Thomas Bienkowski, Netscout | Netscout Advanced NDR Panel 7 22
>>EDR, NDR: what are the differences, which one's better? Are they better together? Today's security stack contains a lot of different tools and types of data and, unfortunately, as you know, this creates data silos, which leads to visibility gaps. EDR is endpoint detection and response. It's designed to monitor and mitigate endpoint attacks, which are typically focused on computers and servers. NDR, network detection and response, on the other hand, monitors network traffic to gain visibility into potential or active cyber threats, delivering real-time visibility across the broader network. One of the biggest advantages that NDR has over EDR is that bad actors can hide or manipulate endpoint data pretty easily. Network data, on the other hand, is much harder to manipulate, because attackers and malware can avoid detection at the endpoint. NDR, as you're gonna hear, is the only real source for reliable, accurate, and comprehensive data.
>>All endpoints use the network to communicate, which makes your network data the ultimate source of truth. My name is Lisa Martin, and today on this special theCUBE presentation, Tom Bienkowski, senior director of product marketing at Netscout, and I are gonna explore the trends and the vital reasons why relying upon EDR is not quite enough. We're also gonna share with you the growing importance of advanced NDR. Welcome to the series, the growing importance of advanced NDR. In the first segment, Tom's gonna talk with me about the trends that are driving enterprise security teams to implement multiple cybersecurity solutions that enable greater visibility, greater protection. We're also gonna explore Gartner's concept of the security operations center, SOC, visibility triad, and the three main data sources for visibility: SIEM, EDR and NDR. In segment two, Tom
and I will talk about the role of NDR and how it overcomes the challenges of EDR. As Tom's gonna discuss, and as you'll hear, EDR is absolutely needed, but as he will explain, it can't be solely relied upon for comprehensive cybersecurity. And then finally, we'll come back for a third and final segment to discuss why not all NDR is created equal. Tom's gonna unpack the features and the capabilities that are most important when choosing an NDR solution. Let's do this. Here comes our first segment.
>>Hey, everyone, kicking things off. This is segment one. I'm Lisa Martin with Tom Bienkowski, senior director of product marketing at Netscout. Welcome to the growing importance of advanced NDR. Tom, great to have you on the program.
>>Glad to be here.
>>So we're gonna be talking about the trends that are driving enterprise security teams to implement multiple cybersecurity solutions that really enable greater visibility and protection. And there are a number of factors that continue to expand the attack surface for enterprise networks. I always like to think of them as kind of spreading amorphously. You had shared some stats with me previously, Tom, some cloud adoption stats for 2022: 94% of all enterprises today use a cloud service, and more than 60% of all corporate data is stored in the cloud. So, Tom, what are some of the key trends that Netscout is seeing in the market with respect to this?
>>Yeah, so just to continue that, you know, those stats, that migration of workloads to the cloud is a major trend that we're seeing, and that was exacerbated by the pandemic, right, along with working from home. Those two things are probably the most dramatic changes that we see out there today. But along with that is also this growing sophistication of the network. You know, today your network environment isn't a simple hub and spoke or something like that.
It is a very sophisticated combination of, you know, high-speed backbones, potentially up to a hundred gigabits, in combination with partner networks. You have, like we said, workloads up in private clouds, public clouds. So you have this hybrid cloud environment. And then you have applications that are multi-tiered, there are pieces and parts. And in all of that, some on your premises, some up in a private cloud, some on a public cloud, some actually pulling data off of a customer network or potentially even a partner network. So a really, really sophisticated environment today. And that's requiring this need for very comprehensive network visibility, not only for cybersecurity purposes, but also just to make sure that those applications and networks are performing as you have designed them.
>>So when it comes to gaining visibility into cyber threats, you talked about the sophistication, and it sounds like even the complexity of these networks. Gartner introduced the concept of the security operations visibility triad, or the SOC visibility triad. Break that down for us. It consists of three main data sources, but break those three main data sources down for us.
>>Sure. So Gartner came out a few years ago where they were trying to, you know, summarize where security operations teams get visibility into threats, and they put together a triad. The three sides of the triad consist of: one, the SIEM, security information and event manager; two, the endpoint, or data that you get from EDR systems, endpoint detection and response systems; and the third side is the network, or the data you get from network detection and response systems. And, you know, they didn't necessarily say one is better than the other. They basically said that you need all three in order to have comprehensive visibility for cybersecurity purposes.
>>So all three perspectives are needed.
Talk about what each provides. What are the different perspectives on threat detection and remediation?
>>Yeah. So let's start with the SIEM. You know, that is a device that is gathering alerts or logs from all kinds of different devices all over your network, be it routers, servers, you know, firewalls, IDS, or even from endpoint detection and network detection devices too. So it is the aggregator or consumer of all those alerts. The SIEM is trying to correlate those alerts across all those different data sources and trying the best it can to bubble up potentially the highest priority alerts, or drawing correlations and giving you some guidance on, hey, here's something that we think is really of importance or high priority. Here's some information that we have across these disparate data sources. Now go investigate. The disadvantage of the SIEM is that's all it gives you, just these logs or information. It doesn't give you any further context, like what happened, what is really happening at the endpoint? Can I get visibility into the files that were potentially manipulated, or the registry setting, or what happened on the network? Can I get visibility into the packet data or things like that? So that's where it ends. And that's where the other two sides of the equation come in. The endpoint will give you that deeper visibility, endpoint detection and response. It will look for known and/or unknown threats, you know, at that endpoint. It'll give you all kinds of additional information that is occurring on the endpoint, whether it be a registry setting, in memory, on the file, et cetera. But you know, some of its disadvantages: it's really difficult to deploy pervasively because it requires an agent, and, you know, not all devices can accept an agent. But what is lacking is the context on the network.
>>So if I was an analyst and I started pursuing from my SIEM, I went down to the endpoint and said, I wanna investigate this further. And I hit a dead end of some sort, or I realize that the device that potentially I should be alerted to, or should be concerned about, is an IoT device that doesn't even have an agent on it. My next source of visibility is on the network, and that's where NDR comes in. It sees what's traversing the entire network, provides you visibility into that from both a metadata and even, ultimately, a packet perspective. And maybe, you know, it could be deployed a little bit more strategically, but you know, it doesn't have the perspective of the endpoint. So you can see how each of these sort of complements each other. And that's why, you know, Gartner said that you need 'em all, that they all play a role. They all have their pros and cons, or advantages and disadvantages, but, you know, bringing them and using 'em together is the key.
>>I wanna kinda dig into some of the EDR gaps and challenges, as you talked about, as things evolve and change. The network environment's becoming far more sophisticated, and so are threat actors and malware. So can you crack that open more on some of the challenges that EDR is presenting? What are some of those gaps, and how can organizations use other data sources to solve them?
>>Yeah, sure. So, you know, again, just to be clear that EDR is absolutely required, right?
We need that, but as sort of these network environments get more complex, you're getting all kinds of new devices being put on the network, devices being brought into the network that maybe you didn't know of, BYOD devices, you have IoT devices, you know, popping up potentially by the thousands in some cases, or new applications that maybe can't accept an endpoint detection or an EDR agent. You may have environments like ICS and SCADA environments where you just can't put an endpoint agent there. However, those devices can be compromised, right? You have different environments up in the cloud or SaaS environments, again, where you may not be able to deploy an endpoint agent, and all that together leaves visibility gaps, or gaps in the security operations triad. Right. And that is basically an open door for exploitation.
>>Open door. Go ahead. Sorry.
>>Yeah. And then you just have the malware and the attackers getting more sophisticated. They have malware that can detect an EDR agent running or some anti-malware agent running on a device. And they'll simply avoid that and move on to the next one, or they know how to hide their tracks, you know, whether it be deleting files, registry settings, things like that. You know, so that's another challenge that just an agent faces. Another one is there are certain applications like MySQL that, you know, have administrative rights into certain parts of the Windows operating system that EDR doesn't have visibility into. Another area that maybe EDR may not have visibility into is, you know, malware that tries to compromise, you know, hardware, especially like BIOS or something like that. So there's a number of challenges as sort of the whole network environment and sophistication of bad actors and malware increases.
>>Ultimately, I think one of the things that we've learned, and we've heard from you in this segment, is that doing business in today's digital economy demands agility. Table stakes, right? Absolutely essential. Corporate digital infrastructures have changed a lot in response to the dynamic environment, but as businesses are racing to the cloud, Dave Vellante likes to call it the forced march to the cloud, expanding activities across this globally distributed digital ecosystem, they also, it sounds like, need to reinvent cybersecurity to defend this continuously expanding threat surface. And for that, comprehensive network visibility is, as I think you were saying, really, really fundamental, and more advanced network detection and response is required. Is that right?
>>That's correct. You know, we at Netscout, this is where we come from. Our perspective is the network. It has been for over 30 years. And we, as well as others, believe that network visibility, comprehensive network visibility, is fundamental for cybersecurity as well as network performance and application analysis. So it's sort of a core competency or need for modern businesses today.
>>Excellent. And hold that thought, Tom, 'cause in a moment, you and I are gonna be back to talk about the role of NDR and how it overcomes the challenges of EDR. You're watching theCUBE, the leader in enterprise tech coverage. Hey everyone, welcome back. This is segment two, kicking things off. I'm Lisa Martin with Tom Bienkowski, senior director of product marketing at Netscout. Tom, great to have you back on the program.
>>Good to be here.
>>We're gonna be talking about the growing importance of advanced NDR in this series. In this segment specifically, Tom's gonna be talking about the role of NDR and how it overcomes the challenges of EDR.
So Tom, one of the things that we talked about previously is one of the biggest advantages that NDR has over EDR is that bad actors can hide or manipulate endpoint data pretty easily, whereas network data is much harder to manipulate. So my question, Tom, for you is, is NDR the only real source for reliable, accurate, comprehensive data?
>>I'm sure that's arguable, right? Depending on who you are as a vendor. But you know, our answer is yes. NDR solutions also bring an analyst down to the packet level. And there's a saying, you know, the packet is the ultimate source of truth. A bad actor cannot manipulate a packet once it's on the wire. They could certainly manipulate it from their endpoint and then blast it out, but once it hits the wire, that's it, they've lost control of it. And once it's captured by a network detection or network monitoring device, they can't manipulate it. They can't go into that packet store and manipulate those packets. So the ultimate source of truth lies within that packet somewhere.
>>Got you. Okay. So as you said in segment one, EDR is absolutely necessary, right? But you did point out organizations can't solely rely on it for comprehensive cybersecurity. So Tom, talk about the benefits of this complementing, this combination of EDR and NDR, and how can that deliver more comprehensive cybersecurity for organizations?
>>Yeah, so one of the things we talked about in the prior segment was where EDR maybe can't be deployed, and it's either on different types of devices like IoT devices, or even different environments. They have a tough time maybe in some of these public cloud environments, but that's where NDR can step in, especially in these public cloud environments. So I think there's a misconception out there that it's difficult to get packet-level or network visibility in public clouds like AWS or Azure or Google and so on. And that's absolutely not true.
