Nirav Shah and Peter Newton, Fortinet | CUBE Conversation, March 2021


 

(ethereal music)
>> Welcome to this special Cube Conversation. I'm John Furrier, your host of "The Cube" here in Palo Alto, California. We've got two great remote guests here having a conversation around security, security convergence with platforms around networking and security. With cybersecurity at an all-time high, the need for understanding how to manage the breaches, how to understand them, prevent them, everything in between, cybersecurity and data are the number one conversation happening in the world today. We've got two great guests: Nirav Shah, VP of products at Fortinet, and Peter Newton, senior director of products at Fortinet. The product leaders in the hottest cybersecurity company. And guys, thanks for coming on this Cube Conversation.
>> Thanks for having us.
>> Thank you, John.
>> So last month or so I talked to John Maddison about the Fortinet new release, FortiOS 7.0, as well as highlighting the convergence that's going on between the platforms, around companies trying to consolidate and/or manage or grow and build, converging networking and security together. Seeing that happening in real time still doesn't change the underpinnings of how the internet works and how these companies are structured. But the need for security is at an all-time high. Talk about the impact to the customer. Do you guys have the keys to the kingdom here, product group? What is the killer product? What are customers doing? Give us the overview of why there's such a big need for the security platforms right now.
>> Yeah, absolutely, John. So if you see today's environment, we have seen working from anywhere become normal. And as part of that, we have seen so many different network edges. At the same time, they have different devices that they're using from anywhere. So what's important is, as users have different devices, different users and applications that they're consuming from Cloud, we have to make sure that we provide security across the endpoint, across all network edges, and going to the Cloud compute. And for that kind of approach, you cannot have point products provide the visibility, control and management. You need to have a comprehensive cybersecurity platform which gives you security from that endpoint, to the edge, to the user, so that you have simple but effective management and have solid security in place to get that working from anywhere in a much better user experience way. And that's exactly what Fortinet describes as the Security Fabric platform.
>> It's interesting, not to kind of go on a tangent here, but to illustrate the point is, if you look at all the cybersecurity challenges that we're facing globally, especially here in the United States, the public-private partnerships are increasing. We're seeing more public sector, commercial integration, the role of data. We've covered this on SiliconANGLE and many other Cube interviews, especially with you guys. And there's all this kind of new approaches. Everyone's trying everything. They're buying every product that's out there, but now there's like overload. There's too much product. And the obvious thing that's becoming clear is cloud scale, the evolution of this new edge environment. And so with that comes the importance of two trends that you guys are participating in. I want to get your thoughts on this, because that's called SASE and SD-WAN. We know SD-WAN, but SASE stands for Secure Access Service Edge. I think Gartner made that term up, or someone made that term up, but that's a new technology. And you've got SD-WAN; these traditionally had been like edge for branch offices. Now they've evolved as pure network edges in a distributed computing environment. What's so important about these two topics? Nirav, take us through the changes that are happening and why it's important for enterprises to get a handle on this.
>> Yeah, John. So, as you said, SASE, Secure Access Service Edge. Really the foundation of that topic is the convergence of networking and security. And as you mentioned, Fortinet has been doing a lot of innovation in this area, right? Six years back, we pioneered the convergence of security and networking with Secure SD-WAN, but what's happening now with SASE is, as that working from anywhere continues to remain the dominant trend, users are looking for Cloud-Delivered Security. And that's what Fortinet recently announced, where we can provide the most comprehensive Cloud-Delivered Security for remote users, for thin edge. You can still have anytime access from any device. To give you an example, now our remote users, they are still at home, or they can be a branch-of-one user, but still have that always-on threat protection with the consistent security given in the Cloud. So they don't have to go anymore from the branch or data center, but have direct connectivity to the Cloud security before they access SaaS applications. That's what one of the SASE trends is. Second thing, John, we are observing is users are now, as they are going back to the hybrid workforce, they are looking for a thin edge, right? To your point of an edge, edge is still intelligent and very important, but there is an interesting architectural shift of, can I just use intelligent networking there, move my CapEx to OpEx and have security in Cloud? That unified security, unified policy is again becoming important. That's what SASE--
>> Okay, so I like this Cloud-Delivered Security. This is a hybrid workforce you're addressing with this marketplace, that's clear. Hybrid is everywhere: hybrid cloud, hybrid workforce, hybrid events are coming. I mean, we love covering events physically but also now virtual. Everything's impacted by the word hybrid and Cloud. But talk about this thin edge. What do you mean by that? I mean, I think thin edge, I think thin clients, the old trend. What does thin edge mean?
>> Yeah, so different organizations are looking at the architecture in a different way. Some organizations are thinking about having a very simple branch where it is used for modern networking technologies, while security has been shifted to the Cloud-delivered. What happens with this model is, now they are relying more on technologies like SD-WAN on the edge to provide that intelligent steering, while everything in the security is being done in a Cloud compute way for both remote users and thin edge environments. Now the good news here is, they don't have to worry about the security patching or any of those security capabilities. It is all done by Fortinet as they go and use the SaaS applications' performance.
>> I want to come back and drill down on that, but I want to get Peter in here in the Zero Trust equation, because one of the things that comes up all the time with this edge discussion is network access. I mean, you go back to the old days of computing, you had edge log in, you'd come in, RADIUS servers, all these things were happening, pretty simple paradigm. It's gotten so complicated now, Peter. So Zero Trust is a hot area. It's not only one of the things, but it's super important. What is Zero Trust these days?
