(upbeat music) >> Hey, welcome to this Cube conversation with NetScout. I'm Lisa Martin. Excited to talk to you. Richard Hummel, the manager of threat research for Arbor Networks, the security division of NetScout. Richard, welcome to theCube. >> Thanks for having me, Lisa, it's a pleasure to be here. >> We're going to unpack the sixth NetScout Threat Intelligence Report, which is going to be very interesting. But something I wanted to start with is we know that and yes, you're going to tell us, COVID and the pandemic has had a massive impact on DDoS attacks, ransomware. But before we dig into the report, I'd like to just kind of get some stories from you as we saw last year about this time rapid pivot to work from home, rapid pivot to distance learning. Talk to us about some of the attacks that you saw in particular that literally hit close to home. >> Sure and there's one really good prime example that comes to mind because it impacted a lot of people. There was a lot of media sensation around this but if you go and look, just Google it, Miami Dade County and DDoS, you'll see the first articles that pop up is the entire district school network going down because the students did not want to go to school and launched a DDoS attack. There was something upwards of 190,000 individuals that could no longer connect to the school's platform, whether that's a teacher, a student or parents. And so it had a very significant impact. And when you think about this in terms of the digital world, that impacted very severely, a large number of people and you can't really translate that to what would happen in a physical environment because it just doesn't compute. There's two totally different scenarios to talk about here. >> Amazing that a child can decide, "I don't want to go to school today." And as a result of a pandemic take that out for nearly 200,000 folks. So let's dig into, I said this is the sixth NetScout Threat Intelligence Report. One of the global trends and themes that is seen as evidence in what happened last year is up and to the right. Oftentimes when we're talking about technology, you know, with analyst reports up and to the right is a good thing. Not so in this case. We saw huge increases in threat vectors, more vectors weaponized per attack sophistication, expansion of threats and IOT devices. Walk us through the overall key findings from 2020 that this report discovered. >> Absolutely. And if yo glance at your screen there you'll see the key findings here where we talk about record breaking numbers. And just in 2020, we saw over 10 million attacks, which, I mean, this is a 20% increase over 2019. And what's significant about that number is COVID had a huge impact. In fact, if we go all the way back to the beginning, right around mid March, that's when the pandemic was announced, attacks skyrocketed and they didn't stop. They just kept going up and to the right. And that is true through 2021. So far in the first quarter, typically January, February is the down month that we observe in DDoS attacks. Whether this is, you know, kids going back to school from Christmas break, you have their Christmas routines and e-commerce is slowing down. January, February is typically a slow month. That was not true in 2021. In fact, we hit record numbers on a month by month in both January and February. And so not only do we see 2.9 million attacks in the first quarter of 2021, which, I mean, let's do the math here, right? We've got four quarters, you know, we're on track to hit 12 million attacks potentially, if not more. And then you have this normal where we said 800,000 approximately month over month since the pandemic started, we started 2021 at 950,000 plus. That's up and to the right and it's not slowing down. >> It's not slowing down. It's a trend that it shows, you know, significant impact across every industry. And we're going to talk about that but what are some of the new threat vectors that you saw weaponized in the last year? I mean, you talked about the example of the Miami-Dade school district but what were some of those new vectors that were really weaponized and used to help this up and to the right trend? >> So there's four in particular that we were tracking in 2020 and these nets aren't necessarily new vectors. Typically what happens when an adversary starts using this is there's a proof of concept code out there. In fact, a good example of this would be the RDP over UDP. So, I mean, we're all remotely connected, right? We're doing this over a Zoom call. If I want to connect to my organization I'm going to use some sort of remote capability whether that's a VPN or tunneling in, whatever it might be, right? And so remote desktop is something that everybody's using. And we saw actors start to kind of play around with this in mid 2020. And in right around September, November timeframe we saw a sudden spike. And typically when we see spikes in this kind of activity it's because adversaries are taking proof of concept code, that maybe has been around for a period of time, and they're incorporating those into DDoS for hire services. And so any person that wants to launch a DDoS attack can go into underground forums in marketplaces and they can purchase, maybe it's $10 in Bitcoin, and they can purchase an attack. That leverage is a bunch of different DDoS vectors. And so adversaries have no reason to remove a vector as new ones get discovered. They only have the motivation to add more, right? Because somebody comes into their platform and says, "I want to launch an attack that's going to take out my opponent." It's probably going to look a lot better if there's a lot of attack options in there where I can just go through and start clicking buttons left and right. And so all of a sudden now I've got this complex multi-vector attack that I don't have to pay anything extra for. Adversary already did all the work for me and now I can launch an attack. And so we saw four different vectors that were weaponized in 2020. One of those are notably the Jenkins that you see listed on the screen in the key findings. That one isn't necessarily a DDoS vector. It started out as one, it does amplify, but what happens is Jenkins servers are very vulnerable and when you actually initiate this attack, it tips over the Jenkins server. So it kind of operates as like a DoS event versus DDoS but it still has the same effect of availability, it takes a server offline. And then now just in the first part of 2021 we're tracking multiple other vectors that are starting to be weaponized. And when we see this, we go from a few, you know, incidents or alerts to thousands month over month. And so we're seeing even more vectors added and that's only going to continue to go up into the right. You know that theme that we talked about at the beginning here. >> As more vectors get added, and what did you see last year in terms of industries that may have been more vulnerable? As we talked about the work from home, everyone was dependent, really here we are on Zoom, dependent on Zoom, dependent on Netflix. Streaming media was kind of a lifeline for a lot of us but it also was healthcare and education. Did you see any verticals in particular that really started to see an increase in the exploitation and in the risk? >> Yeah, so let's start, let's separate this into two parts. The last part of the key findings that we had was talking about a group we, or a campaign we call Lazarus Borough Model. So this is a global DDoS extortion campaign. We're going to cover that a little bit more when we talk about kind of extorted events and how that operates but these guys, they started where the money is. And so when they first started targeting industries and this kind of coincides with COVID, so it started several months after the pandemic was announced, they started targeting a financial organizations, commercial banking. They went after stock exchange. Many of you would hear about the New Zealand Stock Exchange that went offline. That's this LBA campaign and these guys taking it off. So they started where the money is. They moved to a financial agation targeting insurance companies. They targeted currency exchange places. And then slowly from there, they started to expand. And in so much as our Arbor Cloud folks actually saw them targeting organizations that are part of vaccine development. And so these guys, they don't care who they hurt. They don't care who they're going after. They're going out there for a payday. And so that's one aspect of the industry targeting that we've seen. The other aspect is you'll see, on the next slide here, we actually saw a bunch of different verticals that we really haven't seen in the top 10 before. In fact, if you actually look at this you'll see the number one, two and three are pretty common for us. We almost always are going to see these kinds of telecommunications, wireless, satellite, broadband, these are always going to be in the top. And the reason for that is because gamers and DDoS attacks associated with gaming is kind of the predominant thing that we see in this landscape. And let's face it, gamers are on broadband operating systems. If you're in Asian communities, often they'll use mobile hotspots. So now you start to have wireless come in there. And so that makes sense seeing them. But what doesn't make sense is this internet publishing and broadcasting and you might say, "Well, what is that?" Well, that's things like Zoom and WebEx and Netflix and these other streaming services. And so we're seeing adversaries going after that because those have become critical to people's way of life. Their entertainment, what they're using to communicate for work and school. So they realized if we can go after this it's going to disrupt something and hopefully we can get some recognition. Maybe we can show this as a demonstration to get more customers on our platform or maybe we can get a payday. In a lot of the DDoS attacks that we see, in fact most of them, are all monetary focused. And so they're looking for a payday. They're going to go after something that's going to likely, you know, send out that payment. And then just walk down the line. You can see COVID through this whole thing. Electronic shopping is