and we're trained, like a lot of my friends are trained to basically click on any app, download any app, allow, they don't really read the pop-ups that say like, "Do you want to share information?" They'll just start sharing information. People in the workforce, like sometimes that are not paying attention, they're just clicking on emails, and attackers realize this, most of the time when attacks happen, it's not when you're paying attention. It's like when we're on our Zoom calls, and we're actually like looking at our phones, looking at emails, multitasking, and that's when your attention kind of diverts a little bit, And that's when attackers are really jumping in, and really trying to take advantage of that situation. And that's, I think that's a good idea about the training is because it opens up your eyes to understand, hey, it's more about just emails, it's really about every way we can use technology, can be a vector on how we get attacked, and we have a couple of good examples on that as well. >> Let's talk about that, cause I want to see how easy it is for the bad actors to create phishing attacks. You were saying, it's not just email, it's through apps, it's through my smart speaker, which is one of the reasons I don't have one. But talk to me about how easy it is for them to actually set these up. >> Yeah, so we have, I think we have a demo we can show, an example that we can show, of what's going on. And what I'm showing here is basically how easy you can download proof of concept apps. Now, what I'm showing here is actually a defensive tool, it's for defenders, and people that want to test for security on testing, phishing, and how susceptible their organization may be to phishing. But you can see like attackers could do something very similar. This tool is called Black Eye. And what it does is allows me to create multiple different types of phishing websites. I can create a custom one, or I can use a template that's already created. Once I use this template, for example I'm using the LinkedIn template here, it's going to create a website for me. It already, this website, I can embed into a link if I was, if I was potentially a bad guy, I could hide it behind a link. I could potentially change the website to make it look more like LinkedIn. But when I go to the LinkedIn fake website, this phishing website, which is hosted, you'll see, it kind of looks like LinkedIn. It actually has that little security box, that little green box, because it generates a certificate as well. And when I go to the real LinkedIn website, yes, the real LinkedIn website does look a little different. It's using a more updated template, a more updated website, but most people aren't going to notice the difference between the real LinkedIn website, and here, where we have the fake LinkedIn website. And I'll just show you like, if I log in and I'm going to log in with a demo account, this is actually a honeypot demo account that we have, just to showcase this tool. But I'll log in here, and you'll see from our test box, as soon as we log in, and we go back to the attacker's point of view, he's captured the username, the password, but not only that he has the IP address, the ISP, the location of where the victim is coming from. So they have a lot of different types of information that they've captured. And this is just one simple way of doing the attack. Now, one thing to remember, I know I speak very fast, but at the same time, this is real time. I didn't like copy and paste anything, I just recorded this in real time, and replayed this. And this is how easy it is for an attacker to potentially start setting up a system where they can attack victims. >> That's remarkable, because I mean, I'm in LinkedIn every day, and I don't know, you talked about, we're all busy, multitasking, and things like that. I don't know that I would've, nothing that you showed caught my attention. So how would I know to, what would I know to look for as a user, as a potential victim? How do I look for something on that page to tell me "think twice about this? >> Yeah, it's getting much more difficult these days. I mean, one of the things that I do is I try and make sure I type in like the addresses, especially when I get links in emails, I try not to like, just click on the link directly. I try and look at what's behind that link, is it really going to the LinkedIn website, you know, I'll try and go ahead and type in it, type in the website in the web browser. But mostly I think the thing that we can do to all protect ourselves is like kind of slow down. One of the reasons I mentioned LinkedIn is not because LinkedIn is doing anything bad. They're actually taking a lot precautions on being secure. But you know, people, these days are very emotion, they're going back to work, they're maybe looking for new jobs, or they're trying to get back into the workforce after a pandemic. So there's a lot of people that are getting phishing attacks from attackers, and it's a really mean thing. They're taking once again, advantage of that emotion, like someone needs a job, so let me go ahead and send them a LinkedIn link, and this time they're just stealing their username and passwords. >> That's remarkable. I think another thing you can do, can you hover over the link, and if it looks suspicious, if it doesn't go to like linkedin.com, for example, in this case, that's one way, right, is to check out what that actual URL is. >> Yeah, absolutely, and that's a great way of doing that, so we definitely recommend that. Look at the, hover over the link, look over the links, type in the links directly if you can. And you can see like, you know, attackers are getting sophisticated.. We used to tell people, look for that green lock box, attackers can now generate that green lockbox, so you have to do a little more due diligence. Just keep your eyes a little sharper these days. >> Do you thing phishing is, and I know a lot of us understand what it is, but do you think it's as common ransomware was up? I think Derek told me 7X in the second half of calendar year, 2020, Is phishing becoming more of a household word like ransomware is? Or is that something that you think actually will help more organizations, and more people and more generations be just more aware of let me just take a step back, and check that this is legitimate. >> Yeah, so phishing, you have to remember is it's like the initial attack. So the demo that I just showed you, you could say the true attack was me possibly stealing the username and password, but a phishing would be the way that someone would get to get to that. Like by essentially mimicking the LinkedIn website, as I showed in the example. So ransomware is an attack, it's the main attack. Usually the attack that attackers are going for, but how they get into the system is usually through a phishing site. They'll usually try and phish your username and password to your corporate site, maybe your VPN services, or your remote desktop services. So phishing is usually in conjunction with another attack, and that's the scary part is attackers have a lot of attacks that you can choose from, but the attacks that they're normally normally conducting to get that initial access to your system is phishing. >> So besides training, which is obviously absolutely critical, how can organizations protect themselves against this threat landscape that I imagine is only going to continue to grow? >> Yeah, no, it's definitely going to continue to grow. And as I said, I really believe education is the best thing you can do. But on top of that, you know, just I would say, you know, cyber hygiene. The basic things that we always mention every time, it was like, make sure like your security products are up to date, make sure they're installed, make sure your patches are up to date, which is very difficult, but that does start helping things. Make sure you're using the latest version of your web browser. There's a lot of web browsers these days has some sort of anti-phishing type of tools in them as well, especially for websites. So they can kind of detect things. There's a once again, a lot of just even free plugins, security plugins, that are available, that kind of detect a lot of phishing sites as well. So there's a lot of things I think people can do to protect themselves from a technology standpoint. You know, with basic cyber hygiene, as well as security awareness. >> So you think this is really preventable, essentially. >> I don't think it's 100% preventable, because I think, you know, attackers are always going to take advantage of those times in our emotion when our emotions are heightened, and they're going to take advantage of just us sometimes like not paying as much attention to as we can. But I think you can definitely reduce that attack surface. The more we educate ourselves. >> Absolutely, tell me that training website again. >> Sure things, so it's basically Fortinet.com/training/taa. >> Excellent, and can you access different levels? Like if I literally point my mom to that website, can she access something that would be at her 75 year old brain level? >> Absolutely, so we have different levels out there. I would suggest that I go trying, everyone should try basically Level 1, NSC Level 1. That's our Security Institute. So that's really good awareness for everyone on all sorts of different levels. But we have training, geared towards specific individuals, and different age groups as well. >> Excellent, and it's one of those things that culturally is difficult I think for Americans, slow down, right? We don't do that, especially when people are still working from home, and probably now it's summertime, kids are out of school, things are a little bit more chaotic. That that best practice of an organization really keeping up with their cyber hygiene and us as individuals slowing down, checking something are really some of the best ways. Aamir, this is such an interesting topic. Thank you for showing us how easy it is to create phishing attacks, and what some of the things are that we as individuals, and companies can do to protect ourselves against it. >> Hey, no problem, glad to be here. >> For Aamir Lakhani, I'm Lisa Martin, you're watching this Cube conversation. (soft music)

(upbeat music) >> Welcome to this CUBE conversation. I am Lisa Martin, excited to welcome back one of our distinguished alumni, Derek Manky joins me next. Chief security Insights and Global Threat Alliances at Fortinet's FortiGuard Labs. Derek, welcome back to the program. >> Yes, it's great to be here and great to see you again, Lisa. Thanks for having me. >> Likewise, yeah, so a lot has happened. I know we've seen you during this virtual world, but so much has happened with ransomware in the last year. It's unbelievable, we had this dramatic shift to a distributed workforce, you had personal devices on in network perimeters and non-trusted devices or trusted devices on home networks and lots of change there. Talk to me about some of the things that you and FortiGuard Labs have seen with respect to the evolution of ransomware. >> Yeah, sure, so it's becoming worse, no doubt. We highlighted this in our Threat Landscape Report. If we just take a step back looking at ransomware itself, it actually started in the late 1980s. And it didn't, that was very, they relied on snail mail. It was obviously there was no market for it at the time. It was just a proof of concept, a failed experiment if you will. But it really started getting hot a decade ago, 10 years ago but the technology back then wasn't the cryptography they're using, the technique wasn't as strong as easily reversed. And so they didn't really get to a lot of revenue or business from the cyber criminal perspective. That is absolutely not the case today. Now they have very smart cryptography they're experts when say they, the cyber criminals at their game. They know there's a lot of the attack surfaces growing. There's a lot of vulnerable people out there. There's a lot of vulnerable devices. And this is what we saw in our threat landscape group. What we saw at seven times increase in ransomware activity in the second half of 2020. And that momentum is continuing in 2021. It's being fueled by what you just talked about. By the work from anywhere, work from home environment a lot of vulnerable devices unpatched. And these are the vehicles that the ransomware is the payload of course, that's the way that they're monetizing this. But the reality is that the attack surface has expanded, there's more vulnerable people and cyber criminals are absolutely capitalizing on that. >> Right, we've even seen cyber criminals capitalizing on the pandemic fears with things that were around the World Health Organization or COVID-19 or going after healthcare. Did you see an uptick in healthcare threats and activities as well in the last year? >> Yeah, definitely, so I would start to say that first of all, the... Nobody is immune when it comes to ransomware. This is such again, a hot target or a technique that the cybercriminals are using. So when we look at the verticals, absolutely healthcare is in the top five that we've seen, but the key difference is there's two houses here, right? You have what we call the broad blanketed ransomware attacks. So these aren't going after any particular vertical. They're really just trying to spray as much as they can through phishing campaigns, not through... there's a lot of web traffic out there. We see a lot of things that are used to open playing on that COVID-19 theme we got, right? Emails from HR or taxes and scams. It's all related to ransomware because these are how they're trying to get the masses to open that up, pay some data sorry, pay some cryptocurrency to get access to their data back. Oftentimes they're being held for extortions. They may have photos or video or audio captures. So it's a lot of fear they're trying to steal these people but probably the more concern is just what you talked about, healthcare, operational technology. These are large business revenue streams. These are take cases of targeted ransoms which is much different because instead of a big volumetric attack, these are premeditated. They're going after with specific targets in mind specific social engineering rules. And they know that they're hitting the corporate assets or in the case of healthcare critical systems where it hurts they know that there's high stakes and so they're demanding high returns in terms of ransoms as well. >> With respect to the broad ransomware attacks versus targeted a couple of questions to kind of dissect that. Are the targeted attacks, are they in like behind the network firewall longer and faster, longer and getting more information? Are they demanding higher ransom versus the broader attacks? What's what are some of the distinctions there besides what you mentioned? >> Yeah, absolutely so the targeted texts are more about execution, right? So if we look at the attack chain and they're doing more in terms of reconnaissance, they're spending more cycles and investment really on their end in terms of weaponization, how they can actually get into the system, how they can remain undetected, collecting and gathering information. What we're seeing with groups like Ragnar Locker as an example, they're going in and they're collecting in some cases, terabytes of information, a lot, they're going after definitely intellectual property, things like source code, also PII for customers as an example, and they're holding them. They have a whole business strategy and plan in mind on their place, right? They hold them for ransom. They're often, it's essentially a denial of service in some cases of taking a revenue stream or applications offline so a business can't function. And then what they're doing is that they're actually setting up crime services on their end. They, a lot of the the newest ransom notes that we're seeing in these targeted attacks are setting up channels to what they call a live chat support channel that the victim would log into and actually talk directly live to the cybercriminal or one of their associates to be able to negotiate the ransom. And they're trying to have in their point of view they're trying frame this as a good thing and say, we're going to show you that our technology works. We can decrypt some of the files on your system as an example just to prove that we are who we say we are but then they go on to say, instead of $10 million, we can negotiate down to 6 million, this is a good deal, you're getting 30% off or whatever it is but the fact is that they know by the time they've gotten to this they've done all their homework before that, right? They've done the targets, they've done all the things that they can to know that they have the organization in their grasp, right? >> One of the things that you mentioned just something I never thought about as ransomware as a business, the sophistication level is just growing and growing and growing and growing. And of course, even other bad actors, they have access to all the emerging technologies that the good guys do. But talk to me about this business of ransomware because that's what it seems like it really has become. >> Absolutely, it is massively sad. If you look at the cybercrime ecosystem like the way that they're actually pulling this off it's not just one individual or one cyber crime ring that, let's say five to 10 people that are trying to orchestrate this. These are big rings, we actually work closely as an example to, we're doing everything from the FortiGuard Labs with following the latest ransomware trends doing the protection and mitigation but also working to find out who these people are, what are their tactics and really attribute it and paint a picture of these organizations. And they're big, we worked on some cases where there's over 50 people just in one ransomware gang. One of the cases we worked on, they were making over $60 million US in three months, as an example. And in some cases, keep in mind one of these targeted attacks like in terms of ransom demands and the targeted cases they can be an excess of $10 million just for one ransom attack. And like I said, we're seeing a seven times increase in the amount of attack activity. And what they're doing in terms of the business is they've set up affiliate marketing. Essentially, they have affiliates in the middle that will actually distribute the ransomware. So they're basically outsourcing this to other individuals. If they hit people with their ransomware and the people pay then the affiliate in the middle will actually get a commission cut of that, very high, typically 40 to 50%. And that's really what's making this lucrative business model too. >> Wow, My jaw is dropping just the sophistication but also the different levels to which they've put a business together. And unfortunately, for every industry it sounds very lucrative, so how then Derek do organizations protect themselves against this, especially knowing that a lot of this work from home stuff is going to persist. Some people want to stay home, what not. The proliferation of devices is only going to continue. So what are organizations start and how can you guys help? >> Start with the people, so we'll talk about three things, people, technology and processes. The people, unfortunately, this is not just about ransomware but definitely applies to ransomware but any attack, humans are still often the weakest link in terms of education, right? A lot of these ransomware campaigns will be going after people using nowadays seems like tax themes purporting to be from the IRS as an example or human resources departments or governments and health authorities, vaccination scams all these things, right? But what they're trying to do is to get people to click on that link, still to open up a malicious attachment that will then infect them with the ransomware. This of course, if an employee is up to date and hones their skills so that they know basically a zero trust mentality is what I like to talk about. You wouldn't just invite a stranger into your house to open a package that you didn't order but people are doing this a lot of the times with email. So really starting with the people first is important. There's a lot of free training information and security. There is awareness training, we offer that at Fortinet. There's even advanced training we do through our NSC program as an example. But then on top of that there's things like phishing tests that you can do regularly, penetration testing as well, exercises like that are very important because that is really the first line of defense. Moving past that you want to get into the technology piece. And of course, there's a whole, this is a security fabric. There's a whole array of solutions. Like I said, everything needs to be integrated. So we have an EDR and XDR as an example sitting on the end point, cause oftentimes they still need to get that ransomware payload to run on the end point. So having a technology like EDR goes a long way to be able to detect the threat, quarantine and block it. There's also of course a multi-factor authentication when it comes to identifying who's connecting to these environments. Patch management, we talk about all the time. That's part of the technology piece. The reality is that we highlight in the threat landscape report the software vulnerabilities that these rats more gangs are going after are two to three years old. They're not breaking within the last month they're two to three years old. So it's still about the patch management cycle, having that holistic integrated security architecture and the fabric is really important. NAC network access control is zero trust, network access is really important as well. One of the biggest culprits we're seeing with these ransom attacks is using IOT devices as launchpads as an example into networks 'cause they're in these work from home environments and there's a lot of unsecured or uninspected devices sitting on those networks. Finally process, right? So it's always good to have it all in your defense plan training and education, technology for mitigation but then also thinking about the what if scenario, right? So incident response planning, what do we do if we get hit? Of course we never recommend to pay the ransom. So it's good to have a plan in place. It's good to identify what your corporate assets are and the likely targets that cyber-criminals are going to go after and make sure that you have rigid security controls and threat intelligence like FortiGuard Labs applied to that. >> Yeah, you talk about the weakest link they are people I know you and I talked about that on numerous segments. It's one of the biggest challenges but I've seen some people that are really experts in security read a phishing email and almost fall for it. Like it looked so legitimately from like their bank for example. So in that case, what are some of the things that businesses can do when it looks so legitimate that it probably is going to have a unfortunately a good conversion rate? >> Yeah, so this is what I was talking about earlier that these targeted attacks especially when it comes to spear, when it comes to the reconnaissance they got so clever, it can be can so realistic. That's the, it becomes a very effective weapon. That's why the sophistication and the risk is rising like I said but that's why you want to have this multilayered approach, right? So if that first line of defense does yield, if they do click on the link, if they do try to open the malicious attachment, first of all again through the next generation firewall Sandboxing solutions like that, this technology is capable of inspecting that, acting like is this, we even have a FortiAI as an example, artificial intelligence, machine learning that can actually scan this events and know is this actually an attack? So that element goes a long way to actually scrub it like content CDR as well, content disarm as an example this is a way to actually scrub that content. So it doesn't actually run it in the first place but if it does run again, this is where EDR comes in like I said, at the end of the day they're also trying to get information out of the network. So having things like a Platinum Protection through the next generation firewall like with FortiGuard security subscription services is really important too. So it's all about that layered approach. You don't want just one single point of failure. You really want it, this is what we call the attack chain and the kill chain. There's no magic bullet when it comes to attackers moving, they have to go through a lot of phases to reach their end game. So having that layer of defense approach and blocking it at any one of those phases. So even if that human does click on it you're still mitigating the attack and protecting the damage. Keep in mind a lot of damages in some cases kind of a million dollars plus. >> Right, is that the average ransom, 10 million US dollars. >> So the average cost of data breaches that we're seeing which are often related to ransom attacks is close to that in the US, I believe it's around just under $9 million about 8.7 million, just for one data breach. And often those data breaches now, again what's happening is that the data it's not just about encrypting the data, getting access because a lot of organizations part of the technology piece and the process that we recommend is backups as well of data. I would say, organizations are getting better at that now but it's one thing to back up your data. But if that data is breached again, cybercriminals are now moving to this model of extorting that saying, unless you pay us this money we're going to go out and make this public. We're going to put it on paste and we're going to sell it to nefarious people on the dark web as well. >> One more thing I want to ask you in terms of proliferation we talked about the distributed workforce but one of the things, and here we are using Zoom to talk to each other, instead of getting to sit together in person we saw this massive proliferation in collaboration tools to keep people connected, families businesses. I talked a bit a lot of businesses who initially will say, oh we're using Microsoft 365 and they're protecting the data while they're not or Salesforce or Slack. And that shared responsibility model is something that I've been hearing a lot more about lately that businesses needing to recognize for those cloud applications that we're using and in which there's a lot of data traversing it could include PII or IP. We're responsible for that as the customer to protect our data, the vendor's responsible for protecting the integrity of the infrastructure. Share it with us a little bit about that in terms of your thoughts on like data protection and backup for those SaaS applications. >> Yeah, great question, great question tough one. It is so, I mean ultimately everybody has to have, I believe it has to have their position in this. It's not, it is a collaborative environment. Everyone has to be a stakeholder in this even down to the end users, the employees being educated and up-to-date as an example, the IT departments and security operation centers of vendors being able to do all the threat intelligence and scrubbing. But then when you extend that to the public cloud what is the cloud security stack look at, right? How integrated is that? Are there scrubbing and protection controls sitting on the cloud environments? What data is being sent to that, should it be cited center as an example? what's the retention period? How long does the data live on there? It's the same thing as when you go out and you buy one of these IOT devices as an example from say, a big box store and you go and just plug it into your network. It's the same questions we should be asking, right? What's the security like on this device model? Who's making it, what data is it going to ask for me? The same thing when you're installing an application on your mobile phone, this is what I mean about that zero trust environment. It should be earned trust. So it's a big thing, right? To be able to ask those questions and then only do it on a sort of need to know and medium basis. The good news is that a lot of CloudStack now and environments are integrating security controls. We integrated quite well with Fortinet as an example but this is an issue of supply chain. It's really important to know what lives upstream and how they're handling the data and how they're protecting it absolutely. >> Such interesting information and it's a topic ransomware that we could continue talking about, Derek, thank you for joining me on the program today updating us on what's going on, how it's evolving and ultimately what organizations in any industry need to do with protecting people and technology and processes to really start reducing their risks. I thank you so much for joining me today. >> All right it's a pleasure, thank you. >> Likewise Derek Manky I'm Lisa Martin. You're watching this CUBE conversation. (upbeat music)

>>As we've been reporting, the pandemic has called CSOs to really shift their spending priorities towards securing remote workers. Almost overnight. Zero trust has gone from buzzword to mandate. What's more as we wrote in our recent cybersecurity breaking analysis, not only Maseca pro secured increasingly distributed workforce, but now they have to be wary of software updates in the digital supply chain, including the very patches designed to protect them against cyber attacks. Hello everyone. And welcome to this Q conversation. My name is Dave Vellante and I'm pleased to welcome Derek manky. Who's chief security insights, and global threat alliances for four guard labs with fresh data from its global threat landscape report. Derek. Welcome. Great to see you. >>Thanks so much for, for the invitation to speak. It's always a pleasure. Multicover yeah, >>You're welcome. So first I wonder if you could explain for the audience, what is for guard labs and what's its relationship to fortunate? >>Right. So 40 grand labs is, is our global sockets, our global threat intelligence operation center. It never sleeps, and this is the beat. Um, you know, it's, it's been here since inception at port in it. So it's it's 20, 21 years in the making, since Fortinet was founded, uh, we have built this in-house, uh, so we don't go yum technology. We built everything from the ground up, including creating our own training programs for our, our analysts. We're following malware, following exploits. We even have a unique program that I created back in 2006 to ethical hacking program. And it's a zero-day research. So we try to meet the hackers, the bad guys to their game. And we of course do that responsibly to work with vendors, to close schools and create virtual patches. Um, and, but, you know, so it's, it's everything from, uh, customer protection first and foremost, to following, uh, the threat landscape and cyber. It's very important to understand who they are, what they're doing, who they're, uh, what they're targeting, what tools are they using? >>Yeah, that's great. Some serious DNA and skills in that group. And it's, it's critical because like you said, you can, you can minimize the spread of those malware very, very quickly. So what, what now you have, uh, the global threat landscape report. We're going to talk about that, but what exactly is that? >>Right? So this a global threat landscape report, it's a summary of, uh, all, all the data that we collect over a period of time. So we released this, that biannually two times a year. Um, cyber crime is changing very fast, as you can imagine. So, uh, while we do release security blogs, and, uh, what we call threat signals for breaking security events, we have a lot of other vehicles to release threat intelligence, but this threat landscape report is truly global. It looks at all of our global data. So we have over 5 million censorship worldwide in 40 guard labs, we're processing. I know it seems like a very large amount, but North of a hundred billion, uh, threat events in just one day. And we have to take the task of taking all of that data and put that onto scale for half a year and compile that into something, um, that is, uh, the, you know, that that's digestible. That's a, a very tough task, as you can imagine, so that, you know, we have to work with a huge technologies back to machine learning and artificial intelligence automation. And of course our analyst view to do that. >>Yeah. So this year, of course, there's like the every year is a battle, but this year was an extra battle. Can you explain what you saw in terms of the hacker dynamics over the past? Let's say 12 months. I know you do this twice a year, but what trends did you see evolving throughout the year and what have you seen with the way that attackers have exploited this expanded attack surface outside of corporate network? >>Yeah, it was quite interesting last year. It certainly was not normal. Like we all say, um, and that was no exception for cybersecurity. You know, if we look at cyber criminals and how they pivoted and adapted to the scrap threat landscape, cyber cyber criminals are always trying to take advantage of the weakest link of the chain. They're trying to always prey off here and ride waves of global trends and themes. We've seen this before in, uh, natural disasters as an example, you know, um, trying to do charity kind of scams and campaigns. And they're usually limited to a region where that incident happened and they usually live about two to three weeks, maybe a month at the most. And then they'll move on to the next to the next trip. That's braking, of course, because COVID is so global and dominant. Um, we saw attacks coming in from, uh, well over 40 different languages as an example, um, in regions all across the world that wasn't lasting two to three weeks and it lasted for the better part of a year. >>And of course, what they're, they're using this as a vehicle, right? Not preying on the fear. They're doing everything from initial lockdown, uh, fishing. We were as COVID-19 movers to, um, uh, lay off notices then to phase one, reopenings all the way up to fast forward to where we are today with vaccine rollover development. So there's always that new flavor and theme that they were rolling out, but because it was so successful for them, they were able to, they didn't have to innovate too much, right. They didn't have to expand and shifted to new to new trends. And themes are really developed on new rats families as an example, or a new sophisticated malware. That was the first half of the year and the second half of the year. Um, of course people started to experience COVID fatigue, right? Um, people started to become, we did a lot of education around this. >>People started to become more aware of this threat. And so, um, cyber criminals have started to, um, as we expected, started to become more sophisticated with their attacks. We saw an expansion in different ransomware families. We saw more of a shift of focus on, on, um, uh, you know, targeting the digital supply chain as an example. And so that, that was, that was really towards Q4. Uh, so it, it was a long lived lead year with success on the Google themes, um, targeting healthcare as an example, a lot of, um, a lot of the organizations that were, you know, really in a vulnerable position, I would say >>So, okay. I want to clarify something because my assumption was that they actually did really increase the sophistication, but it sounds like that was kind of a first half trends. Not only did they have to adapt and not have to, but they adapt it to these new vulnerabilities. Uh, my sense was that when you talk about the digital supply chain, that that was a fairly sophisticated attack. Am I, am I getting that right? That they did their sort of their, their, their increased sophistication in the first half, and then they sort of deployed it, did it, uh, w what actually happened there from your data? >>Well, if we look at, so generally there's two types of attacks that we look at, we look at the, uh, the premeditated sophisticated attacks that can have, um, you know, a lot of ramp up work on their end, a lot of time developing the, the, the, the weaponization phase. So developing, uh, the exploits of the sophisticated malware that they're gonna use for the campaign reconnaissance, understanding the targets, where platforms are developed, um, the blueprinting that DNA of, of, of the supply chain, those take time. Um, in fact years, even if we look back to, um, uh, 10 plus years ago with the Stuxnet attacks, as an example that was on, uh, nuclear centrifuges, um, and that, that had four different zero-day weapons at the time. That was very sophisticated, that took over two years to develop as an example. So some of these can take years of time to develop, but they're, they're, uh, very specific in terms of the targets are going to go after obviously the ROI from their end. >>Uh, the other type of attack that we see is as ongoing, um, these broad, wide sweeping attacks, and the reality for those ones is they don't unfortunately need to be too sophisticated. And those ones were the ones I was talking about that were really just playing on the cool, the deem, and they still do today with the vaccine road and development. Uh, but, but it's really because they're just playing on, on, um, you know, social engineering, um, using, uh, topical themes. And in fact, the weapons they're using these vulnerabilities are from our research data. And this was highlighted actually the first pop landscape before last year, uh, on average were two to three years old. So we're not talking about fresh vulnerabilities. You've got to patch right away. I mean, these are things that should have been patched two years ago, but they're still unfortunately having success with that. >>So you mentioned stuck next Stuxnet as the former sort of example, of one of the types of attacks that you see. And I always felt like that was a watershed moment. One of the most sophisticated, if not the most sophisticated attack that we'd ever seen. When I talk to CSOs about the recent government hack, they, they, they suggest I infer maybe they don't suggest it. I infer that it was of similar sophistication. It was maybe thousands of people working on this for years and years and years. Is that, is that accurate or not necessarily? >>Yeah, there's definitely a, there's definitely some comparisons there. Uh, you know, one of the largest things is, uh, both attacks used digital circuits certificate personation, so they're digitally signed. So, you know, of course that whole technology using cryptography is designed by design, uh, to say that, you know, this piece of software installed in your system, hassles certificate is coming from the source. It's legitimate. Of course, if that's compromised, that's all out of the window. And, um, yeah, this is what we saw in both attacks. In fact, you know, stocks in that they also had digitally designed, uh, certificates that were compromised. So when it gets to that level of students or, uh, sophistication, that means definitely that there's a target that there has been usually months of, of, uh, homework done by cyber criminals, for reconnaissance to be able to weaponize that. >>W w what did you see with respect to ransomware? What were the trends there over the past 12 months? I've heard some data and it's pretty scary, but what did you see? >>Yeah, so we're actually, ransomware is always the thorn in our side, and it's going to continue to be so, um, you know, in fact, uh, ransomware is not a new itself. It was actually first created in 1989, and they demanded ransom payments through snail mail. This was to appeal a box, obviously that, that, that didn't take off. Wasn't a successful on the internet was porn at the time. But if you look at it now, of course, over the last 10 years, really, that's where it ran. The ransomware model has