>> Zero Trust is indeed a very hot term, because I think part of it is just it sounds great from a security standpoint. Zero Trust, you don't trust anyone. But it really comes down to a philosophical approach of how do you address the users, data, applications that you want to protect? And the idea of Zero Trust, and really what's driving it, is the fact that, as we've been talking, people are working remotely. The perimeter of the organization has dissolved. And so you no longer can afford to have a trusted internal zone and an untrusted external zone. Everything has to be "Zero Trust." So this means that you need to be authenticating and verifying users and devices on a repeat and regular basis, and when you're bringing them on and giving them access to assets and applications, you want to do that with as granular control as possible. So the users and devices have access to what they need, but no more. And those are kind of the basic tenets of Zero Trust. And that's what it's really about: prioritizing the applications and data, as opposed to just looking at, am I bringing someone into my network?
>> God, the concept of Zero Trust, obviously hot. What's the difference between Zero Trust Access and Zero Trust Network Access, or as people say, ZTA versus ZTNA? I mean, is there a nuance there? I mean, what's the difference between the two?
>> That's actually a really good question, because they both have the Zero Trust in the name. ZTNA is actually a specific term that Gartner created, or other analysts, I should say, created 10 years ago. And this refers specifically to controlling access to applications. Whereas Zero Trust overall, Zero Trust Access, deals with both users and devices coming onto networks: how are you connecting them on? What kind of access are you giving them on the network? ZTNA is specifically how are you bringing users and connecting them to applications, whether those applications are on premise or in the Cloud.
>> So the NA is more like the traditional old VPN model, connecting users from home or whatever. Just connecting across the network with user to app. Is that right?
>> That's actually a really good insight, but ironically the VPN-like benefits of this are actually an outgrowth of the ZTNA model, because ZTA doesn't differentiate between when you're on network or off network. It creates a secure tunnel automatically no matter where the user is, but VPN is all just about creating a secure tunnel when you're remote. ZTNA just does that automatically. So it's a lot easier, a lot simpler. You get a hundred percent compliance, and then you also have that same secure tunnel even when you're "on a safe network," because with Zero Trust, you don't trust anything. So yes, it really is leading to the evolution of VPN connectivity.
>> So Nirav, I want to get back to you on, tie that circle back to what we were talking about around hybrid. So everyone says everything's moving to the Cloud. That's what people think. And Cloud ops is essentially what hybrid is. So connect the dots here between Zero Trust, Zero Trust A and NA, with the move to the hybrid cloud model. How does that, what's the difference between the two? Where's the connection? What's the relevance for your customers and the marketplace?
>> Yeah, I think that again goes back to that SASE framework, where ZTNA plays a huge role, because John, we talked about when users are working from anywhere in this hybrid workforce, one of the important things is to not give them this implicit trust, right? To the applications, enabling the explicit trust is very important. And that is what ZTNA does. And the interesting thing about Fortinet is we provide all of this as part of FortiOS, and users can deploy anywhere. So as they are going to the Cloud-Delivered Security, they can enable ZTNA there, so that we make sure this user, at what time, which application they're accessing, and should we give them that access or not. So a great way to have ZTNA, SASE, everything in one unified policy and provide that anytime access for any device with a trusting place.
>> Okay, real quick question to you is, what's the difference between SASE, Secure Access Service Edge, and SD-WAN? Real quick.
>> Yeah, so SD-WAN is one of the core foundation elements of SASE, right? So far we talked about the Cloud-Delivered Security, which is all an important part of the security as a service. SASE is another element, which is networking as a service, where SD-WAN plays a foundation role. And John, that's where I was saying earlier that the intelligent edge, modern technology that SD-WAN provides, is absolutely necessary for a successful SASE deployment, right? If users who are sitting anywhere, if they can't get the right application steering before they provide the Cloud-Delivered Security, then they are not going to get the user experience. So having the right SD-WAN foundation in that edge, working in tandem with the Cloud-Delivered Security, makes a win-win situation for both networking and security teams.
>> So Peter, I want to talk to you. Last night I was on a chat on the Clubhouse app with some cybersecurity folks, and they don't talk in terms of "I got ZTNA and I got some SASE and SD-WAN." They're talking mostly about just holistically their environment. So could you just clarify the difference, 'cause this can be confusing, between Zero Trust Network Access, ZTNA, versus SASE? Because it's kind of the same thing, but I know it's nuanced, but is there a difference there? People get confused by this when I hear people talking, 'cause like they just throw jargon around and they say, "Oh, with Zero Trust we're good." What does that even mean?
>> Yeah, we get a lot of that when talking with customers, because the two technologies are so complementary and similar. They're both dealing with security for remote workers. However, SASE is really dealing with that kind of firewall in the Cloud type service, where the remote user gets the experience and protection of being behind a firewall. ZTNA is about controlling the application and giving them that secure tunnel to the application. So they're different things: one's kind of that firewall as a service, security as a service, even networking as a service. But ZTNA is really about, how do I have the policies, no matter where our user is, to give them access to specific applications, and then give them a secure tunnel to that application? So very complementary, but again, they are separate things.
>> What's the landscape out there with competitive, because has there products, I mean you guys are product folks. You'll get the product question. Is it all kind of in one thing, is this bundled in? Do you guys have a unique solution? Some people have it, they don't. What's the marketplace look like from a product standpoint?