They have all kinds of virtual tapping capabilities that an NDR solution or network-based monitoring solution could take advantage of. And one of the things that we spoke about before, some of those growing trends of migrating workloads to the cloud, that's what's driving those virtual networks or virtual taps, providing visibility into the performance and security of those workloads as they're migrated to public clouds. NDR can also be deployed more strategically. You know, in the prior segment we were talking about how, in order to gain pervasive visibility with EDR, you have to deploy an agent everywhere, and agents can't be deployed everywhere. So what you can do with NDR is there's a lot fewer places in a network where you can strategically deploy a network-based monitoring device to give you visibility into not only that north-south traffic, so what's coming in and out of your network, but also the east-west traffic too, traffic traversing, you know, within your network environment between different points of your multi-tiered application, things like that. So that's where, you know, NDR has a little bit more advantage. So fewer points in the network, if you will, than everywhere on every single endpoint. And then, you know, NDR is out there continuously gathering network data, before, during, and even after a threat or an attack is detected. And it provides you with this network context of, you know, what's happening on the wire. And it does that through providing you access to, you know, layer two through layer seven metadata, or even ultimately packets. You know, the bottom line is simply that, you know, NDR is providing, as we said before, that network context that is potentially missing, or is missing, in EDR.
>>Can you talk a little bit about XDR? That kind of sounds like a superhero name to me, but this is extended detection and response, and this is an evolution of EDR. Talk to us about XDR, and maybe how EDR, NDR, XDR is really delivering that comprehensive cybersecurity strategy for organizations.
>>Yeah. So, you know, it's interesting. I think there's a lot of confusion out there in the industry. What is XDR, what is XDR versus an advanced SIEM, et cetera. So in some cases, there are some folks that don't think it's just an evolution of EDR. You know, to me, XDR is taking a look at all these disparate data sources. So going back to our first segment, we talked about the security operations center triad, and it has data from different perspectives, as we were saying, right? And XDR, to me, is trying to bring them all together, all these disparate data sets or sources, bring them together, conduct some level of analysis on that data for the analyst, and potentially, you know, float to the top the most important events, or events that the system deems high priority or most risky and so on. But as I'm describing this, I know there are many advanced SIEMs out there trying to do this today too. Or they do do this today. So there's this little area of confusion around, you know, what exactly is XDR, but really it is just trying to pull together these different sources of information and trying to help that analyst figure out, you know, where's the high priority event that they should be looking at.
>>Right. Getting those high priority events elevated to the top as soon as possible. One of the things that I wanted to ask you about was something that occurred in March of this year, just a couple of months ago, when the White House released a statement from President Biden regarding the nation's cybersecurity. It included recommendations for private companies.
I think a lot of you are familiar with this, but the first set of recommendations were best practices that all organizations should already be following, right? Multifactor authentication, patching against known vulnerabilities, educating employees on phishing attempts and how to be effective against them. And the next statement in the president's release focused on data safety practices, also stuff that probably a lot of corporations are doing: encryption, maintaining offline backups. But where the statement focused on proactive measures companies should take to modernize and improve their cybersecurity posture, it was vague. It was, deploy modern security tools on your computers and devices to continuously look for and mitigate threats. So my question to you is, how do you advise organizations do that? Deploy modern security tools, look for and mitigate threats, and where do the data sources, the SOC triad that we talked about, NDR, XDR, EDR, where do they fit into helping organizations take something that's a bit nebulous and really figure out how to become much more secure?
>>Yeah, it was definitely a little vague there with that sentence. And also, I think if you look at the sentence, deploy modern security tools on your computers and devices, right, it's missing the network, as we've been talking about. There's a key point of reference that's missing from that sentence. Right. But I think what they mean by deploying modern security tools is really taking advantage of all these ways to gain visibility into, you know, the threats, like we've been talking about. You're deploying advanced SIEMs that are pulling logs from all kinds of different security devices and/or servers, et cetera. You're deploying advanced endpoint detection systems, advanced NDR systems,
and so on. You're trying to utilize XDR, new technology, to pull data from all those different sources and analyze it further. And then, you know, the other one we haven't even mentioned yet, it was the SOAR, security operations automation and response, right? Now what do we do? We've detected something, but now help me automate the response to that. And so I think that's what they mean by leveraging modern, you know, security tools and so on.
>>When you're in customer conversations, I imagine they're coming to Netscout looking for advice, like what we just talked through, the vagueness in that statement and the different tools that organizations can use. So when you're talking to customers and they're talking about, we need to gain visibility across our entire network, across all of our devices, from your perspective, from Netscout's perspective, what does that visibility actually look like and deliver across an organization that does it well?
>>Yeah, I mean, I think the simple way to put it is you need visibility that is both broad and deep. And what I mean by broad is that you need visibility across your network, no matter where that network may reside, no matter what protocols it's running, what, you know, technologies, is it virtualized or legacy, running at a hundred gigabits? Is it in a private cloud, a public cloud, a combination of both? So that broadness, meaning wherever that network is or whatever it's running, that's what you need visibility into. It has to be able to support that environment. Absolutely. And when we talk about being deep, it has to get down to a packet level. It can't be, you know, as high as, say, just looking at NetFlow records or something like that. They are valuable, they have their role.
However, you know, when we talk about getting deep, it has to ultimately get down to the packet level, and we've said this this entire time, that it's ultimately that source of truth. So that's what I think we need.
>>Got it. That depth is incredibly important. Thanks so much, Tom, for talking about this. In a moment, you and I are gonna be back, we're gonna be talking about why not all NDR is created equally, and Tom's gonna actually share with you some of the features and capabilities that you should be looking for when you're choosing an NDR solution. You're watching theCUBE, the leader in enterprise tech coverage.
>>Welcome back everyone. This is segment three. I'm Lisa Martin with Tom Bienkowski, senior director of product marketing at Netscout. Welcome back to the growing importance of advanced NDR. In this segment, Tom and I are gonna be talking about the fact that not all NDR is created equally. He's gonna unpack the features, the capabilities that are most important when organizations are choosing an NDR solution. Tom, it's great to have you back on the program.
>>Great, great to be here.
>>So we've covered a lot of content in the first two segments, but as we see enterprises expanding their IT infrastructure, enabling the remote workforce, which is here to stay, leveraging the cloud, driving innovation, the need for cybersecurity approaches and strategies that are far more robust and deep is really essential. But in response to those challenges, more and more enterprises are relying on NDR solutions that fill some of the gaps that we talked about with some of the existing tool sets. In the last segment, we talked about some of the gaps in EDR solutions, how NDR resolves those. But we also know that not all NDR tools are created equally.
So what, in your perspective, Tom, are some of the absolutely fundamental components of NDR tools that organizations need to have for those tools to really be robust?
>>Yeah. So we touched upon this a little bit in the previous segment. First and foremost, your NDR solution is providing you comprehensive network visibility that must support whatever your network environment is. And it should be in a single tool. It shouldn't have one vendor providing you, you know, network visibility in the cloud and another vendor providing network visibility in a local network. It should be a single NDR solution that provides you visibility across your entire network. So we also talked about it not only needing to be broad like that, but it also has to be deep too, eventually down to a packet level. So those are sort of fundamental table stakes, but the NDR solution also must give you the ability to access a robust source of layer two or layer three metadata, and then ultimately give you access to packets. And then last but not least, that solution must integrate into your existing cybersecurity stack. So in the prior segments, we talked a lot about, you know, the SIEM, so that NDR solution must have the ability to integrate into that SIEM or into your XDR system or even into your SOAR system.
>>Let's kind of double-click on that now. The evolution of NDR: can you explain some of the differences between the previous generations and advanced NDR?
>>Yeah. So let's start with what we consider the most fundamental difference. And that is the solution must be packet-based. There are other ways to get network visibility. One is using NetFlow, and there are some NDR solutions that rely upon NetFlow for their source of visibility. But that's too shallow. Ultimately, you need to get deeper.
You need to get down to a packet level, and that's again where, you know, you want to make sure that your NDR or advanced NDR solution is packet-based. Number two, you wanna make sure that when you're pulling packets off the wire, you can do it at scale, at full line rate and in any environment, as we spoke about previously, whether it be your local environment or a public cloud environment. Number three, you wanna be able to do this when your traffic is encrypted. As we know, a lot of network traffic is encrypted today. So you have to have the ability to decrypt that traffic and then analyze it with your NDR system. Another one, number four, is, okay, I'm not just pulling packets off the wire, throwing full packets into a data store someplace. That's gonna, you know, fill up a disk in a matter of seconds, right? You want the ability to extract a meaningful set of metadata from layer two to layer seven of the OSI model, look at key metrics and conduct an initial set of analysis, have the ability to index and compress that data, that metadata as well as packets, on these local storage devices. So having the ability to do this packet capture at scale is really important, storing those packets and metadata locally versus up in a cloud to, you know, help with some compliance and confidentiality issues. And then, you know, last but not least, when we talk about integration into that security stack, it's multiple levels of integration. Sure, we wanna send alerts up into that SIEM, but we also want the ability to, you know, work with that XDR system or that SOAR system to drill back down into that metadata and packets for further analysis.
And then last but not least, that piece of integration should be that there's a robust set of information that these NDR systems are pulling off the wire. Many times in more advanced, mature organizations, you know, security teams, data scientists, et cetera, they just want access to that raw data, let them do their own analysis outside, say, the user interface, the boundaries of a vendor's user interface. Right? So having the ability to export that data too is really important in advanced NDR systems.
>>Got it. So essentially the breadth, the visibility across the entire infrastructure, the depth, you mentioned going down to a packet level, the scale, the metadata, encryption, is that what Netscout means when you talk about visibility without borders?
>>Yeah, exactly. You know, we have been doing this for over 30 years, pulling packets off of the wire, converting them using patented technology to a robust set of metadata, you know, at full line rates up to a hundred gig, in any network environment, any protocols, et cetera. So that's what we mean by that breadth and depth of visibility.
>>Can you talk a little bit about smart detection? If we say, okay, advanced NDR needs to deliver this threat intelligence, but it also needs to enable smart detection. What does Netscout mean by that?
>>So you wanna make sure you have multiple methods of detection, not just one method. So, you know, not just doing behavioral analysis or not just detecting threats based on known indicators of compromise. You wanna have multiple ways of detecting threats. It could be using statistical behavioral analysis. It could be using curated threat intelligence. It could be using, you know, an open source signature engine like Suricata, or other threat analytics. But you also wanna make sure that you're doing this both in real time and have the ability to do it historically.
So after a threat has been detected, for example, with another product, say an EDR device, you now want the ability to drill into the data from the network that had occurred, you know, prior to this. So historically, you want the ability to comb through a historical set of metadata or packets with new threat intelligence that you've gathered today. I wanna be able to go back in time and look through with a whole new perspective, looking for something that I didn't know about, you know, 30 days ago. So that's what we mean by smart detection.
>>So really what organizations need is these tools that deliver a far more comprehensive approach. I wanna get into a little bit more on integration. You talked about that in previous segments, but can you give us an example of what you guys mean by smart integration? What does that deliver for organizations specifically?
>>Yeah, really it's three things. One, we'll say the integration to the SIEM, to the security operations center, and so on. So when an NDR device detects something, have it send an alert to the SIEM using, you know, open standards, like syslog standards, et cetera. The other direction is from the SIEM or from the SOAR. So one, you know, that SIEM, that SOAR, is receiving information from many different devices that are detecting threats. The analyst now wants the ability to, one, determine if that's a true threat or not, a false positive. If it is a true threat, you know, help me with the remediation effort. So, you know, an example could be an alert comes into a SIEM slash SOAR, and part of the playbook is to go out and grab the metadata and packets associated with this alert, sometime before and sometime after when that alert came in. So that could be part of the automation coming from the SIEM slash SOAR.