been, uh, you know, lucrative, right? I mean, it's been, um, using, uh, by force encrypting data on systems, so that users had to, if they were forced to pay the ransom because they wanted access to their data back data was the target currency for ransomware. That's shifted now. And that's actually been a big pivotal over the last year or so, because again, before it was this let's cast a wide net, in fact, as many people as we can random, um, and try to see if we can hold some of their data for ransom. >>Some people that data may be valuable, it may not be valuable. Um, and that model still exists. Uh, and we see that, but really the big shift that we saw last year and the threat landscape before it was a shift to targeted rats. So again, the sophistication is starting to rise because they're not just going out to random data. They're going out to data that they know is valuable to large organizations, and they're taking that a step further now. So there's various ransomware families. We saw that have now reverted to extortion and blackmail, right? So they're taking that data, encrypting it and saying, unless you pay us as large sum of money, we're going to release this to the public or sell it to a buyer on the dark web. And of course you can imagine the amount of, um, you know, damages that can happen from that. The other thing we're seeing is, is a target of going to revenue services, right? So if they can cripple networks, it's essentially a denial of service. They know that the company is going to be bleeding, you know, X, millions of dollars a day, so they can demand Y million dollars of ransom payments, and that's effectively what's happening. So it's, again, becoming more targeted, uh, and more sophisticated. And unfortunately the ransom is going up. >>So they go to where the money is. And of course your job is to, it's a lower the ROI for them, a constant challenge. Um, we talked about some of the attack vectors, uh, that you saw this year that, that cyber criminals are targeting. I wonder if, if, you know, given the work from home, if things like IOT devices and cameras and, you know, thermostats, uh, with 75% of the work force at home, is this infrastructure more vulnerable? I guess, of course it is. But what did you see there in terms of attacks on those devices? >>Yeah, so, uh, um, uh, you know, unfortunately the attack surface as we call it, uh, so the amount of target points is expanding. It's not shifting, it's expanding. We still see, um, I saw, I mentioned earlier vulnerabilities from two years ago that are being used in some cases, you know, over the holidays where e-commerce means we saw e-commerce heavily under attack in e-commerce has spikes since last summer, right. It's been a huge amount of traffic increase everybody's shopping from home. And, uh, those vulnerabilities going after a shopping cart, plugins, as an example, are five to six years old. So we still have this theme of old vulnerabilities are still new in a sense being attacked, but we're also now seeing this complication of, yeah, as you said, IOT, uh, B roll out everywhere, the really quick shift to work from home. Uh, we really have to treat this as if you guys, as the, uh, distributed branch model for enterprise, right. >>And it's really now the secure branch. How do we take, um, um, you know, any of these devices on, on those networks and secure them, uh, because yeah, if you look at the, what we highlighted in our landscape report and the top 10 attacks that we're seeing, so hacking attacks hacking in tabs, this is who our IPS triggers. You know, we're seeing attempts to go after IOT devices. Uh, right now they're mostly, uh, favoring, uh, well in terms of targets, um, consumer grade routers. Uh, but they're also looking at, um, uh, DVR devices as an example for, uh, you know, home entertainment systems, uh, network attached storage as well, and IP security cameras, um, some of the newer devices, uh, what, the quote unquote smart devices that are now on, you know, virtual assistance and home networks. Uh, we actually released a predictions piece at the end of last year as well. So this is what we call the new intelligent edge. And that's what I think is we're really going to see this year in terms of what's ahead. Um, cause we always have to look ahead and prepare for that. But yeah, right now, unfortunately, the story is, all of this is still happening. IOT is being targeted. Of course they're being targeted because they're easy targets. Um, it's like for cybercriminals, it's like shooting fish in a barrel. There's not just one, but there's multiple vulnerabilities, security holes associated with these devices, easy entry points into networks. >>I mean, it's, um, I mean, attackers they're, they're highly capable. They're organized, they're well-funded they move fast, they're they're agile, uh, and they follow the money. As we were saying, uh, you, you mentioned, you know, co vaccines and, you know, big pharma healthcare, uh, where >>Did you see advanced, persistent >>Threat groups really targeting? Were there any patterns that emerged in terms of other industry types or organizations being targeted? >>Yeah. So just to be clear again, when we talk about AP teams, um, uh, advanced, specific correct group, the groups themselves they're targeting, these are usually the more sophisticated groups, of course. So going back to that theme, these are usually the target, the, um, the premeditated targeted attacks usually points to nation state. Um, sometimes of course there's overlap. They can be affiliated with cyber crime, cyber crime, uh, uh, groups are typically, um, looking at some other targets for ROI, uh, bio there's there's a blend, right? So as an example, if we're looking at the, uh, apt groups I had last year, absolutely. Number one I would say would be healthcare. Healthcare was one of those, and it's, it's, it's, uh, you know, very unfortunate, but obviously with the shift that was happening at a pop up medical facilities, there's a big, a rush to change networks, uh, for a good cause of course, but with that game, um, you know, uh, security holes and concerns the targets and, and that's what we saw IPT groups targeting was going after those and, and ransomware and the cyber crime shrine followed as well. Right? Because if you can follow, uh, those critical networks and crippled them on from cybercriminals point of view, you can, you can expect them to pay the ransom because they think that they need to buy in order to, um, get those systems back online. Uh, in fact, last year or two, unfortunately we saw the first, um, uh, death that was caused because of a denial of service attack in healthcare, right. Facilities were weren't available because of the cyber attack. Patients had to be diverted and didn't make it on the way. >>All right. Jericho, sufficiently bummed out. So maybe in the time remaining, we can talk about remediation strategies. You know, we know there's no silver bullet in security. Uh, but what approaches are you recommending for organizations? How are you consulting with folks? >>Sure. Yeah. So a couple of things, um, good news is there's a lot that we can do about this, right? And, um, and, and basic measures go a long way. So a couple of things just to get out of the way I call it housekeeping, cyber hygiene, but it's always worth reminding. So when we talk about keeping security patches up to date, we always have to talk about that because that is reality as et cetera, these, these vulnerabilities that are still being successful are five to six years old in some cases, the majority two years old. Um, so being able to do that, manage that from an organization's point of view, really treat the new work from home. I don't like to call it a work from home. So the reality is it's work from anywhere a lot of the times for some people. So really treat that as, as the, um, as a secure branch, uh, methodology, doing things like segmentations on network, secure wifi access, multi-factor authentication is a huge muscle, right? >>So using multi-factor authentication because passwords are dead, um, using things like, uh, XDR. So Xers is a combination of detection and response for end points. This is a mass centralized management thing, right? So, uh, endpoint detection and response, as an example, those are all, uh, you know, good security things. So of course having security inspection, that that's what we do. So good threat intelligence baked into your security solution. That's supported by labs angles. So, uh, that's, uh, you know, uh, antivirus, intrusion prevention, web filtering, sandbox, and so forth, but then it gets that that's the security stack beyond that it gets into the end user, right? Everybody has a responsibility. This is that supply chain. We talked about. The supply chain is, is, is a target for attackers attackers have their own supply chain as well. And we're also part of that supply chain, right? The end users where we're constantly fished for social engineering. So using phishing campaigns against employees to better do training and awareness is always recommended to, um, so that's what we can do, obviously that's, what's recommended to secure, uh, via the endpoints in the secure branch there's things we're also doing in the industry, um, to fight back against that with prime as well. >>Well, I, I want to actually talk about that and talk about ecosystems and collaboration, because while you have competitors, you all want the same thing. You, SecOps teams are like superheroes in my book. I mean, they're trying to save the world from the bad guys. And I remember I was talking to Robert Gates on the cube a couple of years ago, a former defense secretary. And I said, yeah, but don't, we have like the best security people and can't we go on the offensive and weaponize that ourselves. Of course, there's examples of that. Us. Government's pretty good at it, even though they won't admit it. But his answer to me was, yeah, we gotta be careful because we have a lot more to lose than many countries. So I thought that was pretty interesting, but how do you collaborate with whether it's the U S government or other governments or other other competitors even, or your ecosystem? Maybe you could talk about that a little bit. >>Yeah. Th th this is what, this is what makes me tick. I love working with industry. I've actually built programs for 15 years of collaboration in the industry. Um, so, you know, we, we need, I always say we can't win this war alone. You actually hit on this point earlier, you talked about following and trying to disrupt the ROI of cybercriminals. Absolutely. That is our target, right. We're always looking at how we can disrupt their business model. Uh, and, and in order, there's obviously a lot of different ways to do that, right? So a couple of things we do is resiliency. That's what we just talked about increasing the security stack so that they go knocking on someone else's door. But beyond that, uh, it comes down to private, private sector collaborations. So, uh, we, we, uh, co-founder of the cyber threat Alliance in 2014 as an example, this was our fierce competitors coming in to work with us to share intelligence, because like you said, um, competitors in the space, but we need to work together to do the better fight. >>And so this is a Venn diagram. What's compared notes, let's team up, uh, when there's a breaking attack and make sure that we have the intelligence so that we can still remain competitive on the technology stack to gradation the solutions themselves. Uh, but let's, let's level the playing field here because cybercriminals moved out, uh, you know, um, uh, that, that there's no borders and they move with great agility. So, uh, that's one thing we do in the private private sector. Uh, there's also, uh, public private sector relationships, right? So we're working with Interpol as an example, Interfor project gateway, and that's when we find attribution. So it's not just the, what are these people doing like infrastructure, but who, who are they, where are they operating? What, what events tools are they creating? We've actually worked on cases that are led down to, um, uh, warrants and arrests, you know, and in some cases, one case with a $60 million business email compromise fraud scam, the great news is if you look at the industry as a whole, uh, over the last three to four months has been for take downs, a motet net Walker, uh, um, there's also IE Gregor, uh, recently as well too. >>And, and Ian Gregor they're actually going in and arresting the affiliates. So not just the CEO or the King, kind of these organizations, but the people who are distributing the ransomware themselves. And that was a unprecedented step, really important. So you really start to paint a picture of this, again, supply chain, this ecosystem of cyber criminals and how we can hit them, where it hurts on all angles. I've most recently, um, I've been heavily involved with the world economic forum. Uh, so I'm, co-author of a report from last year of the partnership on cyber crime. And, uh, this is really not just the pro uh, private, private sector, but the private and public sector working together. We know a lot about cybercriminals. We can't arrest them. Uh, we can't take servers offline from the data centers, but working together, we can have that whole, you know, that holistic effect. >>Great. Thank you for that, Derek. What if people want, want to go deeper? Uh, I know you guys mentioned that you do blogs, but are there other resources that, that they can tap? Yeah, absolutely. So, >>Uh, everything you can see is on our threat research blog on, uh, so 40 net blog, it's under expired research. We also put out, uh, playbooks, w we're doing blah, this is more for the, um, the heroes as he called them the security operation centers. Uh, we're doing playbooks on the aggressors. And so this is a playbook on the offense, on the offense. What are they up to? How are they doing that? That's on 40 guard.com. Uh, we also release, uh, threat signals there. So, um, we typically release, uh, about 50 of those a year, and those are all, um, our, our insights and views into specific attacks that are now >>Well, Derek Mackie, thanks so much for joining us today. And thanks for the work that you and your teams do. Very important. >>Thanks. It's yeah, it's a pleasure. And, uh, rest assured we will still be there 24 seven, three 65. >>Good to know. Good to know. And thank you for watching everybody. This is Dave Volante for the cube. We'll see you next time.

>>As we've been reporting, the pandemic has called CSOs to really shift their spending priorities towards securing remote workers. Almost overnight. Zero trust has gone from buzzword to mandate. What's more as we wrote in our recent cybersecurity breaking analysis, not only Maseca pro secured increasingly distributed workforce, but now they have to be wary of software updates in the digital supply chain, including the very patches designed to protect them against cyber attacks. Hello everyone. And welcome to this Q conversation. My name is Dave Vellante and I'm pleased to welcome Derek manky. Who's chief security insights, and global threat alliances for four guard labs with fresh data from its global threat landscape report. Derek. Welcome. Great to see you. >>Thanks so much for, for the invitation to speak. It's always a pleasure. Multicover yeah, >>You're welcome. So first I wonder if you could explain for the audience, what is for guard labs and what's its relationship to fortunate? >>Right. So 40 grand labs is, is our global sockets, our global threat intelligence operation center. It never sleeps, and this is the beat. Um, you know, it's, it's been here since inception at port in it. So it's it's 20, 21 years in the making, since Fortinet was founded, uh, we have built this in-house, uh, so we don't go yum technology. We built everything from the ground up, including creating our own training programs for our, our analysts. We're following malware, following exploits. We even have a unique program that I created back in 2006 to ethical hacking program. And it's a zero-day research. So we try to meet the hackers, the bad guys to their game. And we of course do that responsibly to work with vendors, to close schools and create virtual patches. Um, and, but, you know, so it's, it's everything from, uh, customer protection first and foremost, to following, uh, the threat landscape and cyber. It's very important to understand who they are, what they're doing, who they're, uh, what they're targeting, what tools are they using? >>Yeah, that's great. Some serious DNA and skills in that group. And it's, it's critical because like you said, you can, you can minimize the spread of those malware very, very quickly. So what, what now you have, uh, the global threat landscape report. We're going to talk about that, but what exactly is that? >>Right? So this a global threat landscape report, it's a summary of, uh, all, all the data that we collect over a period of time. So we released this, that biannually two times a year. Um, cyber crime is changing very fast, as you can imagine. So, uh, while we do release security blogs, and, uh, what we call threat signals for breaking security events, we have a lot of other vehicles to release threat intelligence, but this threat landscape report is truly global. It looks at all of our global data. So we have over 5 million censorship worldwide in 40 guard labs, we're processing. I know it seems like a very large amount, but North of a hundred billion, uh, threat events in just one day. And we have to take the task of taking all of that data and put that onto scale for half a year and compile that into something, um, that is, uh, the, you know, that that's digestible. That's a, a very tough task, as you can imagine, so that, you know, we have to work with a huge technologies back to machine learning and artificial intelligence automation. And of course our analyst view to do that. >>Yeah. So this year, of course, there's like the every year is a battle, but this year was an extra battle. Can you explain what you saw in terms of the hacker dynamics over the past? Let's say 12 months. I know you do this twice a year, but what trends did you see evolving throughout the year and what have you seen with the way that attackers have exploited this expanded attack surface outside of corporate network? >>Yeah, it was quite interesting last year. It certainly was not normal. Like we all say, um, and that was no exception for cybersecurity. You know, if we look at cyber criminals and how they pivoted and adapted to the scrap threat landscape, cyber cyber criminals are always trying to take advantage of the weakest link of the chain. They're trying to always prey off here and ride waves of global trends and themes. We've seen this before in, uh, natural disasters as an example, you know, um, trying to do charity kind of scams and campaigns. And they're usually limited to a region where that incident happened and they usually live about two to three weeks, maybe a month at the most. And then they'll move on to the next to the next trip. That's braking, of course, because COVID is so global and dominant. Um, we saw attacks coming in from, uh, well over 40 different languages as an example, um, in regions all across the world that wasn't lasting two to three weeks and it lasted for the better part of a year. >>And of course, what they're, they're using this as a vehicle, right? Not preying on the fear. They're doing everything from initial lockdown, uh, fishing. We were as COVID-19 movers to, um, uh, lay off notices then to phase one, reopenings all the way up to fast forward to where we are today with vaccine rollover development. So there's always that new flavor and theme that they were rolling out, but because it was so successful for them, they were able to, they didn't have to innovate too much, right. They didn't have to expand and shifted to new to new trends. And themes are really developed on new rats families as an example, or a new sophisticated malware. That was the first half of the year and the second half of the year. Um, of course people started to experience COVID fatigue, right? Um, people started to become, we did a lot of education around this. >>People started to become more aware of this threat. And so, um, cyber criminals have started to, um, as we expected, started to become more sophisticated with their attacks. We saw an expansion in different ransomware families. We saw more of a shift of focus on, on, um, uh, you know, targeting the digital supply chain as an example. And so that, that was, that was really towards Q4. Uh, so it, it was a long lived lead year with success on the Google themes, um, targeting healthcare as an example, a lot of, um, a lot of the organizations that were, you know, really in a vulnerable position, I would say >>So, okay. I want to clarify something because my assumption was that they actually did really increase the sophistication, but it sounds like that was kind of a first half trends. Not only did they have to adapt and not have to, but they adapt it to these new vulnerabilities. Uh, my sense was that when you talk about the digital supply chain, that that was a fairly sophisticated attack. Am I, am I getting that right? That they did their sort of their, their, their increased sophistication in the first half, and then they sort of deployed it, did it, uh, w what actually happened there from your data? >>Well, if we look at, so generally there's two types of attacks that we look at, we look at the, uh, the premeditated sophisticated attacks that can have, um, you know, a lot of ramp up work on their end, a lot of time developing the, the, the, the weaponization phase. So developing, uh, the exploits of the sophisticated malware that they're gonna use for the campaign reconnaissance, understanding the targets, where platforms are developed, um, the blueprinting that DNA of, of, of the supply chain, those take time. Um, in fact years, even if we look back to, um, uh, 10 plus years ago with the Stuxnet attacks, as an example that was on, uh, nuclear centrifuges, um, and that, that had four different zero-day weapons at the time. That was very sophisticated, that took over two years to develop as an example. So some of these can take years of time to develop, but they're, they're, uh, very specific in terms of the targets are going to go after obviously the ROI from their end. >>Uh, the other type of attack that we see is as ongoing, um, these broad, wide sweeping attacks, and the reality for those ones is they don't unfortunately need to be too sophisticated. And those ones were the ones I was talking about that were really just playing on the cool, the deem, and they still do today with the vaccine road and development. Uh, but, but it's really because they're just playing on, on, um, you know, social engineering, um, using, uh, topical themes. And in fact, the weapons they're using these vulnerabilities are from our research data. And this was highlighted actually the first pop landscape before last year, uh, on average were two to three years old. So we're not talking about fresh vulnerabilities. You've got to patch right away. I mean, these are things that should have been patched two years ago, but they're still unfortunately having success with that. >>So you mentioned stuck next Stuxnet as the former sort of example, of one of the types of attacks that you see. And I always felt like that was a watershed moment. One of the most sophisticated, if not the most sophisticated attack that we'd ever seen. When I talk to CSOs about the recent government hack, they, they, they suggest I infer maybe they don't suggest it. I infer that it was of similar sophistication. It was maybe thousands of people working on this for years and years and years. Is that, is that accurate or not necessarily? >>Yeah, there's definitely a, there's definitely some comparisons there. Uh, you know, one of the largest things is, uh, both attacks used digital circuits certificate personation, so they're digitally signed. So, you know, of course that whole technology using cryptography is designed by design, uh, to say that, you know, this piece of software installed in your system, hassles certificate is coming from the source. It's legitimate. Of course, if that's compromised, that's all out of the window. And, um, yeah, this is what we saw in both attacks. In fact, you know, stocks in that they also had digitally designed, uh, certificates that were compromised. So when it gets to that level of students or, uh, sophistication, that means definitely that there's a target that there has been usually months of, of, uh, homework done by cyber criminals, for reconnaissance to be able to weaponize that. >>W w what did you see with respect to ransomware? What were the trends there over the past 12 months? I've heard some data and it's pretty scary, but what did you see? >>Yeah, so we're actually, ransomware is always the thorn in our side, and it's going to continue to be so, um, you know, in fact, uh, ransomware is not a new itself. It was actually first created in 1989, and they demanded ransom payments through snail mail. This was to appeal a box, obviously that, that, that didn't take off. Wasn't a successful on the internet was porn at the time. But if you look at it now, of course, over the last 10 years, really, that's where it ran. The ransomware model has been, uh, you know, lucrative, right? I mean, it's been, um, using, uh, by force encrypting data on systems, so that users had to, if they were forced to pay the ransom because they wanted access to their data back data was the target currency for ransomware. That's shifted now. And that's actually been a big pivotal over the last year or so, because again, before it was this let's cast a wide net, in fact, as many people as we can random, um, and try to see if we can hold some of their data for ransom. >>Some people that data may be valuable, it may not be valuable. Um, and that model still exists. Uh, and we see that, but really the big shift that we saw last year and the threat landscape before it was a shift to targeted rats. So again, the sophistication is starting to rise because they're not just going out to random data. They're going out to data that they know is valuable to large organizations, and they're taking that a step further now. So there's various ransomware families. We saw that have now reverted to extortion and blackmail, right? So they're taking that data, encrypting it and saying, unless you pay us as large sum of money, we're going to release this to the public or sell it to a buyer on the dark web. And of course you can imagine the amount of, um, you know, damages that can happen from that. The other thing we're seeing is, is a target of going to revenue services, right? So if they can cripple networks, it's essentially a denial of service. They know that the company is going to be bleeding, you know, X, millions of dollars a day, so they can demand Y million dollars of ransom payments, and that's effectively what's happening. So it's, again, becoming more targeted, uh, and more sophisticated. And unfortunately the ransom is going up. >>So they go to where the money is. And of course your job is to, it's a lower the ROI for them, a constant challenge. Um, we talked about some of the attack vectors, uh, that you saw this year that, that cyber criminals are targeting. I wonder if, if, you know, given the work from home, if things like IOT devices and cameras and, you know, thermostats, uh, with 75% of the work force at home, is this infrastructure more vulnerable? I guess, of course it is. But what did you see there in terms of attacks on those devices? >>Yeah, so, uh, um, uh, you know, unfortunately the attack surface as we call it, uh, so the amount of target points is expanding. It's not shifting, it's expanding. We still see, um, I saw, I mentioned earlier vulnerabilities from two years ago that are being used in some cases, you know, over the holidays where e-commerce means we saw e-commerce heavily under attack in e-commerce has spikes since last summer, right. It's been a huge amount of traffic increase everybody's shopping from home. And, uh, those vulnerabilities going after a shopping cart, plugins, as an example, are five to six years old. So we still have this theme of old vulnerabilities are still new in a sense being attacked, but we're also now seeing this complication of, yeah, as you said, IOT, uh, B roll out everywhere, the really quick shift to work from home. Uh, we really have to treat this as if you guys, as the, uh, distributed branch model for enterprise, right. >>And it's really now the secure branch. How do we take, um, um, you know, any of these devices on, on those networks and secure them, uh, because yeah, if you look at the, what we highlighted in our landscape report and the top 10 attacks that we're seeing, so hacking attacks hacking in tabs, this is who our IPS triggers. You know, we're seeing attempts to go after IOT devices. Uh, right now they're mostly, uh, favoring, uh, well in terms of targets, um, consumer grade routers. Uh, but they're also looking at, um, uh, DVR devices as an example for, uh, you know, home entertainment systems, uh, network attached storage as well, and IP security cameras, um, some of the newer devices, uh, what, the quote unquote smart devices that are now on, you know, virtual assistance and home networks. Uh, we actually released a predictions piece at the end of last year as well. So this is what we call the new intelligent edge. And that's what I think is we're really going to see this year in terms of what's ahead. Um, cause we always have to look ahead and prepare for that. But yeah, right now, unfortunately, the story is, all of this is still happening. IOT is being targeted. Of course they're being targeted because they're easy targets. Um, it's like for cybercriminals, it's like shooting fish in a barrel. There's not just one, but there's multiple vulnerabilities, security holes associated with these devices, easy entry points into networks. >>I mean, it's, um, I mean, attackers they're, they're highly capable. They're organized, they're well-funded they move fast, they're they're agile, uh, and they follow the money. As we were saying, uh, you, you mentioned, you know, co vaccines and, you know, big pharma healthcare, uh, where >>Did you see advanced, persistent >>Threat groups really targeting? Were there any patterns that emerged in terms of other industry types or organizations being targeted? >>Yeah. So just to be clear again, when we talk about AP teams, um, uh, advanced, specific correct group, the groups themselves they're targeting, these are usually the more sophisticated groups, of course. So going back to that theme, these are usually the target, the, um, the premeditated targeted attacks usually points to nation state. Um, sometimes of course there's overlap. They can be affiliated with cyber crime, cyber crime, uh, uh, groups are typically, um, looking at some other targets for ROI, uh, bio there's there's a blend, right? So as an example, if we're looking at the, uh, apt groups I had last year, absolutely. Number one I would say would be healthcare. Healthcare was one of those, and it's, it's, it's, uh, you know, very unfortunate, but obviously with the shift that was happening at a pop up medical facilities, there's a big, a rush to change networks, uh, for a good cause of course, but with that game, um, you know, uh, security holes and concerns the targets and, and that's what we saw IPT groups targeting was going after those and, and ransomware and the cyber crime shrine followed as well. Right? Because if you can follow, uh, those critical networks and crippled them on from cybercriminals point of view, you can, you can expect them to pay the ransom because they think that they need to buy in order to, um, get those systems back online. Uh, in fact, last year or two, unfortunately we saw the first, um, uh, death that was caused because of a denial of service attack in healthcare, right. Facilities were weren't available because of the cyber attack. Patients had to be diverted and didn't make it on the way. >>All right. Jericho, sufficiently bummed out. So maybe in the time remaining, we can talk about remediation strategies. You know, we know there's no silver bullet in security. Uh, but what approaches are you recommending for organizations? How are you consulting with folks? >>Sure. Yeah. So a couple of things, um, good news is there's a lot that we can do about this, right? And, um, and, and basic measures go a long way. So a couple of things just to get out of the way I call it housekeeping, cyber hygiene, but it's always worth reminding. So when we talk about keeping security patches up to date, we always have to talk about that because that is reality as et cetera, these, these vulnerabilities that are still being successful are five to six years old in some cases, the majority two years old. Um, so being able to do that, manage that from an organization's point of view, really treat the new work from home. I don't like to call it a work from home. So the reality is it's work from anywhere a lot of the times for some people. So really treat that as, as the, um, as a secure branch, uh, methodology, doing things like segmentations on network, secure wifi access, multi-factor authentication is a huge muscle, right? >>So using multi-factor authentication because passwords are dead, um, using things like, uh, XDR. So Xers is a combination of detection and response for end points. This is a mass centralized management thing, right? So, uh, endpoint detection and response, as an example, those are all, uh, you know, good security things. So of course having security inspection, that that's what we do. So good threat intelligence baked into your security solution. That's supported by labs angles. So, uh, that's, uh, you know, uh, antivirus, intrusion prevention, web filtering, sandbox, and so forth, but then it gets that that's the security stack beyond that it gets into the end user, right? Everybody has a responsibility. This is that supply chain. We talked about. The supply chain is, is, is a target for attackers attackers have their own supply chain as well. And we're also part of that supply chain, right? The end users where we're constantly fished for social engineering. So using phishing campaigns against employees to better do training and awareness is always recommended to, um, so that's what we can do, obviously that's, what's recommended to secure, uh, via the endpoints in the secure branch there's things we're also doing in the industry, um, to fight back against that with prime as well. >>Well, I, I want to actually talk about that and talk about ecosystems and collaboration, because while you have competitors, you all want the same thing. You, SecOps teams are like superheroes in my book. I mean, they're trying to save the world from the bad guys. And I remember I was talking to Robert Gates on the cube a couple of years ago, a former defense secretary. And I said, yeah, but don't, we have like the best security people and can't we go on the offensive and weaponize that ourselves. Of course, there's examples of that. Us. Government's pretty good at it, even though they won't admit it. But his answer to me was, yeah, we gotta be careful because we have a lot more to lose than many countries. So I thought that was pretty interesting, but how do you collaborate with whether it's the U S government or other governments or other other competitors even, or your ecosystem? Maybe you could talk about that a little bit. >>Yeah. Th th this is what, this is what makes me tick. I love working with industry. I've actually built programs for 15 years of collaboration in the industry. Um, so, you know, we, we need, I always say we can't win this war alone. You actually hit on this point earlier, you talked about following and trying to disrupt the ROI of cybercriminals. Absolutely. That is our target, right. We're always looking at how we can disrupt their business model. Uh, and, and in order, there's obviously a lot of different ways to do that, right? So a couple of things we do is resiliency. That's what we just talked about increasing the security stack so that they go knocking on someone else's door. But beyond that, uh, it comes down to private, private sector collaborations. So, uh, we, we, uh, co-founder of the cyber threat Alliance in 2014 as an example, this was our fierce competitors coming in to work with us to share intelligence, because like you said, um, competitors in the space, but we need to work together to do the better fight. >>And so this is a Venn diagram. What's compared notes, let's team up, uh, when there's a breaking attack and make sure that we have the intelligence so that we can still remain competitive on the technology stack to gradation the solutions themselves. Uh, but let's, let's level the playing field here because cybercriminals moved out, uh, you know, um, uh, that, that there's no borders and they move with great agility. So, uh, that's one thing we do in the private private sector. Uh, there's also, uh, public private sector relationships, right? So we're working with Interpol as an example, Interfor project gateway, and that's when we find attribution. So it's not just the, what are these people doing like infrastructure, but who, who are they, where are they operating? What, what events tools are they creating? We've actually worked on cases that are led down to, um, uh, warrants and arrests, you know, and in some cases, one case with a $60 million business email compromise fraud scam, the great news is if you look at the industry as a whole, uh, over the last three to four months has been for take downs, a motet net Walker, uh, um, there's also IE Gregor, uh, recently as well too. >>And, and Ian Gregor they're actually going in and arresting the affiliates. So not just the CEO or the King, kind of these organizations, but the people who are distributing the ransomware themselves. And that was a unprecedented step, really important. So you really start to paint a picture of this, again, supply chain, this ecosystem of cyber criminals and how we can hit them, where it hurts on all angles. I've most recently, um, I've been heavily involved with the world economic forum. Uh, so I'm, co-author of a report from last year of the partnership on cyber crime. And, uh, this is really not just the pro uh, private, private sector, but the private and public sector working together. We know a lot about cybercriminals. We can't arrest them. Uh, we can't take servers offline from the data centers, but working together, we can have that whole, you know, that holistic effect. >>Great. Thank you for that, Derek. What if people want, want to go deeper? Uh, I know you guys mentioned that you do blogs, but are there other resources that, that they can tap? Yeah, absolutely. So, >>Uh, everything you can see is on our threat research blog on, uh, so 40 net blog, it's under expired research. We also put out, uh, playbooks, w we're doing blah, this is more for the, um, the heroes as he called them the security operation centers. Uh, we're doing playbooks on the aggressors. And so this is a playbook on the offense, on the offense. What are they up to? How are they doing that? That's on 40 guard.com. Uh, we also release, uh, threat signals there. So, um, we typically release, uh, about 50 of those a year, and those are all, um, our, our insights and views into specific attacks that are now >>Well, Derek Mackie, thanks so much for joining us today. And thanks for the work that you and your teams do. Very important. >>Thanks. It's yeah, it's a pleasure. And, uh, rest assured we will still be there 24 seven, three 65. >>Good to know. Good to know. And thank you for watching everybody. This is Dave Volante for the cube. We'll see you next time.

