
Renee Tarun, Fortinet & Derek Manky, FortiGuard Labs | CUBEConversation, March 2020


(soft music)

>> Narrator: From theCUBE studios in Palo Alto and in Boston, connecting with thought leaders all around the world: this is a CUBE Conversation.

>> Everyone, welcome to this special CUBE Conversation. We're here in the Palo Alto studios, where I am, during this critical time of the coronavirus and this work-at-home situation across the United States and around the world. We've got a great interview here today around cybersecurity and the threats that are out there, the threats that are changing as a result of the current situation. We've got two great guests: Derek Manky, Chief of Security Insights and Global Threat Alliances at FortiGuard Labs, and Renee Tarun, Deputy Chief Information Security Officer with Fortinet. Guys, thanks for remotely coming in. Obviously, we're working remotely. Thanks for joining me today on this really important conversation.

>> It's a pleasure to be here.

>> Thanks for having us.

>> So Renee and Derek. Renee, I want to start with you as deputy CISO. There have always been threats. Every day is a crazy day. But now more than ever, over the past 30 to 45 days, we've seen a surge in activity with remote workers. Everyone's working at home. It's disrupting families' lives, how people do business. And also they're connected to the internet, so it's an endpoint. It's a (laughs) hackable environment. We've had different conversations with you guys about this. But now more than ever, it's an at-scale problem. What is the impact of the current situation on that problem statement of working from home, at scale? Are there new threats? What's happening?

>> Yeah, I think you're seeing some organizations have always traditionally had that work-at-home ability. But now what you're seeing is entire workforces that are working from home, and now some companies are scrambling to ensure that they have secure work-at-home for teleworkers at scale.
In addition, some organizations that never had a work-from-home practice are now being forced into that, and so a lot of organizations are now faced with the challenge that employees are bringing their own devices and connecting them to their networks, 'cause employees can't bring their workstations home with them. And if they don't have a company laptop, they're of course using their own personal devices. And some personal devices are used by their kids. They're going out to gaming sites that could be impacted with malware. So it creates a lot of different challenges from a security perspective that a lot of organizations aren't necessarily prepared for. It's not only from a security but also from a scalability perspective.

>> When I'm at home working... I came into the studio to do this interview, so I really wanted to talk to you guys. But when I'm at home, this past couple of weeks, my kids are home. My daughter is watching Netflix. My son's gaming, multiplayer gaming. The surface area from a personnel standpoint, or people standpoint, is increased. My wife's working at home. My daughters are there, two daughters. So this is also now a social issue, because there are more people on the WiFi, there's more bandwidth being used. There's more fear. This has been an opportunity for the hackers: this crime of fear, using the current situation. So is it changing how you guys are recommending people protect themselves at home? Or is it just accelerating a core problem that you've seen before?

>> Yeah, so I think it's not changing. It's changing in terms of priority. I mean, all the things that we've talked about before are just becoming much more critical, I think, at this point in time. If you look at any histories that we've... Lessons we've learned from the past, or haven't learned (laughs). That's something that is just front and center right now. We've seen attack campaigns on any high-level news, anything that's been front and center.
And we've seen successful attack campaigns in the past owing to any sort of high-profile event. We had Olympic Destroyer last Olympic period, when we had them in Korea as an example, in South Korea. We've seen... I can go back 10 years plus and give a history timeline; every single time there's been something dominating the news.

>> John: Yeah.

>> And there have been attack campaigns that leverage that. Obviously this is a much higher focus now, given the global news domination that's happening with COVID, the heightened fear and anxiety. Just the other day at FortiGuard Labs, we pulled up over 600 different phishing emails and scam attempts for COVID-19. And we're actively poring through those. I expect that number to increase. Everybody is trying to hop on this bandwagon. I was just talking to our teams from the labs today. Groups that we haven't seen active since about 2011, 2012. Malware campaign authors. They're riding this bandwagon right now as well. So it's really a suction, if you will, for these cyber criminals. So all of the things that we recommended in the past: obviously being vigilant, looking at those links coming in. Obviously, there's a lot of impersonators. There's a lot of spoofing out there. People are pretending to be the World Health Organization. We wrote a blog on this a couple of weeks back. People have to have this zero trust mentality coming in. Is everyone trying to ride on this? Especially on social networks, on emails. Even phishing and voice vishing, so the voice phishing. You really have to put more... People have to put more of a safeguard up. Not only for their personal health, like everyone's doing the social distancing, but also virtual (laughs) social distancing when it comes to really trusting who's trying to send you these links.

>> Well, I'm glad you guys have FortiGuard Labs there. And I think folks watching should check it out, and keep sending us that data. I think watching the data is critical.
Everyone's watching the data. They want the real data. You brought up a good point, Renee. I want to get your thoughts on this, because the at-scale thing really gets my attention, because there's more people at home, as I mentioned, from a social construct standpoint. Work at home is opening up new challenges for companies that haven't been prepared, even though ones that are prepared have known at scale. So you have a spectrum of challenges. The social engineering is the big thing on phishing. You're seeing all kinds of heightened awareness. It is a crime of opportunity for hackers, like Derek just pointed out. What's your advice? What's your vision of what's happening? How do you see it evolving? And what can people do to protect themselves? What are the key threats? And what steps are people taking?

>> Yeah, I think, like Derek said, it's kind of similar to how in the physical world we're washing our hands, we're keeping 6 feet away from people. We could distance from our adversaries as well. Again, when you're looking at your emails, ensuring that you're only opening attachments from people that you know. Hovering over the links to ensure that they are from legitimate sources. And being mindful that when you're seeing these types of attacks coming in, whether they are coming through emails or through your phones, take a moment and pause and think about: would someone be contacting me through my cell phone? Through sending me a text message? Or emails asking me for personal information? Asking me for user IDs and passwords, credentials and information? So you kind of need to take that second and really think before you start taking actions. And similar to opening attachments, we've seen a lot of cases where someone attaches a PDF file to an email, but when you open up the PDF it's actually malware. So you need to be careful and think to yourself: was I expecting this attachment? Do I know the person?
And take steps to actually follow up and call that person directly and say, "Hey, did you really send this to me? Is this legitimate?"

>> And the thing--

>> You've got to be careful what you're opening up, which links you click on. But while I've got you here, I want to get your opinion on this, because there's digital attacks and then there's phone-based attacks. We all have mobile phones. I know this might be a little bit too elementary, but I do want to get it out there. Can you define the difference between phishing and spear phishing, for the folks that are trying to understand the difference in phishing and spear phishing techniques?

>> The main difference is spear phishing is really targeting a specific individual, or a specific role within a company. For example, targeting the CEO or the CFO. So those are attacks that are specifically targeting a specific individual or specific role. Whereas phishing emails are targeting just mass people, regardless of their roles and responsibilities.

>> So I'm reading the blog post that you guys put out, which I think everyone... I'll put the link on SiliconANGLE later. But it's on fortinet.com. Under digital attacks you've got the phishing and spear phishing, which is general targeting in an email or individually spear phishing someone specifically. But you guys list social media deception, pretexting and water holing as the key areas. Is that just based on statistics? Or just the techniques that people are using? Can you guys comment on and react to those different techniques?

>> Yeah, so I think with the water holing specifically as well. The water holing attack refers to people that every day, as part of their routine, go to some sort of, usually, a news source. It could be their favorite sites, social media, etc. Those sorts of sources, because it's expected for people to go and drink from a water hole, are prime targets for these attackers.
They can definitely be used for spear phishing, but also for the masses for these phishing campaigns. Those are more effective. Attackers like to cast a wide net. And it's especially effective if you think of the climate that's happening right now, like you said earlier at the start of this conversation: that expanded attack surface, and also the usage of bandwidth and more platforms now, applications. There's simply more traffic going to these sites. People have more time at home through telework to virtually go to these sites. And so, yeah. Usually what we see in these water holing attacks can definitely be phishing sites that are set up on these pages, 'cause they might have been compromised. So this is something even for people who are hosting these websites, right? There's always two sides of the coin. You've got security on your client side and your server side security--

>> So spear phishing is targeting an individual, water holing is the net that gets a lot of people, and then they go from there. Can you guys, Renee or Derek, talk about social media deception and pretexting? These are other techniques as well that are popular. Can you guys comment and define those?

>> Yeah, so some of the pretexting that you're seeing, what's happening is adversaries are either sending texts, trying to get people to click on links, go to malicious sites, and they're also setting up these fabricated stories and they're trying to call, acting like they're a legitimate source. And again, trying to use tactics, and a lot of times scare tactics, trying to get people to divulge information, personal information: credit card numbers, social security numbers, user IDs and passwords, to gain access to either--

>> So misinformation campaigns would be an example, like, "I've got a COVID virus vaccine, put your credit card down now and get on the mailing list." Is that kind of the general gist there?

>> Absolutely.

>> Okay.
>> And we've also seen, as another example, and this was in one of our blogs I think about a couple of weeks ago, some of the first waves of these attacks that we saw was also, again, impersonating the World Health Organization as part of pretexting. Saying that there's important alerts and updates that these readers must read in their regions, but they're of course malicious documents that are attached.

>> Yeah, how do people just get educated on this? This is really challenging, because if you're a nerd like us you can know what a URL looks like, and you can tell it's a host server or host name that's not real. But when they're embedded in these social networks, how do you know? What's the big challenge? Just education and kind of awareness?

>> Yeah, so I'll just jump in quickly on that. From my point of view, it's the whole ecosystem, right? There's no just one silver bullet. Education, cyber hygiene, for sure. But beyond that, obviously, this is where the security solutions pop in. So having that layered defense, right? That goes a long way, everything from anti-spam to antivirus, to be able to scan those malicious attachments. Endpoint security. Especially now, in the telework force that we're dealing with, having managed endpoint security from a distributed enterprise angle is very important, because all of these workstations that were within the corporate network before are now roaming, quote unquote, roaming or from home. So it's a multi-pronged approach, really. But education is of course a very good line of defense for our employees. And I think updated education on a weekly basis.

>> Okay, before we get to the remote action steps, 'cause I think the remote workers at scale is the critical problem that we're seeing now, I want to just close out this attack social engineering thing. There's also phone-based attacks. We all have mobile phones, right? So we use smartphones. There's other techniques in that.
What are the techniques for the phone-based attacks?

>> Yeah, a lot of times you'll see adversaries, they're spoofing other phones. So what happens is that when you receive a call or a text, it looks like it's coming from a number in your local area. So a lot of times that kind of gives you a false sense of security, thinking that it is a legitimate call, when in reality they're simply just spoofing the number. And it's really coming from somewhere else in the country or somewhere else in the world.

>> So I get a call from Apple support and it's not Apple support. They don't have a callback, that's spoofing?

>> That's one way, but also the number itself. When you see the number coming in. For example, I'm in the 410 area code. Emails coming in from my area code with my exchange is another example where it looks like it's someone that's either a close friend or someone within my community, when in reality it's not.

>> And at the end of the day too, the biggest red flags for these attacks are unsolicited information, right? If they're asking for any information, always, always treat that as a red flag. We've seen this in the past. Just as an example, with call centers, hotels too. Hackers have had access right to the switchboards to call guest rooms and say that there's a problem at the front desk and they just want to register the user's information, and they ask for credit card guest information to confirm all sorts of things. So again, anytime information is asked for, always think twice. Try to verify. Callback numbers are a great thing. Same thing in social media: if someone's messaging you, right? Try to engage in that dialogue conversation, verify their identity.

>> So you've got--

>> That's also another good example of social media. Another form of social engineering attack is where people are creating profiles in, say for example, LinkedIn.
And they're acting like they're either someone from your company or a former colleague or friend, as another way to try and make that human-to-human connection in order to do malicious things.

>> Well, we've discussed with you guys in the past around LinkedIn as a feeding ground for spear phishing, because, "Hey, here, don't tell your boss, but here's a PDF job opening paying a huge salary. You're qualified." Of course I'm going to look at that, right? So a lot of that goes on. We see that happen a lot. I want to get your thoughts, Renee, on the vishing and phishing. Smishing is the legitimate source spoofing and vishing is the cloaking or spoofing, right?

>> Yeah, smishing is really the text-based attacks that you're seeing through your phones. Vishing is using more of a combination of someone that is using a phone-based attack but also creating a fake profile, creating a persona. A fabricated story that's ultimately fake but believable. And trying to encourage you to provide information, sensitive information.

>> Well, I really appreciate you guys coming on and talking about the attackers trying to take advantage of the current situation. The remote workers, again, this is the big at-scale thing. What are the steps that people can take, companies can take, to protect themselves from the at-scale remote worker situation that could be going on for quite some time now?

>> Yeah. So again, at that scale, with people in this new normal, as we call it, teleworking. Being at scale is... Everyone has to do their part. So I would recommend, from an IT standpoint, keeping all employees virtually in the loop. So weekly updates from security teams. The cyber hygiene practice, especially patch management, is critically important too, right? You have a lot of these other devices connected to networks, like you said. IoT devices, all these things that are all prime attack targets. So keep doing all the things that we've talked about before, like patch management.
Be vigilant on that from an end user perspective. I think especially putting into the employees that they have to be aware that they are highly at risk for this. And I think there has to be... We talked about changes earlier. In terms of mentality, education, cyber hygiene, that doesn't change. But I think the way that this isn't forced now, that starts with the change, right? That's a big focus point, especially from an IT security standpoint.

>> Well, Derek, keep that stat and keep those stats coming in to us. We are very interested. You've got the insight. You're the chief of the insights and the global threat. You guys do a great job at FortiGuard Labs. That's phenomenal. Renee, I'd like you to have the final word on the segment here, and we can get back to our remote working and living. What is going on in the mind of the CISO right now? Because again, a lot of people are concerned. They don't know how long it's going to last. Certainly we're now in a new normal. Whatever happens going forward as a post-pandemic world, what's going on in the mind of the CISO right now? What are they thinking? What are they planning for? What's going on?

>> Yeah, I think there's a lot of uncertainty. And I think the remote teleworking, again, making sure that employees have secure remote access that can scale. I think that's going to be on the forefront. But again, making sure that people connecting remotely don't end up introducing additional potential vulnerabilities into your network. And again, just keeping aware. Working closely with the IT teams to ensure that we keep our workforces updated and trained, and continue to be vigilant with our monitoring capabilities, as well as ensuring that we're prepared for potential attacks.

>> Well, I appreciate your insights, folks, here. This is great. Renee and Derek, thanks for coming on. We want to bring you back in when we do a digital event here in the studio and get the data out there. People are interested.
People are making changes. Maybe this could be a good thing. Make some lemonade out of the lemons that are in the industry right now. So thank you for taking the time to share what's going on in the cyber risks. Thank you.

>> Thank you, we'll keep those stats coming.

>> Okay, CUBE Conversation here in Palo Alto with the remote guests. That's what we're doing now. We are working remotely with all of our CUBE interviews. Thanks for watching. I'm John Furrier, co-host of theCUBE.

(soft music)

Published Date : Mar 27 2020


Tony Giandomenico, Fortinet FortiGuard Labs | CUBEConversation, February 2019


(dramatic string music)

>> Hi, I'm Peter Burris, and welcome to another theCUBE Conversation from our outstanding studios here in beautiful Palo Alto, California. Like all our CUBE Conversations, we've got a great one today. In this one we're going to talk about some of the trends that people are experiencing in the world of security and threats. And to have that conversation, we've got Tony Giandomenico, who's a senior security strategist and researcher at Fortinet's FortiGuard Labs. Tony, welcome back to theCUBE.

>> Hey Peter, how ya doin', man? It's great to be here.

>> It's great to see you again, Tony. Look, we've had this conversation now for at least four quarters, and FortiGuard Labs has published their overall threat analysis for at least the past couple of years, and that's what we're going to talk about today. So, give us a little bit of an overview of what this report entails. Where does the data come from, and how are you using it within Fortinet and FortiGuard Labs?

>> Sure, sure, well, so this is a quarterly threat landscape report, right? So obviously, we do it on a quarterly basis, and it's really geared towards the IT security professional, from the CSO all the way down to, you know, the folks that are actually in the operations, you know, the daily operations. And we're getting billions of events that we're observing in real-time production environments, and we're looking specifically at application exploits, we're looking at malware, we're looking at botnets, and we hope to be able to identify different trends and then maybe be able to translate that for the IT security professional, to be able to figure out where they should be focusing their security efforts.

>> Yeah, and I think that's an important issue, because you can't know what you should do next if you don't know what's happening right now or what has happened recently.
But you've tried to provide, let's call it a more general flavor to the report this year, in the sense that you've introduced some indices that show trends over time. Talk to us a little bit about that.

>> Sure, yeah, so last quarter we finally introduced what's referred to as our threat index. And what we were trying to do is be able to track the ebbs and flows of threats over time, and like you know, we always break down our exploits or our threats into application exploits, malware and botnets, so each one of them also has its individual index. Now, although there were some peaks and valleys, and application exploits did hit an all-time high, at the end of the quarter it ended up around the same as the threat index did last quarter, and I think a lot of that may be actually driven by the holiday season. Now, if I had a crystal ball, I would probably think that in future quarters the threat index is probably going to continue to increase.

>> And I think that there's a couple of reasons for that, right? When you say it's the holiday quarter, the overall threat index goes down because as people spend time home for the holidays, take vacation, a little less time at work, they're opening fewer malicious files from fewer unknown sources or bad websites. But I think you've made the point multiple times that just because they're not opening a bad file in an email attachment right now, doesn't mean that they're not going to open it when they get back to work.

>> Yeah, that is definitely true, but you know what? Maybe they are more focused and they'll be more attentive to looking at their email. I will also say, the bad guys need a break too, right? So, when a holiday season comes around, I mean, they're going to probably slow down some of their malware and some of their exploits and, you know, just kind of enjoy the holidays.

>> (laughs) Good for them. All right, so let's take a look at each of the different areas.
The overall threat index is comprised of, as you said, the application exploits, malware and botnets. So, let's take them one at a time. What did we see in the threat index as it pertains to application exploits? What were the big trends?

>> Well, of the top 12, six of them, you know Peter, do you know what the six exploits we're focusing on for the top 12 are, any idea?

>> I read the report, so yes, but tell us.

>> Okay, yes, IoT. Now, that's not extremely interesting, because we continue to see quarter over quarter that the adversaries are targeting more of the IoT devices, which makes sense, right? I mean, there's a lot of them out there, the volume is there, and of course, they're not as secure as they typically need to be. But what's interesting though, out of those six, four of them happen to be IP cameras, right? So, these monitoring devices that are monitoring your physical security, the adversaries are targeting those a little bit more because they understand that this cyber world and the physical security, they're combining, and when they're combining, if you're bringing over a physical security device that already has vulnerabilities, you're bringing that vulnerability with you, and that would just open up an opportunity for the adversary to be able to penetrate into that particular device and then get access to your internal network.

>> Yeah, let me ask you a question, Tony, because I was very interested in the incidents related to cameras, because cameras is kind of one of those domains, one of those technologies, one of those use cases that is somewhere between the old OT world, the operational technology world, and the IT world or the IoT world, where in the OT world folks have spent an enormous amount of time making sure that the devices that they utilize are as secure as they possibly can be. I mean, they've got huge teams devoted to this.
In the IoT world, we're working on speed, we're working on software defined, we're working on a little bit more generalization. But this notion of cameras just kind of coming in from an IoT side but hitting the OT side, is that one of the reasons why cameras in particular are vulnerable? And does that tell us something about how IT and OT have to work together, based on the data that we're seeing in the report?

>> Yeah, I mean, I would totally agree, right? Because a lot of those different types of technologies have been isolated, meaning that not everybody had the ability to reach out and touch it, maybe security, you know, wasn't top of mind there, but now that convergence is taking place, it's really top priority to make sure that if you are merging those things together, make sure that those devices are part of your threat and vulnerability management process, 'cause now vulnerabilities that may actually be introduced from that particular device can affect your entire cyber assets.

>> Yeah, I think it's a great point. The cheap, what one might regard as constrained, devices nonetheless have awesome processing power, and if they're connected can have enormous implications. Okay, let's move from the application exploits into the malware world. What was the big trend in malware in this past report?

>> Sure, sure, yeah, so what we continue to see, and I think this is great, sharing information, sharing threat information, sharing malware samples, is awesome, and we've been doing it for a long time, and we continue to see more and more publicly available sources for showing exploits, for showing malware, you know, open source malware, and that's great, because as a cyber defender, it's great that I can research this and I can ensure that I have the right detections and ultimately the right protections against those particular threats. I would also add that we have such a skill shortage, right?
I mean, we're trying to build up our future cyber warriors, and the way we want to be able to do that, obviously, is through a lot of training, and we can give them great examples that they can actually glean and learn from. And so all of this is good, but at the same time, when you have all this information out there, you know, freely available, of course the adversaries have access, they have access to it as well. So, what that means is, I'll give you an example, Peter. You'll download, let's say there's open source malware that's ransomware. You can download that, modify the bitcoin address of where that victim is supposed to send the ransom, and you've just operationalized this ransomware. But then again, you might be saying, well, you know, you just said that it's available for us to be able to research and have better detections, and you're right, most of the time we'll detect that. But now you add in the fact that there's a whole bunch of open source evasion tools that you can run your malware through that would obfuscate the malware, possibly enough that it can circumvent some of the actual security controls that you have in place. So, it's a good thing, but we do continue to see some of the bad guys leverage it as well.

>> So, let me see if I can put that in the context of some overall industry trends. Historically, the things that got the greatest install base were the targets that were preferred by bad actors, because they could do the most damage in those large numbers, and open source, as we improve these toolings, we see more people flock to that set of tools, and as those tools become more popular, they both have more value to the enterprise as a protection, but they become increasingly obvious targets to the bad actors. Is that kind of what you're saying?

>> Yeah sure, it's almost like the cybercrime ecosystem, the actual tools that are available, the services that are available at your fingertips, no longer do you need to be an expert.
To begin a life of cybercrime, you just need to know where to get these resources and that is what's really driving the volume of attacks these days, so you're absolutely right, Peter. >> So, we've talked a little bit about application exploitation, we've talked a little about malware, now these are things that we look at before the system gets compromised. We're really concerned about avoiding them getting a footprint or hold within our system. Now, let's talk about botnets, which are particularly interesting because often the botnet gets turned on and becomes a source of danger after the compromises take place. What do trends in botnets tell us? >> Sure, sure, yeah, so one interesting point in botnets in quarter four was the fact that the initial botnet infections per firm was up 15% from the quarter before, so what that means is, on average, each firm saw about 12 botnet infections for that quarter and that kind of translates into, out of maybe the 91 days that you have in that quarter, 12 of those days, they actually had some type of botnet infection that they had to actually respond to, right? 'Cause they got to respond. Like you said Peter, the infection's already there, somehow the payload circumvented their security defenses, it's on there and it's trying to communicate out to its command and control infrastructure, whether it's to download other malware, whether it's to actually possibly provide different types of commands to execute their cyber mission, whatever it is, it's there, and that's where we were sort of triggering on it.
And I'll add to this, because of this, you got to invoke your incident response process, which means you're taking time, you're taking resources away for folks that are probably working on other projects to be able to help them fortify their overall security program more, which I think underscores the need to be able to ensure that you're leveraging technology to help you make some of these automated decisions, with being able to prevent and ultimately, hopefully, be able to remediate those threats. >> Yeah, so we've seen application exploits down a little bit, malware down a little bit, largely because the fourth quarter's a holiday quarter. We've seen botnets also follow those trends but still we have to be concerned about the number of net new days in which a botnet is operating. Is there something that we started to see in the data that requires new thinking, new approaches? What about all these memes that people are downloading, for example? >> (laughs) Yeah, I tell ya, you know social media, right? Love pictures. You know, whether it's Facebook, whether it's Twitter, you know, Instagram, words are good, but what's even better it seems is pictures. People love pictures and adversaries know that, so with an attack called leveraging steganography, I think I spoke about that a couple, maybe it was last year, you know sometime, we talked about that, but if you don't remember, steganography is really the art of hiding something in a picture file, whether it was a message, whether it was a malicious payload or it could even be different types of commands that the adversary wants to do to overall be able to complete their cyber mission, so they hide that information in there. And the adversaries, to be able to attack or leverage a steganography attack, they're using social media as a means of that communication.
And what's interesting about that is nowadays, you know, maybe 10 years ago, not as much, but nowadays, social media traffic and apps are kind of acceptable on a network these days, right? The marketing organizations' comms and PR, they leverage these social media sites. It's a key part of their overall plan, so you're going to see a lot of social media traffic in the network, so the adversary, if they can blend in with that normal traffic, they may go unnoticed for quite some time. >> So, as new sources of data are exploited by the business to engage their customers, like social media, new technologies or new concepts like steganography or, steganography's been around for a long time, but it's new to a lot of people, becomes something that increasingly has to be observed and tracked and acted upon. >> Yeah, you know I always say this is like, we want to continue to advance technology, right? We want to leverage it, why? Because overall, it makes our society better. Makes my life better, makes your life better, makes everybody, you know, future generations' lives better, but we need to make sure that we are securing the advancement of that actual technology, so it's a constant kind of catch-up game for us. >> Yes, I need my cat pictures, Tony. All right, so I want to do one last thing here. We learned a lot in the overall FortiGuard Labs reports over the past few quarters, certainly since you've come on theCUBE, I've learned a lot, and I'm sure everybody who's been watching these CUBE Conversations has learned a lot as well. Let's now think about some recommendations. If we kind of quickly summarize what happened in 2018, what does it tell us about things that people should do differently in 2019? What are the kind of two or three key recommendations that FortiGuard Labs is putting forward right now? >> Yeah, I think one of the things that we continue to see is just how these threats are becoming bigger, faster, stronger, right?
And that's really being sort of driven by the cybercrime ecosystem, the advancement of these types of attacks. So, how do you continue to ensure that you can keep up with this sophistication and this volume? And I'll kind of make it simple at a high level, obviously it goes a lot deeper, but the first thing is having awareness. I really feel people don't truly know what they're actually protecting within all of their cyber assets. What are operating systems? What software? Where are they located? Where is their data located? How is their data flowing from system to system? I don't think they have a good understanding of that, so having that awareness, right? It's getting even harder now because it's cloud, right? It's on your workstation, it's in the cloud, it's all over the place. So, it's good to get a handle on that, and once you have that, you need to act on it. So, whether it's identifying vulnerabilities that need to be, say, patched or whether it's finding some type of threat in your environment and taking action, it's important that we need skilled resources to be able to deal with that. But I would say, once again, look at automation. How can you leverage technology to be able to communicate with each other through open APIs and make some automated decisions for you, isolate those threats, allow you to fight through the attack a little bit more so you can figure out what to do? Ultimately, hopefully it's going to minimize the impact of that one breach. And I would say this, threats are going to get in, but if you can continue to resist that threat before it gets into the core of your network, that's a win for everybody. So, continue to resist is a big one. That initial access, it's going to happen. Continue to resist, so you can ensure the minimization of the actual impact of that risk, of that threat. >> I got two quick comments about that, Tony. Tell me if I can summarize this right.
One is that, look, everybody's going to digital, everybody's going through digital transformation, very few firms however have truly adopted an asset-oriented approach to their data. What you're saying is security is how you go about making your data private so that you get value out of it and not bad people. That's I think kind of an overarching statement, that this is a business problem that has to be treated like a business problem and invested in like a business problem. The second thing >> Possible. >> that I would say, and let me see if I got this right, that the idea ultimately, that data stays in one place and is used only in one way is wrong. It's going to change over time, and we have to acknowledge that there's not one approach to how we go about data security and handling these threats. There's differences in application exploitation, differences in malware and as you've said, botnets are indications that something's already happened, so we have to use a more balanced comprehensive view to how we think about handling the threats against us. Have I got that right? >> Yeah, absolutely. And I'll just end it with that, there's a lot of things that you have to deal with, and we have such a cybersecurity shortage, and you can never get to everything, but like you had said, it's a business issue. If you can understand your critical business processes and focus on those things, those assets, that data, that is going to be how you're going to prioritize and ensure that you can minimize the overall impact of an actual threat that may actually enter into your environment. >> Tony Giandomenico, senior security strategist and researcher at FortiGuard Labs at Fortinet. Once again Tony, thanks for being on theCUBE. >> It's always a pleasure Peter. >> And always love having Tony G. on. Hopefully, you've enjoyed this CUBE Conversation as well. Until next time, I'm Peter Burris. Talk to you soon. (upbeat string music)
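The steganography point raised in the conversation above, as an added worked example that is not part of theCUBE transcript and is not FortiGuard Labs' tooling: the code hides a payload in the least-significant bit of every sample of an "image", recovers it, and then runs the pairs-of-values chi-square check that steganalysts use to spot exactly that kind of embedding. The image is a constructed byte array with the even/odd value bias real pictures tend to have, and the beacon command and the hostname in it are made up for the example.

```python
import random


def _bits(data: bytes):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def lsb_embed(cover: bytes, payload: bytes) -> bytes:
    """Hide payload in the least-significant bit of each cover byte.
    A 4-byte big-endian length header goes first so the extractor knows
    where the payload ends. Each cover byte moves by at most 1, which is
    invisible to the eye in an 8-bit-per-channel picture."""
    framed = len(payload).to_bytes(4, "big") + payload
    if len(framed) * 8 > len(cover):
        raise ValueError("cover too small: need %d samples, have %d" % (len(framed) * 8, len(cover)))
    out = bytearray(cover)
    for i, bit in enumerate(_bits(framed)):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def lsb_extract(stego: bytes) -> bytes:
    """Reverse of lsb_embed: read the length header, then that many bytes."""
    def read(start_bit: int, nbytes: int) -> bytes:
        buf = bytearray()
        for b in range(nbytes):
            value = 0
            for k in range(8):
                value = (value << 1) | (stego[start_bit + b * 8 + k] & 1)
            buf.append(value)
        return bytes(buf)
    length = int.from_bytes(read(0, 4), "big")
    if 32 + length * 8 > len(stego):
        raise ValueError("length header exceeds image size; not an LSB container")
    return read(32, length)


def pov_chi_square(pixels: bytes) -> float:
    """Pairs-of-values statistic (Westfeld and Pfitzmann): sum over k of
    (n_2k - n_2k+1)^2 / (n_2k + n_2k+1). Natural covers have unequal
    counts inside each pair; overwriting LSBs with payload bits pushes
    every pair toward equality, so the statistic collapses."""
    counts = [0] * 256
    for p in pixels:
        counts[p] += 1
    stat = 0.0
    for k in range(128):
        even, odd = counts[2 * k], counts[2 * k + 1]
        if even + odd:
            stat += (even - odd) ** 2 / (even + odd)
    return stat


def make_biased_cover(n: int, seed: int = 1) -> bytes:
    """Constructed stand-in for an image: n 8-bit samples whose LSB is 0
    about 80% of the time, mimicking the pair imbalance of real covers."""
    rng = random.Random(seed)
    out = bytearray()
    for _ in range(n):
        value = rng.randrange(0, 256) & 0xFE
        if rng.random() < 0.2:
            value |= 1
        out.append(value)
    return bytes(out)


def demo() -> dict:
    """Round-trip a C2 command, then fill the cover with random bytes (what an
    encrypted payload looks like) and compare the detector before and after."""
    cover = make_biased_cover(4096)
    command = b"beacon c2.example.invalid every 600s"  # constructed, not a real host
    stego = lsb_embed(cover, command)
    recovered = lsb_extract(stego)
    max_delta = max(abs(a - b) for a, b in zip(cover, stego))
    rng = random.Random(7)
    full = bytes(rng.randrange(256) for _ in range(len(cover) // 8 - 4))
    return {
        "recovered": recovered,
        "max_pixel_delta": max_delta,
        "cover_stat": pov_chi_square(cover),
        "stego_stat": pov_chi_square(lsb_embed(cover, full)),
    }


if __name__ == "__main__":
    print(demo())
```

The recovered command matches byte for byte while no sample moved by more than one level, which is why a human looking at the picture sees nothing; the chi-square statistic, though, drops by roughly an order of magnitude once the LSB plane is overwritten, which is the signal a content inspection engine can key on for images crossing the social media channels the conversation describes.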

Published Date : Feb 22 2019


Anthony "Tony G" Giandomenico, Fortinet & FortiGuard Labs | CUBEConversation, August 2018


 

(Intense orchestral music) >> Hi, I'm Peter Burris and once again welcome to a CUBEConversation from our beautiful studios here in Palo Alto, California. For the last few quarters I've been lucky enough to speak with Tony Giandomenico, who's the Senior Security Strategist and Researcher at Fortinet, specifically in the FortiGuard labs, about some of the recent trends that they've been encountering and some of the significant, groundbreaking, industry-wide research we do on security threats, and trends in vulnerabilities. And once again, Tony's here on theCUBE to talk about the second quarter report, Tony, welcome back to theCUBE. >> Hey, Peter, it's great to be here man, you know, sorry I actually couldn't be right there with you though, I'm actually in Las Vegas for the Black Hat DEF CON Conference this time so, I'm havin' a lot of fun here, but definitely missin' you back in the studio. >> Well, we'll getcha next time, but, it's good to have you down there because, (chuckles) we need your help. So, Tony, let's start with the obvious, second quarter report, this is the Fortinet threat landscape report. What were some of the key findings? >> Yeah, so there's a lot of them, but I think some of the key ones were, one, you know, cryptojacking is actually moving into the IoT and media device space. Also, we did an interesting report, that we'll talk about a little bit later within the actual threat report itself, was really around the amount of vulnerabilities that are actually actively being exploited over that actual Q2 period. And then lastly, we did start to see the bad guys using agile development methodologies to quickly get updates into their malware code. >> So let's take each of those in turn, because they're all three crucially important topics, starting with crypto, starting with cryptojacking, and the relationship between IoT.
The world is awash in IoT, it's an especially important domain, it's going to have an enormous number of opportunities for businesses, and it's going to have an enormous impact in people's lives. So as these devices roll out, they get more connected through TCP/IP and related types of protocols, they become a threat, what's happening? >> Yeah, what we're seeing now is, I think the bad guys continue to experiment with this whole cryptojacking thing, and if you're not really, for the audience who may not be familiar with cryptojacking, it's really the ability, it's malware, that helps the bad guys mine for cryptocurrencies, and we're seeing that cryptojacking malware move into those IoT devices now, as well as those media devices, and, you know, you might be saying well, are you really getting a lot of resources out of those IoT devices? Well, not necessarily, but, like you mentioned Peter, there's a lot of them out there, right, so the strength is in the number, so I think if they can get a lot of IoTs compromised into an actual botnet, really the strength's in the numbers, and I think you can start to see a lot more of those CPU resources being leveraged across an entire botnet. Now adding onto that, we did see some cryptojacking affecting some of those media devices as well, we have a lot of honeypots out there. Examples would be say, different types of smart TVs, a lot of these software frameworks they have kind of plugins that you can download, and at the end of the day these media devices are basically browsers. And what some folks will do is they'll kind of jailbreak the stuff, and they'll go out there and maybe, for example, they want to be able to download the latest movie, they want to be able to stream that live, it may be a bootleg movie; however, when they go out there and download that stuff, often malware actually comes along for the ride, and we're seeing cryptojacking being downloaded onto those media devices as well.
>> So, the act of trying to skirt some of the limits that are placed on some of these devices, gives often one of the bad guys an opportunity to piggyback on top of that file that's coming down, so, don't break the law, period, and copyright does have a law, because when you do, you're likely going to be encountering other people who are going to break the law, and that could be a problem. >> Absolutely, absolutely. And then I think also, for folks who are actually starting to do that, it really starts to-- we talk a lot about how segmentation, segmenting your network and your corporate environment, things in that nature but, those same methodologies now have to apply at your home, right? Because at your home office, your home network, you're actually starting to build a fairly significant network, so, kind of separating lot of that stuff from your work environment, because everybody these days seems to be working remotely from time to time, so, the last thing you want is to create a conduit for you to actually get malware on your machine, that maybe you go and use for work resources, you don't want that malware then to end up in your environment. >> So, cryptojacking, exploiting IOT devices to dramatically expand the amount of processing power that could be applied to doing bad things. That leads to the second question: there's this kind of notion, it's true about data, but I presume it's also true about bad guys and the things that they're doing, that there's these millions and billions of files out there, that are all bad, but your research has discovered that yeah, there are a lot, but there are a few that are especially responsible for the bad things that are being done, what did you find out about the actual scope of vulnerabilities from a lot of these different options? 
>> Yeah, so what's interesting is, I mean we always play this, and I think all the vendors talk about this cyber hygiene, you got to patch, got to patch, got to patch, well that's easier said than done, and what organizations end up doing is actually trying to prioritize what vulnerabilities they really should be patching first, 'cause they can't patch everything. So we did some natural research where we took about 108 thousand plus vulnerabilities that are actually publicly known, and we wanted to see which ones are actually actively being exploited over an actual quarter, in this case it was Q2 of this year, and we found out, only 5.7% of those vulnerabilities were actively being exploited, so this is great information, I think for the IT security professional, leverage these types of reports to see which particular vulnerabilities are actively being exploited. Because the bad guys are going to look at the ones that are most effective, and they're going to continue to use those, so, prioritize your patching really based on these types of reports. >> Yeah, but let's be clear about this Tony, right, that 108 thousand, looking at 108 thousand potential vulnerabilities, 5.7% is still six thousand possible sources of vulnerability. (Tony laughs) >> So, prioritize those, but that's not something that people are going to do in a manual way, on their own, is it? 
No, no, no, not at all, so there's a lot of, I mean there's a lot of stuff that goes into the automation of those vulnerabilities and things of that nature, and there's different types of methodologies that they can use, but at the end of the day, if you look at these type of reports, and you can read some of the top 10 or top 20 exploits out there, you can determine, hey, I should probably start patching those first, and even, what we see, we see also this trend now of once the malware's in there, it starts to spread laterally, often times in worm-like spreading capabilities, will look for other vulnerabilities to exploit, and move their malware into those systems laterally in the environment, so, just even taking that information and saying oh, okay so once the malware's in there it's going to start leveraging X, Y, Z, vulnerability, let me make sure that those are actually patched first. >> You know Tony the idea of cryptojacking IoT devices and utilizing some new approaches, new methods, new processes to take advantage of that capacity, the idea of a lateral movement of 5.7% of the potential vulnerabilities suggests that even the bad guys are starting to accrete a lot of new experience, new devices, new ways of doing things, finding what they've already learned about some of these vulnerabilities and extending them to different domains. Sounds like the bad guys themselves are starting to develop a fairly high degree of sophistication in the use of advanced application development methodologies, 'cause at the end of the day, they're building apps too aren't they? >> Yeah, absolutely, it's funny, I always use this analogy of from a good guy side, for us to have a good strong security program, of course we need technology controls, but we need the expertise, right, so we need the people, and we also need the processes, right, so very good, streamline sort of processes.
Same thing on the bad guy side, and this is what we're starting to see is a lot more agile development methodologies that the bad guys--(clears throat) are actually using. Prior to, well I think it still happens, but, earlier on, for the bad guys to be able to circumvent a lot of these security defenses, they were leveraging polymorphism, modifying those kind of malwares fairly quickly to evade our defenses. Now, that still happens, and it's very effective still, but I think the industry as a whole is getting better. So the bad guys, I think are starting to use better, more streamlined processes to update their malicious software, their malicious code, to then, always try to stay one step ahead of the actual good guys. >> You know it's interesting, we did a, what we call a crowd chat yesterday, which is an opportunity to bring our communities together and have a conversation about a crucial issue, and this particular one was about AI and the adoption of AI, and we asked the community: What domains are likely to see significant investment and attention? And a domain that was identified as number one was crypto, and a lot of us kind of stepped back and said well why is that and we kind of concluded that one of the primary reasons is is that the bad guys are as advanced, and have an economic incentive to continue to drive the state of the art in bad application development, and that includes the use of AI, and other types of technologies. So, as you think about prices for getting access to these highly powerful systems, including cryptojacking going down, the availability of services that allow us to exploit these technologies, the expansive use of data, the availability of data everywhere, suggests that we're in a pretty significant arms race, for how we utilize these new technologies. What's on the horizon, do you think, over the course of the next few quarters?
And what kinds of things do you anticipate that we're going to be talking about, what headlines will we be reading about over the course of the next few quarters as this war game continues? >> Well I think a lot of it is, and I think you touched upon it, AI, right, so using machine learning in the industry, in cyber we are really excited about this type of technology it's still immature, we still have a long way to go, but it's definitely helping at being able to quickly identify these types of malicious threats. But, on the flip side, the bad guys are doing the same thing, they're leveraging that same artificial intelligence, the machine learning, to be able to modify their malware. So I think we'll continue to see more and more malware that might be AI sort of focused, or AI sort of driven. But at the same time, we've been talking about this a little bit, this swarm type of technology where you have these larger, botnet infrastructures, and instead of the actual mission of a malware being very binary, and if it's in the system, it's either yes or no, it does or it doesn't, and that's it. But I think we'll start to see a little bit more on what's the mission? And whatever that mission is, using artificial intelligence then to be able to determine, well what do I need to do to be able to complete that place, or complete that mission, I think we'll see more of that type of stuff. So with that though, on the good guy side, for the defenses, we need to continue to make sure that our technology controls are talking with each other, and that they're making some automated decisions for us. 'Cause I'd rather get a security professional working in a SOC, I want an alert saying: hey, we've detected a breach, and I've actually quarantined this particular threat at these particular endpoints, or we've contained it in this area. Rather than: hey, you got an alert, you got to figure out what to do.
Minimize the actual impact of the breach, let me fight the attack a little longer, give me some more time. >> False positives are not necessarily a bad thing when the risk is very high. Alright-- >> Yeah, absolutely. >> Tony Giandomenico, Senior Security Strategist and Researcher at Fortinet, the FortiGuard labs, enjoy Black Hat, talk to you again. >> Thanks Peter, it's always good seein' ya! >> And once again this is Peter Burris, CUBEConversation from our Palo Alto studios, 'til next time. (intense orchestral music)
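The patch-prioritization argument in the interview above (only a small fraction of the ~108 thousand known vulnerabilities is exploited in a given quarter, and the ones malware uses to spread laterally deserve to go first), as an added worked example that is not part of theCUBE transcript and is not FortiGuard Labs' methodology or data: it parses constructed IPS telemetry lines, computes the actively-exploited share of a constructed vulnerability catalogue (the placeholder VULN-* identifiers, product names and firm names are made up, not real CVE numbers), and produces a patch order that ranks observed exploitation and lateral-movement use ahead of raw CVSS.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    vid: str       # placeholder identifier (constructed, not a real CVE number)
    product: str
    cvss: float
    lateral: bool  # threat intel says worm-like malware uses it to spread inside a network


# Constructed catalogue standing in for the ~108k publicly known vulnerabilities.
CATALOGUE = [
    Vuln("VULN-A", "web-cms", 9.8, False),
    Vuln("VULN-B", "file-share-server", 8.1, True),
    Vuln("VULN-C", "router-firmware", 7.5, False),
    Vuln("VULN-D", "pdf-reader", 9.1, False),
    Vuln("VULN-E", "database-engine", 6.5, True),
    Vuln("VULN-F", "mail-client", 5.3, False),
]

# Constructed IPS telemetry, one detection per line: "<date> <firm> <vuln-id> <action>".
TELEMETRY = """\
2018-04-02 firm-01 VULN-B blocked
2018-04-02 firm-02 VULN-B blocked
2018-04-03 firm-03 VULN-A blocked
2018-04-03 firm-01 VULN-C blocked
2018-04-05 firm-04 VULN-B blocked
2018-04-05 firm-02 VULN-A blocked
2018-04-06 firm-05 VULN-C blocked
2018-04-07 firm-05 VULN-B detected
2018-04-08 firm-01 VULN-A blocked
2018-04-09 firm-03 VULN-C blocked
"""
TOTAL_FIRMS = 5  # firms contributing telemetry in the sample period (constructed)


def parse_telemetry(text):
    """Return ({vid: set of firms that saw it}, {vid: hit count}); malformed lines are skipped."""
    firms, hits = defaultdict(set), defaultdict(int)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _date, firm, vid, _action = parts
        firms[vid].add(firm)
        hits[vid] += 1
    return firms, hits


def active_share(catalogue, hits):
    """Share of the catalogue with at least one observed exploit attempt;
    the report's 5.7% figure is this ratio over ~108k vulnerabilities."""
    active = sum(1 for v in catalogue if hits.get(v.vid, 0) > 0)
    return active / len(catalogue)


def patch_order(catalogue, firms, hits, total_firms):
    """Rank for patching: actively exploited first; among those, the ones used
    for lateral movement, then prevalence (share of firms that saw attempts),
    then raw volume; CVSS only breaks ties. Unexploited vulnerabilities follow,
    ordered by CVSS, so they are deferred rather than forgotten."""
    def key(v):
        prevalence = len(firms.get(v.vid, ())) / total_firms
        active = prevalence > 0
        return (active, active and v.lateral, prevalence, hits.get(v.vid, 0), v.cvss)
    return [(v.vid, key(v)) for v in sorted(catalogue, key=key, reverse=True)]


def ranked_ids():
    """Convenience wrapper: the patch order for the constructed sample."""
    firms, hits = parse_telemetry(TELEMETRY)
    return [vid for vid, _ in patch_order(CATALOGUE, firms, hits, TOTAL_FIRMS)]


if __name__ == "__main__":
    firms, hits = parse_telemetry(TELEMETRY)
    print("actively exploited share: %.1f%%" % (100 * active_share(CATALOGUE, hits)))
    for vid, k in patch_order(CATALOGUE, firms, hits, TOTAL_FIRMS):
        print(vid, "active=%s lateral=%s prevalence=%.2f hits=%d cvss=%.1f" % k)
```

On this sample the file-sharing bug with the lower CVSS of 8.1 comes out first because it is both actively exploited and flagged for lateral spread, while the 9.1 reader bug that nobody is attacking drops below every exploited one; swapping the constructed telemetry for a real IPS export and the placeholder catalogue for an asset inventory is the only change needed to run the same ranking in production.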

Published Date : Aug 13 2018


(DO NOT MAKE PUBLIC) Anthony Giandomenico, Fortinet FortiGuard Labs | CUBE Conversations, Feb 2018


 

(uplifting music) >> Hi I'm Peter Burris, and welcome to another great CUBE conversation. We're here in our Palo Alto studios with Fortinet's Anthony Giandomenico, Anthony welcome. >> Welcome, it's great to be here. >> So or otherwise known as Tony G. So in theCUBE conversations Tony, we want to talk about interesting and relevant things. Well here's an interesting and relevant thing that just happened: Fortinet has put forward their quarterly Threats report. What is it? What's in it? >> Really, it's something we do on a quarterly basis, and it's really geared towards the IT security profession, so we go from the CSO all the way down to the security operator. And what we're looking at is billions of events that are being observed in real time, you know production environments around the world and what we're hoping to do is look at different types of trends that are specific to application exploits, malware, and botnets and hopefully then provide some recommendations back to those IT security professionals. >> Now Tony, malware's been around for a while, some of the bots are a little bit new, but certainly there's some real new things that are on the horizon like IoT and we've heard recently that there's been some challenge with some of these IoT devices. Is the threat getting more or less intense according to the report? >> Yeah, definitely it's getting more sophisticated, specifically with these IoT devices. What we're seeing as an example with the Reaper and Hajime, always had a hard time actually pronouncing that so I think it's "Hajime". They're actually starting to attack multiple vulnerabilities so instead of just going after one vulnerability, they have multiple vulnerabilities that is inside their malicious code, and then they have the ability to automate the exploitation of those vulnerabilities depending on what the IoT devices are. Now, they're also becoming a lot more resilient.
And what I mean by that is some of the actual botnets like Hajime is able to communicate via P2P to each other. What they kind of creates is a decentralized command and control infrastructure. And then lastly, they're becoming much more agile as well, they have this Lua engine, which enables them to quickly update their code so, giving an example, let's say there's a new vulnerability out there. They can quickly swap out or add the additional exploit before that vulnerability, propagate that out to all of the IoT devices that are part of the botnet, and then they can swarm in on that new vulnerability. >> So Fortinet's Fortiguard Labs is one of the leading researchers in this area, especially internet, enterprise security. What is your recommendations that people do about the increasing intensity of the IoT threats? >> But I think we need to start, at least thinking about fighting these automation attacks or worm attacks with our own swarm-like defenses. And what I mean by that is having a seamless integration and automation across your entire security fabric. Now, there's a lot that actually kind of goes into that, but your technology controls need to start talking to each other, and then you can start automating and taking some action really based on whatever threat happens to be in your environment. Now, it's easier said than done, but if you can do that, you can start automating the continual resistance or resiliency of you being able to actually defend against those automated attack. >> So let's change gears a little bit. Willie Sutton, I think it was Willie Sutton, the famous bank robber was famous for saying, when someone asked him "Why do you rob banks?" he said "That's where the money is." >> All of the money (laughing) >> Crypto-jacking. What's going on with as BitCoin becomes a bigger feature of the whole landscape, what's happening with crypto-jackers, what is it, how does it work, why should we be concerned about it? 
>> Well definitely cryptocurrency is becoming more and more popular these days and the bad guys are definitely taking advantage of that. So when we talk about what is crypto-jacking, so it's really it's sharing, or secretly using, the CPU resources to be able to mine for cryptocurrencies. Now, traditionally you used to have to put some type of application on your machine to be able to mine for cryptocurrencies. Nowadays, all the bad guys really have to do is install a little JavaScript in your browser and away they go. And the only way that you're going to know that your machine may be part of this mining, is it may become super slow and you may be savvy enough to say "Well, maybe look at the CPU." And you look at it and it's pegged at 100%. So that's one of the ways that you can determine that your computer is part of crypto mining. Now in the Q4 report what we've seen is a huge uptick in crypto mining malware, and it's interesting because it's very intertwined with the rise and fall of the BitCoin price. So as we saw the BitCoin price go up, the crypto mining malware went up, and as it actually dropped off so did the activity. The other thing that we actually ended up seeing is actually in the Darknet. There's a bit of a shift where the bad guys used to only accept payment in BitCoin. Now they're looking at accepting other forms of actual cryptocurrency and that also holds true for ransomware. So if you have been infected with ransomware, it's quite possible that they're going to demand that ransom in something other than BitCoin. >> Interesting, so, in fact we had a great previous group conversation with another really esteemed Fortinet guest, and we talked a little bit about this. So one of the prescriptions is businesses have to be careful about the degree to which they think about doing a lot of transactions in cryptocurrencies. But they probably want to have a little bit of reserves just in case. But what should a business do?
What should someone do to mediate some of the challenges associated with crypto-jacking? >> Yeah, I think one of the first things, it's probably self-explanatory to most of us that are actually in the cyber field, but having a good user awareness training program that actually includes keeping up with the latest and greatest tactics, techniques, and the actual threats that the bad guys are doing out there. Now the other obvious thing would probably be just make sure that your security solutions are able to detect the crypto mining URLs and malware. And I would also say-- now I'm not condoning that you actually pay the ransom-- however, it's happened many times where they've paid, I think there were some companies that actually paid over a million dollars in BitCoin, it may actually be an option and if you have that in your incident response plan, and what you want to do sometimes-- and we've seen organizations actively go ahead and do this-- is they'll buy some BitCoin, kind of keep it on hand so if they do have to pay, it streamlines an entire process. Because ransomware, the actual ransom now, you may not be able to pay in BitCoin. You probably have to keep abreast of what the actual trends are in paying up for your ransom because you may have to have other cryptocurrencies on hand as well. >> So, make sure your security's up to date, then you can track these particular and specific resources that tend to do this, have a little bit on reserve, but make sure that you are also tracking which of the currencies are most being used. So, there are other exploits, as you said earlier. Now we see people when someone's not working by doing peer to peer type stuff. The bad guys are constantly innovative, some would argue that they're more inventive than the good guys because they got less risk to worry about. What other threats are the report starting to highlight, that people need to start thinking about? >> So in this Q4 report what we did is we added in the top exploit kit. 
And I think we'll probably continue to do that over the-- >> What's an exploit kit? >> Exploit kit is something, it's a very nice little kind of GUI that allows you to really just kind of point and click, has multiple exploits in there, and it's usually browser based so it's going to be able to compromise usually a vulnerability within the browser, or some of the actual browser plugins, things of that nature, and the one that we had in the Q4 report was the Sundown exploit kit. Now, it was interesting because we didn't necessarily see that one on the top, it might've been top of its game maybe 2014, 2015, but it actually rose in early December to actually kind of be number one for Q4. And it's unique because it does leverage steganography, meaning it's able to hide its malicious code or its harvested information inside image files. So we'll continue to track that, we don't know for sure why it actually kind of rose up in the beginning of December but we'll just actually continue to track it over time. >> So you've already mentioned ransomware but let's return to it because that's at the top of people's minds, we pay lawyers when they come after us with sometimes what looks like ransom. But what is happening, what's the point in ransomware, what's the report on they like? >> Well, what you see is the actual growth and volume and sophistication has really been common amongst all the reports that we have actually put out to date, but not a lot has really changed. In Q4, what we did have was Locky as the number one malware, or ransomware variant along with Global Imposter. Now, it's still the same delivery mechanisms, so you still got the social engineering, it's being delivered through phishing email, but then it's expanding out to let's say compromised websites, malvertising, as well as earlier on last year, we saw where it was being able to propagate from vulnerability to vulnerability so it had this worm-like spreading capability. 
That's all really been the same and not a lot has really sort of changed. The thing that has changed actually is the fact that they're upping the ante a little bit to be able to hopefully increase their chances of you actually falling for that actual scam, is they're making the subject of that scam a little bit more top-of-mind. As an example, the subject may be cryptocurrency because you're more likely to figure out what's going on there, you'll be more likely to download that file or click that link if the subject is something around cryptocurrency because it is top-of-mind today. >> Interestingly enough, I, this morning received an email saying, "You could win some free cryptocurrency." And I said "And you can go into the trash can." (Tony laughing) So what should people do about it? I just threw something away, but what should people generally do to protect their organization from things like ransomware? >> I do get that a lot, I get that question a lot. The first thing I say, if you're trying to protect against ransomware, you follow the same things that you were doing with some of the other threats because I don't think ransomware is that unique when it comes to the protection. The uniqueness is really an impact, because certain threats they'll actually go and steal data and whatnot but when's the last time you heard of a business going out of business or losing money because some data was stolen? Not very often, it seems to be continued as business as usual, but ransomware, locking your files, it could actually bring the business down. So what you want to do is be able to minimize the impact of that actual ransomware so having a good offline backup strategy, so good backup and recovery strategy, making sure you go through those tabletop exercises really to make sure that when you do have to recover, you know exactly how long it's going to take and it's very efficient and very streamlined. >> Practice, practice, practice. 
>> Yup, and don't rely on online backups, shadow copy backups because those things are probably going to be encrypted as well. >> Yup, alright so that's all we have time for today Tony. So, Anthony Giandomenico from-- >> Tony G! (laughing) >> Tony G, who's a senior security strategist researcher at the Fortinet Fortiguard Labs. Thanks very much for this CUBE conversation. >> It was great to be here. >> Peter Burris, once again, we'll see you at the next CUBE Conversation. (uplifting music)

Published Date : Feb 13 2018


Anthony Giandomenico, Fortinet FortiGuard Labs | CUBE Conversation Feb 2018


 

(Upbeat orchestra music) >> Hi, it's Peter Burris with Cube Conversation. We're here with Anthony Giandomenico who's a senior security strategist and researcher at FortiGuard Labs. Tony G! >> Thanks for having me today, Peter! >> Good to see you again! So, Tony G, you spend a lot of time talking to a lot of users, a lot of other professionals, you're doing a lot of research on issues. Give us a quick snapshot. What's the state of security today? >> Well I think there's a lot of things happening right now, I think in the cyberworld. One, a lot of us already know is we have a huge skill shortage. We just don't have enough folks to be able to defend our cyber assets. And, I think the other thing is, you look at some of the mid-tier organizations, maybe a thousand users or so, they don't have those skilled resources, and what happens is they end up relying on different types of technology to help fill that skills gap, and that's good, but what they need to also make sure is that they have an over-arching good solid security program that takes into consideration, technology controls, so you're buying these specific products, but also, what are the processes and what are the actual kind of people that are involved. And are you actually combining all of those to encompass a solid, good, cyber security program? >> Yeah, a bad guy who watches a ransomware attack on a mid-size company, may be a little disappointed that they are not able to get 10 million dollars, but they'll be pretty happy with a million or 500 thousand dollars. That's a good day's work for these guys. >> It's low-hanging fruit, Peter, right? It's much easier, and I think that's the sweet spot for the bad guys, right, because if you go too high, sometimes it's too much effort. You go too low, you're not really getting much. But in the middle, you're getting a decent amount, and a lot of times, they don't have that strong, cyber security program. 
Now, I always tell a lot of my customers in that sweet spot, forget about protecting and monitoring everything. It's not going to happen. You will fail 100% of the time. However, if you focus on what are the key assets, what are those five, six business critical processes, understand the assets that those processes ride over, focus on protecting those. Everything else is ancillary because this is all that really matters to the business. The other thing I would say, Peter, and I think that this is a mindset change. If I'm a security professional and I'm responsible for protecting my cyber assets, and if I'm being measured on whether there's a breach in my network or not, so if there is a breach I fail, that has to go away. Because you will fail every single time. That's not the way you should be measured. You should be measured on, hey, we quickly identified, something in the network, isolated it, we mitigated it, we got everything back up and running, and we're back up and running as normal, minimized the actual damage. That's how I should be graded on. >> So, it's an important point, Tony G, so what we're saying is, that the real metrics associated with this should be the degree to which you can mitigate problems, not whether or not you're 100% clear of everything, because the bad guys are going to find their way at some point in time. >> They got enough time to do it and you don't. So, like if you can quickly identify when they are in the network, isolate it, minimize the damage, and get your business processes back up and running, that's a win! >> One of the things you mentioned, you mentioned for your cyber security, or your cyber assets, which by itself is not an easy thing necessarily to measure. It's hard to say that this cyber asset's worth that, and that cyber asset's worth that, but we do have to make some effort to understand the risks associated with cyber where it's an opportunity cost or whether it's replacement cost or whatever else it might be. 
But it also suggests historically we invest in assets we appreciate the value of those assets. Should security be regarded as an asset, should cyber security be regarded as part of the asset base of the business? What do you think? >> Absolutely, you definitely as a consumer or as someone who is interested in looking at an actual business, I think that's a key asset to make sure that your information is being protected. And, honestly, I don't think it always is. We have these regulations that are tied to making sure for example, if you're storing customer credit cards, there's PCI, and there's all these other now HIPAA regulations, and all that type of stuff, but those regulations still don't seem to be enough, and I think the minute you can turn >> You mean it's not enough and it appears that enterprise has generally continued to under invest in their cyber security assets. Is that kind of what you mean? >> Yeah, I still think it's a check-box. >> Okay, I am compliant, okay, that's enough. I betcha, there are companies out there, they'll put a certain money aside knowing that they're going to get breached, and use that money to be able to pay for their breach or whatever else they have to do to meet those regulations, instead of investing into the actual technology to fortify their environment a lot better. >> Well, at wikibon-- we are doing research on related type things all the time, we're just fascinated by the idea that if a business is going after greater flexibility and agility, a crucial element of that has to be, do you have a cyber security profile that allows you to take advantage of those opportunities, that allows you to connect with those partners, that allows you to set up more intimate relations with a big customer. And it just seems as though that something has to become an explicit feature of the conversation about what are strategic assets. >> Yeah, I totally agree. That kind of stirs up something in my head about cyber insurance. 
I think a lot of companies are also moving towards, well, let me just buy some kind of cyber insurance. And, in the beginning they would go ahead and buy those things, but what they would quickly find out, is that they wouldn't be able to reap the money on an actual breach, because they were out of compliance because they didn't have the good cyber security program they were supposed to have. >> Yeah, the insurance company always finds a way to not pay. Let's talk now about this notion of great agility. We talked about the role that cyber security could play in businesses as they transform the digital world. We've seen a lot of developers starting to enter into cloud-native, cloud-development, new ways of integrating, that requires a mindset shift in the development world about what constitutes security. Now everybody knows, we're not just talking about perimeter, we're talking about something different. What is it that we are talking about? Are we talking about how security is going to move with the data? Are the securities going to be embedded in the API? What do developers have to do differently or how do they have to think differently to make sure that they are building stuff that makes the business more secure? >> Well, before you even start talking about the cloud, or anything else, we still have an issue when we're building our applications, developers still, I don't think are up to speed enough on tracking good, secure coding. I think we're still playing catch-up to that. Now, what you just said, think about where we're at now, we're not even sort of there, now you're going to expand that out into the cloud, it's only going to amplify the actual problem, so there's going to be a lot of challenges that we're going to have to face. We talked about this off-line before, is where's your data going to be? It's going to be everywhere. How are you going to be able to secure that particular data? I think that's going to be a lot of challenges that face ahead of us. 
We have to figure out how to deal with it. >> The last thing I want to talk about, Tony G, is a lot of the applications that folks are going to be building, a lot of things the developers are going to be building, are things that increasingly provide or bring a degree of automation to bear. Think about it, if you've got bad cyber security, you may not know when you've been breached or when you've been hacked or when you've been compromised. You definitely don't want to find out because you've got some automation thing going on that's spinning out of control and doing everything wrong because of a security breach. What's the relationship between increasing automation and the need for more focus and attention on cyber security? >> Usually when I talk about automation, I'm talking about how the bad guys are leveraging automation. Now, I'll give you a little bit of an example here, in our FortiGuard Labs, I think last quarter, I think it was over a million exploits or at least exploit attempts that we were thwarting in one minute. The volume of the attacks are so large these days, and it's really coming from the cyber crime ecosystem. The human cannot actually deal with handling dealing with all those different threats out there, so they need to figure out a way to fight automation with automation. And that's really the key. I had mentioned this earlier on before, is you have to make sure that your technology controls are talking to each other so that they can actually take some automated action. As far as you're concerned as a security operator working in a SOC, no matter how good you are, the process for you to identify something, analyze it and take action on it, it's going to be a couple hours sometimes. Sometimes it's a little bit faster, but usually it's a couple hours. It's way too late by then because that threat could spread all over the place. 
You need those machines to make some of those actual decisions for you, and that's where you start to hear a lot about, and all these buzz-words about artificial intelligence, machine learning, big data analytics. We're really diving into now and trying to figure out how can the machines help us make these automated decisions for us. >> But as you increase the amount of automation, you dramatically expand the threat surface for the number of things that could suddenly be compromised and be taken over as a bad actor. They themselves are more connected. It just amplifies the whole problem. >> Yeah, it gets more complicated, so a system that's more complex, is less secure. >> More vulnerable, sir. >> Yeah, more vulnerable. Absolutely. >> Alright, so once again, Tony G, thanks for being here. We've been speaking on Cube Conversation with Anthony Giandomenico who's with the FortiGuard Labs. He's a security analyst and researcher. Thank you very much for being here. >> Thanks! Thanks for having me. (Techno music)

Published Date : Feb 13 2018


Anthony Giandomenico, Fortinet FortiGuard Labs | CUBE Conversations, Feb 2018


 

(Upbeat orchestra music) >> Hi, it's Peter Burris with Cube Conversation. We're here with Anthony Giandomenico who's a senior security strategist and researcher at FortiGuard Labs. Tony G! >> Thanks for having me today, Peter! >> Good to see you again! So, Tony G, you spend a lot of time talking to a lot of users, a lot of other professionals, you're doing a lot of research on issues. Give us a quick snapshot. What's the state of security today? >> Well I think there's a lot of things happening right now, I think in the cyberworld. One, a lot of us already know is we have a huge skill shortage. We just don't have enough folks to be able to defend our cyber assets. And, I think the other thing is, you look at some of the mid-tier organizations, maybe a thousand users or so, they don't have those skilled resources, and what happens is they end up relying on different types of technology to help fill that skills gap, and that's good, but what they need to also make sure is that they have an over-arching good solid security program that takes into consideration, technology controls, so you're buying these specific products, but also, what are the processes and what are the actual kind of people that are involved. And are you actually combining all of those to encompass a solid, good, cyber security program? >> Yeah, a bad guy who watches a ransomware attack on a mid-size company, may be a little disappointed that they are not able to get 10 million dollars, but they'll be pretty happy with a million or 500 thousand dollars. That's a good day's work for these guys. >> It's low-hanging fruit, Peter, right? It's much easier, and I think that's the sweet spot for the bad guys, right, because if you go too high, sometimes it's too much effort. You go too low, you're not really getting much. But in the middle, you're getting a decent amount, and a lot of times, they don't have that strong, cyber security program. 
Now, I always tell a lot of my customers in that sweet spot, forget about protecting and monitoring everything. It's not going to happen. You will fail 100% of the time. However, if you focus on what are the key assets, what are those five, six business critical processes, understand the assets that those processes ride over, focus on protecting those. Everything else is ancillary because this is all that really matters to the business. The other thing I would say, Peter, and I think that this is a mindset change. If I'm a security professional and I'm responsible for protecting my cyber assets, and if I'm being measured on whether there's a breech in my network or not, so if there is a breech I fail, that has to go away. Because you will fail every single time. That's not the way you should be measured. You should be measured on, hey, we quickly identified, something in the network, isolated it, we mitigated it, we got everything back up and running, and we're back up and running as normal, minimized the actual damage. That's how I should be graded on. >> So, it's an important point, Tony G, so what we're saying is, that the real metrics associated with this should be the degree to which you can mitigate problems, not whether or not you're 100% clear of everything, because the bad guys are going to find their way at some point in time. >> They got enough time to do it and you don't. So, like if you can quickly identify when they are in the network, isolate it, minimize the damage, and get your business processes back up and running, that's a win! >> One of the things you mentioned, you mentioned for your cyber security, or your cyber assets, which by itself is not an easy thing necessarily to measure. It's hard to say that this cyber asset's worth that, and that cyber asset's worth that, but we do have to make some effort to understand the risks associated with cyber where it's an opportunity cost or whether it's replacement cost or whatever else it might be. 
But it also suggests historically we invest in assets we appreciate the value of those assets. Should security be regarded as an asset, should cyber security be regarded as part of the asset base of the business? What do you think? >> Absolutely, you definitely as a consumer or as someone who is interested in looking at an actual business, I think that's a key asset to make sure that your information is being protected. And, honestly, I don't think it always is. We have these regulations that are tied to making sure for example, if you're storing customer credit cards, there's PCI, and there's all these other now HIPPA regulations, and all that type of stuff, but those regulations still don't seem to be enough, and I think the minute you can turn >> You mean it's not enough and it appears that enterprise has generally continued to under invest in their cyber security assets. Is that kind of what you mean? >> Yeah, I still think it's a check-box. >> Okay, I am compliant, okay, that's enough. I betcha, there are companies out there, they'll put a certain money aside knowing that they're going to get breached, and use that money to be able to pay for their breach or whatever else they have to do to meet those regulations, instead of investing into the actual technology to fortify their environment a lot better. >> Well, at wikibon-- we are doing research on related type things all the time, we're just fascinated by the idea that if a business is going after greater flexibility and agility, a crucial element of that has to be, do you have a cyber security profile that allows you to take advantage of those opportunities, that allows you to connect with those partners, that allows you to set up more intimated relations with a big customer. And it just seems as though that something has to become an explicit feature of the conversation about what are strategic assets. >> Yeah, I totally agree. That kind of stirs up something in my head about cyber insurance. 
I think a lot of companies are also moving towards, well, let me just buy some kind of cyber insurance. And, in the beginning they would go ahead and buy those things, but what they would quickly find out, is that they wouldn't be able to reap the money on an actual breach, because they were out of compliance because they didn't have the good cyber security program they were supposed to have. >> Yeah, the insurance company always finds a way to not pay. Let's talk now about this notion of great agility. We talked about the role that cyber security could play in businesses as they transform the digital world. We've seen a lot of developers starting to enter into cloud-native, cloud-development, new ways of integrating, that requires a mindset shift in the development world about what constitutes security. Now everybody knows, we're not just talking about perimeter, we're talking about something different. What is it that we are talking about? Are we talking about how security is going to move with the data? Are the securities going to be embedded in the API? What do developers have to do differently or how do they have to think differently to make sure that they are building stuff that makes the business more secure? >> Well, before you even start talking about the cloud, or anything else, we still have an issue when we're building our applications, developers still, I don't think are up to speed enough on tracking good, secure coding. I think we're still playing catch-up to that. Now, what you just said, think about where we're at now, we're not even sort of there, now you're going to expand that out into the cloud, it's only going to amplify the actual problem, so there's going to be a lot of challenges that we're going to have to face. We talked about this off-line before, is where's your data going to be? It's going to be everywhere. How are you going to be able to secure that particular data? I think that's going to be a lot of challenges that face ahead of us. 
We have to figure out how to deal with it. >> The last thing I want to talk about, Tony G, is a lot of the applications that folks are going to be building, a lot of things the developers are going to be building, are things that increasingly provide or bring a degree 6of automation to bear. hink about it, if you've got bad cyber security, you may not know when you've been breached or when you've been hacked or when you've been compromised. You definitely don't want to find out because you've got some automation thing going on that's spinning out of control and doing everything wrong because of a security breach. What's the relationship between increasing automation and the need for more focus and attention on cyber security? >> Usually when I talk about automation, I'm talking about how the bad guys are leveraging automation. Now, I'll give you a little bit of an example here, in our FortiGuard Labs, I think last quarter, I think it was over a million exploits or at least exploit attempts that we were thwarting in one minute. The volume of the attacks are so large these days, and it's really coming from the cyber crime ecosystem. The human cannot actually deal with handling dealing with all those different threats out there, so they need to figure out a way to fight automation with automation. And that's really the key. I had mentioned this earlier on before, is you have to make sure that your technology controls are talking to each other so that they can actually take some automated action. As far as you're concerned as a security operator working in a sock, no matter how good you are, the process for you to identify something, analyze it and take action on it, it's going to be a couple hours sometimes. Sometimes it's a little bit faster, but usually it's a couple hours. It's way too late by then because that threat could spread all over the place. 
You need those machines to make some of those actual decisions for you, and that's where you start to hear a lot about, and all these buzz-words about artificial intelligence, machine learning, big data analytics. We're really diving into now and trying to figure out how can the machines help us make these automated decisions for us. >> But as you increase the amount of automation, you dramatically expand the threat surface for the number of things that could suddenly be compromised and be taken over as a bad actor. They themselves are more connected. It just amplifies the whole problem. >> Yeah, it gets more complicated, so a system that's more complex, is less secure. >> More vulnerable, sir. >> Yeah, more vulnerable. Absolutely. >> Alright, so once again, Tony G, thanks for being here. We've been speaking on Cube Conversation with Anthony Giandomenico who's with the FortiGuard Labs. He's a security analyst and researcher. Thank you very much for being here. >> Thanks! Thanks for having me. (Techno music)

Published Date : Feb 8 2018

Anthony Giandomenico, Fortinet FortiGuard Labs | CUBE Conversations, Feb 2018

(uplifting music) >> Hi I'm Peter Burris, and welcome to another great CUBE conversation. We're here in our Palo Alto studios with Fortinet's Anthony Giandomenico, Anthony welcome. >> Welcome, it's great to be here. >> So or otherwise known as Tony G. So in theCUBE conversations Tony, we want to talk about interesting and relevant things. Well here's an interesting and relevant thing that just happened: Fortinet has put forward their quarterly Threats report. What is it? What's in it? >> Really, it's something we do on a quarterly basis, and it's really geared towards the IT security profession, so we go from the CSO all the way down to the security operator. And what we're looking at is billions of events that are being observed in real time, you know, production environments around the world and what we're hoping to do is look at different types of trends that are specific to application exploits, malware, and botnets and hopefully then provide some recommendations back to those IT security professionals. >> Now Tony, malware's been around for a while, some of the bots are a little bit new, but certainly there's some real new things that are on the horizon like IoT and we've heard recently that there's been some challenge with some of these IoT devices. Is it the threat getting more or less intense according to the report? >> Yeah, definitely it's getting more sophisticated, specifically with these IoT devices. What we're seeing as an example with the Reaper and Hajime, always had a hard time actually pronouncing that so I think it's "Hajime". They're actually starting to attack multiple vulnerabilities so instead of just going after one vulnerability, they have multiple vulnerabilities that are inside their malicious code, and then they have the ability to automate the exploitation of those vulnerabilities depending on what the IoT devices are. Now, they're also becoming a lot more resilient. 
And what I mean by that is some of the actual botnets like Hajime are able to communicate via P2P to each other. What that kind of creates is a decentralized command and control infrastructure. And then lastly, they're becoming much more agile as well, they have this Lua engine, which enables them to quickly update their code so, giving an example, let's say there's a new vulnerability out there. They can quickly swap out or add the additional exploit for that vulnerability, propagate that out to all of the IoT devices that are part of the botnet, and then they can swarm in on that new vulnerability. >> So Fortinet's FortiGuard Labs is one of the leading researchers in this area, especially internet, enterprise security. What are your recommendations that people do about the increasing intensity of the IoT threats? >> But I think we need to start, at least thinking about fighting these automation attacks or worm attacks with our own swarm-like defenses. And what I mean by that is having a seamless integration and automation across your entire security fabric. Now, there's a lot that actually kind of goes into that, but your technology controls need to start talking to each other, and then you can start automating and taking some action really based on whatever threat happens to be in your environment. Now, it's easier said than done, but if you can do that, you can start automating the continual resistance or resiliency of you being able to actually defend against those automated attacks. >> So let's change gears a little bit. Willie Sutton, I think it was Willie Sutton, the famous bank robber was famous for saying, when someone asked him "Why do you rob banks?" he said "That's where the money is." >> All of the money (laughing) >> Crypto-jacking. What's going on with as BitCoin becomes a bigger feature of the whole landscape, what's happening with crypto-jackers, what is it, how does it work, why should we be concerned about it? 
>> Well definitely cryptocurrency is becoming more and more popular these days and the bad guys are definitely taking advantage of that. So when we talk about what is crypto-jacking, so it's really it's sharing, or secretly using, the CPU resources to be able to mine for cryptocurrencies. Now, traditionally you used to have to put some type of application on your machine to be able to mine for cryptocurrencies. Nowadays, all the bad guys really have to do is install a little JavaScript in your browser and away they go. And the only way that you're going to know that your machine may be part of this mining, is it may become super slow and you may be savvy enough to say "Well, maybe look at the CPU." And you look at it and it's pegged at 100%. So that's one of the ways that you can determine that your computer is part of crypto mining. Now in the Q4 report what we've seen is a huge uptick in crypto mining malware, and it's interesting because it's very intertwined with the rise and fall of the BitCoin price. So as we saw the BitCoin price go up, the crypto mining malware went up, and as it actually dropped off so did the activity. The other thing that we actually ended up seeing is actually in the Darknet. There's a bit of a shift where the bad guys used to only accept payment in BitCoin. Now they're looking at accepting other forms of actual cryptocurrency and that also holds true for ransomware. So if you are infected with ransomware, it's quite possible that they're going to demand that ransom in something other than BitCoin. >> Interesting, so, in fact we had a great previous CUBE conversation with another really esteemed Fortinet guest, and we talked a little bit about this. So one of the prescriptions is businesses have to be careful about the degree to which they think about doing a lot of transactions in cryptocurrencies. But they probably want to have a little bit of reserves just in case. But what should a business do? 
What should someone do to mediate some of the challenges associated with crypto-jacking? >> Yeah, I think one of the first things, it's probably self-explanatory to most of us that are actually in the cyber field, but having a good user awareness training program that actually includes keeping up with the latest and greatest tactics, techniques, and the actual threats that the bad guys are doing out there. Now the other obvious thing would probably be just make sure that your security solutions are able to detect the crypto mining URLs and malware. And I would also say- now I'm not condoning that you actually pay the ransom- however, it's happened many times where they've paid, I think there were some companies that actually paid over a million dollars in BitCoin, it may actually be an option and if you have that in your incident response plan, and what you want to do sometimes- and we've seen organizations actively go ahead and do this- is they'll buy some BitCoin, kind of keep it on hand so if they do have to pay, it streamlines the entire process. Because ransomware, the actual ransom now, you may not be able to pay in BitCoin. You probably have to keep abreast of what are the actual trends in paying up for your ransom because you may have to have other cryptocurrencies on hand as well. >> So, make sure your security's up to date, then you can track these particular and specific resources that tend to do this, have a little bit on reserve, but make sure that you are also tracking which of the currencies are most being used. So, there are other exploits, as you said earlier. Now we see people when someone's not working by doing peer to peer type stuff. The bad guys are constantly innovative, some would argue that they're more inventive than the good guys because they've got less risk to worry about. What other threats is the report starting to highlight, that people need to start thinking about? >> So in this Q4 report what we did is we added in the top exploit kit. 
And I think we'll probably continue to do that over the-- >> What's an exploit kit? >> Exploit kit is something, it's a very nice little kind of GUI that allows you to really just kind of point and click, has multiple exploits in there, and it's usually browser based so it's going to be able to compromise usually a vulnerability within the browser, or some of the actual browser plugins, things of that nature, and the one that we had in the Q4 report was the Sundown exploit kit. Now, it was interesting because we didn't necessarily see that one on the top, it might've been top of its game maybe 2014, 2015, but it actually rose in early December to actually kind of be number one for Q4. And it's unique because it does leverage steganography, meaning it's able to hide its malicious code or its harvested information inside image files. So we'll continue to track that, we don't know for sure why it actually kind of rose up in the beginning of December but we'll just actually continue to track it over time. >> So you've already mentioned ransomware but let's return to it because that's at the top of people's minds, we pay lawyers when they come after us with sometimes what looks like ransom. But what is happening, what's the point in ransomware, what's the report on they like? >> Well, what you see is the actual growth and volume and sophistication has really been common amongst all the reports that we have actually put out to date, but not a lot has really changed. In Q4, what we did have, Locky was the number one malware, or ransomware variant along with GlobalImposter. Now, it's still the same delivery mechanisms, so you still got the social engineering, it's being delivered through phishing email, but then it's expanding out to let's say compromised websites, malvertising, as well as earlier on last year, we saw where it was being able to propagate from vulnerability to vulnerability so it had this worm-like spreading capability. 
That's all really been the same and not a lot has really sort of changed. The thing that has changed actually is the fact that they're upping the ante a little bit to be able to hopefully increase their chances of you actually falling for that actual scam, is they're making the subject of that scam a little bit more top-of-mind. As an example, the subject may be cryptocurrency because you're more likely to figure out what's going on there, you'll be more likely to download that file or click that link if the subject is something around cryptocurrency because it is top-of-mind today. >> Interestingly enough, I, this morning received an email saying, "You could win some free cryptocurrency." And I said "And you can go into the trash can." (Tony laughing) So what should people do about it? I just threw something away, but what should people generally do to protect their organization from things like ransomware? >> I do get that a lot, I get that question a lot. The first thing I say, if you're trying to protect against ransomware, you follow the same things that you were doing with some of the other threats because I don't think ransomware is that unique when it comes to the protection. The uniqueness is really in the impact, because certain threats they'll actually go and steal data and whatnot but when's the last time you heard of a business going out of business or losing money because some data was stolen? Not very often, it seems to be continued as business as usual, but ransomware, locking your files, it could actually bring the business down. So what you want to do is be able to minimize the impact of that actual ransomware so having a good offline backup strategy, so good backup and recovery strategy, making sure you go through those tabletop exercises really to make sure that when you do have to recover, you know exactly how long it's going to take and it's very efficient and very streamlined. >> Practice, practice, practice. 
>> Yup, and don't rely on online backups, shadow copy backups because those things are probably going to be encrypted as well. >> Yup, alright so that's all we have time for today Tony. So, Anthony Giandomenico from-- >> Tony G! (laughing) >> Tony G, who's a senior security strategist researcher at the Fortinet FortiGuard Labs. Thanks very much for this Cube conversation. >> It was great to be here. >> Peter Burris, once again, we'll see you at the next Cube Conversation. (uplifting music)

Published Date : Feb 8 2018

Derek Manky and Aamir Lakhani, FortiGuard Labs | CUBE Conversation, August 2020

>> Announcer: From theCUBE studios in Palo Alto in Boston, connecting with thought leaders all around the world. This is a CUBE conversation. >> Hi everyone. Welcome to this CUBE Conversation. I'm John Furrier host of theCUBE here in the CUBE's Palo Alto studios during the COVID crisis. We're quarantined with our crew, but we got the remote interviews. Got two great guests here from Fortinet FortiGuard Labs, Derek Manky, Chief Security Insights and global threat alliances at Fortinet FortiGuard Labs. And Aamir Lakhani who's the Lead Researcher for the FortiGuard Labs. You guys, it's great to see you. Derek, good to see you again, Aamir, good to meet you too. >> It's been a while and it happens so fast. >> It just seems it was just the other day, Derek, we've done a couple of interviews in between a lot of flow coming out of Fortinet FortiGuard, a lot of action, certainly with COVID everyone's pulled back home, the bad actors taking advantage of the situation. The surface area's increased, really is the perfect storm for security in terms of action, bad actors are at an all time high, new threats. What's going on, take us through what you guys are doing. What's your team makeup look like? What are some of the roles you guys are seeing on your team and how does that transcend to the market? >> Yeah, sure, absolutely. So you're right. I mean like I was saying earlier that is, this always happens fast and furious. We couldn't do this without a world class team at FortiGuard Labs. So we've grown our team now to over 235 globally. There's different roles within the team. If we look 20 years ago, the roles used to be just very pigeonholed into say antivirus analysis, right? Now we have to account for, when we're looking at threats, we have to look at that growing attack surface. We have to look at where are these threats coming from? How frequently are they hitting? What verticals are they hitting? What regions, what are the particular techniques, tactics, procedures? 
So we have threat. This is the world of threat intelligence, of course, contextualizing that information and it takes different skill sets on the backend. And a lot of people don't really realize the behind the scenes, what's happening. And there's a lot of magic happening, not only from what we talked about before in our last conversation from artificial intelligence and machine learning that we do at FortiGuard Labs and automation, but the people. And so today we want to focus on the people and talk about how on the backend we approached a particular threat, we're going to talk to the word ransom and ransomware, look at how we dissect threats, how we correlate that, how we use tools in terms of threat hunting as an example, and then how we actually take that to that last mile and make it actionable so that customers are protected. I would share that information with keys, right, until sharing partners. But again, it comes down to the people. We never have enough people in the industry, there's a big shortage as we know, but it's a really key critical element. And we've been building these training programs for over a decade with them FortiGuard Labs. So, you know John, this to me is exactly why I always say, and I'm sure Aamir can share this too, that there's never a dull day in the office and all we hear that all the time. But I think today, all of you is really get an idea of why that is because it's very dynamic and on the backend, there's a lot of things that we're doing to get our hands dirty with this. >> You know the old expression startup plan Silicon Valley is if you're in the arena, that's where the action is. And it's different than sitting in the stands, watching the game. You guys are certainly in that arena and you got, we've talked and we cover your, the threat report that comes out frequently. But for the folks that aren't in the weeds on all the nuances of security, can you kind of give the 101 ransomware, what's going on? 
What's the state of the ransomware situation? Set the stage because that's still continues to be a threat. I don't go a week, but I don't read a story about another ransomware. And then at least I hear they paid 10 million in Bitcoin or something like, I mean, this is real, that's a real ongoing threat. What is it? >> The (indistinct) quite a bit. But yeah. So I'll give sort of the 101 and then maybe we can pass it to Aamir who is on the front lines, dealing with this every day. You know if we look at the world of, I mean, first of all, the concept of ransom, obviously you have people that has gone extended way way before cybersecurity in the world of physical crime. So of course, the world's first ransomware virus is actually called PC Cyborg. This is a 1989 ransom payment that was demanded through P.O. Box from the voters Panama city at the time, not too effective on floppiness, a very small audience, not a big attack surface. Didn't hear much about it for years. Really, it was around 2010 when we started to see ransomware becoming prolific. And what they did was, what cyber criminals did was shift on success from a fake antivirus software model, which was, popping up a whole bunch of, setting here, your computer's infected with 50 or 60 viruses, PaaS will give you an antivirus solution, which was of course fake. People started catching on, the giggles out people caught on to that. So they, weren't making a lot of money selling this fraudulent software, enter ransomware. And this is where ransomware, it really started to take hold because it wasn't optional to pay for this software. It was mandatory almost for a lot of people because they were losing their data. They couldn't reverse engineer the encryption, couldn't decrypt it, but any universal tool. Ransomware today is very rigid. We just released our threat report for the first half of 2020. And we saw, we've seen things like master boot record, MBR, ransomware. This is persistent. 
It sits before your operating system, when you boot up your computer. So it's hard to get rid of it. Very strong public private key cryptography. So each victim is effective with the direct key, as an example, the list goes on and I'll save that for the demo today, but that's basically, it's just very, it's prolific. We're seeing shuts not only just ransomware attacks for data, we're now starting to see ransom for extortion, for targeted around some cases that are going after critical business. Essentially it's like a DoS holding revenue streams go ransom too. So the ransom demands are getting higher because of this as well. So it's complicated. >> Was mentioning Aamir, why don't you weigh in, I mean, 10 million is a lot. And we reported earlier in this month. Garmin was the company that was hacked, IT got completely locked down. They pay 10 million, Garmin makes all those devices. And as we know, this is impact and that's real numbers. I mean, it's not other little ones, but for the most part, it's nuance, it's a pain in the butt to full on business disruption and extortion. Can you explain how it all works before we go to the demo? >> You know, you're absolutely right. It is a big number and a lot of organizations are willing to pay that number, to get their data back. Essentially their organization and their business is at a complete standstill when they don't pay, all their files are inaccessible to them. Ransomware in general, what it does end up from a very basic overview is it basically makes your files not available to you. They're encrypted. They have essentially a passcode on them that you have to have the correct passcode to decode them. A lot of times that's in a form of a program or actually a physical password you have to type in, but you don't get that access to get your files back unless you pay the ransom. A lot of corporations these days, they are not only paying the ransom. They're actually negotiating with the criminals as well. 
They're trying to say, "Oh, you want 10 million? "How about 4 million?" Sometimes that goes on as well. But it's something that organizations know that if they didn't have the proper backups and the hackers are getting smart, they're trying to go after the backups as well. They're trying to go after your duplicated files. So sometimes you don't have a choice in organizations. Will pay the ransom. >> And it's, they're smart, there's a business. They know the probability of buy versus build or pay versus rebuild. So they kind of know where to attack. They know that the tactics and it's vulnerable. It's not like just some kitty script thing going on. This is real sophisticated stuff it's highly targeted. Can you talk about some use cases there and what goes on with that kind of an attack? >> Absolutely. The cyber criminals are doing reconnaissance and trying to find out as much as they can about their victims. And what happens is they're trying to make sure that they can motivate their victims in the fastest way possible to pay the ransom as well. So there's a lot of attacks going on. We usually, what we're finding now is ransomware is sometimes the last stage of an attack. So an attacker may go into an organization. They may already be taking data out of that organization. They may be stealing customer data, PII, which is personally identifiable information, such as social security numbers, or driver's licenses, or credit card information. Once they've done their entire tap. Once they've gone everything, they can. A lot of times their end stage, their last attack is ransomware. And they encrypt all the files on the system and try and motivate the victim to pay as fast as possible and as much as possible as well. >> I was talking to my buddy of the day. It's like casing the joint there, stay, check it out. They do their recon, reconnaissance. They go in identify what's the best move to make, how to extract the most out of the victim in this case, the target. 
And it really is, I mean, it's just to go on a tangent, why don't we have the right to bear our own arms? Why can't we fight back? I mean, at the end of the day, Derek, this is like, who's protecting me? I mean, what to protect my, build my own arms, or does the government help us? I mean, at some point I got a right to bear my own arms here. I mean, this is the whole security paradigm. >> Yeah. So, I mean, there's a couple of things. So first of all, this is exactly why we do a lot of, I was mentioning the skill shortage in cyber cybersecurity professionals as an example. This is why we do a lot of the heavy lifting on the backend. Obviously from a defensive standpoint, you obviously have the red team, blue team aspect. How do you first, there's what is to fight back by being defensive as well, too. And also by, in the world of threat intelligence, one of the ways that we're fighting back is not necessarily by going and hacking the bad guys because that's illegal jurisdictions. But how we can actually find out who these people are, hit them where it hurts, freeze assets, go after money laundering networks. If you follow the cash transactions where it's happening, this is where we actually work with key law enforcement partners, such as Interpol as an example, this is the world of threat intelligence. This is why we're doing a lot of that intelligence work on the backend. So there's other ways to actually go on the offense without necessarily weaponizing it per se, right? Like using, bearing your own arms as you said, there there's different forms that people may not be aware of with that. And that actually gets into the world of, if you see attacks happening on your system, how you can use the security tools and collaborate with threat intelligence. >> I think that's the key. I think the key is these new sharing technologies around collective intelligence is going to be a great way to kind of have more of an offensive collective strike. 
But I think fortifying, the defense is critical. I mean, that's, there's no other way to do that. >> Absolutely, I mean, we say this almost every week, but it's in simplicity. Our goal is always to make it more expensive for the cybercriminal to operate. And there's many ways to do that, right? You can be a pain to them by having a very rigid, hardened defense. That means if it's too much effort on their end, I mean, they have ROIs and in their sense, right? It's too much effort on there and they're going to go knocking somewhere else. There's also, as I said, things like disruption, so ripping infrastructure offline that cripples them, whack-a-mole, they're going to set up somewhere else. But then also going after people themselves, again, the cash networks, these sorts of things. So it's sort of a holistic approach between- >> It's an arms race, better AI, better cloud scale always helps. You know, it's a ratchet game. Aamir, I want to get into this video. It's a ransomware four minute video. I'd like you to take us through as you the Lead Researcher, take us through this video and explain what we're looking at. Let's roll the video. >> All right. Sure. So what we have here is we have the victims that's top over here. We have a couple of things on this victim's desktop. We have a batch file, which is essentially going to run the ransomware. We have the payload, which is the code behind the ransomware. And then we have files in this folder. And this is where you would typically find user files and a real world case. This would be like Microsoft or Microsoft word documents, or your PowerPoint presentations, or we're here we just have a couple of text files that we've set up. We're going to go ahead and run the ransomware. And sometimes attackers, what they do is they disguise this. Like they make it look like an important word document. They make it look like something else. But once you run the ransomware, you usually get a ransom message. 
And in this case, a ransom message says, your files are encrypted. Please pay this money to this Bitcoin address. That obviously is not a real Bitcoin address. Usually they look a little more complicated, but this is our fake Bitcoin address. But you'll see that the files now are encrypted. You cannot access them. They've been changed. And unless you pay the ransom, you don't get the files. Now, as researchers, we see files like this all the time. We see ransomware all the time. So we use a variety of tools, internal tools, custom tools, as well as open source tools. And what you're seeing here is an open source tool. It's called the Cuckoo Sandbox, and it shows us the behavior of the ransomware. What exactly is ransomware doing. In this case, you can see just clicking on that file, launched a couple of different things that launched basically a command executable, a PowerShell. They launched our Windows shell. And then at, then add things on the file. It would basically, you had registry keys, it had on network connections. It changed the disk. So that's kind of gives us a behind the scenes, look at all the processes that's happening on the ransomware. And just that one file itself, like I said, does multiple different things. Now what we want to do as researchers, we want to categorize this ransomware into families. We want to try and determine the actors behind that. So we dump everything we know in a ransomware in the central databases. And then we mine these databases. What we're doing here is we're actually using another tool called Maltego and use custom tools as well as commercial and open source tools. But this is an open source and commercial tool. But what we're doing is we're basically taking the ransomware and we're asking Maltego to look through our database and say like, do you see any like files? Or do you see any types of incidences that have similar characteristics? 
Because what we want to do is see the relationship between this one ransomware and anything else we may have in our system, because that helps us identify maybe where the ransomware is connecting to, where it's going, other processes it may be doing. In this case, we can see multiple IP addresses that are connected to it. So we can possibly see multiple infections. We can block different external websites. We can identify a command and control system. We can categorize this to a family, and sometimes we can even categorize this to a threat actor that has claimed responsibility for it. So it's essentially visualizing all the connections and the relationship between one file and everything else we have in our database. And in this example, of course, I could output this in multiple ways. We can save these as reports, as PDF-type reports, or usually HTML or other searchable data that we have back in our systems. And then the cool thing about this is it's available to all our products, all our researchers, all our specialty teams. So when we're researching botnets, when we're researching file-based attacks, when we're researching IP reputation, we have a lot of different IOCs, or indicators of compromise, that we can correlate where attacks go through and maybe even detect new types of attacks as well. >> So the bottom line is you've got the tools, using a combination of open source and commercial products, to look at the patterns of all ransomware across your observation space. Is that right? >> Exactly. I showed you a very simple demo. It's not only open source and commercial, but a lot of it is our own custom developed products as well. And when we find something that works, that logic, that technique, we make sure it's built into our own products as well. So our own customers have the ability to detect the same type of threats that we're detecting as well. 
At FortiGuard Labs, the intelligence that we acquire, that product of intelligence, is consumed directly by our products. >> So take me through what's actually going on, what it means for the customer. So FortiGuard Labs, you're looking at all the ransomware, you're seeing the patterns. Are you guys proactively looking? Is it that you guys are researching, and you look at something that pops up on the radar? I mean, take us through what goes on, and then how does that translate into a customer notification or impact? >> So, yeah, John, if you look at a typical life cycle of these attacks, there's always proactive and reactive. That's just the way it is in the industry, right? So of course we try to be (indistinct) as we look for some of the solutions we talked about before. And if you look at an incoming threat, first of all, you need visibility. You can't protect or analyze anything that you can't see. So you've got to get your hands on visibility. We call these IOCs, indicators of compromise. So this is usually something like an actual executable file, like the virus or the malware itself. It could be other things that are related to it, like websites that could be hosting the malware, as an example. So once we have that SEED, we call it a SEED, we can do threat hunting from there. So we can analyze that, right? If we have to, if it's a piece of malware or a botnet, we can do analysis on that and discover more malicious things that this is doing. Then we go investigate those malicious things. And really, it's similar to the world of CSI, right? These different dots that they're connecting, we're doing that at hyper-scale. And we do that through these tools that Aamir was talking about. So it's really a lifecycle of getting the malware incoming, seeing it first, analyzing it, and then doing action on that. So it's sort of a three-step process. And the action comes down to what Aamir was saying, waterfalling that to our customers so that they're protected. 
But then in tandem with that, we're also going further and sharing it, if applicable, with, say, law enforcement partners and other threat intel sharing partners too. And it's not just humans doing that. So the proactive piece, again, this is where it comes to artificial intelligence, machine learning. There's a lot of cases where we're automatically doing that analysis without humans. So we have AI systems that are analyzing and actually creating protection on their own too. So it's quite interesting that way. >> So at the end of the day, you want to protect your customers. And so this renders out: if I'm a Fortinet customer across the portfolio, the goal here is to protect them from ransomware, right? That's the end game. >> Yeah. And that's a very important thing. When you start talking about these big dollar amounts that we were talking about earlier, it comes to the damages that are done from that- >> Yeah, I mean, not only is it good insurance, it's just good to have that fortification. So Derek, I'm going to ask you about the term "the last mile," because before we came on camera, I said I'm a bandwidth junkie, I always want more bandwidth. So the last mile, it used to be a term for the last mile to the home where there were telephone lines. Now it's fiber and wifi, but what does that mean to you guys in security? Does that mean something specific? >> Yeah, absolutely. The easiest way to describe that is actionable. So one of the challenges in the industry is we live in a very noisy industry when it comes to cybersecurity. What I mean by that is that because of that growing attack surface, and you have these different attack vectors, you have attacks not only coming in from email, but websites, from DoS attacks, there's a lot of volume that's just going to continue to grow in the world of 5G and OT. So what ends up happening is when you look at a lot of security operations centers for customers, as an example, it's very noisy. 
You can guarantee almost every day you're going to see some sort of probe, some sort of attack activity that's happening. And so what that means is you get a lot of protection events, a lot of logs. And when you have this worldwide shortage of security professionals, you don't have enough people to process those logs and actually start to say, "Hey, this looks like an attack. I'm going to go investigate it and block it." So this is where the last mile comes in, because a lot of the times these logs, they light up like Christmas. And I mean, there's a lot of events that are happening. How do you prioritize that? How do you automatically add action? Because the reality is, if it's just humans doing it, that last mile is often, going back to your bandwidth terms, where there's too much latency. So how do you reduce that latency? That's where the automation, the AI, machine learning comes in to solve that last mile problem, to automatically add that protection. It's especially important 'cause you have to be quicker than the attacker. It's an arms race, like you said earlier. >> I think what you guys do with FortiGuard Labs is super important, not only for the industry, but for society at large, as you have kind of all this shadow, cloak-and-dagger kind of attack systems, whether it's national security, international, or just for mafias and racketeering, and the bad guys. Can you guys take a minute and explain the role of FortiGuard specifically and why you guys exist? I mean, obviously there's a commercial reason you built on Fortinet that trickles down into the products. That's all good for the customers, I get that. But there's more to FortiGuard than just that. Could you guys talk about this trend in the security business, because it's very clear that there's a collective sharing culture developing rapidly for societal benefit. Can you take a minute to explain that? >> Yeah, sure. I'll give you my thoughts, Aamir will add some to that too. 
So, from my point of view, I mean, there's various functions. So we've just talked about that last mile problem. That's the commercial aspect. We created, through FortiGuard Labs, FortiGuard services that are dynamic and updated to security products, because you need intelligent products to be able to protect against intelligent attacks. That's just defense again. Going back to, how can we take that further? I mean, we're not law enforcement ourselves. We know a lot about the bad guys and the actors because of the intelligence work that we do, but we can't go in and prosecute. We can share knowledge and we can train prosecutors, right? This is a big challenge in the industry. A lot of prosecutors don't know how to take cybersecurity cases to court. And because of that, a lot of these cyber criminals reign free, and that's been a big challenge in the industry. So this has been close to my heart for over 10 years. I've been building a lot of these key relationships between private and public sector, as an example, but also private sector, things like the Cyber Threat Alliance. We're a founding member of the Cyber Threat Alliance. We have over 28 members in that Alliance, and it's about sharing intelligence to level that playing field, because attackers roam freely. What I mean by that is there's no jurisdictions for them. Cyber crime has no borders. They can do a million things wrong and they don't care. We do a million things right, one thing wrong, and it's a challenge. So there's this big collaboration. That's a big part of FortiGuard. Why it exists too, is to make the industry better, to work on protocols and automation and really fight this together while remaining competitors. I mean, we have competitors out there, of course. And so it comes down to that last mile problem: we can share intelligence within the industry, but intelligence is just intelligence. How do you make it useful and actionable? That's where it comes down to technology integration. 
>> Aamir, what's your take on this societal benefit? Because, I would say, for instance, the Sony hack years ago, when you have nation-states, if they put troops on our soil, the government would respond, but yet virtually they're here and the private sector has to fend for themselves. There's no support. So I think this private-public partnership thing is very relevant. I think it's ground zero of the future build-out of policy, because we pay for freedom. Why don't we have cyber freedom if we're going to run a business? Where is our help from the government? We pay taxes. So again, if a military showed up, you're not going to see companies fighting the foreign enemy, right? So again, this is a whole new changeover. What's your thought? >> It really is. You have to remember that cyber attacks put everyone on an even playing field, right? I mean, now you don't have to be a country that has invested a lot in weapons development or nuclear weapons or anything like that. Anyone can basically come up to speed on cyber weapons as long as they have an internet connection. So it evens the playing field, which makes it dangerous, I guess, for our enemies. But absolutely, I think a lot of us, from a personal standpoint, a lot of us as researchers have seen organizations fail through cyber attacks. We've seen the frustration. Besides organizations, we've seen people, just like grandmas, lose their pictures of their loved ones because they've been attacked by ransomware. I think we take it very personally when innocent people get attacked, and we make it our mission to make sure we can do everything we can to protect them. But I will add that at least here in the U.S. the federal government actually has a lot of partnerships and a lot of programs to help organizations with cyber attacks. 
US-CERT is continuously updating organizations about the latest attacks, and InfraGard is another organization run by the FBI, and a lot of companies like Fortinet, and even a lot of other security companies, participate in these organizations. So everyone can come up to speed and everyone can share information. So we all have a fighting chance. >> It's a whole new wave of paradigm. You guys are on the cutting edge. Derek, always great to see you; Aamir, great to meet you remotely, looking forward to meeting in person when the world comes back to normal as usual. Thanks for the great insights. Appreciate it. >> Pleasure as always. >> Okay, CUBE conversation here. I'm John Furrier, host of theCUBE. Great insightful conversation around security and ransomware with a great demo. Check it out from Derek and Aamir from FortiGuard Labs. I'm John Furrier. Thanks for watching.

Published Date : Aug 13 2020