And then last but not least, as we alluded to before, is having the ability to export that robust set of layer two through layer seven metadata and/or packets to a third-party data lake, if you will, where analysts, more sophisticated analysts, data scientists, and so on, can do their own correlation, enrich it with their own data, combine it with other data sets and so on, do their own analysis. So it's those three layers of integration, if you will, that really should be in an advanced NDR system.
>>All right, Tom, take this home for me. How does Netscout deliver advanced NDR for organizations?
>>We do that via a solution we call Omnis Security. This is Netscout's portfolio of multiple different cybersecurity products. It all starts with the packets. You know, our core competency for the last 30 years has been to pull packets off the wire at scale, using patented technologies, for example, Adaptive Service Intelligence technologies, to convert those raw packets into a robust set of layer two through seven metadata. We refer to that data as smart data. With that data in hand, you now have the ability to conduct multiple types of threat detection using statistical, behavioral, you know, curated threat intelligence, or even an open source rules engine. You have the ability to detect threats both in real time, as well as historically, but then the solution goes beyond just detecting threats or investigating threats; it has the ability to influence the blocking of threats too. So we have integrations with different firewall vendors, like Palo Alto, for example, where they could take the results of our investigation and then, you know, create policies, blocking policies, into the firewall. In addition to that, we have our own Omnis AED product, our Arbor Edge Defense. That's a product that sits in front of the firewall and protects the firewall from different types of attacks.
We have integration that where you can, you can also influence policies being blocked in the a E and in last but not least, our, our solution integrates this sort of three methods of integration. As we mentioned before, with an existing security system, sending alerts to it, allowing for automation and investigation from it, and having the ability to export our data for, you know, custom analysis, you know, all of this makes that security stack that we've been talking about better, all those different tools that we have. That's that operations triads that we talked about or visibility triad, we talked about, you know, our data makes that entire triad just better and makes the overall security staff better and makes overall security just, just better too. So that, that that's our solution on the security. >>Got it. On the security. And what you've talked about did a great job. The last three segments talking about the differences between the different technologies, data sources, why the complimentary and collaborative nature of them working together is so important for that comprehensive cybersecurity. So Tom, thank you so much for sharing such great and thoughtful information and insight for the audience. >>Oh, you're welcome. Thank you. >>My pleasure. We wanna thank you for watching the program today. Remember that all these videos are available@thecube.net, and you can check out today's news on Silicon angle.com and of course, net scout.com. We also wanna thank net scout for making this program possible and sponsoring the cube. I'm Lisa Martin for Tomski. Thanks for watching and bye for now.
Richard Hummel, Netscout | Threat Report Episode 1
>>Kicking things off for Netscout's latest threat intelligence report, I'm Lisa Martin with Richard Hummel, manager of threat intelligence at Netscout. We're going to be talking about DDoS for hire. It's a free-for-all. Richard, welcome to the program.
>>Thanks for having me, Lisa. It's always a pleasure to do interviews with you here on theCUBE.
>>Likewise. So, Richard, the dark web is a dangerous place. We know that adversaries own and operate DDoS-for-hire platforms and botnets to launch everything from free tests to high-powered multi-vector attacks. What did you find? What kind of attacks are being launched on the dark web?
>>Sadly, any and every type of attack. And I think you put it eloquently that it's free. A little while ago I got a question come in from a media journalist that I was talking to, and they asked me, what is the average cost of a DDoS attack? And my gut reaction was maybe 10, 20 USD. I even asked another reporter later on, what do you think it costs? And he came out with two or 300 USD. And so that was kind of my expectation. Well, just because of that question, I broke out my lab and I said, you know what, I'm just going to sleuth a little bit. And so I started logging in, I started looking at these underground platforms, and I spent time on 19 of hundreds. There's a website out there that lists all of them, like three or 400 of these things, but I just chose the top 19.
And when I started looking at these, every platform that I evaluated had some form of free attacks to launch. And these are the typical attacks like NTP, CLDAP, DNS amplification. These are the rote or routine types of attacks we see in the DDoS threat landscape, and it's free. And then it scales from there. You have $5 entry fees to do trials. You have a week trial, you can go all the way up to 6,500 USD, and the adversary purports to launch a one-terabit-per-second attack at that cost. There's another one that says, hey, we have 150,000 botnet nodes, here's $2,500, and then you can launch it from this platform. And they also have customization. They have these little sliders on there. You can go in and say, you know what, I have five targets, I want to launch 10 attacks at once, I want it to last this many minutes, these are the vectors I want to use. And then it just tells you here's what you've got to pay. Now, it used to be you needed to have a crypto wallet to even launch a DDoS attack. Well, that's no longer the case. Second, it used to be cryptocurrency. Well, now they take PayPal. They take wire transfers. They do Western Union transfers. And so yeah, this barrier to entry, it doesn't exist anymore.
>>Wow. The evolution of DDoS attacks, the low barrier to entry, the customization. You mentioned that you researched the top 19 validated DDoS-for-hire services. You guys captured the types of attacks, reported number of users and the costs to launch. What are some of the things that really stuck out to you that you found?
>>I think the biggest thing, the biggest outlier that I saw with a lot of these things, is the sheer amount of attacks, or attack types, that they purport to launch. That, combined with one other metric that I'll tell you in just a minute. But when I started adding all of these up, I came out with a list of something like 450 different line items. This is taking the attack types from all 19 of these platforms and putting it into a spreadsheet. And then when I actually got rid of the duplicates, and I started looking at each one of these to see, did they call it this and then this one called it that, there were still 200 different types of attacks. And these attacks are not just your typical volumetric things or your typical botnet-related things. I mean, they're going after applications. They're going after CAPTCHA pages. They're going after some website-based anti-DDoS stuff. They're going after specific games: Grand Theft Auto, Counter-Strike, all of these things. And they have specific attacks designed to overwhelm those layers. And you can actually see in some of the news or update boxes they have on their platforms that they put rolling updates, similar to what you would see with Microsoft Update: here's what changed. And so they'll list, oh, we added this CAPTCHA bypass, or we tweaked this bypass, or guess what, we added a new server, and now you have this more power to launch bigger attacks. The other thing that really surprised me was the sheer number of users and attacks that they purport to have and have launched. So across these 19 platforms, I counted over 1 million registered users. Now, it could be that multiple users are registered across multiple platforms, and so maybe that's a little redundant, but a million across 19. And then the attacks, just whatever they showed in their platform. Now, I don't know what time segment that is; it could be all time, it could be a certain snapshot, whatever. 19 of several hundred of these things: more than 10 million attacks. Now, if we look at 2020, we saw 10 million attacks on the whole year. 2021, we saw 9.7 million. So you can just see it. I mean, we're not seeing the whole breadth of the threat landscape. We see about a third, probably, of the world's internet traffic. And so if what they say is true, there's a lot more attacks out there than even we talk about.
>>A lot more attacks than are even uncovered. That's shocking. The evolution of DDoS is also quite shocking. One of the things I noticed in the first half 2021 threat intelligence report that Netscout published was some of the underground services offer blacklists or delisting services to prevent attacks. And I thought, that sounds like a good thing, but what does that really mean?
>>So actually, when we were writing the last threat report, a colleague of mine, Roland Dobbins, had actually talked about this, and he's like, hey, I saw this thing where it's this quasi-illegal organization, and they were talking about listing you as this. And they actually turn around and sell these lists. And so I started researching that a little bit. And what it turns out is these organizations, they purport to be VPN services. And they also say, you know what, we offer these kinds of lists or block lists, we offer this VPN service, but we are also collecting your IP address. And so if you don't want us to basically resell that to somebody else, or if you want us to add that so that people can attack you based on what they're seeing on the VPN, then you can pay us money, and you can do different tiers of this. You can say, block me for a week, or block me for a lifetime. And of all of these different platforms, I wouldn't say all of them, probably four of the 19 that I looked at, had this service. Now, as a user, I'm not going to go to every single DDoS-for-hire platform. I'm not going to purchase the VPN from every single one of these. I'm not going to go and add myself to their denylist across all of these things. That's kind of way too much work, for one. And the cost is going to be in the thousands, if not tens of thousands, as you start to add all of these things together. And so they purport to do something good and, in turn, take your information and sell it. And what's worse is they actually assign your username or your handle or your gamer tag to that IP address. And so now you have this full list of IPs with gamer tags. And so an adversary out there that has no qualms or scruples about launching DDoS attacks can then purchase that list. And guess what, hey, this gamer over here who has this gamer tag, he always tells me, I don't want to face him anymore. So anytime I see him in a match, I'm going to go over here to this DDoS-for-hire platform, and I'm going to just launch an attack against him, try to knock him off. And so that's the kind of shady business practices that we're seeing here in the underground forums.
>>Well, I knew that wasn't good. I knew that you would actually give me the skinny on what that was. So another thing that I was wondering if it was a good, you know, despite this, you talked about the incredible diversity of these platforms, the majority of attack types that you saw are recognized and mitigated by standard defensive practices. Is that another good, or a bad disguised as good?
>>No, in this case it is very much good. So as far as I've seen, there's not a single DDoS attack type from a booter/stresser service to date that you can't mitigate using preparation and your typical DDoS mitigation and protection systems. And even the bandwidth, the throughput, what some people call the size or the speed of attacks, we don't really see anything in the terabit-per-second range from these services. Now they'll boast about having the capability to do X number of packets per second, or this size of an attack. And so some of them will even say that, hey, you pay us this money and we're going to give you a one-terabit-per-second attack. To date, in the four years that I've been here at Netscout, and even some of my colleagues who've been around the space for decades, they have yet to see an attack sourced from one of these DDoS-for-hire platforms that exceeds one terabit per second in bandwidth or volume. And so they might talk a big game, they might boast about these things, but oftentimes it's smoke and mirrors. It's a way to get people into their platforms to purchase things. If I had to pick kind of an average volume or size of attacks for these booter/stressers on the high end, I would say around the 150 to 200 gigabit per second. Now, to a small organization that might seem huge, but to a service provider that's probably a drop in the bucket, and they can easily absorb that across their network, even without the top-of-the-line mitigation services. So just being able to have something in place, understand how adversaries are launching these attacks, what attack vectors they are, you know, do some research. We have this portal called Omnis Threat Horizon, where you can actually go in there and into your industry segment and your country, and you can just look to see, are there attacks against people like me in my country? And so, understanding if you are the target of attacks, which is not an if, it's a when, then you can understand, okay, I need to probably have provisions in place for up to this threshold. And sure, there are attacks that will exceed that, but at least you're doing due diligence to have some measure of protection, understanding that these are the typical kinds of attacks that you can expect.
>>Yeah, that due diligence is key. Richard, thanks for joining me talking about DDoS for hire. A lot of interesting things there that were uncovered. In a moment, Richard and I are going to be back to talk about the rise of server-class botnet armies.
Richard Hummel, Netscout Episode 3
>>All right, let's kick things off. I'm Lisa Martin with Richard Hummel, manager of threat intelligence at Netscout. We're going to be talking about the vertical industries where attackers really zeroed in for DDoS attacks. Richard, this is some interesting findings in the second half of 2021.