>>from the Cube Studios in Palo Alto in Boston, connecting with thought leaders all around the world. This is a cube conversation, >>Everyone. Welcome to this cube conversation. I'm John for host of the Cube here in the Cubes Palo Alto studios during the co vid crisis. Square Quarantine with our crew, but we got the remote interviews. Got great to get great guests here from 44 to guard Fortinet, 40 Guard Labs, Derek Manky chief Security Insights and Global Threat alliances. At 14 it's 40 guard labs and, um, are Lakhani. Who's the lead researcher for the Guard Labs. Guys, great to see you. Derek. Good to see you again. Um, are you meet you? >>Hey, it's it's it's been a while and that it happened so fast, >>it just seems, are say it was just the other day. Derek, we've done a couple interviews in between. A lot of flow coming out of Florida net for the guards. A lot of action, certainly with co vid everyone's pulled back home. The bad actors taking advantage of the situation. The surface areas increased really is the perfect storm for security. Uh, in terms of action, bad actors are at all time high new threats here is going on. Take us through what you guys were doing. What's your team makeup look like? What are some of the roles and you guys were seeing on your team? And how's that transcend to the market? >>Yeah, sure, Absolutely. So you're right. I mean, like, you know, like I was saying earlier this this is all this always happens fast and furious. We couldn't do this without, you know, a world class team at 40 guard labs eso we've grown our team now to over 235 globally. There's different rules within the team. You know, if we look 20 years ago, the rules used to be just very pigeonholed into, say, anti virus analysis. Right now we have Thio account for when we're looking at threats. We have to look at that growing attack surface. We have to look at where these threats coming from. How frequently are they hitting? What verticals are they hitting? You know what regions? What are the particular techniques? Tactics, procedures, You know, we have threat. This is the world of threat Intelligence, Of course. Contextualizing that information and it takes different skill sets on the back end, and a lot of people don't really realize the behind the scenes. You know what's happening on bears. A lot of magic happen not only from what we talked about before in our last conversation from artificial intelligence and machine learning, that we do a 40 yard labs and automation, but the people. And so today we want to focus on the people on and talk about you know how on the back ends, we approach a particular threat. We're going to talk to the world, a ransom and ransomware. Look at how we dissect threats. How correlate that how we use tools in terms of threat hunting as an example, And then how we actually take that to that last mile and and make it actionable so that, you know, customers are protected. How we share that information with Keith, right until sharing partners. But again it comes down to the people. We never have enough people in the industry. There's a big shortages, we know, but it it's a really key critical element, and we've been building these training programs for over a decade within 40 guard lab. So you know, you know, John, this this to me is why, exactly why, I always say, and I'm sure Americans share this to that. There's never a dull day in the office. I know we hear that all the time, but I think today you know, all the viewers really get a new idea of why that is, because this is very dynamic. And on the back end, there's a lot of things that doing together our hands dirty with this, >>you know, the old expression started playing Silicon Valley is if you're in the arena, that's where the action and it's different than sitting in the stands watching the game. You guys are certainly in that arena. And, you know, we've talked and we cover your your threat report that comes out, Um, frequently. But for the folks that aren't in the weeds on all the nuances of security, can you kind of give the 101 ransomware. What's going on? What's the state of the ransomware situation? Um, set the stage because that's still continues to be a threat. I don't go a week, but I don't read a story about another ransomware and then it leaks out. Yeah, they paid 10 million in Bitcoin or something like I mean, this Israel. That's a real ongoing threat. What is it, >>quite a bit? Yeah, eso I'll give sort of the one on one and then maybe capacity toe mark, who's on the front lines dealing with this every day. You know, if we look at the world of I mean, first of all, the concept to ransom, obviously you have people that that has gone extended way, way before, you know, cybersecurity. Right? Um, in the world of physical crime s Oh, of course. You know the world's first ransom, where viruses actually called PC cyborg. This is in 1989. The ransom payment was demanded to appeal box from leave. It was Panama City at the time not to effective on floppy disk. Very small audience. Not a big attack surface. I didn't hear much about it for years. Um, you know, in really it was around 2000 and 10. We started to see ransomware becoming prolific, and what they did was somewhat cybercriminals. Did was shift on success from ah, fake antivirus software model, which was, you know, popping up a whole bunch of, you know said your computer is infected with 50 or 60 viruses. Chaos will give you an anti virus solution, Which was, of course, fake. You know, people started catching on. You know, the giggles up people caught onto that. So they weren't making a lot of money selling this project software. Uh, enter Ransomware. And this is where ransomware really started to take hold because it wasn't optional to pay for the software. It was mandatory almost for a lot of people because they were losing their data. They couldn't reverse engineer the current. Uh, the encryption kind of decrypt it with any universal tool. Ransomware today is very rigid. We just released our threat report for the first half of 2020. And we saw we've seen things like master boot record nbr around somewhere. This is persistent. It sits before your operating system when you boot up your computer. So it's hard to get rid of, um, very strong. Um, you know, public by the key cryptography that's being so each victim is infected with the different key is an example. The list goes on, and you know I'll save that for for the demo today. But that's basically it's It's very it's prolific and we're seeing shit. Not only just ransomware attacks for data, we're now starting to see ransom for extortion, for targeted ransom cases that we're going after, you know, critical business. Essentially, it's like a D O s holding revenue streams around too. So the ransom demands were getting higher because of this is Well, it's complicated. >>Yeah, I was mentioning, Omar, I want you to weigh in. I mean, 10 million is a lot we reported earlier this month. Garment was the company that was act I t guy completely locked down. They pay 10 million. Um, garment makes all those devices and a Z. We know this is impacting That's real numbers. So I mean, it's another little ones, but for the most part, it's new. It's, you know, pain in the butt Thio full on business disruption and extortion. Can you explain how it all works before I got it? Before we go to the demo, >>you know, you're you're absolutely right. It is a big number, and a lot of organizations are willing to pay that number to get their data back. Essentially their organization and their business is at a complete standstill. When they don't pay, all their files are inaccessible to them. Ransomware in general, what does end up from a very basic or review is it basically makes your files not available to you. They're encrypted. They have a essentially a pass code on them that you have to have the correct pass code to decode them. Ah, lot of times that's in the form of a program or actually a physical password you have type in. But you don't get that access to get your files back unless you pay the ransom. Ah, lot of corporations these days, they are not only paying the ransom, they're actually negotiating with the criminals as well. They're trying to say, Oh, you want 10 million? How about four million? Sometimes that it goes on as well, but it's Ah, it's something that organizations know that if they don't have the proper backups and the Attackers are getting smart, they're trying to go after the backups as well. They're trying to go after your duplicate files, so sometimes you don't have a choice, and organizations will will pay the ransom >>and it's you know they're smart. There's a business they know the probability of buy versus build or pay versus rebuild, so they kind of know where to attack. They know the tactics. The name is vulnerable. It's not like just some kitty script thing going on. This is riel system fistic ated stuff. It's and it's and this highly targeted. Can you talk about some use cases there and what's goes on with that kind of attack? >>Absolutely. The cybercriminals are doing reconnaissance. They're trying to find out as much as they can about their victims. And what happens is they're trying to make sure that they can motivate their victims in the fastest way possible to pay the ransom as well. Eh? So there's a lot of attacks going on. We usually we're finding now is ransomware is sometimes the last stage of an attack, so an attacker may go into on organization. They may already be taking data out of that organization. They may be stealing customer data P I, which is personal, identifiable information such as Social Security numbers or or driver's licenses or credit card information. Once they've done their entire attack, once they've gone, everything they can Ah, lot of times their end stage. There last attack is ransomware, and they encrypt all the files on the system and try and try and motivate the victim to pay as fast as possible and as much as possible as well. >>You know, it's interesting. I thought of my buddy today. It's like casing the joint. They check it out. They do their re kon reconnaissance. They go in, identify what's the move that's move to make. How to extract the most out of the victim in this case, Target. Um, and it really I mean, it's just go on a tangent, you know? Why don't we have the right to bear our own arms? Why can't we fight back? I mean, the end of the day, Derek, this is like, Who's protecting me? I mean, >>e do >>what? To protect my own, build my own army, or does the government help us? I mean, that's at some point, I got a right to bear my own arms here, right? I mean, this is the whole security paradigm. >>Yeah, so I mean, there's a couple of things, right? So first of all, this is exactly why we do a lot of that. I was mentioning the skills shortage and cyber cyber security professionals. Example. This is why we do a lot of the heavy lifting on the back end. Obviously, from a defensive standpoint, you obviously have the red team blue team aspect. How do you first, Um, no. There is what is to fight back by being defensive as well, too, and also by, you know, in the world that threat intelligence. One of the ways that we're fighting back is not necessarily by going and hacking the bad guys, because that's illegal in jurisdictions, right? But how we can actually find out who these people are, hit them where it hurts. Freeze assets go after money laundering that works. You follow the cash transactions where it's happening. This is where we actually work with key law enforcement partners such as Inter Pool is an example. This is the world, the threat intelligence. That's why we're doing a lot of that intelligence work on the back end. So there's other ways toe actually go on the offense without necessarily weaponizing it per se right like he's using, you know, bearing your own arms, Aziz said. There's different forms that people may not be aware of with that and that actually gets into the world of, you know, if you see attacks happening on your system, how you how you can use security tools and collaborate with threat intelligence? >>Yeah, I think that I think that's the key. I think the key is these new sharing technologies around collective intelligence is gonna be, ah, great way to kind of have more of an offensive collective strike. But I think fortifying the defense is critical. I mean, that's there's no other way to do that. >>Absolutely. I mean the you know, we say that's almost every week, but it's in simplicity. Our goal is always to make it more expensive for the cyber criminal to operate. And there's many ways to do that right you could be could be a pain to them by by having a very rigid, hard and defense. That means that if if it's too much effort on their end, I mean, they have roos and their in their sense, right, too much effort on there, and they're gonna go knocking somewhere else. Um, there's also, you know, a zay said things like disruption, so ripping infrastructure offline that cripples them. Yeah, it's wack a mole they're going to set up somewhere else. But then also going after people themselves, Um, again, the cash networks, these sorts of things. So it's sort of a holistic approach between anything. >>Hey, it's an arms race. Better ai better cloud scale always helps. You know, it's a ratchet game. Okay, tomorrow I want to get into this video. It's of ransomware four minute video. I'd like you to take us through you to lead you to read. Researcher, >>take us >>through this video and, uh, explain what we're looking at. Let's roll the video. >>All right? Sure s. So what we have here is we have the victims. That's top over here. We have a couple of things on this. Victims that stop. We have ah, batch file, which is essentially going to run the ransom where we have the payload, which is the code behind the ransomware. And then we have files in this folder, and this is where you typically find user files and, ah, really world case. This would be like Microsoft Microsoft Word documents or your Power point presentations. Over here, we just have a couple of text files that we've set up we're going to go ahead and run the ransomware and sometimes Attackers. What they do is they disguise this like they make it look like a like, important word document. They make it look like something else. But once you run, the ransomware usually get a ransom message. And in this case, the ransom message says your files are encrypted. Uh, please pay this money to this Bitcoin address. That obviously is not a real Bitcoin address that usually they look a little more complicated. But this is our fake Bitcoin address, but you'll see that the files now are encrypted. You cannot access them. They've been changed. And unless you pay the ransom, you don't get the files. Now, as the researchers, we see files like this all the time. We see ransomware all the all the time. So we use a variety of tools, internal tools, custom tools as well as open source tools. And what you're seeing here is open source tool is called the cuckoo sandbox, and it shows us the behavior of the ransomware. What exactly is a ransom we're doing in this case? You can see just clicking on that file launched a couple of different things that launched basically a command execute herbal, a power shell. It launched our windows shell and then it did things on the file. It basically had registry keys. It had network connections. It changed the disk. So this kind of gives us behind the scenes. Look at all the processes that's happening on the ransomware and just that one file itself. Like I said, there's multiple different things now what we want to do As researchers, we want to categorize this ransomware into families. We wanna try and determine the actors behind that. So we dump everything we know in the ransomware in the central databases. And then we mind these databases. What we're doing here is we're actually using another tool called malt ego and, uh, use custom tools as well as commercial and open source tools. But but this is a open source and commercial tool. But what we're doing is we're basically taking the ransomware and we're asking malty, go to look through our database and say, like, do you see any like files? Or do you see any types of incidences that have similar characteristics? Because what we want to do is we want to see the relationship between this one ransomware and anything else we may have in our system because that helps us identify maybe where the ransom that's connecting to where it's going thio other processes that may be doing. In this case, we can see multiple I P addresses that are connected to it so we can possibly see multiple infections weaken block different external websites. If we can identify a command and control system, we can categorize this to a family. And sometimes we can even categorize this to a threat actor that has claimed responsibility for it. Eso It's essentially visualizing all the connections and the relationship between one file and everything else we have in our database in this example. Off course, we put this in multiple ways. We can save these as reports as pdf type reports or, you know, usually HTML or other searchable data that we have back in our systems. And then the cool thing about this is this is available to all our products, all our researchers, all our specialty teams. So when we're researching botnets when we're researching file based attacks when we're researching, um, you know, I P reputation We have a lot of different IOC's or indicators of compromise that we can correlate where attacks goes through and maybe even detective new types of attacks as well. >>So the bottom line is you got the tools using combination of open source and commercial products. Toe look at the patterns of all ransomware across your observation space. Is that right? >>Exactly. I should you like a very simple demo. It's not only open source and commercial, but a lot of it is our own custom developed products as well. And when we find something that works, that logic that that technique, we make sure it's built into our own products as well. So our own customers have the ability to detect the same type of threats that we're detecting as well. At four of our labs intelligence that we acquire that product, that product of intelligence, it's consumed directly by our projects. >>Also take me through what, what's actually going on? What it means for the customers. So border guard labs. You're looking at all the ransom where you see in the patterns Are you guys proactively looking? Is is that you guys were researching you Look at something pops on the radar. I mean, take us through What is what What goes on? And then how does that translate into a customer notification or impact? >>So So, yeah, if you look at a typical life cycle of these attacks, there's always proactive and reactive. That's just the way it is in the industry, right? So of course we try to be a wear Some of the solutions we talked about before. And if you look at an incoming threat, first of all, you need visibility. You can't protect or analyze anything that you can't see. So you got to get your hands on visibility. We call these I, O. C s indicators a compromise. So this is usually something like, um, actual execute herbal file, like the virus from the malware itself. It could be other things that are related to it, like websites that could be hosting the malware as an example. So once we have that seed, we call it a seed. We could do threat hunting from there, so we can analyze that right? If it's ah piece of malware or a botnet weaken do analysis on that and discover more malicious things that this is doing. Then we go investigate those malicious things and we really you know, it's similar to the world of C. S. I write have these different gods that they're connecting. We're doing that at hyper scale on DWI. Use that through these tools that Omar was talking. So it's really a life cycle of getting, you know, the malware incoming seeing it first, um, analyzing it on, then doing action on that. Right? So it's sort of a three step process, and the action comes down to what tomorrow is saying water following that to our customers so that they're protected. But then in tandem with that, we're also going further. And I'm sharing it, if if applicable to, say, law enforcement partners, other threat Intel sharing partners to And, um, there's not just humans doing that, right? So the proactive peace again, This is where it comes to artificial intelligence machine learning. Um, there's a lot of cases where we're automatically doing that analysis without humans. So we have a I systems that are analyzing and actually creating protection on its own. Two. So it Zack white interest technology. >>A decision. At the end of the day, you want to protect your customers. And so this renders out if I'm afford a net customer across the portfolio. The goal here is to protect them from ransomware. Right? That's the end of game. >>Yeah, And that's a very important thing when you start talking these big dollar amounts that were talking earlier comes Thio the damages that air down from estimates. >>E not only is a good insurance, it's just good to have that fortification. Alright, So dark. I gotta ask you about the term the last mile because, you know, we were before we came on camera. You know, I'm band with junkie, always want more bandwidth. So the last mile used to be a term for last mile to the home where there was telephone lines. Now it's fiber and by five. But what does that mean to you guys and security is that Does that mean something specific? >>Yeah, Yeah, absolutely. The easiest way to describe that is actionable, right? So one of the challenges in the industry is we live in a very noisy industry when it comes thio cybersecurity. What I mean by that is because of that growing attacks for fists on do you know, you have these different attack vectors. You have attacks not only coming in from email, but websites from, you know, DDOS attacks. There's there's a lot of volume that's just going to continue to grow is the world of I G N O T. S O. What ends up happening is when you look at a lot of security operation centers for customers as an example, um, there are it's very noisy. It's, um you can guarantee that every day you're going to see some sort of probe, some sort of attack activity that's happening. And so what that means is you get a lot of protection events, a lot of logs, and when you have this worldwide shortage of security professionals, you don't have enough people to process those logs and actually started to say, Hey, this looks like an attack. I'm gonna go investigate it and block it. So this is where the last mile comes in because ah, lot of the times that you know these logs, they light up like Christmas. And I mean, there's a lot of events that are happening. How do you prioritize that? How do you automatically add action? Because The reality is, if it's just humans, doing it on that last mile is often going back to your bandwidth terms. There's too much too much lately. See right, So how do you reduce that late and see? That's where the automation the AI machine learning comes in. Thio solve that last mile problem toe automatically either protection. Especially important because you have to be quicker than the attacker. It's an arms race like E. >>I think what you guys do with four to Guard Labs is super important. Not like the industry, but for society at large, as you have kind of all this, you know, shadow, cloak and dagger kind of attacks systems, whether it's National Security international or just for, you know, mafias and racketeering and the bad guys. Can you guys take a minute and explain the role of 40 guards specifically and and why you guys exist? I mean, obviously there's a commercial reason you both on the four net that you know trickles down into the products. That's all good for the customers. I get that, but there's more to the fore to guard than just that. You guys talk about this trend and security business because it is very clear that there's a you know, uh, collective sharing culture developing rapidly for societal benefit. Can you take them into something that, >>Yeah, sure, I'll get my thoughts. Are you gonna that? So I'm going to that Teoh from my point of view, I mean, there's various functions, So we've just talked about that last mile problem. That's the commercial aspect we create through 40 yard labs, 40 yards, services that are dynamic and updated to security products because you need intelligence products to be ableto protect against intelligence attacks. That's just the defense again, going back to How can we take that further? I mean, we're not law enforcement ourselves. We know a lot about the bad guys and the actors because of the intelligence work that you do. But we can't go in and prosecute. We can share knowledge and we can train prosecutors, right? This is a big challenge in the industry. A lot of prosecutors don't know how to take cybersecurity courses to court, and because of that, a lot of these cybercriminals rain free. That's been a big challenge in the industry. So, you know, this has been close to my heart over 10 years, I've been building a lot of these key relationships between private public sector as an example, but also private sector things like Cyber Threat Alliance, where a founding member of the Cyber Threat Alliance, if over 28 members and that alliance. And it's about sharing intelligence to level that playing field because Attackers room freely. What I mean by that is there's no jurisdictions for them. Cybercrime has no borders. Um, they could do a million things, uh, wrong and they don't care. We do a million things right. One thing wrong, and it's a challenge. So there's this big collaboration that's a big part of 40 guard. Why exists to is to make the industry better. Thio, you know, work on protocols and automation and and really fight fight this together. Well, remaining competitors. I mean, we have competitors out there, of course, on DSO it comes down to that last mile problem. John is like we can share intelligence within the industry, but it's on Lee. Intelligence is just intelligence. How do you make it useful and actionable? That's where it comes down to technology integration. And, >>um, are what's your take on this, uh, societal benefit because, you know, I've been saying since the Sony hack years ago that, you know, when you have nation states that if they put troops on our soil, the government would respond. Um, but yet virtually they're here, and the private sector's defend for themselves. No support. So I think this private public partnership thing is very relevant. I think is ground zero of the future build out of policy because, you know, we pay for freedom. Why don't we have cyber freedom is if we're gonna run a business. Where's our help from the government? Pay taxes. So again, if a military showed up, you're not gonna see, you know, cos fighting the foreign enemy, right? So, again, this is a whole new change over it >>really is. You have to remember that cyberattacks puts everyone on even playing field, right? I mean, you know, now don't have to have a country that has invested a lot in weapons development or nuclear weapons or anything like that, right? Anyone can basically come up to speed on cyber weapons as long as they have an Internet connection. So it evens the playing field, which makes it dangerous, I guess, for our enemies, you know, But absolutely that I think a lot of us, You know, from a personal standpoint, a lot of us have seen researchers have seen organizations fail through cyber attacks. We've seen the frustration we've seen. Like, you know, besides organization, we've seen people like, just like grandma's loser pictures of their, you know, other loved ones because they can being attacked by ransom, where I think we take it very personally when people like innocent people get attacked and we make it our mission to make sure we can do everything we can to protect them. But But I will add that the least here in the U. S. The federal government actually has a lot of partnerships and ah, lot of programs to help organizations with cyber attacks. Three us cert is always continuously updating, you know, organizations about the latest attacks. Infra Guard is another organization run by the FBI, and a lot of companies like Fortinet and even a lot of other security companies participate in these organizations so everyone can come up to speed and everyone share information. So we all have a fighting chance. >>It's a whole new wave paradigm. You guys on the cutting edge, Derek? Always great to see a mark. Great to meet you remotely looking forward to meeting in person when the world comes back to normal as usual. Thanks for the great insights. Appreciate it. >>All right. Thank God. Pleasure is always >>okay. Q conversation here. I'm John for a host of the Cube. Great insightful conversation around security Ransomware with a great demo. Check it out from Derek and, um, are from 14 guard labs. I'm John Ferrier. Thanks for watching.

