Chris Folk & Mohan Koo



>> Welcome to theCUBE's continuing coverage of Splunk's .conf 21. I'm Dave Nicholson, and I am joined by Chris Folk, director, cybersecurity policy and strategic partnerships at MITRE Corporation, as well as Mohan Koo, the co-founder and chief technology officer at Dtex Systems. Now, uh, gentlemen, we've heard this before, but I think this is going to be the best example of a conversation on this subject I've ever had: security is a team sport. So let's talk about how that applies, where MITRE and Dtex and Splunk all come together and work as a team. Uh, starting with you, Chris. MITRE published the, the ATT&CK framework. And, just so people are clear on that: all caps, ATT, ampersand, or and-sign, I should say, capital C, capital K. Looks like "attack"; that's how you say it. The framework was created by MITRE. Uh, it's a bit of a game changer. Now, enterprise security teams use that pretty religiously. So, so tell us about that, and tell us what we can expect next from MITRE.

>> So thank you David, uh, pleasure to be here. You know, I think that the, um, what made ATT&CK resonate with users is it's based on data. It started with data that we observed in our networks and organized around, at that time, the emergent principle that Lockheed Martin had put out on the kill chain. Uh, so it gave it structure. And we have, we have been lucky that the community has sort of embraced that concept of what we started off. We got the numbers completely wrong. Uh, we, we started off with like 41 TTPs. And, um, that was because that was based on a small subset of data that we had, uh, and what's been powerful and what's made it truly wonderful is the community's adopted it. And it's, that's what it's added to it. It's an additive approach. Um, and but it's all based on data and it's all just a fabulous, um, opportunity for the community to come together. So, what MITRE's really focused on is understanding how data and those, uh, problems come together. And then, we surround the ecosystem of that problem with things like language. So we give it a framework and we give it, um, we give it operational data so that it actually has resonance with the users of that community.

>> So give me an example, uh, of the language that's used. You know, there are, there are things that are, that are under the heading of tactics as an example. Give me an example of some of those things. What's the term in plain English, and what does it mean?

>> So tactics are a way for, um, an adversary to go about taking care of their business. So, in the day, uh, when we were first thinking about this, we thought about it as, um, the old cartoons where you'd have the-the-the coyote and the-the sheep would check in, you know, the coyote was given his lunchbox. He was given it, um, if you think about it, as a, uh, the adversary target list. And he was given his tools, he was, he would open up his toolbox, and he would go after those targets for the day. And he would use those tools. What we realized is that in most cases, a lot of those tools were expensive to create. They were, uh, hard to, um, train up on. And so they tended to use the same basic toolkit over and over again. What changed was, perhaps, one little thing that they would exploit that was always changing. And so what, you know, what I likened it to was a burglar. A burglar would show up with his bag of, of, uh, tools. He would have a crowbar, and he would have a flashlight, and he would have a bag. And what he would do is he sometimes chose to go in through the windows. Sometimes he chose to go in through the door. Sometimes he chose to go in through the basement. It didn't matter. But once he got in the house, he had that flashlight, he had that bag, and he had that crowbar. I could figure out through my sensors what he had in his bag or with, with him, I could catch that. And then I could alert on that, and find the other pieces of that. And so that's what really tactics, um, are about, and getting that-that concept boiled down to a language that, uh, cyber defenders could readily understand and put into practice in their businesses.

>> So Mohan, tell us about Dtex. And I'm particularly interested in the, in the connection between Dtex and what Chris was just talking about, that MITRE has provided us, uh, this language that ATT&CK provides us. Um, essentially, you're- you're looking- you're listening for those things that go bump in the night. Chris has given us a language to describe them. Tell- tell us how Dtex fits here.

>> Yeah. So, so what we're doing, David, um, and thank you for having me as well, um, what we're doing is we're bringing to the table a whole different type of telemetry, and it's all around human behavior. And, and how we got together with MITRE, um, is actually a direct connection to how we got together with Splunk as well. I'm actually sitting here in Adelaide, in Australia, at the Australian Cyber Collaboration Center. And this is an initiative we put together with the state government of South Australia, and federal government as well, um, to actually bring everybody onto one trusted group, so we could break down the silos and collaborate a hell of a lot better. As we all know, the bad guys collaborate extremely well. You know, they share everything, including their IP and their tactics and their techniques; everything is shared. And that puts them at an extreme advantage to the good guys, and girls, right? And-and so we have to do a much better job at that collaboration. And-and when we came together and were introduced to MITRE here at the Australian Cyber Collaboration Center, we decided that taking MITRE's expertise, and they've got like 15, more than 15 years' worth of dedicated experience around behavioral science and how it contributes to insider threats, and studying that in some depth, putting that together with the data that we're collecting for our enterprise customers was something that was really, really important. And actually, you know, it was here in the Australian Cyber Collaboration Center that we first kept locked together with Splunk. And Splunk started to identify a problem statement amongst their customers too, that, you know, the data that exists out there for security operations teams just doesn't have that cleanliness and it doesn't have the context when it comes to human behavior. And that's really what we're bringing to the, to the table here.

>> So give me an example of a human behavior that you're looking for, or, you know, so, so Splunk is- Splunk is providing this data that's being gathered from logs. These events are being rolled up and, uh, and-and Dtex is analyzing them. Can you give us an example that doesn't educate adversaries of-of behaviors that you look at?

>> Yeah, absolutely. And I'll-I'll just touch on it. And then I'll hand over to Chris 'cause, 'cause uh, MITRE are truly the experts of this stuff. But- but what I will say is that a lot of organizations, when they think about human behavior and the insider threat, per se, they always think about the malicious actor, right? The, the Snowden type character that's, that's maliciously and intentionally trying to get access to take stuff. But it's, it's much more than that. It's, it's also insiders that do negligent things, and it's insiders that are victims of-of their own lack of understanding of things that they're facing. And when outsiders are cleverer, or more technically proficient, they can find ways to-to usurp the insider and get them to do bad things without them even knowing they're doing it. And so understanding intent, and we call it, at Dtex, we call it indicators of intent, are really important for us to know. Those indicators are what we've been working with MITRE on for the last year or so, kind of understanding what the newest, most complicated indicators of intent are, and how do we determine those to be able to know the difference between a malicious insider versus somebody that's just doing the wrong thing without even knowing about it? I-I don't know, Chris, if-if you wanted to touch on that a little bit.

>> Yeah, yeah, yeah Chris, absolutely. You've, you know, uh, Mohan's joining us from Australia. Chris, you and MITRE have done a ton of work with the U.S. Federal Government around detection and prevention of those insider threats. Talk to us, talk us through that. And, and more specifically, tell us how that is applicable to nongovernmental agencies.

>> Yeah, well, so I mean, think at the, at the core of it, human behavior is human cue and behavior. And whether those are being applied to, uh, critical infrastructures, whether they're being applied to working at a federal government organization, or a state, local, uh, government organization, it doesn't matter. Humans, humans have behaviors. Every human has behaviors. What makes them unique is understanding the context behind those behaviors. And then looking for, uh, indicators that are distinguishable from an individual doing his, or her, job. Right? So, one of the challenges that you have with insider behavior is that, you know, data collection is everyone's job, at every organization, right? You're always trying to put together the numbers for the spreadsheet to-to brief to your boss. Well, when you're doing that data collection, it can look like normal work. And you can't trigger on something like that, because otherwise you're going to be triggering, uh, every individual doing their job every day. So you have to add additional context and behavioral indicators to that, to understand how the individual is doing that differently in a case where they are up to-up to no good, we'll say, as opposed to under circumstances of doing their job in a regular course of action. So, what we have long held as beliefs about how people behave are actually manifesting themselves differently in online behavior: how fast they click, um, what kinds of tools they use to do legitimate work, versus the kinds of tools that they do-to do, uh, I'll call it illicit collection. Uh, literally those kinds of subtle nuances. So while they might do the same collection activities, how fast they do it, um, where they put that information, um, how they, how often they go back to the same site, those are indicators that when taken with that behavioral context really matter. And that's what distinguishes them from just normal, typical user behavior.

>> So how much does that context vary between private entities, governmental entities, and across private entities? Is this the classic 80/20 situation where, you know, 80-80% of it's the same, 20% very different? What, what does that look like?

>> Yeah, I would say that, you know, an 80/20 is a very good rule. I'd probably put it up closer to 90 to 95 to five, right? So behaviors work the same. Now, the protocols that organizations have are going to drive some of that, right? So a-a government organization is going to have certain things in place that a private company may or may not. So, you know, how, how locked down the systems are, the kinds of access, um, things that, that you allow. So do you allow USB drives? Do you allow, um, those kinds of-of capabilities in your organization? So, if you're a private sector organization, but even within a private sector organization, they'd run the gamut, right? You have very locked down environments like banks and regulated industries, and then you have very unregulated industries as well. So it really isn't about government and industry. It's about the kind of, um, protocols that are already in place for other reasons that really drive the differences between that. And then you have, again, you have those additional safeguards that you have, say with a-with a government organization, and that you've got, uh, security vetting, right? So you've done security vetting of a lot of your employees, whether, even if it's not security clearance, it's a- it's a personnel vetting. And so, it's an additional level, um, but all it does is change the-the emphasis of-of where you place the value in your security mechanisms.

>> So, you mentioned a variety of contexts. Mohan, we've had a mass shift to remote working, obviously. Um, Splunk has shared with us that, uh, that the customers are concerned about, you know, giving- giving people visibility without compromising privacy. And I, and I-I say Splunk like Splunk is a person (man laughing). We like to personalize everything here at theCUBE, but how is Dtex helping with this challenge, this challenge of not being intrusive, yet, uh, getting the important work done that needs to be done?

>> Yeah, that's a, that's a great question. And-and for us, you know, we, as Dtex, we kind of grew up in-in Europe, that's kind of where we became an international organization. So, employee privacy is at the heart of everything that we do. And-and, we make privacy by design into everything that we do. So, we're actually able to, uh, pseudo-anonymize every bit of data that we're collecting, so that you're actually really, truly looking for bad behaviors or unusual behaviors. You're not looking for bad people or unusual people, right? Like it's, it's a very clear distinction; and being able to do it in a way that gives you the visibility, gives the organization the visibility to prevent against risk and to de-risk the organization without infringing on anyone's privacy is, is really critical. And, you know, as Chris was mentioning, even if you go to the private sector, you know, you've got those very regulated banks or healthcare organizations that are typically quite locked down, but we're dealing more and more with, with high-tech companies, right? A lot of Bay Area firms, Silicon Valley companies, which have always required the flexibility for their workforce, right? They want them to be innovative. They want them to do different things. And in order to do that, they need the ability to have any tools they need to get their job done. But in those environments, you can't have too many hard and fast controls. So how do we actually provide that visibility to the organization without infringing privacy? That is absolutely what the game is about. And so, you know, not kind of having to scrape screens, and type keystrokes and type video capture, you know, that's the old school way of doing it. You know, in some cases maybe you do need that level of surveillance, but in most cases you absolutely do not. And so, you know, for many, many years, a lot of enterprise security organizations have been collecting way more data than they need to and taking way more intrusive approaches. And we're about backing that off and kind of getting the right balance between security and privacy, because what we truly believe is where you overlap security and privacy, that Venn diagram that you get in the middle is where you get safety. And we really see it as, as an extension of health and safety.

>> So Mohan, if we do all of these things correctly, between Splunk, MITRE, and Dtex, you get the perfect scenario where you're catching bad actors and you're not inconveniencing good actors. So what's your view of this? Dystopian future, utopian future, a mix of both?

>> Well, uh, look, I think-I think that the future really is, you know, as the title to this discussion is, it's a team sport, right? Like, and, and I think the, the approach that Splunk is taking right now is absolutely the right one. Like we, we need to all come together. We can't be everything to everyone. I don't think there is a one size fits all solution in enterprise security today. And those organizations that understand that and recognize that, but neither is it, are we able to continue just kind of investing in hundreds of point solutions across the enterprise and layering them across the business like band-aids. We need that consolidation, but we do need to take best of breed solution providers to, to focus on those integrations and doing it properly. And that's what we've really enjoyed about working with Splunk over the last couple of years is kind of taking a very holistic approach and realizing that we all need to come together to play this team sport because, you know, we, as Dtex, we bring together a very clean data set that gives you that human telemetry, and then MITRE brings the behavioral science capability and behavioral science understanding. And Splunk provides that big data platform to bring everything together and show it and visualize it. And, and really that's, that's, that's, that's one way of looking at it. And I, and I think, you know, going forward, those vendors or those organizations that don't recognize that, that proper integration, actual true integration, has to be done collectively. And it has to be done in a way that's light and easy for anybody to consume.

>> Perfect way to wrap this Cube conversation. Thank you, Mohan. Thank you, Chris. And thank all of you for joining us on this Cube conversation. Our continuing coverage of Splunk's .conf 21 continues. I'm Dave Nicholson. Thanks for joining.

Published Date : Oct 19 2021



Derek Manky, Fortinet | CUBEConversation



>> Welcome to this Cube Conversation, I'm Lisa Martin. I'm joined by Derek Manky next, the Chief, Security Insights and Global Threat Alliances at FortiGuard Labs. Derek, welcome back to the program.

>> Hey, it's great to be here again. A lot of stuff's happened since we last talked.

>> So Derek, one of the things that was really surprising from this year's Global Threat Landscape Report is a 10, more than 10x increase in ransomware. What's going on? What have you guys seen?

>> Yeah so this is massive. We're talking over a thousand percent, over a 10x increase. This has been building, Lisa. So this has been building since December of 2020. Up until then we saw a relatively low high watermark with ransomware. It had taken a hiatus really because cyber criminals were going after COVID-19 lures and doing some other things at the time. But we did see a seven fold increase in December 2020. That has absolutely continued this year into a momentum; up until today, it continues to build, never subsided. Now it's built to this monster, you know, almost 11 times increase from, from what we saw back last December. And the reason, what's fueling this is new verticals that cyber criminals are targeting. We've seen the usual suspects like telecommunication, government in position one and two. But new verticals that have risen up into this third and fourth position following are MSSP, and this is on the heels of the Kaseya attack of course, that happened in 2021, as well as operational technology. There's actually four segments: there's transportation, automotive, manufacturing, and then of course, energy and utility, all subsequent to each other. So there's a huge focus now on OT and MSSP for cyber criminals.

>> One of the things that we saw last year this time was that attackers had shifted their focus away from enterprise infrastructure devices to home networks and consumer grade products. And now it looks like they're focusing on both. Are you seeing that?

>> Yes, absolutely. In two ways, so first of all, again, this is a kill chain that we talk about. They have to get a foothold into the infrastructure, and then they can load things like ransomware on there. They can load things like information stealers as an example. The way they do that is through botnets. And what we reported in this in the first half of 2021 is that Mirai, which is about a two- to three-year-old botnet now, is number one by far, it was the most prevalent botnet we've seen. Of course, the thing about Mirai is that it's an IoT-based botnet. So it sits on devices, sitting inside consumer networks as an example, or home networks, right. And that can be a big problem. So that's the targets that cyber criminals are using. The other thing that we saw that was interesting was that one in four organizations detected malvertising. And so what that means, Lisa, is that cyber criminals are shifting their tactics from going just from cloud-based or centralized email phishing campaigns to web-borne threats, right. So they're infecting sites, watering hole attacks, where, you know, people will go to read their daily updates as an example of things that they do as part of their habits. They're getting sent links to these sites that when they go to it, it's actually installing those botnets onto those systems, so they can get a foothold. We've also seen scare tactics, right. So they're doing new social engineering lures, pretending to be human resource departments, IT staff and personnel, as an example, with popups through the web browser that look like these people, to fill out different forms and ultimately get infected on home devices.

>> Well, the home device use is proliferating. It continues because we are still in this work from home, work from anywhere environment. Is that, you think, a big factor in this increase from 7x to nearly 11x?

>> It is a factor, absolutely. Yeah, like I said, it's also, it's a hybrid of sorts. So a lot of that activity is going to the MSSP angle, like I said, to the OT. And to those new verticals, which by the way, are actually even larger than traditional targets in the past, like finance and banking, which is actually lower than that as an example. So yeah, we are seeing a shift to that. And like I said, that's further backed up from what we're seeing with the, the botnet activity specifically with Mirai too.

>> Are you seeing anything in terms of the ferocity? We know that the volume is increasing; are they becoming more ferocious, these attacks?

>> Yeah, there is a lot of aggression out there, certainly from, from cyber criminals. And I would say that the velocity is increasing, but the amount, if you look at the cyber criminal ecosystem, the stakeholders, right, that is increasing. It's not just one or two campaigns that we're seeing. Again, we're seeing, this has been a record cases year, almost every week we've seen one or two significant cyber security events that are happening. That is a dramatic shift compared to last year or even two years ago too. And this is because, because the cyber criminals are getting deeper pockets now. They're becoming more well-funded and they have business partners, affiliates that they're hiring, each one of those has their own methodology, and they're getting paid big. We're talking up to 70 to 80% commission, just if they actually successfully infect someone that pays for the ransom as an example. And so that's really what's driving this too. It's a combination of this kind of perfect storm as we call it, right. You have this growing attack surface, work from home environments and footholds into those networks, but you have a whole bunch of other people now on the bad side that are orchestrating this and executing the attacks too.

>> So what can organizations do to start- to slow down or limit the impacts of this growing ransomware as a service?

>> Yeah, great question. Everybody has their role in this, I say, right? So if we look at, from a strategic point of view, we have to disrupt cyber crime. How do we do that? It starts with the kill chain. It starts with trying to build resilient networks. So things like ZTA and a zero trust network access, SD-WAN as an example for protecting that WAN infrastructure. 'Cause that's where the threats are floating to, right. That's how they get the initial footholds. So anything we can do on the preventative side, making networks more resilient, also education and training is really key. Things like multi-factor authentication are all key to this because if you build that preventatively, and it's a relatively small investment upfront, Lisa, compared to the collateral damage that can happen with these ransomware paths, the risk is very high. That goes a long way. It also forces the attackers to- it slows down their velocity, it forces them to go back to the drawing board and come up with a new strategy. So that is a very important piece, but there's also things that we're doing in the industry. There's some good news here, too, that we can talk about because there's things that we can actually do apart from that to really fight cyber crime, to try to take the cyber criminals offline too.

>> All right, hit me with the good news, Derek.

>> Yeah, so a couple of things, right. If we look at the botnet activity, there's a couple of interesting things in there. Yes, we are seeing Mirai rise to the top right now, but we've seen big problems of the past that have gone away or come back, not as prolific as before. So two specific examples: Emotet, that was one of the most prolific botnets that was out there for the past two to three years, there was a take-down that happened in January of this year. It's still on our radar but immediately after that takedown, it literally dropped to half of the activity it had before. And it's been consistently staying at that low watermark now, at that half percentage, since then, six months later. So that's very good news showing that the actual coordinated efforts that we're getting involved with, with law enforcement, with our partners and so forth, to take down these are actually hitting their supply chain where it hurts, right. So that's good news part one. TrickBot was another example. This is also a notorious botnet; takedown attempt in Q4 of 2020. It went offline for about six months. In our landscape report, we actually show that it came back online in about June this year. But again, it came back weaker and now the form is not nearly as prolific as before. So we are hitting them where it hurts, that's, that's the really good news. And we're able to do that through new, what I call high resolution intelligence that we're looking at too.

>> Talk to me about that high resolution intelligence, what do you mean by that?

>> Yeah, so this is cutting edge stuff really, gets me excited, keeps me up at night in a good way. 'Cause we, we're looking at this under the microscope, right. It's not just talking about the what. We know there's problems out there, we know there's ransomware, we know there's botnets, all these things, and that's good to know, and we have to know that, but we're able to actually zoom in on this now and look at- So we, for the first time in the threat landscape report, we've published TTPs, the techniques, tactics, procedures. So it's not just talking about the what, it's talking about the how. How are they doing this? What's their preferred method of getting into systems? How are they trying to move from system to system? And exactly how are they doing that? What's the technique? And so we've highlighted that. It's using the MITRE ATT&CK framework TTPs, but this is real time data. And it's very interesting, so we're clearly seeing a very heavy focus from cyber criminals and attackers to get around security controls, to do defense evasion, to do privilege escalation on systems. So in other words, trying to become administrator so they can take full control of the system. As an example, lateral movement, there's still a preferred, over 75%, 77 I believe percent, of activity we observed from malware was still trying to move from system to system by infecting removable media like thumb drives. And so it's interesting, right. It's a brand new look on these, a fresh look, but it's this high resolution that is allowing us to get a clear image, so that when we come to providing strategic guides and solutions in defense, and also even working on these takedown efforts, allows us to be much more effective.

>> So one of the things that you said in the beginning was, we talked about the increase in ransomware from last year to this year. You said, I don't think that we've hit that ceiling yet, but are we at an inflection point? Data showing that we're at an inflection point here with being able to get ahead of this?

>> Yeah, I would like to believe so. There is still a lot of work to be done, unfortunately. If we look at, there's a recent report put out by the Department of Justice in the US saying that the chance of a criminal who is committing a crime to be caught in the US is somewhere between 55 to 60%; the same chance for a cyber criminal lies at less than 1%, well, 0.5%. And that's the bad news. The good news is we are making progress in sending messages back and seeing results. But I think there's a long road ahead. So, there's a lot of work to be done. We're heading in the right direction. But like I said, they say, it's not just about that. It's, everyone has their role in this, all the way down to organizations and end users. If they're doing their part of making their networks more resilient through this, through all of the, increasing their security stack and strategy, that is also really going to stop the- really ultimately the profiteering, that wave, 'cause that continues to build too. So it's a multi-stakeholder effort and I believe we are getting there, but I continue to still, I continue to expect the ransomware wave to build in the meantime.

>> On the end-user front, that's always one of the vectors that we talk about, it's people, right? There's so much sophistication in these attacks that even security folks and experts are nearly fooled by them. What are some of the things that you're seeing that governments are taking action on? Some recent announcements from the White House, but other organizations like Interpol, the World Economic Forum, Cyber Crime Unit, what are some of the things that governments are doing that you're seeing as really advantageous here for the good guys?

>> Yeah, so absolutely. This is all about collaboration. Governments are really focused on public, private sector collaboration. So we've seen this across the board. With FortiGuard Labs, we're on the forefront with this, and it's really exciting to see that, it's great. There's always been a lot of will to work together, but we're starting to see action now, right? Interpol is a great example. They recently this year held a high level forum on ransomware. I actually spoke and was part of that forum as well too. And the takeaways from that event were that we, this was a message to the world, that public, private sector we need. They actually called ransomware a pandemic, which is what I've referred to it as before in itself as well too. Because it is becoming that much of a problem and that we need to work together to be able to create action, action against this, measure success, become more strategic. The World Economic Forum were leading a project called the Partnership Against Cyber Crime Threat Map Project. And this is to identify, not just all this stuff we talked about in the threat landscape report, but also looking at things like, how many different ransomware gangs are there out there? What do the money laundering networks look like? It's that side of the supply chain to map out, so that we can work together to actually take down those efforts. But it really is about this collaborative action that's happening, and it's innovation and there's R&D behind this as well, that's coming to the table to be able to make it impactful.

>> So it sounds to me like ransomware is no longer a- for any organization in any industry, you were talking about the expansion of verticals. It's no longer a "if this happens to us," but a matter of when, and how do we actually prepare to remediate, prevent any damage?

>> Yeah, absolutely, how do we prepare? The other thing is that there's a lot of, with just the nature of cyber, there's a lot of connectivity, there's a lot of different, it's not just always siloed attacks, right. We saw that with Colonial obviously, this year, where you have attacks on IT that can affect consumers, right down to consumers, right. And so for that very reason, everybody's infected in this. It truly is a pandemic I believe on its own. But the good news is, there's a lot of smart people on the good side and that's what gets me excited. Like I said, we're working with a lot of these initiatives. And like I said, some of those examples I called up before, we're actually starting to see measurable progress against this as well.

>> That's good, well, never a dull day I'm sure in your world. Anything that you think, when we talk about this again in a few more months, of the second half of 2021, anything you predict crystal ball wise that we're going to see?

>> Yeah, I think that we're going to continue to see more of the, I mean, ransomware, absolutely, more of the targeted attacks. That's been a shift this year that we've seen, right. So instead of just trying to infect everybody for ransom, as an example, going after some of these new, high profile targets, I think we're going to continue to see that happening from the ransomware side and because of that, the average costs of these data breaches, I think they're going to continue to increase. It already did in 2021 as an example; if we look at the cost of a data breach report, it's gone up to about $5 million US on average. I think that's going to continue to increase as well too. And then the other thing too is, I think that we're going to start to see more, more action on the good side like we talked about. There was already a record amount of takedowns that have happened, five takedowns that happened in January. There were arrests made to these business partners, that was also new. So I'm expecting to see a lot more of that coming out towards the end of the year too.

>> So as the challenges persist, so do the good things that are coming out of this. Where can folks go to get this first half 2021 Global Threat Landscape? What's the URL that they can go to?

>> Yeah, you can check it out, all of our updates and blogs including the threat landscape reports, on blog.fortinet.com under our threat research category.

>> Excellent, I read that blog, it's fantastic. Derek, always a pleasure to talk to you. Thanks for breaking this down for us, showing what's going on. Both the challenging things, as well as the good news. I look forward to our next conversation.

>> Absolutely, it was great chatting with you again, Lisa. Thanks.

>> Likewise. For Derek Manky, I'm Lisa Martin. You're watching this Cube Conversation. (exciting music)

Published Date : Aug 31 2021


Derek Manky, Fortinet | CUBEConversation



>> Welcome to this CUBE Conversation. I'm Lisa Martin. I'm joined by Derek Manky next, the Chief, Security Insights and Global Threat Alliances at FortiGuard Labs. Derek, welcome back.

>> Yeah, it's great to be here again. So then, a lot of stuff's happened since we last talked.

>> One of the things that was really surprising from this year's Global Threat Landscape Report is a more than 10x increase in ransomware. What's going on? What have you guys seen?

>> Yeah, so this is massive. We're talking about a thousand percent, over a 10x increase. This has been building, Lisa. This has been building since December of 2020. Up until then we saw a relatively low high watermark with ransomware. It had taken a hiatus, really, because cyber criminals were going after COVID-19 lures and doing some other things at the time, but we did see a seven-fold increase in December 2020. That has absolutely continued, continued this year into a momentum up until today. It continues to build, never subsided. Now it's built to this monster, you know, almost 11 times increase from what we saw back last December. And the reason, what's fueling this, is new verticals that cyber criminals are targeting. We've seen the usual suspects like telecommunication and government in position one and two, but new verticals that have risen up into this third and fourth position following are MSSP, and this is on the heels of the Kaseya attack, of course, that happened in 2021, as well as operational technology. There's actually four segments: there's transportation, automotive, manufacturing, and then of course energy and utility, all subsequent to each other. So there's a huge focus now on OT and MSSP for cyber criminals.

>> One of the things that we saw last year, this time, was that attackers had shifted their focus away from enterprise infrastructure devices to home networks and consumer grade products. And now it looks like they're focusing on both. Are you seeing that?

>> Yes, absolutely, in two ways. So first of all, again, this is a kill chain that we talk about. They have to get a foothold into the infrastructure, and then they can load things like ransomware on there. They can load things like information stealers, as an example. The way they do that is through botnets. And what we reported in this, in the first half of 2021, is that Mirai, which is about a two to three-year-old botnet, now is number one by far. It was the most prevalent botnet that we've seen. Of course, the thing about Mirai is that it's an IoT-based botnet. So it sits on devices sitting inside consumer networks, as an example, or home networks, right? And that can be a big problem. So that's the targets that cyber criminals are using. The other thing that we saw that was interesting was that one in four organizations detected malvertising.

And so what that means, at least, is that cyber criminals are shifting their tactics from going just from cloud-based or centralized email phishing campaigns to web-borne threats, right? So they're infecting sites, watering hole attacks, where people would go to read their daily updates, as an example, the things that they do as part of their habits. They're getting sent links to these sites that, when they go to it, it's actually installing those botnets onto those systems so they can get a foothold. We've also seen scare tactics, right? So they're doing new social engineering lures, pretending to be human resource departments, you know, IT staff and personnel, as an example, with pop-ups through the web browser that look like these people, to fill out different forms and ultimately get infected on home devices.

>> Well, the home devices we use proliferate. It continues because we are still in this work from home, work from anywhere environment. Is that, when you think, a big factor in this increase from seven x to nearly 11 x?

>> It is a factor, absolutely. Yeah. Like I said, it's also, it's a hybrid of sorts. So a lot of that activity is going to the MSSP angle, like I said, to the OT, and so to those verticals, which by the way are actually even larger than traditional targets in the past. Like, finance and banking is actually lower than that, as an example. So yeah, we are seeing a shift to that. And like I said, that's further backed up from what we're seeing with the botnet activity, specifically with Mirai too.

>> Are you seeing anything in terms of the ferocity? We know that the volume is increasing. Are they becoming more ferocious, these attacks?

>> Yeah, there is. There's a lot of aggression out there, certainly from criminals. And I would say that the velocity is increasing, but the amount of, if you look at the cyber criminal ecosystem, the stakeholders, right, that is increasing. It's not just one or two campaigns that we're seeing. Again, this has been a record case; almost every week we've seen one or two significant, you know, cyber security events that are happening. That is a dramatic shift compared to last year or even, you know, two years ago too. And this is because the cyber criminals are getting deeper pockets now. They're becoming more well-funded and they have business partners, affiliates that they're hiring. Each one of those has their own methodology, and they're getting paid big. We're talking up to 70 to 80% commission just if they actually successfully, you know, infect someone that pays for the ransom, as an example. And so that's really what's driving this too. It's a combination of this kind of perfect storm, as we call it, right? You have this growing attack surface and work from home environments, and footholds into those networks. But you have a whole bunch of other people now on the bad side that are orchestrating this and executing the attacks too.

>> What can organizations do to start to slow down or limit the impacts of this growing ransomware as a service?

>> Yeah, great question. Everybody has their role in this, I say, right? So if we look at it from a strategic point of view, we have to disrupt cyber crime. How do we do that? It starts with the kill chain. It starts with trying to build resilient networks. So things like ZTNA, zero trust network access, SD-WAN as an example, for protecting that WAN infrastructure, because that's where the threats are floating to, right? That's how they get the initial footholds. So anything we can do on the, you know, preventative side, making networks more resilient. Also, education and training is really key. Things like multi-factor authentication are all key to this, because if you build that preventatively, and that's a relatively small investment upfront, Lisa, compared to the collateral damage that can happen with these ransomware, it passes; the risk is very high. That goes a long way. It also forces the attackers to, it slows down their velocity. It forces them to go back to the drawing board and come up with a new strategy. So that is a very important piece, but there's also things that we're doing in the industry. There's some good news here too that we can talk about, because there's things that we can actually do, apart from that, to really fight cyber crime, to try to take down the cyber criminals.

>> All right. Hit me with the good news, Derek.

>> Yeah. So a couple of things, right. If we look at the botnet activity, there's a couple of interesting things in there. Yes, we are seeing Mirai rise to the top right now, but we've seen big problems of the past that have gone away or come back not as prolific as before. So two specific examples: Emotet, that was one of the most prolific botnets that was out there for the past two to three years. There was a takedown that happened in January of this year. It's still on our radar, but immediately after that takedown, it literally dropped to half of the activity it had before. And it's been consistently staying at that low watermark now, at that half percentage, since, six months later. So that's very good news, showing that the actual coordinated efforts that we're getting involved with, with law enforcement, with our partners and so forth, to take down these are actually hitting their supply chain where it hurts.

Right. So that's good news, part one. TrickBot was another example. This is also a notorious botnet takedown attempt in Q4 of 2020. It went offline for about six months. In our landscape report, we actually show that it came back online in about June this year. But again, it came down, it came back weaker in another form, and is not nearly as prolific as before. So we are hitting them where it hurts. That's the really good news. And we're able to do that through new, what I call high resolution intelligence.

>> Talk to me about that high resolution intelligence. What do you mean by that?

>> Yeah, so this is cutting edge stuff. It really gets me excited and keeps me up at night in a good way, 'cause we're looking at this under the microscope, right? It's not just talking about the why. We know there's problems out there. We know there's ransomware. We know there's the botnets, all these things, and that's good to know, and we have to know that, but we're able to actually zoom in on this now and look at it. So for the first time in the threat landscape report, we've published TTPs, the techniques, tactics, procedures. So it's not just talking about the what, it's talking about the how. How are they doing this? What's their preferred method of getting into systems? How are they trying to move from system to system, and exactly how are they doing that? What's the technique? And so we've highlighted that using the MITRE ATT&CK framework TTPs, but this is real-time data.

And it's very interesting. So we're clearly seeing a very heavy focus from cyber criminals and attackers to get around security controls, to do defense evasion, to do privilege escalation on systems. So in other words, trying to become administrator so they can take full control of the system. As an example, lateral movement: it's still preferred; over 75%, 77% I believe, of activity we observed from malware was still trying to move from system to system by infecting removable media like thumb drives. And so it's interesting, right? It's a brand new look on these, a fresh look, but it's this high resolution that is allowing us to get a clear image, so that when we come to providing strategic guidance and solutions of defense, and also even working on these takedown efforts, it allows us to be much more effective.

>> One of the things that you said in the beginning was we talked about the increase in ransomware from last year to this year. You said, I don't think that we've hit that ceiling yet, but are we at an inflection point? Is the data showing that we're at an inflection point here with being able to get ahead of this?

>> Yeah, I would like to believe so. There is still a lot of work to be done. Unfortunately, if we look at, you know, there is a recent report put out by the Department of Justice in the US saying that, you know, the chance of a criminal committing a crime being caught in the US is somewhere between 55 to 60%; the same chance for a cyber criminal lies at less than 1%, well, 0.5%. And that's the bad news. The good news is we are making progress in sending messages back and seeing results. But I think there's a long road ahead. So, you know, there's a lot of work to be done. We're heading in the right direction. But like I said, it's not just about that. Everyone has their role in this, all the way down to organizations and end users. If they're doing their part in making their networks more resilient through this, through all the, you know, increasing their security stack and strategy, that is also really going to stop, you know, really ultimately the profiteering, that wave, you know, 'cause that continues to build too. So it's a multi-stakeholder effort and I believe we are getting there, but I continue to still, you know, I continue to expect the ransomware wave to build in the meantime.

>> On the end user front, that's always one of the vectors that we talk about, it's people, right? There's so much sophistication in these attacks that even security folks and experts are nearly fooled by them. What are some of the things that you're seeing that governments are taking action on? Some recent announcements from the White House, but other organizations like Interpol, the World Economic Forum, Cyber Crime Unit, what are some of the things that governments are doing that you're seeing as really advantageous here for the good guys?

>> Yeah, so absolutely. This is all about collaboration. Governments are really focused on public private sector collaboration. So we've seen this across the board with FortiGuard Labs, we're on the forefront with this, and it's really exciting to see that, it's great. There's always been a lot of will to work together, but we're starting to see action now, right? Interpol is a great example. They recently, this year, held a high level forum on ransomware. I actually spoke and was part of that forum as well too. And the takeaways from that event were that this was a message to the world, that public private sector we need. They actually called ransomware a pandemic, which is what I've referred to it as before in itself as well too, because it is becoming that much of a problem and that we need to work together to be able to create action, action against this, measure success, become more strategic.

The World Economic Forum were leading a project called the Partnership Against Cybercrime Threat Map Project. And this is to identify not just all this stuff we talked about in the threat landscape report, but also looking at, you know, things like how many different ransomware gangs are there out there. What do their money laundering networks look like? It's that side of the supply chain to map out, so that we can work together to actually take down those efforts. But it really is about this collaborative action that's happening, and it's innovation, and there's R&D behind this as well that's coming to the table to be able to, you know, make it impactful.

>> So it sounds to me like ransomware is no longer a, for any organization in any industry, you were talking about the expansion of verticals, it's no longer a, if this happens to us, but a matter of when, and how do we actually prepare to remediate, prevent any damage?

>> Yeah, absolutely. How do we prepare? The other thing is that there's a lot of, you know, with just the nature of cyber, there's a lot of connectivity. There's a lot of different, it's not just always siloed attacks, right? We saw that with Colonial obviously this year, where you have attacks on IT that can affect consumers, right down to consumers, right. And so for that very reason, everybody's infected in this. It truly is a pandemic, I believe, on its own. But the good news is there's a lot of smart people on the good side and, you know, that's what gets me excited. Like I said, we're working with a lot of these initiatives, and like I said, some of those examples I called up before, we're actually starting to see measurable progress against this as well.

>> That's good. Well, never a dull day, I'm sure, in your world. Anything that you think, when we talk about this again in a few more months, in the second half of 2021, anything that you predict, crystal ball wise, that we're going to see?

>> Yeah. I think that we're going to continue to see more of the, I mean, ransomware, absolutely. More of the targeted attacks. That's been a shift this year that we've seen, right. So instead of just trying to infect everybody for ransom, as an example, going after some of these new, you know, high profile targets, I think we're going to continue to see that happening from the ransomware side, and because of that, the average costs of these data breaches, I think they're going to continue to increase. They already did in 2021, as an example; if we look at the Cost of a Data Breach report, it's gone up to about $5 million US on average. I think that's going to continue to increase as well too. And then the other thing too is I think that we're going to start to see more action on the good side, like we talked about. There was already a record amount of takedowns that have happened, five takedowns that happened in January. There were arrests made of these business partners, that was also new. So I'm expecting to see a lot more of that coming out towards the end of the year, too.

>> So as the challenges persist, so do the good things that are coming out of this. Where can folks go to get this first half 2021 Global Threat Landscape? What's the URL that they can go to?

>> Yeah, you can check it out, all of our updates and blogs, including the threat landscape reports, on blog.fortinet.com under our threat research category.

>> Excellent. I read that blog. It's fantastic. Derek, always a pleasure to talk to you. Thanks for breaking this down for us, showing what's going on, both the challenging things as well as the good news. I look forward to our next conversation.

>> Absolutely. It's great chatting with you again, Lisa. Thanks.

>> Likewise. For Derek Manky, I'm Lisa Martin. You're watching this CUBE Conversation.


Tony Giandomenico, Fortinet | CUBEConversation, November 2019



>> From our studios in the heart of Silicon Valley, Palo Alto, California, this is a CUBE Conversation.

>> Hi, and welcome to the CUBE studios in Palo Alto, California, for another CUBE Conversation, where we go in depth with the tech leaders driving innovation across the technology industry. I'm your host, Peter Burris. Well, it's that time of quarter again. Every quarter we get together with Fortinet to discuss their Threat Landscape Report, which is one of the industry's best and most comprehensive views into how the bad guys are utilizing bad software and bad access to compromise digital business and steal digital assets. Now, this quarter's report suggests that there's not as much new stuff going on. If you look at the numbers, they're relatively flat compared to previous quarters, but that doesn't tell the real story. Underneath those numbers, we see that there is a churn. There's an incredibly dynamic world of bad actors doing bad things with old and new bad stuff to try to compromise digital business. To learn more about this dynamism and what's really happening, once again we've got a great CUBE guest. Tony Giandomenico is a senior security strategist and researcher and CTI lead at Fortinet. Tony, welcome back to theCUBE.

>> Hey Peter, it's great to be here.

>> So Tony, I started off by making this observation that the index suggests that we're in kind of a steady state, but that's not really what's happening, is it? What's really going on? What's going on inside the numbers?

>> Yeah, no, we start to see a little bit of a shift of tactics. What has happened, I think, not all the time, but sometimes what the adversaries like to do is penetrate an organization where maybe us as defenders aren't necessarily as focused in on, and a great example is this. For many years we were focused on, and rightfully so, and we continue to be focused on this, being able to block a phishing email, right? We have our email security gateways to be able to not allow that email to come into the network. We also then, for whatever reason, if it happens to get into the network, we focus on user awareness training to educate our users to make sure that they can identify a malicious email, that they're not clicking that link or clicking that attachment. Now with that said, we look at the actual data in our Q3 Threat Landscape report, and what we're seeing is the adversaries are targeting vulnerabilities that, if they were successfully exploited, would give them remote code execution, meaning that they can compromise that box and then move further and further inside the network.

Now granted, that's been happening for many years, but we have actually seen an increase. As a matter of fact, it was number one in prevalence across all the actual regions. So with that said, I think it's worth making sure that you're looking at your edge devices or your edge services that are publicly exposed out there. Make sure that there's no vulnerabilities on them, make sure that they're not misconfigured, and also make sure that you have some type of multifactor authentication. And I think, like we've talked about many times, that threat landscape or that, you know, threat attack surface continues really to expand, right? You've got cloud, you have IoT. So it's becoming more and more difficult to be able to secure all those edge services. Definitely, you know, something you should take a look at.

>> And you've got more people using more mobile devices to do more things. So it sounds as though it's a combination of two things that's really driving this dynamism, right, Tony? It's one, just the raw numbers of growth in devices and opportunities, and the threat surface is getting larger and the possibility that something's misconfigured is going up, and two, that they're just trying to catch your organizations by surprise. One of those is just make sure you're doing things right, but the other one is don't take your eye off the ball, isn't it? How are organizations doing as they try to expand their ability to address all of these different issues, including a bunch that are tried and true and mature, that we may have stopped focusing on?

>> Yeah. You know, it's really hard, right? I always say this, and, you know, I get some mixed kind of reaction sometimes, but you can't protect and monitor everything. I mean, depending on how large your network is, it's really difficult. So I mean, really focusing on what's important, what's critical in your organization, is probably really the best approach, right? Really kind of focusing on that. Now with that said though, the reason why it becomes so difficult these days is the volumes of threats that we're seeing kind of come out of what I refer to as the cybercrime ecosystem, right? Where anytime, do you know anybody who wants to get into a life of cybercrime, they really don't need to know much. They just need to understand, right, where to get these particular services that they can sort of rent, right? You have malware as a service, right? You've got kind of ransomware as a service. So that's important to make sure we understand. Hey, anybody can get into a life of cybercrime, and that volume is really sort of being driven by the cybercrime ecosystem.

>> Well, the threat report noted specifically that, as you said, the life of crime is getting cheaper for folks to get into, because just as we're moving from products to services in technology and in other parts of the industry, we're moving from products to services in the threat world. Talk a little bit about this, what you just said, this notion of, you know, bad guy as a service. What's happening?

>> Yeah, I like that, bad guy as a service. What's really kind of popular these days is ransomware as a service. In Q3 we saw two more variants, ransomware as a service, you know, Sodinokibi and then also, I think I can pronounce it, Nemty. I always have a hard time pronouncing all of these malware names. But anyway, these are new variants now that are coming up. And of course, anytime you get something new, the malware usually has more, you know, more advanced kind of capabilities. And you know, these malwares have, you know, ways to evade detection. You know, they're looking for different services that may be on the operating system, finding ways to be able to thwart the detection of their particular malware, or if someone is analyzing that particular threat, making it longer for an analyst to be able to figure out what's going on, as well as trying to avoid different types of sandbox technologies. Now, I think that's something to actually, you know, really worry about. But what really gets me, and I might've said this in some of the previous conversations this year, is that the tactics are also kind of changing a bit for ransomware as a service coming out of the cybercrime ecosystem. It used to be more opportunistic. There was a spray and pray approach, let's hope something sticks, right? Totally changed. They're becoming a lot more targeted. And one of the main reasons why is because organizations are paying large amounts of money, or the ransom, depending, large amounts of money to the group to have the ability to decrypt their files after they get hit with ransomware. And you've seen this right now, the adversaries are targeting organizations or industries that may not have the most robust security posture.

They're focused on municipalities, yeah, they're focused on cities, also state, local government.
Um, well we saw it earlier on this year, the city of Baltimore, we had a bunch of cities in Florida, actually one city in Florida ended up having to pay $600,000 in a ransom to be able to have their files decrypted. And also in the state of Texas we saw, Mmm. A, uh, malware variant or ransomware variant hit about 22 municipalities throughout the state of Texas. And you know, the one other thing I think seems to be common amongst all of these victims is a lot of them have some type of insurance. So I think the bad guys are also doing some research or doing their homework to make sure, Hey, if I'm going to spend the money to target this individual or this organization, I want to make sure that they're going to be able to >>painting the ransom. They're refining their targets based on markers, which is how bad guys operate everywhere, right? You decide who your Mark is and what their attributes are. And because these are digital, there's also a lot more data flying around about who these marks are, how they work. Uh, as you said, the availability of insurance means that there is no process for payment in place because insurance demands it and it accelerates, uh, the, the, the time from hitting them to getting paid if I got that right. >>Yeah, that is 100% spot on, you know, efficiency, efficiency, officio. I mean, we all want to get paid as fast as possible, right? Yeah. >>Peter. Yeah, that's true. That's true. All right, so it's time for prescription time, Tony. It's a, uh, we've talked about this for probably six or eight quarters now and every time I ask you, and what do folks do differently in the next few months? Uh, what should they do differently in the next few months? >>You know, I like to talk a lot about how we, you know, you have to have that foundational, uh, it kind of infrastructure in place, having visibility and all that debt and that's 100% sort of true. Um, that doesn't change. But I think one thing that we can start doing, um, and this is wonderful. 
Um, I'm sort of project that had transpired over the last few years from the MITRE, uh, organization is the MITRE attack framework. Uh, what had happened was miter had gone out there and brought in, um, through all these open source outlets, different types of threat reports. Mmm. That the adversaries, um, you know, we're, di we're documented actually doing, they took all those tactics and corresponding techniques and documented all of them in one location. So now you have a common language for you to be able to determine and be able to learn what the actors are actually doing to come their cyber mission. >>And because now we have that there's a trend. Now organizations are starting to look at this data, understand it, and then operationalizing it into their environment. And what I mean by that is they're looking at the axle the, uh, tactic and the technique and not know, understanding what it is, looking at, what is the actual digital dust that it might leave behind, what's the action and making sure that they have the right protections and and they're grabbing the right logs at least to be able to determine when that particular threat actor, using that technique happens to be in there environment. >>But it also sounds as though you, you know, you noted the use of common language that it sounds as though, uh, you're suggesting that enterprises should be taking a look at these reports, studying them, uh, reaching agreement about, uh, what they mean, the language so that they are acculturating themselves to this more common way of doing things. Because it's the ability to not have to negotiate with each other when something happens and to practice how to respond. That really leads to a faster, more certain, uh, more protecting response if I got that right. Yeah. >>You know, 100%. And I'll also add though, um, as you start to operationalize this no miter attack framework and understanding what the adversaries are kind of doing, you get more visibility. Yeah. 
But then also what you're seeing is there's a trend of vendors starting to create what's referred to as threat actor playbooks, right? So there, as they discover these actual threads, they're mapping the actual tactics and techniques back to this common language. So now you have the ability to be able to say, Hey, I just seen a, you know, Fordanet just put this report out on this particular, you know, threat actor or this malware because we're leveraging a common language. They can more easily go back and see how they're actually defending against these particular, you know, TTPs. Well, and the latest one, you know, that we put out, uh, just this week was, um, uh, uh, a playbook on the malware that's a banking Trojan. >>Well, at least it started out as a banking Trojan. It's kind of morphed into something a little more now. You see it delivering a bunch of malware variants, um, you know, different malware families. It's almost like a botnet now. And, uh, we hadn't actually seen it, um, really for a little while. But in Q three we saw a bunch of different campaigns spawn. And like I always say, malware a hibernate for a little bit, but when it comes back, it comes back bigger, faster, stronger. There's always new tactics, there's only new capabilities. And then this case, that's no exception. What they did, Mmm. And I thought was very unique, uh, at being able to, again, crayon, Mmm. The humans to be able to make a mistake. So what they did is they as a victim, they would grab the email, thread from the emails, grab those threads, I put it in a spoofed email, and then email that to the next victim. And they'll actually, um, so know when the victim opens up that particular email, they see that thread that looks like, Hey, I've had this correspondence, you know, before this has to be a good email, I'm going to clip that attachment. And when they do, now they're compromised and that whole process happens over and over and over again. 
>>So there's, they're scraping the addressees and they are taking the email and creating a new AML and sending it onto new, uh, addressees hopefully before the actual real email gets there. Right. >>Uh, you know, yes. But also say that, um, they're actually, they're taking the context of the email, right? So the email sort of thread. So it makes it, it's an actual real thread. Well, they're just kind of adding it in there. So it's really it really looks like it's, hello. Hey, I've had that correspondence before. Um, I'm just going to click that link. >>So that's me. This notion of operationalizing through the minor and these new playbooks, uh, is a, a way ultimately that more people, presumably we're creating more of a sense of professionalism that will diffuse into new domains. So, for example, you mentioned early on, uh, municipalities and whatnot that may not have the same degree of sophistication through this playbook approach, through the utilizing these new resources and tools that Fortinet and others are providing. It means that you can raise to some degree, the level of responsiveness in shops that may not have the same degree of sophistication. Correct? >>Yeah, I didn't, you know, I definitely would have to agree. And it also, I think as you start to understand these techniques, you will never just have one technique as a standalone, right? These techniques are Holies chained together, right? You're going to have, once this technique is there, you're going to know that there's a few techniques are probably have a happen before and there's some, they're going to happen later. A great example of this, let's say, when you know, when an adversary is moving laterally inside the network, there's really three basic things that they have to be able to have. One is they have to have the authorization, the access, you know, to be able to move from system to system. Once they have that, you know, and there's a way a variety of ways that they can do that. 
Once they're there, now they have to somehow copy that malware from system to system. >>And you know, you can do that through, you know, ah, remote desktop protocol. You can do that through no P S exact. It's a variety of different ways you can do that. And then once the malware's there, then you have to execute it somehow. And there's ways to do that. Now if you have a common language for each one of those, now you start chaining these things together, you know, the digital dust or the actual behaviors and what's actually left behind with these actual tactics. And now as manually you can start better understanding how to, you know, thread hunt more efficiently and also start to actually let the technology do this kind of threat hunting for you. So I guarantee you we're going to see innovation and technology where they're going to be doing automatic through hunting for you based on these types of understandings in the future. >>Tony, what's growing? Once again, great cube conversation. Thanks again for being on the cube. Tony John, John de Medico is, I'm going to just completely shorten your title, uh, threat landscape expert Fort Tony. Thanks again. >>Yeah, it's great to be here. Peter. Thanks a lot, >>and thanks once again for joining us for another cube conversation on Peter Burris. See you next time..

Published Date : Nov 19 2019

Tony Giandomenico, Fortinet | CUBEConversation, November 2019


 

>> From our studios in Silicon Valley, Palo Alto, California, this is a CUBE conversation.

>> Hi, and welcome to theCUBE studios in Palo Alto, California, for another CUBE conversation, where we go in depth with the tech leaders driving innovation across the technology industry. I'm your host, Peter Burris. Well, it's that time of quarter again. Every quarter we get together with Fortinet to discuss their Threat Landscape Report, which is one of the industry's best and most comprehensive views into how the bad guys are utilizing bad software and bad access to compromise digital business and steal digital assets. Now, this quarter's report suggests that there's not as much new stuff going on. If you look at the numbers, they're relatively flat compared to previous quarters, but that doesn't tell the real story. Underneath those numbers, we see that there is a churn. There's an incredibly dynamic world of bad actors doing bad things with old and new bad stuff to try to compromise digital business. To learn more about this dynamism and what's really happening, once again we've got a great CUBE guest, Tony Giandomenico, a senior security strategist and researcher and CTI lead at Fortinet. Tony, welcome back to theCUBE.

>> Hey Peter, it's great to be here.

>> So Tony, I started off by making this observation that the index suggests that we're in kind of a steady state, but that's not really what's happening, is it? What's really going on? What's going on inside the numbers?

>> Yeah, no, we start to see a little bit of a shift of tactics. What has happened, I think, not all the time, but sometimes what the adversaries like to do is penetrate an organization where maybe us as defenders aren't necessarily as focused in on, and a great example is this. For many years we were focused on, and rightfully so, and we continue to be focused on this, is being able to block a phishing email, right? We have our email security gateways to be able to not allow that email to come into the network. We also then, for whatever reason, if it happens to get into the network, we focus on user awareness training to educate our users to make sure that they can identify a malicious email. They're not clicking that link or clicking that attachment. Now with that said, we look at the actual data in our Q3 Threat Landscape Report, and what we're seeing is the adversaries are targeting vulnerabilities that, if they were successfully exploited, would give them remote code execution, meaning that they can compromise that box further and further inside the network. Now granted, that's been happening for many years, but we have actually seen an increase. As a matter of fact, it was number one in prevalence across all the actual regions. So with that said, I think it's worth making sure that you're looking at your edge devices or your edge services that are publicly exposed out there. Make sure that there's no vulnerabilities on them, make sure that they're not misconfigured, and also make sure that you have some type of multifactor authentication. And I think, like we've talked about many times, that threat landscape or that, you know, threat attack surface continues really to expand, right? You got cloud, you have IoT. So it's becoming more and more difficult to be able to secure all those edge services. But definitely, you know, something you should take a look at.

>> And you got more people using more mobile devices to do more things. So it sounds as though it's a combination of two things that's really driving this dynamism, right, Tony? It's one, just the raw numbers of growth in devices and opportunities, and the threat surface is getting larger and the possibility that something's misconfigured is going up, and two, that they're just trying to catch organizations by surprise. One of those is just make sure you're doing things right, but the other one is don't take your eye off the ball, isn't it? How are organizations doing as they try to expand their ability to address all of these different issues, including a bunch that are tried and true and mature, that we may have stopped focusing on?

>> Yeah. You know, it's really hard, right? I always say this and, you know, I get some mixed kind of reaction sometimes, but you can't protect and monitor everything. I mean, depending on how large your network is, it's really difficult. So, I mean, really focusing on what's important, what's critical in your organization is probably really the best approach. I mean, really kind of focusing on that. Now with that said though, the reason why it becomes so difficult these days is the volumes of threats that we're seeing kind of come out of what I refer to as the cybercrime ecosystem, right? Where anytime, you know, anybody who wants to get into a life of cyber crime, they really don't need to know much. They just need to understand, right, where to get these particular services that they can sort of rent, right? You have malware as a service, right? You got kind of ransomware as a service. So it's important to make sure we understand, hey, anybody can get into a life of cyber crime, and that volume is really sort of being driven by the cyber crime ecosystem.

>> Well, the threat report noted specifically that, as you said, the life of crime is getting cheaper for folks to get into, because just as we're moving from products to services in technology and in other parts of the industry, we're moving from products to services in the threat world. Talk a little bit about this, what you just said, this notion of, you know, bad guy as a service. What's happening?

>> Yeah, I like that, bad guy as a service. What's really kind of popular these days is ransomware as a service. As a matter of fact, in FortiGuard Labs we were tracking, for about two years or so, one of the most prolific ransomware as a service, GandCrab. Matter of fact, over the two year period, they gleaned off about over $2 billion worth of ransoms. Now, they said that they kind of shut down, and as they started closing down operations in Q3, we saw two more variants of ransomware as a service. You know, Sodin, and also, I think I can pronounce it, Nemty. I always have a hard time pronouncing all of these malware names. But anyway, these are new variants now that are coming up. And of course anytime you get something new, the malware usually has more, you know, more advanced kind of capabilities. And, you know, these malwares have, you know, ways to evade detection, you know, they're looking for different services that may be on the operating system, finding ways to be able to thwart the detection of their particular malware, or if someone is analyzing that particular threat, making it longer for an analyst to be able to figure out what's going on, as well as trying to avoid different types of sandbox technologies. Now I think that's something that actually, you know, you really worry about. But what really gets me, and I might have said this in some of the previous conversations this year, is that the tactics are also kind of changing a bit for ransomware as a service coming out of the cyber-crime ecosystem. It used to be more opportunistic. There was a spray and pray approach, let's hope something sticks. Right? Totally changed. They're becoming a lot more targeted. And one of the main reasons why it is, is because organizations are paying large amounts of money, or the ransom, depending, large amounts of money to the group to have the ability to decrypt their files after they get hit with ransomware. And you've seen this right now, the adversaries are targeting organizations or industries that may not have the most robust security posture. They're focused on municipalities. Now, they're focused on, you know, cities, also state and local government. Well, we saw it earlier on this year, the city of Baltimore. We had a bunch of cities in Florida, actually one city in Florida ended up having to pay $600,000 in a ransom to be able to have their files decrypted. And also in the state of Texas we saw a malware variant or ransomware variant hit about 22 municipalities throughout the state of Texas. And you know, the one other thing I think seems to be common amongst all of these victims is a lot of them have some type of insurance. So I think the bad guys are also doing some research or doing their homework to make sure, hey, if I'm going to spend the money to target this individual or this organization, I want to make sure that they're going to be able to, yeah, pay me the ransom.

>> They're refining their targets based on markers, which is how bad guys operate everywhere, right? You decide who your mark is and what their attributes are. And because these are digital, there's also a lot more data flying around about who these marks are, how they work. As you said, the availability of insurance means that there's now a process for payment in place because insurance demands it, and it accelerates the time from hitting them to getting paid. If I got that right.

>> Yeah, that is 100% spot on, you know, efficiency, efficiency, efficiency. I mean, we all want to get paid as fast as possible. Right? Right, Peter?

>> Yeah, that's true. That's true. All right, so it's time for prescription time, Tony. We've talked about this for probably six or eight quarters now, and every time I ask you, what do folks do differently in the next few months? What should they do differently in the next few months?

>> Ah, you know, I like to talk a lot about how, you know, you have to have that foundational IT kind of infrastructure in place, having visibility in all that data, and that's 100% sort of true. That doesn't change. But I think one thing that we can start doing, and this is wonderful, a sort of project that had transpired over the last few years from the MITRE organization is the MITRE ATT&CK framework. What had happened was MITRE had gone out there and brought in, through all these open source outlets, different types of threat reports that the adversaries, you know, were documented actually doing. They took all those tactics and corresponding techniques and documented all of them in one location. So now you have a common language for you to be able to determine and be able to learn what the actors are actually doing to accomplish their cyber mission. And because now we have that, there's a trend. Now organizations are starting to look at this data, understand it, and then operationalizing it into their environment. And what I mean by that is they're looking at the actual tactic and the technique and, you know, understanding what it is, looking at what is the actual digital dust that it might leave behind, what's the action, and making sure that they have the right protections and detections, and they're grabbing the right logs, at least to be able to determine when that particular threat actor using that technique happens to be in their environment.

>> But it also sounds as though, you know, you noted the use of common language, that it sounds as though you're suggesting that enterprises should be taking a look at these reports, studying them, reaching agreement about what they mean, the language, so that they are acculturating themselves to this more common way of doing things. Because it's the ability to not have to negotiate with each other when something happens and to practice how to respond that really leads to a faster, more certain, more protecting response, if I got that right. Yeah.

>> You know, 100%. And I'll also add though, as you start to operationalize this MITRE ATT&CK framework and understanding what the adversaries are kind of doing, you get more visibility. Yeah. But then also what you're seeing is there's a trend of vendors starting to create what's referred to as threat actor playbooks, right? So there, as they discover these actual threats, they're mapping the actual tactics and techniques back to this common language. So now you have the ability to be able to say, hey, I just saw, you know, Fortinet just put this report out on this particular, you know, threat actor or this malware, because we're leveraging a common language. They can more easily go back and see how they're actually defending against these particular, you know, TTPs. Well, and the latest one, you know, that we put out just this week was a playbook on the malware. It's a banking Trojan. Well, at least it started out as a banking Trojan. It's kind of morphed into something a little more now. You see it delivering a bunch of malware variants, you know, different malware families. It's almost like a botnet now. And we hadn't actually seen it really for a little while. But in Q3 we saw a bunch of different campaigns spawn. And like I always say, malware will hibernate for a little bit, but when it comes back, it comes back bigger, faster, stronger. There's always new tactics, there's always new capabilities. And in this case, that's no exception. What they did, and I thought was very unique, at being able to, again, prey on the humans to be able to make a mistake. So what they did is, as a victim, they would grab the email thread from the emails, grab those threads, put it in a spoofed email, and then email that to the next victim. And they'll actually, so you know, when the victim opens up that particular email, they see that thread that looks like, hey, I've had this correspondence, you know, before, this has to be a good email, I'm going to click that attachment. And when they do, now they're compromised, and that whole process happens over and over and over again.

>> So they're scraping the addressees and they are taking the email and creating a new email and sending it on to new addressees, hopefully before the actual real email gets there. Right?

>> No, yes, but I'd also say that they're actually taking the context of the email, right? So the email sort of thread, so it makes it, it's an actual real thread. Well, they're just kind of adding it in there. So it really looks like it's, hello, hey, I've had that correspondence before. I'm just going to click that link or attachment.

>> This notion of operationalizing through the MITRE framework and these new playbooks is a way, ultimately, that more people, presumably, we're creating more of a sense of professionalism that will diffuse into new domains. So, for example, you mentioned early on municipalities and whatnot that may not have the same degree of sophistication. Through this playbook approach, through utilizing these new resources and tools that Fortinet and others are providing, it means that you can raise, to some degree, the level of responsiveness in shops that may not have the same degree of sophistication. Correct?

>> Yeah, I did. You know, I definitely would have to agree. And then also, I think, as you start to understand these techniques, you will never just have one technique as a standalone, right? These techniques are usually chained together, right? You're going to have, once this technique is there, you're going to know that there's a few techniques that probably have happened before, and there's some that are going to happen later. A great example of this, let's say, when an adversary is moving laterally inside the network, there's really three basic things that they have to be able to have. One is they have to have the authorization, the access, you know, to be able to move from system to system. Once they have that, you know, and there's a variety of ways that they can do that. Once they're there, now they have to somehow copy that malware from system to system. And you know, you can do that through, you know, Remote Desktop Protocol. You can do that through, you know, PsExec. There's a variety of different ways you can do that. And then once the malware's there, then you have to execute it somehow. And there's ways to do that. Now if you have a common language for each one of those, now you start chaining these things together, you know, the digital dust or the actual behaviors and what's actually left behind with these actual tactics. And now, manually, you can start better understanding how to, you know, threat hunt more efficiently, and also start to actually let the technology do this kind of threat hunting for you. So I guarantee you we're going to see innovation in technology where they're going to be doing automatic threat hunting for you based on these types of understandings in the future.

>> Tony, once again, great CUBE conversation. Thanks again for being on theCUBE. Tony Giandomenico is, I'm going to just completely shorten your title, threat landscape expert at Fortinet. Tony, thanks again.

>> Hey, it's great to be here, Peter.

>> Thanks a lot, and thanks once again for joining us for another CUBE conversation. I'm Peter Burris. See you next time.

Published Date : Nov 15 2019


Melissa Zicopula, Herjavec Group | Splunk .conf19

(upbeat music) >> Narrator: Live from Las Vegas, it's theCUBE, covering Splunk .Conf19. Brought to you by Splunk. >> Welcome to theCUBE everybody, we're here in Las Vegas for Splunk's .Conf, I'm John Furrier, host of theCUBE, here with Lisa Martin for the next three days. Lisa will be here tomorrow and the next day. I'm going to be carrying it solo, this is our seventh year .Conf, Splunk's conference celebrating their 10th year. Our first guest is Melissa Zicopula, vice president of managed services of Herjavec Group. Robert's been on before, welcome to theCUBE. >> Thank you. >> I always get that, Herjavec? >> Herjavec Group. >> Herjavec Group. >> Happy to be here. >> Well known for the Shark Tank, but what's really interesting about Robert and your company is that we had multiple conversations and the Shark Tanks is what he's known for in the celebrity world. >> Melissa: Yes. >> But he's a nerd, he's a geek, he's one of us! (laughing) >> He's absolutely a cyber-security expert in the field, yes. >> So tell us what's going on this year at .Conf obviously security continues to be focus you guys have a booth here, what's the message you guys are sharing, what's the story from your standpoint? >> Yeah, so we do, Herjavec we're focusing on managed security services, where information security is all we do, focusing on 24/7 threat detection, security operations and also threat management. So, we want to be able to demo a lot of our capabilities, we're powered by Splunk, our HG analytics platform uses, heavily uses Splunk on the back end. So we want to be able to showcase for our customers, our clients, our prospects different types of use cases, different types of ways to detect malicious activity, while leveraging the tool itself. 
>> And data we're been covering since 2013, Splunk's .Conf, it's always been a data problem, but the data problem gets bigger and bigger, there's more volume than ever before which shifts the terms to the adversaries because ransomware is at an all time high. >> Melissa: Sure. >> Data is where the value is, but that's also where the attack vectors are coming from. This isn't going away. >> Absolutely, yeah, we want to focus on not just what type of data you're ingesting into your instance but to also understand what types of log sources you're feeding into your sim today. So we have experts actually focus on evaluating the type of log sources we're bringing in. Everything from IPS, to AV, to firewall you know, solutions into the sim so that way we can build use cases those, to be able to detect different types of activity. We leverage different types of methodologies, one of them is Mitre framework, CIS top 20. And being able to couple those two together it's able to give you a better detection mechanism in place. >> I want to some kind of, clarification questions because we talked to a lot of CSOs and CIOs and and CXOs in general. >> Melissa: Sure. >> The roles are changing, but the acronyms of the providers out in the market place are specializing, some have unique focuses, some have breadth, some have depth, you guys are an MSSPP. So, MSSPP, not to be confused with an MSP. Or ISV, there's different acronyms, what is the difference between an MSSPP versus an MSP? >> Melissa: Correct, so it's, we are a MSSP, which is a Managed Security Service Provider. And what we do is just, we're focused on we're very security-centric. So information, security is all we do everything from threat detection, we even have a consulting advisory role where we're actually doing penetration exams. We're PCI compliant, obviously SOC operations are the bread and butter of our service. 
Whereas, other MSPs, Managed Services Providers, they can do anything from architecture, network operations in that purview. So, we're focused on more of SIM solutions, endpoint, being able to manage any of your security technologies. And also, monitor them to take a fact into the SOC. >> So you guys are very focused? >> Melissa: Very focused on security. >> Then what's the key decision point for a customer to go with you guys, and what's the supplier relationship to the buyer because they're buying everything these days! >> Melissa: Sure. >> But they want to try and get it narrowed down so the right people are in the right place. >> Melissa: Yeah, so one of the great things about Herjavec Group is we are, you know, we're vendor agnostic, we have tons of experts in, you know, expertise resources that monitor, manage different types of technologies. Whether it's Splunk and other technologies out there, we have a team of people, that are very, very, you know, centric to actually monitor and manage them. >> How big is Splunk, in relative with your services? How involved are they with the scope? >> Melissa: Over 60% of our managed clients today, utilize Splunk, they're heavy Splunk users, they also utilize Splunk ES, Splunk Core, and from a management side, they're implementing them into their service. All of the CSOs and CROs or CIOs are leveraging and using it, not just for monitoring and security but they're also using it in development environments, as well as their network operations. >> So, one of the things I've been, I won't say preaching, because I do tend to preach a lot, but I've been saying and amplifying, is that tools have come a long way in the business and there's platforms and Splunk has always kind of been that, a platform provider, but also a good tool for folks. But, they've been enabling value, you guys have built an app on Splunk, the proprietary solutions. >> Absolutely. 
>> Could you tell me about that because this is really where the value starts to shift, where domain expertise focused practices and services, like you guys are doing, are building on someone else's platform with data, talk about your proprietary app. >> Absolutely, so we discovered, a few years ago, was that customers needed help getting to the data faster. So we were able to build in built-in queries, you know literally one click, say if you wanted to get to a statistical side of how many data sources are logging your SIM, is the data, you know, modeling complete, you know, is there anything missing in the environment or are there any gaps that we need to fill? You're able to do it by just clicking on a couple of different, you know, buttons within the tool itself. It gives you a holistic view of not just the alerts that are firing in your environment but all the data log sources that are coming into your SIM instance. It's a one stop shop. And also, what's great about it, is that it also powers Splunk ES, so Splunk ES also has similar tools and they are, literally, I mean that tool is so great you can go in, you can look at all the alerts, you can do an audit trail, you can actually do drill-down analysis, you can actually see the type of data like PCAP analysis, to get to the, you know, the type of activity you want to get to on a granular level. So, both tools do it really well. >> So you have hooks into ES, Splunk ES? >> Yes, we can actually see, depending on the instance that it's deployed on, 'cause our app is deployed on top of Splunk for every customer's instance. They're able to leverage and correlate the two together. >> What are some of the trends in the marketplace that you're seeing with your customers? Obviously, again, volumes are increasing, the surface area of attacks is coming in it's more than log files now, it's, you got traces, you got other metrics >> Melissa: Sure. 
>> Other things to measure, it's almost too many alerts, what do you-- >> Yeah, a lot of KPI's. The most important thing that any company, any entity wants to measure is the MTTD, the Mean Time To Detection, and also mean time to resolve, right? You want to be able to ensure that your teams have everything at their fingertips to get to the answer fast. And even if there's an attack or some type of breach in their environment, to at least detect it and understand where it is so they can quarantine it from spreading. >> What's the biggest surprise that you've seen in the past two years? I mean, 'cause I look back at our interviews with you guys in 2013, no 2015. I mean, the narrative really hasn't changed global security, I mean, all the core, top line stories are there, but it just seems to be bigger. What's the big surprise for you in terms of the marketplace? >> The big surprise for me is that companies are now focusing more on cyber-hygiene. Really ensuring that their infrastructure is you know, up to par, right? Because you can apply the best tools in-house but if you're not cleaning up you know, your backyard (laughing) it's going to get tough. So now we have a lot of entities really focusing and using tools like Splunk you know, to actually analyze what's happening in their environment, to clean up their back of house, I would say and to put those tools in place so they could be effective. >> You know, that's a classic story clean up your own house before you can go clean up others, right? >> Right. >> And what a trend we've been seeing in the marketplace on theCUBE and talking to a lot of practitioners is, and channel partners and suppliers is that, they tend to serve their customers, but they don't clean up their own house and data's moving around so now with the diversity of data, they've got the fabric search, they got all kind of new tools within Splunk's portfolio. 
>> It's a challenge, and it could be you know, lack of resources, it just means that we have you know, they don't have the right expertise in-house so they used managed security providers to help them get there. For example, if a network, if we identify the network being flat, we can identify you know, how to help them how to be able to kind of, look at the actual security landscape and what we need to do to have good visibility in their environment from places they didn't know existed. >> What's the one, one or two things that you see customers that need to do that, they aren't doing yet? You mentioned hygiene is a trend, what are some other things that that need to be addressed, that are almost, well that could be critical and bad, but are super important and valuable? >> I think now a lot of, actually to be quite honest a lot of our clients today or anyone who's building programs, security programs are getting you know, very mature. They're adopting methodologies, like Mitre Framework, CIS Top 20, and they're actually deploying and they're actually using specific use cases to identify the attacks happening in their environment. Not just from a security-centric standpoint but also from an operations side you know, you could identify misconfigurations in your environment, you can identify things that are you know, just cleaning up the environment as well. >> So, Splunk has this thing called SOAR, Security-- >> Automation. >> Orchestration Automation Recovery, resilience whatever R, I think R stands for that. How does that fit in to your market, your app and what you guys are doing? >> So it definitely fits in basically, being able to automate the redundant, mundane types of tasks that anyone can do, right? 
So if you think about it, if you have a security operations center with five or 10 analysts, it might take one analyst to do a task, it might take them two or three hours, where you can leverage a tool like Phantom, any type of SOAR platform to actually create a playbook to do that task within 30 seconds. So, not only are you minimizing the amount of you know, head count to do that, you're also you know, using your consistent tool to make that function make that function you know, more, I want to say enhanced. So you can build play books around it, you can basically use that on a daily basis whether it's for security monitoring or network operations, reporting, all that becomes more streamlined. >> And the impact to the organization is those mundane tasks can be demotivating. Or, there's a lot more problems to solve so for productivity, creativity, can you give some examples of where you've seen that shift into the personnel, HR side the human resource side of it? >> Yeah, absolutely so you know, you want to be able to have something consistent in your environment, right? So you don't want others to get kind of, get bored or you know, when you're looking at a platform day in and day out and you're doing the same task everyday, you might miss something. Whereas, if you build an automation tool that takes care of the low hanging fruit, so to speak, you're able to use a human component to put your muscles somewhere else, to find some you know, the human element to actually look for any types of malicious anomalies in the environment. >> How much has teamwork become a big part of how successful companies manage a security threat landscape? >> Very, very important. I mean, you're talking about leveraging different teams on the engineering side, on the operations side, even you know, coupling that with business stakeholders. 
You absolutely need to get the business involved so they have an understanding of what's critical to their environment, what's critical to their business, and making sure that we're taking security, obviously seriously, which a lot of companies know already, but not impeding on the operation. So doing it safely without having to minimize impact. >> Well let's just, I got to ask you this question around kind of, doing the cutting edge but not getting bled out, bleeding edge, bleeding out and failing. Companies are trying to balance you know, being cutting edge and balancing hardcore security Signal FX is a company that Splunk bought, we've been following them from the beginning. Strong tracing, great in that cloud native environment. So cloud native with micro services is super hot in areas you know, people see with Kubernetes and so on happening, kind of cutting edge though! >> Melissa: Right. >> You don't want to be bleeding edge 'cause there's some risks there too so, how do you guys advise your clients to think about cloud native with Splunk and some of the things that they're there but as the expression goes "there's a pony in there somewhere" but it's risky still, but certainly it's got a lot of promise. >> Yeah, you know, it's all about you know, everyone's different, every environment's different. It's really about explaining those options to them what they have available, whether they go on the cloud, whether they stay on-prem, explaining them from a cost perspective, how they can implement that solution, and what the risks are involved if they had and how long that will take for them to implement it in their environment. >> Do you see a lot of clients kicking the tires in cloud native? >> A lot of customers are migrating to cloud. One, because they don't have to keep it in a data warehouse, they don't have to have somebody manage it, they don't have to worry about hardware or licenses, renewals, all that. 
So, it's really easy to spin up a you know, a cloud instance where they can just keep a copy of it somewhere and then configure it and manage it and monitor it. >> Melissa, great insight, and love to have you on theCUBE, I got to ask you one final question >> Melissa: Sure. >> As a, on a personal note well, personal being you're in the industry you know, I hear a lot of patterns out there, see a lot of conversations on theCUBE. One consistent theme is the word scale. Cloud brings scale to the table, data scaling, so data at scale, cloud at scale, is becoming a reality for customers, and they got to deal with it. And this also impacts the security piece of it. What are some of the things that you guys and customers are doing to kind of one, take advantage of that wave but not get buried into it? >> Absolutely, so you just want to incorporate into the management life cycle, you know you don't want to just configure then it's one and done, it's over. You want to be able to continually monitor what's happening quarter over quarter you know, making sure that you're doing some asset inventory, you're managing your log sources, you have a full team that's monitoring, keeping up with the processes and procedures, and making sure that you know, you're also partnering with a company that can can follow you you know, year over year and build that road map to actually see what you're building your program, you know. >> So here's the personal question now, so, you're on this wave, security wave. >> Melissa: Sure. >> It's pretty exciting, can be intoxicating but at the same time, it's pretty dynamic. What are you excited about these days in the industry? What's really cool that you're getting jazzed about? What's exciting you in the industry these days? >> Automation, absolutely. Automation, being able to build as many playbooks and coupling that with different types of technologies, and you know, like Splunk, right? 
You can ingest and you can actually, automate your tier one and maybe even a half of a tier two, right, a level two. And that to me is exciting because a lot of what we're seeing in the industry now is automating as much as possible. >> And compare that to like, five years ago in terms of-- >> Oh absolutely, you know, SOAR wasn't a big thing five years ago, right? So, you had to literally sit there and train individuals to do a certain task, their certain function. And then you had to rely on them to be consistent across the board where now, automation has just taken that to the next level. >> Yeah it's super exciting, I agree with you. I think automation, I think machine learning and AI data feeds, machine learning. >> Melissa: Right. >> Machine learning is AI, AI is business value. >> Being able to get to the data faster, right? >> Awesome, speed, productivity, creativity, scale. This is the new formula inside the security practice I'm John Furrier with theCUBE. More live coverage here for the 10th anniversary of Splunk .Conf, our seventh year covering Splunk from a start-up, to going public, to now. One of the leaders in the industry. I'm John Furrier, we'll be right back. (techno music)

Published Date : Oct 22 2019

Bhavani Thuraisingham, UT Dallas | WiDS 2018

>> Announcer: Live, from Stanford University in Palo Alto, California, it's theCUBE covering Women in Data Science Conference 2018, brought to you by Stanford. (light techno music) >> Welcome back to theCUBE's continuing coverage of the Women in Data Science event, WiDS 2018. We are live at Stanford University. You can hear some great buzz around us. A lot of these exciting ladies in data science are here around us. I'm pleased to be joined by my next guest, Bhavani Thuraisingham, who is one of the speakers this afternoon, as well as a distinguished professor of computer science and the executive director of Cyber Security Institute at the University of Texas at Dallas. Bhavani, thank you so much for joining us. >> Thank you very much for having me in your program. >> You have an incredible career, but before we get into that I'd love to understand your thoughts on WiDS. In its third year alone, they're expecting to reach over 100,000 people today, both here at Stanford, as well as more than 150 regional events in over 50 countries. When you were early in your career you didn't have a mentor. What does an event like WiDS mean to you? What are some of the things that excite you about giving your time to this exciting event? >> This is such an amazing event and just in three years it has just grown and I'm just so motivated myself and it's just, words cannot express to see so many women working in data science or wanting to work in data science, and not just in U.S. and in Stanford, it's around the world. I was reading some information about WiDS and I'm finding that there are WiDS ambassadors in Africa, South America, Asia, Australia, Europe, of course U.S., Central America, all over the world. And data science is exploding so rapidly because data is everywhere, right? And so you really need to collect the data, store the data, analyze the data, disseminate the data, and for that you need data scientists. 
And what I'm so encouraged is that when I started getting into this field back in 1985, and that was 32 plus years ago in the fall, I worked 50% in cyber security, what used to be called computer security, and 50% in data science, what used to be called data management at the time. And there were so few women and we did not have, as I said, women role models, and so I had to sort of work really hard, the commercial industry and then the MITRE Corporation and the U.S. Government, but slowly I started building a network and my strongest supporters have been women. And so that was sort of in the early 90's when I really got started to build this network and today I have a strong support group of women and we support each other and we also mentor so many of the junior women and so that, you know, they don't go through, have to learn the hard way like I have and so I'm very encouraged to see the enthusiasm, the motivation, both the part of the mentors as well as the mentees, so that's very encouraging but we really have to do so much more. >> We do, you're right. It's really kind of the tip of the iceberg, but I think this scale at which WiDS has grown so quickly shines a massive spotlight on there's clearly such a demand for it. I'd love to get a feel now for the female undergrads in the courses that you teach at UT Dallas. What are some of the things that you are seeing in terms of their beliefs in themselves, their interests in data science, computer science, cyber security. Tell me about that dynamic. >> Right, so I have been teaching for 13 plus years full-time now, after a career in industry and federal research lab and government and I find that we have women, but still not enough. But just over the last 13 years I'm seeing so much more women getting so involved and wanting to further their careers, coming and talking to me. 
When I first joined in 2004 fall, there weren't many women, but now with programs like WiDS and I also belong to another conference and actually I chaired that in 2016, called WiCyS, Women in Cyber Security. So, through these programs, we've been able to recruit more women, but I would still have to say that most of the women, especially in our graduate programs are from South Asia and East Asia. We hardly find women from the U.S., right, U.S. born women pursuing careers in areas like cyber security and to some extent I would also say data science. And so we really need to do a lot more and events like WiDS and WiCyS, and we've also started a Grace Lecture Series. >> Grace Hopper. >> We call it Grace Lecture at our university. Of course there's Grace Hopper, we go to Grace Hopper as well. So through these events I think that, you know women are getting more encouraged and taking leadership roles so that's very encouraging. But I still think that we are really behind, right, when you compare men and women. >> Yes and if you look at the statistics. So you have a speaking session this afternoon. Share with our audience some of the things that you're going to be sharing with the audience and some of the things that you think you'll be able to impart, in terms of wisdom, on the women here today. >> Okay, so, what I'm going to do is that, first start off with some general background, how I got here so I've already mentioned some of it to you, because it's not just going to be a U.S. event, you know, it's going to be in Forbes reports that around 100,000 people are going to watch this event from all over the world so I'm going to sort of speak to this global audience as to how I got here, to motivate these women from India, from Nigeria, from New Zealand, right? And then I'm going to talk about the work I've done. So over the last 32 years I've said about 50% of my time has been in cyber security, 50% in data science, roughly. 
Sometimes it's more in cyber, sometimes more in data. So my work has been integrating the two areas, okay? So my talk, first I'm going to wear my data science hat, and as a data scientist I'm developing data science techniques, which is integration of statistical reasoning, machine learning, and data management. So applying data science techniques for cyber security applications. What are these applications? Intrusion detection, insider threat detection, email spam filtering, website fingerprinting, malware analysis, so that's going to be my first part of the talk, a couple of charts. But then I'm going to wear my cyber security hat. What does that mean? These data science techniques could be hacked. That's happening now, there are some attacks that have been published where the data science, the models are being thwarted by the attackers. So you can do all the wonderful data science in the world but if your models are thwarted and they go and do something completely different, it's going to be of no use. So I'm going to wear my cyber security hat and I'm going to talk about how we are taking the attackers into consideration in designing our data science models. It's not easy, it's extremely challenging. We are getting some encouraging results but it doesn't mean that we have solved the problem. Maybe we will never solve the problem but we want to get close to it. So this area called Adversarial Machine Learning, it started probably around five years ago, in fact our team has been doing some really good work for the Army, Army research office, on Adversarial Machine Learning. And when we started, I believe it was in 2012, almost six years ago, there weren't many people doing this work, but now, there are more and more. So practically every cyber security conference has got tracks in data science machine learning. And so their point of view, I mean, their focus is not, sort of, designing machine learning techniques. That's the area of data scientists. 
Their focus is going to be coming up with appropriate models that are going to take the attackers into consideration. Because remember, attackers are always trying to thwart your learning process. >> Right, we were just at Fortinet Accelerate last week, theCUBE was, and cyber security and data science are such interesting and pervasive topics, right, cyber security things when Equifax happened, right, it suddenly translates to everyone, male, female, et cetera. And the same thing with data science in terms of the social impact. I'd love your thoughts on how cyber security and data science, how you can educate the next generation and maybe even reinvigorate the women that are currently in STEM fields to go look at how much more open and many more opportunities there are for women to make massive impact socially. >> There are, I would say at this time, unlimited opportunities in both areas. Now, in data science it's really exploding because every company wants to do data science because data gives them the edge. But what's the point in having raw data when you cannot analyze? That's why data science is just exploding. And in fact, most of our graduate students, especially international students, want to focus in data science. So that's one thing. Cyber security is also exploding because every technology that is being developed, anything that has a microprocessor could be hacked. So, we can do all the great data science in the world but an attacker can thwart everything, right? And so cyber security is really crucial because you have to try and stop the attacker, or at least detect what the attacker is doing. So every step that you move forward you're going to be attacked. That doesn't mean you want to give up technology. One could say, okay, let's just forget about Facebook, and Google, and Amazon, and the whole lot and let's just focus on cyber security but we cannot. I mean we have to make progress in technology. 
Whenever we make progress in technology, driver-less cars or pacemakers, these technologies could be attacked. And with cyber security there is such a shortage with the U.S. Government. And so we have substantial funding from the National Science Foundation to educate U.S. citizen students in cyber security. And especially recruit more women in cyber security. So that's why we're also focusing, we are a permanent coach here for the women in cyber security event. >> What are some of the things along that front, and I love that, that you think are key to successfully recruiting U.S. females into cyber security? What do you think speaks to them? >> So, I think what speaks to them, and we have been successful in recent years, this program started in 2010 for us, so it's about eight years. The first phase we did not have women, so 2000 to 2014, because we were trying to get this education program going, giving out the scholarships, then we got our second round of funding, but our program director said, look, you guys have done a phenomenal job in having students, educating them, and placing them with U.S. Government, but you have not recruited female students. So what we did then is to get some of our senior lecturers, a superb lady called Dr. Janelle Stratch, she can really speak to these women, so we started the Grace Lecture. And so with those events, and we started the women in cyber security center as part of my cyber security institute. Through these events we were able to recruit more women. We are, women are still under-represented in our cyber security program but still, instead of zero women, I believe now we have about five women, and that's, five, by the time we will have finished a second phase we will have total graduated about 50 plus students, 52 to 55 students, out of which, I would say about eight would be female. So from zero to go to eight is a good thing, but it's not great. >> We want to keep going, keep growing that. 
>> We want out of 50 we should get at least 25. But at least it's a start for us. But data science we don't have as much of a problem because we have lots of international students, remember you don't need U.S. citizenship to get jobs at Facebook or, but you need U.S. citizenship to get jobs at NSA or CIA. So we get many international students and we have more women and I would say we have, I don't have the exact numbers, but in my classes I would say about 30%, maybe just under 30%, female, which is encouraging but still it's not good. >> 30% now, right, you're right, it's encouraging. What was that 13 years ago when you started? >> When I started, before data science and everything it was more men, very few women. I would say maybe about 10%. >> So even getting to 30% now is a pretty big accomplishment. >> Exactly, in data science, but we need to get our cyber security numbers up. >> So last question for you as we have about a minute left, what are some of the things that excite you about having the opportunity, to not just mentor your students, but to reach such a massive audience as you're going to be able to reach through WiDS? >> I, it's as I said, words cannot express my honor and how pleased and touched, these are the words, touched I am to be able to talk to so many women, and I want to say why, because I'm of, I'm a Tamil of Sri Lankan origin and so I had to make a journey, I got married and I'm going to talk about, at 20, in 1975 and my husband was finishing, I was just finishing my undergraduate in mathematics and physics, my husband was finishing his Ph.D. at University of Cambridge, England, and so soon after marriage, at 20 I moved to England, did my master's and Ph.D., so I joined University of Bristol and then we came here in 1980, and my husband got a position at New Mexico Petroleum Recovery Center and so New Mexico Tech offered me a tenure-track position but my son was a baby and so I turned it down. 
Once you do that, it's sort of hard to, so I took visiting faculty positions for three years in New Mexico then in Minneapolis, then I was a senior software developer at Control Data Corporation it was one of the big companies. Then I had a lucky break in 1985. So I wanted to get back into research because I liked development but I wanted to get back into research. '85 I became, I was becoming in the fall, a U.S. citizen. Honeywell got a contract to design and develop a research contract from United States Air Force, one of the early secure database systems and Honeywell had to interview me and they had to like me, hire me. All three things came together. That was a lucky break and since then my career has been just so thankful, so grateful. >> And you've turned that lucky break by a lot of hard work into what you're doing now. We thank you so much for stopping. >> Thank you so much for having me, yes. >> And sharing your story and we're excited to hear some of the things you're going to speak about later on. So have a wonderful rest of the conference. >> Thank you very much. >> We wanted to thank you for watching theCUBE. Again, we are live at Stanford University at the third annual Women in Data Science Conference, #WiDS2018, I am Lisa Martin. After this short break I'll be back with my next guest. Stick around. (light techno music)
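The evasion problem Thuraisingham describes in the interview above (a data science model "thwarted by the attackers", and models designed with the attacker in mind), as an added example that is not code from the interview, from her group or from UT Dallas: a linear spam filter trained on word counts, the white-box "good word" evasion against it (the attacker knows the weights and appends copies of the most ham-like word until the message crosses the decision boundary), and the adversarial-retraining counter-move, where each evasive message is fed back as labelled spam. The training messages, the held-out probe message, the word budget and the learning-rate settings are all constructed assumptions for the demonstration.

```python
"""Adversarial evasion of a linear spam filter, and adversarial retraining.
Added example, not code from the interview or from UT Dallas. Pure Python,
no third-party packages. Every message below is constructed sample data."""
import math
import re
from collections import Counter

# Constructed training set (assumption): label 1 = spam, 0 = ham.
TRAINING = [
    ("win a free prize now click here to claim your free money", 1),
    ("urgent your account needs verification click the link now", 1),
    ("cheap pills discount offer buy now limited time", 1),
    ("claim your lottery prize money today urgent", 1),
    ("can we move the team meeting to thursday afternoon", 0),
    ("attached is the quarterly report for review before the meeting", 0),
    ("thanks for the code review comments i will fix the tests", 0),
    ("lunch on friday with the project team works for me", 0),
]

def featurize(text):
    # Bag of words with raw counts: a repeated word counts repeatedly,
    # which is exactly what the attacker below exploits.
    return Counter(re.findall(r"[a-z0-9]+", text.lower()))

def _sigmoid(z):
    if z >= 0:
        return 1.0 / (1.0 + math.exp(-z))
    ez = math.exp(z)
    return ez / (1.0 + ez)

class LinearFilter:
    """Logistic regression over word counts, fitted by batch gradient descent."""

    def __init__(self):
        self.w, self.b = {}, 0.0

    def score(self, text):
        return sum(self.w.get(t, 0.0) * c for t, c in featurize(text).items()) + self.b

    def classify(self, text):
        return "spam" if self.score(text) > 0 else "ham"

    def fit(self, data, lr=0.1, epochs=2000):
        feats = [(featurize(text), y) for text, y in data]
        self.w = {t: 0.0 for x, _ in feats for t in x}
        self.b = 0.0
        n = len(feats)
        for _ in range(epochs):
            grad_w, grad_b = Counter(), 0.0
            for x, y in feats:
                err = _sigmoid(sum(self.w[t] * c for t, c in x.items()) + self.b) - y
                for t, c in x.items():
                    grad_w[t] += err * c
                grad_b += err
            for t in self.w:
                self.w[t] -= lr * grad_w[t] / n
            self.b -= lr * grad_b / n
        return self

def good_word_attack(model, spam_text, budget=40):
    """White-box 'good word' evasion: the attacker knows the weights and appends
    copies of the most negative-weight word. Each copy lowers the score by a fixed
    amount, so the number of words needed is computable from the weights.
    Returns (evasive_text, words_added, evaded)."""
    good = sorted((wt, t) for t, wt in model.w.items() if wt < 0)
    if not good:
        return spam_text, 0, False
    best, text = good[0][1], spam_text
    for k in range(1, budget + 1):
        text += " " + best
        if model.classify(text) == "ham":
            return text, k, True
    return text, budget, False

def adversarial_training(data, probe, rounds=3, budget=40):
    """Defender's counter-move: attack the current model with `probe`, add the
    evasive message to the training set labelled spam, retrain, repeat.
    Returns (hardened_model, evasive_messages, cost_per_round)."""
    data = list(data)
    model = LinearFilter().fit(data)
    evasive_msgs, costs = [], []
    for _ in range(rounds):
        evasive, cost, ok = good_word_attack(model, probe, budget)
        costs.append(cost if ok else None)  # None: attack failed within budget
        if not ok:
            break
        evasive_msgs.append(evasive)
        data.append((evasive, 1))
        model = LinearFilter().fit(data)
    return model, evasive_msgs, costs

if __name__ == "__main__":
    base = LinearFilter().fit(TRAINING)
    probe = "free money prize claim now click here"  # constructed held-out spam
    evasive, cost, ok = good_word_attack(base, probe)
    print("base:", base.classify(probe), "-> after", cost, "good words:", base.classify(evasive))
    hardened, msgs, costs = adversarial_training(TRAINING, probe)
    print("attack cost per round of adversarial training:", costs)
    print("hardened model on the round-1 evasive message:", hardened.classify(evasive))
```

Run it as a script to see the attack cost per round. Two points a practitioner should take from it: against a linear model the attacker's cost is exactly computable from the weights (the attack here assumes white-box access, the pessimistic case the interview is about, and a black-box attacker can approximate the same thing with probing queries), and adversarial retraining raises that cost round by round rather than eliminating the attack, which is why the interview is careful not to claim the problem is solved.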

Published Date : Mar 5 2018


Sri Vasireddy, REAN Cloud | AWS Public Sector Q1 2018


 

>> Announcer: Live from Washington, DC, it's CUBEConversations with John Furrier. (techy music playing) >> Welcome back everyone, here to a special CUBEConversation in Washington, DC. We're actually in Arlington, Virginia, at Amazon Web Services Public Sector Headquarters. We're here with Sri Vasireddy, who is with REAN Cloud and recently won a big award for $950 million for the Department of Defense contract to partner with Amazon Web Services, really kind of changing the game in the cloud space with Amazon, among other partners. Thanks for joining me today. >> Thank you. >> So, obviously we love cloud. I mean, we actually, we have all of our stuff in Amazon, so we're kind of a little bit biased, but we're open minded to any cloud that we don't provision any infrastructure, so we love the idea of horizontally disrupting markets. We're just kind of doing it on a media business. You're taking an approach with REAN Cloud that's different. What's different about what you guys are doing and why are you winning so much? >> Yeah, I mean, I guess that is, you know, the key word being disruption. You know, I'm hearing more and more as this news spreads out about why, you know, we've disrupted, so they're proven the disruption, and when I mean disruption, you know, I'll explain what the disruption, you know, we're creating in the service industry is if you take a typical, like a services company-- >> John: Mm-hm. >> They integrate products using people to integrate products to solve a problem, but in the cloud world you can create those integrations with programmatic or APIs, so we can create turnkey solutions. With that, what we're able to do is really sell outcome based. We go to the customer and say it's not time and material, it's not fixed price, it's pure outcome based. 
So, to give you an example, let's say if you went to a theme park and while you're on a ride somebody just takes a picture, and then after you're done with the ride they put a picture in front of you and say, "Do you want to buy this?" And if you don't buy it they throw it away, so we literally have the ability to create those outcomes on the fly like that, and that's the disruption because that kind of outcome based allows customers to meet their goals much quicker. So, one of the secrets to do that, if I can get this right, is you have to have a really software driven, data driven environment. >> Sri: Absolutely. >> So, that's fundamental, so I want to explore how you do that, and then what does it mean for the customers because what you're essentially doing is kind of giving a little predictive solution management to them. Say you want to connect to this service-- >> Sri: Yeah. >> Is that microservices, is this where it's going to be wired, take us through how that works, because there's tech involved. I'm not saying you don't want to throw anything away, but if it's digital (chuckling) what does it mean to turn it on or off, so is this what people are referring to with microservices and cloud? >> Yeah, so I'll get to the microservices part. The disruption, the way, you know... The innovation that we created is if you take 20 years ago, when you look at people transforming to the internet, right, so their first time they're going on the internet, at the time they were paying an HTML developer that would develop a webpage. >> Mm-hm. >> You know, hundreds of dollars an hour, right, and today high school kids can create their own webpages. That's the outcome focus, because the technology matured to a point where it auto-generates those HTML pages. So, fast forward 20 years, today people are looking for devops engineer as a talent, and whatever that devops engineer produces, we've figured out a way to outcome base. 
We can drag and drop and create my architectures and we are able to produce that code, right. That's what makes us very unique. Now, coming to your question about microservices, when we are going to large customers we're taking this phased approach, right. First they will do lift and shift based-- >> John: Mm-hm. >> Move to cloud, which actually doesn't even give them a lot of their features. It doesn't give them better response. It doesn't optimize for cloud and give the benefits. Say they put in the effort to apply devops to become very responsive to customers. Say if I'm a bank I have my checking business and savings business, and each line of business got very efficient by using cloud, but they have not disrupted an industry because they have not created a platform across lines of business. >> John: Mm-hm. >> Right, so what they really need to do is to take these services they are providing across lines of business and create a platform of microservices. >> So, you basically provide an automation layer for things that are automated, but you allow glue to bring them together. >> Absolutely. >> That then kicks off microservices on top of it. >> Absolutely, right. >> So, very innovative, so you essentially, it's devops in a box. (laughing) >> That's it and what-- >> Or in the cloud. >> Yeah, what normally takes three years, so most of our customers when they tell this story they tell us, "Oh, that's five years down the road." So, we knock out three years off the mark, right. There are companies that, for example, DOD is one of our customers. >> Mm-hm. >> There are some other companies that have been working with DOD for the last two, three years and they have not been able to accomplish what we accomplished in three months. >> You guys see a more holistic approach. I can imagine just you basically break it down, automate it, put it in a library, use the overlay to drag and drop. >> Exactly, plug and play and that's it. 
>> So, question for you, so this makes sense in hardened environments like DOD, probably locked and solid, pretty solid but what about unknown, new processes. How do you guys look at that, do you take them as they come or use AI, so if you have unknown processes that can morph out of this, how do you deal with that use case? >> So, yeah, those unfortunately, you know, so what... There's this notion of co-creation-- >> John: Yeah. >> So, there's unknown processes where we put out best engineers is what drives to this commoditization or legos that-- >> So, you're always feeding the system with new, if you will, recipes. I use that word as more of a chef thing, but you know, more-- >> Sri: Exactly. >> Modules, if you will. >> Sri: Yeah. >> As a bit of an automated way, so it's really push button cloud. >> Absolutely. >> So, no integration, you don't have to hire coders to do anything. >> No. >> At best hit a REST API-- >> Sri: Yeah. >> Or initiate a microservice. >> Yeah, so what, I mean, the company started with Amazon.com as a, sorry Amazon Web Services as our first customer, and they retained us for software companies like Microsoft, SAP, and they went to Amazon and said, "We want to create a turnkey solution," like email as a solution, for example, for Microsoft, Exchange software. Email as a solution is spam filters plus, you know, four or five other things that we have to click button and launch, and Amazon, then we were servicing Amazon to create these turnkey solutions. >> So, talk about the DOD deal, because now this is interesting because I can see how they could like this. What does it mean for the customer, your customer, in this case the DOD, when you won this new contract was announced a couple days ago, how'd that go down? >> Yeah, so you know, I think we're super happy. Actually, again, 2010-- >> All your friends calling you and saying, "Hey, that $950 million check clear yet?" (laughing) That doesn't work that way, does it? 
It doesn't, it doesn't quite work that way, but although, you know, just some history, 10 years ago I had to choose between joining as a lead cloud architect for DISA versus first architect for Amazon Web Services, and I made the choice to go to Amazon Web Services, although I really loved servicing DOD because I think DOD's very mature in what you're calling microservices. >> John: Mm-hm. >> Back in the day, they had to be on the forefront of net-centric enterprise services, modern day microservices, because the Information Sharing Act required them to create so many services across the department, right, but there wasn't a technology like Amazon Web Services to make them so successful. >> John: Yeah. >> So, we're coming back now and we're able to do this, and I was with a company called MITRE at the time-- >> John: Yeah. >> And we, you know, I was the lead on the first infrastructure as a service BPA. If I compare to what that infrastructure as a service BPA was, the blanket purchase agreement, to what this OTA I think it's a night and day difference. >> What's OTA? >> OTA stands for other transaction agreements. >> Okay, got it. >> Which is how-- >> It's a contract thing. >> It's a contract thing, it's outside of federal acquisition regulation. >> Okay, got it. >> Which is beautiful, by the way, because unlike if you are doing such a deal, $950 million deal, probably companies that spend millions of dollars to write paper to win the deal, OTA's a little different. DIUx, who has the charter for the OTA, they need to find a real customer and a real problem to bring commercial entities and the commercial innovation to solve a theory problem, and then we have to prove ourselves. Thereabout, I'm told 29 companies competed and we, you know, we won the first phase, but there were two consequent phases where we have to provide our services, our platform, to the customer's satisfaction, and the OTA can only be the services we already provide. 
So, it's a very proven technology. >> John: Mm-hm. >> And as I see some of the social media responses, I look at those responses that people are talking about, you know, small companies winning this big deal and somebody was responding like, okay, we spent, you know, hundreds of millions on large companies, did nothing, and this small company already did a lot with $6 million. >> Well, that's the flattening of the world we're living in. You're doing with devops, you've automated away a lot of their inefficiencies. >> Absolutely, yeah. >> And this is really what cloud's about. That's the promise that you're getting to the DOD. >> Sri: Yeah, absolutely. >> So, the question for you is, okay, now as you go into this, and they could've added another $50 million just to get a nice billion dollar, get a unicorn feature in there, but congratulations. >> Sri: Thank you. >> You got to go in and automate. How do you roll this out, how big is the company, what are your plans, are you... Where do you go from here? >> Our company today is, you know, about 300 plus people, but we're not rolling this out on a people basis, obviously, right. You know, usually we have at least 10x more productivity than a normal company because especially servicing someone like DOD, it's very interesting because they do follow standards set by DISA. >> Mm-hm. >> So, what that means is if I'm building applications or microservices, which is a collection of instances, I have, DISA has something called STIG. You know, it's security guidelines, so everybody is using these STIG components. Now we create this drag and drop package of those components, and at that point it's variations of, you know, those components that you drag and drop and create, right, and the best thing is you get very consistent quality, secure, you know, deployment. >> I mean, you and I are on the same page on this whole devops valuation, and certainly Mark and Teresa wrote that seminal common about the 10x engineer. >> Sri: Yeah. 
>> This is really the scale we're talking about here. >> Sri: Absolutely. >> You know, so for the folks that don't get this, how do you explain to them that they, like what Oracle and IBM and the other guys are trying to do there. All the old processes are like they got stacks of binders of paper, they have their strategies to go win the deals, and then they're scratching their heads saying, "Why didn't we win?" What are they missing, what are the competitors that failed in the bid, what are they missing with cloud in your opinion? Is it the architecture, is it the automation, is it the microservices, or are they just missing the boat on the sales motion? >> Yeah, I think the biggest thing that people need to know is being on their toes. When Andy talks about being on the toes, when companies like Amazon at scale being on their toes, which means gone are those days where you can have roadmaps that you plan year, you know, year from now and you know, you do it, you're away from the customer by then, right, but if you're constantly focusing on the customer and innovating every day, right, we have a vision and a backlog. We don't have a roadmap, right. What we work on is what our next customer needs. >> John: Mm-hm. >> Right, and you're constantly servicing customers and you have stories to tell about customers being successful. >> What's your backlog look like? (laughing) >> Backlog could be a zillion things. Like what-- >> Features. >> Yeah, exactly. >> Feature requests or just whatever the customer might need. >> Feature requests, user stories, really understanding the why part of it. We try to emphasize the why of, you know, why you're doing and whose pain are you solving type of things, but the important thing is, you know, are we focusing on what matters to the customer next. 
How hard is multi-cloud to do, because if you take devops and you have this abstraction layer that you're providing on top of elastic resources, like say Amazon Web Services, when you start taking multi-cloud, isn't that just an API call or does it kind of change because you have, Amazon's got S3 and EC2 and a variety of other services, Azure and Google have their own file system. How hard is it code-based-wise to do what you're doing across multiple clouds? >> It's not at all difficult because every cloud has their infrastructure as code language, just like I talked about, you know, HTML to be generated to get a webpage. We use a technology called Terraform-- >> Mm-hm. >> That is inherently multi-cloud, so when we generate that code I could change the provider and make it, you know, another cloud, right. >> Just a whole nother language conversion. >> Sri: A whole nother language, yes, exactly. >> So, you guys, do you have to do that heavy lifting upfront? >> Again, we don't, and it so happened that it will look at our platform that automates all these-- >> Yeah. >> The Amazon part of it grew so much because of what I just said. Like, the customer demand, even the enterprise customers that do have a multi-cloud strategy-- >> Mm-hm. >> You know, they end up more of what is good. >> Yeah. >> Sri: Right, so we end up building more of what is good. >> So, the lesson is, besides be on your toes, which I would agree with Andy on that one, is to be devops, automate, connect via APIs. >> Yeah. >> Anything else you would add to that? >> Devops is a, it's a principle of being very agile, experimenting in small batches, being very responsive to customers, right. It is all principles that, you know, that we embody and just call it devops, it's a culture. >> Managing partner of REAN Cloud. Sri, thanks so much for coming in. Congratulations on your $950 million, this close to a billion, almost, and congratulations on your success. 
Infrastructures, code, devops, going to the next level is all about automation and really making things connect and easily driven by software and data. It's theCUBE bringing you the data here in Washington, DC, here in Arlington, Virginia, AWS's Public Sector World Headquarters. I'm John Furrier, thanks for watching. (techy music playing)

Published Date : Feb 20 2018
