Derek Manky, Fortinet | CUBEConversation
>> Welcome to this Cube Conversation, I'm Lisa Martin. I'm joined by Derek Manky next, the Chief of Security Insights and Global Threat Alliances at Fortiguard Labs. Derek, welcome back to the program.
>> Hey, it's great to be here again. A lot of stuff's happened since we last talked.
>> So Derek, one of the things that was really surprising from this year's Global Threat Landscape Report is a 10, more than 10x increase in ransomware. What's going on? What have you guys seen?
>> Yeah, so this is massive. We're talking over a thousand percent, over a 10x increase. This has been building, Lisa. So this has been building since December of 2020. Up until then we saw a relatively low high watermark with ransomware. It had taken a hiatus really because cyber criminals were going after COVID-19 lures and doing some other things at the time. But we did see a seven-fold increase in December 2020. That has absolutely continued this year into a momentum up until today, it continues to build, never subsided. Now it's built to this monster, you know, almost 11 times increase from what we saw back last December. And the reason, what's fueling this, is new verticals that cyber criminals are targeting. We've seen the usual suspects like telecommunication, government in position one and two. But new verticals that have risen up into this third and fourth position following are MSSP, and this is on the heels of the Kaseya attack of course, that happened in 2021, as well as operational technology. There's actually four segments, there's transportation, automotive, manufacturing, and then of course, energy and utility, all subsequent to each other. So there's a huge focus now on OT and MSSP for cyber criminals.
>> One of the things that we saw last year this time, was that attackers had shifted their focus away from enterprise infrastructure devices, to home networks and consumer grade products. And now it looks like they're focusing on both. Are you seeing that?
>> Yes, absolutely. In two ways, so first of all, again, this is a kill chain that we talk about. They have to get a foothold into the infrastructure, and then they can load things like ransomware on there. They can load things like information stealers as an example. The way they do that is through botnets. And what we reported in this in the first half of 2021 is that Mirai, which is about a two to three-year-old botnet now, is number one by far, it was the most prevalent botnet we've seen. Of course, the thing about Mirai is that it's an IoT-based botnet. So it sits on devices, sitting inside consumer networks as an example, or home networks, right. And that can be a big problem. So that's the targets that cyber criminals are using. The other thing that we saw that was interesting was that one in four organizations detected malvertising. And so what that means, Lisa, is that cyber criminals are shifting their tactics from going just from cloud-based or centralized email phishing campaigns to web-borne threats, right. So they're infecting sites, waterhole attacks, where, you know, people will go to read their daily updates as an example of things that they do as part of their habits. They're getting sent links to these sites that when they go to it, it's actually installing those botnets onto those systems, so they can get a foothold. We've also seen scare tactics, right. So they're doing new social engineering lures, pretending to be human resource departments, IT staff and personnel, as an example, with popups through the web browser that look like these people, to fill out different forms and ultimately get infected on home devices.
>> Well, the home device use is proliferating. It continues because we are still in this work from home, work from anywhere environment. Is that, you think, a big factor in this increase from 7x to nearly 11x?
>> It is a factor, absolutely. Yeah, like I said, it's also, it's a hybrid of sorts.
So a lot of that activity is going to the MSSP angle, like I said, to the OT. And to those new verticals, which by the way, are actually even larger than traditional targets in the past, like finance and banking, is actually lower than that as an example. So yeah, we are seeing a shift to that. And like I said, that's further backed up from what we're seeing with the botnet activity, specifically with Mirai too.
>> Are you seeing anything in terms of the ferocity? We know that the volume is increasing, are they becoming more ferocious, these attacks?
>> Yeah, there is a lot of aggression out there, certainly from cyber criminals. And I would say that the velocity is increasing, but the amount, if you look at the cyber criminal ecosystem, the stakeholders, right, that is increasing, it's not just one or two campaigns that we're seeing. Again, we're seeing, this has been a record cases year, almost every week we've seen one or two significant cyber security events that are happening. That is a dramatic shift compared to last year or even two years ago too. And this is because the cyber criminals are getting deeper pockets now. They're becoming more well-funded and they have business partners, affiliates that they're hiring, each one of those has their own methodology, and they're getting paid big. We're talking up to 70 to 80% commission, just if they actually successfully infect someone that pays for the ransom as an example. And so that's really what's driving this too. It's a combination of this kind of perfect storm as we call it, right. You have this growing attack surface, work from home environments and footholds into those networks, but you have a whole bunch of other people now on the bad side that are orchestrating this and executing the attacks too.
>> So what can organizations do to start- to slow down or limit the impacts of this growing ransomware as a service?
>> Yeah, great question.
Everybody has their role in this, I say, right? So if we look at, from a strategic point of view, we have to disrupt cyber crime, how do we do that? It starts with the kill chain. It starts with trying to build resilient networks. So things like ZTA and zero trust network access, SD-WAN as an example for protecting that WAN infrastructure. 'Cause that's where the threats are floating to, right. That's how they get the initial footholds. So anything we can do on the preventative side, making networks more resilient, also education and training is really key. Things like multi-factor authentication are all key to this because if you build that preventatively, and it's a relatively small investment upfront, Lisa, compared to the collateral damage that can happen with these ransomware paths, the risk is very high. That goes a long way, it also forces the attackers to- it slows down their velocity, it forces them to go back to the drawing board and come up with a new strategy. So that is a very important piece, but there's also things that we're doing in the industry. There's some good news here, too, that we can talk about because there's things that we can actually do apart from that to really fight cyber crime, to try to take the cyber criminals offline too.
>> All right, hit me with the good news, Derek.
>> Yeah, so a couple of things, right. If we look at the botnet activity, there's a couple of interesting things in there. Yes, we are seeing Mirai rise to the top right now, but we've seen big problems of the past that have gone away or come back, not as prolific as before. So two specific examples, Emotet, that was one of the most prolific botnets that was out there for the past two to three years, there is a take-down that happened in January of this year. It's still on our radar but immediately after that takedown, it literally dropped to half of the activity it had before.
And it's been consistently staying at that low watermark now, at that half percentage since then, six months later. So that's very good news, showing that the actual coordinated efforts that were getting involved with law enforcement, with our partners and so forth, to take down these are actually hitting their supply chain where it hurts, right. So that's good news part one. Trickbot was another example, this is also a notorious botnet, takedown attempt in Q4 of 2020. It went offline for about six months; in our landscape report, we actually show that it came back online in about June this year. But again, it came back weaker and now the form is not nearly as prolific as before. So we are hitting them where it hurts, that's the really good news. And we're able to do that through new, what I call high resolution intelligence that we're looking at too.
>> Talk to me about that high resolution intelligence, what do you mean by that?
>> Yeah, so this is cutting edge stuff really, gets me excited, keeps me up at night in a good way. 'Cause we're looking at this under the microscope, right. It's not just talking about the what, we know there's problems out there, we know there's ransomware, we know there's botnets, all these things, and that's good to know, and we have to know that, but we're able to actually zoom in on this now and look at- So we, for the first time in the threat landscape report, we've published TTPs, the techniques, tactics, procedures. So it's not just talking about the what, it's talking about the how, how are they doing this? What's their preferred method of getting into systems? How are they trying to move from system to system? And exactly how are they doing that? What's the technique? And so we've highlighted that, it's using the MITRE ATT&CK framework TTP, but this is real time data.
And it's very interesting, so we're clearly seeing a very heavy focus from cyber criminals and attackers to get around security controls, to do defense evasion, to do privilege escalation on systems. So in other words, trying to become administrator so they can take full control of the system. As an example, lateral movement, there's still a preferred, over 75%, 77 I believe percent of activity we observed from malware was still trying to move from system to system by infecting removable media like thumb drives. And so it's interesting, right. It's a brand new look on these, a fresh look, but it's this high resolution that is allowing us to get a clear image, so that when we come to providing strategic guides and solutions in defense, and also even working on these takedown efforts, it allows us to be much more effective.
>> So one of the things that you said in the beginning was, we talked about the increase in ransomware from last year to this year. You said, I don't think that we've hit that ceiling yet, but are we at an inflection point? Data showing that we're at an inflection point here with being able to get ahead of this?
>> Yeah, I would like to believe so, there is still a lot of work to be done unfortunately. If we look at, there's a recent report put out by the Department of Justice in the US saying that the chance of a criminal committing a crime to be caught in the US is somewhere between 55 to 60%, the same chance for a cyber criminal lies less than 1%, well 0.5%. And that's the bad news, the good news is we are making progress in sending messages back and seeing results. But I think there's a long road ahead. So, there's a lot of work to be done, we're heading in the right direction. But like I said, they say, it's not just about that. It's, everyone has their role in this, all the way down to organizations and end users.
If they're doing their part of making their networks more resilient through this, through all of the, increasing their security stack and strategy. That is also really going to stop the- really ultimately the profiteering, that wave, 'cause that continues to build too. So it's a multi-stakeholder effort and I believe we are getting there, but I continue to still, I continue to expect the ransomware wave to build in the meantime.
>> On the end-user front, that's always one of the vectors that we talk about, it's people, right? There's so much sophistication in these attacks that even security folks and experts are nearly fooled by them. What are some of the things that you're seeing that governments are taking action on, some recent announcements from the White House, but other organizations like Interpol, the World Economic Forum, Cyber Crime Unit, what are some of the things that governments are doing that you're seeing as really advantageous here for the good guys?
>> Yeah, so absolutely. This is all about collaboration. Governments are really focused on public, private sector collaboration. So we've seen this across the board with Fortiguard Labs, we're on the forefront with this, and it's really exciting to see that, it's great. There's always been a lot of will to work together, but we're starting to see action now, right? Interpol is a great example, they recently this year held a high level forum on ransomware. I actually spoke and was part of that forum as well too. And the takeaways from that event were that we, this was a message to the world, that public, private sector we need. They actually called ransomware a pandemic, which is what I've referred to it as before in itself as well too. Because it is becoming that much of a problem and that we need to work together to be able to create action, action against this, measure success, become more strategic.
The World Economic Forum were leading a project called the Partnership Against Cyber Crime Threat Map Project. And this is to identify, not just all this stuff we talked about in the threat landscape report, but also looking at things like, how many different ransomware gangs are there out there? What do the money laundering networks look like? It's that side of the supply chain to map out, so that we can work together to actually take down those efforts. But it really is about this collaborative action that's happening and it's innovation and there's R&D behind this as well, that's coming to the table to be able to make it impactful.
>> So it sounds to me like ransomware is no longer a- for any organization in any industry, you were talking about the expansion of verticals. It's no longer a, "If this happens to us," but a matter of when, and how do we actually prepare to remediate, prevent any damage?
>> Yeah, absolutely, how do we prepare? The other thing is that there's a lot of, with just the nature of cyber, there's a lot of connectivity, there's a lot of different, it's not just always siloed attacks, right. We saw that with Colonial obviously, this year, where you have attacks on IT that can affect consumers, right down to consumers, right. And so for that very reason, everybody's infected in this. It truly is a pandemic I believe on its own. But the good news is, there's a lot of smart people on the good side and that's what gets me excited. Like I said, we're working with a lot of these initiatives. And like I said, some of those examples I called up before, we're actually starting to see measurable progress against this as well.
>> That's good, well, never a dull day I'm sure in your world. Anything that you think, when we talk about this again in a few more months, the second half of 2021, anything you predict crystal ball wise that we're going to see?
>> Yeah, I think that we're going to continue to see more of the, I mean, ransomware, absolutely, more of the targeted attacks. That's been a shift this year that we've seen, right. So instead of just trying to infect everybody for ransom, as an example, going after some of these new, high profile targets, I think we're going to continue to see that happening from the ransomware side, and because of that, the average costs of these data breaches, I think they're going to continue to increase, it already did in 2021 as an example, if we look at the cost of a data breach report, it's gone up to about $5 million US on average, I think that's going to continue to increase as well too. And then the other thing too is, I think that we're going to start to see more action on the good side like we talked about. There was already a record amount of takedowns that have happened, five takedowns that happened in January. There were arrests made to these business partners, that was also new. So I'm expecting to see a lot more of that coming out towards the end of the year too.
>> So as the challenges persist, so do the good things that are coming out of this. Where can folks go to get this first half 2021 Global Threat Landscape? What's the URL that they can go to?
>> Yeah, you can check it out, all of our updates and blogs including the threat landscape reports on blog.fortinet.com under our threat research category.
>> Excellent, I read that blog, it's fantastic. Derek, always a pleasure to talk to you. Thanks for breaking this down for us, showing what's going on. Both the challenging things, as well as the good news. I look forward to our next conversation.
>> Absolutely, it was great chatting with you again, Lisa. Thanks.
>> Likewise. For Derek Manky, I'm Lisa Martin. You're watching this Cube Conversation.
Hardik Modi, NETSCOUT | CUBEConversations September 2020
>> Announcer: From theCUBE studios in Palo Alto and Boston, connecting with thought leaders all around the world, this is a CUBE Conversation.
>> Hi, I'm Stu Miniman, and this is a special CUBE Conversation coming to us from our Boston area studio. We know that so much has changed in 2020 with the global pandemic on, with people working from home, staying safe is super important, and that especially is true when it comes to the threats that are facing us. So really happy to welcome to the program Hardik Modi, we're going to be talking about the NETSCOUT threat intelligence report for the first half of 2020. Hardik's the AVP of engineering for threat and mitigation products. Hardik, thanks so much for joining us.
>> Thanks, Stu, it's great to be here. Thanks for having me.
>> Alright, so first set this up. This is NETSCOUT does these threat reports on a pretty regular cadence, I have to think that the first half of 2020, we'll dig into this a little bit, is a little different because I know everybody, when they had their plans at the beginning of 2020, by the time we got to March, we kind of shredded them and started over or made some serious adjustments. So why don't you introduce us to this? And then we'll talk specifically about the first half 2020 results.
>> Right, thanks, Stu. So I'm here to speak about the fifth NETSCOUT threat intelligence report. So this is something that we do every six months in my team, in particular, the NETSCOUT threat intelligence organization, we maintain visibility across the internet and in particular threat activity across the internet, and very specifically with a strength in DDoS activity. And so, you know, there's a lot of data that we have collected. There's a lot of analysis that we conduct on a regular basis. And then every six months, we try to roll this up into a report that gives you a view into everything that's happened across the landscape. So this is our report for the first half of the year.
So through June 2020, and yes, you know, as we came into March 2020, everything changed. And in particular, when, you know, the pandemic kind of set upon us, you know, countries, entire continents went into lockdown and we intuited that this would have an impact on the threat landscape. And you know, this is even as we've been reporting through it, this is our first drill of roll up and look at really everything that happened and everything that changed in the first half of 2020.
>> Yeah. It absolutely had such a huge impact. You know, my background, Hardik, is in networking. You think about how much over the last decade we've built out, you know, those corporate networks, all the Wi-Fi environments, all the security put there, and all of a sudden, well, we had some people remote, now everybody is remote. And you know, that has a ripple on corporate IT as well as, you know, those of us at home that have to do the home IT piece there. So why don't you give us a look inside the report? What are some of the main takeaways that the report had this time?
>> No, so you're right, the network became everything for us and the network became how we, how our students attended school, right? And how we did our shopping, you know, how we did certainly finance and most definitely how, for a lot of us, how we did work, and suddenly the network, which, you know, certainly was a driver for productivity, and just business worldwide, suddenly became that much more central. And so, we tend to look at the network, both sort of at the enterprise level, but then also a lot of what we get to see is at the service provider level. So what's happening on the big networks worldwide, and that's what we've rolled up into this report. So a few things that I want to kind of highlight from the report, the first thing is there were a lot of DDoS attacks. So we recorded through our visibility, 4.83 million DDoS attacks in the first six months of the year. That's almost 30,000 attacks a day.
And you know, it's not like we hear about 30,000 outages every day. Certainly aren't 30,000 outages every day, but you know, this is an ongoing onslaught for anybody who exists on the internet, and this didn't abate at all through the first half of the year. If you kind of go like, just look at the numbers, it went up 15% for the same period year on year. But then as you enter into March, and in particular, the date when the WHO sort of announced the global pandemic, that's essentially the start that we marked. From that day onwards, the rise in attacks year on year for the same period, you know, a year ago, was 25%. So that really, just in sheer numbers, a lot changed. And then, you know, as we go a level deeper, and we look at like the nature of these attacks. You know, a lot of that actually has evolved considerably over the past few years. And then in particular, like we're able to highlight a few stats in the first half of the year, and certainly like a lot of the drivers for this, the technical drivers are understood. And then there's just the human drivers for this, right? And we understand that a lot more people are at home. A lot more people are reliant on the internet and, you know, just sad to say, but you know, certainly also a lot more people aren't as engaged with school, with work, with society at large. And these tend to have knock-on effects across large, a lot of things that we do in life, but also in like cyber crime and in particular, like in the DDoS space.
>> Maybe if you could for our audience, I think they're in general familiar with DDoS, it's typically when, you know, sites get overwhelmed with traffic, different from say, everybody working at home is it'd be a little bit more cautious about phishing attacks. You're getting, you know, links and text links in email, "Super important thing, please check this," please don't click those links.
Does this impact, you know, those workers at home or is it, you know, all the corporate IT and all the traffic going through those that there's ways that they can stop, halt that, or, you know, interfere, get sensitive data?
>> That's a really good point. And in large parts, I mean, and like with a lot of other kind of cyber crime activity, this is primarily felt inside the enterprise. And so the, as far as like, you know, companies are concerned and people who are using VPN and other kinds of remote access to get to critical resources, the key challenge here is the denial of availability. And so, okay. So you're right. Let's take a step back. DDoS, distributed denial of service. This is typically when like a large plurality of devices are used to direct traffic towards a device on the internet. And we typically think of this as a site. And so maybe your favorite newspaper went down because of a DDoS attack, or you couldn't get to your bank or your retail, you know, e-commerce as a result of the DDoS attack, but this plays out in many different ways, including the inability for people to access work, just because their VPN concentrators have been DDoSed. I think, you know, just coming back to the split between people who work for a company and the company themselves, ultimately it's a shared responsibility, there's some amount of best practices that employees can follow. I mean, a lot of this enforcement and, you know, primarily ensuring that your services are running to expectation, as always, there's going to be the responsibility of the enterprise and something that enterprise security typically will want to cater for.
>> All right. And how are these attacks characterized? You said it was up significantly, 15% for the half year, overall, 25% overall, anything that differentiates big attacks, small attacks? Do we know how many of them actually freeze a site or pause how much activity is going on?
>> Right, so what I will say is that within just those numbers, and we're simply just counting attacks, right? Even within those numbers, a key aspect that has changed is the rise in what we call multi-vector attacks. And so these are attacks in which they're, you go back maybe five years, certainly like going back further, typically a DDoS attack would involve a single technique that was being used to cause damage. And then over time, as many techniques were developed and new vulnerable services are discovered on the internet, what we find is that there's, you know, occasionally there would be a combination of these vectors, as we call them, being used against the target. And so a big thing that has changed within the last two years is what we think of as the rise in multi-vector attacks. And what we are seeing is that attacks that involve even 15 separate vectors are up considerably, over 1000% compared to the same time last year, and correspondingly attacks that involve a single vector are down in a really big way. And so we're just seeing a shift in the general, the techniques that are used within these attacks, and, you know, that has been considerable over certainly, you know, the same time 2019. But if you go back two years, even, it would seem like a complete sea change.
>> What other key things, key learnings did you have from the survey this year that you can share?
>> Yeah, so one thing I want to highlight that, you know, we kind of, and I think it's been implicit in some of your questions, certainly in many conversations that I have, like, what is the cost of these attacks? You know, what is ultimately the impact of these attacks on society? And one of the ways in which we tend to think of the impact is in simply like outages, like an e-commerce site that does a certain amount of business every day, you know, they can easily recognize that "All right, if I'm off for a day, for two days, for seven days, here's the impact to my business."
So that tends to be understood at the individual enterprise level. Another cost that often is well recognized is like the cost of mitigating attacks. And so now there's, whether it's the service provider, the enterprise themselves, other forms of business or other entities who will invest in mitigation techniques and capacity, those costs tend to kind of rack up. What we have done, and thanks to our kind of really unique visibility into service provider networks worldwide, what we've been able to do is extract essentially the, what we call the DDoS attack coefficient. And this is, think of it as like, here's how much DDoS attack traffic is going on worldwide or across any set of networks at any given time. So if you had zero DDoS in the world, that number will be zero, but it most definitely is not. You know, there's, we have represented numbers for different parts of the world. This can be many, many, many gigabits per second, many terabits per second. And essentially there's a, even just a transit cost for carrying this traffic from one point to another. And that is actually like the, you know, what we call the DDoS attack coefficient. And that cost is something that I want to highlight is being borne by everyone. So this ultimately is what shows up in your internet bills, whether you're a residential subscriber, whether you're using your phone and paying for internet through your phone, or you're an enterprise, and now you have network connections for your service providers, because ultimately this is a cost that we're bearing as a society. This is the first time that we've actually conducted research into this phenomenon. And I'm proud to say that we've captured this split across multiple geographies of the world.
>> Yeah. It's been a big challenge these days. The internet is a big place, there's worry about fragmentation of the internet.
There's worry about some of the countries out there, as well as some of the large, multinational global companies out there, really are walling our piece of the internet. Hardik, one thing I'm curious about, we talked about the impact of work from home and have a more distributed workforce. One of the other big mega trends we've been seeing even before 2020 is the growth of edge computing. You talk about the trillions of IOT devices that will be out there. Does DDoS play into this? You know, I just, the scenario runs through my mind. "Okay, great. We've got all these vehicles running that has some telemetry," all of a sudden, if they can't get their telemetry, that's a big problem. >> Yeah. So this is both the, this is the devices themselves and the, basically the impact that you could see from an attack on them. But more often what we see on the internet in the here and now is actually the use of these devices to attack other more established entities on the internet. So then, so for us now, for many years, we've been talking about the use of IOT devices in attacks, and simply the fact that so many devices are being deployed that are physically, they're vulnerable from the get-go, insecure at birth, essentially, and then deployed across the internet. You know, even if they were secure to start, they often don't have update mechanisms. And now, they, over a period of time, new vulnerabilities are discovered in those devices and they're used to attack other devices. So in this report, we have talked about a particular family of malware called Mirai, and Mirai has been around since 2016, been used in many high profile attacks. And over time there have been a number of variations to Mirai. And, you know, we absolutely keep track of the growth in these variations and the kinds of devices where they attack. Sorry, that they compromise, and then use to attack other targets. 
We've also kind of gone into another malware family that has been talked about a bit called Lucifer, and Lucifer was another, I think originally more Microsoft Windows, so you're going to see it more on your classic kind of client and server kind of computing device. But over time, we've seen, we have reported on Linux variants of Lucifer that not only can be installed on Linux devices, but also have DDoS capabilities. So we're tracking like the emergence of new botnets. Still, Stu, going straight back to your question. They are, this is where IOT, you know, even for all the promise that it holds for us as society, you know, if we don't get this right, there's a lot of pain in our future just coming from the use of these devices in attacks. >> Well, I thought it was bad enough that we had an order of magnitude more surface area to defend against on, I hadn't really thought about the fact that all of these devices might be turned into an attack vector back on what we're doing. Alright, Hardik. So you need to give us some, the ray of hope here. We've got all of these threats out here. How's the industry doing overall defending against this, what more can be done to stop these threats? What are some of the actions people, and especially enterprise techs should be doing? >> Yeah, so I absolutely start with just awareness. This is why we publish the report. This is why we have resources like NETSCOUT Cyber Threat Horizon that provides continuous visibility into attack activity worldwide. So it absolutely just starts with that. We're actually, this is not necessarily a subject of the report because it's happened in the second half of the year, but there have been a wave of high profile attacks associated with extortion attempts, over the past month. And, these attacks aren't necessarily complex, like the techniques being used aren't novel. 
I think in many ways, these are the things that we would have considered maybe run of the mill, at least for us on the research side and the people who live this kind of stuff, but, they have been successful, and a number of companies right now, a number of entities worldwide right now are kind of rethinking what they're doing in particular DDoS protection. And for us, you know, our observation is that this happens every few years, where every few years, there's essentially a reminder that DDoS is a threat domain. DDoS typically will involve an intelligent adversary on the other side, somebody who wants to cause you harm. To defend against it, there are plenty of well known kind of techniques and methodology, but that is something that enterprises, all of us, governments, service providers, those of us on the research side have to kind of stay on top of, keep reminding ourselves of those best practices and use them. And, you know, I'll say that again, for me, the ray of hope is that we haven't seen a new vector in the first six months of the year, even as we've seen a combination of other known vectors. And so for these, just from that perspective, there's these attacks we should be able to defend against. So that's essentially where I leave this, in terms of the hope for the future. >> Alright, Hardik, what final tips do you have? How do people get the report itself and how do they keep up? Where do you point everyone to? >> Yes, so the report itself is going to be, is live on the 29th of September 2020. It will be available at NETSCOUT.com/threatreport. I'll also point you to another resource, Cyber Threat Horizon, that gives you more continuous visibility into a tech activity, and that's NETSCOUT.com/horizon. And so these are the key resources that I leave you with, again, this is, there's plenty to be hopeful about. As I said, there hasn't been a new vector that we've uncovered in the first six months of the year, as opposed to seven vectors in the year 2019. 
So, that is something that certainly gives me hope. And, for the things that we've talked about in the report, we know how to defend against them. So, this is something that I think with action, we'll be able to live through just fine. >> Well, Hardik, thanks so much for sharing the data, sharing the insight, pleasure catching up with you. >> Okay. Likewise, Stu, thank you. >> All right, and be sure to check out theCUBE.net for all of the videos we have, including many of the upcoming events. I'm Stu Miniman and thank you for watching theCUBE. (calm music)
Hardik Modi, NETSCOUT | CUBEConversations
>> Announcer: From theCUBE studios in Palo Alto and Boston, connecting with thought leaders all around the world, this is a CUBE Conversation. >> Hi, I'm Stu Miniman, and this is a special CUBE Conversation coming to us from our Boston area studio. We know that so much has changed in 2020 with the global pandemic on, with people working from home, staying safe is super important, and that especially is true when it comes to the threats that are facing us. So really happy to welcome to the program Hardik Modi, we're going to be talking about the NETSCOUT threat intelligence report for the first half of 2020. Hardik's the AVP of engineering for threat and mitigation products. Hardik, thanks so much for joining us. >> Thanks Stu, it's great to be here. Thanks for having me. >> Alright, so first set this up. This is NETSCOUT does these threat reports and on a pretty regular cadence, I have to think that the first half of 2020, we'll dig into this a little bit, is a little different because I know everybody when they had their plans at the beginning of 2020, by the time we got to March, we kind of shredded them and started over or made some serious adjustments. So why don't you introduce us to this? And then we'll talk specifically about the first half 2020 results. >> Right, thanks, Stu. So I'm here to speak about the fifth NETSCOUT threat intelligence report. So this is something that we do every six months in my team, in particular, the NETSCOUT threat intelligence organization, we maintain visibility across the internet and in particular threat activity across the internet, and very specifically with a strengthened DDoS activity. And so, you know, there's a lot of data that we have collected. There's a lot of analysis that we conduct on a regular basis. And then every six months, we try to roll this up into a report that gives you a view into everything that's happened across the landscape. So this is our report for the first half of the year. 
So through June 2020, and yes, you know, as we came into March 2020, everything changed. And in particular, when, you know, the pandemic kind of set upon us, you know, countries, entire continents went into lockdown and we intuited that this would have an impact on the threat landscape. And you know, this is even as we've been reporting through it, this is our first drill of roll up and look at really everything that happened and everything that changed in the first half of 2020. >> Yeah. It absolutely had such a huge impact. You know, my background, Hardik, is in networking. You think about how much over the last decade we've built out, you know, those corporate networks, all the Wi-Fi environments, all the security put there, and all of a sudden, well, we had some people remote, now everybody is remote. And you know, that has a ripple on corporate IT as well as, you know, those of us at home that have to do the home IT piece there. So why don't you give us a look inside the report? What are some of the main takeaways that the report had this time? >> No, so you're right, the network became everything for us and the network became how we, how our students attended school, right? And how we did our shopping, you know, how we did certainly finance and most definitely how for a lot of us how we did work, and suddenly the network, which, you know, certainly was a driver for productivity, and just business worldwide suddenly became that much more central. And so, we tend to look at the network, both sort of at the enterprise level, but then also a lot of what we get to see is at the service provider level. So what's happening on the big networks worldwide, and that's what we've rolled up into this report. So a few things that I want to kind of highlight from the report, the first thing is there were a lot of DDoS attacks. So we recorded through our visibility, 4.83 million DDoS attacks in the first six months of the year. That's almost 30,000 attacks a day. 
And you know, it's not like we hear about 30,000 outages every day. There certainly aren't 30,000 outages every day, but you know, this is an ongoing onslaught, for anybody who exists on the internet, and this didn't abate at all through the first half of the year. If you kind of go like, just look at the numbers, it went up 15% for the same period year on year. But then as you enter into March, and in particular, the date when the WHO sort of announced the global pandemic, that's essentially the start that we marked. From that day onwards, the rise in attacks year on year for the same period, you know, a year ago was 25%. So that really, just in sheer numbers a lot changed. And then, you know, as we go a level deeper, and we look at like the nature of these attacks. You know, a lot of that actually has evolved considerably, over the past few years. And then in particular, like we're able to highlight a few stats in the first half of the year, and certainly like a lot of the drivers for this, the technical drivers are understood. And then there's just the human drivers for this, right? And we understand that a lot more people are at home. A lot more people are reliant on the internet and, you know, just sad to say, but you know, certainly also a lot more people aren't as engaged with school, with work, with society at large. And these tend to have knock on effects across large, a lot of things that we do in life, but also in like cyber crime and in particular, like in the DDoS space. >> Maybe if you could for our audience, I think they're in general familiar with DDoS, it's typically when, you know, sites get overwhelmed with traffic, different from say, everybody working at home is it'd be a little bit more cautious about phishing attacks. You're getting, you know, links and tax links in email, "Super important thing, please check this," please don't click those links. 
Does this impact, you know, those workers at home or is it, you know, all the corporate IT and all the traffic going through those that there's ways that they can stop, halt that, or, you know, interfere, get sensitive data? >> That's a really good point. And in large parts, I mean, and like with a lot of other kind of cyber crime activity, this is primarily felt inside the enterprise. And so the, as far as like, you know, companies are concerned and people who are using VPN and other kinds of remote access to get to critical resources, the key challenge here is the denial of availability. And so, okay. So you're right. Let's take a step back. DDoS, distributed denial of service. This is typically when like a large plurality of devices are used to direct traffic towards a device on the internet. And we typically think of this as a site. And so maybe, your favorite newspaper went down because of a DDoS attack, or you couldn't get to your bank or your retail, you know, e-commerce as a result of the DDoS attack, but this plays out in many different ways, including the inability for people to access work, just because their VPN concentrators have been DDoSed. I think, you know, just coming back to the split between people who work for a company and the company themselves, ultimately it's a shared responsibility, there's some amount of best practices that employees can follow. I mean, a lot of this enforcement and, you know, primarily ensuring that your services are running to expectation, as always, there's going to be the responsibility of the enterprise and something that enterprise security typically will want to cater for. >> All right. And how are these attacks characterized? You said it was up significantly 15% for the half year, overall, 25% overall, anything that differentiates big attacks, small attacks? Do we know how many of them actually freeze a site or pause how much activity is going on? 
>> Right, so what I will say is that within just those numbers, and we're simply just counting attacks, right? Even within those numbers, a key aspect that has changed is the rise in what we call multi-vector attacks. And so these are attacks in which they're, you go back maybe five years, certainly like going back further, typically a DDoS attack would involve a single technique that was being used to cause damage. And then over time, as many techniques were developed and new vulnerable services are discovered on the internet, what we find is that there's, you know, occasionally there would be a combination of these vectors, as we call them, being used against the target. And so a big thing that has changed within the last two years is what we think of as the rise in multi-vector attacks. And what we are seeing is that attacks that involve even 15 separate vectors are up considerably, over 1000% compared to the same time last year, and correspondingly attacks that involve a single vector are down in a really big way. And so we're just seeing a shift in the general, the techniques that are used within these attacks, and, you know, that has been considerable over certainly, you know, the same time 2019. But if you go back two years, even, it would seem like a complete sea change. >> What other key things, key learnings did you have from the survey this year that you can share? >> Yeah, so one thing I want to highlight that, you know, we kind of, and I think it's been implicit in some of your questions, certainly in many conversations that I have, like, what is the cost of these attacks? You know, what is ultimately the impact of these attacks on society? And one of the ways in which we tend to think of the impact is in simply like outages, like an e-commerce site that does a certain amount of business every day, you know, they can easily recognize that "All right, if I'm off for a day, for two days, for seven days, here's the impact to my business." 
So that tends to be understood at the individual enterprise level. Another cost that that often is well recognized as like the cost of mitigating attacks. And so now there's, whether it's the service provider, the enterprise themselves, other forms of business or other entities who will invest in mitigation techniques and capacity, those costs tend to kind of rack up. What we have done, and thanks to our kind of really unique visibility into service provider networks worldwide. What we've been able to do is extract essentially the, what we call the DDoS attack coefficient. And this is, think of it as like, here's how much DDoS attack traffic is going on worldwide or across any set of networks at any given time. So if you had zero DDoS in the world, that number will be zero, but it most definitely is not. You know, there's, we have represented numbers for different parts of the world. This can be many, many, many gigabits per second, many terabits per second. And essentially there's a, even just a transit cost for carrying this traffic from one point to another. And that is actually like the, you know, what we call the DDoS attack coefficient. And that cost is something that I want to highlight is being borne by everyone. So this ultimately is what shows up in your internet bills, whether you're a residential subscriber, whether you're using your phone and paying for internet through your phone, or you're an enterprise, and now you have network connections for your service providers, because ultimately this is a cost that we're bearing as a society. This is the first time that we've actually conducted research into this phenomenon. And I'm proud to say that we've captured this split across multiple geographies of the world. >> Yeah. It's been a big challenge these days. The internet is a big place, there's worry about fragmentation of the internet. 
There's worry about some of the countries out there, as well as some of the large, multinational global companies out there, really are walling our piece of the internet. Hardik, one thing I'm curious about, we talked about the impact of work from home and have a more distributed workforce. One of the other big mega trends we've been seeing even before 2020 is the growth of edge computing. You talk about the trillions of IoT devices that will be out there. Does DDoS play into this? You know, I just, the scenario runs through my mind. "Okay, great. We've got all these vehicles running that have some telemetry," all of a sudden, if they can't get their telemetry, that's a big problem. >> Yeah. So this is both the, this is the devices themselves and the, basically the impact that you could see from an attack on them. But more often what we see on the internet in the here and now is actually the use of these devices to attack other more established entities on the internet. So then, so for us now, for many years, we've been talking about the use of IoT devices in attacks, and simply the fact that so many devices are being deployed that are physically, they're vulnerable from the get-go, insecure at birth, essentially, and then deployed across the internet. You know, even if they were secure to start, they often don't have update mechanisms. And now, they, over a period of time, new vulnerabilities are discovered in those devices and they're used to attack other devices. So in this report, we have talked about a particular family of malware called Mirai, and Mirai has been around since 2016, been used in many high profile attacks. And over time there have been a number of variations to Mirai. And, you know, we absolutely keep track of the growth in these variations and the kinds of devices where they attack. Sorry, that they compromise, and then use to attack other targets. 
We've also kind of gone into another malware family that has been talked about a bit called Lucifer, and Lucifer was another, I think originally more Microsoft Windows, so you're going to see it more on your classic kind of client and server kind of computing device. But over time, we've seen, we have reported on Linux variants of Lucifer that not only can be installed on Linux devices, but also have DDoS capabilities. So we're tracking like the emergence of new botnets. Still, Stu, going straight back to your question. They are, this is where IoT, you know, even for all the promise that it holds for us as society, you know, if we don't get this right, there's a lot of pain in our future just coming from the use of these devices in attacks. >> Well, I thought it was bad enough that we had an order of magnitude more surface area to defend against on, I hadn't really thought about the fact that all of these devices might be turned into an attack vector back on what we're doing. Alright, Hardik. So you need to give us some, the ray of hope here. We've got all of these threats out here. How's the industry doing overall defending against this, what more can be done to stop these threats? What are some of the actions people, and especially enterprise techs should be doing? >> Yeah, so I absolutely start with just awareness. This is why we publish the report. This is why we have resources like NETSCOUT Cyber Threat Horizon that provides continuous visibility into attack activity worldwide. So it absolutely just starts with that. We're actually, this is not necessarily a subject of the report because it's happened in the second half of the year, but there have been a wave of high profile attacks associated with extortion attempts, over the past month. And, these attacks aren't necessarily complex, like the techniques being used aren't novel. 
I think in many ways, these are the things that we would have considered maybe run of the mill, at least for us on the research side and the people who live this kind of stuff, but, they have been successful, and a number of companies right now, a number of entities worldwide right now are kind of rethinking what they're doing in particular DDoS protection. And for us, you know, our observation is that this happens every few years, where every few years, there's essentially a reminder that DDoS is a threat domain. DDoS typically will involve an intelligent adversary on the other side, somebody who wants to cause you harm. To defend against it, there are plenty of well known kind of techniques and methodology, but that is something that enterprises, all of us, governments, service providers, those of us on the research side have to kind of stay on top of, keep reminding ourselves of those best practices and use them. And, you know, I'll say that again, for me, the ray of hope is that we haven't seen a new vector in the first six months of the year, even as we've seen a combination of other known vectors. And so for these, just from that perspective, there's these attacks we should be able to defend against. So that's essentially where I leave this, in terms of the hope for the future. >> Alright, Hardik, what final tips do you have? How do people get the report itself and how do they keep up? Where do you point everyone to? >> Yes, so the report itself is going to be, is live on the 29th of September 2020. It will be available at NETSCOUT.com/threatreport. I'll also point you to another resource, Cyber Threat Horizon, that gives you more continuous visibility into attack activity, and that's NETSCOUT.com/horizon. And so these are the key resources that I leave you with, again, this is, there's plenty to be hopeful about. As I said, there hasn't been a new vector that we've uncovered in the first six months of the year, as opposed to seven vectors in the year 2019. 
So, that is something that certainly gives me hope. And, for the things that we've talked about in the report, we know how to defend against them. So, this is something that I think with action, we'll be able to live through just fine. >> Well, Hardik, thanks so much for sharing the data, sharing the insight, pleasure catching up with you. >> Okay. Likewise, Stu, thank you. >> All right, and be sure to check out theCUBE.net for all of the videos we have, including many of the upcoming events. I'm Stu Miniman and thank you for watching theCUBE. (calm music)
Craig Sanderson, Infoblox | Next Level Network Experience
>> Announcer: From around the globe, it's theCUBE with digital coverage of next level network experience event, brought to you by Infoblox. >> Okay, welcome back everyone's to CUBE's coverage and co creation with Infoblox. Next Level networking event, virtual event, I'm John Furrier, your host to theCUBE. We're here with Craig Sanderson, Vice President security products at Infoblox. Talking about securing the borderless enterprise, obviously Infoblox, we had a variety of different conversations. Craig, welcome to theCUBE. >> Thank you. Thanks, it's great to be here. >> Remote CUBE, normally we're in person, but since it's COVID-19, we're doing our best to get the stories out and one of things I want to chat with you is with COVID-19, this shift to remote working is interesting and the word work is interesting you got the work forces which are people work places which are locations, which is now home, workflows and work loads all work related, right? So if you think about the enterprise, you know, just the disruption to business model around this unforeseen, almost 100% VPN usage maybe or you got all this remote action, no one could have foreseen all this coming. How is this shift change the security paradigm and posture for enterprises? >> Yeah, I think for a lot of the customers that we've talked to, a lot of them are thinking about digital transformation for some time. What COVID has really done is rapidly expanded or kind of accelerated the need for them to think about what the digital transformation plans are. 
And unfortunately for some organizations who may be not as far down the line as others, they've looked at their current implementation for remote access, and their traditional security models of like perimeter based and they found that you know in this current environment where suddenly you've gone from being only a partial set of your workforce or remote to now all of them being remote and their applications, their data, the users, they're all kind of spread anytime, anyplace, anywhere. Their traditional models don't really work. So what it's caused a lot of organizations to do is to really accelerate their digital transformation plans and quite often for some of those organizations, they've realized that they've had to make the move relatively quickly because their traditional architectures have just not been designed for this level of disruption the digital transformation has had on their businesses. >> Give some examples of how companies have either been flat footed or on their heels, kind of push back and saying, well, we got caught off guard to ones that are kind of in place that kind of managed the pandemic well, what's the difference? Can you just give some color commentary around, you know, the the profile who got it right or some were right, and some that have gotten it wrong, or are struggling? >> So I think the ones who got it right are the ones who were already thinking about digital transformation. They're looking at the fact that a lot of the applications that their consumers or their users are consuming are increasingly going to be in the Cloud anyway. So the traditional architecture of all the good stuffs on the inside and the bad stuff on the outside, that simply doesn't work with Cloud and those organizations who were looking at obviously Cloud deployments for their applications, SDN IoT, those organizations have had be thinking about how they can secure those devices, the applications and users in a way that is going to be ubiquitous. 
The fact that you can deploy the security controls wherever those applications, users or devices are going to be. So those organizations were already starting to think about how they can build a networking architecture that is going to be suited for digital transformation, and by extension, they've been recognizing that the security model has to change, 'cause they were much further down the path. Really, this has been an acceleration. For those organizations that said, well, I'm not really interested in Cloud, or are worried about the risks associated with Cloud and things like that, who tended to try and stick or cling to the old traditional model, where they really run into trouble now is, like, this model just doesn't work. And now the decision's almost been taken out of their hands with COVID, because now their users are not on the corporate network. They can't build a rock wall around those users. They now have to provide protection for a user who's potentially not even using a device that they can control. So for those organizations who were already thinking about Cloud and SDN and IoT, because of that digital transformation effect, they've been starting to think about security. For those who have not thought about that, or who have been pushing that off, they're the ones who've been caught somewhat flat footed, and now they've been forced to make a decision which maybe they're not actually feeling comfortable or ready to go off and do. >> You know, Craig, I sat with a friend the other day and we were, like, briefing on, hey, you know, COVID-19 really kind of exposes, almost like the tide going out as that tsunami comes, you can see everything, all the scabs and all the problems. And then we started talking about the whole work at home situation, like this is probably the biggest use case of IoT in real life, because you can really see it play out, not just a factory or sensor or device at the edge of the network, these are work, people doing work, right?
So this whole IoT Edge, it's about addressability. So you know, I have to ask you, 'cause we've talked with you guys earlier in other segments around this next level networking experience, I love the word experience, but next level networking means next level. So DDI is an abstraction, DDI being DNS, DHCP, and IP address management. How does the security piece fit in? Because certainly, yes, you've got at home, we've got a bunch of IoT people running their stuff from their home networks, and so remote access, and you've got also the business around it, which includes everything that's connected to the network now, and literally is borderless. So I like that term. So how does DDI security fit into that? >> Yeah, I mean, it's part of having the experience. I mean, one of the things that's changed, I mean, I've been in security for over 20 years, probably about 10 or 15 years ago, as a security guy, you could come back and you had a veto, you'd come back and say, well, no, we're not going to roll this thing out, these applications or these services, because it's a risk to the business. Now, with a lot of the CSOs that I've talked to, that veto is going away. If this application is going to get rolled out, we're going to run this service, security has to catch up. Now, what you can't have, from a seamless experience point of view, is to say, well, okay, you've now got a wonderful application experience, but then it gets ruined by all the security controls that are very invasive. So what all organizations are having to do is to think about how you can build a seamless networking architecture that can also seamlessly include the security as part of that. And so you can still have the security the organization needs without it becoming a massive disruption to the experience. And one of the good examples is, for a lot of organizations, their remote access, going back to the COVID example, is based on VPN.
VPNs are cumbersome and have got troubles with passwords and all these sort of, like, traditional issues associated with the user experience from a VPN perspective. I mean, a lot of users have the patience to deal with that, and they don't necessarily follow all the necessary security controls. So people are being forced to rethink how they can build the quality application experience, underpinned by a digitally transformed network, but at the same time making sure you can layer in, at a foundational layer, the security functions as well. And that's where a lot of organizations who are a little bit more forward thinking understood that and started to think about, like, DNS, which is essentially this ubiquitous platform that is already there, and it can already provide those sorts of security services by default. Because, going back to your example about IoT, one of the jokes with one of my friends is, for every IoT security, sorry, for every IoT offering, there's a separate IoT security offering. And one of the things that was a lightbulb moment for us is, if you're trying to secure all these heterogeneous IoT devices, well, one thing they have in common: they're all going to get an IP address, so we're going to use DNS. So what people have to start to do is to try and make security seamless, it has to be built into the foundations. It can't be this extra thing that you kind of glob on the side, because it then ruins the overall experience for the users. The nice thing about DNS is it's ubiquitous, and you can apply the security regardless of what the endpoint and application is, because the common denominator is they get an IP address and they use DNS. >> And DNS has such a great track record over the years of having layers of abstractions on top of it to keep pace with the functionality, and it's really been an operating model, and you bring up the different security packages and postures for each thing.
And you mentioned, you know, the old days security guy, oh, no, we're killing that, no, we're going this way. That was the operational model, but now with DevOps, you brought up Cloud earlier, DevOps has proven that agility, speed, scale can work, and how does security catch up? It's an operating model. So this is really kind of the key epiphany is, hey, VPNs, that's not the experience that people want. And, you know, I was just talking with someone from Amazon this morning in another interview segment, and the discussion was new expectations, new solutions. So that's kind of what we're seeing right now. So how do you enable that out at speed by not screwing over the operations people, right? So 'cause they've got to be, operationally, I need to be really rock solid, so you need automation, you've got to have those factors and requirements built in, but you've got the agility for development. Your reaction? >> Yeah, absolutely. We see that especially, as one of the things about DNS is it's essentially ubiquitous. You can apply similar security controls regardless of the environment. So, right now I'm stuck at home because of the COVID virus. So again, I'm going to use DNS, I go through one of our Cloud platforms, I have DNS applying the security controls there. But within the same thing, because DNS works as one ubiquitous system, and it's like how the internet works with DNS, quite easily, not only can you block malicious threats for myself, but also you can push that same block mitigation to a DNS server that's running in AWS. So if your workload that may also have been compromised is trying to go to the same malicious domain, it can also be blocked by DNS. And so that ubiquity, the fact that it's built as this ubiquitous system, I mean, one thing that's very different is, in the networking world standards are great. We can plug different things together, they all kind of fit together nicely.
In security that's not normally the case. Normally, you've got this jigsaw puzzle where all the pieces don't really fit together. The nice thing with DNS is it's absolutely ubiquitous. So one basic example is, if I try to go to a malicious domain, or I try to steal data over DNS, not only would we be able to block it, but we'd also be able to dynamically share that mitigation to all of the on prem DNS servers, the DNS servers in your public or private Cloud, and for all the other, like, remote users. So the fact is you've got this pre built fabric, and it's not that we're security geniuses, it's just it happens to already be there because of DNS and how DNS has been developed over the last 30 or 40 years. So I think the nice thing about it is a lot of organizations are starting to realize that you've got this foundation already there. Ostensibly, it's there for networking purposes, but the ability to repurpose all the core assets of DNS, the scalability, the flexibility, adaptability, the ubiquity, all those things are there by default. Why don't you use that as the new foundation for that next gen security architecture? >> And you know, you've got me as a fan, I'll say that right away, because when we think about the simplicity of going to the low level building block in DNS, it fits for what I said earlier, the future of work, the word work: workplace, workforce, workload, workflows, no matter what it is, it works across. So it's a consistent primitive. I mean, it makes total sense. Why would you want to have different things? So again, this brings up the whole foundational level of DDI that's got my interest. And I want you to explain this for folks, because I think it's not obvious. Abstractions are pretty clear, people get abstraction layers, reduce complexity and increase functionality and capability. But DDI, you guys have, from a foundational security standpoint, is kind of the unique thing Infoblox has.
How is that different, DDI, from other offerings in the security stack? >> Yeah, I think the one thing that is pretty unique, especially when it comes to DNS, is the fact that it's built together as this ubiquitous system, and it's there by default. I mean, otherwise the internet just wouldn't work. So the nice thing is that if you deploy a DNS system, we can deploy it as a grid, so whether it's an appliance running on prem or sitting in a public Cloud, or even for roaming users who are going through one of our points of presence, it works as one big ubiquitous system. Whereas you take, like, traditional firewalls, you're configuring these devices separately, and you have to manually stitch it together. And you take multiple different vendors, and, you know, it doesn't quite fit neatly together. DNS is based on the standard, you could take a DNS server, or a master DNS server, from another company and, because it's based on standards, it will work seamlessly together. In fact, the threat mitigation mechanism where you distribute threat intelligence to tell the DNS what the malicious domains or IP addresses to block are is based on so called response policy zones. That's been part of the DNS standard since 2010. And it works seamlessly across multiple vendors, whereas in the security world, as I said, it's kind of like a jigsaw where you get all the pieces together that you think you need, and then the burden is always on the customer or the organization to then piece these things together, and as a chief source it doesn't fit together. I can see that burden can cause a hell of a lot of issues for a lot of the customers. >> Yeah, I've got to ask you, since DNS is so foundational to, and an element of, all internet activities, obviously, you know, URLs is DNS, it's a string, actually. So everything's based on DNS, how it resolves. So what about the, how would you respond if someone said, hey, you know, I don't even know if DNS is still around. I know it's palm.
It's underneath there somewhere, I don't even have to deal with it, it just runs things, we've been using it for years. What's the big deal? So how do you go in and say, hey, customer, hey, enterprise, you're not borderless, I get a hitch. But they have DNS. How do they modernize it? How do they assess it? How do you go in, and some of the young kids don't even know what DNS even is? I mean, like, it's new, so, like, what do you go, where, how do you approach that, and what's the pitch, because they've got it and it's an opportunity to innovate. What's the story there? >> There's really two aspects to it. The first one is, I mean, DNS is a bit like oxygen. If it's not there, you really need to notice it. You just take when we had the Mirai botnet attack a few years back, all these organizations suddenly realized how important DNS is. And there's a reason why DNS is the number one attack vector for DDoS attacks. If I'm an adversary, I could try and take out individual applications, it's going to take me forever. I take out your DNS, everything's going to stop. I mean, it's that foundational. But because it's been... >> Hackers, no problem, yeah. >> Exactly, and for that reason, that's why it's constantly targeted. So firstly, my first pitch to customers is, you've got to take this stuff seriously, because when it goes down, everything is down. And the impact to your organization, not just from a brand reputation, but just from running your business, is going to be huge. But on top of that, the way to think of DNS is, the nice thing is, you don't have to change your network architecture. If you think about a typical user who clicks on a phishing link, when they click on a phishing link, who's going to see the malicious request first? Is it your firewall? No, your DNS server. Because you made the request, you have to resolve the malicious domain that you're going to try and connect to. You need to find out the IP address of it.
So your DNS server. And it's been proven in multiple studies that the vast majority of malware uses DNS as its control plane. So if you want to understand what the bad guys are doing, you know, your DNS server's got a front row seat to exactly what the bad guys are doing. And to implement security on it, you don't have to change your network architecture, because your DNS is already there by default. All you need to do is infuse it with security knowledge, whether that is machine learning, analytics or threat intelligence. But those DNS servers are ideally positioned. They're going to see the malicious activity regardless of what the application is. So it's foundational, not just in terms of, if it's not there, it's going to cause a massive issue to your whole environment anyway. But even if you secure the DNS, the DNS is also this wonderful tool that is in all the right places, and it's also deeper into the network. One of the challenges you mentioned about operations is, the challenge is, okay, you can block malware, but if you don't know the source address of the device that is actually trying to make the request, you don't know what to go and clean up. Whereas your DNS server, your DHCP server knows exactly who it is, because we handed out the IP address. We know the MAC address, we know the IP address, we know the user name, we have all that information that is going to be critical for security operations. And now you can see what it's about. Maybe in the first report, you start to see that organizations are waking up to the fact that you have this treasure trove of security operations data that you haven't tapped, largely for political reasons, because the security guys can't reach over and grab the necessary DDI network context from those DNS platforms, because typically they're owned by the networking or the server team. >> Before we get into that report, I think that had some threat investigation data.
What you're getting at about this DNS is that basically it's critical infrastructure. And if you try to forget about it, 'cause it works, you lose sight of the real opportunity, which is, if it's critical infrastructure, you've got to treat it like critical infrastructure, and make sure it's modernized, refreshed, in the right position to manage all this, right? >> Absolutely. Absolutely, yeah. It's unfortunate. With the Mirai botnet attack, a lot of organizations, as they said, well, okay, we'll just outsource this, we don't have to worry about it. But when it wasn't there, and it wasn't the fact that, I mean, it was an attempt to take out, like, Minecraft servers. Nothing to do with most of the businesses who were impacted, but there was a lot of collateral damage. And unfortunately, it's like one of those things, because DNS is a victim of its own success. The fact that it is reliable, it is consistent, you don't have lots of DNS outages typically. As a result of that, people tend to forget about how critical it is, and the role it plays in serving all of your applications and your users. >> Let's get into the report, 'cause they surveyed hundreds of security and risk management leaders, both compliance and also security pros that are using DNS. What were your key thoughts on the takeaways from that study? What should people know about it? >> It's very encouraging. When I first joined Infoblox, about five years ago, the usage of DNS as network context, as a way to help with security operations, was very, very low. And that causes all sorts of issues for organizations when it comes to doing security operations. I mean, a prime example is, the guys who work in security operations, that is the biggest issue for customers right now. They've bought almost too much security gear. And each of those security tools and platforms, they're generating security events.
So again, security events from your firewall, or from your IPS, or from your NAC system, or whatever it happens to be, and the burden now falls on the security operations teams. And it's been proven that there's a huge amount of open opportunities, because there just isn't enough trained security operations staff, and the ones who are already in the business are massively overworked and struggle to get through all the security events that have been firing from their security operations tools. So what I was encouraged by from the first report is that organizations are realizing that DHCP is going to help you be able to identify the fact that these two security events that seem completely separate, one of them has got a source address of 10.1, the other one's 20.1, well, you know what? This laptop moved from one side of the building to the other and got a different address, it's actually the same device. But based on the traditional security events you're getting from the existing tools, you know, you're going to think it's two separate events, and they're not. Likewise, one of the things that's coming out is that people start to use DNS as an audit trail. And one of the challenges for organizations is, if you get a data breach, what's one of the first questions a journalist is going to ask you? It's, like, well, what is the scope of the breach? What was impacted? And quite often organizations are not prepared. They come back and say, well, at this stage, we don't know. That's a great way for a CEO or CFO to get fired. So a smarter way of doing it is, if you think about it, you've got the devices under investigation, the DNS queries that those machines have been making is a wonderful audit trail of not just the external resources they've been accessing, but also the internal resources as well, what has been potentially exposed. So I think from the report, we're certainly seeing people realizing what their biggest challenges in security operations were.
Essentially, the DDI data is almost like the oil that's going to grease the wheels of security operations. And if you don't do that, buying more security gear is not going to make the problem better, it's actually going to make it worse, unless you can operationalize it. >> Yeah, at the end of the day, the failure's right there in the low level of critical infrastructure, and in building floors no one cares what happened on the 10th floor, it's the foundations. I've got to get your thoughts on this, because as you guys have DDI abstraction, DNS, you know, as it's growing, it's had its evolutions with abstractions, you know, as these things kind of flex, there used to be an old expression, DNS tricks, you know, you would mangle DNS, and it was a naming system. So you use it the way you use it, and then new innovation layers create more upside and more, take away complexities. How does DNS scale enable value? Because now you've got Cloud, you've got Cloud native, new software's being written, and developers want to rely on the DNS as critical infrastructure, but also want to be enabled to have, you know, really robust applications. >> Yeah, and I think, given the fact that all the work has been put into DNS over the last 20 or 30 years, that work has resulted in a very highly available, very resilient system. And so a lot of stuff has to go wrong for DNS to fully go down. And it's easy to just take things like Anycast. Anycast allows you to connect to the nearest DNS server that's going to give you the resolution. So it's going to give you the best performance. This also can give you the high availability and resilience that goes along with that. And I think also, from the security guys' point of view, one of the things that we've started to realize is that DNS is a great avenue by which you can detect somewhat unique threats. So one of the things that comes up quite a lot, we're starting to see old malware being re weaponized to exfiltrate data over DNS.
So if you're a DevOps guy and you're building your new application, if someone compromises your application, if I try to extract the data over HTTP or email, you probably have a solution for that. But how many organizations have visibility into the billions of DNS queries that are going to come out of your network in a day? Which ones of those might be actually data that has been stolen, that gets encoded and corrupted, chopped up and sent out in DNS packets? It's very difficult for traditional security appliances to understand and really differentiate between legitimate DNS requests, the malicious ones, or actually the ones which are benign applications that essentially tunnel over DNS because they're trying to bypass firewalls. So increasingly, DNS is a threat vector for basic data loss. It's also important to understand it really gives you a window into what the adversary is doing. So not just when it comes to data exfiltration, but other things like domain generation algorithms that allow adversaries to maintain control of devices that they've compromised. So a lot of that stuff is not just about the high availability and the ubiquity of DNS, but also making sure you can be fully on top of the potential impact of DNS being exploited as a potential backdoor out of your network. >> Critical infrastructure, but also that's where you're going to see the footprints of any kind of activity right there. It's a great observation space as well for detection and analysis. Great stuff. Craig, thank you for taking the time, great insight, great conversation. DNS is critical infrastructure, get on it, and people are on it, they're going to go to the next level. Getting the next level networking experience is about having that security always on, high availability, and protecting against the bad guys. Craig, thanks for joining me on this CUBE conversation for the Infoblox virtual event. Thank you. >> Pleasure. Thanks for having me.
>> Okay, that's theCUBE coverage of Infoblox's Next Level Networking virtual event. I'm John Furrier, your host of theCUBE. Thanks for watching. (upbeat music)
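Two technical points in the conversation above lend themselves to a worked example: the response policy zone mechanism Craig describes for pushing one block decision to every resolver, and the difficulty of spotting exfiltration or tunneling inside the resolver's query stream. The Python below is an added illustration for this page, not Infoblox's code or anything from the interview. It evaluates an RPZ-style QNAME policy over a constructed query log (exact triggers and `*.` wildcard triggers, the two forms an RPZ zone expresses as `name CNAME .` for NXDOMAIN and `name CNAME *.` for NODATA), and then flags the tunneling pattern: long or high-entropy leftmost labels, and many distinct subdomains from one client under one parent domain. The log format, the policy table, the thresholds, and the last-two-labels base-domain rule are all assumptions made for the example; a production version would use the Public Suffix List and tune the thresholds to the network it watches.

```python
import math
from collections import Counter, defaultdict

# Constructed sample of resolver query logs for this example (synthetic, not a
# real capture). Fields: timestamp, client IP, query type, query name.
SAMPLE_LOG = """\
2020-06-01T10:00:01Z 10.1.2.3 A www.example.com
2020-06-01T10:00:02Z 10.1.2.3 A cdn.example.net
2020-06-01T10:00:03Z 10.1.2.7 A login.bad-actor.example
2020-06-01T10:00:04Z 10.1.2.9 TXT nvsxg33omfywi3djnzsxeidbn5ywh3b5.tunnel.example
2020-06-01T10:00:05Z 10.1.2.9 TXT ge2dmnrvgq3tiobwg4zdsnjqhe3tsmjr.tunnel.example
2020-06-01T10:00:06Z 10.1.2.9 TXT kbqxey3ubfrgk3tmnzsw45djnzxw433o.tunnel.example
2020-06-01T10:00:07Z 10.1.2.9 A mail.example.com
2020-06-01T10:00:08Z 10.1.2.3 A tracker.example
"""

# Hypothetical RPZ-style policy: trigger name -> action. In an RPZ zone these
# would be the records `bad-actor.example CNAME .` and `*.bad-actor.example CNAME .`
# (rewrite to NXDOMAIN) and `tracker.example CNAME *.` (rewrite to NODATA).
POLICY = {
    "bad-actor.example": "NXDOMAIN",
    "*.bad-actor.example": "NXDOMAIN",
    "tracker.example": "NODATA",
}


def normalize(qname):
    """Lower-case and strip the trailing dot so names compare like a resolver would."""
    return qname.rstrip(".").lower()


def policy_action(qname):
    """Return the policy action for qname, or None when no trigger matches.

    An exact entry matches the name itself; a '*.' entry matches any name
    strictly below it. The most specific wildcard wins, mirroring how an RPZ
    zone's QNAME triggers are evaluated.
    """
    name = normalize(qname)
    if name in POLICY:
        return POLICY[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in POLICY:
            return POLICY[wildcard]
    return None


def shannon_entropy(text):
    """Bits per character of the label; random-looking encoded payloads score high."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    """Split one constructed log line into its four fields."""
    ts, client, qtype, qname = line.split()
    return {"ts": ts, "client": client, "qtype": qtype, "qname": normalize(qname)}


def analyze(log_text, entropy_threshold=3.5, label_len_threshold=30,
            unique_sub_threshold=3):
    """Return (client, name, reason) alerts for policy hits and tunneling signs.

    Thresholds are illustrative. The base domain is taken as the last two
    labels, an assumption for the example; real code should use the Public
    Suffix List so that names like example.co.uk are grouped correctly.
    """
    alerts = []
    # (client, base domain) -> distinct leftmost labels seen beneath it
    subdomains = defaultdict(set)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        q = parse_line(raw)
        action = policy_action(q["qname"])
        if action:
            alerts.append((q["client"], q["qname"], f"rpz:{action}"))
        labels = q["qname"].split(".")
        if len(labels) <= 2:
            continue
        base = ".".join(labels[-2:])
        leftmost = labels[0]
        subdomains[(q["client"], base)].add(leftmost)
        if (len(leftmost) >= label_len_threshold
                or shannon_entropy(leftmost) >= entropy_threshold):
            alerts.append((q["client"], q["qname"], "tunnel:encoded-label"))
    for (client, base), names in subdomains.items():
        if len(names) >= unique_sub_threshold:
            alerts.append((client, base, f"tunnel:{len(names)}-unique-subdomains"))
    return alerts


if __name__ == "__main__":
    for client, name, reason in analyze(SAMPLE_LOG):
        print(f"{client:<10} {reason:<32} {name}")
```

Run as a script it prints one line per alert: the policy hits for the two blocked names and the three tunnel-like TXT queries from 10.1.2.9, plus the per-client count of distinct subdomains under tunnel.example. The policy lookup walks parent domains from the most specific upward, which is why a single wildcard entry blocks every host under a malicious zone without listing each one, the property the interview credits to RPZ distribution.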
Hardik Modi, NETSCOUT | RSAC USA 2020
>> Announcer: Live from San Francisco, it's theCUBE covering RSA Conference 2020, San Francisco. Brought to you by SiliconANGLE Media. >> Hey, welcome back everybody. Jeff Frick here with theCUBE. We're in downtown San Francisco. It is an absolutely spectacular day outside. I'm not sure why we're inside Moscone. That's where we are. It's the RSA Conference, I think 50,000 people, the biggest security conference in the world, here in Moscone this week. We've been here, wall to wall coverage. We'll be here all the way till Thursday. So thanks for joining us. We're excited to have our next guest. He's got a lot of great data to share, so let's jump into it. It's Hardik Modi. He's the VP of Engineering, Threat and Mitigation Products for NETSCOUT. Hardik, great to meet you. >> Thank you. Good to be here, too. >> So for people who aren't familiar with NETSCOUT, give them kind of the basic overview. What are you guys all about? >> Yes, and that's what we consider ourselves, the guardians of the connected world. And so our job is to protect, like, you know, companies, enterprises, service providers, anybody who is on the Internet, and help keep their services running, your applications and things that you deliver to your customers, to make sure that it's up there performing, like, you know, the way you want them to, but also kind of give you visibility and protect you against DDoS attacks and other kinds of security threats. That's basically, in a nutshell, what we do as a company, and, yeah, we are the guardians of the connected world. >> So I just, from a vendor point of view, I always feel so sorry for buyers in this environment, because you walk around, I don't know how many vendors are in here, a lot of big booths, little booths. So how do you kind of help separate, you know, NETSCOUT from the noise? What's your guys' secret sauce? What's your kind of special thing?
>> Really, it's like 30 years of investment in, like, network based visibility, and we truly believe in the network. Our CEO, he says, like, you know, the network, like, you know, actually, when you monitor the network, it's like taking a blood test. It tells you the truth, right? And it's really, like, how you find out, like, you know, some things right or wrong. I mean, actually, from my background too, like, network monitoring, there's a lot of what we think of as the endpoint that is actually contested territory. That's where the adversary is. When you're on the network and you're monitoring all activity, it really gives you a vantage point, you know, that's really special. So we really focus on the network. Our heritage in the network is one of our key strengths, and then, you know, as part of us as a company, like, Arbor Networks, which got acquired some years ago, is very much part of NETSCOUT with our brand of products. Part of that, you know, the Arbor legacy includes huge visibility into what's happening across the Internet, and visibility like nobody else, like, in terms of the number of service providers and large enterprises who work with us and help us understand what's happening across the landscape. That's like nobody else out here. And that is what we consider a key differentiator. >> Okay, great. So one of the things you guys do a couple times a year, I understand, is publish a report, give people some information as to what's going on. So we've got the version four here, right? NETSCOUT Threat Intelligence Report. So you said this comes out twice a year. >> Twice a year. >> So what is the latest? Give me some scoop here. >> Hot off the presses, we published last week. Okay, so it's really just a few days old, and, you know, our focus here is what happened in the last six months of last year. So that, and then what we do is we compare it against data that we've collected a year prior.
>> So really a few things that I want you to remember. If you're, right, you know, the first number is 8.4 million. That's the number of DDoS attacks that we saw. This doesn't mean that we've seen every attack, you know, in the world, but that's, like, you know, just how many DDoS attacks we saw through the eyes of our customers. >> That's in six months? >> The 8.4 number is actually for the entire year, here in an entire year of 2019. There's a little bit of seasonality to it. So if you think of it, like, a 4.4, maybe something like that was the second half of the year. But that's where I want to start. That's just how many DDoS attacks we observed. And so, in the course of the report, what we can do is slice and dice that number, talk about, like, different sizes, like, what are we seeing between zero and 100 gigabits per second, 100 to 400, 400 and above, and kind of give you a sense of just what kind of separation there is, who is being targeted. Like, we have, at a very broad level, like, in some of the verticals and geographies, we kind of lay out this number and give you, like, a lot of context. So if you're in finance and you're in the UK, you want to know, like, hey, what happened? What happened in Europe, for example, in the past six months? We have that data, right, and we've got to give you that awareness of what's happening now. The second number I want you to remember is seven. Seven is the number of new attack vectors, reflection amplification attack vectors, that we observed being used widely in the second half. >> Seven new? 17 new ones? >> So that now kind of brings our tally up to 31, like that. We have those listed out in here. We talk about just how many of these vectors, how they're used. Also, each of these vectors leverages vulnerabilities in devices that are deployed across the Internet. So we kind of laid out, like, you know, just how many of them are out there.
But that's, like, you know, that to us, seven is reflecting how the adversary is innovating. They're looking for new ways to attack us. They found seven in the last year. They're going to war, right? Right. And that's kind of what we focus on. >> Let's go back to the 8.4. So of those 8.4 million, how many would you declare successful from the attacker's point of view? >> Yeah, you know, something that this is always, like, you know, you know, it's difficult to go estimate precisely or kind of get within some level of precision. I think that, you know, the adversary's always trying to, of course, they love to deliver a knockout blow and, like, all your services down, but even, like, every attack inflicts a cost, right? And the cost is, whether it's, you know, it's made its way all the way through to the end target, and now, you know, they're using more network and computing resources just to kind of keep their services going while they're under attack. The attack is low, you're still kind of, you're still paying that cost, or, you know, the cost is paid upstream by maybe the service provider, somebody who was defending your network for you. So that way, like, you know, there's a cost to every one of these, right? In terms of, like, outages, I should also point out that the attacks that you might think, that this attack is, like, you know, hey, you know, there was a specific victim and that victim suffered as a result of it, but in many cases the adversary is going after people who are providing services to others. So I mean, if a Turkish bank goes down, right, like, you know, and cannot, like, service customers for a month, or maybe even a few hours, right, and you know, the number of victims in this case is fairly broad. It might be one attack, it might be one target, however, like, the impact is fairly, is very large. >> What's interesting is, that begs a question, kind of,
How do you >>define success or failure from both the attacker's point of view as well as the defender? >>Yeah, I mean, I mean and again, like there's a lot of conversation in the industry about for every attack, right? Any kind of attack. What? When do I say that? You know what? I was ready for it. And, you know, I was I was fine. I mean, I don't care about, you know, ultimately, there's a cost to each of these things. I'd say that everybody kind of comes at it with their You know, if you're a bank, that you might go. Okay. You know what? If my if I'm paying a little bit extra to keep the service up and running while the Attackers coming at me, No problem. If I if my customers air aren't able to log in, some subset of my customers aren't able to log in. Maybe I can live through that. A large number of my customers can't log in. That's actually a really big problem. And if it's sustained, then you make your way into the media or you're forced to report to the government by like, outages are like, You know, maybe, you know, you have to go to your board and go like a sorry, right? Something just happened. >>But are the escalation procedures >>in the definition of consistency? Right? Getting banged all the time right? And there's something like you said, there's some disruption at some level before it fires off triggers and remediation. So so is there some level of okay, that's kind of a cost of doing business versus, you know, we caught it at this. They're kind of like escalation points that define kind of very short of a full line. >>I think when we talk to our service provider customers, we talked to the very large kind of critical enterprises. They tend to be more methodical about how they think of like, Okay, you know, degradation of the service right now, relative to the attack. I think I think for a lot of people, it's like in the eyes of the beholder. Here's Here's something. Here's an S L. A. That I missed the result of the attack at that point. 
Like you know, I have, I certainly have a failure, but, you know, it's it's up until there is kind of like, Okay, you're right >>in the eyes the attacker to delay service >>at the at the Turkish bank because now their teams operate twice, twice the duration per transaction. Is it? Just holding for ransom is what benefit it raises. A range >>of motivations is basically the full range of human nature. There's They're certainly like we still see attacks that are straight journalism. I just I just cause I could just I wanted I wanted to write. I wanted to show my friend like, you know, that I could do this. There's there's definitely a lot of attacks that have that are like, you know, Hey, I'm a gamer and I'm like, you know, there's I know that person I'm competing with is coming from this I p address. Let me let me bombard them with >>an attack. And you know, there's a huge kind of it could be >>a lot of collateral damage along the way because, you know, you think you're going after this one person in their house. But actually, if you're taking out the network upstream and there's a lot of other people that are on that network, like you know, there's certain competitive element to it. They're definitely from time to time. There are extortion campaigns pay up or we'll do this again right in some parts of the world, like in the way we think of it. It's like cost of doing business. You are almost like a business dispute resolution. You better be. You know, you better settle my invoice or like I'm about, Maybe maybe I'll try and uses take you out crazy. Yeah, >>it, Jeff. I mean things >>like, you know the way talked about this in previous reports, and it's still true. There's especially with d dos. There's what we think of it, like a democratization off the off the attack tools where you don't have to be technical right. You don't have to have a lot of knowledge, you know, their services available. 
You know, like here's who I'm going to the market by the booth, so I'd like to go after and, you know, here's my $50 or like a big point equivalent. All right, >>let's jump to >>the seven. We talked about 8.4 and the seven new attack vectors and you outline, You know, I think, uh, the top level themes I took from the summary, right? Weaponizing new attack vectors, leveraging mobile hot spots targeting compromised in point >>about the end points. I o t is >>like all the rage people have mess and five G's just rolling out, which is going to see this huge i o t expansion, especially in industrial and all these connected devices and factories in from that power people. How are people protecting those differently now, as we're getting to this kind of exponential curve of the deployment of all these devices, >>I mean, there are a lot of serious people thinking about how to protect individual devices, but infrastructure and large. So I'm not gonna go like, Hey, it's all bad, right? Is plenty back on it all to be the next number, like 17 and 17 as the number of architectures for which Amir, I mean, I was really popular, like in a bar right from a few years ago. That still exists. But over time, what's happened is people have reported Mirai to different architectures so that, you know, think of it like, you know, if you have your your refrigerator connected to the Internet, it comes. It's coming with a little board, has CPU on it like >>running a little OS >>runs and runs in the West on it. Well, there's a Mirai variant ready for that. Essentially, as new devices are getting deployed like, you know, there's, you know, that's kind of our observation that there's even as new CPUs are introduced, a new chips or even the West they're introduced. There's somebody out there. We're ready to port it to that very now, Like, you know, the next level challenges that these devices, you know, they don't often get upgraded. There's no real. 
In many cases, they're not like, you know, there's very little thought given to really kind of security around it. Right? There are back doors and, like default passwords used on a lot of them. And so you take this combination. I have a whole you know, we talk about, you know, large deployments of devices every year. So you have these large deployments and now, you know, bought is just waiting for ready for it Now again, I will say that it's not. It's not all bad, but there are serious people who were thinking about this and their devices that are deployed on private networks. From the get go, there was a VPN tunnel back to a particular control point that the the commercial vendor operates. I mean, there are things like that, like, hardening that people have done right, So not every device is gonna find its way into a botnet. However, like, you know, you feel like you're getting a toy like Christmas and against $20 you know, and it can connect to the Internet. The odds are nobody's >>thinking not well. The thing we've heard, too, about kind of down the i t and kind of bringing of operations technology and I t is. A lot of those devices weren't developed for upgrades and patches, and Lord knows what Os is running underneath the covers was a single kind of use device. It wasn't really ever going to be connected to the outside world. But now you're connecting with the I t. Suddenly exposing a whole host of issues that were never kind of part of the plan when whoever designed that thing in the first place for sure for sure is crazy. Alright, so that's that. Carpet bombing tactics, increased sector attack, availability. What is there's carpet bomb and carpet bombing generally? What's going on in this space? >>Well, so carpet bombing is a term that we applied a few years ago to a kind of a variation of attack which, like >>traditionally, you know, we see an attack >>against a specific I P address or a specific domain, right? That's that's where that's what I'm targeting. 
Carpet bombing is taking a range of API's and go like, you know, hey, almost like cycling through every single one of them. So you're so if your filters, if your defense is based on Hey, if my one server sees a spike, let me let me block traffic while now you're actually not seeing enough of a spike on an individual I p. But across a range there's a huge you know, there's a lot of traffic that you're gonna be. >>So this is kind of like trips people >>up from time to time, like are we certainly have defensive built for it. But >>now what? We're you know, it's it's really like what we're seeing is the use >>off Muehr, our other known vectors. We're not like, Okay, C l dap is a protocol feel that we see we see attacks, sealed up attacks all the time. Now what we're >>seeing is like C l >>dap with carpet bombing. Now we're seeing, like, even other other reflection application protocols, which the attack isn't like an individual system, but instead the range. And so that's that's what has changed. Way saw a lot of like, you know, TCP kind of reflection attacks, TCP reflection attacks last year. And then and then the novelty was that Now, like okay, alongside that is the technique, right? Carpet bombing technique. That's that's a pipe >>amounts never stops right? Right hard. We're out of time. I give you the final word. One. Where can people go get the information in this report? And more importantly, for people that aren't part of our is a matter that you know kind of observers or they want to be more spark. How should they be thinking about security when this thing is such a rapidly evolving space? >>So let me give you two resource is really quickly. There's this this >>report available Dub dub dub dub dot com slash threat report. That's that's that's what That's where this report is available on Google Next Threat report and you'll find your way there. 
We've also, you know, we made another platform available that gives you more continuous visibility into the landscape. So if you read this and like Okay, what's happening now? Then you would go to what we call Met Scout Cyber Threat Horizon. So that's >>kind of tell you >>what's happening over the horizon. It's not just like, you know, Hey, what's what am I seeing? What are people like me seeing maybe other people other elsewhere in the world scene. So that's like the next dot com slash horizon. Okay, to find >>that. And I think like between those two, resource is you get >>access to all of our visibility and then, you know, really, in terms of like, our focus is not just to drive awareness, but all of this knowledge is being built into our products. So the Net's got like arbor line of products. We're continually innovating and evolving and driving like more intelligence into them, right? That's that's really? How We help protect our customers. Right >>hearted. Thanks for taking a few minutes >>and sharing the story. Thank you. 18 Scary. But I'm glad you said it's not all bad. So that's good. >>Alright, he started. I'm Jeff. You're watching the Cube. We're at the RSA conference 2020 >>Mosconi. Thanks for watching. We'll see you next time. >>Yeah, yeah, yeah.
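The carpet-bombing pattern Hardik describes in the interview above, a flood spread across a whole address range so that no single destination crosses a per-host spike threshold, is what a detector that only aggregates per destination misses. The block below is an added example and not NETSCOUT or Arbor code; it compares that per-host detector with one that aggregates traffic per /24 and also looks at how many distinct hosts in the prefix were hit. The flow records, the RFC 5737 documentation prefixes and the thresholds are all constructed for the illustration.

```python
"""Carpet-bombing detection: per-destination thresholds vs. prefix aggregation.

Added example, not NETSCOUT/Arbor code. All flow records, addresses and
thresholds below are constructed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_network
from typing import Dict, List, Tuple

# One flow record per destination for a measurement interval: (dst_ip, bits per second)
Flow = Tuple[str, int]

# Constructed sample: traffic is spread over all hosts of 203.0.113.0/24 (an RFC 5737
# documentation prefix) at 0.8 Gbit/s each, so no single host crosses a 1 Gbit/s
# per-host threshold although the prefix as a whole receives ~203 Gbit/s.
SAMPLE_FLOWS: List[Flow] = [(f"203.0.113.{h}", 800_000_000) for h in range(1, 255)]
SAMPLE_FLOWS.append(("198.51.100.7", 50_000_000))  # an unrelated, normal-looking host

PER_HOST_THRESHOLD_BPS = 1_000_000_000     # classic single-target detector: 1 Gbit/s
PER_PREFIX_THRESHOLD_BPS = 5_000_000_000   # aggregate detector for a /24: 5 Gbit/s
MIN_DISTINCT_HOSTS = 16                    # "spread" signature: many hosts, each under threshold


def per_host_alerts(flows: List[Flow], threshold: int = PER_HOST_THRESHOLD_BPS) -> List[str]:
    """Return destinations whose own traffic exceeds the per-host threshold."""
    totals: Dict[str, int] = defaultdict(int)
    for dst, bps in flows:
        totals[dst] += bps
    return sorted(dst for dst, bps in totals.items() if bps > threshold)


def per_prefix_totals(flows: List[Flow], prefix_len: int = 24) -> Dict[str, Dict[str, int]]:
    """Aggregate traffic per /prefix_len network: total bps, distinct hosts, max per host."""
    per_host: Dict[str, int] = defaultdict(int)
    for dst, bps in flows:
        per_host[dst] += bps
    agg: Dict[str, Dict[str, int]] = {}
    for dst, bps in per_host.items():
        net = str(ip_network(f"{dst}/{prefix_len}", strict=False))
        entry = agg.setdefault(net, {"total_bps": 0, "hosts": 0, "max_host_bps": 0})
        entry["total_bps"] += bps
        entry["hosts"] += 1
        entry["max_host_bps"] = max(entry["max_host_bps"], bps)
    return agg


def carpet_bomb_alerts(flows: List[Flow], prefix_len: int = 24,
                       threshold: int = PER_PREFIX_THRESHOLD_BPS,
                       min_hosts: int = MIN_DISTINCT_HOSTS,
                       host_threshold: int = PER_HOST_THRESHOLD_BPS) -> Dict[str, Dict[str, int]]:
    """Flag prefixes whose aggregate is over threshold while every individual host
    stays under the per-host threshold and many distinct hosts are hit: the
    carpet-bombing pattern that per-host detection misses."""
    return {
        net: stats
        for net, stats in per_prefix_totals(flows, prefix_len).items()
        if stats["total_bps"] > threshold
        and stats["hosts"] >= min_hosts
        and stats["max_host_bps"] <= host_threshold
    }


if __name__ == "__main__":
    print("per-host alerts:", per_host_alerts(SAMPLE_FLOWS))        # []
    print("carpet-bomb alerts:", carpet_bomb_alerts(SAMPLE_FLOWS))  # flags 203.0.113.0/24 only
```

The per-host detector returns nothing for the sample because every destination sits below 1 Gbit/s, while the prefix detector reports 203.0.113.0/24 with 254 hosts hit and an aggregate of about 203 Gbit/s; the unrelated 198.51.100.0/24 stays quiet. In practice the prefix length and thresholds would be tuned per customer network, and a single-target flood still shows up in `per_host_alerts` rather than here.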
Michael DeCesare, ForeScout Technologies | RSA North America 2018
>> Announcer: From downtown San Francisco, it's theCUBE. Covering RSA North America 2018. >> Hey welcome back everybody, Jeff Frick here with theCUBE. We're at RSA North America 2018 in San Francisco. 40,000 plus people talking security, enterprise security, cloud security, a lot going on. It just continues to get more and more important. And we're really excited for our next guest who's been playing in the enterprise space for as long as I can remember, which has been a little while. Mike Decesare, he's the CEO and President of ForeScout. Mike, great to see you. >> Started my career off when I was one. (Jeff laughs) So, I've been in this for a long time. >> You have been in it a long time. So you guys now you're all about, right so there's so much stuff going on in security and security is one of these things that I have to look at it as kind of like insurance. You can't put every last nickel in security, but at the same time, you have to protect yourself. The attack surfaces are only growing with IIoT and we were at an autonomous vehicle show, and 5G is just coming around the corner, and all these connected devices and APIs. So you guys have a pretty unique approach to how you top level think about security called visibility. Explain that to us. >> So visibility is the next big thing in the world of cybersecurity and the dynamic is very basic. It's, for 20 plus years, CIOs and CSOs were substantially able to control everything that was on their network. You'd buy your servers and Windows machines and Blackberries for your employees and then there was very little tolerance for other devices being on those organization's networks. And what happened 10 years ago this year, with the birth of the iPhone was that CIOs, those same CIOs now had to deal with allowing things onto their network that don't subscribe to those same philosophies and when you can't buy it and outfit it with security before you put it into the environment. 
And that's the gap that ForeScout closes for organizations is we have an agentless approach which means we plug into the network infrastructure itself and we give customers visibility into everything that is connected to their network. >> So that begs a question, how do you do that without an agent? I would imagine you would put a little agent on all the various devices. So what's your technique? >> We actually don't. That's the secret sauce of the company is that >> okay >> you know over 10 years ago, we recognized this IoT trend coming because that's, that's the thing in the world of IoT is unlike the first kind o' 20 years of the internet, there was a substantially smaller number of operating systems, most of them open. The different characteristic about the current internet is that many of these use cases are coming online as closed proprietary operating systems. The example I use here is like your home. You know, you get a Nest thermostat and you put in on your network and it monitors, you know, heating and cooling but the device, the operating system, the application is all one consumer device. It doesn't run Windows. You can't install antivirus on you Nest thermostat. So our approach is we plug into the network infrastructure. We integrate to all of the network vendors, the firewall vendors, the wireless controlling vendors and we pull both active and passive techniques for gathering data off those devices and we translate that into a real-time picture of not just everything connected to the network but we know what those devices are without that client having to do anything. >> So you have what you call device cloud or yeah, ForeScout device cloud. So is that, is that a directory of all potential kind of universe of devices that you're querying off of or is that the devices within the realm of control of your of your clients directly? >> It's the second. 
It's the, so the way that our product works is we plug into the network infrastructure so anything that requests an IP address, whether is wired and wireless in the campus environment, whether it's data center or cloud in the data center environments or even into the OT space, anything that requests an IP address pops onto our radar the second it requests that address. And that cloud that we've built, that we've had for about nine months, we already have three million devices inside, almost three and a half million devices, is a superset of all of the different devices across our entire install base just from the clients that have been willing to share that data with us already. And that gives us optimism because what that becomes is a known set of fingerprints about all known devices so the first time that we discover a Siemens camera that might be a manufacturer, the company might have ten thousand of those in the environment, the first time that we see that device, we have to understand the pattern of traffic off that device, we label that as a security camera and any other customer world-wide that's has that same device connects, we instantaneously know it's a Siemens security camera. So we need the fingerprint of those devices once. >> Right, and so you're almost going to be like the GE Predix of connected devices down the road potentially with this cloud. >> We won't go there on that. >> He won't go there, alright. We've talked to Bill Ruh a lot of times but he does an interesting concept. The nice thing 'cause you can leverage from a single device and knowledge across the other ones which is so, so important on security so you can pick up multiple patterns, repeated patterns et cetera. >> One of the best parts about ForeScout is the fact that we deployed incredibly quickly. We have clients that have almost a million devices that got live in less than three months. 
And the reason we're able to do that is we plug into the infrastructure, and then our product kind o' does its own thing with very little effort from the client where we compare what we have in this repository against what they have in their environment. We typically get to an 80 or 90% auto-classification meaning that we know 80 or 90% of the time, not just what's on the network but what that device is and then the other 20% is where we have the implementation where we go through and we look at unique devices. It might be a bank has some model of ATM we've never seen before or a healthcare company has beds or machines on a hospital floor that we haven't recognized before. And the first time that we see each of those devices uniquely, we have to go through the process of fingerprinting it which means that we're looking for the unique pattern of traffic that's coming off a, you know, a router, a switch and a firewall and we're ingesting that and we're tagging that device and saying anytime we see that unique pattern of traffic, that's a certain device, a security camera or what have you. >> Right. >> The reason that's useful is then we get to put a policy in place about how those devices are allowed to behave on the network. So if you take something like the Mirai Botnet which hit about a year ago, was the thing that took down a big chunk of the Northeast, you know, utilities and you know, internet, it infected, it was a bot that infected security cameras predominantly. Nobody thought twice about having security cameras in their environment, but they're the same as they are in your house where you know, you put it online, you hit network pair and it's online. >> Right. >> But that bot was simply trying to find devices that had the default password that shipped from the security manufacturer and was able to be successful millions of times. 
And with our product in place, that couldn't happen because when you set us up, we would know it's a security camera, we'd put a policy in place that says security camera can speak to one server in the data center called the security camera server. And if that device tries to do anything more criminal, if it tries to dial the internet, if it tries to break into your SAP backend, any of those activities, we would give the customer the ability to automatically to take that device offline in real time. >> Right, so you're... >> And that's why our clients find us to be very useful. >> Right, so you're really segregating the devices to the places they're supposed to play, not letting 'em out of the areas they're supposed to be. Which is the >> Absolutely. >> Which is the classic kind of back door way in that the bad guys are coming in. >> Our philosophy is let everything onto the network. We take a look at that traffic. We give you a picture of all those devices and we allow each customer to put an individual policy in place that fences that in. If you take the other extreme like a Windows machine in a corporate environment, our typical policy will be you know, do you have Windows 2009 or later? 'Cause most customers have policies they don't want XP in their environments anymore. But we enforce it. So if an XP device hits the network, we can block that device or we can force a new version down. If you have Symantec, has it got a dat file update? If you've got Tenable, has it had a scan recently? If you've got, you know, any of the other products that are out there that are on those machines, our job is to enforce that the device actually matches the company's policy before that device is allowed in. >> Before you let it. Alright. >> And if at any time that it's on that network, it becomes noncompliant, we would take that device offline. 
>> You know, with the proliferation of devices and continuation growth of IoT and then industrial IoT, I mean, you guys are really in a good space because everything is getting an IP address and as you said, most of them have proprietary operation systems or they have some other proprietary system that's not going to allow, kind o' classic IT protections to be put into place. You've really got to have something special and it's a pretty neat approach coming at it from the connectivity. >> It's the secret sauce of the company is we recognized many years ago that the the combination of not just there being very few operating systems but they were all open. Windows, Lennox, right? I mean, you can buy a Windows machine and you can install any product you want on it. But we saw this trend coming when the next wave of devices was going to be massively heterogeneous and also in many cases, very closed. And you know, you mentioned the example of the OT space and that's one of the other, the third biggest driver for us in our business is the OT space because when you looking a WanaCry or a NotPetya and you see companies like Maersk and FedEx and others that are, that are publicly talking about the impact of these breaches on their earnings calls. What those companies are waking up and realizing is they've got 25 year old systems that have run, you know, an old version of Microsoft that's been end-of-life decades ago and the bad actors have proven very adept at trying to find any entry point into an organization, right, and the great news for ForeScout is that really lends itself very much towards our age-endless approach. I mean, many of these OT companies that we're in, devices that are in their manufacturing facilities don't even have an API. There were built so long ago so there's no concept of interacting with that machine. 
>> Right >> So for us, allowing that device to hit the Belden switches and then be able to interrogate the traffic coming off those switches let's us do the same thing that we do in the campus world over in the OT world as well. >> Good spot to be. So RSA 2018, what are ya looking forward to for this week? >> This is just massive in size. It's like speed dating. From a customer's perspective too, I mean, I meet so many customer's that come here and able to meet with 30 or 40 vendors in a single week and it's no different, you know, for the providers themselves so. You know, we've got some really, kind o' really high profile big wins, you know, it's very coming for us to be doing deals at this point that get up over a million devices so they're very high profile so it's a great chance to reconnect with customers. You know, one of the things I didn't mention to you is that kind o' the, the whole thing that we do of identifying devices and then understanding what they are and allowing those policies to get put in places, that's fundamentally done with our own IP, and the connections into the switch and firewall vendors. But we've built this whole other ecosystem of applications in the world of orchestration that set on top of our products. We integrate the firewall vendors, the vulnerability management vendors, the EDR vendors, the AV vendors, so it's a great chance for us to reconnect with you know, those vendors as well. In fact, we're doing a dinner tonight with CrowdStrike. They're one of our newer partners. Very excited about this week. It brings a lot of optimism. >> Well, great story Mike and excited to watch it to continue to unfold. >> We appreciate you giving us some time. >> Alright, thanks for stopping by. That's Mike Decesare. I'm Jeff Frick. You're watching theCUBE from RSA North America 2018. Thanks for watchin'. Catch you next time. (techno music)
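Mike's description above, of fingerprinting a device class once and then fencing each class into a policy (a security camera may talk only to the camera server and gets taken offline if it dials anything else; a Windows machine must be on a recent enough OS with current AV signatures before it is allowed in; anything unrecognized is held back), can be expressed as a small classification-plus-policy engine. The block below is an added example and not ForeScout's code or product logic; the fingerprint table, the devices, the addresses, the posture thresholds and the policy rules are all constructed for the illustration.

```python
"""Agentless-style device classification and per-class network policy.

Added example, not ForeScout code. The fingerprint table, devices, addresses,
posture thresholds and policy below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Device:
    ip: str
    mac_oui: str                      # vendor prefix of the MAC address (constructed values)
    open_ports: FrozenSet[int]        # what a passive/active probe observed on the wire
    dhcp_vendor: str                  # DHCP vendor-class string seen during address assignment
    os_year: Optional[int] = None     # posture data, only available for managed endpoints
    av_sig_age_days: Optional[int] = None


# Constructed fingerprint repository: (MAC OUI, DHCP vendor substring, ports that must be
# open) -> device class. A real repository holds many thousands of such patterns.
FINGERPRINTS: List[Tuple[str, str, FrozenSet[int], str]] = [
    ("AA-11-22", "cam", frozenset({80, 554}), "security-camera"),
    ("BB-33-44", "msft", frozenset({135, 445}), "windows-workstation"),
]

# Per-class policy: destinations the class may talk to; "*" means any destination.
# Classes with no entry (unknown devices) are quarantined until they are fingerprinted.
POLICY: Dict[str, Set[str]] = {
    "security-camera": {"10.0.5.10"},   # only the camera recording server (constructed address)
    "windows-workstation": {"*"},
}


def classify(dev: Device) -> str:
    """Match a device against the fingerprint repository; 'unknown' if nothing matches."""
    for oui, vendor_sub, ports, label in FINGERPRINTS:
        if (dev.mac_oui == oui
                and vendor_sub.lower() in dev.dhcp_vendor.lower()
                and ports <= dev.open_ports):
            return label
    return "unknown"


def posture_ok(dev: Device) -> bool:
    """Endpoint checks of the kind the interview mentions: OS recent enough and AV
    signatures fresh. Missing posture data counts as non-compliant (constructed limits)."""
    if dev.os_year is None or dev.os_year < 2009:
        return False
    if dev.av_sig_age_days is None or dev.av_sig_age_days > 7:
        return False
    return True


def decide(dev: Device, dst_ip: str) -> str:
    """Return 'allow', 'block', 'quarantine' or 'remediate' for one observed flow."""
    cls = classify(dev)
    allowed = POLICY.get(cls)
    if allowed is None:
        return "quarantine"      # never-seen device: fence it off until fingerprinted
    if cls == "windows-workstation" and not posture_ok(dev):
        return "remediate"       # known class but out of policy: push updates first
    if "*" in allowed or dst_ip in allowed:
        return "allow"
    return "block"               # e.g. a camera trying to reach the Internet


# Constructed sample inventory and flows.
CAMERA = Device("10.0.7.21", "AA-11-22", frozenset({80, 554}), "ACME-CAM-v2")
WORKSTATION = Device("10.0.9.5", "BB-33-44", frozenset({135, 445, 3389}), "MSFT 5.0",
                     os_year=2015, av_sig_age_days=2)
STALE_WORKSTATION = Device("10.0.9.6", "BB-33-44", frozenset({135, 445}), "MSFT 5.0",
                           os_year=2001, av_sig_age_days=40)
MYSTERY_BOX = Device("10.0.9.7", "CC-55-66", frozenset({22}), "unknown-vendor")

SAMPLE_FLOWS = [
    (CAMERA, "10.0.5.10"),        # camera -> its recording server
    (CAMERA, "203.0.113.9"),      # camera -> an Internet address (RFC 5737 documentation range)
    (WORKSTATION, "10.0.3.3"),
    (STALE_WORKSTATION, "10.0.3.3"),
    (MYSTERY_BOX, "10.0.3.3"),
]


def run_sample() -> List[Tuple[str, str, str]]:
    """Classify each sample device and decide its flow: (ip, class, decision)."""
    return [(dev.ip, classify(dev), decide(dev, dst)) for dev, dst in SAMPLE_FLOWS]


if __name__ == "__main__":
    for row in run_sample():
        print(row)
```

Running the sample gives allow for the camera talking to its recording server, block for the same camera reaching out to the Internet (the containment that would have stopped the Mirai-style behaviour Mike describes), allow for the compliant workstation, remediate for the one on an old OS with stale signatures, and quarantine for the unrecognized box. The enforcement step itself (VLAN change, ACL push, port shutdown) is where a real product plugs into the switch and firewall vendors; this example stops at the decision.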
James Stansberry, Samsung | Samsung Developers Conference 2017
>> Announcer: Live from San Francisco, it's theCUBE. Covering Samsung Developer Conference 2017. Brought to you by Samsung. (futuristic music) >> Okay, welcome back, everyone. Live here in San Francisco, this is theCUBE's exclusive coverage of Samsung Developer Conference, SDC 2017. I'm John Furrier, the co-founder of SiliconANGLE Media, co-host theCube. My next guest is James Stansberry. SVP, Senior Vice President general manager of ARTIK, IoT of Samsung, AR kid, art kid, whatever you want to call it, is the IoT piece key-note presenter today. Thanks for spending the time, thanks for coming on. >> It's my pleasure John. Thanks for having us. >> So we love the IoT story. We covered it heavily across all of our other shows we come to, but now as the edge of the network becomes human, and machines, you guys have the devices, you have the home, you have The SmartThings strategy. Everything's a device, it's everything to everything now. >> Most people think of Samsung as a consumer electronics company. What ARTIK actually is is an enabling platform to enable other devices. So we build an end-to-end IoT platform, which includes The Cloud. And today we re-branded it The SmartThings Cloud. Down into network devices. Gateways and end nodes. So we actually enable not just Samsung products, but we enable other companies' products to be connected to the Internet. Almost regardless of the market, not even consumer. >> Thomas Ko was on earlier talking about this open strategy, which is great, and he was very humble. He said look, we're going to be honest and transparent. This is the new Samsung way. We're going to (mumbles) the developers. We're going to be completely open. We're not going to try to lock you into Samsung, although we have some intelligence and tips and what not, which is cool. And I think that's going to play well with the developers. 
But you introduced something that was pretty compelling on stage, and this is to me, the key observation from theCUBE team, is the security module. Take us through specifically what you announced and what does it mean to the developer community and what is the impact? >> Okay, and before I do that, let me just talk about what's happening in security. We all know about Mirai and WannaCry and these things just keep happening. And in order for us to be able to stop these threats, we have to up the level of security. And what we announced today was an end-to-end security platform that utilizes the hardware that we supply, connected to our Cloud, and overlaying it on top of this hardware Cloud platform and abstracting it in such a way that is easy to implement. But it's an end-to-end security and it contains all the major components you need to be able to secure an IoT network, from basically down network. And I can explain it more if you'd like. >> Yeah, so down network means from the device. >> From The Cloud actually. >> Or from the device through The Cloud. The question that people will ask is, and this is where I'd love to get your explanation on is, they don't want silos. They want to have the horizontally scalable nature of The Cloud but they want the specialism of the IoT device. Some software. Could be an AR application. That could be a virtual interface into a cell tower or whatever but, being done we see those all the time, but I want a full stack, but I don't want to be locked in. So I want to move to something SmartThings over there. How do you guys enable that security end-to-end? >> It's really important. With the security, we don't create any proprietary solutions. As a matter of fact, if you look at how we've implemented it, we use third party partners and we use standards. For example, how we do a secure over the air update to an end-node device, we actually use a standard piece of software that's specified by a standard called LWM2M. 
Most people, embedded designers, will know what this is. We use a public key infrastructure. We use well known code signing capability. >> FPGA, kind of thing? Field-programmable gate arrays? >> No. In terms of the code signing I'm talking about, if I write a piece of code and I want to authenticate that it's the code that I wrote that is on the device a year from now, I'll create a hash, store the hash, when I boot it, I compare that hash and make sure that no one has modified it. By the way, it's a known hack. You're inserting bad, malicious code on a device. That's one of the things you want to avoid. The other thing we use is very standardized encryption. We use TLS. Part of the HTTPS standard. And in that we use very well known cryptography. The other thing we do is we create a hardware root of trust, using a secure element. These are the same devices that are used in smart cards today. It's not new science, it's just the smart way to do it to actually create a root of trust. >> What would you say to someone who's new to Samsung, maybe watching here today, who knows the Samsung brand 'cause you guys now are expanding a brand, across the platform and fabric of Samsung, you're seeing it here, in the smart home, kitchen examples, smart TVs. It's all over the place. There's no doubt what Samsung is. Explain the premise of the IoT strategy and what the goals are, what the objectives, and how does that relate to someone's impression of Samsung that they know. >> I'll maybe give some insight inside Samsung. Maybe people don't realize that we really are an IoT company in many ways because inside our factories, we use IoT to run our smart factories. So we actually are a consumer. We set the goal of connecting all of our devices by 2020. The consumer products. So in order to be, IoT is connected devices. 
What ARTIK does, is actually a platform, that is not necessarily consumer focused but brings IoT to markets like smart factories, commercial buildings, healthcare, home appliances. It's actually multi-faceted. And not just Samsung products. We enable devices that are non-Samsung to create their own ecosystem or connect to our ecosystem. >> So a headline on siliconANGLE.com today is timely for you and I put it in context because it might have a little bit more range on the IoT side but one of our managing editors, Paul Gillin, writes a story "Who owns the data from the 'internet of things'? "That's about to become a very big deal". So it's kind of provocative. Who owns the IoT data? That's about to become a big deal. I've read the article and what he's basically saying is you've got vehicles out there that are connected. You've got smart things everywhere now. >> [James Stansberry] That's a great question. >> And there's also what do you do with the data? Do you move compute to the data? Do you move data across the network? These are physics questions, these are architectural questions, that is the bigger scheme, maybe outside the scope of SDC, but lend a point or two to what's happening at the edge. >> So first of all, you have to define that data. (chuckles) Right? There's personally identifiable data and there's data that's been extracted from that. And I think that you're going to see some regulation around that, especially in Europe. Defining exactly what that is. From a Samsung perspective, I think it's pretty clear. We believe that the consumer owns the data. If we ever use it, it's being done with the consumer's permission. >> John Furrier: That's a very key word. >> Yeah. >> Permission based. >> Oh, of course. And I think that that's where most regulation's going to go and I think that's where the industry will generally go. >> That's what we're seeing in Europe. >> And that's personally identifying. >> Yeah, their information. 
But you also have to balance out the openness of data. This is the GPRS kind of debate, right, which is you want to have a strict policy to protect the person's data, at the same time, offer organic ways to provide a great user experience with the data. And you fuel the experience with data, but the protection, it's a hard problem. >> Okay, it's even more complicated because individually some people are more open about the consumption of their data than other people. And what that actually means is the individuals have to start to manage their data. And so what does that mean, everybody has a web portal that says I have, I give this level? I don't know. And so, that's actually one of the unanswered question is how does a consumer manage their own data and other peoples access to it. >> But we think, and our indications were looking at the future, we think this is where Blockchain is relevant. Not so much the bit currency like Bitcoin or Ethereum but Blockchain is an immutable, decentralized, not just distributed, decentralized (mumbles) >> One way to actually keep track of what they're allowing, but at some point they have to specify. (chuckles) And I think there's the trick. >> This is the fun part about tech is it looks a lot of promise, looks good off the tee as they say in golf, but there's off-chain and on-chain dynamics, in terms of mining, Bitcoin. >> In the meantime, I think, people are just going to opt in. >> Yeah. >> That's how they need to get permission. >> Where society is impacting, were seeing this big time with IoT, these are norms that are coming. This is a yet to be written chapter. >> Yeah. We're going to see. You mentioned GPRS and they are going to regulate it. There will be the people who have to manage it. We'll see how that works and we'll probably evolve from that. >> The Y2K problem of our generation because there's consequences to that regulation. >> Yep. It'll probably go as well as Y2K. Which didn't go bad! 
(chuckles) >> It's going to be disaster. I'll say it, it's going to be a disaster. It puts extra pressure on companies, especially ones that are using Cloud, so I think this would be an example where Samsung's SmartThings Cloud, might be helpful. This is the big security. Do we need a do-over? Probably yes. >> What we will do, is we will do everything we can to secure their data and, again, going back to if they chose to allow us, or to provide the data for someone to use it, then that's up to them. But we will do everything we can to secure it on the device, in the network, and in our Cloud. >> People have things. We're walking around with things like this. That's a device. It's a Samsung, it's a j phone (ahem). I got to get the better phones so I'm working on that today. We'll get the Samsung, great new phones. >> Yeah. >> That's entertainment. That's ecommerce. That's web services kind of rolled into one. That's essentially what The SmartThings is about, pretty much, right? >> It absolutely is. Absolutely is. On the consumer side, I would say. But I would say, IoT is more than just consumer. It's healthcare. It's in hospitals. It's in factories. It's going to be in your car. It's in autonomous vehicles. >> We coined the term here on theCUBE, I think I did, e to e. Everything to everything. >> Yes. >> B to b is boring to boring. Consumer to consumer is old. So you bring them together, it's everything to everything. Exciting to exciting. >> We describe our business model as b to b so I guess I'll take it! I'll own it! >> If you look at b to b marketing, I'm not picturing marketing, (laughs) look at Facebook. Their slogan was move fast, break stuff to move fast, make sure it's secure. Boring is secure. (chuckles) B to b is exciting. You got augmented reality. You got Cloud computing. I mean literally, unlimited potential compute power that's available through Cloud. It's certainly transformative for enterprises, so we think it's going to be pretty exciting. 
I personally think. I just don't like the b to b thing. But that's us. (laughter) Anything else you'd like to share with the audience here on the event here? Observations, what's your thoughts? >> By the way, I appreciate the opportunity. I think the really important thing here, and maybe Thomas mentioned this, is Samsung's integrating basically five Clouds together. And these are coming from mobile, from digital display, from digital appliances, to SmartThings, to ARTIK. Being a maker of devices, and then having this open ARTIK platform, really, I believe, is going to position Samsung in a very unique way in IoT. Not just for our own products, but for people to interact with our products and create new services. So I'm really excited about it. >> I think the ecosystem opportunity is big too. One of the things we're seeing in The Cloud community here in North America, and starting to see it in China with Alibaba, is hardware configurations are now being dictated by the workload. >> Yeah. >> So what's happening is hardware soft stacks, technology in hardware, are being configured. Storage might be configured differently based upon the legacy requirements, so now you have hardware stacks that haven't been tested at scale. This is a huge issue in enterprise. 'Cause if they have multiple clusters for say a data lake, and then a real time in memory cluster, who tested that? >> Yeah. >> This is where the opportunity on the hardware side is interesting. Any thoughts on that? >> Not necessarily on the data center side. I was actually thinking about on the network side, with compute moving to the edge, what we ended up having to do is we actually created ARTIK zeros. Which are these low compute, single protocol devices for end-node devices like lights. 
And then when RT357, which are dual processing core, quad-quad processing core, and octa processing core, just because of the variations in the type of computation that has to be done actually in the network because the application for IoT are from extremely low power to extremely high compute. In some cases, we see AI machine learning coming to the edge. That's just totally off the scale to inference (mumbles) >> You put the data center at the edge, at some point >> It's coming. >> It's coming. >> It's the tide. It's going to move up The Cloud, then it's going to come back down. >> No virtual machines, non-volatile memory at the edge, fabrics are going to be out there... Here's theCUBE, bringing you all the data here at SDC 2017 with James Stansberry, who's the Senior Vice President, general manager of Samsung IoT. I'm John Furrier. More cube coverage, after this short break. (futuristic music)
Derek Manky, Fortinet | CUBEconversation
(upbeat music) >> Welcome to a CUBEConversation. I'm Peter Burris with Wikibon SiliconAngle. I am having a great conversation today with Derek Manky, who's a global securities strategist at Fortinet. >> Yes sir. >> Lots to talk about, Derek. I don't want to be too topical here, but still, why don't you tell us exactly what a global security strategist does. >> Yeah. So, obviously I've got a global region. We're looking at the past, the present, and the future. When I say that, we're looking at past events, learning from security, we're looking at present events, reacting to them, trying to beat the bad guys to the punch, doing advanced research on darknet, but also looking at statistical trends and modeling, a lot like a weather forecast. So, we're doing modeling as to where threats in the future, based on our expertise, knowledge and, obviously, a global telemetry base of data. Billions and billions of data points we look at. >> Everybody knows that this is enormous, that security in the past informed the current, and we are all worried about the future, but let's talk about where we are right now. >> Derek: Sure, sure, yeah. >> What is the state of things in global cybersecurity? >> It's flashing red, unfortunately, we're in this state. And what I mean by this is, CSOs and the likes always have to look at flashing red on their dashboards. They're a lot like car alarms and we get so many events that are happening day in and day out and we need to start looking at them and prioritizing: How do we respond to these events? What's the severity level of these? What are these events? And the context around that and why it matters. We look at a lot of events that are happening today, obviously we get into the IoT world, that's here, mobile threats are here. 
We've gone from, just from one year ago, we had about 2% of the global attacks that we see were mobile, that number is reaching close to 10% now, so mobile threat activity is accounting for nearly 10% of all global activity that we're seeing. IoT is the next rising star that we're seeing in that as well. That's really the state that we're seeing. >> So, there's no really new normal in global cybersecurity, it's constantly changing, so give us an assessment and some insights into how the threat target is changing. What is the surface area and the surface attack area that we're worried about as we go forward? >> Sure. Up and to the right. What I mean by that is when I say that, we're seeing, obviously, volume increasing, and we're seeing the level of sophistication increasing in the threats as well. A lot more automated clever techniques are being put into threats. The attack surface is shifting into the IoT world, as I mentioned. Some of the top attacks we're seeing are CCTV cameras, which by the way, are not closed-circuit anymore, IP security cameras, we're looking at DVRs, consumer-grade routers, printers, all of these different devices now that are not just, obviously Windows-based as well. Because of that, the amount of volume of threats is increasing that attack surface, there's much more interconnectivity into these devices, which is a very large issue. We're dealing with a zero-patch environment now, as well. The reality is there's just not enough patches readily available for these devices too. And again, that comes back to the security strategy piece, we have to strategize. >> We're used to thinking about PCs being attacked, or servers being attacked, what happens if your router gets hacked in this way? Give us a little insight into how that propagates into a problem. >> Yeah, so worm-like activity, we look at a lot of, what I'm calling, shadow nets. These are IoT botnets. 
What I mean by that is you get a piece of code like Mirai, Hajime, there's also other flavors of this that we're seeing out there that basically look to propagate like a worm, spread from router to router, or different device to different device, plant malicious code. And then, once they have that, obviously, the device is compromised and it can be used for anything. It can be used for altering DNS traffic, hijacking credentials, it can be used to launch a DDoS attack, like we saw with Mirai last year, as well. It's also being used now for more sophisticated attacks, so we look at like the Hajime botnet. Unlike Mirai, which I would consider more of a non-intelligent botnet, it's just using brute force techniques, Hajime is using automated techniques to download new password lists and try different attacks using updated and dynamic intelligence that's being built into this automated code now as well. >> That sounds like it's an enormous amount of fun (laughs). We're talking mainly about devices at this point in time, but when we think about digital business, Wikibon likes to say that digital business is different from business in how a digital business uses data. And the idea that data is increasingly becoming an asset and is a differentiator for your business, especially in how you do things from an engagement standpoint. How is the idea of data as an asset and the need for these new threats, this new landscape, going to come together over the course of the next few years? >> Yeah, absolutely. That's a really good point, what you bring up. Data is highly sought after by these threats. The initial stage of attack is building infrastructure and that's been done. We talk about these IoT botnets as gaining a foothold into networks where data is either stored or in transit, especially on mobile. 
And when we look at how data is stored or in transit, often enough it's stored for too long, it's too persistent, it's not stored properly, it's not hashed or salted and these sorts of techniques, and it's often, it may be going to the wrong places, or giving permission to the wrong users. These threats now that have a foothold onto these devices, can easily scrape and use data, send to their command and control operators, botnet operators, and then that data, as you are very well aware, can be used multiple times. We're seeing this data used, obviously, sold through crime services, sold on data dumps, on darknet. It's being used for things like identity theft, money mules, and laundering. We worked on a case last year with the EFCC in Nigeria, and INTERPOL, that's the expert working panel I'm on, we took down a $60 million crime ring. The heart of that crime ring was money laundering and that all revolves around identity theft, as well, which is all data. >> Right. So, let's build on this a little bit because one of the things I think people frequently get wrong is they don't understand data as an asset and that a crucial feature of it is it can be copied, and can be applied in two places at once. Now, that has a lot of business implication, but let's talk about the security implication. If somebody steals my money, I immediately know that my money is gone. If somebody steals my data, I may not know that my data is gone because it can be copied, and it can be reapplied and reused and I may never know it. Now, we're looking at a recent breach here at a big supplier's credit services, 165 million accounts being hacked. That might have only taken five minutes to download the data associated with those 165 million accounts, but that was probably a persistent, a few months, or maybe years getting to that point. 
What does a business have to do differently, from a security standpoint, to actually be able to capture those smaller events that may not have immediate proximate damage, but lead to a big hack like this? >> Yeah, absolutely, that's a really good point. Obviously, the threat landscape is extremely volatile. There's a lot of different characteristics or features you have to look for in these attacks. You're completely right, most of these attacks we see can lay resident for months on networks. In fact, they want to lay as silent and as stealthy as possible. As I said, it's much more tricky today because threats are becoming more sophisticated to try to obfuscate into data flows and to try to remain silent on networks. What can be done, from an organization standpoint, is absolutely turning it around, looking at detection first. Threat intelligence, applying threat intelligence to detection. You need advanced threat intelligence to be able to find advanced threats. We're talking about solutions like SIEM, and so forth. Once you can see that threat activity on the network, that's key. Obviously, launching into incident response, how we deal with this, shut down that threat to mitigate the window because, otherwise, if you have a wide open window, obviously, more data is going to be leaked, the more data is leaked, the more damage and collateral damage is going to be done. >> And that's, still we're talking about consumers, which are problematic. But, when we start talking about critical infrastructure, we're talking about the social fabric itself. >> Yes. >> What new visibility, because Fortinet and auto research are on this, what visibility does Fortinet have into what's going on with some of the new critical infrastructure security--? >> Yeah, so looking at our threat landscape report, unfortunately, this is the normal still. 
I wouldn't say it's the new normal, in this case, because we're seeing 90% of organizations that are still facing attacks on application vulnerabilities that are three years or older. When we look at critical infrastructure, it is over nine times, if we look at all industries, and just compare critical infrastructure to that baseline, so we're nine times higher with the attacks on these application vulnerabilities. And so, the problem, unfortunately, with critical infrastructure, we're still seeing a lot of attacks on these IoT devices that are connected, the CCTV cameras, other things like that, that can be used as launchpads because they're not traditionally inspected by security. They're in a tough position with critical infrastructure, also healthcare, and ICU, critical care networks, because they're resistant to patch sometimes because if the patch is done, it could break. They have critical services and processes behind there that it could break it, but at the same time, what we're experiencing is that they're under rapid fire and if they don't patch, it's going to be much more damage done because we're seeing tremendous volume on the attacks to those vulnerable applications lying on the networks. >> We now have a situation where we're trying to secure our critical infrastructure, which affects everybody, individuals have to be more cognizant of the role that a breach in their home network or their IoT devices can play. Increasingly, we're thinking about: How do we start putting together the idea of brand trust and security? Talk a little bit about how security is going to enter into the lexicon of brand, brand preference, and starting with what brands are going to have to do to transmit their commitment to security. >> Yeah, so again, we're talking about digital assets, when it comes to that. I think when it comes to brand integrity, if we flashback 10 years, I think, people had a false sense of security. 
They wouldn't really think twice about where their data is going, how that data is stored, and so forth. But, now that we're seeing consumers having a direct impact, when there are these massive data breaches, I think consumers are finally starting to become much more security conscious. That mentality, switching from that false sense of security, is really going to start having them have that cyber hygiene and have that daily thought process of where's my data going and they should have this. Where is my data going? Who is storing that? What are their security practices? Being able to readily access that sort of information on security posture. I think it's going to be critical moving forward-- >> So, what is it? Because this is very complex stuff, there are a limited number of people in the world who understand this really deeply. You're one of them, obviously. What does a consumer, then, have to know about security to be able to make that type of assessment? Because that's going to lead to some new conventions that we can start to promulgate and diffuse for how to get smarter about things. Is there like one or two things that someone has to be really aware of right now, questions that they can ask to get to that point where you're saying that they could be, therefore, smarter about how to evaluate different brands? >> I think they really have to, just at a basic level, treat their identity, treat their information, like the keys to their car, or their keys to their house, and their family's. It has to be personal, and so they have to be able to understand that they have a part to play, but they also have to understand that if I walk into a house and I leave the keys on the table somewhere and walk out, that somebody else can still easily access that. As opposed to me putting the keys to my car in a locker when I'm somewhere else. 
That is what they have to understand is that their assets, where they store those assets, and how they transmit those assets, is ultimately going to come back and impact them. >> If Wikibon says that digital business is about a business using data differently, in a matter of respects about what we're talking about, is digital life is a recognition, an acknowledgement, that data is playing a different role in your life and being really, really clear about that as an asset in the way that you conduct yourself. >> Yeah. And I think moving forward, that's just going to become even more critical. As I said, we're going to have more and more, as I said, with the world of IoT coming now, there's going to be more and more impact on daily life, there are more transit points for those data to go to. >> But the reality is, even though you're right, people don't, we might have been saying, "What about digital security?" a number of years ago because it wasn't on the forefront of everybody's minds. There are things that people can do to be smarter about this, treat your digital identity as an asset and be careful about it, but the reality is, most of us aren't really going to be smart enough to really make good decisions in this regard, we're going to rely on automation. Also, as you said earlier, we know that the bad guys are doing more with automation. Even if automation is not the complete goal, how are we going to fight more automation, on the bad guys' side, as we try to have more people involved in these good digital security practices? >> Yeah, there's a couple of approaches to that. First of all, number one, there is a severe, this is not a surprise or news, but there's a severe shortage in cybersecurity professionals out there. As you said, not a lot of people understand this stuff deeply, especially when we get down to the consumer level. How can we arm them to defend against all of this automation that the black hats are doing? 
We need to fight automation with automation. We need defensive measures, we need scalable security solutions, interconnected security solutions, security solutions that integrate threat intelligence, as well, to be able to identify the different stages of these threats. And the key here is quickly reacting to that because these threats are moving so quickly from the black hats' side, automated defense layers need to be able to identify those aspects of the threats and then make decisions, this is the key part, make a decision. This is what I call actionable intelligence. A security solution that can make a decision on its own, it's what I refer to as an expert system, is what's required to be able to block those, so that the people who don't know anything about these threats and worse, respond to them too slowly, don't have to do those measures. This is the idea of having an integrated intelligent security fabric. >> And where are we going to get that? >> Our approach is the security fabric. This is the Fortinet security fabric where we can take integrated intelligence, scale it up and make automated decisions that humans, we don't have to get rid of the humans, but we can repurpose the humans for that nature. >> Derek, once again, great insight. I think we'll call it a wrap there. Once again, this has been a CUBEConversation. I'm Peter Burris, Wikibon, and Derek Manky, who's the global securities strategist at Fortinet. Derek you and I have had, a couple of times, have talked, and every time it's been really insightful. The work you guys do is absolutely essential in today's world, so thank you very much for doing that. >> Yeah, it's a pleasure, anytime. >> Until we have another opportunity to speak again, track CUBEConversations, let's get the signal out of the noise. (upbeat music)
John Smith, ExtraHop Networks - RSA 2017 - #RSAC - #theCUBE
(upbeat music)
>> Hey, welcome back everybody. Jeff Frick here with theCUBE. We're at the RSA Conference in downtown San Francisco. We're live, it's 40,000 people all talking about security, and we're excited for a first-time attendee of RSA. We're joined by John Smith, a solutions architect from ExtraHop Networks. Welcome, John.
>> Hey, thanks for having me.
>> Absolutely. So you said it's your first time to the RSA Conference? I'm just curious, kind of first impressions of the show?
>> Wow. Well, there's certainly a lot of people here. It's the biggest show I've ever been to. We've been to Synergy, HIMSS, a couple of them. I think HIMSS might have more people, but it certainly seems more crowded. People are more involved in the booths here, asking a lot of really good questions. A lot of ones and zeros people at the booth, so you really got to be on your toes (laughs) when you're talking to folks. (Jeff laughs)
>> All right, for the people that aren't familiar with ExtraHop, give us kind of the overview, what you guys are all about.
>> So we're a real-time IT analytics product that uses wire data to provide, at least in the security space, the biggest play we have is more around surveillance and visibility. One of the first two controls that SANS recognizes as being, that you need to secure your environment, is asset inventory and the ability to see what applications are running on those assets. A lot of the tools in the security industry try to engineer down to that, to try to give you that. That's one of the, a lot of security people will kind of name that as one of the more difficult things to get. We start there. So we are a wire data analytics, that's kind of the core of what we do, so we don't require any IP addresses, we don't, or, I'm sorry, we don't require any agents, we don't require any SNMP, any ping sweeps or anything like that. If it has an IP address, it can't hide from us. So that means whether it's an IoT device or a medical device that's been compromised, if it's someone who wants to work in the dark and they've got a NACL that's blocking people, the minute they communicate with someone else, they're made and they can't hide from us. So what we've seen in our, with our customer base, is kind of a burgeoning security practice where people are actually using the appliance more in a security use case, and that's probably our fastest-growing use case right now.
>> So what was the core of the business before? You said ExtraHop's been around for 10 years, but you're new here. What was kind of the core business before your security practice really grew?
>> So the core of the business, and, you know, there's three kind of major areas. There's, we generally use the wire as a data source. So we position the customer to interact directly with the wire and the data that's coming across it. So that can be break, fix, and performance of your different web applications from layer two up to layer seven. A lot of that is business intelligence. We had an online retailer that wanted to know, you know, the average income of people who filled out their credit app by ZIP code so that they could adjust pricing. That used to be a complicated OLAP job on the back end. We were able to give that to them in real time so that they could see, "Hey, people in this ZIP code make $300 a month more than people in this ZIP code, we can raise prices here." So business intelligence and break, fix, and performance are big ones, and then of course in the security place, or the security space, where we're able to provide full accountability for every single IP address on the network, has been very powerful.
>> Interesting. So you said you had some announcements that you guys are making here at the show?
>> Yeah, so we have, are announcing our SaaS offering, which is another, it's basically a machine-learning, a cloud-based machine-learning platform that allows us to do some anomaly detection without the need to, you know, a lot of your cloud-based anomaly detection tools require you to forward terabytes of data so that then they can look at it, analyze it, and then maybe an hour later you get some information that you've been breached or that there's a problem--
>> That, or a day.
>> Yeah, or, maybe, yeah.
>> Months and months and months.
>> Exactly. We're kind of unique in that we're able to, you know, what our Atlas program is able to essentially interrogate systems that are deployed around the world, currently around the U.S., it's a U.S. offering today, but basically we can interrogate those systems for any types of anomalies that happen. Actually, in the run-up to the offering, we had a customer that was able to reroute some traffic because they were able to see the Mirai botnet was starting to meddle with some of the performance of different parts of their infrastructure. So having the ability to be able to provide customers visibility into what's going on on their networks without the burden of making them FTP data up to you so that then you can evaluate it, one, you don't have the infrastructure burden of sending the data to you and the delay with that, but in addition to that, you're able to provide some real-time visibility. One of the things we've noticed is that the people who have the ability to interpret the data and to kind of parse and tell you when there is an anomaly, they're very overworked and they're spread really thin in a lot of their organizations. We augment that capability by doing some of that heavy lifting for them so that we can say, "Hey, did you know you have 1,000% increase in, you know, DNS traffic from this particular host?"
>> Right.
>> That type of visibility that you can do in real time, so that if you have multiple branches around the country, we can provide that visibility from one centralized location.
>> Yeah, it's all about the real time, right? Real time is in time, hopefully.
>> Real time, and really, the money is in the mash-up, right? We've had a lot of really, one of the things I've noticed over the years is threat intelligence has really matured, and I think that's great, but if you can't marry that with some of your own intelligence that's going on on your own networks, you know, the value is really a lot tougher to realize. If you can ad hoc or if you can engage in some ad hoc threat intelligence by leveraging a platform like ExtraHop that can do the evaluation and thread things like anomalous behavior, that makes your agility to deal with today's threats really, really, a lot more effective. Most threats, as you're probably aware, happen, I think 93% of them happen within a minute. Dealing with that with humans, dealing with that with logs, is, it's really, really tough to do. I love logs and I love humans, but if you can position yourself to engage in programmatically dealing with that, we see orchestration is becoming, you know, kind of an emerging technology, and we're uniquely positioned to be able to interact with any sort of orchestration engines, something like a Phantom, you know, things like that, where we can observe some actionable data, and then we have an open platform that can then integrate with the orchestration they're after.
>> All right. Well, John, that was a great summary. We're going to leave it there, thanks for stopping by. The money's in the mash-up, did I get it right?
>> John and Jeff: The money's in the mash-up.
>> Baby.
>> All right.
>> All right.
>> He's John Smith, I'm Jeff Frick. You're watching theCUBE from RSA.
>> Thank you.
>> Thanks for watching. (upbeat music)
Derek Manky, Fortinet | Fortinet Accelerate 2017
>> Narrator: Live from Las Vegas, Nevada, it's the Cube, covering Accelerate 2017, brought to you by Fortinet. Now here are your hosts, Lisa Martin and Peter Burris.
>> Hi, welcome back to the Cube, we are live in Las Vegas at Fortinet Accelerate 2017. I'm your host, Lisa Martin, joined by my cohost, Peter Burris, and we're really excited about our next guest. We are talking next with Derek Manky. Derek, you are-- first of all, welcome to the Cube.
>> Thank you very much, I'm excited to be here.
>> You have a really important role in Fortinet, you are the Global Security Strategist.
>> Correct, yes.
>> You have a... Established yourself as a thought leader with over 15 years of cyber security expertise, and your goal is to make a positive impact towards the global war on cyber-crime, that's a big goal.
>> That's a very, very big goal, but it's a big hairy goal, but it's... Critically important, I believe, I firmly believe this over my whole career, and I'm starting to see some good traction with the efforts that we're doing too.
>> And it's becoming more, and more, critical every day as breaches, and hacks, are a daily occurrence, you're also the leader of FortiGuard Labs, you've got a team of over 200, tell our viewers that can't be here today, what is FortiGuard Labs, what are you doing to leverage threat intelligence to help Fortinet's customers.
>> Sure, so we're trying to manage complexity, 'cause that's always the enemy of security, and we're trying to make it simple across the board, so we're managing security for all of our customers, 300,000 customers plus. That's a big deal, so we had to invest a lot into that in terms of how we can do that to make it simple to the end users. So what FortiGuard Labs is, is it's services we deliver to the end user, protection services across the spectrum, our whole product portfolio. So we have world-class expertise as a security vendor, 200 plus people on the team, experts in each domain. We have researchers, and experts, looking at things like industrial attacks, mobile problems, malicious websites, ripping apart, what we call reverse engineering, malware samples to find out digital fingerprints of who's creating these attacks, so we can work also in partnerships with that too. At the end of the day, we have the humans working on that, but we've also invested a ton into artificial intelligence, and machine learning, we have to comb through over 50 billion attacks in a day, and so the machines are also helping us to create a lot of this automated protection, that's all driven by our patents, by our world-class development teams, that gets down to the end user, so that they don't have to invest as much into their own security operations centers, 'cause that's a big OpEx, expansions to the expenditure, so we're helping to alleviate that issue, especially with this, as everybody knows, today, the big gap in cyber security, professionals, so that helps to alleviate that issue too.
>> You said 50 billion attacks a day.
>> That's correct sir, yes. Potential attacks.
>> Oh, potential attacks. Clearly that means that increasing percentages of the total body of attacks are no longer coming from humans, they're coming from other things,
>> Derek: Absolutely.
>> And how's that playing out?
>> It's a fascinating landscape right now. With every legitimate model, there's an illegitimate model to follow, especially with cyber crime, and what we see in the digital underground, dark web, all these sorts of things, you rewind back to the 90s, your opportunistic hacker was just trying to plot, plot, plot, a message bar on a Windows 95, or Windows 98 system at the time. Nowadays, of course, the attack surface has grown tremendously. You look back to DARPA, back in 1989, it had 60,000 systems connected on the Internet, now we have IPv6, 20 plus billion connected devices, everything is a target now, especially with the Internet of Things. Smart televisions--
>> Peter: And a potential threat.
>> Exactly, and a weapon.
>> Exactly, and so to capitalize on that, what we're seeing now is cyber criminals developing automated systems of their own, to infect these systems, to report back to them, so they're doing a lot of that heavy work, to the heavy lifting, using their own machines to infect, and their own algorithms to infect these systems, and then from there, it'll escalate back up to them to further capitalize, and leverage those attacks. On any given minute, we're seeing between 500,000 to 700,000 hacking attempts across, and this is our own infrastructure, so we're leading in terms of firewalls in units shipped so we're able to get a good grasp on intelligence out there, what's happening, and in any given minute, well over 500,000 hacking attempts on systems worldwide.
>> So every hour, 30 million.
>> Derek: Yeah that's some quick math.
>> Yeah, I'm amazing at multiplication. I almost got it wrong though, I have to say. 30 million hacks an hour.
>> Yeah, and so our job is to identify that, we don't want to block things we shouldn't be, so there has to be a very big emphasis on quality of intelligence as well, we've done a lot with our machines to validate attacks, to be able to protect against those attacks, and not, especially when it comes to these attacks like intrusion prevention, that attack surface now, we got to be able to not just look at attacks on PCs now, so that's why that number keeps ticking up.
>> Lisa: Right, proliferation of mobile, IoT.
>> Derek: It's directly related, absolutely.
>> So, this is clearly something that eyeballs are not going to solve.
>> Not alone, so I'm a very, very big advocate saying that we cannot win this war alone, just relying even on the brightest minds in the world, but we can also not just rely a hundred percent on machines to control, it's just like autonomous vehicles. You look at Tesla, and these other vehicles, and Google, what they're doing, it's a trust exercise again, you can never pass a hundred percent control to that automation. Rather you can get up to that 99th percentile with automation, but you still need those bright minds looking at it. So to answer your questions, eyeballs alone, no, but the approach we've taken is to scale up, distribute, and use machines to identify it, to try to find that needle in a haystack, and then, escalate that to our bright minds, when we need to take a look at the big attacks that matter, and solve some more of the complex issues.
>> Speaking of bright minds, you and your team, recently published an incredible blog on 2017 predictions. Wow, that's on the Fortinet blog?
>> Derek: Yeah, that's correct.
>> We can find that? Really incredibly thorough, eye-opening, and there were six predictions, take us through maybe the top three. We talked about the proliferation of devices, the attack surface getting larger, more and more things becoming potential threats, what are the top three, maybe biggest threats that you were seeing, and is there any industry, in particular, that pops up as one of the prime targets?
>> Absolutely. I'll get into some buckets on this, I think first, and foremost, what is primary now in what we're seeing is, what we're calling, autonomous malware, so this is the notion of, basically what we're just talking about to your question on what's driving this data, what's driving all these attack points. First of all, the Internet's been seeded with, what I call, ticking time bombs right now, we have 20 plus, whatever the number's going to be, all of these billions of devices that are connected, that are inherently, in my professional opinion, insecure. A lot of these devices are not following proper security development life cycles.
>> Lisa: Is there accountability to begin with?
>> No, not at this point.
>> Right.
>> Right. And that's something that DHS, and NIST, just released some guidelines on, at the end of last year, and I think we're going to see a lot of activity on accountability for that, but that has to be taken care of. Unfortunately right now, it's been seeded, this attack surface is there, so we already have all these open avenues of attack, and that's why I call it a ticking time bomb, because it's been seeded, and now these are ripe for attack, and we're seeing attackers capitalize on this, so what we're seeing is the first indications of autonomous malware, malware that is capable of mapping out these vulnerable points. The machine's doing this, and the machine's attacking the other machines, so it's not just the eyeballs then, and the cyber criminals doing this. We saw last year, unprecedented DDoS attacks, this is directly related to Mirai botnet. We had gone from a 600 gig to terabit-plus DDoS attacks, that was unheard of before. They are leveraging all of these different IoT devices as a horsepower to attack these systems in a massive distributed denial-of-service attack. The interesting part about Mirai is that it's also using open-source intelligence as well, so this is something that humans, like a black hat attacker, would typically have to do, they would have to get reports back from one of their systems, and say, "okay, now I've found all these vulnerable systems, I'm going to attack all these systems.", but they're the glue, so they're now removing themselves as the glue, and making this completely automated, where a botnet like Mirai is able to use Shodan, as an example, it's an open-source database, and say, "here are a whole bunch of vulnerable systems, I'm going to go attack it," and so that's to my point of view, that's the first indication of the smart-malware, because malware has always been guided by humans. But now, I think, we're starting to see a lot of, more of that intelligent attack, the offense, the intelligent offense being baked into these pieces of malware. So I think it's going to open this whole new breed of attacks and malware, and obviously, we're in a whole new arms race when it comes to that. How can we get ahead of the bad guys, and so this is obviously what Fortinet is instituting on the autonomous defense, our Security Fabric, and Fabric-ready approach, that's all about, beating them to the punch on that, having our machines, the defensive machines talk to each other, combine world-class intelligence like FortiGuard so that it can defend against those attacks, it's a tough task, but I really firmly believe that this year is a year that we have the advantage, we can have the advantage as white hats to get one leg up on the black hat attackers. As I said, for 15 years at FortiGuard Labs, we have invested a ton into our AI machine, learning intelligence, so we're experts on the automation, I don't believe the black hat attackers are experts on automation. So I think for that reason, we have a really good opportunity this year, because you always hear about the black hats, another data breach, and all these things happening, they've always had the advantage, and I think, we can really turn the tables this year.
>> You have some great experience working, not just in the private sector, but in the public sector as well, you've done work with NATO, with Interpol, with CERT, what is your perspective on public sector, and private sector, working together, is that essential to win this war on cyber crime?
>> Absolutely, we need everybody at the table, we cannot win it, as one single vendor alone, a good example of that is, we're starting to do across the board, this is something, I firmly believe in, it's really near and dear to my heart, I've worked on it for the course of, well over six years now, and we have a lot of the existing partnerships, across organizations, so other security vendors, and experts, Cyber Threat Alliance is an excellent example, we're a founding member of that, and these are competitors, but security vendors getting together to level the playing field on intelligence, we can still really remain competitive on the solutions, and how we implement that intelligence, but at least-- it's like a Venn diagram, you look at that attack surface out there, you want to try to share all that information, so that you can deliver that to security controls, and protect against it. So, the Cyber Threat Alliance is a good example, but that's private sector. If you look at National Computer Emergency Response, law enforcement, we have made great inroads into that working with the likes of Computer Emergency Response, to give them intel. If we find bad stuff happening somewhere, we're not law enforcement, we can't go take the server down, and disrupt campaign, we can't arrest, or prosecute people, but they can, but they don't have all that expertise, and intelligence that we do, all the data points, so this is, you're starting to see a lot of this string up, and we're doing a lot of leadership in this area, and I think, it's absolutely essential. President Obama last year mentioned it, the Cyber Threat Alliance, and the public-private sector, needing to work together in one of his speeches at Stanford, and I believe it's the only way we can win this. You have to go up to the head of the snake too, if we just are always on the defense, and we're always just trying to disrupt cyber criminals, it's a slap on the wrist for them, they're going to go set up shop somewhere else. We need to be able to actually go and prosecute these guys, and we had a really good case last year, we took down, working with Interpol, and the EFCC, a 62 million dollar crime ring in the US. They went, and prosecuted the kingpin of this operation, out of Nigeria. It's an unprecedented random example, but we need to do more of that, but it's a good example of a healthy working public-private sector relationship.
>> What an incredible experience that you have, what you have achieved with FortiGuard Labs, what excites you most, going forward, we're just at the beginning of 2017, with what's been announced here, the partnerships that you guys have formed, what excites you most about this year, and maybe... Some of the key steps you want to take against cyber crime as Fortinet.
>> Sure, so I think we want to, so Cyber Threat Alliance is a very big machine, there's a lot of exciting things happening, so that's going to be a really good initiative, that's going to carry forward momentum this year. What excites me most? Well, it's not always a good thing I guess, but if you look at all the bad news that's out there, like I said, I think it's just going to be, there's so much fuel, that's being thrown on the fire when it comes to attacks right now. Like I said, these time bombs that have been planted out there. We're going to see the year of IoT attacks for sure, a new version of Mirai has already come out, they're starting to sell this, commercialize this, and it's even more advanced in terms of intelligence than the previous one, so that sort of stuff. It depends on your definition of the word, excites, of course, but these are the things that we have opportunity, and again I think going back to my first point, the white hats having, for the first time in my point of view, a leg up on the black hats, that opportunity, that really excites me. When we look at what's happening, moving forward in 2017, healthcare, I think, is going to be a very big thing in terms of attack targets, so we're going to be focused on that, in terms of attacks on, not just healthcare records, which are more valuable than financial records as an example, but medical devices, again the IoT play in healthcare, that's a big deal, we're starting to already see attacks on that. Smart cities as well, you look forward to the next three years, building management systems, a lot of people talk about SCADA industrial control, this is definitely a big attack target to a certain... Attack surface, obviously, power plants, electrical grids, but building management systems, and these automated systems that are being put in, even smart vehicles, and smart homes is another big target that's unfolding over the next year.
>> Hard to air gap a home, and certainly not a city.
>> Absolutely, yeah, and again it goes back to the point that a lot of these devices being installed in those homes are inherently, insecure. So that's a big focus for us, and that's a big thing FortiGuard is doing, is looking at what those attacks are, so we can defend against that at the network layer, that we can work with all of our business partners that are here at Accelerate this year, to deliver those solutions, and protect against it.
>> Wow, it sounds like, and I think Peter would agree, your passion for what you do is very evident, as those bad actors are out there, and as the technologies on the baton are getting more advanced, and intelligent, as you say, it's great to hear what you, and your team are doing to help defend against that on the enterprise side, and one day on the consumer side as well. So Derek Manky, Global Security Strategist for Fortinet, thank you so much for joining us on the Cube and sharing your expertise with us.
>> It's my pleasure, any time, thank you very much.
>> Well, on behalf of my cohost, Peter Burris, I'm Lisa Martin, you've been watching the Cube, and stick around, we'll be right back. (electronic music)