>> Announcer: From theCUBE studios in Palo Alto in Boston, connecting with thought leaders all around the world. This is a CUBE conversation. >> Hi everyone. Welcome to this CUBE Conversation. I'm John Furrier host of theCUBE here in the CUBEs, Palo Alto studios during the COVID crisis. We're quarantine with our crew, but we got the remote interviews. Got two great guests here from Fortinet FortiGuard Labs, Derek Mankey, Chief Security Insights and global threat alliances at Fortinet FortiGuard Labs. And Aamir Lakhani who's the Lead Researcher for the FortiGuard Labs. You guys is great to see you. Derek, good to see you again, Aamir, good to meet you too. >> It's been a while and it happens so fast. >> It just seems was just the other day, Derek, we've done a couple of interviews in between a lot of flow coming out of Fortinet FortiGuard, a lot of action, certainly with COVID everyone's pulled back home, the bad actors taking advantage of the situation. The surface areas increased really is the perfect storm for security in terms of action, bad actors are at an all time high, new threats. Here's going on, take us through what you guys are doing. What's your team makeup look like? What are some of the roles and you guys are seeing on your team and how does that transcend to the market? >> Yeah, sure, absolutely. So you're right. I mean like I was saying earlier that is, this always happens fast and furious. We couldn't do this without a world class team at FortiGuard Labs. So we've grown our team now to over 235 globally. There's different rules within the team. If we look 20 years ago, the rules used to be just very pigeonholed into say antivirus analysis, right? Now we have to account for, when we're looking at threats, we have to look at that growing attack surface. We have to look at where are these threats coming from? How frequently are they hitting? What verticals are they hitting? What regions, what are the particular techniques, tactics, procedures? So we have threat. This is the world of threat intelligence, of course, contextualizing that information and it takes different skill sets on the backend. And a lot of people don't really realize the behind the scenes, what's happening. And there's a lot of magic happening, not only from what we talked about before in our last conversation from artificial intelligence and machine learning that we do at FortiGuard Labs and automation, but the people. And so today we want to focus on the people and talk about how on the backend we approached a particular threat, we're going to talk to the word ransom and ransomware, look at how we dissect threats, how correlate that, how we use tools in terms of threat hunting as an example, and then how we actually take that to that last mile and make it actionable so that customers are protected. I would share that information with keys, right, until sharing partners. But again, it comes down to the people. We never have enough people in the industry, there's a big shortage as we know, but it's a really key critical element. And we've been building these training programs for over a decade with them FortiGuard Labs. So, you know John, this to me is exactly why I always say, and I'm sure Aamir can share this too, that there's never a adult day in the office and all we hear that all the time. But I think today, all of you is really get an idea of why that is because it's very dynamic and on the backend, there's a lot of things that we're doing to get our hands dirty with this. >> You know the old expression startup plan Silicon Valley is if you're in the arena, that's where the action is. And it's different than sitting in the stands, watching the game. You guys are certainly in that arena and you got, we've talked and we cover your, the threat report that comes out frequently. But for the folks that aren't in the weeds on all the nuances of security, can you kind of give the 101 ransomware, what's going on? What's the state of the ransomware situation? Set the stage because that's still continues to be threat. I don't go a week, but I don't read a story about another ransomware. And then at least I hear they paid 10 million in Bitcoin or something like, I mean, this is real, that's a real ongoing threat. What is it? >> The (indistinct) quite a bit. But yeah. So I'll give sort of the 101 and then maybe we can pass it to Aamir who is on the front lines, dealing with this every day. You know if we look at the world of, I mean, first of all, the concept of ransom, obviously you have people that has gone extended way way before cybersecurity in the world of physical crime. So of course, the world's first ransom where a virus is actually called PC Cyborg. This is a 1989 around some payment that was demanded through P.O Box from the voters Panama city at the time, not too effective on floppiness, a very small audience, not a big attack surface. Didn't hear much about it for years. Really, it was around 2010 when we started to see ransomware becoming prolific. And what they did was, what cyber criminals did was shift on success from a fake antivirus software model, which was, popping up a whole bunch of, setting here, your computer's infected with 50 or 60 viruses, PaaS will give you an antivirus solution, which was of course fake. People started catching on, the giggles out people caught on to that. So they, weren't making a lot of money selling this fraudulent software, enter ransomware. And this is where ransomware, it really started to take hold because it wasn't optional to pay for this software. It was mandatory almost for a lot of people because they were losing their data. They couldn't reverse engineer that the encryption, couldn't decrypt it, but any universal tool. Ransomware today is very rigid. We just released our threat report for the first half of 2020. And we saw, we've seen things like master boot record, MVR, ransomware. This is persistent. It sits before your operating system, when you boot up your computer. So it's hard to get rid of it. Very strong public private key cryptography. So each victim is effective with the direct key, as an example, the list goes on and I'll save that for the demo today, but that's basically, it's just very, it's prolific. We're seeing shuts not only just ransomware attacks for data, we're now starting to see ransom for extortion, for targeted around some cases that are going after critical business. Essentially it's like a DoS holding revenue streams go ransom too. So the ransom demands are getting higher because of this as well. So it's complicated. >> Was mentioning Aamir, why don't you weigh in, I mean, 10 million is a lot. And we reported earlier in this month. Garmin was the company that was hacked, IT got completely locked down. They pay 10 million, Garmin makes all those devices. And as we know, this is impact and that's real numbers. I mean, it's not other little ones, but for the most part, it's nuance, it's a pain in the butt to full on business disruption and extortion. Can you explain how it all works before we go to the demo? >> You know, you're absolutely right. It is a big number and a lot of organizations are willing to pay that number, to get their data back. Essentially their organization and their business is at a complete standstill when they don't pay, all their files are inaccessible to them. Ransomware in general, what it does end up from a very basic overview is it basically makes your files not available to you. They're encrypted. They have essentially a passcode on them that you have to have the correct passcode to decode them. A lot of times that's in a form of a program or actually a physical password you have to type in, but you don't get that access to get your files back unless you pay the ransom. A lot of corporations these days, they are not only paying the ransom. They're actually negotiating with the criminals as well. They're trying to say, "Oh, you want 10 million? "How about 4 million?" Sometimes that goes on as well. But it's something that organizations know that if they didn't have the proper backups and the hackers are getting smart, they're trying to go after the backups as well. They're trying to go after your duplicated files. So sometimes you don't have a choice in organizations. Will pay the ransom. >> And it's, they're smart, there's a business. They know the probability of buy versus build or pay versus rebuild. So they kind of know where to attack. They know that the tactics and it's vulnerable. It's not like just some kitty script thing going on. This is real sophisticated stuff it's highly targeted. Can you talk about some use cases there and what goes on with that kind of a attack? >> Absolutely. The cyber criminals are doing reconnaissance and trying to find out as much as they can about their victims. And what happens is they're trying to make sure that they can motivate their victims in the fastest way possible to pay the ransom as well. So there's a lot of attacks going on. We usually, what we're finding now is ransomware is sometimes the last stage of an attack. So an attacker may go into an organization. They may already be taking data out of that organization. They may be stealing customer data, PII, which is personal identifiable information, such as social security numbers, or driver's licenses, or credit card information. Once they've done their entire tap. Once they've gone everything, they can. A lot of times their end stage, their last attack is ransomware. And they encrypt all the files on the system and try and motivate the victim to pay as fast as possible and as much as possible as well. >> I was talking to my buddy of the day. It's like casing the joint there, stay, check it out. They do their recon, reconnaissance. They go in identify what's the best move to make, how to extract the most out of the victim in this case, the target. And it really is, I mean, it's just to go on a tangent, why don't we have the right to bear our own arms? Why can't we fight back? I mean, at the end of the day, Derek, this is like, who's protecting me? I mean, what to protect my, build my own arms, or does the government help us? I mean, at some point I got a right to bear my own arms here. I mean, this is the whole security paradigm. >> Yeah. So, I mean, there's a couple of things. So first of all, this is exactly why we do a lot of, I was mentioning the skill shortage in cyber cybersecurity professionals as an example. This is why we do a lot of the heavy lifting on the backend. Obviously from a defensive standpoint, you obviously have the red team, blue team aspect. How do you first, there's what is to fight back by being defensive as well, too. And also by, in the world of threat intelligence, one of the ways that we're fighting back is not necessarily by going and hacking the bad guys because that's illegal jurisdictions. But how we can actually find out who these people are, hit them where it hurts, freeze assets, go after money laundering networks. If you follow the cash transactions where it's happening, this is where we actually work with key law enforcement partners, such as Interpol as an example, this is the world of threat intelligence. This is why we're doing a lot of that intelligence work on the backend. So there's other ways to actually go on the offense without necessarily weaponizing it per se, right? Like using, bearing your own arms as you said, there there's different forms that people may not be aware of with that. And that actually gets into the world of, if you see attacks happening on your system, how you can use the security tools and collaborate with threat intelligence. >> I think that's the key. I think the key is these new sharing technologies around collective intelligence is going to be a great way to kind of have more of an offensive collective strike. But I think fortifying, the defense is critical. I mean, that's, there's no other way to do that. >> Absolutely, I mean, we say this almost every week, but it's in simplicity. Our goal is always to make it more expensive for the cybercriminal to operate. And there's many ways to do that, right? You can be a pain to them by having a very rigid, hardened defense. That means if it's too much effort on their end, I mean, they have ROIs and in their sense, right? It's too much effort on there and they're going to go knocking somewhere else. There's also, as I said, things like disruption, so ripping infrastructure offline that cripples them, whack-a-mole, they're going to set up somewhere else. But then also going after people themselves, again, the cash networks, these sorts of things. So it's sort of a holistic approach between- >> It's an arms race, better AI, better cloud scale always helps. You know, it's a ratchet game. Aamir, I want to get into this video. It's a ransomware four minute video. I'd like you to take us through as you the Lead Researcher, take us through this video and explain what we're looking at. Let's roll the video. >> All right. Sure. So what we have here is we have the victims that's top over here. We have a couple of things on this victim's desktop. We have a batch file, which is essentially going to run the ransomware. We have the payload, which is the code behind the ransomware. And then we have files in this folder. And this is where you would typically find user files and a real world case. This would be like Microsoft or Microsoft word documents, or your PowerPoint presentations, or we're here we just have a couple of text files that we've set up. We're going to go ahead and run the ransomware. And sometimes attackers, what they do is they disguise this. Like they make it look like an important word document. They make it look like something else. But once you run the ransomware, you usually get a ransom message. And in this case, a ransom message says, your files are encrypted. Please pay this money to this Bitcoin address. That obviously is not a real Bitcoin address. I usually they look a little more complicated, but this is our fake Bitcoin address. But you'll see that the files now are encrypted. You cannot access them. They've been changed. And unless you pay the ransom, you don't get the files. Now, as researchers, we see files like this all the time. We see ransomware all the time. So we use a variety of tools, internal tools, custom tools, as well as open source tools. And what you're seeing here is an open source tool. It's called the Cuckoo Sandbox, and it shows us the behavior of the ransomware. What exactly is ransomware doing. In this case, you can see just clicking on that file, launched a couple of different things that launched basically a command executable, a power shell. They launched our windows shell. And then at, then add things on the file. It would basically, you had registry keys, it had on network connections. It changed the disk. So that's kind of gives us a behind the scenes, look at all the processes that's happening on the ransomware. And just that one file itself, like I said, does multiple different things. Now what we want to do as a researchers, we want to categorize this ransomware into families. We want to try and determine the actors behind that. So we dump everything we know in a ransomware in the central databases. And then we mine these databases. What we're doing here is we're actually using another tool called Maldito and use custom tools as well as commercial and open source tools. But this is a open source and commercial tool. But what we're doing is we're basically taking the ransomware and we're asking Maldito to look through our database and say like, do you see any like files? Or do you see any types of incidences that have similar characteristics? Because what we want to do is we want to see the relationship between this one ransomware and anything else we may have in our system, because that helps us identify maybe where the ransomware is connecting to, where it's going to other processes that I may be doing. In this case, we can see multiple IP addresses that are connected to it. So we can possibly see multiple infections. We can block different external websites that we can identify a command and control system. We can categorize this to a family, and sometimes we can even categorize this to a threat actor as claimed responsibility for it. So it's essentially visualizing all the connections and the relationship between one file and everything else we have in our database. And this example, of course, I'd put this in multiple ways. We can save these as reports, as PDF type reports or usually HTML or other searchable data that we have back in our systems. And then the cool thing about this is this is available to all our products, all our researchers, all our specialty teams. So when we're researching botnets, when we're researching file-based attacks, when we're researching IP reputation, we have a lot of different IOC or indicators of compromise that we can correlate where attacks go through and maybe even detect new types of attacks as well. >> So the bottom line is you got the tools using combination of open source and commercial products to look at the patterns of all ransomware across your observation space. Is that right? >> Exactly. I showed you like a very simple demo. It's not only open source and commercial, but a lot of it is our own custom developed products as well. And when we find something that works, that logic, that technique, we make sure it's built into our own products as well. So our own customers have the ability to detect the same type of threats that we're detecting as well. At FortiGuard Labs, the intelligence that we acquire, that product, that product of intelligence it's consumed directly by our prospects. >> So take me through what what's actually going on, what it means for the customer. So FortiGuard Labs, you're looking at all the ransomware, you seeing the patterns, are you guys proactively looking? Is it, you guys are researching, you look at something pops in the radar. I mean, take us through what goes on and then how does that translate into a customer notification or impact? >> So, yeah, John, if you look at a typical life cycle of these attacks, there's always proactive and reactive. That's just the way it is in the industry, right? So of course we try to be (indistinct) as we look for some of the solutions we talked about before, and if you look at an incoming threat, first of all, you need visibility. You can't protect or analyze anything that you can see. So you got to get your hands on visibility. We call these IOC indicators of compromise. So this is usually something like an actual executable file, like the virus or the malware itself. It could be other things that are related to it, like websites that could be hosting the malware as an example. So once we have that SEED, we call it a SEED. We can do threat hunting from there. So we can analyze that, right? If we have to, it's a piece of malware or a botnet, we can do analysis on that and discover more malicious things that this is doing. Then we go investigate those malicious things. And we really, it's similar to the world of CSI, right? These different dots that they're connecting, we're doing that at hyper-scale. And we use that through these tools that Aamir was talking about. So it's really a lifecycle of getting the malware incoming, seeing it first, analyzing it, and then doing action on that. So it's sort of a three step process. And the action comes down to what Aamir was saying, waterfall and that to our customers, so that they're protected. But then in tandem with that, we're also going further and I'm sharing it if applicable to say law enforcement partners, other threat Intel sharing partners too. And it's not just humans doing that. So the proactive piece, again, this is where it comes to artificial intelligence, machine learning. There's a lot of cases where we're automatically doing that analysis without humans. So we have AI systems that are analyzing and actually creating protection on its own too. So it's quite interesting that way. >> It say's at the end of the day, you want to protect your customers. And so this renders out, if I'm a Fortinet customer across the portfolio, the goal here is protect them from ransomware, right? That's the end game. >> Yeah. And that's a very important thing. When you start talking to these big dollar amounts that were talking earlier, it comes to the damages that are done from that- >> Yeah, I mean, not only is it good insurance, it's just good to have that fortification. So Derek, I going to ask you about the term the last mile, because, we were, before we came on camera, I'm a band with junkie always want more bandwidth. So the last mile, it used to be a term for last mile to the home where there was telephone lines. Now it's fiber and wifi, but what does that mean to you guys in security? Does that mean something specific? >> Yeah, absolutely. The easiest way to describe that is actionable. So one of the challenges in the industry is we live in a very noisy industry when it comes to cybersecurity. What I mean by that is that because of that growing attacks for FIS and you have these different attack factors, you have attacks not only coming in from email, but websites from DoS attacks, there's a lot of volume that's just going to continue to grow is the world that 5G and OT. So what ends up happening is when you look at a lot of security operations centers for customers, as an example, there are, it's very noisy. It's you can guarantee almost every day, you're going to see some sort of probe, some sort of attack activity that's happening. And so what that means is you get a lot of protection events, a lot of logs. And when you have this worldwide shortage of security professionals, you don't have enough people to process those logs and actually start to say, "Hey, this looks like an attack." I'm going to go investigate it and block it. So this is where the last mile comes in, because a lot of the times that, these logs, they light up like Christmas. And I mean, there's a lot of events that are happening. How do you prioritize that? How do you automatically add action? Because the reality is if it's just humans doing it, that last mile is often going back to your bandwidth terms. There's too much latency. So how do you reduce that latency? That's where the automation, the AI machine learning comes in to solve that last mile problem to automatically add that protection. It's especially important 'cause you have to be quicker than the attacker. It's an arms race, like you said earlier. >> I think what you guys do with FortiGuard Labs is super important, not only for the industry, but for society at large, as you have kind of all this, shadow, cloak and dagger kind of attack systems, whether it's national security international, or just for, mafias and racketeering, and the bad guys. Can you guys take a minute and explain the role of FortiGuards specifically and why you guys exist? I mean, obviously there's a commercial reason you built on the Fortinet that trickles down into the products. That's all good for the customers, I get that. But there's more at the FortiGuards. And just that, could you guys talk about this trend and the security business, because it's very clear that there's a collective sharing culture developing rapidly for societal benefit. Can you take a minute to explain that? >> Yeah, sure. I'll give you my thoughts, Aamir will add some to that too. So, from my point of view, I mean, there's various functions. So we've just talked about that last mile problem. That's the commercial aspect. We created a through FortiGuard Labs, FortiGuard services that are dynamic and updated to security products because you need intelligence products to be able to protect against intelligent attacks. That's just a defense again, going back to, how can we take that further? I mean, we're not law enforcement ourselves. We know a lot about the bad guys and the actors because of the intelligence work that we do, but we can't go in and prosecute. We can share knowledge and we can train prosecutors, right? This is a big challenge in the industry. A lot of prosecutors don't know how to take cybersecurity courses to court. And because of that, a lot of these cyber criminals reign free, and that's been a big challenge in the industry. So this has been close my heart over 10 years, I've been building a lot of these key relationships between private public sector, as an example, but also private sector, things like Cyber Threat Alliance. We're a founding member of the Cyber Threat Alliance. We have over 28 members in that Alliance, and it's about sharing intelligence to level that playing field because attackers roam freely. What I mean by that is there's no jurisdictions for them. Cyber crime has no borders. They can do a million things wrong and they don't care. We do a million things right, one thing wrong and it's a challenge. So there's this big collaboration. That's a big part of FortiGuard. Why exists too, as to make the industry better, to work on protocols and automation and really fight this together while remaining competitors. I mean, we have competitors out there, of course. And so it comes down to that last mile problems on is like, we can share intelligence within the industry, but it's only intelligence is just intelligence. How do you make it useful and actionable? That's where it comes down to technology integration. >> Aamir, what's your take on this societal benefit? Because, I would say instance, the Sony hack years ago that, when you have nation States, if they put troops on our soil, the government would respond, but yet virtually they're here and the private sector has to fend for themselves. There's no support. So I think this private public partnership thing is very relevant, I think is ground zero of the future build out of policy because we pay for freedom. Why don't we have cyber freedom if we're going to run a business, where is our help from the government? We pay taxes. So again, if a military showed up, you're not going to see companies fighting the foreign enemy, right? So again, this is a whole new changeover. What's your thought? >> It really is. You have to remember that cyber attacks puts everyone on an even playing field, right? I mean, now don't have to have a country that has invested a lot in weapons development or nuclear weapons or anything like that. Anyone can basically come up to speed on cyber weapons as long as an internet connection. So it evens the playing field, which makes it dangerous, I guess, for our enemies. But absolutely I think a lot of us, from a personal standpoint, a lot of us have seen research does I've seen organizations fail through cyber attacks. We've seen the frustration, we've seen, like besides organization, we've seen people like, just like grandma's lose their pictures of their other loved ones because they kind of, they've been attacked by ransomware. I think we take it very personally when people like innocent people get attacked and we make it our mission to make sure we can do everything we can to protect them. But I will add that at least here in the U.S. the federal government actually has a lot of partnerships and a lot of programs to help organizations with cyber attacks. The US-CERT is always continuously updating, organizations about the latest attacks and regard is another organization run by the FBI and a lot of companies like Fortinet. And even a lot of other security companies participate in these organizations. So everyone can come up to speed and everyone can share information. So we all have a fighting chance. >> It's a whole new wave of paradigm. You guys are on the cutting edge. Derek always great to see you, Aamir great to meet you remotely, looking forward to meeting in person when the world comes back to normal as usual. Thanks for the great insights. Appreciate it. >> Pleasure as always. >> Okay. Keep conversation here. I'm John Furrier, host of theCUBE. Great insightful conversation around security ransomware with a great demo. Check it out from Derek and Aamir from FortiGuard Labs. I'm John Furrier. Thanks for watching.