>> Yeah. So John, that starts back to the platform that we talked about, right? Fortinet always believes in not developing a point product, but doing organic development which is part of a broader platform. So when we look at things like SASE, which require a really enterprise-grade networking and security stack, Fortinet has organically developed them. SD-WAN, we are a leading vendor, a Gartner Magic Quadrant leader there. Network firewall, including whether they're deployed on Cloud, on-prem or as segmentation, we are a leader there. So when you combine both of them, and ZTNA is part of it, there is only a handful of vendors you will see in the industry who can provide consistent security, networking and security together, and have that better user experience for the single management. So clearly there's a lot of buzz, John, a lot of vendors talk about it. But when you go to the details and see this kind of unified policy of networking and security, Fortinet is emerging as a leader.
>> Well, I always like talking to the experts like you guys on this topic. And we get into the conversations around the importance under the hood. SASE, SD-WAN, we've been covering that for a long time. And now with Zero Trust becoming such a prominent architectural feature in Cloud and hybrid, super important under the hood. At the end of the day though, I got to ask the customer's question, which is, "What's in it for me? I care about breaches. I don't want to be breached. The government's not helping me over the top. I got to defend myself. I have to put resources in place, it's expensive, and never mind if I get breached." The criticality of that alone is a risk management discussion. These are huge table stakes, and the stakes are high. So what I care about is, are you going to stop the breaches? I need the best security in town. What do you say to that?
>> Yeah, this goes back to the beginning. We talked about consistent, certified security, right, John? So yes, a SASE model is interesting. Customers are going to move to Cloud, but it's going to be a journey. Customers are not going Cloud first day one. They are going to take a hybrid approach where security is required in a segment, in an edge and on the Cloud. And that's where having solid security in place is the number one requirement. And when you look at the history of Fortinet over the last 20 years, how we have done with our FortiGuard Labs, our threat intelligence, and our ability to protect over 450,000 customers, that's a big achievement. And for us to continue to provide that security, but more importantly, continue to go out and do third-party certification with many organizations, to make sure no matter where customers are deploying security, it is that same enterprise-grade security deployment. And that's very important, that we talk to our users to make sure they validate that.
>> Peter, weigh in on this. Customers don't want any breaches. How do you help them with the best security? What's your take on that?
>> Well, to kind of reiterate what Nirav said earlier, we really believe that security is a team sport. And you do need best-in-class products at each individual element, but more importantly you need those products working together. So the fact that we have industry-leading firewalls, the fact that we have industry-leading SD-WAN, we've got industry-leading products to cover the entire gamut, from the endpoint all the way to email, application, Cloud. All these products, while it's important that they're third-party validated, as Nirav was mentioning, it's more important that they actually talk together. They're integrated and provide automated actions. Today's cybersecurity moves so fast. You need that team approach to be able to protect and stop those breaches.
>> Well, you guys have a great enterprise-grade solution. I got to say, I've been covering you guys for many years now, and you guys have been upfront, out front on the data aspect of it with FortiGuard. And I think people are starting to realize now that data is the key; the value proposition is not a secret anymore. It used to be kind of known for the people inside the ropes. So congratulations. I do know that there's a lot of action happening. I want to give you guys a chance at the end of this conversation now to just put a plug in for Fortinet, because there's more people coming into the workforce now, post-pandemic, young people with computer science degrees and other degrees that want to go into a career with cybersecurity. Could you guys share both your perspectives, for the young people watching or people re-skilling, what opportunities there are from a coding standpoint and/or from, say, an analyst perspective? What are some of the hot openings? 'Cause there are thousands and thousands of jobs. Give a quick plug for Fortinet and what openings you guys might have.
>> Well, certainly in the cyber industry, one of the major trends we have is a workforce shortage. There are not enough trained professionals who know about cybersecurity. So for those who are interested in retooling or starting their career, cybersecurity is an ongoing field. It's going to be around for a long time. I highly encourage those interested, come take a look at Fortinet. We offer free training. So you can start from knowing nothing to becoming certified up to a security architect level, and all that training is now available for free. So it's a great time to start, a great time to come into the industry. The industry needs you.
>> Any particular areas, Peter, you see that are like really jumping off the page?
>> Well, it's hybrid: knowing Cloud, knowing on-prem, knowing the traffic, knowing the data on the applications. There's just so much to do.
>> You're the head of product, you've got probably a ton of openings, but seriously, young people trying to figure out where to jump in, what are the hot areas? Where can people dig in and get retrained and/or find their career?
>> Yeah, no, I think to reiterate what Peter said, right? The program that Fortinet has built, NSE one, two, three, which is freely available, is a great foundation. Because that actually goes into the detail of many topics we touched upon. Even though we are talking about SD-WAN, SASE, ZTNA, fundamentally these are the networking and security technologies to make sure users are able to do the right work in the user experience. And that will be really helpful to the young people who are looking to learn more and go into this area. So highly encouraged to take those trainings, reach out to us. We are there to provide any mentorship, anything that is required to help them in that journey.
>> Anything jump off the page in terms of areas that you think are super hot, that are in need?
>> Certainly there's convergence of networking and security. There is a growing need of how and what Zero Trust is, and how the security is applied everywhere. Definitely that's a topic of mine for a lot of our customers, and that's an area, it's a good thing to gain more knowledge and utilize it.
>> Nirav and Peter, thank you for coming on. You guys are both experts and the leaders at Fortinet, the product team. The need for a security platform is at an all-time high, consolidating tools into a platform. More tools are needed and there's new tools coming. So I'm expecting to have more great conversations as the world evolves. Certainly the edge is super important. Thanks for coming on, appreciate it.
>> Thanks for having us.
>> Okay, Cube Conversation on security here in the Palo Alto studios. I'm John Furrier. Thanks for watching.
(ethereal music)