number five, right? Everybody turned to e-commerce because we're not going to in-person stores anymore. Electronic computer manufacturing, how many more people have to get computers at home now because they're no longer in a corporate environment? And so you can see how the pandemic has really influenced this industry target. >> Significant influencer and I also wonder too, you know, Zoom became a household name for every generation. You know, we're talking to five generations and maybe the generations that aren't as familiar with computer technology might be even more exploitable because it's easy to click on a phishing email when they don't understand how to look for the link. Let's now unpack the different types of DDoS attacks and what is on the rise. You talked about in the report the triple threat and we often think of that in entertainment. That's a good thing, but again, not here. Explain that triple threat. >> Yeah, so what we're seeing here is we have adversaries out there that are looking to take advantage of every possible angle to be able to get that payment. And everybody knows ransomware is a household name at this point, right? And so ransomware and DDoS have a lot in common because they both attack the availability of network resources, where computers or devices or whatever they might be. And so there's a lot of parallels to draw between the two of these. Now ransomware is a denial of service event, right? You're not going to have tens of thousands of computers hitting a single computer to take it down. You're going to have one exploitation of events. Somebody clicked on a link, there was a brute force attempt that managed to compromise a little boxes, credentials, whatever it might be, ransomware gets put on a system, it encrypts all your files. Well, all of a sudden, you've got this ransom note that says "If you want your files decrypted you're going to send us this amount of human Bitcoin." Well, what adversaries are doing now is they're capitalizing on the access that they already gained. So they already have access to the computer. Well, why not steal all the data first then let's encrypt whatever's there. And so now I can ask for a ransom payment to decrypt the files and I can ask for an extortion to prevent me from posting your data publicly. Maybe there's sensitive corporate information there. Maybe you're a local school system and you have all of your students' data on there. You're a hospital that has sensitive PI on it, whatever it might be, right? So now they're going to extort you to prevent them from posting that publicly. Well, why not add DDoS to this entire picture? Now you're already encrypted, we've already got your files, and I'm going to DDoS your system so you can't even access them if you wanted to. And I'm going to tell you, you have to pay me in order to stop this DDoS attack. And so this is that triple threat and we're seeing multiple different ransomware families. In fact, if you look at one of the slides here, you'll see that there's SunCrypt, there's Ragnar Cryptor, and then Maze did this initially back in September and then more recently, even the DarkSide stuff. I mean, who hasn't heard about DarkSide now with the Colonial Pipeline event, right? So they came out and said, "Hey we didn't intend for this collateral damage but it happened." Well, April 24th, they actually started offering DDoS as part of their tool kits. And so you can see how this has evolved over time. And adversaries are learning from each other and are incorporating this kind of methodology. And here we have triple extortion event. >> It almost seems like triple extortion event as a service with the opportunities, the number of vectors there. And you're right, everyone has heard of the Colonial Pipeline and that's where things like ransomware become a household term, just as much as Zoom and video conferencing and streaming media. Let's talk now about the effects that the threat report saw and uncovered region by region. Were there any regions in particular that were, that really stood out as most impacted? >> So not particularly. So one of the phenomena that we actually saw in the threat report, which, you know, we probably could have talked about it before now but it makes sense to talk about it regionally because we didn't see any one particular region, one particular vertical, a specific organization, specific country, none was more heavily targeted than another. In fact what we saw is organizations that we've never seen targeted before. We've seen industries that have never been targeted before all of a sudden are now getting DDoS attacks because we went from a local on-prem, I don't need to be connected to the internet, I don't need to have my employees remote access. And now all of a sudden you're dependent on the internet which is really, let's face it, that's critical infrastructure these days. And so now you have all of these additional people with a footprint connected to the internet then adversary can figure out and they can poke at it. And so what we saw here is just overall, all industries, all regions saw these upticks. The exception would be in China. We actually, in the Asia Pacific region specifically, but predominantly in China. But that often has to do with visibility rather than a decrease in attacks because they have their own kind of infrastructure in China. Brazil's the same way. They have their own kind of ecosystems. And so often you don't see what happens a lot outside the borders. And so from our perspective, we might see a decrease in attacks but, for all we know, they actually saw an increase in the attacks that is internal to their country against their country. And so across the board, just increases everywhere you look. >> Wow. So let's talk about what organizations can do in light of this. As we are here, we are still doing this program by video conferencing and things are opening up a little bit more, at least in the states anyway, and we're talking about more businesses going back to some degree but there's going to still be some mix, some hybrid of working from home and maybe even distance learning. So what can enterprises do to prepare for this when it happens? Because it sounds to me like with the sophistication, the up and to the right, it's not, if we get attacked, it's when. >> It's when, exactly. And that's just it. I mean, it's no longer something that you can put off. You can't just assume that I've never been DDoS attacked, I'm never going to be DDoS attacked anymore. You really need to consider this as part of your core security platform. I like to talk about defense in depth or a layer defense approach where you want to have a layered approach. So, you know, maybe they target your first layer and they don't get through. Or they do get through and now your second layer has to stop it. Well, if you have no layers or if you have one layer, it's not that hard for an adversary to figure out a way around that. And so preparation is key. Making sure that you have something in place and I'm going to give you an operational example here. One of the things we saw with the LBA campaigns is they actually started doing network of conasense for their targets. And what they would do is they would take the IP addresses belonging to your organization. They would look up the domains associated with that and they would figure out like, "Hey, this is bpn.organization.com or VPN two." And all of a sudden they've found your VPN concentrator and so that's where they're going to focus their attack. So something as simple as changing the way that you name your VPN concentrators might be sufficient to prevent them from hitting that weak link or right sizing the DDoS protection services for your company. Did you need something as big as like OnPrem Solutions? We need hardware. Do you instead want to do a managed service? Or do you want to go and talk to a cloud provider because there's right solutions and right sizes for all types of organizations. And the key here is preparation. In fact, all of the customers that we've worked with for the LBA extortion campaigns, if they were properly prepared they experienced almost no downtime or impact to their business. It's the people like the New Zealand Stock Exchange or their service provider that wasn't prepared to handle the attacks that were sent out them that were crippled. And so preparation is key. The other part is awareness. And that's part of what we do with this threat report because we want to make sure you're aware what adversaries are doing, when new attack vectors are coming out, how they're leveraging these, what industries they're targeting because that's really going to help you to figure out what your posture is, what your risk acceptance is for your organization. And in fact, there's a couple of resources that that we have here on the next slide. And you can go to both both of these. One of them is the threat report. You can view all of the details. And we only scratched the surface here in this Cube interview. So definitely recommend going there but the other one is called Horizon And netscout.com/horizon is a free resource you can register but you can actually see near real-time attacks based on industry and based on region. So if your organization out there and you're figuring, "Well I'm never attacked." Well go look up your industry. Go look up the country where you belong and see is there actually attacks against us? And I think you'll be quite surprised that there's quite a few attacks against you. And so definitely recommend checking these out >> Great resources netscout.com/horizon, netscout.com/threatreport. I do want to ask you one final question. That's in terms of timing. We saw the massive acceleration in digital transformation last year. We've already talked about this a number of times on this program. The dependence that businesses and consumers, like globally in every industry, in every country, have on streaming on communications right now. In terms of timing, though, for an organization to go from being aware to understanding what adversaries are doing, to being prepared, how quickly can an organization get up to speed and help themselves start reducing their risks? >> So I think that