(soft music) >> Narrator: From theCUBE studios in Palo Alto in Boston, connecting with thought leaders all around the world: this is a CUBE conversation. >> Everyone, welcome to this special cube conversation. We're here in the Palo Alto studios, where I am; here during this critical time during the corona virus and this work at home current situation across the United States and around the world. We've got a great interview here today around cybersecurity and the threats that are out there. The threats that are changing as a result of the current situation. We got two great guests; Derek Manky, Chief Security Insights and Global Threat Alliances at FortiGuard labs. And Renee Tarun, deputy Chief Information Security Officer with Fortinet net. Guys, thanks for remotely coming in. Obviously, we're working remotely. Thanks for joining me today on this really important conversation. >> It's a pleasure to be here. >> Thanks for having us. >> So Renee and Derek. Renee, I want to start with you as deputing CISO. There's always been threats. Every day is a crazy day. But now more than ever over the past 30 to 45 days we've seen a surge in activity with remote workers. Everyone's working at home. It's disrupting family's lives. How people do business. And also they're connected to the internet. So it's an endpoint. It's a (laughs) hackable environment. We've had different conversation with you guys about this. But now more than ever, it's an at scale problem. What is the impact of the current situation for that problem statement of from working at home, at scale. Are there new threats? What's happening? >> Yeah, I think you're seeing some organizations have always traditionally had that work at home ability. But now what you're seeing is now entire workforces that are working home and now some companies are scrambling to ensure that they have a secure work at home for teleworkers at scale. In addition some organizations that never had a work from home practice are now being forced into that and so a lot of organizations now are faced with the challenge that employees are now bringing their own device into connecting to their networks. 'Cause employees can't be bring their workstations home with them. And if they don't have a company laptop they're of course using their own personal devices. And some personal devices are used by their kids. They're going out to gaming sites that could be impacted with malware. So it creates a lot of different challenges from a security perspective that a lot of organizations aren't necessarily prepared for. It's not only from a security but also from a scalability perspective. >> When I'm at home working... I came into the studio to do this interview. So I really wanted to talk to you guys. But when I'm at home, this past couple weeks. My kids are home. My daughter is watching Netflix. My son's gaming, multiplayer gaming. The surface area from a personnel standpoint or people standpoint is increased. My wife's working at home. My daughters there, two daughters. So this is also now a social issue because there are more people on the WiFi, there's more bandwidth being used. There's more fear. This has been an opportunity for the hackers. This crime of fear using the current situation. So is it changing how you guys are recommending people protect themselves at home? Or is it just accelerating a core problem that you've seen before? >> Yeah, so I think it's not changing. It's changing in terms of priority. I mean, all the things that we've talked about before it's just becoming much more critical. I think, at this point in time. If you look at any histories that we've... Lessons we've learned from the past or haven't learned (laughs). That's something that is just front and center right now. We've seen attack campaigns on any high level news. Anything that's been front and center. And we've seen successful attack campaigns in the past owing to any sort of profile events. We had Olympic destroyer last last Olympic period, when we have them in Korea as an example, in South Korea. We've seen... I can go back 10 years plus and give a History timeline, every single there's been something dominating the news. >> John: Yeah. And there's been attack campaigns that are leveraged on that. Obviously this is a much higher focus now given the global news domination that's happening with COVID. The heightened fear and anxiety. Just the other day FortiGuard labs, we pulled up over 600 different phishing emails and scam attempts for COVID-19. And we're actively poring through those. I expect that number to increase. Everybody is trying to hop on this bandwagon. I was just talking to our teams from the labs today. Groups that we haven't seen active since about 2011, 2012. Malware campaign authors. They're riding this bandwagon right now as well. So it's really a suction if you will, for these cyber criminals. So all of the things that we recommend in the past, obviously being vigilant, looking at those links coming in. Obviously, there's a lot of impersonators. There's a lot of spoofing out there. People prefer pretending to be the World Health Organization. We wrote a blog on this a couple of weeks back. People have to have this zero trust mentality coming in. Is everyone trying to ride on this? Especially on social networks, on emails. Even phishing and voice vishing. So the voice phishing. You really have to put more... People have to put more of a safeguard up. Not only for their personal health like everyone's doing the social distancing but also virtual (laughs) social distancing when it comes to really trusting who's trying to send you these links. >> Well, I'm glad you guys have the FortiGuard guard labs there. And I think folks watching should check it out and keep sending us that data. I think watching the data is critical. Everyone's watching the data. They want the real data. You brought up a good point, Rene. I want to get your thoughts on this because the at scale thing really gets my attention because there's more people at home as I mentioned from a social construct standpoint. Work at home is opening up new challenges for companies that haven't been prepared. Even though ones that are prepared have known at scale. So you have a spectrum of challenges. The social engineering is the big thing on Phishing. You're seeing all kinds of heightened awareness. It is a crime of opportunity for hackers. Like Derek just pointed out. What's your advice? What's your vision of what's happening? How do you see it evolving? And what can people do to protect themselves? What's the key threats? And what steps are people taking? >> Yeah, I think, like Derek said, kind of similar how in the physical world we're washing our hands. We're keeping 6 feet away from people. We could distance from our adversaries, as well. Again when you're looking at your emails ensuring that you're only opening attachments from people that you know. Hovering over the links to ensure that they are from legitimate sources. And being mindful that when you're seeing these type of attacks coming in, whether they are coming through emails. Through your phones. Take a moment and pause and think about would someone be contacting me through my cell phone? Through sending me a text message? or emails asking me for personal information? Asking me for user IDs and passwords, credential and information. So you kind of need to take that second and really think before you start taking actions. And similar to opening attachments we've seen a lot of cases where someone attaches a PDF file to an email but when you open up the PDF it's actually a malware. So you need to be careful and think to yourself, was I expecting this attachment? Do I know the person? And take steps to actually follow up and call that person directly and say, "Hey, did you really send this to me? "Is this legitimate?" >> And the thing-- >> You got to to be careful what you're opening up. Which links you click on. But while I got you here, I want to get your opinion on this because there's digital attacks and then there's phone based attacks. We all have mobile phones. I know this might be a little bit too elementary, but I do want to get it out there. Can you define the difference in phishing and spear phishing for the folks that are trying to understand the difference in phishing and spear phishing techniques. >> The main difference is spear phishing is really targeting a specific individual, or within a specific role within a company. For example, targeting like the CEO or the CFO. So those are attacks that are specifically targeting a specific individual or specific role. Where phishing emails are targeting just mass people regardless of their roles and responsibilities. >> So I'm reading the blog post that you guys put out. Which I think everyone... I'll put the link on SiliconANGLE later. But it's on fortinet.com Under digital attacks you've got the phishing and spear phishing which is general targeting an email or individually spear spearing someone specifically. But you guys list social media deception, pre-texting and water holing as the key areas. Is that just based on statistics? Or just the techniques that people are using? Can you guys comment on and react to those different techniques? >> Yeah, so I think with the water holing specifically as well. The water holing attack refers to people that every day as part of their routine going to some sort of, usually a news source. It could be their favorite sites, social media, etc. Those sorts of sources because it's expected for people to go and drink from a water hole, are prime targets to these attackers. They can be definitely used for spear phishing but also for the masses for these phishing campaigns. Those are more effective. Attackers like to cast a wide net. And it's especially effective if you think of the climate that's happening right now, like you said earlier at the start of this conversation. That expanded attack surface. And also the usage of bandwidth and more platforms now applications. There's more traffic going to these sites simply. People have more time at home through telework. To virtually go to these sites. And so, yeah. Usually what we see in these water holing attacks can be definitely phishing sites that are set up on these pages. 'Cause they might have been compromised. So this is something even for people who are hosting these websites, right? There's always two sides of the coin. You got security of your client side security And your service side security-- >> So spear phishing is targeting an individual, water holing is the net that gets a lot of people and then they go from there. Can you guys, Renee or Derek talk about social media deception and pretexting. These are other techniques as well that are popular. Can you guys comment and define those? >> Yeah, so some of the pretexting that you're saying is what's happening is adversaries are either sending text, trying to get people to click on links, go to malicious sites. And they're also going setting up these fabricated stories and they're trying to call. Acting like they're a legitimate source. And again, trying to use tactics and a lot of times scare tactics. Trying to get people to divulge information, personal information. Credit card numbers, social security numbers, user IDs and passwords to gain access to either-- >> So misinformation campaigns would be an example that like, "I got a coven virus vaccine, put your credit card down now and get on the mailing list." Is that was that kind of the general gist there? >> Absolutely. >> Okay. >> And we've also seen as another example, and this was in one of our blogs I think about a couple weeks ago some of the first waves of these attacks that we saw was also again, impersonating to be the World Health Organization as part of pretexting. Saying that there's important alerts and updates that these readers must read in their regions, but they're of course malicious documents that are attached. >> Yeah, how do people just get educated on this? This is really challenging because if you're a nerd like us you can know what a URL looks like. And you can tell it's a host server or host name, it's not real. But when they're embedded in these social networks, how do you know? what's the big challenge? Just education and kind of awareness? >> Yeah, so I'll just jump in quickly on that. From my point of view, it's the whole ecosystem, right? There's no just one silver bullet. Education, cyber hygiene for sure. But beyond that obviously, this is where the security solutions pop in. So having that layered defense, right? That goes a long way of everything from anti-spam to antivirus. To be able to scan those malicious attachments. Endpoint security. Especially now in the telework force that we're dealing with having managed endpoint security from distributed enterprise angle is very important because all of these workstations that were within the corporate network before are now roaming--quote unquote--roaming or from home. So it's a multi-pronged approach, really. But education is of course a very good line of defense for our employees. And I think updated education on a weekly basis. >> Okay, before we get to the remote action steps, 'Cause I think the remote workers at scales like the critical problem that we're seeing now. I want to just close out this attack social engineering thing. There's also phone based attacks. We all have mobile phones, right? So we use such smartphones. There's other techniques in that. What are the techniques for the phone based attacks? >> Yeah, a lot of times you'll see adversaries, they're spoofing other phones. So what happens is that when you receive a call or a text it looks like it's coming from a number in your local area. So a lot of times that kind of gives you a false sense of security thinking in that it is a legitimate call when in reality they're simply just spoofing the number. And it's really coming from somewhere else in the country or somewhere else in the world. >> So I get a call from Apple support and it's not Apple support. They don't have a callback, that's spoofing? >> That's one way but also the number itself. When you see the number coming in. For example, I'm in the 410 area code. Emails coming in from my area code with my exchange is another example where it looks like it's someone that's either a close friend or someone within my community when in reality, it's not. >> And at the end of the day too the biggest red flags for these attacks are unsolicited information, right? If they're asking for any information always, always treat that as a red flag. We've seen this in the past. Just as an example with call centers, hotels too. Hackers have had access right to the switchboards to call guests rooms and say that there's a problem at the front desk and they just want to register the users information and they asked for credit card guest information to confirm all sorts of things. So again, anytime information is asked for always think twice. Try to verify. Callback numbers are a great thing. Same thing in social media if someone's messaging you, right? Try to engage in that dialect conversation, verify their identity. >> So you got-- >> That's also another good example of social media, is another form of essential engineering attacks is where people are creating profiles in say for example, LinkedIn. And they're acting like they're either someone from your company or a former colleague or friend as another way to try and make that human to human connection in order to do malicious things. >> Well, we've discussed with you guys in the past around LinkedIn as a feeding ground for spear phishing because, "Hey, here, don't tell your boss but here's "a PDF job opening paying huge salary. "You're qualified." Of course I'm going to look at that, right? So and a lot of that goes on. We see that happen a lot. I want to get your thoughts, Renee on the the vishing and phishing. Smishing is the legitimate source spoofing and vishing is the cloaking or spoofing, right? >> Yeah, smishing is really the text based attacks that you're seeing through your phones. Vishing is using more of a combination of someone that is using a phone based attack but also creating a fake profile, creating a persona. A fabricated story that's ultimately fake but believable. And to try and encourage you to provide information, sensitive information. >> Well, I really appreciate you guys coming on and talking about the attackers trying to take advantage of the current situation. The remote workers again, this is the big at scale thing. What are the steps that people can take, companies can take to protect themselves from or the at scale remote worker situation that could be going on for quite some time now? >> Yeah. So again, at that scale with people in this new normal as we call it, teleworking. Being at scale is... Everyone has to do their part. So I would recommend A from an IT standpoint, keeping all employees virtually in the loop. So weekly updates from security teams. The cyber hygiene practice, especially patch management is critically important too, right? You have a lot of these other devices connected to networks, like you said. IoT devices, all these things that are all prime attack targets. So keeping all the things that we've talked about before, like patch management. Be vigilant on that from an end user perspective. I think especially putting into the employees that they have to be aware that they are highly at risk for this. And I think there has to be... We talked about changes earlier. In terms of mentality education, cyber hygiene, that doesn't change. But I think the way that this isn't forced now, that starts with the change, right? That's a big focus point especially from an IT security standpoint. >> Well, Derek, keep that stat and keep those stats coming in to us. We are very interested. You got the insight. You're the chief of the insights and the global threat. You guys do a great job at FortiGuard guard labs. That's phenomenal. Renee, I'd like you to have the final word on the segment here and we can get back to our remote working and living. What is going on the mind of the CISO right now? Because again, a lot of people are concerned. They don't know how long it's going to last. Certainly we're now in a new normal. Whatever happens going forward as post pandemic world, what's going on in the mind of the CISO right now? What are they thinking? What are they planning for? What's going on? >> Yeah, I think there's a lot of uncertainty. And I think the remote teleworking, again, making sure that employees have secure remote access that can scale. I think that's going to be on the forefront. But again, making sure that people connecting remotely don't end up introducing additional potential vulnerabilities into your network. And again, just keeping aware. Working closely with the IT teams to ensure that we keep our workforces updated and trained and continue to be vigilant with our monitoring capabilities as well as ensuring that we're prepared for potential attacks. >> Well, I appreciate your insights, folks, here. This is great. Renee and Derek thanks for coming on. We want to bring you back in when should do a digital event here in the studio and get the data out there. People are interested. People are making changes. Maybe this could be a good thing. Make some lemonade out of the lemons that are in the industry right now. So thank you for taking the time to share what's going on in the cyber risks. Thank you. >> Thank you, we'll keep those stats coming. >> Okay, CUBE conversation here in Palo Alto with the remote guests. That's what we're doing now. We are working remotely with all of our CUBE interviews. Thanks for watching. I'm John Furrier, co-host to theCUBE. (soft music)

>> Narrator: Live from San Francisco. It's theCUBE, covering RSA Conference 2020, San Francisco. Brought to you by, SiliconANGLE Media. >> Welcome back everyone. CUBE coverage here in Moscone in San Francisco for RSA, 2020. I'm John Furrier host of theCUBE. We've got a great guest here talking about cybersecurity and the impact with AI and the role of data. It's always great to have Derek Manky on Chief Security Insights Global Threat Alliances with FortiGuard Lab, part of Fortinet, FortiGuard Labs is great. Great organization. Thanks for coming on. >> It's a pleasure always to be here-- >> So you guys do a great threat report that we always cover. So it covers all the bases and it really kind of illustrates state of the art of viruses, the protection, threats, et cetera. But you're part of FortiGuard Labs. >> Yeah, that's right. >> Part of Fortinet, which is a security company, public. What is FortiGuard Labs? What do you guys do, what's your mission? >> So FortiGuard Labs has existed since day one. You can think of us as the intelligence that's baked into the product, It's one thing to have a world-class product, but you need a world-class intelligence team backing that up. We're the ones fighting those fires against cybercrime on the backend, 24/7, 365 on a per second basis. We're processing threat intelligence. We've got over 10 million attacks or processing just per minute, over a hundred billion events, in any given day that we have to sift through. We have to find out what's relevant. We have to find gaps that we might be missing detection and protection. We got to push that out to a customer base of 450,000 customers through FortiGuard services and 5 million firewalls, 5 million plus firewalls we have now. So it's vitally important. You need intelligence to be able to detect and then protect and also to respond. Know the enemy, build a security solution around that and then also be able to act quickly about it if you are under active attack. So we're doing everything from creating security controls and protections. So up to, real time updates for customers, but we're also doing playbooks. So finding out who these attackers are, why are they coming up to you. For a CSO, why does that matter? So this is all part of FortiGuard Labs. >> How many people roughly involved ? Take us a little inside the curtain here. What's going on? Personnel size, scope. >> So we're over 235. So for a network security vendor, this was the largest global SOC, that exists. Again, this is behind the curtain like you said. These are the people that are, fighting those fires every day. But it's a large team and we have experts to cover the entire attack surface. So we're looking at not just a viruses, but we're looking at as zero-day weapons, exploits and attacks, everything from cyber crime to, cyber warfare, operational technology, all these sorts of things. And of course, to do that, we need to really heavily rely on good people, but also automation and artificial intelligence and machine learning. >> You guys are walking on a tight rope there. I can only imagine how complex and stressful it is, just imagining the velocity alone. But one of the trends that's coming up here, this year at RSA and is kind of been talking about in the industry is the who? Who is the attacker because, the shifts could shift and change. You got nation states are sitting out there, they're not going to have their hands dirty on this stuff. You've got a lot of dark web activity. You've got a lot of actors out there that go by different patterns. But you guys have an aperture and visibility into a lot of this stuff. >> Absolutely. >> So, you can almost say, that's that guy. That's the actor. That's a really big part. Talk about why that's important. >> This is critically important because in the past, let's say the first generation of, threat intelligence was very flat. It was to watch. So it was just talking about here's a bad IP, here's a bad URL, here's a bad file block hit. But nowadays, obviously the attackers are very clever. These are large organizations that are run a lot of people involved. There's real world damages happening and we're talking about, you look at OT attacks that are happening now. There's, in some cases, 30, $40 million from targeted ransom attacks that are happening. These people, A, have to be brought to justice. So we need to understand the who, but we also need to be able to predict what their next move is. This is very similar to, this is what you see online or CSI. The police trynna investigate and connect the dots like, plotting the strings and the yarn on the map. This is the same thing we're doing, but on a way more advanced level. And it's very important to be able to understand who these groups are, what tools they use, what are the weapons, cyber weapons, if you will, and what's their next move potentially going to be. So there's a lot of different reasons that's important. >> Derek, I was riffing with another guest earlier today about this notion of, government protection. You've got a military troops drop on our shores and my neighborhood, the Russians drop in my neighborhood. Guess what, the police will probably come in, and, or the army should take care of it. But if I got to run a business, I got to build my own militia. There's no support out there. The government's not going to support me. I'm hacked. Damage is done. You guys are in a way providing that critical lifeline that guard or shield, if you will, for customers. And they're going to want more of it. So I've got to ask you the hard question, which is, how are you guys going to constantly be on the front edge of all this? Because at the end of the day, you're in the protection business. Threats are coming at the speed of milliseconds and nanoseconds, in memory. You need memory, you need database. You've got to have real time. It's a tsunami of attack. You guys are the front lines of this. You're the heat shield. >> Yes, absolutely. >> How do you take it to the next level? >> Yeah, so collaboration, integration, having a broad integrated platform, that's our bread and butter. This is what we do. End-to-end security. The attack surface is growing. So we have to be able to, A, be able to cover all aspects of that attack surface and again, have intelligence. So we're doing sharing through partners. We have our core intelligence network. Like I said, we're relying heavily on machine learning models. We're able to find that needle in the haystack. Like, as I said earlier, we're getting over a hundred billion potential threat events a day. We have to dissect that. We have to break it down. We have to say, is this affecting endpoint? Is this effect affecting operational technology? What vertical, how do we process it? How do we verify that this is a real threat? And then most importantly, get that out in time and speed to our customers. So I started with automation years ago, but now really the way that we're doing this is through broad platform coverage. But also machine learning models for and-- >> I want to dig into machine learning because, I love that needle in the haystack analogy, because, if you take that to the next step, you got to stack a needles now. So you find the needle in the haystack. Now you got a bunch of needles, where do you find that? You need AI, you got to have some help. But you still got the human component. So talk about how you guys are advising customers on how you're using machine learning and get that AI up and running for customers and for yourselves. >> So we're technology people. I always look at this as the stack. The stack model, the bottom of the stack, you have automation. You have layer one, layer two. That's like the basic things for, feeds, threat feeds, how we can push out, automate, integrate that. Then you have the human. So the layer seven. This is where our human experts are coming in to actually advise our customers. We're creating a threat signals with FortiGuard Labs as an example. These are bulletins that's a quick two to three page read that a CSO can pick up and say, here's what FortiGuard Labs has discovered this week. Is this relevant to my network? Do I have these protections in place. There's also that automated, and so, I refer to this as a centaur model. It's half human half machine and, the machines are driving a lot of that, the day to day mundane tasks, if you will, but also finding, collecting the needles of needles. But then ultimately we have our humans that are processing that, analyzing it, creating the higher level strategic advice. We recently, we've launched a FortiAI, product as well. This has a concept of a virtual-- >> Hold on, back up a second. What's it called? >> FortiAI. >> So it's AI components. Is it a hardware box or-- >> This is a on-premise appliance built off of five plus years of learning that we've done in the cloud to be able to identify threats and malware, understand what that malware does to a detailed level. And, where we've seen this before, where is it potentially going? How do we protect against it? Something that typically you would need, four to five headcount in your security operations center to do, we're using this as an assist to us. So that's why it's a virtual analyst. It's really a bot, if you will, something that can actually-- >> So it's an enabling opportunity for the customers. So is this virtual assistant built into the box. What does that do, virtual analyst. >> So the virtual analyst is able to, sit on premises. So it's localized learning, collect threats to understand the nature of those threats, to be able to look at the needles of the needles, if you will, make sense of that and then automatically generate reports based off of that. So it's really an assist tool that a network admin or a security analyst was able to pick up and virtually save hours and hours of time of resources. >> So, if you look at the history of like our technology industry from a personalization standpoint, AI and data, whether you're a media business, personalization is ultimately the result of good data AI. So personalization for an analyst, would be how not to screw up their job. (laughs) One level. The other one is to be proactive on being more offensive. And then third collaboration with others. So, you starting to see that kind of picture form. What's your reaction to that? >> I think it's great. There's stepping stones that we have to go through. The collaboration is not always easy. I'm very familiar with this. I mean I was, with the Cyber Threat Alliance since day one, I head up and work with our Global Threat Alliances. There's always good intentions, there's problems that can be created and obviously you have things like PII now and data privacy and all these little hurdles they have to come over. But when it works right together, this is the way to do it. It's the same thing with, you talked about the data naturally when he started building up IT stacks, you have silos of data, but ultimately those silos need to be connected from different departments. They need to integrate a collaborate. It's the same thing that we're seeing from the security front now as well. >> You guys have proven the model of FortiGuard that the more you can see, the more visibility you can see and more access to the data in real time or anytime scale, the better the opportunity. So I got to take that to the next level. What you guys are doing, congratulations. But now the customer. How do I team up with, if I'm a customer with other customers because the bad guys are teaming up. So the teaming up is now a real dynamic that companies are deploying. How are you guys looking at that? How is FortiGuard helping that? Is it through services? Is it through the products like virtual assistant? Virtual FortiAI? >> So you can think of this. I always make it an analogy to the human immune system. Artificial neural networks are built off of neural nets. If I have a problem and an infection, say on one hand, the rest of the body should be aware of that. That's collaboration from node to node. Blood cells to blood cells, if you will. It's the same thing with employees. If a network admin sees a potential problem, they should be able to go and talk to the security admin, who can go in, log into an appliance and create a proper response to that. This is what we're doing in the security fabric to empower the customer. So the customer doesn't have to always do this and have the humans actively doing those cycles. I mean, this is the integration. The orchestration is the big piece of what we're doing. So security orchestration between devices, that's taking that gap out from the human to human, walking over with a piece of paper to another or whatever it is. That's one of the key points that we're doing within the actual security fabric. >> So that's why silos is problematic. Because you can't get that impact. >> And it also creates a lag time. We have a need for speed nowadays. Threats are moving incredibly fast. I think we've talked about this on previous episodes with swarm technology, offensive automation, the weaponization of artificial intelligence. So it becomes critically important to have that quick response and silos, really create barriers of course, and make it slower to respond. >> Okay Derek, so I got to ask you, it's kind of like, I don't want to say it sounds like sports, but it's, what's the state of the art in the attack vectors coming in. What are you guys seeing as some of the best of breed tax that people should really be paying attention to? They may, may not have fortified down. What are SOCs looking at and what are security pros focused on right now in terms of the state of the art. >> So the things that keep people up at night. We follow this in our Threat Landscape Report. Obviously we just released our key four one with FortiGuard Labs. We're still seeing the same culprits. This is the same story we talked about a lot of times. Things like, it used to be a EternalBlue and now BlueKeep, these vulnerabilities that are nothing new but still pose big problems. We're still seeing that exposed on a lot of networks. Targeted ransom attacks, as I was saying earlier. We've seen the shift or evolution from ransomware from day to day, like, pay us three or $400, we'll give you access to your data back to going after targeted accounts, high revenue business streams. So, low volume, high risk. That's the trend that we're starting to see as well. And this is what I talk about for trying to find that needle in the haystack. This is again, why it's important to have eyes on that. >> Well you guys are really advanced and you guys doing great work, so congratulations. I got to ask you to kind of like, the spectrum of IT. You've got a lot of people in the high end, financial services, healthcare, they're regulated, they got all kinds of challenges. But as IT and the enterprise starts to get woke to the fact that everyone's vulnerable. I've heard people say, well, I'm good. I got a small little to manage, I'm only a hundred million dollar business. All I do is manufacturing. I don't really have any IP. So what are they going to steal? So that's kind of a naive approach. The answer is, what? Your operations and ransomware, there's a zillion ways to get taken down. How do you respond to that. >> Yeah, absolutely. Going after the crown jewels, what hurts? So it might not be a patent or intellectual property. Again, the things that matter to these businesses, how they operate day to day. The obvious examples, what we just talked about with revenue streams and then there's other indirect problems too. Obviously, if that infrastructure of a legitimate organization is taken over and it's used as a botnet and an orchestrated denial-of-service attack to take down other organizations, that's going to have huge implications. >> And they won't even know it. >> Right, in terms of brand damage, has legal implications as well that happened. This is going even down to the basics with consumers, thinking that, they're not under attack, but at the end of the day, what matters to them is their identity. Identity theft. But this is on another level when it comes to things to-- >> There's all kinds of things to deal with. There's, so much more advanced on the attacker side. All right, so I got to ask you a final question. I'm a business. You're a pro. You guys are doing great work. What do I do, what's my strategy? How would you advise me? How do I get my act together? I'm working the mall every day. I'm trying my best. I'm peddling as fast as I can. I'm overloaded. What do I do? How do I go the next step? >> So look for security solutions that are the assist model like I said. There's never ever going to be a universal silver bullet to security. We all know this. But there are a lot of things that can help up to that 90%, 95% secure. So depending on the nature of the threats, having a first detection first, that's always the most important. See what's on your network. This is things where SIM technology, sandboxing technology has really come into play. Once you have those detections, how can you actually take action? So look for a integration. Really have a look at your security solutions to see if you have the integration piece. Orchestration and integration is next after detection. Finally from there having a proper channel, are there services you looked at for managed incident response as an example. Education and cyber hygiene are always key. These are free things that I push on everybody. I mean we release weekly threat intelligence briefs. We're doing our quarterly Threat Landscape Reports. We have something called threat signals. So it's FortiGuard response to breaking industry events. I think that's key-- >> Hygiene seems to come up over and over as the, that's the foundational bedrock of security. >> And then, as I said, ultimately, where we're heading with this is the AI solution model. And so that's something, again that I think-- >> One final question since it's just popped into my head. I wanted, and that last one. But I wanted to bring it up since you kind of were, we're getting at it. I know you guys are very sensitive to this one topic cause you live it every day. But the notion of time and time elapsed is a huge concern because you got to know, it's not if it's when. So the factor of time is a huge variable in all kinds of impact. Positive and negative. How do you talk about time and the notion of time elapsing. >> That's great question. So there's many ways to stage that. I'll try to simplify it. So number one, if we're talking about breaches, time is money. So the dwell time. The longer that a threat sits on a network and it's not cleaned up, the more damage is going to be done. And we think of the ransom attacks, denial-of-service, revenue streams being down. So that's the incident response problem. So time is very important to detect and respond. So that's one aspect of that. The other aspect of time is with machine learning as well. This is something that people don't always think about. They think that, artificial intelligence solutions can be popped up overnight and within a couple of weeks they're going to be accurate. It's not the case. Machines learn like humans too. It takes time to do that. It takes processing power. Anybody can get that nowadays, data, most people can get that. But time is critical to that. It's a fascinating conversation. There's many different avenues of time that we can talk about. Time to detect is also really important as well, again. >> Let's do it, let's do a whole segment on that, in our studio, I'll follow up on that. I think it's a huge topic, I hear about all the time. And since it's a little bit elusive, but it kind of focuses your energy on, wait, what's going on here? I'm not reacting. (laughs) Time's a huge issue. >> I refer to it as a latency. I mean, latency is a key issue in cybersecurity, just like it is in the stock exchange. >> I mean, one of the things I've been talking about with folks here, just kind of in fun conversation is, don't be playing defense all the time. If you have a good time latency, you going to actually be a little bit offensive. Why not take a little bit more offense. Why play defense the whole time. So again, you're starting to see this kind of mentality not being, just an IT, we've got to cover, okay, respond, no, hold on the ballgame. >> That comes back to the sports analogy again. >> Got to have a good offense. They must cross offense. Derek, thanks so much. Quick plug for you, FortiGuard, share with the folks what you guys are up to, what's new, what's the plug. >> So FortiGuard Labs, so we're continuing to expand. Obviously we're focused on, as I said, adding all of the customer protection first and foremost. But beyond that, we're doing great things in industry. So we're working actively with law enforcement, with Interpol, Cyber Threat Alliance, with The World Economic Forum and the Center for Cyber Security. There's a lot more of these collaboration, key stakeholders. You talked about the human to human before. We're really setting the pioneering of setting that world stage. I think that is, so, it's really exciting to me. It's a lot of good industry initiatives. I think it's impactful. We're going to see an impact. The whole goal is we're trying to slow the offense down, the offense being the cyber criminals. So there's more coming on that end. You're going to see a lot great, follow our blogs at fortinet.com and all-- >> Great stuff. >> great reports. >> I'm a huge believer in that the government can't protect us digitally. There's going to be protection, heat shields out there. You guys are doing a good job. It's only going to be more important than ever before. So, congratulations. >> Thank you. >> Thanks for coming I really appreciate. >> Never a dull day as we say. >> All right, it's theCUBE's coverage here in San Francisco for RSA 2020. I'm John Furrier, your host. Thanks for watching. (upbeat music)