Published Date : Mar 31 2021


Derek Manky and Aamir Lakhani, FortiGuard Labs | CUBE Conversation, August 2020


 

>> Announcer: From theCUBE studios in Palo Alto in Boston, connecting with thought leaders all around the world. This is a CUBE conversation. >> Hi everyone. Welcome to this CUBE Conversation. I'm John Furrier host of theCUBE here in the CUBEs, Palo Alto studios during the COVID crisis. We're quarantine with our crew, but we got the remote interviews. Got two great guests here from Fortinet FortiGuard Labs, Derek Mankey, Chief Security Insights and global threat alliances at Fortinet FortiGuard Labs. And Aamir Lakhani who's the Lead Researcher for the FortiGuard Labs. You guys is great to see you. Derek, good to see you again, Aamir, good to meet you too. >> It's been a while and it happens so fast. >> It just seems was just the other day, Derek, we've done a couple of interviews in between a lot of flow coming out of Fortinet FortiGuard, a lot of action, certainly with COVID everyone's pulled back home, the bad actors taking advantage of the situation. The surface areas increased really is the perfect storm for security in terms of action, bad actors are at an all time high, new threats. Here's going on, take us through what you guys are doing. What's your team makeup look like? What are some of the roles and you guys are seeing on your team and how does that transcend to the market? >> Yeah, sure, absolutely. So you're right. I mean like I was saying earlier that is, this always happens fast and furious. We couldn't do this without a world class team at FortiGuard Labs. So we've grown our team now to over 235 globally. There's different rules within the team. If we look 20 years ago, the rules used to be just very pigeonholed into say antivirus analysis, right? Now we have to account for, when we're looking at threats, we have to look at that growing attack surface. We have to look at where are these threats coming from? How frequently are they hitting? What verticals are they hitting? What regions, what are the particular techniques, tactics, procedures? 
So we have threat. This is the world of threat intelligence, of course, contextualizing that information and it takes different skill sets on the backend. And a lot of people don't really realize the behind the scenes, what's happening. And there's a lot of magic happening, not only from what we talked about before in our last conversation from artificial intelligence and machine learning that we do at FortiGuard Labs and automation, but the people. And so today we want to focus on the people and talk about how on the backend we approached a particular threat, we're going to talk to the word ransom and ransomware, look at how we dissect threats, how correlate that, how we use tools in terms of threat hunting as an example, and then how we actually take that to that last mile and make it actionable so that customers are protected. I would share that information with keys, right, until sharing partners. But again, it comes down to the people. We never have enough people in the industry, there's a big shortage as we know, but it's a really key critical element. And we've been building these training programs for over a decade with them FortiGuard Labs. So, you know John, this to me is exactly why I always say, and I'm sure Aamir can share this too, that there's never a adult day in the office and all we hear that all the time. But I think today, all of you is really get an idea of why that is because it's very dynamic and on the backend, there's a lot of things that we're doing to get our hands dirty with this. >> You know the old expression startup plan Silicon Valley is if you're in the arena, that's where the action is. And it's different than sitting in the stands, watching the game. You guys are certainly in that arena and you got, we've talked and we cover your, the threat report that comes out frequently. But for the folks that aren't in the weeds on all the nuances of security, can you kind of give the 101 ransomware, what's going on? 
What's the state of the ransomware situation? Set the stage because that's still continues to be threat. I don't go a week, but I don't read a story about another ransomware. And then at least I hear they paid 10 million in Bitcoin or something like, I mean, this is real, that's a real ongoing threat. What is it? >> The (indistinct) quite a bit. But yeah. So I'll give sort of the 101 and then maybe we can pass it to Aamir who is on the front lines, dealing with this every day. You know if we look at the world of, I mean, first of all, the concept of ransom, obviously you have people that has gone extended way way before cybersecurity in the world of physical crime. So of course, the world's first ransom where a virus is actually called PC Cyborg. This is a 1989 around some payment that was demanded through P.O Box from the voters Panama city at the time, not too effective on floppiness, a very small audience, not a big attack surface. Didn't hear much about it for years. Really, it was around 2010 when we started to see ransomware becoming prolific. And what they did was, what cyber criminals did was shift on