with DDoS, as opposed to things like ransomware, the ramp up time for that is much, much faster. There is a finite period of time with DDoS attacks that is actually going to impact you. And so maybe you're a smaller organization and you get DDoS attacked. There's a, probably a pretty high chance that that DDoS attack isn't going to last for multiple days. So maybe it's like an hour, maybe it's two hours, and then you recover. Your network resources are available again. That's not the same for something like ransomware. You get hit with ransomware, unless you pay or you have backups, you have to do the rigorous process of getting all your stuff back online. DDoS is more about as soon as the attack stops, the saturation goes away and you can start to get back online again. So it might not be as like immediate critical that you have to have something but there's also solutions, like a cloud solution, where it's as simple as signing up for the service and having your traffic redirected to their scrubbing center, their detection center. And then you may not have to do anything on-prem yourself, right? It's a matter of going out to an organization, finding a good contract, and then signing up, signing on the dotted line. And so I think that the ramp up time for mitigation services and DDoS protection can be a lot faster than many other security platforms and solutions. >> That's good to know cause with the up and to the right trend that you already said, the first quarter is usually slow. It's obviously not that way as what you've seen in 2021. And we can only expect what way, when we talk to you next year, that the up and to the right trend may continue. So hopefully organizations take advantage of these resources, Richard, that you talked about to be prepared to mediate and protect their you know, their customers, their employees, et cetera. Richard, we thank you for stopping by theCube. Talking to us about the sixth NetScout Threat Intelligence Report. Really interesting information. >> Absolutely; definitely a pleasure to have me here. Lisa, anytime you guys want to do it again, you know where I live? >> Yes. It's one of my favorite topics that you got and I got to point out the last thing, your Guardians of the Galaxy background, one of my favorite movies and it should be noted that on the NetScout website they are considered the Guardians of the Connected World. I just thought that connection was, as Richard told me before we went live, not planned, but I thought that was a great coincidence. Again, Richard, it's been a pleasure talking to you. Thank you for your time. >> Thank you so much. >> Richard Hummel, I'm Lisa Martin. You're watching this Cube conversation. (relaxing music)

(upbeat music) >> Hey, welcome to this Cube conversation with NetScout. I'm Lisa Martin. Excited to talk to you. Richard Hummel, the manager of threat research for Arbor Networks, the security division of NetScout. Richard, welcome to theCube. >> Thanks for having me, Lisa, it's a pleasure to be here. >> We're going to unpack the sixth NetScout Threat Intelligence Report, which is going to be very interesting. But something I wanted to start with is we know that and yes, you're going to tell us, COVID and the pandemic has had a massive impact on DDoS attacks, ransomware. But before we dig into the report, I'd like to just kind of get some stories from you as we saw last year about this time rapid pivot to work from home, rapid pivot to distance learning. Talk to us about some of the attacks that you saw in particular that literally hit close to home. >> Sure and there's one really good prime example that comes to mind because it impacted a lot of people. There was a lot of media sensation around this but if you go and look, just Google it, Miami Dade County and DDoS, you'll see the first articles that pop up is the entire district school network going down because the students did not want to go to school and launched a DDoS attack. There was something upwards of 190,000 individuals that could no longer connect to the school's platform, whether that's a teacher, a student or parents. And so it had a very significant impact. And when you think about this in terms of the digital world, that impacted very severely, a large number of people and you can't really translate that to what would happen in a physical environment because it just doesn't compute. There's two totally different scenarios to talk about here. >> Amazing that a child can decide, "I don't want to go to school today." And as a result of a pandemic take that out for nearly 200,000 folks. So let's dig into, I said this is the sixth NetScout Threat Intelligence Report. One of the global trends and themes that is seen as evidence in what happened last year is up and to the right. Oftentimes when we're talking about technology, you know, with analyst reports up and to the right is a good thing. Not so in this case. We saw huge increases in threat vectors, more vectors weaponized per attack sophistication, expansion of threats and IOT devices. Walk us through the overall key findings from 2020 that this report discovered. >> Absolutely. And if yo glance at your screen there you'll see the key findings here where we talk about record breaking numbers. And just in 2020, we saw over 10 million attacks, which, I mean, this is a 20% increase over 2019. And what's significant about that number is COVID had a huge impact. In fact, if we go all the way back to the beginning, right around mid March, that's when the pandemic was announced, attacks skyrocketed and they didn't stop. They just kept going up and to the right. And that is true through 2021. So far in the first quarter, typically January, February is the down month that we observe in DDoS attacks. Whether this is, you know, kids going back to school from Christmas break, you have their Christmas routines and e-commerce is slowing down. January, February is typically a slow month. That was not true in 2021. In fact, we hit record numbers on a month by month in both January and February. And so not only do we see 2.9 million attacks in the first quarter of 2021, which, I mean, let's do the math here, right? We've got four quarters, you know, we're on track to hit 12 million attacks potentially, if not more. And then you have this normal where we said 800,000 approximately month over month since the pandemic started, we started 2021 at 950,000 plus. That's up and to the right and it's not slowing down. >> It's not slowing down. It's a trend that it shows, you know, significant impact across every industry. And we're going to talk about that but what are some of the new threat vectors that you saw weaponized in the last year? I mean, you talked about the example of the Miami-Dade school district but what were some of those new vectors that were really weaponized and used to help this up and to the right trend? >> So there's four in particular that we were tracking in 2020 and these nets aren't necessarily new vectors. Typically what happens when an adversary starts using this is there's a proof of concept code out there. In fact, a good example of this would be the RDP over UDP. So, I mean, we're all remotely connected, right? We're doing this over a Zoom call. If I want to connect to my organization I'm going to use some sort of remote capability whether that's a VPN or tunneling in, whatever it might be, right? And so remote desktop is something that everybody's using. And we saw actors start to kind of play around with this in mid 2020. And in right around September, November timeframe we saw a sudden spike. And typically when we see spikes in this kind of activity it's because adversaries are taking proof of concept code, that maybe has been around for a period of time, and they're incorporating those into DDoS for hire services. And so any person that wants to launch a DDoS attack can go into underground forums in marketplaces and they can purchase, maybe it's $10 in Bitcoin, and they can purchase an attack. That leverage is a bunch of different DDoS vectors. And so adversaries have no reason to remove a vector as new ones get discovered. They only have the motivation to add more, right? Because somebody comes into their platform and says, "I want to launch an attack that's going to take out my opponent." It's probably going to look a lot better if there's a lot of attack options in there where I can just go through and start clicking buttons left and right. And so all of a sudden now I've got this complex multi-vector attack that I don't have to pay anything extra for. Adversary already did all the work for me and now I can launch an attack. And so we saw four different vectors that were weaponized in 2020. One of those are notably the Jenkins that you see listed on the screen in the key findings. That one isn't necessarily a DDoS vector. It started out as one, it does amplify, but what happens is Jenkins servers are very vulnerable and when you actually initiate this attack, it tips over the Jenkins server. So it kind of operates as like a DoS event versus DDoS but it still has the same effect of availability, it takes a server offline. And then now just in the first part of 2021 we're tracking multiple other vectors that are starting to be weaponized. And when we see this, we go from a few, you know, incidents or alerts to thousands month over month. And so we're seeing even more vectors added and that's only going to continue to go up into the right. You know that theme that we talked about at the beginning here. >> As more vectors get added, and what did you see last year in terms of industries that may have been more vulnerable? As we talked about the work from home, everyone was dependent, really here we are on Zoom, dependent on Zoom, dependent on Netflix. Streaming media was kind of a lifeline for a lot of us but it also was healthcare and education. Did you see any verticals in particular that really started to see an increase in the exploitation and in the risk? >> Yeah, so let's start, let's separate this into two parts. The last part of the key findings that we had was talking about a group we, or a campaign we call Lazarus Borough Model. So this is a global DDoS extortion campaign. We're going to cover