>> from our studios in the heart of Silicon Valley, Palo Alto, California It is a cute conversation. >> Well, the Special Cube conversation. We are here in Palo Alto, California, Cube studios here. Tony, Gino, Domenico, Who's the senior security strategist and research at for Net and four to guard labs live from Las Vegas. Where Black Hat and then Def Con security activities happening, Tony, also known as Tony G. Tony G. Welcome to this cube conversation. >> Hey, Thanks, John. Thanks for having me. >> So a lot of action happening in Vegas. We just live there all the time with events. You're there on the ground. You guys have seen all the action there. You guys are just published. Your quarterly threat report got a copy of it right here with the threat index on it. Talk about the quarterly global threats report. Because the backdrop that we're living in today, also a year at the conference and the cutting edge is security is impacting businesses that at such a level, we must have shell shock from all the breaches and threats they're going on. Every day you hear another story, another story, another hack, more breaches. It said all time high. >> Yeah, you know, I think a lot of people start to get numb to the whole thing. You know, it's almost like they're kind of throwing your hands up and say, Oh, well, I just kind of give up. I don't know what else to do, but I mean, obviously, there are a lot of different things that you can do to be able to make sure that you secure your cybersecurity program so at least you minimize the risk of these particular routes is happening. But with that said with the Threat Landscape report, what we typically dio is we start out with his overall threat index, and we started this last year. If we fast forward to where we are in this actual cue to report, it's been one year now, and the bad news is that the threats are continuing to increase their getting more sophisticated. The evasion techniques are getting more advanced, and we've seen an uptick of about 4% and threat volume over the year before. Now the silver lining is I think we expected the threat volume to be much higher. So I think you know, though it is continuing to increase. I think the good news is it's probably not increasing as fast as we thought it was going to. >> Well, you know, it's always You have to know what you have to look for. Blood. People talk about what you can't see, and there's a lot of a blind spot that's become a data problem. I just want to let people know that. Confined the report, go to Ford Nets, ah website. There's a block there for the details, all the threat index. But the notable point is is only up 4% from the position year of a year that the attempts are more sophisticated. Guys gotta ask you, Is there stuff that we're not seeing in there? Is there blind spots? What's the net net of the current situation? Because observe ability is a hot topic and cloud computing, which essentially monitoring two point. Oh, but you gotta be able to see everything. Are we seeing everything? What's what's out there? >> Well, I mean, I think us as Ford, a guard on Darcy, have cyber threat in challenges. I think we're seeing a good amount, but when you talk about visibility, if you go back down into the organizations. I think that's where there's There's definitely a gap there because a lot of the conversations that I have with organizations is they don't necessarily have all the visibility they need from cloud all the way down to the end point. So there are some times that you're not gonna be able to catch certain things now. With that said, if we go back to the report at the end of the day, the adversaries have some challenges to be able to break into an organization. And, of course, the obvious one is they have to be able to circumvent our security controls. And I think as a security community, we've gotten a lot better of being able to identify when the threat is coming into an organization. Now, on the flip side, Oh, if you refer back to the minor Attack knowledge base, you'll see a specific tactic category called defense evasions. There's about 60 plus techniques, evasion techniques the adversary has at their disposal, at least that we know may there may be others, but so they do have a lot of opportunity, a lot of different techniques to be able to leverage with that, said There's one technique. It's, ah, disabling security tools that we started seeing a bit of an increase in this last cue to threat landscape report. So a lot of different types of threats and mile where have the capability to be ableto one look at the different processes that may be running on a work station, identifying which one of those processes happen to be security tools and then disabling them whether they're no, maybe they might just be able to turn the no, the actual service off. Or maybe there's something in the registry that they can tweak. That'll disable the actual security control. Um, maybe they'll actually suppress the alerts whatever. They conduce you to make sure that that security control doesn't prevent them from doing that malicious activity. Now, with that said, on the flip side, you know, from an organization for perspective, you want to make sure that you're able to identify when someone's turning on and turning off those security control to any type of alert that might be coming out of that control also. And this is a big one because a lot of organizations and this certainly do this minimize who has the ability to turn those particular security controls on and off. In the worst cases, you don't wanna have all of your employees uh, the you don't want to give them the ability to be able to turn those controls on and off. You're never gonna be ableto baseline. You're never gonna be able to identify a, you know, anomalous activity in the environment, and you're basically gonna lose your visibility. >> I mean, this increase in male wearing exploit activity you guys were pointing out clearly challenge the other thing that the report kind of She's out. I want to get your opinion on this. Is that the The upping? The ante on the evasion tactics has been very big trend. The adversaries are out there. They're upping the ante. You guys, we're upping the guarantees. This game you continue this flight will continues. Talk about this. This feature of upping the ante on evasion tactics. >> Yes. So that's what I was that I was kind of ah, referring to before with all the different types of evasion techniques. But what I will say is most of the all the threats these days all have some type of evasion capabilities. A great example of this is every quarter. If you didn't know. We look at different types of actors and different types of threats, and we find one that's interesting for us to dig into and where create was called an actual playbook, where we want to be able to dissect that particular threat or those threat actor methodologies and be able to determine what other tactics and corresponding techniques, which sometimes of course, includes evasion techniques. Now, the one that we focused on for this quarter was called His Ego's Was Ego, says a specific threat that is an information stealer. So it's gathering information, really based on the mission goals off, whatever that particular campaign is, and it's been around for a while. I'm going all the way back to 2011. Now you might be asking yourself, Why did we actually choose this? Well, there's a couple different reasons. One happens to be the fact that we've seen an uptick in this activity. Usually when we see that it's something we want to dive into a little bit more. Number two. Though this is a tactic of the of the adversary, what they'll do is they'll have their threat there for a little while, and then local doorman. They'll stop using that particular malware. That's no specific sort of threat. They'll let the dust settle that things die down. Organizations will let their guard down a little bit on that specific threat. Security organizations Ah, vendors might actually do the same. Let that digital dust kind of settle, and then they'll come back. Bigger, faster, stronger. And that's exactly what Z ghosted is. Ah, we looked at a specific campaign in this new mall where the new and improved Mauer, where is they're adding in other capabilities for not just being able to siphon information from your machine, but they're also now can capture video from your webcam. Also, the evasion techniques since Iran that particular subject, what they're also able to do is they're looking at their application logs. Your system logs your security logs, the leading them making a lot more difficult from a forensic perspective. Bill, go back and figure out what happened, what that actual malware was doing on the machine. Another interesting one is Ah, there. We're looking at a specific J peg file, so they're looking for that hash. And if the hash was there the axle? Um, our wouldn't run. We didn't know what that was. So we researched a little bit more on What we found out was that J Peg file happened to be a desktop sort of picture for one of the sandboxes. So it knew if that particular J pick was present, it wasn't going to run because it knew it was being analyzed in a sandbox. So that was a second interesting thing. The 3rd 1 that really leaned us towards digging into this is a lot of the actual security community attribute this particular threat back to cyber criminals that are located in China. The specific campaign we were focused on was on a government agency, also in China, So that was kind of interesting. So you're continuing to see these. These mile wears of maybe sort of go dormant for a little bit, but they always seem to come back bigger, faster, stronger. >> And that's by design. This is that long, whole long view that these adversaries we're taking in there as he organized this economy's behind what they're doing. They're targeting this, not just hit and run. It's get in, have a campaign. This long game is very much active. Howto enterprises. Get on, get on top of this. I mean, is it Ah, is it Ah, people process Issue is it's, um, tech from four to guard labs or what? What's what's for the Nets view on this? Because, I mean, I can see that happening all the time. It has >> happened. Yeah, it's It's really it's a combination of everything on this combination. You kind of hit like some of it, its people, its processes and technology. Of course, we have a people shortage of skilled resource is, but that's a key part of it. You always need to have those skills. Resource is also making sure you have the right process. Is how you actually monitoring things. I know. Ah, you know, a lot of folks may not actually be monitoring all the things that they need to be monitoring from, Ah, what is really happening out there on the internet today? So making sure you have clear visibility into your environment and you can understand and maybe getting point in time what your situational awareness is. You you, for my technology perspective, you start to see and this is kind of a trend. We're starting the leverage artificial intelligence, automation. The threats are coming, and it's such a high volume. Once they hit the the environment, instead of taking hours for your incident response to be about, at least you know not necessarily mitigate, but isolate or contain the breach. It takes a while. So if you start to leverage some artificial intelligence and automatic response with the security controls are working together. That's a big that's a big part of it. >> Awesome. Thanks for coming. This is a huge problem. Think no one can let their guard down these days? Certainly with service, they're expanding. We're gonna get to that talk track in the second. I want to get quickly. Get your thoughts on ransom, where this continues to be, a drum that keeps on beating. From a tax standpoint, it's almost as if when when the attackers need money, they just get the same ransomware target again. You know, they get, they pay in. Bitcoin. This is This has been kind of a really lucrative but persistent problem with Ransomware. This what? Where what's going on with Ransomware? What's this state of the report and what's the state of the industry right now in solving that? >> Yeah. You know, we looked into this a little bit in last quarter and actually a few quarters, and this is a continuous sort of trend ransom, where typically is where you know, it's on the cyber crime ecosystem, and a lot of times the actual threat itself is being delivered through some type of ah, phishing email where you need a user to be able to click a langur clicking attachment is usually kind of a pray and spray thing. But what we're seeing is more of ah, no sort of ah, you know, more of a targeted approach. What they'll do is to look for do some reconnaissance on organizations that may not have the security posture that they really need. Tohave, it's not as mature, and they know that they might be able to get that particular ransomware payload in there undetected. So they do a little reconnaissance there, And some of the trend here that we're actually seeing is there looking at externally RTP sessions. There's a lot of RTP sessions, the remote desktop protocol sessions that organizations have externally so they can enter into their environment. But these RTP sessions are basically not a secure as they need to be either week username and passwords or they are vulnerable and haven't actually been passed. They're taking advantage of those they're entering and there and then once they have that initial access into the network, they spread their payload all throughout the environment and hold all those the those devices hostage for a specific ransom. Now, if you don't have the, you know, particular backup strategy to be able to get that ransom we're out of there and get your your information back on those machines again. Sometimes you actually may be forced to pay that ransom. Not that I'm recommending that you sort of do so, but you see, or organizations are decided to go ahead and pay that ransom. And the more they do that, the more the adversary is gonna say, Hey, I'm coming back, and I know I'm gonna be able to get more and more. >> Yeah, because they don't usually fix the problem or they come back in and it's like a bank. Open bank blank check for them. They come in and keep on hitting >> Yeah >> same target over and over again. We've seen that at hospitals. We've seen it kind of the the more anemic I t department where they don't have the full guard capabilities there. >> Yeah, and I would have gone was really becoming a big issue, you know? And I'll, uh, ask you a question here, John. I mean, what what does Microsoft s A N D. H s have in common for this last quarter? >> Um, Robin Hood? >> Yeah. That attacks a good guess. Way have in common is the fact that each one of them urged the public to patch a new vulnerability that was just released on the RTP sessions called Blue Keep. And the reason why they was so hyped about this, making sure that people get out there and patch because it was were mobile. You didn't really need tohave a user click a link or click and attachment. You know, basically, when you would actually exploit that vulnerability, it could spread like wildfire. And that's what were mobile is a great example of that is with wannacry. A couple years ago, it spread so quickly, so everybody was really focused on making sure that vulnerability actually gets patched. Adding onto that we did a little bit of research on our own and ransom Internet scans, and there's about 800,000 different devices that are vulnerable to that particular ah, new vulnerability that was announced. And, you know, I still think a lot of people haven't actually patched all of that, and that's a real big concern, especially because of the trend that we just talked about Ransomware payload. The threat actors are looking at are Rdp as the initial access into the environment. >> So on blue Keep. That's the one you were talking about, right? So what is the status of that? You said There's a lot of vulnerable is out. There are people patching it, is it Is it being moving down, the down the path in terms of our people on it? What's your take on that? What's the assessment? >> Yeah, so I think some people are starting to patch, but shoot, you know, the scans that we do, there's still a lot of unpacked systems out there, and I would also say we're not seeing what's inside the network. There may be other RTP sessions in the environment inside of an organization's environment, which really means Now, if Ransomware happens to get in there that has that capability than to be able to spread like the of some RTP vulnerability that's gonna be even a lot more difficult to be able to stop that once it's inside a network. I mean, some of the recommendations, obviously, for this one is you want to be able to patch your RTP sessions, you know, for one. Also, if you want to be able to enable network authentication, that's really gonna help us. Well, now I would also say, You know, maybe you want a hard in your user name and passwords, but if you can't do some of this stuff, at least put some mitigating controls in place. Maybe you can isolate some of those particular systems, limit the amount of AH access organizations have or their employees have to that, or maybe even just totally isolated. If it's possible, internal network segmentation is a big part of making sure you can. You're able to mitigate some of these put potential risks, or at least minimize the damage that they may cause. >> Tony G. I want to get your thoughts on your opinion and analysis expert opinion on um, the attack surface area with digital and then ultimately, what companies can do for Let's let's start with the surface area. What's your analysis there? Ah, lot of companies are recognizing. I'll see with Coyote and other digital devices. The surface area is just everywhere, right? So I got on the perimeter days. That's kind of well known. It's out there. What's the current digital surface area threats look like? What's your opinion? >> Sure, Yeah, it's Ah, now it's funny. These days, I say no, Jenna tell you everything that seems to be made as an I P address on it, which means it's actually able to access the Internet. And if they can access the Internet, the bad guys can probably reach out and touch it. And that's really the crux of the problem of these days. So anything that is being created is out on the Internet. And, yeah, like, we all know there's really not a really rigid security process to make sure that that particular device as secure is that secure as it actually needs to be Now. We talked earlier on about You know, I ot as relates to maybe home routers and how you need to be ableto hard in that because you were seeing a lot of io teapot nets that air taking over those home routers and creating these super large I ot botnets on the other side of it. You know, we've seen ah lot of skate of systems now that traditionally were in air gapped environments. Now they're being brought into the traditional network. They're being connected there. So there's an issue there, but one of the ones we haven't actually talked a lot about and we see you're starting to see the adversaries focus on these little bit more as devices in smart homes and smart buildings in this queue to threat landscape report. There was a vulnerability in one of these you motion business management systems. And, you know, we looked at all the different exploits out there, and the adversaries were actually looking at targeting that specific exploit on that. That's smart management building service device. We had about 1% of all of our exploit, uh, hits on that device. Now that might not seem like a lot, but in the grand scheme of things, when we're collecting billions and billions of events, it's a fairly substantial amount. What, now that we're Lee starts a kind of bring a whole another thought process into as a security professional as someone responds double for securing my cyber assets? What if I include in my cyber assets now widen include all the business management systems that my employees, Aaron, for my overall business. Now that that actually might be connected to my internal network, where all of my other cyber assets are. Maybe it actually should be. Maybe should be part of your vulnerability mentioned audibly patch management process. But what about all the devices in your smart home? Now? You know, all these different things are available, and you know what the trend is, John, right? I mean, the actual trend is to work from home. So you have a lot of your remote workers have, ah, great access into the environment. Now there's a great conduit for the obvious areas to be ableto break into some of those smart home devices and maybe that figure out from there there on the employees machine. And that kind of gets him into, you know, the other environment. So I would say, Start looking at maybe you don't wanna have those home devices as part of, ah, what you're responsible for protecting, but you definitely want to make sure your remote users have a hardened access into the environment. They're separated from all of those other smart, smart home devices and educate your employees on that and the user awareness training programs. Talk to them about what's happening out there, how the adversaries air starting to compromise, or at least focus on some of them smart devices in their home environment. >> These entry points are you point out, are just so pervasive. You have work at home totally right. That's a great trend that a lot of companies going to. And this is virtual first common, a world. We build this new new generation of workers. They wanna work anywhere. So no, you gotta think about all that. Those devices that your son or your daughter brought home your husband. Your wife installed a new light bulb with an I peed connection to it fully threaded processor. >> I know it. Gosh, this kind of concern me, it's safer. And what's hot these days is the webcam, right? Let's say you have an animal and you happen to go away. You always want to know what your animals doing, right? So you have these Webcams here. I bet you someone might be placing a webcam that might be near where they actually sit down and work on their computer. Someone compromises that webcam you may be. They can see some of the year's name and password that you're using a log in. Maybe they can see some information that might be sensitive on your computer. You know, it's the The options are endless here. >> Tony G. I want to get your thoughts on how companies protect themselves, because this is the real threat. A ni O t. Doesn't help either. Industrial I ot to just Internet of things, whether it's humans working at home, too, you know, sensors and light bulbs inside other factory floors or whatever means everywhere. Now the surface area is anything with a knife he address in power and connectivity. How do companies protect themselves? What's the playbook? What's coming out of Red hat? What's coming out of Fort Annette? What are you advising? What's the playbook? >> Yeah, you know I am. You know, when I get asked this question a lot, I really I sound like a broken record. Sometimes I try to find so many different ways to spin it. You know, maybe I could actually kind of say it like this, and it's always means the same thing. Work on the fundamentals and John you mentioned earlier from the very beginning. Visibility, visibility, visibility. If you can't understand all the assets that you're protecting within your environment, it's game over. From the beginning, I don't care what other whiz bang product you bring into the environment. If you're not aware of what you're actually protecting, there's just no way that you're gonna be able to understand what threats are happening out your network at a higher level. It's all about situational awareness. I want to make sure if I'm if I'm a C so I want my security operations team to have situational awareness at any given moment, all over the environment, right? So that's one thing. No grabbing that overall sort of visibility. And then once you can understand where all your assets are, what type of information's on those assets, you get a good idea of what your vulnerabilities are. You start monitoring that stuff. You can also start understanding some of different types of jabs. I know it's challenging because you've got everything in the cloud all the way down to the other end point. All these mobile devices. It's not easy, but I think if you focus on that a little bit more, it's gonna go a longer way. And I also mentioned we as humans. When something happens into the environment, we can only act so fast. And I kind of alluded to this earlier on in this interview where we need to make sure that we're leveraging automation, artificial in intelligence to help us be able to determine when threats happened. You know, it's actually be in the environment being able to determine some anomalous activity and taking action. It may not be able to re mediate, but at least it can take some initial action. The security controls can talk to each other, isolate the particular threat and let you fight to the attack, give you more time to figure out what's going on. If you can reduce the amount of time it takes you to identify the threat and isolate it, the better chances that you're gonna have to be able to minimize the overall impact of that particular Reno. >> Tony, just you jogging up a lot of memories from interviews I've had in the past. I've interviewed the four star generals, had an essay, had a cyber command. You get >> a lot of >> military kind of thinkers behind the security practice because there is a keeping eyes on the enemy on the target on the adversary kind of dialogue going on. They all talk about automation and augmenting the human piece of it, which is making sure that you have as much realty. I'm information as possible so you can keep your eyes on the targets and understand, to your point contextual awareness. This seems to be the biggest problem that Caesar's heir focused on. How to eliminate the tasks that take the eyes off the targets and keep the situational winners on on point. Your thoughts on that? >> Yeah, I have to. You know what, son I used to be? Oh, and I still do. And now I do a lot of presentations about situational awareness and being ableto build your you know, your security operations center to get that visibility. And, you know, I always start off with the question of you know, when your C so walks in and says, Hey, I saw something in the news about a specific threat. How are we able to deal with that? 95% of the responses are Well, I have to kind of go back and kind of like, you don't have to actually come dig in and, you know, see, and it takes them a while for the audio. >> So there's a classic. So let me get back to your boss. What? Patch patch? That, um Tony. Chief, Thank you so much for the insight. Great Congressional. The Holy Report. Keep up the good work. Um, quick, Quick story on black hat. What's the vibe in Vegas? Def con is right around the corner after it. Um, you seeing the security industry become much more broader? See, as the industry service area becomes from technical to business impact, you starting to see that the industry change Amazon Web service has had an event cloud security called reinforce. You starting to see a much broader scope to the industry? What's the big news coming out of black at? >> Yeah, you know, it's it's a lot of the same thing that actually kind of changes. There's just so many different vendors that are coming in with different types of security solutions, and that's awesome. That is really good with that, said, though, you know, we talked about the security shortage that we don't have a lot of security professionals with the right skill sets. What ends up happening is you know, these folks that may not have that particular skill, you know, needed. They're being placed in these higher level of security positions, and they're coming to these events and they're overwhelmed because they're all they'll have a saw slight. It's all over a similar message, but slightly different. So how did they determine which one is actually better than the others? So it's, um, I would say from that side, it gets to be a little bit kind of challenging, but at the same time, No, I mean, we continued to advance. I mean, from the, uh, no, from the actual technical controls, solutions perspective, you know, You know, we talked about it. They're going, we're getting better with automation, doing the things that the humans used to do, automating that a little bit more, letting technology do some of that mundane, everyday kind of grind activities that we would as humans would do it, take us a little bit longer. Push that off. Let the actual technology controls deal with that so that you can focus like you had mentioned before on those higher level you know, issues and also the overall sort of strategy on either howto actually not allow the officer to come in or haven't determined once they're in and how quickly will be able to get them out. >> You know, we talked. We have a panel of seashells that we talk to, and we were running a you know, surveys through them through the Cube insights Most see says, we talk Thio after they won't want to talk off the record. I don't want anyone know they work for. They all talked him. They say, Look, I'm bombarded with more and more security solutions. I'm actually trying to reduce the number of suppliers and increase the number of partners, and this is nuanced point. But to your what you're getting at is a tsunami of new things, new threats, new solutions that could be either features or platforms or tools, whatever. But most si SOS wanna build an engineering team. They wanna have full stack developers on site. They wanna have compliance team's investigative teams, situational awareness teams. And they want a partner with with suppliers where they went partners, not just suppliers. So reduce the number suppliers, increase the partners. What's your take on that year? A big partner. A lot of the biggest companies you >> get in that state spring. Yeah. I mean, that's that's actually really our whole strategy. Overall strategy for Ford. Annette is, and that's why we came up with this security fabric. We know that skills are really not as not as prevalent as that they actually need to be. And of course, you know there's not endless amounts of money as well, right? And you want to be able to get these particular security controls to talk to each other, and this is why we built this security fabric. We want to make sure that the controls that we're actually gonna build him, and we have quite a few different types of, you know, security controls that work together to give you the visibility that you're really looking for, and then years Ah, you know, trusted partner that you can actually kind of come to And we can work with you on one identifying the different types of ways the adversaries air moving into the environment and ensuring that we have security controls in place to be able to thwart the threat. Actor playbook. Making sure that we have a defensive playbook that aligns with those actual ttp is in the offensive playbook, and we can actually either detect or ultimately protect against that malicious activity. >> Tony G. Thanks for sharing your insights here on the cube conversation. We'll have to come back to you on some of these follow on conversations. Love to get your thoughts on Observe ability. Visibility on. Get into this. What kind of platforms are needed to go this next generation with cloud security and surface area being so massive? So thanks for spending the time. Appreciate it. >> Thanks a lot, Right. We only have >> a great time in Vegas. This is Cube conversation. I'm John for here in Palo Alto. Tony G with Fortinet in Las Vegas. Thanks for watching