success from a fake antivirus software model, which was, popping up a whole bunch of, setting here, your computer's infected with 50 or 60 viruses, PaaS will give you an antivirus solution, which was of course fake. People started catching on, the giggles out people caught on to that. So they, weren't making a lot of money selling this fraudulent software, enter ransomware. And this is where ransomware, it really started to take hold because it wasn't optional to pay for this software. It was mandatory almost for a lot of people because they were losing their data. They couldn't reverse engineer that the encryption, couldn't decrypt it, but any universal tool. Ransomware today is very rigid. We just released our threat report for the first half of 2020. And we saw, we've seen things like master boot record, MVR, ransomware. This is persistent. 
It sits before your operating system, when you boot up your computer. So it's hard to get rid of it. Very strong public private key cryptography. So each victim is effective with the direct key, as an example, the list goes on and I'll save that for the demo today, but that's basically, it's just very, it's prolific. We're seeing shuts not only just ransomware attacks for data, we're now starting to see ransom for extortion, for targeted around some cases that are going after critical business. Essentially it's like a DoS holding revenue streams go ransom too. So the ransom demands are getting higher because of this as well. So it's complicated. >> Was mentioning Aamir, why don't you weigh in, I mean, 10 million is a lot. And we reported earlier in this month. Garmin was the company that was hacked, IT got completely locked down. They pay 10 million, Garmin makes all those devices. And as we know, this is impact and that's real numbers. I mean, it's not other little ones, but for the most part, it's nuance, it's a pain in the butt to full on business disruption and extortion. Can you explain how it all works before we go to the demo? >> You know, you're absolutely right. It is a big number and a lot of organizations are willing to pay that number, to get their data back. Essentially their organization and their business is at a complete standstill when they don't pay, all their files are inaccessible to them. Ransomware in general, what it does end up from a very basic overview is it basically makes your files not available to you. They're encrypted. They have essentially a passcode on them that you have to have the correct passcode to decode them. A lot of times that's in a form of a program or actually a physical password you have to type in, but you don't get that access to get your files back unless you pay the ransom. A lot of corporations these days, they are not only paying the ransom. They're actually negotiating with the criminals as well. 
They're trying to say, "Oh, you want 10 million? "How about 4 million?" Sometimes that goes on as well. But it's something that organizations know that if they didn't have the proper backups and the hackers are getting smart, they're trying to go after the backups as well. They're trying to go after your duplicated files. So sometimes you don't have a choice in organizations. Will pay the ransom. >> And it's, they're smart, there's a business. They know the probability of buy versus build or pay versus rebuild. So they kind of know where to attack. They know that the tactics and it's vulnerable. It's not like just some kitty script thing going on. This is real sophisticated stuff it's highly targeted. Can you talk about some use cases there and what goes on with that kind of a attack? >> Absolutely. The cyber criminals are doing reconnaissance and trying to find out as much as they can about their victims. And what happens is they're trying to make sure that they can motivate their victims in the fastest way possible to pay the ransom as well. So there's a lot of attacks going on. We usually, what we're finding now is ransomware is sometimes the last stage of an attack. So an attacker may go into an organization. They may already be taking data out of that organization. They may be stealing customer data, PII, which is personal identifiable information, such as social security numbers, or driver's licenses, or credit card information. Once they've done their entire tap. Once they've gone everything, they can. A lot of times their end stage, their last attack is ransomware. And they encrypt all the files on the system and try and motivate the victim to pay as fast as possible and as much as possible as well. >> I was talking to my buddy of the day. It's like casing the joint there, stay, check it out. They do their recon, reconnaissance. They go in identify what's the best move to make, how to extract the most out of the victim in this case, the target. 
And it really is, I mean, just to go on a tangent, why don't we have the right to bear our own arms? Why can't we fight back? I mean, at the end of the day, Derek, this is like, who's protecting me? I mean, what, to protect my, build my own arms, or does the government help us? I mean, at some point I've got a right to bear my own arms here. I mean, this is the whole security paradigm.