that a little bit more when we talk about kind of extorted events and how that operates but these guys, they started where the money is. And so when they first started targeting industries and this kind of coincides with COVID, so it started several months after the pandemic was announced, they started targeting a financial organizations, commercial banking. They went after stock exchange. Many of you would hear about the New Zealand Stock Exchange that went offline. That's this LBA campaign and these guys taking it off. So they started where the money is. They moved to a financial agation targeting insurance companies. They targeted currency exchange places. And then slowly from there, they started to expand. And in so much as our Arbor Cloud folks actually saw them targeting organizations that are part of vaccine development. And so these guys, they don't care who they hurt. They don't care who they're going after. They're going out there for a payday. And so that's one aspect of the industry targeting that we've seen. The other aspect is you'll see, on the next slide here, we actually saw a bunch of different verticals that we really haven't seen in the top 10 before. In fact, if you actually look at this you'll see the number one, two and three are pretty common for us. We almost always are going to see these kinds of telecommunications, wireless, satellite, broadband, these are always going to be in the top. And the reason for that is because gamers and DDoS attacks associated with gaming is kind of the predominant thing that we see in this landscape. And let's face it, gamers are on broadband operating systems. If you're in Asian communities, often they'll use mobile hotspots. So now you start to have wireless come in there. And so that makes sense seeing them. But what doesn't make sense is this internet publishing and broadcasting and you might say, "Well, what is that?" Well, that's things like Zoom and WebEx and Netflix and these other streaming services. And so we're seeing adversaries going after that because those have become critical to people's way of life. Their entertainment, what they're using to communicate for work and school. So they realized if we can go after this it's going to disrupt something and hopefully we can get some recognition. Maybe we can show this as a demonstration to get more customers on our platform or maybe we can get a payday. In a lot of the DDoS attacks that we see, in fact most of them, are all monetary focused. And so they're looking for a payday. They're going to go after something that's going to likely, you know, send out that payment. And then just walk down the line. You can see COVID through this whole thing. Electronic shopping is number five, right? Everybody turned to e-commerce because we're not going to in-person stores anymore. Electronic computer manufacturing, how many more people have to get computers at home now because they're no longer in a corporate environment? And so you can see how the pandemic has really influenced this industry target. >> Significant influencer and I also wonder too, you know, Zoom became a household name for every generation. You know, we're talking to five generations and maybe the generations that aren't as familiar with computer technology might be even more exploitable because it's easy to click on a phishing email when they don't understand how to look for the link. Let's now unpack the different types of DDoS attacks and what is on the rise. You talked about in the report the triple threat and we often think of that in entertainment. That's a good thing, but again, not here. Explain that triple threat. >> Yeah, so what we're seeing here is we have adversaries out there that are looking to take advantage of every possible angle to be able to get that payment. And everybody knows ransomware is a household name at this point, right? And so ransomware and DDoS have a lot in common because they both attack the availability of network resources, where computers or devices or whatever they might be. And so there's a lot of parallels to draw between the two of these. Now ransomware is a denial of service event, right? You're not going to have tens of thousands of computers hitting a single computer to take it down. You're going to have one exploitation of events. Somebody clicked on a link, there was a brute force attempt that managed to compromise a little boxes, credentials, whatever it might be, ransomware gets put on a system, it encrypts all your files. Well, all of a sudden, you've got this ransom note that says "If you want your files decrypted you're going to send us this amount of human Bitcoin." Well, what adversaries are doing now is they're capitalizing on the access that they already gained. So they already have access to the computer. Well, why not steal all the data first then let's encrypt whatever's there. And so now I can ask for a ransom payment to decrypt the files and I can ask for an extortion to prevent me from posting your data publicly. Maybe there's sensitive corporate information there. Maybe you're a local school system and you have all of your students' data on there. You're a hospital that has sensitive PI on it, whatever it might be, right? So now they're going to extort you to prevent them from posting that publicly. Well, why not add DDoS to this entire picture? Now you're already encrypted, we've already got your files, and I'm going to DDoS your system so you can't even access them if you wanted to. And I'm going to tell you, you have to pay me in order to stop this DDoS attack. And so this is that triple threat and we're seeing multiple different ransomware families. In fact, if you look at one of the slides here, you'll see that there's SunCrypt, there's Ragnar Cryptor, and then Maze did this initially back in September and then more recently, even the DarkSide stuff. I mean, who hasn't heard about DarkSide now with the Colonial Pipeline event, right? So they came out and said, "Hey we didn't intend for this collateral damage but it happened." Well, April 24th, they actually started offering DDoS as part of their tool kits. And so you can see how this has evolved over time. And adversaries are learning from each other and are incorporating this kind of methodology. And here we have triple extortion event. >> It almost seems like triple extortion event as a service with the opportunities, the number of vectors there. And you're right, everyone has heard of the Colonial Pipeline and that's where things like ransomware become a household term, just as much as Zoom and video conferencing and streaming media. Let's talk now about the effects that the threat report saw and uncovered region by region. Were there any regions in particular that were, that really stood out as most impacted? >> So not particularly. So one of the phenomenon that we actually saw in the threat report, which, you know, we probably could have talked about it before now but it makes sense to talk about it regionally because we didn't see any one particular region, one particular vertical, a specific organization, specific country, none was more heavily targeted than another. In fact what we saw is organizations that we've never seen targeted before. We've seen industries that have never been targeted before all of a sudden are now getting DDoS attacks because we went from a local on-prem, I don't need to be connected to the internet, I don't need to have my employees remote access. And now all of a sudden you're dependent on the internet which is really, let's face it, that's critical infrastructure these days. And so now you have all of these additional people with a footprint connected to the internet then adversary can figure out and they can poke it. And so what we saw here is just overall, all industries, all regions saw these upticks. The exception would be in China. We actually, in the Asia Pacific region specifically, but predominantly in China. But that often has to do with visibility rather than a decrease in attacks because they have their own kind of infrastructure in China. Brazil's the same way. They have their own kind of ecosystems. And so often you don't see what happens a lot outside the borders. And so from our perspective, we might see a decrease in attacks but, for all we know, they actually saw an increase in the attacks that is internal to their country against their country. And so across the board, just increases everywhere you look. >> Wow. So let's talk about what organizations can do in light of this. As we are here, we are still doing this program by video conferencing and things are opening up a little bit more, at least in the states anyway, and we're talking about more businesses going back to some degree but there's going to still be some mix, some hybrid of working from home and maybe even distance learning. So what can enterprises do to prepare for this when it happens? Because it sounds to me like with the sophistication, the up and to the right, it's not, if we get attacked, it's when. >> It's when, exactly. And that's just it. I mean, it's no longer something that you can put off. You can't just assume that I've never been DDoS attacked, I'm never going to be DDoS attacked anymore. You really need to consider this as part of your core security platform. I like to talk about defense in depth or a layer defense approach where you want to have a layered approach. So, you know, maybe they target your first layer and they don't get through. Or they do get through and now your second layer has to stop it. Well, if you have no layers or if you have one layer, it's not that hard for an adversary to figure out a way around that. And so preparation is key. Making sure that you have something in place and I'm going to give you an operational example here. One of the things we saw with the LBA campaigns is they actually started doing network of conasense for their targets. And what they would do is they would take the IP addresses belonging to your organization. They would look up the domains associated with that and they would figure out like, "Hey, this is bpn.organization.com or VPN two." And all of a sudden they've found your VPN concentrator and so that's where they're going to focus