>>It is, and it's unfortunate because I never like to see individuals or organizations specifically targeted by DDoS attacks, and often this kind of individualistic targeting isn't so individual. And what I mean by that is DDoS attacks almost always have some form of ripple effect, collateral damage that extends far beyond who the adversary is going after. We've got an example of this. There's been a lot of reports recently about various VoIP providers, starting in Eastern Europe and expanding even to North America and various other parts of the world, that have reported this DDoS extortion campaign, or crew or whoever it might be, copycatting as REvil, which is a notable ransomware group that everybody publicly knows was successful. Well, these guys are copycatting that, and unfortunately they've been very successful in some of these attacks, and some of the companies have gone on record saying that, look, this didn't just impact us. They didn't just take our services offline. None of our customers could make calls. The reputation damage alone: how many users or subscribers did they lose as a result of them not being able to make phone calls? How much revenue loss during that time period that they're losing out on? I go all the way back to last year, and we saw something similar with another DDoS extortion campaign against the New Zealand stock exchange. It was down for almost four days. Just think about the sheer amount of revenue loss and just all of the things that domino effect from there, right? It's not just the exchange commission that had problems. It's not just them. It's all of the stockholders and anybody that couldn't make a trade. And so yes, adversaries absolutely single out organizations, but the damage that it causes to those around them can be astronomical.
>>Right. The downstream effects just go, as you said, the ripple effect just goes on and on and on. One of the things that I found interesting in the second half of 2021 threat intelligence report was that telecommunications verticals, which are usually a popular target for attackers, actually saw fewer attacks in the second half. Why is that? What are your thoughts there?
>>So I think a lot of this goes back to why we saw a decrease in the second half of the year. That decrease is almost exclusively attributed to a decrease in DNS amplification and CLDAP, DNS being the predominant DDoS attack vector for many, many years. TCP attacks, these direct-path attacks that we talked about in our last segment, where they are direct from botnets or they're sourced from high-powered servers, we're seeing a rebalancing of the scales here. So we're seeing about equal parts of both of these kinds of attacks now, versus the reflection/amplification stuff being predominant. And so that's one of the reasons why we saw that decrease. And when we look at the telecommunications, wired and wireless, these are your consumers. These are your gamers. These are just individuals sitting at home, minding their own business, that are getting DDoS attacked. Then we've talked about it on previous interviews that we've done, that gamers are predominantly the targets of DDoS attacks. And so if we're seeing a decrease in the preferred method for these attacks to occur, naturally we're going to see a decrease in some of the attacks against these consumers. But what's notable here in telecommunications, it's considered like this big umbrella, right? You have wired, you have wireless, you have mobile, you have satellite, you have all other telecommunications, which is where your VoIP providers fall. So most of them we saw decreases, but in wireless and all other telecommunications; now wireless, remember this 5G advent, and then the other telecommunications with this digital extortion stuff against the VoIP providers. Those are two areas where we saw increases: wireless saw a 32% increase, and all other telecommunications, think VoIP, saw a 93% increase. And so we are seeing some increases here, but the higher kind of frequency or attack counts in wired and in mobile, those saw decreases.
>>Let's talk about 5G, where everybody is so excited about it. The adoption is coming. What's going to be the implication of 5G in terms of fueling increased attacks?
>>Just the sheer volume. I mean, when we start to introduce 5G, now we're talking about every single device that we have potentially having its own space on the internet. You may have high bandwidth, high throughput capacity. And so we're not talking about just in the home, right? 5G is going to be everywhere. So now just take all of your IoT devices that may be either isolated to your home network, that are now going to be across the entire globe, outside the home on 5G networks that have the capability to launch really fast, really potent attacks. And so just the footprint, really, of what we've got to think about from a security perspective and from a defense perspective, it's going to flip things on its head quite a bit, because you're going from here's everything that I'm going to secure inside, let's just use the castle representation again, everything's inside the castle. I put my boundaries in place. I've got my firewalls. I've got my IDSes. I've got my access control lists. So anything outside of my sphere or my domain is irrelevant because I don't care about it. Well, 5G is going to blast that away, because not only do you not have it on prem anymore, everything starts to get its own direct connection to the internet. How do you secure 5G? Does your organization have that in practice? I mean, ISPs are still rolling 5G out and are still trying to figure things out as they go. How much more do enterprises and others that are gonna be consumers of this need to figure out how we're going to secure against these? And so yeah, it's gonna introduce a whole new realm of how we need to think about security.
>>A whole new realm, lots to consider there. Another thing, besides the wireless telecommunications, that the report uncovered was that the closely related software and computer manufacturing verticals also saw massive increases in attacks. Why? Talk to us about that.
>>You know, I think it's a logical progression of attacks. The last report we put out, we talked about the connectivity supply chain, and what we meant by that was how do we communicate? How do we talk to each other? How do we get into our work assets? We use a VPN, we use DNS servers, we use internet exchanges to resolve our websites. Adversaries increased attacks against those. And that was kind of the connectivity piece. Well, let's take a step back. What do you need to be able to get online? You need a computer, you need software, and you need the ability to store some of this data on your computer. So what we saw: a 606% increase in attacks against software publishers, and 260 and 253% increases against computer manufacturing and computer storage manufacturing. Together, to me, these are the digital supply chain. These are the things that allow us to do what we need to do. And so it's almost like a natural progression. And we see this a lot with DDoS extortion. So take the Lazarus Bear Armada guys we talked about last time. You know, they initially started against financial organizations, going after banks. Then they moved to the stock markets, and they moved to insurance brokerages, accounts. They moved to travel exchanges, currency exchanges, and they started this domino effect that, you know what, let's go where the money is, maybe we'll get a payday. That didn't work, so slowly they started to expand. Eventually LBA started targeting anybody and everybody in every single industry and vertical. And so what we see here is kind of like a logical progression of, you know what, our supply chain attacks didn't work. And there's a good reason for that, because these devices that they're going after are usually very, very secure. And so DDoS attacks, they can absorb them, they can mitigate them, they just bounce off. So can we succeed by going a little bit more upstream or downstream, however you want to look at this, by targeting the actual manufacturers themselves, the people who create the software we need to be able to conduct our business? And so that's kind of the logical progression of what we're seeing here.
>>So Richard, how can companies prepare, defend against the attacks against the digital supply chain? That's pretty critical.
>>Preparation. Preparation is the key. And if we follow best current or best industry practices, there's this 80/20 rule that a colleague of mine likes to use. If you do 80% of the recommended things, the best current practices, it solves 80% of your problem, and not just for the DDoS problem but also for things like ransomware and various other. It's really that 20% in there that you have to worry about. And that's going to be being aware, knowing the adversaries are actually going after software publishers. Who would have thunk it, right? Who would think that they're actually going after the manufacturer of the applications that I'm using to talk to you right now, Lisa, right? And so these are the kinds of things that people just aren't always aware of. And so making sure that we're cognizant of the actual targets of these attacks, and then from there figuring out, is our business involved in any kind of software publishing? Should we be concerned about that? And if not, what about where we're getting our software from? Do they have to worry about this? Is there a risk for them not being able to deliver something to us because they're under bombardment by DDoS sometimes? And so it's just being aware and taking steps to be able to handle, prepare. And I will say it again: you must have some sort of DDoS protections in place. It's not if, it's when you're going to get attacked. And everybody, even if you are not the direct target, there's collateral damage, as we talked about in the last segment.
>>Yep. It's a matter of if not when, and that's something that businesses of any size in any industry have to be prepared for. As you said, preparation is really number one. Richard, thank you for sharing some of the really interesting findings and the verticals that saw massive increases in the second half of 2021. And we look forward to what you're going to uncover next.
>>Absolutely. Thanks again for having me. It's been a pleasure.
>>Likewise. We want to thank you for watching the program today. Remember, all these videos are available at thecube.net, and you can check out the news from today on siliconangle.com and, of course, netscout.com. Many thanks to Netscout for making this program possible and sponsoring theCUBE. This is Lisa Martin signing off. Thanks for watching and bye for now.
Richard Hummel, Netscout Episode 2
>>Kicking things off, I'm Lisa Martin with Richard Hummel, manager of threat intelligence at NetScout. In this segment, we're going to be talking about the rise of server-class botnet armies. Richard, good to see you.
>>Again, Lisa, as always.
>>Likewise. So botnet armies, it sounds a bit ominous, especially given the current global climate. Now the first botnets came in the early 1990s. Those were comprised of servers, followed over the years by PCs and then IoT botnets. But recently, in the second half of 2021, what have you seen with respect to botnets and the armies?
>>Yeah, so I think it's important for us to look at the history of where did we come from? How did we get here? What kind of kicked off this phenomenon of botnets, specifically DDoS-related botnets? And botnets have existed for a long time. Lisa, you mentioned it in the nineties, and then we move into kind of the two thousands and talking about IoT devices entering the scene. And then 2013, you start to see, hear more about these IoT botnets and their surge, but then it wasn't until 2016, when the Mirai code was publicly released, and we all heard about the Dyn attacks at the time, which were record-breaking. Oh man, we launched this 600 gigabit per second attack using an IoT botnet and the world is on fire and everything's going to burn down. And that was kind of the feeling at the time.
>>Uh, little did we know that IoT-based botnets typically have limits. And the reason for that is an IoT device itself doesn't have a whole lot of processing capability. Often they're sitting in home networks, home networks that maybe don't have high bandwidth, high throughput. Now that is changing, right? The world is adopting this 5G. And even for 4G, you're using mobile hotspots, and now with IoT devices being directly connected to 5G networks, you're talking about much more bandwidth, throughput capabilities. However, they're still limited to what that device is capable of doing.
And so an IoT device itself probably can't generate a whole lot of throughput or bandwidth, but what happens if you're able to compromise really high-powered devices, such as routers, or even server-grade routers, or even servers themselves sitting in data centers? So enter kind of what we're seeing in the second half of the year. I think a lot of us heard about some of the recent attacks with the Mēris botnet taking down notable websites, and Mēris is a little bit different because it uses what's called HTTP pipelining.
>>And essentially what that does is the bot itself will take all of its botted nodes, and today it is sitting on MikroTik routers, using an old vulnerability from 2018 to be able to compromise these things. And it will generate a bunch of these HTTP requests and then it will release the gate. And so all of these requests essentially flood a web server and the web server just can't handle it. So maybe the first few thousand it can process, but eventually it starts to slow down before it completely chokes off. And so that's kind of how that attack works. Now, the Mēris botnet itself is leveraging these MikroTik routers, and again, like I said, a vulnerability from 2018 that a lot of these used to compromise these routers, but what was notable about that vulnerability is that you could force the router itself to give you the username and password, and even patching those routers, unless you explicitly change the usernames and passwords, those persist through the patch.
>>And so enter a new botnet called Dvinis that also takes advantage of this same existing vulnerability, but leveraging these credentials that then are able to compromise. So now you have two botnets operating on these MikroTik routers that often sit in high bandwidth, high throughput networks, being able to launch these really fast, potent attacks. Now into the third one here, getting a ride.
This is a version of Mirai that has been forked and now uses a vulnerability or an exploit against Git servers in order to compromise server-grade hardware. So if it wasn't bad enough that you have these high-powered routers, now you're talking about a server that maybe has a 10 gig interface. What happens if you get a hundred or even a thousand of these things launching a really fast attack? And so, yes, it's the rise of a server-class botnet army, and army I think is very apt here.
>>Um, often we think about botnets and we used to use the term zombies or zombie network, and we don't ever really hear that too much lately, because zombie is basically these things exist, they're kind of out there. They don't really get initiated until they're used, but in the DDoS world, these botnets are typically always active. So I don't really consider them zombies, um, because they're always brute forcing, and they're always trying to propagate and they're doing this automatically. And so a lot of times when we see these connections coming into things like our honeypot, these are Mirai or Satori, Lucifer, Gafgyt, XOR DDoS, I could go on, right? There's a lot of these different IoT botnets out there, but more and more they're turning towards this more high-powered hardware and these servers in order to up the potency of their attacks.