>> Yeah. So, I mean, there's a couple of things. So first of all, this is exactly why we do a lot of, I was mentioning the skill shortage in cybersecurity professionals as an example. This is why we do a lot of the heavy lifting on the backend. Obviously from a defensive standpoint, you obviously have the red team, blue team aspect. How do you first, there's what is to fight back by being defensive as well, too. And also by, in the world of threat intelligence, one of the ways that we're fighting back is not necessarily by going and hacking the bad guys, because that's illegal in jurisdictions. But how we can actually find out who these people are, hit them where it hurts, freeze assets, go after money laundering networks. If you follow the cash transactions where it's happening, this is where we actually work with key law enforcement partners, such as Interpol as an example. This is the world of threat intelligence. This is why we're doing a lot of that intelligence work on the backend. So there's other ways to actually go on the offense without necessarily weaponizing it per se, right? Like using, bearing your own arms as you said, there's different forms that people may not be aware of with that. And that actually gets into the world of, if you see attacks happening on your system, how you can use the security tools and collaborate with threat intelligence.

>> I think that's the key. I think the key is these new sharing technologies around collective intelligence is going to be a great way to kind of have more of an offensive collective strike.
But I think fortifying the defense is critical. I mean, that's, there's no other way to do that.

>> Absolutely. I mean, we say this almost every week, but it's in simplicity. Our goal is always to make it more expensive for the cybercriminal to operate. And there's many ways to do that, right? You can be a pain to them by having a very rigid, hardened defense. That means if it's too much effort on their end, I mean, they have ROIs in their sense, right? If it's too much effort on their end, they're going to go knocking somewhere else. There's also, as I said, things like disruption, so ripping infrastructure offline that cripples them, whack-a-mole, they're going to set up somewhere else. But then also going after people themselves, again, the cash networks, these sorts of things. So it's sort of a holistic approach between-

>> It's an arms race, better AI, better cloud scale always helps. You know, it's a ratchet game. Aamir, I want to get into this video. It's a ransomware four minute video. I'd like you to take us through, as the Lead Researcher, take us through this video and explain what we're looking at. Let's roll the video.

>> All right. Sure. So what we have here is we have the victim's desktop over here. We have a couple of things on this victim's desktop. We have a batch file, which is essentially going to run the ransomware. We have the payload, which is the code behind the ransomware. And then we have files in this folder. And this is where you would typically find user files in a real world case. This would be like Microsoft Word documents, or your PowerPoint presentations, or, here we just have a couple of text files that we've set up. We're going to go ahead and run the ransomware. And sometimes attackers, what they do is they disguise this. Like they make it look like an important Word document. They make it look like something else. But once you run the ransomware, you usually get a ransom message.
And in this case, the ransom message says, your files are encrypted. Please pay this money to this Bitcoin address. That obviously is not a real Bitcoin address. Usually they look a little more complicated, but this is our fake Bitcoin address. But you'll see that the files now are encrypted. You cannot access them. They've been changed. And unless you pay the ransom, you don't get the files. Now, as researchers, we see files like this all the time. We see ransomware all the time. So we use a variety of tools, internal tools, custom tools, as well as open source tools. And what you're seeing here is an open source tool. It's called the Cuckoo Sandbox, and it shows us the behavior of the ransomware. What exactly is the ransomware doing? In this case, you can see just clicking on that file launched a couple of different things. It launched basically a command executable, a PowerShell. They launched a Windows shell. And then it did things on the file; it added registry keys, it had network connections. It changed the disk. So that kind of gives us a behind the scenes look at all the processes that are happening in the ransomware. And just that one file itself, like I said, does multiple different things. Now what we want to do as researchers, we want to categorize this ransomware into families. We want to try and determine the actors behind that. So we dump everything we know about a ransomware in the central databases. And then we mine these databases. What we're doing here is we're actually using another tool called Maltego, and we use custom tools as well as commercial and open source tools. But this is an open source and commercial tool. But what we're doing is we're basically taking the ransomware and we're asking Maltego to look through our database and say, like, do you see any like files? Or do you see any types of incidents that have similar characteristics?
Because what we want to do is we want to see the relationship between this one ransomware and anything else we may have in our system, because that helps us identify maybe where the ransomware is connecting to, where it's going, other processes that it may be doing. In this case, we can see multiple IP addresses that are connected to it. So we can possibly see multiple infections. We can block different external websites, we can identify a command and control system. We can categorize this to a family, and sometimes we can even categorize this to a threat actor that has claimed responsibility for it. So it's essentially visualizing all the connections and the relationship between one file and everything else we have in our database. And in this example, of course, I could put this out in multiple ways. We can save these as reports, as PDF type reports or usually HTML or other searchable data that we have back in our systems. And then the cool thing about this is this is available to all our products, all our researchers, all our specialty teams. So when we're researching botnets, when we're researching file-based attacks, when we're researching IP reputation, we have a lot of different IOCs, or indicators of compromise, that we can correlate where attacks go through and maybe even detect new types of attacks as well.