their attack. So something as simple as changing the way that you name your VPN concentrators might be sufficient to prevent them from hitting that weak link or right sizing the DDoS protection services for your company. Did you need something as big as like OnPrem Solutions? We need hardware. Do you instead want to do a managed service? Or do you want to go and talk to a cloud provider because there's right solutions and right sizes for all types of organizations. And the key here is preparation. In fact, all of the customers that we've worked with for the LBA extortion campaigns, if they were properly prepared they experienced almost no downtime or impact to their business. It's the people like the New Zealand Stock Exchange or their service provider that wasn't prepared to handle the attacks that were sent out them that were crippled. And so preparation is key. The other part is awareness. And that's part of what we do with this threat report because we want to make sure you're aware what adversaries are doing, when new attack vectors are coming out, how they're leveraging these, what industries they're targeting because that's really going to help you to figure out what your posture is, what your risk acceptance is for your organization. And in fact, there's a couple of resources that that we have here on the next slide. And you can go to both both of these. One of them is the threat report. You can view all of the details. And we only scratched the surface here in this Cube interview. So definitely recommend going there but the other one is called Horizon And netscout.com/horizon is a free resource you can register but you can actually see near real-time attacks based on industry and based on region. So if your organization out there and you're figuring, "Well I'm never attacked." Well go look up your industry. Go look up the country where you belong and see is there actually attacks against us? And I think you'll be quite surprised that there's quite a few attacks against you. And so definitely recommend checking these out >> Great resources netscout.com/horizon, netscout.com/threatreport. I do want to ask you one final question. That's in terms of timing. We saw the massive acceleration in digital transformation last year. We've already talked about this a number of times on this program. The dependence that businesses and consumers, like globally in every industry, in every country, have on streaming on communications right now. In terms of timing, though, for an organization to go from being aware to understanding what adversaries are doing, to being prepared, how quickly can an organization get up to speed and help themselves start reducing their risks? >> So I think that with DDoS, as opposed to things like ransomware, the ramp up time for that is much, much faster. There is a finite period of time with DDoS attacks that is actually going to impact you. And so maybe you're a smaller organization and you get DDoS attacked. There's a, probably a pretty high chance that that DDoS attack isn't going to last for multiple days. So maybe it's like an hour, maybe it's two hours, and then you recover. Your network resources are available again. That's not the same for something like ransomware. You get hit with ransomware, unless you pay or you have backups, you have to do the rigorous process of getting all your stuff back online. DDoS is more about as soon as the attack stops, the saturation goes away and you can start to get back online again. So it might not be as like immediate critical that you have to have something but there's also solutions, like a cloud solution, where it's as simple as signing up for the service and having your traffic redirected to their scrubbing center, their detection center. And then you may not have to do anything on-prem yourself, right? It's a matter of going out to an organization, finding a good contract, and then signing up, signing on the dotted line. And so I think that the ramp up time for mitigation services and DDoS protection can be a lot faster than many other security platforms and solutions. >> That's good to know cause with the up and to the right trend that you already said, the first quarter is usually slow. It's obviously not that way as what you've seen in 2021. And we can only expect what way, when we talk to you next year, that the up and to the right trend may continue. So hopefully organizations take advantage of these resources, Richard, that you talked about to be prepared to mediate and protect their you know, their customers, their employees, et cetera. Richard, we thank you for stopping by theCube. Talking to us about the sixth NetScout Threat Intelligence Report. Really interesting information. >> Absolutely; definitely a pleasure to have me here. Lisa, anytime you guys want to do it again, you know where I live? >> Yes. It's one of my favorite topics that you got and I got to point out the last thing, your Guardians of the Galaxy background, one of my favorite movies and it should be noted that on the NetScout website they are considered the Guardians of the Connected World. I just thought that connection was, as Richard told me before we went live, not planned, but I thought that was a great coincidence. Again, Richard, it's been a pleasure talking to you. Thank you for your time. >> Thank you so much. >> Richard Hummel, I'm Lisa Martin. You're watching this Cube conversation. (relaxing music)

>> Narrator: From theCUBE Studios in Palo Alto and Boston, it's theCUBE, covering IBM Think, brought to you by IBM. >> Hi everybody. Welcome back to theCUBE's continuous coverage of IBM Think 2020, the digital version of IBM Think. Wendi Whitmore is here. She's the vice president of IBM X-Force Threat Intelligence. Wendy, thanks for coming on. >> Thanks for having me. I'm excited to be here. >> Yeah, you're welcome. With a name like X-Force. That is a killer name. Tell us about X-Force. How are you protecting us? >> Yeah, we get a lot of interesting questions. So, my team is responsible for a pretty wide range of things. They range from incident response. So, when you think of data breaches, typically organizations will call an outside firm, and they'll jump on a plane and respond to threats on-site. Obviously right now, we're jumping on a bit fewer planes, but we still are helping our customers investigate data breaches, and we are on-site when needed. We also have a team of threat intelligence analysts and researchers, who are experts in a wide range of fields from geopolitical issues to cyber-related issues to industry specific. And then we've also got a team that does data breach simulations in a very immersive environment. We've got facilities at Cambridge Massachusetts, as well as within Europe, and now of course, we're bringing all those virtual as well. So, really anything that helps our clients respond more effectively to a data breach is something that we do. >> So, X-Force is traveling right now on empty planes, I presume. >> We are as needed. So, many clients have certainly shifted to where their whole environments are off-site and working remote as well, but we still have clients who are asking us to work on-site, and in those cases we have added a new protective gear to our go-backs, which are usually equipped with hard drives and disc imaging software and passports, and now we have some additional equipment to bring as well. >> And that breach simulation that you talked about. So that's what, like a penetration test, or in similar type of activities? >> Yeah, great question. No, it's actually an immersive environment where we go in, and actually simulate an entire breach for our clients. So, everything from the initial attack, how they would do the data analytics, to things like, how do they respond to the press, and inquiries from the press about the breach, how do they do media training, how they work with their legal counsel. So, it's really a comprehensive immersive environment that simulates kind of the heart pounding that occurs when you actually respond to a data breach. >> Oh, that's awesome, so that mean best practices in communications as well and the PR. I mean, that is obviously, maybe something that's often overlooked, but something that you guys are applying best practice to. >> Wendi: It's such a huge piece of it now, right? Our organizations are not always graded just on the breach itself, but more so on how they respond and how they communicate. The good news is, in that scenario that you can communicate effectively about a breach, and you can have something pretty negative that happens to your organization, but if you respond well, and you communicate really effectively to your clients and to the public, we've seen time and again that those brands actually have no reputational damage, and if anything, their clients trust them even more moving forward. >> We were early on when recording the, just trying to measure the budget impact of COVID-19, but we were early in recording the work from home shift. About 20% of the CIO organizations that we surveyed, actually spending more, or planning to spend more, but many weren't prepared for this work from home. They had to really beef up, and not just adding licenses of video collaboration software, but security for sure, a VPN infrastructure, et cetera. So, can you talk a little bit about how clients have responded, how you've helped them respond to that shif? How has the threat matrix changed? >> Well, so in terms of the attack surface, you mentioned there's a lot more people working from home, right? So, what we've got is over 220 million people in the United States, over one billion people in India alone, that are now working from home. So as you can imagine, that attack surface has really increased from an attacker perspective, right? And coupled with that, is that since March 1st, we've already seen a 6000% increase in coronavirus related spam. So, you've now got this larger attack surface that organizations need to protect against, and you've got an increase in threats and threat activity that is attacking them. So, from that perspective, pretty difficult for CIOs who are used to defending an environment that may be more on-site, and now have this really wide range of