>>Let's talk about speed for a second. You mentioned the new server-class Mirai botnets. One of the things that the report uncovered was that online criminals were able to really quickly employ them to launch attacks, DDoS attacks, that were pretty vicious. Why were they able to do that so quickly?
>>The ecosystem and the criminal underground is so fast. It's so rapid. They have no red tape. You know, let's look at it from a defensive standpoint. There's a new hardware, software that rolls out. There's a new patch that rolls out. What do we have to do?
We have to go through this process of validating, testing it against our network, figuring out is it going to tip anything over? Maybe we deploy it first to a staging environment. Then we have to get executive blessing and approval. It has to evaluate this. We have to go to industry standards, okay, is it meeting these benchmarks? And we have this whole process, right? And sometimes even for critical patches, it can take us months to be able to roll these out for deployment. Adversaries have none of that. They have no, they have no oversight. A new vulnerability comes out. New capability comes out, new exploits come out, and the very next day we're seeing this in Metasploit modules. A couple of days later, we're seeing it in Mirai and various other IoT flavors of malware. And so these guys have super fast, rapid adoption of new things that are coming out with zero overhead. And so they can implement this in practice very, very quickly, not just in bots, but even in DDoS-for-hire platforms. They're starting to use these kinds of novel attack vectors very, very quickly after they've been uncovered or revealed.
>>No overhead, no red tape. That must be nice. Another thing that I noticed in the report in the second half of 2021 was that NetScout saw the first known terabit-class direct-path DDoS attack. Terabit class. What's the significance of that?
>>And so the significance here is, like I said, with IoT, achieving those kinds of levels is very, very difficult because IoT devices cannot gen up to that amount of bandwidth. But with these botnets existing on segments of the internet that have one gig or even 10 gig of capacity, and the power by which to generate enough traffic to achieve those volumes, so it's, it's something we've never seen before, even going all the way back to the Dyn attacks with the IoT and Mirai. We were talking hundreds of thousands of devices here contributing to that 600 gigabit per second range. That was a lot by those standards, right.
And I would say that we probably have more botnets existing today, but they're more fragmented, right? So you might have 30,000 over here. You might have 50,000 over here. Maybe you have a hundred thousand over here. Um, and so a lot of these botnets are a little bit smaller, but now if we can do 10,000 routers with one particular botnet that has the capacity to do one gig each, I mean, we're talking massive amounts of traffic here. And so that's really it, that's the evolution that we're seeing. And I think that the advent and introduction of 5G more and more across the world is going to make this exponentially worse in terms of what botnets are capable of launching.
>>Let's dig into that in about a minute or so. The significance of 5G, you know, we were talking about that as so much opportunity that that's going to unlock, but is that potentially going to be a bad thing?
>>It could be in the DDoS world. Um, we have some statistics actually, where we're already starting to see more attacks against the wireless. And so wireless is in, uh, it used to be LATAM would have a lot of wireless and mobile type stuff because a lot of gamers over there use mobile hotspots, but we're seeing them move over to the lad time. And in fact, globally, we saw a 32% increase in wireless attacks. And I believe firmly that a lot of that is attributed to this rollout of 5G across the world.
>>Interesting. We'll have to keep our eye on that. Well, I'm sure NetScout will. Another thing, if we think about one of the things that we've been through the last couple of years in the pandemic, the adoption and the embracing of this hybrid work model that many of us are still in, what does NetScout expect to see with respect to expansion of botnets into our homes, into our residences?
>>That is the key question there, because what, what happened when COVID kicked off, everybody took their corporate machines.
We took all of our devices that were sitting inside a corporate office. We went home, we went home behind routers that have no firewall, that have no IDS, that have no IPS. In fact, most of us probably don't even know how to log into our routers to change things. And so they're using their default usernames and passwords, or maybe you haven't patched it, or there's no auto-patching set up. So you are taking all of your essential, vital components for working and you're leaving the castle. And now you are out in an open field and adversaries have free rein to do whatever they want. Couple that with the fact that a lot of us don't even care about the security of our IoT devices. Uh, I always like to use this example of Christmas day.
>>You get these cool new gadgets and tech devices. And for me, that's pretty much all I get because I love tech. And if you see this now, I've got four monitors, plus my laptop and all kinds of stuff here on my desktop. But when I get a new device on Christmas morning, it's not my first instinct or gut reaction to get online and change my default usernames and passwords, or to make sure it's patched, or to update it. Now, sometimes those are being forced now, which is awesome. We need to do more of that, but it's not your first reaction. But we know that as soon as an IoT device goes online, you have about five minutes at most before you start getting inundated with brute-forcing attempts. And so, yeah, the global work from home has really changed how we need to think about security and how organizations and enterprises really should consider how they secure those at-home devices versus being inside the enterprise.
>>A lot to think about, Richard. And if you're not thinking about it first on Christmas day, then I certainly am not thinking about it. Thanks so much for talking to us about what you guys uncovered with respect to botnet armies. A lot of interesting evolution there, and the fact that there's no red tape. Wow.
What an environment. In a moment, Richard and I are going to be back to talk about the vertical industries where attackers zeroed in for DDoS attacks. You're watching theCUBE, the leader in tech enterprise coverage.
Netscout Threat Report Welcome Lisa Martin
>>The pandemic saw a majority of employees working remotely, as we all know, and the world turning to digital services, which caused an uptick in cyber attacks because almost all business was conducted virtually. Well, the unprecedented events of 2020 led to an enormous and extended upswing in innovation for threat actors, and it's not going away anytime soon. This is according to our colleagues at NetScout and an excerpt from its first half 2021 threat intelligence report. In this event, we're going to unpack NetScout's semi-annual security report for the second half of 2021, which outlines how and why these attacks are carried out and what individuals and businesses can do to prevent attacks. Now, one of the things that NetScout discovered in the second half threat intelligence report is that these cyber attacks, they're not motivated by a single factor. One notable example is a recent attack, just last month, where government and private websites in Ukraine were knocked offline in a massive distributed denial of service, DDoS, attack as Russian troops moved into contested areas in the east of the country. My name is Lisa Martin, and today on this special CUBE presentation, Richard Hummel joins me, manager of threat intelligence at NetScout. He and I are going to explore three of the key findings in the second half of 2021 threat intelligence report. In the first segment, Richard's going to talk with me about the dark side of DDoS for hire, and one of the things that you're going to learn is that launching DDoS attacks with illicit DDoS-for-hire services no longer requires a nominal fee. In segment two, Richard's going to talk to me about the rise of server-class botnet armies. And as Richard will discuss, recently adversaries not only increased the size of IoT botnets, but also conscripted high-powered servers into larger botnets.
Then we'll come back for a third and final segment to discuss the vertical industries where attackers really zeroed in for DDoS attacks in the second half. And here Richard's going to explore some of the verticals that haven't traditionally been in the crosshairs, such as software publishers and computer manufacturing. All right, guys, let's do this. Here comes our first segment.
Sally Eaves and Karen McCloskey, NETSCOUT
(soft upbeat music) >> Hello and welcome to this Cube Conversation I'm Lisa Martin. This is going to be a great conversation about corporate social responsibility, and I'm very pleased to have two great guests here with me today. Karen McCloskey joins us the director of internal communications and corporate philanthropy at NETSCOUT and Professor Sally Eaves is here as well the CEO of Aspirational Futures. She's also a professor of emerging tech and a CTO by background. Ladies welcome to the program it's great to have you on today. >> Thank you. >> Absolute pleasure. Thank you, great to join you both. >> We're going to get some great perspectives here. As I mentioned corporate social responsibility we're seeing that emerge across every industry and every company is really focused on that. Karen I want to start with you where tech companies are concerned we see corporate social responsibility really aligning with STEM and STEAM. Why is that? >> There is probably a couple of reasons, I sort of wrap it up as it's what employees do, it's part of their jobs, so they get excited about it and they want to share what they do with the next generation. And the other aspect that helps it align with tech is it involves the educational aspect. So we're teaching and we need up and coming students and employees and entrepreneurs with those skills. And the other part about STEM is when you think of it, it's typically K to 12 and then it rolls into college and it's working with students and the next generation. So the education and the pipeline or the education and the students speak to the pipeline aspect and then you add in people getting excited about their job and what they do and that's the employee engagement aspect so it really brings the two pieces together. >> I want to dig into that employee engagement in a minute but Sally I would like to get your perspective. 
Tell us a little bit about Aspirational Futures and then let's talk about the alignment between that and STEM and STEAM. >> Absolutely, so yeah, Aspirational Futures is a non-profit kind of working across tech education and social impact and really looking at kind of opening up opportunities to the industry to a diversity of experience and using tech and data as a force for good. We do projects locally and across the world, kind of breaking down those barriers. It's going to be all about democratization of opportunity, I would say. And in terms of STEM to STEAM, that's where I see the journey going at the moment and effectively with that STEAM focus you're bringing the arts to an equal stage to the tech skills as well. So for me that's really important because it comes down to curiosity, encouraging people to get into the sector, showing what you can do, building creative confidence, emotional intelligence, those types of skills alongside the tech skills to actually build it. So it's that combination. There's complementary factors that come together. So for me STEAM is a great way to get holistic learning for life. With the rate of change we've got at the moment it kind of gives you that tool set to work from to be empowered and confident for the future. >> That confidence is so critical. >> It's really. >> For anybody of any age, right? But one of the things that we've seen that is in the inaugural ESG report that NETSCOUT just published is this digital divide. We've seen it for quite a while now but we also saw it grow during the pandemic. Sally, from your perspective, what is that and how can tech companies help to fill that gap? >> It's a great point. I think one other thing that the pandemic did was made it more visible as well. So I think particularly where we're working in certain spaces we've seen it more, but I think for everybody it's affected our daily lives in education from home, for example for the first time it's made gaps more visible.
So absolutely huge to focus on that. And I think we're seeing it from the organizational perspective as well. We're seeing gaps around certain types of roles. We're seeing higher churn because of a lack of data literacy skills. So it's becoming something that's becoming a CUBE Conversation, you know, in day-to-day family life but in organizations across the world as well. And also it's about challenging assumptions. And just a few weeks ago there was some research that came out at the University of Reading in the UK in conglomerate with other universities as well. And it was kind of showing that actually you can't make the assumption, for example, that teenagers that we kind of call digital natives all the time actually have full confidence in using data either. It was actually showing there were gaps there too. So we've got to challenge assumptions. So literacy in all its forms, whether it's data, whether it's financial, is absolutely key and we've got to start earlier. So what I'm seeing more of is better outreach from tech companies and other organizations in the primary schools through to universities as well, kind of internships and placements, but also another really interesting area that we do with the nonprofit is looking at data waste as well. You know, 90% of data that's archived isn't touched again after kind of three months. You think about the amount of data we're producing at the moment, how can we reuse that as a force for good, as a training opportunity? So let's think creatively, let's be pragmatic, address some of these data literacy gaps, but we have to do it at all levels of the community and also for adult learners too. That's hugely important. >> Right, there's no, it knows no age and you're right that the visibility on it I think it can be a very good thing, shining that light, finally going we've got to do something. Karen, talk to us about what NETSCOUT is doing. The digital divide is there, you guys are really focused on helping to mitigate that.