>> So the bottom line is you've got the tools, using a combination of open source and commercial products, to look at the patterns of all ransomware across your observation space. Is that right?

>> Exactly. I showed you like a very simple demo. It's not only open source and commercial, but a lot of it is our own custom developed products as well. And when we find something that works, that logic, that technique, we make sure it's built into our own products as well. So our own customers have the ability to detect the same type of threats that we're detecting as well.
At FortiGuard Labs, the intelligence that we acquire, that product, that product of intelligence, it's consumed directly by our prospects.

>> So take me through what's actually going on, what it means for the customer. So FortiGuard Labs, you're looking at all the ransomware, you're seeing the patterns, are you guys proactively looking? Is it, you guys are researching, you look at something that pops in the radar. I mean, take us through what goes on and then how does that translate into a customer notification or impact?

>> So, yeah, John, if you look at a typical life cycle of these attacks, there's always proactive and reactive. That's just the way it is in the industry, right? So of course we try to be (indistinct) as we look for some of the solutions we talked about before, and if you look at an incoming threat, first of all, you need visibility. You can't protect or analyze anything that you can't see. So you've got to get your hands on visibility. We call these IOCs, indicators of compromise. So this is usually something like an actual executable file, like the virus or the malware itself. It could be other things that are related to it, like websites that could be hosting the malware as an example. So once we have that SEED, we call it a SEED, we can do threat hunting from there. So we can analyze that, right? If we have to, if it's a piece of malware or a botnet, we can do analysis on that and discover more malicious things that this is doing. Then we go investigate those malicious things. And we really, it's similar to the world of CSI, right? These different dots that they're connecting, we're doing that at hyper-scale. And we use that through these tools that Aamir was talking about. So it's really a lifecycle of getting the malware incoming, seeing it first, analyzing it, and then doing action on that. So it's sort of a three step process. And the action comes down to what Aamir was saying, waterfalling that to our customers, so that they're protected.
But then in tandem with that, we're also going further and sharing it, if applicable, to, say, law enforcement partners, other threat intel sharing partners too. And it's not just humans doing that. So the proactive piece, again, this is where it comes to artificial intelligence, machine learning. There's a lot of cases where we're automatically doing that analysis without humans. So we have AI systems that are analyzing and actually creating protection on their own too. So it's quite interesting that way.

>> So at the end of the day, you want to protect your customers. And so this renders out, if I'm a Fortinet customer across the portfolio, the goal here is to protect them from ransomware, right? That's the end game.

>> Yeah. And that's a very important thing. When you start talking about these big dollar amounts that we were talking about earlier, it comes to the damages that are done from that-

>> Yeah, I mean, not only is it good insurance, it's just good to have that fortification. So Derek, I'm going to ask you about the term the last mile, because, we were, before we came on camera, I'm a bandwidth junkie, always want more bandwidth. So the last mile, it used to be a term for the last mile to the home where there were telephone lines. Now it's fiber and wifi, but what does that mean to you guys in security? Does that mean something specific?

>> Yeah, absolutely. The easiest way to describe that is actionable. So one of the challenges in the industry is we live in a very noisy industry when it comes to cybersecurity. What I mean by that is that because of that growing attack surface, and you have these different attack vectors, you have attacks not only coming in from email, but websites, from DoS attacks, there's a lot of volume that's just going to continue to grow in the world of 5G and OT. So what ends up happening is when you look at a lot of security operations centers for customers, as an example, it's very noisy.
You can guarantee almost every day, you're going to see some sort of probe, some sort of attack activity that's happening. And so what that means is you get a lot of protection events, a lot of logs. And when you have this worldwide shortage of security professionals, you don't have enough people to process those logs and actually start to say, "Hey, this looks like an attack. I'm going to go investigate it and block it." So this is where the last mile comes in, because a lot of the times these logs, they light up like Christmas. And I mean, there's a lot of events that are happening. How do you prioritize that? How do you automatically add action? Because the reality is if it's just humans doing it, that last mile is often, going back to your bandwidth terms, there's too much latency. So how do you reduce that latency? That's where the automation, the AI, machine learning comes in to solve that last mile problem, to automatically add that protection. It's especially important 'cause you have to be quicker than the attacker. It's an arms race, like you said earlier.