(dramatic string music) >> Hi I'm Peter Burris and welcome to another theCUBE Conversation from our outstanding studios here in beautiful Palo Alto, California. Like all our CUBE Conversations, we've got a great one today. In this one we're going to talk about some of the trends that people are experiencing in the world of security and threats. And to have that conversation, we've got Tony Giandomenico who's a senior security strategist researcher at Fortinet's FortiGuard Labs. Tony welcome back to theCUBE. >> Hey Peter, how ya doin' man? It's great to be here. >> It's great to see you again Tony. Look, we've had this conversation now for at least four quarters and FortiGuard Labs has published their overall threat analysis for at least the past couple of years and that's what we're going to talk about today. So, give us a little bit of overview of what this report entails. Where does the data come from and how are you using it within Fortinet and FortiGuard Labs? >> Sure, sure, well, so this is a quarterly threat landscape report, right? So obviously, we do it on a quarterly basis and it's really geared towards the IT security professional from the CSO all the way down to, you know, the folks that are actually in the operations, you know, the daily operations. And we're getting billions of events that we're observing in real time production environments and we're looking specifically at application exploits, we're looking at malware, we're looking at botnets, and we hope to be able to identify different trends and then maybe able to translate into that IT security professional to be able to figure out where they should be focusing their security efforts. >> Yeah, and I think that's an important issue because you can't know what you should do next if you don't know what's happening right now or what has happened recently. But you've tried to provide, let's call a more general flavor to the report this year in the sense that you've introduced some indices that shows trends over time. Talk to us a little bit about that. >> Sure yeah, so last quarter we finally introduced what's referred to as our threat index. And what we were trying to do is be able track the ebbs and flows of threats over time and like you know, we always break down our exploits or our threats into application exploits, malware and botnets, so each one of them also have their individual index. Now, although there was some peaks and valleys and application exploits did hit an all-time high, at the end of the quarter, it ended up around the same the threat index did as last quarter, and I think a lot of that may be actually driven by the holiday season. Now, if I had a crystal ball, I would've probably think that the future quarters, the threat index is probably going to continue to increase. >> And I think that there's a couple reasons for that, right? When you say it's the holiday quarter, the overall threat index goes down because as people spend time home for the holidays, take vacation, little less time at work, they're opening fewer malicious files from fewer unknown sources or bad websites. But I think you've made the point multiple times that just because they're not opening a bad file in an email attachment right now, doesn't mean that they're not going to open it when they get back from work. >> Yeah, that is definitely true, but you know what? Maybe they are more focused and they'll be more attentive to looking at their email. I will also say, the bad guys need a break too, right? So, when a holiday season comes around, I mean, they're going to probably slow down some of their malware and some of their exploits and you know, just kind of enjoy the holidays. >> (laughs) Good for them. All right, so let's take a look at each of the different areas. The overall threat index is comprised of, as you said, the application exploits, malware and botnets. So, let's take them one at each. What did we see in the threat index as it pertains to application exploits? What were the big trends? >> Well, of the top 12, six of them, you know Peter, do you know what, the six exploits we're focusing on for the top 12, any idea? >> I read the report so yes, but tell us. >> Okay, yes, IOT. Now, that's not like extremely interesting because we continue to see that a quarter over quarter the adversaries are targeting more on the IOT device, which makes sense, right? I mean, there's a lot of them out there, the volume is there, and of course, they're not as secure as they typically need to be. But what's interesting though, out of those six, four of them happen to be IP cameras, right? So, these monitoring devices that are monitoring your physical security, the adversaries are targeting those a little bit more because they understand that this cyber world and the physical security, they're combining, and when they're combining, if you're bringing over a physical security device that already has vulnerabilities, you're bringing that vulnerability with you, and that would just open up an opportunity for the adversary to be able to penetrate into that particular device and then get access to your internal network. >> Yeah, let me ask you a question Tony because I was very interested in the incidents related to cameras because cameras is kind of one of those domains, one of those technologies, one of those use cases that is somewhere between the old OC world or the OT world, the operational technology world and the IT world or the IOT world where in the OT world folks have spent an enormous amount of time making sure that the devices that they utilize are as secure as they possibly can be. I mean, they've got huge teams devoted to this. In the IOT world, we're working on speed, we're working on software defined, we're working on a little bit more generalization. But this notion of cameras just kind of coming in from an IOT side but hitting the OT side, is that one of the reasons why cameras in particular are vulnerable? And does that tell us something about how IT and OT have to work together based on the data that we're seeing in the report? >> Yeah, I mean, I would totally agree, right? Because a lot of those different types of technologies have been isolated, meaning that not everybody had the ability to reach out and touch it, maybe security, you know, wasn't top of mind here, but now that convergence is taking place, it's really top priority to make sure that if you are merging those things together, make sure that those devices are part of your threat and vulnerability management process 'cause now vulnerabilities that may actually be introduced from that particular device can affect your entire cyber assets. >> Yeah, I think it's a great point. The cheap, what one might regard as constrained devices, nonetheless have an awesome processing power and if they're connected can enormous implication. Okay, let's move from the application exploits into the malware world. What was the big trend in malware in this past report? >> Sure, sure, yeah, so what we continue to see, and I think this is great, sharing information, sharing threat information, sharing malware samples, is awesome and we've been doing it for a long time and we continue to see more and more of public available sources for showing exploits, for showing malware, you know, open source malware and that's great because as a cyber defender, it's great that I can research this and I can ensure that I have the right detections and ultimately the right protections against those particular threats. I would also add that we have such a skill shortage, right? I mean, we're trying to build up our future cyber warriors and the way we want to be able to do that obviously is through a lot of training and we can give them great examples that they can actually glean and learn from. And so all of this is good but at the same time, when you have all this information out there, you know, freely available, of course, the adversaries have access, they have access to it as well. So, what that means is, I'll give you an example, Peter. You'll download, let's say there's open source malware that's ransomware. You can download that, modify the bitcoin address of where that victim is supposed to send the ransom, and you just operationalized this ransomware. But then again, you might be saying well, you know, you just said that it's available for us to be able to research and have better detections and you're right, most of the time we'll detect that. But now, you add in the fact that there's a whole bunch of open source evasion tools that you can run your malware through that would obfuscate possibly the malware enough that it can circumvent some of the actual security controls that you have in place. So, it's a good thing but we do continue to see some of the bad guys leverage it as well. >> So, let me see if I can put that in the context of some overall industry trends. Historically, the things that got the greatest install base were the targets that were preferred by bad actors because they could do the most damage in those large numbers and open source, as we improve these toolings, we see more people flock to that set of tools and as those tools become more popular, they both have more value to the enterprise as a protection, but they become increasingly obvious targets to the bad actors. Is that kind of what you're saying? >> Yeah sure, it's almost like the cybercrime ecosystem, the actual tools that are available, the services that are available at your fingertips, no longer do you need to be an expert. Begin a life of cybercrime, you just need to know where to get these resources and that is what's really driving the volume of attacks these days, so you're absolutely right, Peter. >> So, we've talked a little bit about application exploitation, we've talked a little about malware, now these are things that we look at before the system gets compromised. We're really concerned about avoiding them getting a footprint or hold within our system. Now, let's talk about botnets, which are particularly interesting because often the botnet gets turned on and becomes a source of danger after the compromises take place. What do trends in botnets tell us? >> Sure, sure, yeah, so one interesting point in botnets in quarter four was the fact that the initial botnet infections per firm was up 15% from the quarter before, so what that means is, on average, each firm saw about 12 botnet infections for that quarter and that kind of translates into, out of maybe the 91 days that you have in that quarter, 12 of those days, they actually had some type of botnet infection that they had to actually respond to, right? 'Cause they got to respond. Like you said Peter, the infection's already there, somehow the payload circumvented their security defenses, it's on there and it's trying to communicate out to it's command and control infrastructure, whether it's to download other malware, whether it's to actually possibly provide different types of commands to execute their cyber mission, whatever it is, it's there, and that's where we were sort of triggering on it. And I'll add to this, because of this, you got to invoke your instant response process, which means you're taking time, you're taking resources away for folks that are probably working on other projects to be able to help them fortify their overall security program more, which I think underscores the need to be able to ensure that you're leveraging technology to help you make some of these automated decisions, with being able to prevent and ultimately, hopefully, be able to remediate those threats. >> Yeah, so we've seen application exploits down a little bit, malware down a little bit, largely because the fourth quarter's a holiday quarter. We've seen botnets also follow those trends but still we have to be concerned about the number of net new days in which a botnet is operating. Is there something that we started to see in the data that requires new thinking, new approaches? What about all these memes that people are downloading, for example? >> (laughs) Yeah, I tell ya, you know social media, right? Love pictures. You know, whether it's Facebook, whether it's Twitter, you know, Instagram, words are good, but what's even better it seems is pictures. People love pictures and adversaries know that, so with an attack called leveraging steganography, I think I spoke about that a couple, maybe it was last year, you know sometime, we talked about that, but if you don't remember, steganography is really the art of hiding something in a picture file, whether it was a message, whether it was a malicious payload or it could even be different types of commands that the adversary wants to do to overall be able to complete their cyber mission, so they hide that information in there. And the adversaries to be able to attack or leverage a steganography attack, they're used in social media as a means of that communication. And what's interesting about that is nowadays, you know, maybe 10 years ago, not as much, but nowadays, social media traffic and apps are kind of acceptable on a network these days, right? The marketing organizations' comms and PR, they leverage these social media sites. It's a key part of their overall plan, so you're going to see a lot of social media traffic in the network, so the adversary, if they can blend in with that normal traffic, they may go unnoticed for quite some time. >> So, as new sources of data are exploited by the business to engage their customers, like social media, new technologies or new concepts like steganography or, steganography's been around for a long time, but its new to a lot of people, becomes something that increasingly has to be observed and tracked and acted upon. >> Yeah, you know I always say this is like, we want to continue to advance technology, right? We want to leverage it, why? Because overall, it makes our society better. Makes my life better, makes your life better, makes everybody, you know, future generations' lives better, but we need to make sure that we are securing the advancement of that actual technology, so it's a constant kind of catch up game for us. >> Yes, I need my cat pictures, Tony. All right, so I want to do one last thing here. We learned a lot in the overall FortiGuard Labs reports over the past few quarters, certainly since you've come on theCUBE, I've learned a lot, and I'm sure everybody who's been watching these CUBE Conversations has learned a lot as well. Let's now think about some recommendations. If we kind of quickly summarize what happened in 2018, what does it tell us about things that people should do differently in 2019? What are the kind of two or three key recommendations that FortiGuard Labs is putting forward right now? >> Yeah, I think one of the things that we continue to see is just how these threats are becoming bigger, faster, stronger, right? And that's really being sort of driven by the cybercrime ecosystem, the advancement of these types of attacks. So, how do you continue to ensure that you can keep up with this sophistication and this volume? And I'll kind of make it simple at a high level, obviously it goes a lot a lot deeper, but the first thing is having awareness. I really feel people don't truly know what they're actually protecting within all of their cyber assets. What are operating systems? What software? Where are they located? Where is their data located? How is their data flowing from system to system? I don't think they have a good understanding of that, so having that awareness, right? It's getting even harder now because it's cloud, right? It's on your workstation It's in the cloud, it's all over the place. So, it's good to get a handle on that, and once you have that, you need to act on it. So, whether it's identifying vulnerabilities that need to be say, patched or whether it's finding some type of threat in your environment and taking action, it's important that we need skilled resources to be able to deal with that. But I would say, once again, look at automation. How can you leverage technology to be able to communicate with each other through open APIs and make some automated decisions for you, isolate those threats, allow you to fight through the attack a little bit more so you can figure out what to do? Ultimately, hopefully it's going to minimize the impact of that one breach. And I would say this, threats are going to get in, but if you can continue to resist that threat before it gets into the core of your network, that's a win for everybody. So, continue to resist is a big one. That initial access, it's going to happen. Continue to resist, so you can ensure the minimization of the actual impact of that risk, of that threat. >> I got two quick comments about that, Tony. Tell me if I can summarize this right. One is that, look, everybody's going to digital, everybody's going through digital transformation, very few firms however have truly adopted an asset-oriented approach to their data. What you're saying is security is how you go about making your data private so that you get value out of it and not bad people. That's I think kind of an overarching statement, that this is a business problem that has to be treated like a business problem and invested in like a business problem. The second thing >> Possible. >> that I would say, and let me see if I got this right, that the idea ultimately, that data stays in one place and is used only in one way is wrong. It's going to change over time, and we have to acknowledge that there's not one approach to how we go about data security and handling these threats. There's differences in application exploitation, differences in malware and as you've said, botnets are indications that something's already happened, so we have to use a more balanced comprehensive view to how we think about handling the threats against us. Have I got that right? >> Yeah, absolutely. And I'll just end it with that, there's a lot of things that you have to deal with, and we have such a cybersecurity shortage, and you can never get to everything, but like you had said, it's a business issue. If you can understand your critical business processes and focus on those things, those assets, that data, that is going to be how you're going to prioritize and ensure that you can minimize the overall impact of an actually threat that may actually enter into your environment. >> Tony Giandomenico, senior security strategist and researcher at FortiGuard Labs at Fortinet. Once again Tony, thanks for being on theCUBE. >> It's always a pleasure Peter. >> And always love having Tony G. on. Hopefully, you've enjoyed this CUBE Conversation as well. Until next time, I'm Peter Burris. Talk to you soon. (upbeat string music)

(Intense orchestral music) >> Hi, I'm Peter Burris and once again welcome to a CUBEComnversation from our beautiful studios here in Palo Alto, California. For the last few quarters I've been lucky enough to speak with Tony Giandomenico, who's the Senior Security Strategist and Researcher at Fortinet, specifically in the FortiGuard labs, about some of the recent trends that they've been encountering and some of the significant, groundbreaking, industry-wide research we do on security threats, and trends in vulnerabilities. And once again, Tony's here on theCUBE to talk about the second quarter report, Tony, welcome back to theCUBE. >> Hey, Peter, it's great to be here man, you know, sorry I actually couldn't be right there with you though, I'm actually in Las Vegas for the Black Hat DEF CON Conference this time so, I'm havin' a lot of fun here, but definitely missin' you back in the studio. >> Well, we'll getcha next time, but, it's good to have you down there because, (chuckles) we need your help. So, Tony, let's start with the obvious, second quarter report, this is the Fortinet threat landscape report. What were some of the key findings? >> Yeah, so there's a lot of them, but I think some of the key ones were, one, you know, cryptojacking is actually moving into the IOT and media device space. Also, we did an interesting report, that we'll talk about a little bit later within the actual threat report itself, was really around the amount of vulnerabilities that are actually actively being exploited over that actual Q2 period. And then lastly, we did start to see the bad guys using agile development methodologies to quickly get updates into their malware code. >> So let's take each of those in tern, because they're all three crucially important topics, starting with crypto, starting with cryptojacking, and the relationship between IOT. The world is awash in IOT, it's an especially important domain, it's going to have an enormous number of opportunities for businesses, and it's going to have an enormous impact in people's lives. So as these devices roll out, they get more connected through TCP/IP and related types of protocols, they become a threat, what's happening? >> Yeah, what we're seeing now is, I think the bad guys continue to experiment with this whole cryptojacking thing, and if you're not really, for the audience who may not be familiar with cryptojacking, it's really the ability, it's malware, that helps the bad guys mine for cryptocurrencies, and we're seeing that cryptojacking malware move into those IOT devices now, as well as those media devices, and, you know, you might be saying well, are you really getting a lot of resources out of those IOT devices? Well, not necessarily, but, like you mentioned Peter, there's a lot of them out there, right, so the strength is in the number, so I think if they can get a lot of IOTs compromised into an actual botnet, really the strength's in the numbers, and I think you can start to see a lot more of those CPU resources being leverages across an entire botnet. Now adding onto that, we did see some cryptojacking affecting some of those media devices as well, we have a lot of honeypots out there. Examples would be say, different types of smart TVs, a lot of these software frameworks they have kind of plugins that you can download, and at the end of the day these media devices are basically browsers. And what some folks will do is they'll kind of jailbreak the stuff, and they'll go out there and maybe, for example, they want to be able to download the latest movie, they want to be able to stream that live, it may be a bootleg movie; however, when they go out there an download that stuff, often malware actually comes along for the ride, and we're seeing cryptojacking being downloaded onto those media devices as well. >> So, the act of trying to skirt some of the limits that are placed on some of these devices, gives often one of the bad guys an opportunity to piggyback on top of that file that's coming down, so, don't break the law, period, and copyright does have a law, because when you do, you're likely going to be encountering other people who are going to break the law, and that could be a problem. >> Absolutely, absolutely. And then I think also, for folks who are actually starting to do that, it really starts to-- we talk a lot about how segmentation, segmenting your network and your corporate environment, things in that nature but, those same methodologies now have to apply at your home, right? Because at your home office, your home network, you're actually starting to build a fairly significant network, so, kind of separating lot of that stuff from your work environment, because everybody these days seems to be working remotely from time to time, so, the last thing you want is to create a conduit for you to actually get malware on your machine, that maybe you go and use for work resources, you don't want that malware then to end up in your environment. >> So, cryptojacking, exploiting IOT devices to dramatically expand the amount of processing power that could be applied to doing bad things. That leads to the second question: there's this kind of notion, it's true about data, but I presume it's also true about bad guys and the things that they're doing, that there's these millions and billions of files out there, that are all bad, but your research has discovered that yeah, there are a lot, but there are a few that are especially responsible for the bad things that are being done, what did you find out about the actual scope of vulnerabilities from a lot of these different options? >> Yeah, so what's interesting is, I mean we always play this, and I think all the vendors talk about this cyber hygiene, you got to patch, got to patch, got to patch, well that's easier said than done, and what organizations end up doing is actually trying to prioritize what vulnerabilities they really should be patching first, 'cause they can't patch everything. So we did some natural research where we took about 108 thousand plus vulnerabilities that are actually publicly known, and we wanted to see which ones are actually actively being exploited over an actual quarter, in this case it was Q2 of this year, and we found out, only 5.7% of those vulnerabilities were actively being exploited, so this is great information, I think for the IT security professional, leverage these types of reports to see which particular vulnerabilities are actively being exploited. Because the bad guys are going to look at the ones that are most effective, and they're going to continue to use those, so, prioritize your patching really based on these types of reports. >> Yeah, but let's be clear about this Tony, right, that 108 thousand, looking at 108 thousand potential vulnerabilities, 5.7% is still six thousand possible sources of vulnerability. (Tony laughs) >> So, prioritize those, but that's not something that people are going to do in a manual way, on their own, is it? >> No, no, no, not at all, so there's a lot of, I mean there's a lot of stuff that goes into the automation of those vulnerabilities and things of that nature, and there's different types of methodologies that they can use, but at the end of the day, if you look at these type of reports, and you can read some of the top 10 or top 20 exploits out there, you can determine, hey, I should probably start patching those first, and even, what we see, we see also this trend now of once the malware's in there, it starts to spread laterally, often times in worm like spreading capabilities, will look for other vulnerabilities to exploit, and move their malware into those systems laterally in the environment, so, just even taking that information and saying oh, okay so once the malware's in there it's going to start leveraging X, Y, Z, vulnerability, let me make sure that those are actually patched first. >> You know Tony the idea of cryptojacking IOT devices and utilizing some new approaches, new methods, new processes to take advantage of that capacity, the idea of a lateral movement of 5.7% of the potential vulnerabilities suggests that even the bag guys are starting to accrete a lot of new experience, new devices, new ways of doing things, finding what they've already learned about some of these vulnerabilities and extending them to different domains. Sounds like the bad guys themselves are starting to develop a fairly high degree of sophistication in the use of advanced application development methodologies, 'cause at the end of the day, they're building apps too aren't they? >> Yeah, absolutely, it's funny, I always use this analogy of from a good guy side, for us to have a good strong security program, of course we need technology controls, but we need the expertise, right, so we need the people, and we also need the processes, right, so very good, streamline sort of processes. Same thing on the bad guy side, and this is what we're starting to see is a lot more agile development methodologies that the bad guys--(clears throat) are actually using. Prior to, well I think it still happens, but, earlier on, for the bad guys to be able to circumvent a lot of these security defenses, they were leveraging polymorphous, modifying those kind of malwares fairly quickly to evade our defenses. Now, that still happens, and it's very effective still, but I think the industry as a whole is getting better. So the bad guys, I think are starting to use better, more streamlined processes to update their malicious software, their malicious code, to then, always try to stay one step ahead of the actual good guys. >> You know it's interesting, we did a, what we call a crowd chat yesterday, which is an opportunity to bring our communities together and have a conversation about a crucial issue, and this particular one was about AI and the adoption of AI, and we asked the community: What domains are likely to see significant investment and attention? And a domain that was identified as number one was crypto, and a lot of us kind of stepped back and said well why is that and we kind of concluded that one of the primary reasons is is that the bad guys are as advanced, and have an economic incentive to continue to drive the state of the art in bad application development, and that includes the use of AI, and other types of technologies. So, as you think about prices for getting access to these highly powerful systems, including cryptojacking going down, the availability of services that allow us to exploit these technologies, the expansive use of data, the availability of data everywhere, suggests that we're in a pretty significant arms race, for how we utilize these new technologies. What's on the horizon, do you think, over the course of the next few quarters? And what kinds of things do you anticipate that we're going to be talking about, what headlines will we be reading about over the course of the next few quarters as this war game continues? >> Well I think a lot of it is, and I think you touched upon it, AI, right, so using machine learning in the industry, in cyber we are really excited about this type of technology it's still immature, we still have a long way to go, but it's definitely helping at being able to quickly identify these types of malicious threats. But, on the flip side, the bad guys are doing the same thing, they're leveraging that same artificial intelligence, the machine learning, to be able to modify their malware. So I think we'll continue to see more and more malware that might be AI sort of focused, or AI sort of driven. But at the same time, we've been taking about this a little bit, this swarm type of technology where you have these larger, botnet infrastructures, and instead of the actual mission of a malware being very binary, and if it's in the system, it's either yes or no, it does or it doesn't, and that's it. But I think we'll start to see a little bit more on what's the mission? And whatever that mission is, using artificial intelligence then to be able to determine, well what do I need to do to be able to complete that place, or complete that mission, I think we'll see more of that type of stuff. So with that though, on the good guy side, for the defenses, we need to continue to make sure that our technology controls are talking with each other, and that they're making some automated decisions for us. 'Cause I'd rather get a security professional working in a saw, I want an alert saying: hey, we've detected a breach, and I've actually quarantined this particular threat at these particular endpoints, or we've contained it in this area. Rather than: hey, you got an alert, you got to figure out what to do. Minimize the actual impact of the breach, let me fight the attack a little longer, give me some more time. >> False positives are not necessarily a bad thing when the risk is very high. Alright-- >> Yeah, absolutely. >> Tony Giandomenico, Senior Security Strategist and Researcher at Fortinet, the FortiGuard labs, enjoy Black Hat, talk to you again. >> Thanks Peter, it's always good seein' ya! >> And once again this is Peter Burris, CUBEConversation from our Palo Alto studios, 'til next time. (intense orchestral music)

(uplifting music) >> Hi I'm Peter Burris, and welcome to another great CUBE conversation. We're here in our Palo Alto studios with Fortinet's Anthony Giandomenico, Anthony welcome. >> Welcome, it's great to be here. >> So or otherwise known as Tony G. So in theCUBE conversations Tony, we want to talk about interesting and relevant things. Well here's an interesting and relevant thing that just happened: Fortinet has put forward their quarterly Threats report. What is it? What's in it? >> Really, it's something we do on a quarterly basis, and it's really geared towards the IP security profession, so we go to from the CSO all the way down to the security operator. And what we're looking at is billions of events that are being observed in real time, you know production environments around the world and what we're hoping to do is look at different types of trends that are specific to application exploits, malware, and botnets and hopefully then provide some recommendations back to those IP security professionals. >> Now Tony, malware's been around for a while, some of the bots are a little bit new, but certainly there's some real new things that are on the horizon like IoT and we've heard recently that there's been some challenge with some of these IoT devices. Is it the threat getting more or less intense according to the report? >> Yeah, definitely it's getting more sophisticated, specifically with these IoT devices. What we're seeing as an example with the Reaper and Hajime, always had a hard time actually pronouncing that so I think it's "Hajime". They're actually starting to attack multiple vulnerabilities so instead of just going after one vulnerability, they have multiple vulnerabilities that is inside their malicious code, and then they have the ability to automate the exploitation of those vulnerabilities depending on what the IoT devices are. Now, they're also becoming a lot more resilient. And what I mean by that is some of the actual botnets like Hajime is able to communicate via P2P to each other. What they kind of creates is a decentralized command and control infrastructure. And then lastly, they're becoming much more agile as well, they have this Lua engine, which enables them to quickly update their code so, giving an example, let's say there's a new vulnerability out there. They can quickly swap out or add the additional exploit before that vulnerability, propagate that out to all of the IoT devices that are part of the botnet, and then they can swarm in on that new vulnerability. >> So Fortinet's Fortiguard Labs is one of the leading researchers in this area, especially internet, enterprise security. What is your recommendations that people do about the increasing intensity of the IoT threats? >> But I think we need to start, at least thinking about fighting these automation attacks or worm attacks with our own swarm-like defenses. And what I mean by that is having a seamless integration and automation across your entire security fabric. Now, there's a lot that actually kind of goes into that, but your technology controls need to start talking to each other, and then you can start automating and taking some action really based on whatever threat happens to be in your environment. Now, it's easier said than done, but if you can do that, you can start automating the continual resistance or resiliency of you being able to actually defend against those automated attack. >> So let's change gears a little bit. Willie Sutton, I think it was Willie Sutton, the famous bank robber was famous for saying, when someone asked him "Why do you rob banks?" he said "That's where the money is." >> All of the money (laughing) >> Crypto-jacking. What's going on with as BitCoin becomes a bigger feature of the whole landscape, what's happening with crypto-jackers, what is it, how does it work, why should we be concerned about it? >> Well definitely cryptocurrency is becoming more and more popular these days and the bad guys are definitely taking advantage of that. So when we talk about what is crypto-jacking, so it's really it's sharing, or secretly using, the CPU resources to be able to mine for cryptocurrencies. Now, traditionally you used to have to put some type of application on your machine to be able to mine for cryptocurrencies. Nowadays, all the bad guys really have to do is install a little java script in your browser and away they go. And the only way that you're going to know that your machine may be part of this mining, is it may become super slow and you may be savvy enough to say "Well, maybe look at the CPU." And you look at it and it's pegged at 100%. So that's one of the ways that you can determine that your computer is part of crypto mining. Now in the Q4 report what we've seen is a huge update in crypto mining malware, and it's interesting because it's very intertwined with the rise and fall of the BitCoin price. So as we saw the BitCoin price go up, the crypto mining malware went up, and as it actually dropped off so did the activity. The other thing that we actually ended up seeing is actually in the Darknet. There's a bit of a shift where the bad guys used to only accept payment in BitCoin. Now they're looking at accepting other forms of actual cryptocurrency and that also holds true for ransomware. So if you have an infected with ransomware, it's quite possible that they're going to demand that ransom in something other than BitCoin. >> Interesting, so, in fact we had a great previous group conversation with another really esteemed Fortinet guest, and we talked a little bit about this. So one of the prescriptions is businesses have to be careful about the degree to which they think about doing a lot of transactions in cryptocurrencies. But they probably want to have a little bit of reserves just in case. But what should a business do? What should someone do to mediate some of the challenges associated with crypto-jacking? >> Yeah, I think one of the first things, it's probably self-explanatory to most us that are actually in the cyber field, but having good user awareness training program that actually includes keeping up with the latest and greatest tactics, techniques, and the actual threats that the bad guys are doing out there. Now the other obvious thing would probably be just make sure that your security solutions are able to detect the crypto mining URLs and malware. And I would also say>> now I'm not condoning that you actually pay the ransom>> however, it's happened many times where they've paid, I think there were some companies that actually paid over a million dollars in BitCoin, it may actually be an option and if you have that in your incident response plan, and what you want to do sometimes>> and we've seen organizations actively go ahead and do this>> is they'll buy some BitCoin, kind of keep it on hand so if they do have to pay, it streamlines an entire process. Because ransomware, the actual ransom now, you may not be able to pay in BitCoin. You probably have to keep abreast of what are the actually trends in paying up for your ransom because you may have to have other cryptocurrencies on hand as well. >> So, make sure your security's up to date, then you can track these particular and specific resources that tend to do this, have a little bit on reserve, but make sure that you are also tracking which of the currencies are most being used. So, there are other exploits, as you said earlier. Now we see people when someone's not working by doing peer to peer type stuff. The bad guys are constantly innovative, some would argue that they're more inventive than the good guys because they got less risk to worry about. What other threats is the report starting to highlight, that people need to start thinking about? >> So in this Q4 report what we did is we added in the top exploit kit. And I think we'll probably continue to do that over the-- >> What's an exploit kit? >> Exploit kit is something, it's a very nice little kind of GUI that allows you to really just kind of point and click, has multiple exploits in there, and it's usually browser based so it's going to be able to compromise usually a vulnerability within the browser, or some of the actual browser plugins, things of that nature, and the one that we had in the Q4 report was the Sundown exploit kit. Now, it was interesting because we didn't necessarily see that one on the top, it might've been top of its game maybe 2014, 2015, but it actually rose in early December to actually kind of be number one for Q4. And it's unique because it does leverage steganography, meaning it's able to hide its malicious code or its harvested information inside image files. So we'll continue to track that, we don't know sure why it actually kind of rose up in the beginning of December but we'll just actually continue to track it on time. >> So you've already mentioned ransomware but let's return to it because that's at the top of people's minds, we pay lawyers when they come after us with sometimes what looks like ransom. But what is happening, what's the point in ransomware, what's the report on they like? >> Well, what you see is the actual growth and volume and sophistication has really been common amongst all the reports that we have actually put out to date, but not a lot has really changed. In Q4, what we did have Locky was the number one malware, or ransomware variant along with Global Imposter. Now, it's still the same delivery mechanisms, so you still got the social engineering, it's being delivered through fishing email, but then it's expanding out to let's say compromised websites, malvertising, as well as earlier on last year, we saw where it was being able to propagate from vulnerability to vulnerability so it had this worm-like spreading capability. That's all really been the same and not a lot has really sort of changed. The thing that has changed actually is the fact that they're up in the ante a little bit to be able to hopefully increase their chances of you actually falling for that actual scam, is they're making the subject of that scam a little bit more top-of-mind. As an example, the subject may be cryptocurrency because you're more likely to figure out what's going on there, you'll be more likely to download that file or click that link if the subject is something around cryptocurrency because it is top-of-mind today. >> Interestingly enough, I, this morning received an email saying, "You could win some free cryptocurrency." And I said "And you can go into the trash can." (Tony laughing) So what should people do about it? I just threw something away, but what should people generally do to protect their organization from things like ransomware? >> I do get that a lot, I get that question a lot. The first thing I say, if you're trying to protect against ransomware, you follow the same things that you were doing with some of the other threats because I don't think ransomware is that unique when it comes to the protection. The uniqueness is really an impact, because certain threats they'll actually go and steal data and whatnot but when's the last time you heard of a business going out of business or losing money because some data was stolen? Not very often, it seems to be continued as business as usual, but ransomware, locking your files, it could actually bring the business down. So what you want to do is be able to minimize the impact of that actual ransomware so having a good offline backup strategy, so good backup and recovery strategy, making sure you go through those table top exercises really to make sure that when you do have to recover, you know exactly how long it's going to take and it's very efficient and very streamlined. >> Practice, practice, practice. >> Yup, and don't rely on online backups, shadow copy backups because those things are probably going to be encrypted as well. >> Yup, alright so that's all we have time for today Tony. So, Anthony Giandomenico from-- >> Tony G! (laughing) >> Tony G, who's a senior security strategist researcher at the Fortinet Fortiguard Labs. Thanks very much for this CUBE conversation. >> It was great to be here. >> Peter Burris, once again, we'll see you at the next CUBE Conversation. (uplifting music)