>> That's right. That's right. So as guardians of the connected world, that's our job with our customers and our products, but also with our people in our communities is getting people connected and how can we do that? And in what ways are we able to do that? And recently we engaged with Tech Goes Home which is based in Boston and they provide those first three pillars that everybody needs access to a device, access to the internet and skills to use that. And they work with families and students and they say their programs go from nine to 90. So they've got everybody covered. And what's exciting for us is it kind of falls from a volunteer perspective right in our wheelhouse. So they had to transition from in-person to distance learning with the pandemic and suddenly their program materials needed to be online and they needed to get people up and running without the benefit of an in-person class. What NETSCOUT volunteers were able to do was create those tutorials and those programs that they needed and we also have people all over the world and then we translated them into a bunch of different languages and they were able to then move forward with their programs. So Tech Goes Home and programs like that are really that first step in bridging the digital divide. And then once you've got the basics, the toolkit and the skills what else can you do? And Sally mentioned visibility it's what are the opportunities? What can I do now? I didn't realize there was a career path here, I need these skills to build a business help me learn more. So then there's that whole other aspect of furthering what they can do now that they have those skills and the learning and something like a hackathon might be a fun way to engage kids in those skills and help them go a little further with the tools they have. >> And NETSCOUT has done a number of hackathon programs last year I know you had an All-Girls Hackathon virtually in 2020. 
Talk to me about some of that and then I want to get Sally, I'm going to get your perspectives on what you're doing as well. >> So our hackathons, and I'll try and keep this brief because we've done a lot. They were actually brought forward as an employee idea. So that also speaks to our culture. It's like, hey, we should do more of this. We have partnered with Shooting Star Foundation and one of our employees is one of their, or is their board chair. And the hackathons, what they do, and these are beginners hackathons, so we're talking middle and high school, and the theme is civic, so something good for society. And what we do is over a course of 12 hours, not to mention all the pre-planning. When we had the in-person ones they were in our office, they got to see employees up close, run around the building to the extent that they could, and build their project. And Sally, I think you had also mentioned that creativity and that confidence. I mean, what those kids did in a day was amazing. You know, they came in and they're all kind of looking around and they don't really know what to do. And at the end of the day they had made new friends, they were standing up in front of executive judges, presenting their idea, and they all felt really good about it and they had fun. So I think it can be a fun, impactful way to both engage employees, because it's a heck of a team building experience, and sort of bring students in and give them that visibility to what's possible in their tech career. >> And that confidence. Sally, talk to me about hackathons from your perspective and what you're involved in? >> Absolutely, funny now, I've just come from one. So I'm at COP26 at the moment and I've been involved in one with a university again, using that talent and building that empowerment around SDG challenges.
So in this particular case around sustainability, so absolutely love that and really echo Karen's thoughts there about how this is a reciprocal relationship. It's also super rewarding for all the employees as well, we're all learning and learning from each other, which I think is a fantastic thing. And also another point about visibility. Now seeing someone in a role that you might want to do in the future, I think is hugely important as well. So as part of the nonprofit I run a series called 365 and that's all about putting visibility on role models in tech every single day of the year. So not for example just like International Women's Day or Girls in ICT Day, but every single day and for a diversity of experience, because I think it's really important to interview people at C-suite level. But equally I just did an interview with a 14 year old. He did an amazing project in their community to support a local hospital using a 3D printer. It makes it relatable, you can see yourself in that particular role in the future, and you can also show how tech can be used for good business, but also for good for society at the same time. I think that can challenge assumptions and show there's lots of different roles, there's lots of different skills that make a difference in a tech career. So coding could be really important but so is empathy, and so is communication skills. So again, going back to that STEAM focus there's something for everyone. I think that's really important to kind of knock down those boundaries, challenge assumptions, and drop the STEM drop-off, as we say, make it a little bit more STEAM focused. I think that can help challenge those assumptions and get more people curious, creative, confident about tech. >> I couldn't agree more, curious, creative and confident. The three Cs that will help anyone, and also Sally, to your point, showing the breadth and diversity of roles within tech, coding is one of them. >> Sally: Absolutely.
>> As might be the one of the ones that's the most known but there's so many opportunities to allow these kids to be able to see what they can be is game-changing, especially in today's climate. Karen talk to me about you mentioned in the beginning of our interview Karen, the employee engagement, I know that that environmental social governance is core to NETSCOUT's DNA but we're talking over 2,400 employees in 35 countries. Your folks really want to be engaged and have a purpose. Talk to me about how you got the employees together, it sounds like it was maybe from within. >> That's absolutely right. We have a to support employees when they bring forth these good ideas and the hackathon was one example of that. And the cool thing about the hackathons is that it leads to all these other community connections and people bring forth other ideas. So we had an in-person hackathon at our Allen office in 2019. Some of the employees there met staff from Collin College who were said, "Hey, we'd like to bring this hackathon to us." So then the employees said, "Hey, can we do a hackathon with Collin College?" It's so really it's employee driven, employee organized, supported by the company with the resources and other employees love to be part of that. And the event at Collin College brought out all those skills from the students. It was on climate change so relatively hot topic. And they did a fantastic job while they were there, but that employee engagement as you said, it comes from within. So they have the idea we have a way and a path that they can find what is needed in their community and deliver on that. And it really becomes a sense of pride and accomplishment that it wasn't a top-down mandate that you must go volunteer or paint this wall. They identified the need in the community, propose the project, get the volunteers, get the corporate support and go forth and do it. And it's really amazing to see what people do in their community. 
>> Well, it's incredibly rewarding and fulfilling but also very symbiotic. There's one thing that's great about the students or those that are from nine to 90, like you said, having a mentor or mentors and sponsors but it's also another thing for employees to be even more productive and proud of themselves to be able to mentor and sponsor those folks in the next generations coming up. I can imagine that employee productivity would likely increase because the employees are able to fulfill have something fulfilling or rewarding with these programs. Karen talk to me a little bit about employee productivity as a kind of a side benefit of this. >> Well, I was going to say during the hackathons I don't know how productive we are 'cause there's a lot of planning and pre-work that goes into it. But I think what happens is it's an incredible team building experience across the company. So you reaching out to executives hey would you be a judge for this event? And you know you're explaining what it is and where it is. And you're roping your coworkers into spending 12 hours with you on a Sunday. And then you're finding somebody who has access to a speaker. So you're talking to people about it it's outside your day-to-day job. And then when it's over, you're like, "Oh yeah, hey, I know somebody in that group I worked with them on the hackathon or I can go up and talk to this executive because we hung out in the hackathon room for X many hours on a Saturday." So it's another way to build those relationships which in the end make you more or help you be more productive as a whole across the company. >> Absolutely relationship building, networking, those are all critical components to having a successful career. Whether we're talking about STEAM or not. I want to unpack something Sally that you said in our remaining few minutes you talked about challenging assumptions. 
And I guess suppose I'm one of those ones that always assumes if I see a gen Z or they're going to know way more about how to use my phone than I do but you bring up a really good point that there are these assumptions that we need to focus on, shine the light on, address them and crack them wide open to show these folks from nine to 90 that there are so many opportunities out there, there are limitless out there I would say. >> Absolutely, it's all about breaking down those barriers. And that research I mentioned something like 43% of teenagers about kind of 16 to 21 years of age we're saying they don't feel data literate. And that assumption is incorrect so gain so making sure we include everyone in this conversation. So going as young as possible in terms of introducing people to these opportunities but making sure we don't leave any particular age group behind it's that breadth of engagement with all ages is absolutely key. But again showing there are so many different routes into tech as a career. There isn't one linear path, you can come from a different area and those skills will be hugely valid in a tech career. So absolutely challenging assumptions, changing the narrative about what a tech career looks like, I think is absolutely hugely important hence why I do that series because you want to see someone that's relatable to you, at your next level potentially, it's something you need a three steps ahead. It just makes it so important. So for me democratization of opportunity, breaking down barriers, showing that you can go around different ways and it's absolutely fine. And you know what that would probably you can learn from that experience, you can learn from mistakes all those things make a difference so don't be put off and don't let anyone hold you back and reach out for mentor. 
You mentioned sponsorship earlier on as well I think that's another thing as well kind of using the sphere of influence we develop in our careers and maybe through social media and can helping people along the way not just through mentorship but through active sponsorship as well. There's so many things we can do together. I think organizations are really listening to this is better embedding around DEI initiatives now than ever before and as Karen has been describing fantastic outreach into communities through hackathons, through linking up with schools. So I think we're getting a real contagion of change that's positive here. And I think the pandemic has helped. It's helped us all to kind of pause and reflect, what we stand for as people, as organizations all the way through and I'm really excited that we can really harness this energy and take it forward and really make a difference here by coming together. >> And that is such a great silver lining all of those points Sally that you mentioned. Karen, I want to wrap with you. There's great momentum within NETSCOUT I mentioned, over 2,400 employees actively so many people in the employee community actively engaging in the hackathons and the opportunities to show from nine year olds to 90 year olds the opportunities that STEAM delivers. So what's next for NETSCOUT, what can we anticipate? >> More hackathons, more focused on the digital divide. I just want to, as Sally was speaking, something occurred to me when you said it's never a clear path on the tech journey. I would love to be listening to one of those conversations 10 years from now and have somebody say, oh, when you were asked that question that you're always asked what got you on your journey? What started? I'd love to hear someone say, "Oh, I went to this hackathon once "and it is something and ever since then I got interested in it." That would be a lot of fun. I would love to see that. And for NETSCOUT we're going to continue to do what we do best. 
We focus on where we can make a difference, we go in wholeheartedly, we engage with volunteers and we'll just keep doing what we're doing. >> Excellent ladies what a great conversation. I love the lights that you're shining on these very important topics there. You're right, I talked to a lot of people about their career paths and they're very, zig-zaggy. Its the exception to find one, you know, that we're studying computer science or engineering, but Karen I have no doubt with the focus that NETSCOUT's putting that Sally that your organization is putting on things like hackathons, getting people out there, educated becoming data literate that no doubt that the narrative will change in the next few years that I went to this hackathon that NETSCOUT did and here I am now. So great work, very important work. I think the pandemic has brought some silver linings there to what your organizations are both doing and look forward to seeing the next generation that you're inspiring. >> Thank you so much. >> Thank you. >> Real pleasure. >> Likewise. For Sally Eaves and Karen McCloskey, I'm Lisa Martin you're watching theCUBE Conversation. (soft upbeat music)
Richard Hummel, NETSCOUT | CUBE Conversation
(melodic music) >> Welcome to this CUBE conversation. I'm Lisa Martin. Richard Hummel joins me next, manager of threat intelligence at NetScout. Richard, welcome back to theCUBE. >> Thanks Lisa, it's nice to be back. Thank you for having me. >> We have a lot to talk about in the next 15 to 20 minutes. We're going to be talking about the NetScout threat intelligence report. The report covers the first half of 2021, January 1 to June 30. Unprecedented events of 2020, Richard, spilling into 2021. How have the events of 2020 impacted the threat landscape? What are you seeing? >> I would say that it's significantly impacted it. The COVID pandemic and all that happened with remote work and education moving to remote, all of that had a hand in exponentially increasing the threat landscape that adversaries have at their disposal to compromise unknowing victims, to launch attacks. There's so much more that adversaries are able to really hook into. Just in the first half of 2021, we saw almost 5.4 million DDoS attacks. And if you go back to last year, we broke a record at 10 million, just over 10 million, and we're well on track to hit 11 million at the end of this year. So you can see how it's impacted. And even as much as some things are starting to tail off or taper off a little bit, as things start to get back to normal, we start to resume travel, we resume going to the office, there's still that tail end; we're still seeing this kind of heightened attack landscape, and there's lots of different phenomena happening as a result, which we'll talk about throughout this interview. >> Yeah, we'll dissect that. You said on pace for a record-breaking 11 million DDoS attacks by the end of 2021. One of the things I want to talk about is speed. I noticed in the report that seven attack vectors in seven months, which means that threat actors exploited or weaponized at least seven of the new DDoS vectors in just seven months' time. Why is that significant?