attack surface certainly more difficult for them to respond to. The other thing that we've seen, so one of the things that's super critical in these types of situations is to have an incident response plan, and to make sure that you're testing it. So, in our work that we've done both with our incident response teams, as well as with the teams that train clients in how to respond to breaches more effectively, we've seen that 76% of organizations don't actually have a consistently tested or applied incident response plan, and one in four have no plan at all. So, I will say that in terms of how we're working with clients, the first thing that any organization can do right now, is actually, have a plan and test it. So, if you're starting from scratch, it's really as simple as putting words on paper, understanding how you're going to get a hold of your critical team members, having a backup plan in place for communication strategies if your primary infrastructure goes offline. So making sure you know how to get a hold of your personnel. If you're more mature, then what we're really encouraging our clients to do is have a variety of scenarios that they're testing against, and make sure that they're running through those. So, a great one to practice right now, would be a ransomware attack. In particular, how does your organization respond effectively to it? What do you do when you get the initial notification? Do you have critical and sensitive data that's backed up offline, and not always connected to the network? If so, you're going to be in a much better spot to effectively defend against those attacks and limit any of the negative impact to them. >> So, a couple things I want to sort of follow up in. So, what I heard was you've got more fragile work-from-home infrastructure, and you've got somewhat, well, significantly more vulnerable users. I've often said, bad user behavior is going to trump good security infrastructure every time. So, you've got many more opportunities for the bad guys to get in. And so, I'm hearing that threat response is now more critical than ever. It's always been critical. The communication to the board has been hey, chances are we're going to get infiltrated. We got to find it fast, and it's really about response, incident response. We can build modes, we can build layers, but we have to put a plan for that response. And so, it sounds like that's something that maybe is heightened as a result of this COVID-19 crisis. >> Wendi: Oh, it absolutely is. I think it's now more critical than ever. I think there's two approaches, right? So, one of them would be improvising through chaos, which we don't necessarily encourage, right? There's a difference between that and really managing through disruption, and that's what we're encouraging our clients to do, is look at how we can create sustainable processes and procedures. You may have a very well-established team that does response, but perhaps they haven't worked remotely before. So, that means testing those procedures, now taking them to a scenario where everyone is remote. What does that mean? It may mean that you need to capture less data over the network, because perhaps you just don't have the bandwidth or the capacity to do it. We've certainly looked at how we do that. How do we answer questions that are critically needed from an investigative perspective, for example, but without maybe all the resources that we would prefer to have. So, what we're really looking at, is kind of shifting in the way that we manage through these. And then, you mentioned that users who maybe sometimes make bad decisions, right? We're all guilty of that, because especially with that increase in spam, there's also been an increase in Nation-State actors who are now sending out new lures and new attempts to get access to environments that are related to coronavirus. So, we've got cyber criminals, Nation-State actors, everyone, and we're now at home looking to effectively defend. So, some things that organizations can do with that, would be insuring that they have multi-factor authentication on all remotely accessible systems. So, devices, applications, anything that can be accessed remotely should have multi-factor authentication. That will help limit some of the impact. As it relates to spam, organizations should really be making sure they've got good email spam-filtering systems in place, and if they have the capability to send out some test emails to their employees, they should do that, right? We are getting numb. I will say, our CIO and their office does it at least once a week where I know I'm getting a very well-crafted email, and I have to really think twice, and it's really made me think differently about opening my email, and making sure that I'm doing some due diligence, to make sure I know where the email's coming from. One of the things we do, is also any external email is labeled external, so that way if it's a lure that appears to be, it's coming from another employee, but it's actually coming from an external email address, that's another way to help users make some good decisions, and really limit your attack surface, and reduce the threat. >> I think the points you're making here are very important, because if you think about the work-from-home cadence, it's a lot different. You're not nine to five. I mean, who works nine to five anyway, but your hours are different. Oftentimes, you got children to hone. You got dogs barking, kids are crawling all over us on the video. And so, oftentimes, of course we're frenzied at work, but there's a different kind of frenzy, so you might not be as in tune. So, you're basically saying, exercise that a little bit to get people, like a fire drill, to really get them tuned to being sensitized to such phishing attack. >> Right, well if you think about this from the viewpoint of an attacker, all of those scenarios that you mentioned, where you have a global pandemic. So, we're not just talking about a regional threat, like a hurricane or a tornado. In a case of a pandemic, or any of these type of situations, people are more likely to be reading the news, be probably checking social media more often, so that they can get an understanding of the latest news and information that may impact them. If you're an attacker, you've got now this kind of environment of global chaos that's been created, and you can use it to your advantage, because the reality is, as long as there's money to be made, attackers are going to want to take advantage of that scenario. So, what we're really talking about is, as you're reading your work email, as you're checking your personal email, taking a step back, slowing things down amidst all the distractions, barking dogs and co-workers now that may be at your house, also known as children, right? So, we need to really take a step back, and make sure that we are slowing things down, reading and doing due diligence in opening emails that will help all of the CIO and CISO type organizations more effectively to protect their organizations and their clients as well. >> When you talked about ransomware earlier, and I inferred from your comments that best practice, create an air gap, but I'm wondering also, can analytics play a role there, just in terms of identifying anomalous behavior? What else can I do to protect myself from ransomware? >> Great question. So, on the visibility side, which I think is what you're talking about, right? How do we detect these types of attacks? There's lots of great software out there. Typically, what we would want our visibility at the endpoints. So, usually some sort of EDR tool, which is an endpoint detection and response tool. That's going to allow us to capture things. In the old days, we would talk about antivirus software, and now you really have kind of next generation of antivirus software, which also gives you behavioral analytics and actions on the keyboard. We want to be able to detect that in any size environment. So, the more visibility we have into that, the better, but aside from just adopting new technology, potentially, there are best practices steps that we can take, and I mentioned earlier about making sure that you understand what is your most critical and sensitive data, and that you've got it backed up, and a lot of times we go into environments, and they say, "Well yeah, we have backups." This is great, but what they're not realizing, is that oftentimes those backups are connected to the network at all times, and in the case of a ransomware breach, you typically then will see those backups corrupted as well, and organizations will find themselves in a position where they say, "Well, we don't have any valid backups now "that we can restore from, in order to make sure "that we have a safe environment." And so, it's important that organizations understand and do a survey of what is their most critical and sensitive data, and then make sure that's backed up offline, and I say that, because it's not usually viable for organizations to have all of their data backed up offline. That costs a lot of money. That requires a lot of storage, but to look at really prioritizing their environment, their data within it, and making sure that they can have access to that which is needed, and then ultimately that's going to prevent you even needing to have the conversation about ransomware, because you still have access to that data. >> Yeah Wendi, I think you're making some really important points there. The tech obviously, is critical. People shifting to SD-WAN, securing endpoints, securing gateways, but really the processes are very very important, and I'll just throw out an example. If I'm making a snapshot of the Cloud, I'm not backed up. You better make sure that you understand how to recover from that backup, because just that copy is not a backup. You need the proper type of recovery software. You need to test that. Your thoughts on that. >> Yeah, that's absolutely true. So, what we want to make sure is that during the course of a potential ransomware attack, that the email's critical sensitive data is available offline. So, I mentioned earlier that testing is one of the best things that we're recommending. One of the most effective preparations is having