>> I think what you guys do with FortiGuard Labs is super important, not only for the industry, but for society at large, as you have kind of all this shadow, cloak and dagger kind of attack systems, whether it's national security, international, or just for mafias and racketeering, and the bad guys. Can you guys take a minute and explain the role of FortiGuard specifically and why you guys exist? I mean, obviously there's a commercial reason. You built on the Fortinet that trickles down into the products. That's all good for the customers, I get that. But there's more at FortiGuard. And just that, could you guys talk about this trend in the security business, because it's very clear that there's a collective sharing culture developing rapidly for societal benefit. Can you take a minute to explain that?

>> Yeah, sure. I'll give you my thoughts, Aamir will add some to that too.
So, from my point of view, I mean, there's various functions. So we've just talked about that last mile problem. That's the commercial aspect. We created, through FortiGuard Labs, FortiGuard services that are dynamic and updated to security products, because you need intelligent products to be able to protect against intelligent attacks. That's just a defense again. Going back to, how can we take that further? I mean, we're not law enforcement ourselves. We know a lot about the bad guys and the actors because of the intelligence work that we do, but we can't go in and prosecute. We can share knowledge and we can train prosecutors, right? This is a big challenge in the industry. A lot of prosecutors don't know how to take cybersecurity cases to court. And because of that, a lot of these cyber criminals reign free, and that's been a big challenge in the industry. So this has been close to my heart over 10 years, I've been building a lot of these key relationships between private and public sector, as an example, but also private sector, things like the Cyber Threat Alliance. We're a founding member of the Cyber Threat Alliance. We have over 28 members in that Alliance, and it's about sharing intelligence to level that playing field, because attackers roam freely. What I mean by that is there's no jurisdictions for them. Cyber crime has no borders. They can do a million things wrong and they don't care. We do a million things right, one thing wrong, and it's a challenge. So there's this big collaboration. That's a big part of FortiGuard, why it exists too, is to make the industry better, to work on protocols and automation and really fight this together while remaining competitors. I mean, we have competitors out there, of course. And so it comes down to that last mile problem, it's like, we can share intelligence within the industry, but intelligence is just intelligence. How do you make it useful and actionable? That's where it comes down to technology integration.
>> Aamir, what's your take on this societal benefit? Because, I would say, for instance, the Sony hack years ago, that, when you have nation states, if they put troops on our soil, the government would respond, but yet virtually they're here and the private sector has to fend for themselves. There's no support. So I think this private public partnership thing is very relevant. I think it's ground zero of the future build out of policy, because we pay for freedom. Why don't we have cyber freedom if we're going to run a business? Where is our help from the government? We pay taxes. So again, if a military showed up, you're not going to see companies fighting the foreign enemy, right? So again, this is a whole new changeover. What's your thought?

>> It really is. You have to remember that cyber attacks put everyone on an even playing field, right? I mean, now you don't have to have a country that has invested a lot in weapons development or nuclear weapons or anything like that. Anyone can basically come up to speed on cyber weapons as long as they have an internet connection. So it evens the playing field, which makes it dangerous, I guess, for our enemies. But absolutely, I think a lot of us, from a personal standpoint, a lot of us researchers, I've seen organizations fail through cyber attacks. We've seen the frustration, we've seen, besides organizations, we've seen people like, just like grandmas lose their pictures of their loved ones because they've been attacked by ransomware. I think we take it very personally when innocent people get attacked, and we make it our mission to make sure we can do everything we can to protect them. But I will add that at least here in the U.S. the federal government actually has a lot of partnerships and a lot of programs to help organizations with cyber attacks.
The US-CERT is always continuously updating organizations about the latest attacks, and InfraGard is another organization run by the FBI, and a lot of companies like Fortinet, and even a lot of other security companies, participate in these organizations. So everyone can come up to speed and everyone can share information. So we all have a fighting chance.

>> It's a whole new wave of paradigm. You guys are on the cutting edge. Derek, always great to see you. Aamir, great to meet you remotely, looking forward to meeting in person when the world comes back to normal as usual. Thanks for the great insights. Appreciate it.

>> Pleasure as always.

>> Okay. Cube Conversation here. I'm John Furrier, host of theCUBE. Great insightful conversation around security and ransomware with a great demo. Check it out from Derek and Aamir from FortiGuard Labs. I'm John Furrier. Thanks for watching.

Published Date : Aug 13 2020