>> You know, I'll even raise the ante a little bit: just after the threat report, there's an eighth vector. And so this is the nature that we're in. This is really the age of innovation. And we've been in kind of an innovative space in the crime world for a couple of years now, where we continue to see this domino effect, for lack of a better way of describing it, where it's just one after the next, step to the next. And then you add in this compounding thing where you have more devices than ever before connected to the internet, and you have all that much more exposure for these things to take advantage of. And so we see adversaries innovating. And one of the ways in which we see that is they operate like a business enterprise. They have functional components for different things. And as you kind of fragment that business structure in the crime world, you get specialized areas for certain things. And so you have adversaries that are niche in a certain area, whether it's distribution of malware, or it's launching a DDoS attack, or maybe it's just finding reflectors and amplifiers to launch those DDoS attacks. You have all of these kind of niche areas, and the more you can consolidate or collapse those different skill sets into different components, you're going to find it iterates much more rapidly. It's the same thing that happens with entrepreneurs in the business enterprise: do you outsource what you're not the expert at? And you outsource it to somebody who is an expert, and we see the same phenomenon happening in the cyber-crime world. >> So the rate of discovery to weaponization is getting shorter. >> Super fast. And we've seen things weaponized as short as one to two days from the time a proof of concept comes online to when an adversary adopts this into their tools or their toolkits. And so most often, the way we see this adopted is maybe a bot picks it up.
So you have like your Mirai, your Satori, your dash, all these different IoT-related bots out there that have capabilities, but then you also have these platforms called booters and stressers. And adversaries just continue to add vectors there. There's no reason to remove them because they're still effective. And so we see this continual add of new ways to compromise and new ways to attack somebody that just always goes up and to the right.
>> Up and to the right, in some cases, can be good; in this case, obviously it's a sign of distress. One of the things the report showed, Richard, was the development of adaptive DDoS. Just the name adaptive leads me to think of evasive tactics, you know, that threat actors are employing. Talk to us about adaptive DDoS and what the report showed for the first half of 2021. >> Sure. So the biggest thing we saw with adaptive DDoS, and I have to preface this by one of the changes that we saw over the first half of 2021. Going into the first half of the year, DNS reflection/amplification was kind of the predominant preferred method by adversaries. There's so many DNS servers out there, so it's something they're able to do. Well, we saw a different type of attack called TCP ACK floods actually surpass that. And TCP ACK floods are a little bit different because it uses a different internet protocol. Now, what's significant about TCP-based connections is it's connection oriented. So it requires what we would call a three-way handshake. So there's packets going to the target, they're coming back to the adversary, they're going to the target. And in most cases they're spoofing IP addresses. So it never really goes to the actual adversary, but somebody else, right? And so it's much more process intensive or network intensive. And so you can basically launch these TCP floods, these SYN attacks, these ACK floods, whatever they might be.
And you're creating a bunch of different connections on that targeted entity and you're spoofing the source. So in other words, let's just say I am victim one and there's an adversary out there that wants to target me. So they're going to actually spoof my IP address and they're going to send a bunch of these SYN floods or ACK floods or TCP floods, or whatever they might be, to all these DNS servers around the world. And so they're all going to reply to the supposed source of those packets, which is in fact spoofed, right? And so now you're getting all these flood attacks. And so what we're seeing here is a switch. We're moving from kind of the just connectionless, the UDP-based stuff, the DNS reflection/amplification, to more niche things such as TCP ACK floods. And it's the first time we've ever seen TCP ACK floods take first place. And what's notable about that is that there are certain types of DDoS mitigation that are susceptible to this kind of attack. And so what we see adversaries do is they'll watch that attack and they monitor: did my victim go down? If they didn't go down, they'll pivot, they'll try something else. Maybe they'll try a typical volumetric attack. If that succeeds, okay, we took one layer of the defense down. So is there anything else preventing us from taking our target offline? Well, maybe there's a second layer of defense. So now let's try this other thing and see if that works. And so we actually saw this successful against commercial banks and payment card processors, where they used TCP ACK floods to bypass one layer, then they used volumetric to bypass the second, and then on a completely different target we saw it in reverse. And so we see adversaries adapting to how we're putting our security posture in place, what we're doing to defend our organizations and networks, and adversaries are very quickly iterating and pivoting to follow what we're doing and overcome that.
>> And when you say quickly, how quickly are we talking? Is this a matter of days? >> Well, in the case of the attacks that we're talking about, we're talking about seconds or minutes, because they're actually launching the attack and they're sitting there watching to see if that goes down, and if it doesn't go down, they can pivot really, really quickly and launch a secondary attack. And so in these cases it's really, really rapid and really fast. >> Wow. Another thing that I read in the report, and that you sort of intimated a minute ago, was the amount of collateral damage seems to also be expanding with what you're seeing in the threat landscape. Talk to us about the risks there and the collateral damage, and give us some examples of that actually happening. >> So I think that the biggest example of this, and this isn't actually DDoS related, but if you look at like the Colonial Pipeline incident that happened, right? So they didn't actually go after Colonial Pipeline. They went after a vendor that provides some sort of service to them. And that resulted in Colonial saying, "We've got to shut down our pipeline because now we can't bill our customers." So that's like one aspect of collateral damage. Well, let's translate that to the DDoS world. What happens when a DNS server goes offline that services 1000 different websites? Now you have all of these other websites that can't be accessed. Well, what happens if an adversary goes after a VPN for a prominent enterprise? They successfully take down that VPN concentrator, and now all of their remote workforce can no longer access those resources. In fact, there's something we're calling the connectivity supply chain, which is what adversaries are moving to, both in the corporate world as well as commercial. VPNs are increasingly used by gamers, for instance, to mask their IPs, because DDoS attacks predominantly target gamers; 80, 85% of all attacks are against gamers. And so they're using VPNs to mask their source.
Well, an adversary says, well, hey, I can't go after the individual because I don't know their IP, but I know what VPN they're using. So maybe if I target all the VPN nodes that are publicly available for that VPN concentrator or VPN service provider, now I can take them offline. But as a consequence, you're not just taking off your individual target; you're taking off every single person that's using that VPN. >> Right. >> This is the collateral damage impact we're talking about. It can be very, very far reaching. >> You mentioned the connectivity supply chain. Let's go ahead and dissect that, 'cause that was something else that the report showed, was that there were vital components of what NetScout calls the connectivity supply chain, which you'll help define, are under increasing attack. Define the connectivity supply chain and tell us what the report is showing. >> So supply chain comes in many forms and fashions. You have your physical supply chain, you have your vendors that provide software. You have actual movers, such as semis and trains, and you have pipelines to get crude oil to places. All of these things are supply chain, but what's the underlying foundation behind these? How do all of these operate? And more and more in today's day and age, you rely on internet connectivity. You rely on that backbone to be able to operate your systems across a remote space, whether that's internationally, or if it's different countries, if it's just different states; you have to have some way of connecting all those things. And we're not often doing things physically in person there, right? We do this by remote access. We do this by having certain websites or controllers. And all of these things rely on a few critical things that, if you were to take them offline, it would prevent you from doing this kind of management. So DNS servers, VPNs, I already talked about, whether it's commercial or corporate to access your company's assets.
And then you have internet exchanges. If any one of these things went down from a DDoS attack, you're talking about massive collateral damage. And so what we're calling the connectivity supply chain is really just that: what connects all of us together? That's the internet, and what makes the internet tick? And here at NetScout, we call ourselves guardians of the connected world. And though that might seem a little bit weird to say it that way, it's absolutely true, because our primary goal here at NetScout is to make sure that organizations maintain that connection that allows them to really just live, breathe, survive, do their business. Without that, you can't conduct business. >> Right. And we saw that rapid pivot last year, and so many businesses in every industry had to rapidly pivot and shift to digital, but the risks: as the innovation of technology for use for good continues, so does its innovation and use for adversarial things. Another thing that the report showed: triple extortion. Talk about that. What you saw, what does that mean for businesses? >> So the triple extortion is a three-pronged attack. And everybody here is going to know exactly what I'm talking about when I say ransomware, because ransomware is the biggest threat to the cyber world; really, not even just the cyber world, just anybody that has a computer or device or anything, right? Whether it's a business, it's a user, it's a school, hospitals. Everybody is at risk for this, and adversaries see the success that ransomware is having, and more and more operators get involved in this. Well, what we're seeing here is that they are not satisfied with just encrypting your files and getting a one-time payment. No, they've got to take it a step further. And in fact, the double extortion has been ongoing since as far back as 2013, when a popular "Gameover Zeus" variant was distributing CryptoLocker ransomware.
And so you have like your initial compromise and data theft and wire transfers of bank stuff, followed by ransomware. I already stole your money from your bank, and now you're going to pay me a ransom to decrypt your files. Well, let's move forward to today's day and age. And over the past year, one of the things we've seen is that adversaries are now adding a third tactic to this: DDoS. And so they will encrypt your files. They'll demand, hey, you're going to pay us this amount of Bitcoin in order to decrypt your files. But you know, we're already in your system, so, you know, let's just steal your data. And then after you pay us for the decryption, we're going to hold your data hostage until you pay us again. Or maybe we're going to use that data as a lever to get you to pay that initial ransom. Well, that's still not enough, because more and more security researchers, like myself, say don't pay. And I'm saying that right here, in plain English: do not pay the ransomware, because it has detrimental effects. You don't even know if they're going to decrypt your files, and you don't know if they're going to come back. Maybe you pay them, they never send you a decryption key. You pay them, and lo and behold, they're part of some terrorist organization. So now you're actually complicit in funding these guys, and the more success that these ransom operators have, the more they're going to do it. And so it has a lot of really negative consequences. Well, let's add another lever. Let's add DDoS to this. So it's not enough we encrypted your files. It's not enough we stole your data. Let's knock your network offline. So now you have no recourse whatsoever, except to pay us in order to resume services. And we're seeing at least four or five different ransomware groups or gangs actually use this triple extortion to go after their victims. And so it's something that we expect to see down the road as more and more operators continue to kind of adopt this.
>> Lisa: Yeah. The report showed that there was a ransomware group that in the first half of 2021 alone netted a hundred million dollars. So ransomware as a service, this is a big business. You say don't pay; what can organizations do to defend themselves against triple extortion, or even single or double? >> Yeah. So I mean, the thing is, preparation is key for a lot of this, and not just for the ransomware piece and triple extortion, but DDoS in general; preparation goes a long way to mitigating this potential threat. And one of the things we'd like to say here is that 80% of the things you can do to defend against ransomware also work for defending against DDoS. And the key word here is preparation. Making sure that you've done your initial observations of your network. You understand what is in your network, every device, not just like the core critical systems, because there could be that IoT device sitting there on the fringe somewhere that has, for whatever reason, access to a system that, if encrypted, would cause detrimental harm to your company. So not only do you want to inventory your systems, you also want to figure out, are they patched and up to date? Do we allow unauthenticated logins? Are they using default usernames and passwords? In fact, the vast majority of ransomware today, the initial infection vector is either going to be some sort of spam messaging or brute forcing RDP, SSH, and Telnet, the tried and true methods that they've been using for five, six, seven years. They are still successful using these to get into organizations. And so making sure that you're sufficiently locking those down. Specifically on the ransomware side, if you want to prevent those, not only are you going to do this preparation, but you're going to make sure that you isolate your critical systems. You shouldn't have everything connected to one spot. If somebody compromises one device, they should not be able to encrypt your entire network.