an incident response plan, testing it for particular scenarios, and so in this case, one of the other things that we talk about a lot is limiting the impact of a breach. Every organization is going to get attacked, especially in today's day and age where you've got a larger attack surface. The win is really limiting the impact of that attack, and limiting the cost, and having an incident response plan, and having a team of people, whether they're internal or external that are responsible for responding to attacks, is the number one cost management. The number one decrease in cost is having access to that team. Typically, it will save an organization over a million dollars when the average cost of a data breach is about $4 million. So, that's pretty significant, and ultimately, if we can test, as you mentioned, those backups, that they are available in an offline scenario. In the course of one of those IR program plans or tests, that's great. It's a win for the organization. They can ensure that that data is going to be available, and it really helps them exercise that muscle memory in advance of an actual attack. >> Yeah, so the backup corp is actually becomes a really even more important component now. This has been great information. Where can people go specifically as it relates to COVID-19? I want to go look up a checklist to make sure. I've been scrambling to get my homeworkers up and running, get them productive, but boy, I really want to focus now on the things that I should be doing to button up my organization. Where can I go to learn more about this? >> Yeah, so there's so much great information out there, from everyone in the industry, but IBM is clearly no different. So, what we've done is action repurpose at IBM.com homepage where we've got a tremendous amount of information on COVID-19, and then IBM Security.com as well. Our team that focuses on breach response, has in particular, a site called X-Force Exchange, where we're sharing indicators, and we have a particular component that's related to COVID-19 specifically, and then lastly, we've got a free service, which is a threat intelligence enclave that we are hosting with our partner TruSTAR, that is specific to COVID-19 where industry organizations can sign up and then share in real time, threat indicators related to this, and have really that intelligence that's been also qualified by their peers, and many large organizations are using that to defend their environments. So, a lot of great resources out there. >> Wendy, you're an amazing source of knowledge. Thanks so much for coming on the theCUBE, and thanks to the X-Force team, doing some travel when necessary, and helping people really get a handle on this in this crazy crisis time. So, thank you very much. I really appreciate it. >> You're welcome, and certainly stay safe, and thanks for having me on. >> Back at you. All right, and thank you everybody. This is Dave Vellante for theCUBE. You're watching our continuous coverage of IBM Think 2020 Digital Think. Be right back right after this short break. (uplifting music)

>> live from Orlando, Florida It's the que covering accelerate nineteen. Brought to you by important >> Hey, welcome back to the Cube. We are live at forty nine. Accelerate nineteen in Orlando, Florida I am Lisa Martin with Peter Births, and Peter and I are pleased to welcome one of our alumni back to the program during Mickey, the chief of security insights for forty nine. Derek. It's great to have you back on the program, >> so it's always a pleasure to be here. It's tze always good conversations. I really look forward to it and it's It's never a boring day in my office, so we're than happy to talk about this. >> Fantastic. Excellent. Well, we've been here for a few hours, talking with a lot of your leaders. Partners as well. The keynote this morning was energetic. Talked a lot about the evocation, talked a lot about the evolution of not just security and threat, but obviously of infrastructure, multi cloud hybrid environment in which we live. You have been with forty girl lives for a long time. Talk to us about the evolution that you've seen of the threat landscape and where we are today. >> Sure, Yeah, so you know? Yeah, I've been fifteen years now, forty guards. So I flashed back. Even a two thousand, for it was a vastly different landscape back there and Internet and even in terms of our security technology in terms of what the attack surface was like back then, you know, Ken Kennedy was talking about EJ computing, right? Because that's what you know. Seventy percent of data is not going to be making it to the cloud in the future. A lot of processing is happening on the edge on DH. Threats are migrating that way as well, right? But there's always this mirror image that we see with the threat landscape again. Threat landscape. Back in nineteen eighty nine, we started with the Morris Worm is very simple instructions. It took down about eighty percent of the Internet at the time, but he was It is very simple. It wasn't to quote unquote intelligence, right? Of course, if we look through the two thousands, we had a lot of these big worms that hit the scene like Conficker. I love you, Anna Kournikova. Blaster slammer. All these famous rooms I started Teo become peer to peer, right? So they were able to actually spread from network to network throughout organizations take down critical services and so forth. That was a big evolutionary piece at the time. Of course, we saw fake anti virus ransomware. Come on stage last. Whereas I called it, which was destructive Mauer That was a big shift that we saw, right? So actually physically wiping out data on systems these air typically in like star but warfare based attacks. And that takes us up to today, right? And what we're seeing today, of course, we're still seeing a lot of ransom attacks, but we're starting to see a big shift in technology because of this edge computing used case. So we're seeing now things like Swarm networks have talked about before us. So these are not only like we saw in the two thousand's threats that could shift very quickly from network to network talk to each other, right? In terms of worms and so forth. We're also seeing now in intelligence baked in. And that's a key difference in technology because these threats are actually able, just like machine to machine. Communication happens through a pea eye's protocols and so forth threats are able to do this a swell. So they ableto understand their own local environment and how to adapt to that local environment and capitalized on that effort on DH. That's a very, very big shift in terms of technology that we're seeing now the threat landscape. >> So a lot of those old threats were depending upon the action of a human being, right? So in many respects, the creativity was a combination of Can you spook somebody make it interesting so that they'll do something that was always creativity in the actual threat itself. What you're describing today is a world where it's almost like automated risk. We're just as we're trying to do automation to dramatically increase the speed of things, reduce the amount of manual intervention. The bad guy's doing the same thing with the swarms there, introducing technology that is almost an automated attack and reconfigures itself based on whatever environment, conditions of encounters. >> Yeah, and the interesting thing is, what's happening here is we're seeing a reduction in what I call a t t be a time to breach. So if you look at the attack lifecycle, everything does doesn't happen in the blink of an instant it's moving towards that right? But if you look at the good, this's what's to come. I mean, we're seeing a lot of indications of this already. So we work very closely with Miter, the minor attack framework. It describes different steps for the attack life cycle, right? You start with reconnaissance weaponization and how do you penetrator system moving the system? Collect data monetize out as a cyber criminal. So even things like reconnaissance and weaponization. So if you look at fishing campaigns, right, people trying to fish people using social engineering, understanding data points about them that's becoming automated, that you sought to be a human tryingto understand their target, try toe fish them so they could get access to their network. There's tool kits now that will actually do that on their own by learning about data points. So it's scary, yes, but we are seeing indications of that. And and look, the endgame to this is that the attacks were happening much, much quicker. So you've got to be on your game. You have to be that much quicker from the defensive point of view, of course, because otherwise, if successful breach happens, you know we're talking about some of these attacks. They could. They could be successful in matter of seconds or or minutes instead of days or hours like before. You know, we're talking about potentially millions dollars of revenue loss, you know, services. They're being taken out flying intellectual properties being reached. So far, >> though. And this is, you know, I think of health care alone and literally life and death situations. Absolutely. How is Fortinet, with your ecosystem of partners poised to help customers mitigate some of these impending risk changing risk >> coverage? Strengthen numbers. Right. So we have, ah, strong ecosystem, of course, through our public ready program. So that's a technology piece, right? And to end security, how we can integrate how we can use automation to, you know, push security policies instead of having an administrator having to do that. Humans are slow a lot of the time, so you need machine to machine speed. It's our fabric ready program. You know, we have over fifty seven partners there. It's very strong ecosystem. From my side of the House on Threat Intelligence. I had up our global threat alliances, right? So we are working with other security experts around the World Cyberthreat Alliance is a good example. We've created intelligence sharing platforms so that we can share what we call indicators of compromise. So basically, blueprints are fingerprints. You can call them of attacks as they're happening in real time. We can share that world