(Upbeat orchestra music) >> Hi, it's Peter Burris with Cube Conversation. We're here with Anthony Giandomenico who's a senior security strategist and researcher at FortiGuard Labs. Tony G! >> Thanks for having me today, Peter! >> Good to see you again! So, Tony G, you spend a lot of time talking to a lot of users, a lot of other professionals, you're doing a lot of research on issues. Give us a quick snapshot. What's the state of security today? >> Well I think there's a lot of things happening right now, I think in the cyberworld. One, a lot of us already know is we have a huge skill shortage. We just don't have enough folks to be able to defend our cyber assets. And, I think the other thing is, you look at some of the mid-tier organizations, maybe a thousand users or so, they don't have those skilled resources, and what happens is they end up relying on different types of technology to help fill that skills gap, and that's good, but what they need to also make sure is that they have an over-arching good solid security program that takes into consideration, technology controls, so you're buying these specific products, but also, what are the processes and what are the actual kind of people that are involved. And are you actually combining all of those to encompass a solid, good, cyber security program? >> Yeah, a bad guy who watches a ransomware attack on a mid-size company, may be a little disappointed that they are not able to get 10 million dollars, but they'll be pretty happy with a million or 500 thousand dollars. That's a good day's work for these guys. >> It's low-hanging fruit, Peter, right? It's much easier, and I think that's the sweet spot for the bad guys, right, because if you go too high, sometimes it's too much effort. You go too low, you're not really getting much. But in the middle, you're getting a decent amount, and a lot of times, they don't have that strong, cyber security program. Now, I always tell a lot of my customers in that sweet spot, forget about protecting and monitoring everything. It's not going to happen. You will fail 100% of the time. However, if you focus on what are the key assets, what are those five, six business critical processes, understand the assets that those processes ride over, focus on protecting those. Everything else is ancillary because this is all that really matters to the business. The other thing I would say, Peter, and I think that this is a mindset change. If I'm a security professional and I'm responsible for protecting my cyber assets, and if I'm being measured on whether there's a breech in my network or not, so if there is a breech I fail, that has to go away. Because you will fail every single time. That's not the way you should be measured. You should be measured on, hey, we quickly identified, something in the network, isolated it, we mitigated it, we got everything back up and running, and we're back up and running as normal, minimized the actual damage. That's how I should be graded on. >> So, it's an important point, Tony G, so what we're saying is, that the real metrics associated with this should be the degree to which you can mitigate problems, not whether or not you're 100% clear of everything, because the bad guys are going to find their way at some point in time. >> They got enough time to do it and you don't. So, like if you can quickly identify when they are in the network, isolate it, minimize the damage, and get your business processes back up and running, that's a win! >> One of the things you mentioned, you mentioned for your cyber security, or your cyber assets, which by itself is not an easy thing necessarily to measure. It's hard to say that this cyber asset's worth that, and that cyber asset's worth that, but we do have to make some effort to understand the risks associated with cyber where it's an opportunity cost or whether it's replacement cost or whatever else it might be. But it also suggests historically we invest in assets we appreciate the value of those assets. Should security be regarded as an asset, should cyber security be regarded as part of the asset base of the business? What do you think? >> Absolutely, you definitely as a consumer or as someone who is interested in looking at an actual business, I think that's a key asset to make sure that your information is being protected. And, honestly, I don't think it always is. We have these regulations that are tied to making sure for example, if you're storing customer credit cards, there's PCI, and there's all these other now HIPPA regulations, and all that type of stuff, but those regulations still don't seem to be enough, and I think the minute you can turn >> You mean it's not enough and it appears that enterprise has generally continued to under invest in their cyber security assets. Is that kind of what you mean? >> Yeah, I still think it's a check-box. >> Okay, I am compliant, okay, that's enough. I betcha, there are companies out there, they'll put a certain money aside knowing that they're going to get breached, and use that money to be able to pay for their breach or whatever else they have to do to meet those regulations, instead of investing into the actual technology to fortify their environment a lot better. >> Well, at wikibon->> we are doing research on related type things all the time, we're just fascinated by the idea that if a business is going after greater flexibility and agility, a crucial element of that has to be, do you have a cyber security profile that allows you to take advantage of those opportunities, that allows you to connect with those partners, that allows you to set up more intimated relations with a big customer. And it just seems as though that something has to become an explicit feature of the conversation about what are strategic assets. >> Yeah, I totally agree. That kind of stirs up something in my head about cyber insurance. I think a lot of companies are also moving towards, well, let me just buy some kind of cyber insurance. And, in the beginning they would go ahead and buy those things, but what they would quickly find out, is that they wouldn't be able to reap the money on an actual breach, because they were out of compliance because they didn't have the good cyber security program they were supposed to have. >> Yeah, the insurance company always finds a way to not pay. Let's talk now about this notion of great agility. We talked about the role that cyber security could play in businesses as they transform the digital world. We've seen a lot of developers starting to enter into cloud-native, cloud-development, new ways of integrating, that requires a mindset shift in the development world about what constitutes security. Now everybody knows, we're not just talking about perimeter, we're talking about something different. What is it that we are talking about? Are we talking about how security is going to move with the data? Are the securities going to be embedded in the API? What do developers have to do differently or how do they have to think differently to make sure that they are building stuff that makes the business more secure? >> Well, before you even start talking about the cloud, or anything else, we still have an issue when we're building our applications, developers still, I don't think are up to speed enough on tracking good, secure coding. I think we're still playing catch-up to that. Now, what you just said, think about where we're at now, we're not even sort of there, now you're going to expand that out into the cloud, it's only going to amplify the actual problem, so there's going to be a lot of challenges that we're going to have to face. We talked about this off-line before, is where's your data going to be? It's going to be everywhere. How are you going to be able to secure that particular data? I think that's going to be a lot of challenges that face ahead of us. We have to figure out how to deal with it. >> The last thing I want to talk about, Tony G, is a lot of the applications that folks are going to be building, a lot of things the developers are going to be building, are things that increasingly provide or bring a degree 6of automation to bear. hink about it, if you've got bad cyber security, you may not know when you've been breached or when you've been hacked or when you've been compromised. You definitely don't want to find out because you've got some automation thing going on that's spinning out of control and doing everything wrong because of a security breach. What's the relationship between increasing automation and the need for more focus and attention on cyber security? >> Usually when I talk about automation, I'm talking about how the bad guys are leveraging automation. Now, I'll give you a little bit of an example here, in our FortiGuard Labs, I think last quarter, I think it was over a million exploits or at least exploit attempts that we were thwarting in one minute. The volume of the attacks are so large these days, and it's really coming from the cyber crime ecosystem. The human cannot actually deal with handling dealing with all those different threats out there, so they need to figure out a way to fight automation with automation. And that's really the key. I had mentioned this earlier on before, is you have to make sure that your technology controls are talking to each other so that they can actually take some automated action. As far as you're concerned as a security operator working in a sock, no matter how good you are, the process for you to identify something, analyze it and take action on it, it's going to be a couple hours sometimes. Sometimes it's a little bit faster, but usually it's a couple hours. It's way too late by then because that threat could spread all over the place. You need those machines to make some of those actual decisions for you, and that's where you start to hear a lot about, and all these buzz-words about artificial intelligence, machine learning, big data analytics. We're really diving into now and trying to figure out how can the machines help us make these automated decisions for us. >> But as you increase the amount of automation, you dramatically expand the threat surface for the number of things that could suddenly be compromised and be taken over as a bad actor. They themselves are more connected. It just amplifies the whole problem. >> Yeah, it gets more complicated, so a system that's more complex, is less secure. >> More vulnerable, sir. >> Yeah, more vulnerable. Absolutely. >> Alright, so once again, Tony G, thanks for being here. We've been speaking on Cube Conversation with Anthony Giandomenico who's with the FortiGuard Labs. He's a security analyst and researcher. Thank you very much for being here. >> Thanks! Thanks for having me. (Techno music)

(Upbeat orchestra music) >> Hi, it's Peter Burris with Cube Conversation. We're here with Anthony Giandomenico who's a senior security strategist and researcher at FortiGuard Labs. Tony G! >> Thanks for having me today, Peter! >> Good to see you again! So, Tony G, you spend a lot of time talking to a lot of users, a lot of other professionals, you're doing a lot of research on issues. Give us a quick snapshot. What's the state of security today? >> Well I think there's a lot of things happening right now, I think in the cyberworld. One, a lot of us already know is we have a huge skill shortage. We just don't have enough folks to be able to defend our cyber assets. And, I think the other thing is, you look at some of the mid-tier organizations, maybe a thousand users or so, they don't have those skilled resources, and what happens is they end up relying on different types of technology to help fill that skills gap, and that's good, but what they need to also make sure is that they have an over-arching good solid security program that takes into consideration, technology controls, so you're buying these specific products, but also, what are the processes and what are the actual kind of people that are involved. And are you actually combining all of those to encompass a solid, good, cyber security program? >> Yeah, a bad guy who watches a ransomware attack on a mid-size company, may be a little disappointed that they are not able to get 10 million dollars, but they'll be pretty happy with a million or 500 thousand dollars. That's a good day's work for these guys. >> It's low-hanging fruit, Peter, right? It's much easier, and I think that's the sweet spot for the bad guys, right, because if you go too high, sometimes it's too much effort. You go too low, you're not really getting much. But in the middle, you're getting a decent amount, and a lot of times, they don't have that strong, cyber security program. Now, I always tell a lot of my customers in that sweet spot, forget about protecting and monitoring everything. It's not going to happen. You will fail 100% of the time. However, if you focus on what are the key assets, what are those five, six business critical processes, understand the assets that those processes ride over, focus on protecting those. Everything else is ancillary because this is all that really matters to the business. The other thing I would say, Peter, and I think that this is a mindset change. If I'm a security professional and I'm responsible for protecting my cyber assets, and if I'm being measured on whether there's a breech in my network or not, so if there is a breech I fail, that has to go away. Because you will fail every single time. That's not the way you should be measured. You should be measured on, hey, we quickly identified, something in the network, isolated it, we mitigated it, we got everything back up and running, and we're back up and running as normal, minimized the actual damage. That's how I should be graded on. >> So, it's an important point, Tony G, so what we're saying is, that the real metrics associated with this should be the degree to which you can mitigate problems, not whether or not you're 100% clear of everything, because the bad guys are going to find their way at some point in time. >> They got enough time to do it and you don't. So, like if you can quickly identify when they are in the network, isolate it, minimize the damage, and get your business processes back up and running, that's a win! >> One of the things you mentioned, you mentioned for your cyber security, or your cyber assets, which by itself is not an easy thing necessarily to measure. It's hard to say that this cyber asset's worth that, and that cyber asset's worth that, but we do have to make some effort to understand the risks associated with cyber where it's an opportunity cost or whether it's replacement cost or whatever else it might be. But it also suggests historically we invest in assets we appreciate the value of those assets. Should security be regarded as an asset, should cyber security be regarded as part of the asset base of the business? What do you think? >> Absolutely, you definitely as a consumer or as someone who is interested in looking at an actual business, I think that's a key asset to make sure that your information is being protected. And, honestly, I don't think it always is. We have these regulations that are tied to making sure for example, if you're storing customer credit cards, there's PCI, and there's all these other now HIPPA regulations, and all that type of stuff, but those regulations still don't seem to be enough, and I think the minute you can turn >> You mean it's not enough and it appears that enterprise has generally continued to under invest in their cyber security assets. Is that kind of what you mean? >> Yeah, I still think it's a check-box. >> Okay, I am compliant, okay, that's enough. I betcha, there are companies out there, they'll put a certain money aside knowing that they're going to get breached, and use that money to be able to pay for their breach or whatever else they have to do to meet those regulations, instead of investing into the actual technology to fortify their environment a lot better. >> Well, at wikibon-- we are doing research on related type things all the time, we're just fascinated by the idea that if a business is going after greater flexibility and agility, a crucial element of that has to be, do you have a cyber security profile that allows you to take advantage of those opportunities, that allows you to connect with those partners, that allows you to set up more intimated relations with a big customer. And it just seems as though that something has to become an explicit feature of the conversation about what are strategic assets. >> Yeah, I totally agree. That kind of stirs up something in my head about cyber insurance. I think a lot of companies are also moving towards, well, let me just buy some kind of cyber insurance. And, in the beginning they would go ahead and buy those things, but what they would quickly find out, is that they wouldn't be able to reap the money on an actual breach, because they were out of compliance because they didn't have the good cyber security program they were supposed to have. >> Yeah, the insurance company always finds a way to not pay. Let's talk now about this notion of great agility. We talked about the role that cyber security could play in businesses as they transform the digital world. We've seen a lot of developers starting to enter into cloud-native, cloud-development, new ways of integrating, that requires a mindset shift in the development world about what constitutes security. Now everybody knows, we're not just talking about perimeter, we're talking about something different. What is it that we are talking about? Are we talking about how security is going to move with the data? Are the securities going to be embedded in the API? What do developers have to do differently or how do they have to think differently to make sure that they are building stuff that makes the business more secure? >> Well, before you even start talking about the cloud, or anything else, we still have an issue when we're building our applications, developers still, I don't think are up to speed enough on tracking good, secure coding. I think we're still playing catch-up to that. Now, what you just said, think about where we're at now, we're not even sort of there, now you're going to expand that out into the cloud, it's only going to amplify the actual problem, so there's going to be a lot of challenges that we're going to have to face. We talked about this off-line before, is where's your data going to be? It's going to be everywhere. How are you going to be able to secure that particular data? I think that's going to be a lot of challenges that face ahead of us. We have to figure out how to deal with it. >> The last thing I want to talk about, Tony G, is a lot of the applications that folks are going to be building, a lot of things the developers are going to be building, are things that increasingly provide or bring a degree 6of automation to bear. hink about it, if you've got bad cyber security, you may not know when you've been breached or when you've been hacked or when you've been compromised. You definitely don't want to find out because you've got some automation thing going on that's spinning out of control and doing everything wrong because of a security breach. What's the relationship between increasing automation and the need for more focus and attention on cyber security? >> Usually when I talk about automation, I'm talking about how the bad guys are leveraging automation. Now, I'll give you a little bit of an example here, in our FortiGuard Labs, I think last quarter, I think it was over a million exploits or at least exploit attempts that we were thwarting in one minute. The volume of the attacks are so large these days, and it's really coming from the cyber crime ecosystem. The human cannot actually deal with handling dealing with all those different threats out there, so they need to figure out a way to fight automation with automation. And that's really the key. I had mentioned this earlier on before, is you have to make sure that your technology controls are talking to each other so that they can actually take some automated action. As far as you're concerned as a security operator working in a sock, no matter how good you are, the process for you to identify something, analyze it and take action on it, it's going to be a couple hours sometimes. Sometimes it's a little bit faster, but usually it's a couple hours. It's way too late by then because that threat could spread all over the place. You need those machines to make some of those actual decisions for you, and that's where you start to hear a lot about, and all these buzz-words about artificial intelligence, machine learning, big data analytics. We're really diving into now and trying to figure out how can the machines help us make these automated decisions for us. >> But as you increase the amount of automation, you dramatically expand the threat surface for the number of things that could suddenly be compromised and be taken over as a bad actor. They themselves are more connected. It just amplifies the whole problem. >> Yeah, it gets more complicated, so a system that's more complex, is less secure. >> More vulnerable, sir. >> Yeah, more vulnerable. Absolutely. >> Alright, so once again, Tony G, thanks for being here. We've been speaking on Cube Conversation with Anthony Giandomenico who's with the FortiGuard Labs. He's a security analyst and researcher. Thank you very much for being here. >> Thanks! Thanks for having me. (Techno music)

(uplifting music) >> Hi I'm Peter Burris, and welcome to another great CUBE conversation. We're here in our Palo Alto studios with Fortinet's Anthony Giandomenico, Anthony welcome. >> Welcome, it's great to be here. >> So or otherwise known as Tony G. So in theCUBE conversations Tony, we want to talk about interesting and relevant things. Well here's an interesting and relevant thing that just happened: Fortinet has put forward their quarterly Threats report. What is it? What's in it? >> Really, it's something we do on a quarterly basis, and it's really geared towards the IP security profession, so we go to from the CSO all the way down to the security operator. And what we're looking at is billions of events that are being observed in real time, you know production environments around the world and what we're hoping to do is look at different types of trends that are specific to application exploits, malware, and botnets and hopefully then provide some recommendations back to those IP security professionals. >> Now Tony, malware's been around for a while, some of the bots are a little bit new, but certainly there's some real new things that are on the horizon like IoT and we've heard recently that there's been some challenge with some of these IoT devices. Is it the threat getting more or less intense according to the report? >> Yeah, definitely it's getting more sophisticated, specifically with these IoT devices. What we're seeing as an example with the Reaper and Hajime, always had a hard time actually pronouncing that so I think it's "Hajime". They're actually starting to attack multiple vulnerabilities so instead of just going after one vulnerability, they have multiple vulnerabilities that is inside their malicious code, and then they have the ability to automate the exploitation of those vulnerabilities depending on what the IoT devices are. Now, they're also becoming a lot more resilient. And what I mean by that is some of the actual botnets like Hajime is able to communicate via P2P to each other. What they kind of creates is a decentralized command and control infrastructure. And then lastly, they're becoming much more agile as well, they have this Lua engine, which enables them to quickly update their code so, giving an example, let's say there's a new vulnerability out there. They can quickly swap out or add the additional exploit before that vulnerability, propagate that out to all of the IoT devices that are part of the botnet, and then they can swarm in on that new vulnerability. >> So Fortinet's Fortiguard Labs is one of the leading researchers in this area, especially internet, enterprise security. What is your recommendations that people do about the increasing intensity of the IoT threats? >> But I think we need to start, at least thinking about fighting these automation attacks or worm attacks with our own swarm-like defenses. And what I mean by that is having a seamless integration and automation across your entire security fabric. Now, there's a lot that actually kind of goes into that, but your technology controls need to start talking to each other, and then you can start automating and taking some action really based on whatever threat happens to be in your environment. Now, it's easier said than done, but if you can do that, you can start automating the continual resistance or resiliency of you being able to actually defend against those automated attack. >> So let's change gears a little bit. Willie Sutton, I think it was Willie Sutton, the famous bank robber was famous for saying, when someone asked him "Why do you rob banks?" he said "That's where the money is." >> All of the money (laughing) >> Crypto-jacking. What's going on with as BitCoin becomes a bigger feature of the whole landscape, what's happening with crypto-jackers, what is it, how does it work, why should we be concerned about it? >> Well definitely cryptocurrency is becoming more and more popular these days and the bad guys are definitely taking advantage of that. So when we talk about what is crypto-jacking, so it's really it's sharing, or secretly using, the CPU resources to be able to mine for cryptocurrencies. Now, traditionally you used to have to put some type of application on your machine to be able to mine for cryptocurrencies. Nowadays, all the bad guys really have to do is install a little java script in your browser and away they go. And the only way that you're going to know that your machine may be part of this mining, is it may become super slow and you may be savvy enough to say "Well, maybe look at the CPU." And you look at it and it's pegged at 100%. So that's one of the ways that you can determine that your computer is part of crypto mining. Now in the Q4 report what we've seen is a huge update in crypto mining malware, and it's interesting because it's very intertwined with the rise and fall of the BitCoin price. So as we saw the BitCoin price go up, the crypto mining malware went up, and as it actually dropped off so did the activity. The other thing that we actually ended up seeing is actually in the Darknet. There's a bit of a shift where the bad guys used to only accept payment in BitCoin. Now they're looking at accepting other forms of actual cryptocurrency and that also holds true for ransomware. So if you have an infected with ransomware, it's quite possible that they're going to demand that ransom in something other than BitCoin. >> Interesting, so, in fact we had a great previous group conversation with another really esteemed Fortinet guest, and we talked a little bit about this. So one of the prescriptions is businesses have to be careful about the degree to which they think about doing a lot of transactions in cryptocurrencies. But they probably want to have a little bit of reserves just in case. But what should a business do? What should someone do to mediate some of the challenges associated with crypto-jacking? >> Yeah, I think one of the first things, it's probably self-explanatory to most us that are actually in the cyber field, but having good user awareness training program that actually includes keeping up with the latest and greatest tactics, techniques, and the actual threats that the bad guys are doing out there. Now the other obvious thing would probably be just make sure that your security solutions are able to detect the crypto mining URLs and malware. And I would also say- now I'm not condoning that you actually pay the ransom- however, it's happened many times where they've paid, I think there were some companies that actually paid over a million dollars in BitCoin, it may actually be an option and if you have that in your incident response plan, and what you want to do sometimes- and we've seen organizations actively go ahead and do this- is they'll buy some BitCoin, kind of keep it on hand so if they do have to pay, it streamlines an entire process. Because ransomware, the actual ransom now, you may not be able to pay in BitCoin. You probably have to keep abreast of what are the actually trends in paying up for your ransom because you may have to have other cryptocurrencies on hand as well. >> So, make sure your security's up to date, then you can track these particular and specific resources that tend to do this, have a little bit on reserve, but make sure that you are also tracking which of the currencies are most being used. So, there are other exploits, as you said earlier. Now we see people when someone's not working by doing peer to peer type stuff. The bad guys are constantly innovative, some would argue that they're more inventive than the good guys because they got less risk to worry about. What other threats is the report starting to highlight, that people need to start thinking about? >> So in this Q4 report what we did is we added in the top exploit kit. And I think we'll probably continue to do that over the-- >> What's an exploit kit? >> Exploit kit is something, it's a very nice little kind of GUI that allows you to really just kind of point and click, has multiple exploits in there, and it's usually browser based so it's going to be able to compromise usually a vulnerability within the browser, or some of the actual browser plugins, things of that nature, and the one that we had in the Q4 report was the Sundown exploit kit. Now, it was interesting because we didn't necessarily see that one on the top, it might've been top of its game maybe 2014, 2015, but it actually rose in early December to actually kind of be number one for Q4. And it's unique because it does leverage steganography, meaning it's able to hide its malicious code or its harvested information inside image files. So we'll continue to track that, we don't know sure why it actually kind of rose up in the beginning of December but we'll just actually continue to track it on time. >> So you've already mentioned ransomware but let's return to it because that's at the top of people's minds, we pay lawyers when they come after us with sometimes what looks like ransom. But what is happening, what's the point in ransomware, what's the report on they like? >> Well, what you see is the actual growth and volume and sophistication has really been common amongst all the reports that we have actually put out to date, but not a lot has really changed. In Q4, what we did have Locky was the number one malware, or ransomware variant along with Global Imposter. Now, it's still the same delivery mechanisms, so you still got the social engineering, it's being delivered through fishing email, but then it's expanding out to let's say compromised websites, malvertising, as well as earlier on last year, we saw where it was being able to propagate from vulnerability to vulnerability so it had this worm-like spreading capability. That's all really been the same and not a lot has really sort of changed. The thing that has changed actually is the fact that they're up in the ante a little bit to be able to hopefully increase their chances of you actually falling for that actual scam, is they're making the subject of that scam a little bit more top-of-mind. As an example, the subject may be cryptocurrency because you're more likely to figure out what's going on there, you'll be more likely to download that file or click that link if the subject is something around cryptocurrency because it is top-of-mind today. >> Interestingly enough, I, this morning received an email saying, "You could win some free cryptocurrency." And I said "And you can go into the trash can." (Tony laughing) So what should people do about it? I just threw something away, but what should people generally do to protect their organization from things like ransomware? >> I do get that a lot, I get that question a lot. The first thing I say, if you're trying to protect against ransomware, you follow the same things that you were doing with some of the other threats because I don't think ransomware is that unique when it comes to the protection. The uniqueness is really an impact, because certain threats they'll actually go and steal data and whatnot but when's the last time you heard of a business going out of business or losing money because some data was stolen? Not very often, it seems to be continued as business as usual, but ransomware, locking your files, it could actually bring the business down. So what you want to do is be able to minimize the impact of that actual ransomware so having a good offline backup strategy, so good backup and recovery strategy, making sure you go through those table top exercises really to make sure that when you do have to recover, you know exactly how long it's going to take and it's very efficient and very streamlined. >> Practice, practice, practice. >> Yup, and don't rely on online backups, shadow copy backups because those things are probably going to be encrypted as well. >> Yup, alright so that's all we have time for today Tony. So, Anthony Giandomenico from-- >> Tony G! (laughing) >> Tony G, who's a senior security strategist researcher at the Fortinet Fortiguard Labs. Thanks very much for this Cube conversation. >> It was great to be here. >> Peter Burris, once again, we'll see you at the next Cube Conversation. (uplifting music)