wide on a platform so that we can actually get a heads up from other security vendors of something that we might not see on. We can integrate that into our security fabric in terms of adding new, new, you know, intelligence definitions, security packages and so forth. And that's a very powerful thing. Beyond that, I've also created other alliances with law enforcement. So we're working with Interpol that's attribution Base work right that's going after the source of the problem. Our end game is to make it more expensive for cyber criminals to operate. And so we're doing that through working with Interpol on law enforcement. As an example, we're also working with national computer emergency response, so ripping malicious infrastructure off line, that's all about partnership, right? So that's what I mean strengthen numbers collaboration. It's It's a very powerful thing, something close to my heart that I've been building up over over ten years. And, you know, we're seeing a lot of success and impact from it, I think. >> But some of the, uh if you go back and look at some of the old threats that were very invasive, very problematic moved relatively fast, but they were still somewhat slow. Now we're talking about a new class of threat that happens like that. It suggests that the arrangement of assets but a company like Ford and that requires to respond and provide valued customers has to change. Yes, talk a little about how not just the investment product, but also the investment in four guard labs is evolving. You talked about partnerships, for example, to ensure that you have the right set of resources able to be engaged in the right time and applied to the right place with the right automation. Talk about about that. >> Sure, sure. So because of the criticality of this nature way have to be on point every day. As you said, you mentioned health care. Operational technology is a big thing as well. You know, Phyllis talking about sci fi, a swell right. The cyber physical convergence so way have to be on our game and on point and how do we do that? A couple of things. One we need. People still way. Can't you know Ken was talking about his his speech in Davos at the World Economic Forum with three to four million people shortage in cyber security of professionals There's never going to be enough people. So what we've done strategically is actually repositioned our experts of forty guard labs. We have over two hundred thirty five people in forty guard lab. So as a network security vendor, it's the largest security operation center in the world. But two hundred thirty five people alone are going to be able to battle one hundred billion threat events that we process today. Forty guard lab. So so what we've done, of course, is take up over the last five years. Machine learning, artificial intelligence. We have real practical applications of a I and machine learning. We use a supervised learning set so we actually have our machines learning about threats, and we have our human experts. Instead of tackling the threat's one on one themselves on the front lines, they let them in. The machine learning models do that and their training the machine. Just it's It's like a parent and child relationship. It takes time to learn a CZ machines learn. Over time they started to become more and more accurate. The only way they become more accurate is by our human experts literally being embedded with these machines and training them >> apart for suspended training. But also, there's assortment ation side, right? Yeah, we're increasing. The machines are providing are recognizing something and then providing a range of options. Thie security, professional in particular, doesn't have to go through the process of discovery and forensics to figure out everything. Absolution is presenting that, but also presenting potential remedial remediation options. Are you starting to see that become a regular feature? Absolutely, and especially in concert with your two hundred thirty five experts? >> Yeah, absolutely. And that's that's a necessity. So in my world, that's what I refer to is actionable intelligence, right? There's a lot of data out there. There's a lot of intelligence that the world's becoming data centric right now, but sometimes we don't have too much data. Askew Mons, a CZ analysts administrators so absolutely remediation suggestions and actually enforcement of that is the next step is well, we've already out of some features in in forty six two in our fabric to be able to deal with this. So where I think we're innovating and pioneering in the space, sir, it's it's ah, matter of trust. If you have the machines O R. You know, security technology that's making decisions on its own. You really have to trust that trust doesn't happen overnight. That's why for us, we have been investing in this for over six years now for our machine learning models that we can very accurate. It's been a good success story for us. I think. The other thing going back to your original question. How do we stack up against this? Of course, that whole edge computing use case, right? So we're starting to take that machine learning from the cloud environment also into local environments, right? Because a lot of that data is unique, its local environments and stays there. It stays there, and it has to be processed that such too. So that's another shift in technology as we move towards edge computing machine learning an artificial intelligence is absolutely part of that story, too. >> You mentioned strengthen numbers and we were talking about. You know, the opportunity for Fortinet to help customers really beat successful here. I wanted to go back to forty guard labs for a second because it's a very large numbers. One hundred billion security events. Forty Guard labs ingests and analyzes daily. Really? Yes, that is a differentiator. >> Okay, that that's a huge huge differentiator. So, again, if I look back to when I started in two thousand four, that number would have been about five hundred thousand events today, compared to one hundred billion today. In fact, even just a year ago, we were sitting about seventy five to eighty billion, so that numbers increased twenty billion and say twenty percent right in in just a year. So that's that's going to continue to happen. But it's that absolutely huge number, and it's a huge number because we have very big visibility, right. We have our four hundred thousand customers worldwide. We have built a core intelligence network for almost twenty years now, since for Deena was founded, you know, we we worked together with with customers. So if customers wish to share data about attacks that are happening because attackers are always coming knocking on doors. Uh, we can digest that. We can learn about the attacks. We know you know what weapons that these cybercriminals they're trying to use where the cybercriminals are. We learned more about the cyber criminals, so we're doing a lot of big data processing. I have a date, a science team that's doing this, in fact, and what we do is processes data. We understand the threat, and then we take a multi pronged approach. So we're consuming that data from automation were pushing that out first and foremost to our customers. So that's that automated use case of pushing protection from new threats that we're learning about were contextualizing the threat. So we're creating playbooks, so that playbook is much like football, right? You have to know your your your offense, right? And you have to know how to best understand their tactics. And so we're doing that right. We're mapping these playbooks understanding, tactics, understanding where these guys are, how they operate. We take that to law enforcement. As I was saying earlier as an example, we take that to the Cyber Threat Alliance to tow our other partners. And the more that we learn about this attack surface, the more that we can do in terms of protection as well. But it's it's a huge number. We've had a scale and our data center massively to be able to support this over the years. But we are poised for scale, ability for the future to be able to consume this on our anti. So it's it's, um it's what I said You know the start. It's never a boring day in my office. >> How can it be? But it sounds like, you know, really the potential there to enable customers. Any industry too convert Transport sees for transform Since we talked about digital transformation transformed from being reactive, to being proactive, to eventually predictive and >> cost effective to write, this's another thing without cybersecurity skills gap. You know this. The solution shouldn't be for any given customer to try. Toe have two hundred and thirty people in their security center, right? This is our working relationship where we can do a lot of that proactive automation for them, you know, by the fabric by the all this stuff that we're doing through our investment in efforts on the back end. I think it's really important to and yeah, at the end of the day, the other thing that we're doing with that data is generating human readable reports. So we're actually helping our customers at a high level understand the threat, right? So that they can actually create policies on their end to be able to respond to this right hard in their own security. I deal with things like inside of threats for their, you know, networks. These air all suggestions that we give them based off of our experience. You know, we issue our quarterly threat landscape report as an example, >> come into cubes. Some of your people come in the Cuban >> talk about absolutely so That's one product of that hundred billion events that were processing every day. But like I said, it's a multi pronged approach. We're doing a lot with that data, which, which is a great story. I think >> it is. I wish we had more time. Derek, Thank you so much for coming by. And never a dull moment. Never a dull interview when you're here. We appreciate your time. I can't wait to see what that one hundred billion number is. Next year. A forty nine twenty twenty. >> It will be more. I can get you. >> I sound like a well, Derek. Thank you so much. We appreciate it for Peter Burress. I'm Lisa Martin. You're watching the Cube?