They absolutely should never be able to encrypt your backup files, and have backup files, right? So there's a lot of different things you can do here. And by practicing a lot of this preparation, this isolation, the segmenting of your networks, you're also helping in the DDoS space, because if they go after one network asset, you'll have all this to fall back on. There is one significant difference between ransomware and DDoS. Ransomware, after you've been infected, unless you have backups or you pay the ransom, your files are pretty much gone, unless there's some decryptor that can be had, or the government has some sort of campaign that gets you the decryption keys and they help you with the decryption. So in those cases, if you get encrypted, there's often not a whole lot of recourse unless you have prepared ahead of time. With DDoS, however, the vast majority, 99% of all DDoS attacks, can be prevented if you have a mitigation and protection solution in place. And even if you get DDoSed, oftentimes they're short-lived; in fact, the vast majority of DDoS attacks last less than 15 minutes. And so it's not like your stuff is going to be encrypted for days on end or weeks on end. You're going to get hit, you might go down for a period of time, but you can recover services. And during that recovery period, you can go and you can seek mitigation and protection services. And so there's a big difference between DDoS and ransomware in that regard. >> That's a great way of describing that. And we've talked a lot about ransomware; it's been on the increase the last year and a half. We've talked about how it's not a matter of if we get attacked, it's a matter of when. But your distinction between ransomware and DDoS attacks shows that both, with preparation and the right tools, are preventable and recoverable, provided organizations have put the proper tools and mechanisms in place to do that.
And given how quickly we're seeing the adaptation of the threat actors, organizations, if they're not already on that preparation train, need to catch up. >> Absolutely. They need to get busy right away. There's really no delay. Like you said, it's not if, it's when. And so every single person, every organization, and I would take it a step further, not even organizations, every single individual that has a computer or some sort of internet connection at home needs to realize that they absolutely can be and are the target of these attacks. We've said it now for the past year and a half that within five minutes of an IoT device going online, you're getting brute force attempts, and that's any IoT device. That's something you connect that maybe you never even realize you can log into and change your password. Well, if it's online, then chances are somebody is trying to brute force that to access it and use it in various ways. >> And as we all sort of anticipate, we're going to be in this hybrid work environment, work from anywhere environment, for quite a while longer. One last question I want to ask you: when you talk about all the proliferation of IoT devices, and we're still in this work from anywhere situation, botnets? What are some of the things that the report showed, and how can organizations protect all, in a, you know, growing number of vulnerable IoT devices from botnets? >> So I think the biggest thing to protect against an IoT compromise is just simply patching and updating your passwords. Mirai has been out there for a long time, 2016. You know, we saw the Dyn attacks, but it's still using the same usernames and passwords. Sure, they add more to the list, but the predominant ones that are successful in compromising devices have been around for many years, but they're still successful at compromising these IoT devices. In fact, in the report, one of the things we wanted to show is actually, where are these botnets?
How are they being used, and specifically in a DDoS nature? And so we actually took all of the IP addresses that we're seeing from bots that are either coming back into our honeypot or things that we scan for. You know, and what we've determined, and that is that roughly 200,000 to 208,000 of the IP addresses, IP addresses that both we collected as well as a new partner of ours called GreyNoise, they've agreed to partner with us on this threat report, and you'll see that in the report, if you actually read it. We took these lists of nodes and we compared that to what we're seeing in the DDoS attack landscape. And it turns out that approximately 200,000 of these contributed to more than 2.8 million DDoS attacks in the first half of 2021. Now, there were 5.4 million attacks total. So more than half of those had some form of DDoS botnet IoT representation. And so that should tell you that these botnets are huge and they're everywhere and they're active. And so the report actually walks you through where these are at, where the density zones are, in clusters of these botnets, as well as what botnets in those high density zones are using to compromise other IoT devices. And so it's definitely a very informative read. And I think that you'll figure out that this isn't something we talk about in the abstract, right? This is a botnet in my backyard, and I should absolutely be concerned about any IoT device in my home. >> Right. And the NetScout threat intelligence report, which Richard has just walked us through, is not only available online, it's interactive. It's a great report. I've looked at the PDF, but Richard, where can folks go to actually interact with the document and actually glean even more information about how they can prepare and defend? >> Yeah. So netscout.com/starreport. And as Lisa said, it is interactive. So you will need to sign up for the site and you can do both.
You can either view the interactive webpage, or you can download the PDF, whatever your reading preference is. But I do encourage the interactive portion because, for instance, like this botnet density map that I talked about, you can actually page through month over month to see where those density clusters are. And there are other animations; there's other maps in there, so there's definitely a lot more value to perusing the interactive nature. >> A lot of granularity. Richard, thank you so much for joining me today, talking about what the first half of 2021 showed. And I can't wait to talk to you next year when we're going to be looking at the second half of the year, where we are with respect to that record-breaking 11 million DDoS attacks. Thank you for taking your time to explain the top trends in the report and for showing folks where they can go to interact with it. >> Well, thank you, Lisa. And thank you to theCUBE for hosting the interview. Definitely appreciate it. >> Our pleasure. For Richard Hummel, I am Lisa Martin, you're watching a CUBE conversation. (melodic music)
Richard Hummel & Roland Dobbins, NETSCOUT | CUBE Conversation, July 2021
(upbeat music) (air whooshing)
>> Hi everybody. John Walls here, continuing our Cube Conversations, here focusing on NETSCOUT today and the growing problem of ransomware. Obviously very much in the news these days for a couple of high profile cases. It is certainly an increasing challenge, but by no means a new phenomenon at all. With us to talk about this is Roland Dobbins, who is the principal engineer of NETSCOUT's ASERT team. And Roland, good to see you today, sir. Thanks for joining us.
>> Good to see you as well.
>> And Richard Hummel, who's threat intelligence research lead for the ASERT team. And Richard, thank you for being with us as well here on the Cube.
>> Absolutely John, thanks for having us.
>> Yeah, let's just jump right in here. Ransomware, obviously we're all well aware of a couple of high profile cases, as I alluded to. Let's talk about first, the magnitude and scale of the problem, as it currently exists. And Roland, I'm going to let you just set the table for us here. Let's talk about ransomware, where it was maybe four or five years ago, and what the challenge has become today?
>> Actually, John, if you don't mind, I'd really like to hand that one to my colleague, Richard, because he really has an in-depth background there, if that's okay.
>> By all means, so Richard, jump in on that.
>> Absolutely. Yeah. And so (clears throat) I'll handle all the ransomware stuff, namely because I've been doing this for going on seven years now of looking specifically at ransomware. I started this right around the time I joined iSIGHT Partners, you know, leading premier provider of threat intelligence, who was acquired by FireEye and now Mandiant, and now even a conglomerate that just acquired Mandiant. So there's been a series of acquisitions here, but the reality is this threat intelligence has been pervasive across all of these. And you can see that over time that value hasn't diminished. And you can see that by all of these acquisitions. That's a really good example to show how valuable this is, because everybody wants it. And the reality is back then I started tracking ransomware, specifically looking at a lot of the CryptoLocker variants, things like CryptoWall, and TorrentLocker, and TeslaCrypt. And there's any number I could go on and on and on about, all these different variations, and how ransomware came to be, and what, you know, adversaries were using it for. But the reality is ransomware has been around for a long, long time, and probably three or four years ago there was this lull in time where people are like, hey, we've got these initiatives like no ransomware.org. We've got the, you know, local law enforcement backing in a bunch of different countries. There's this big huge international effort to basically get rid of ransomware. And it's going to be a thing of the past. And we very clearly see that is not the case. And now with ransomware, you have an evolution over time. It used to be you would have different flavors of ransomware where sometimes it would encrypt your files first and then it would reach back to the command and control. Sometimes it would reach back first to get keys and then it would encrypt. Sometimes the encryptions were breakable, sometimes the keys were stored locally, but a lot of the more recent variants of ransomware are very well done. They're very sophisticated. They will encrypt your files and the keys themselves are held by the adversary. And so there's no way to just decrypt it. You can't create a decryptor like a lot of these security companies do; you would actually have to get that key from the adversary or you would have to restore your systems from a backup. And so the history of ransomware is very long and varied. And you know, one of the core topics we want to discuss today is ransomware isn't by itself anymore. It used to be like ransomware was the name that incited fear, but these guys have evolved over time. And now ransomware operators are doing kind of this triple extortion. Where they will encrypt your files, they've already gained access to that system. So then they will exfiltrate sensitive data and they will have that as kind of a hostage and say, look, you're going to pay us for this ransomware to decrypt your files, to get those back. But guess what? We also have your sensitive data that we're going to post online and sell on underground forums unless you pay us additional money. But now we even have a third stage here. And this is kind of where Roland's going to come in and talk about this is we have DDoS extortion. That is surging. In fact, we did a survey of enterprise internet service providers. And when we asked them what was their biggest concerns in 2020 and going into 2021 about threats, obviously ransomware was number one, but DDoS extortion was number two. And so you have this one-two bang the adversaries are using to be able to extort payment from victims. And this has been going on for a number of years with this kind of double extortion. And now this triple extortion, in fact, going all the way back to the CryptoLocker days you would have banking malware, like Gameover Zeus, where they would get on your system, they would do wire transfers from your bank accounts. They would steal files. And then as a last hurrah they would deploy ransomware and encrypt all your files. And so not only did they steal all your money from the bank. Now, they're going to say, you got to pay us to actually decrypt your files. So this idea of kind of a double tap has been going on for a long time. And more recently, around September of last year, we started to see this DDoS aspect part of these operations. And so, yeah, that's kind of the history of what we're dealing with here.
>> And so DDoS, distributed denial of service. Roland, let you pick up the ball at this point then. Now this evolution, if you will, the triple threat, you know, first you were talking about encryption, then public exposure. And now this DDoS stage, this pillar of the malfeasance, if you will. What kind of headaches is this causing in terms of, from an engineering perspective, from your side of the fence, when you're looking at what your clients are dealing with when all of a sudden they have this entirely new plethora of challenges that are confronting them?
>> Sure. So DDoS goes back a long ways. So it actually goes back to the late 80s and the early ARPANET. And then we started to see non-monetary DDoS extortion in the early 1990s. And we started to see monetary DDoS extortion that kicked off around 1997. So with any, criminals are very, very adaptive. And so when new technologies come online and new ways that they can potentially exploit it for their gain, they will do so, in many cases using old modalities just simply transliterated into the new technology space. And that's what we see with (indistinct) extortion. DDoS attacks are attacks against availability. So the idea is to disrupt the access, (indistinct) access to applications, services, servers, data content, infrastructure, those different types of things. And DDoS attacks can be motivated by pretty much any motivation you can think of. But there is a hard core of DDoS extortionists that we've seen over the years. And as Richard indicated, what we started to see is a convergence between these sets of criminal specialties. And so a few years ago, we actually were disassembling a piece of ransomware and it turned out that it had some very basic DDoS attack capabilities coded into it. It was obviously a prototype, it hadn't been finished, but this showed that these criminals in the ransomware space were thinking about getting into DDoS. And now they've developed this methodology where, like Richard said, number one, they encrypt the files. Number two, they'll threaten to leak information. And then they will DDoS the public facing infrastructure of the organizations to try and put additional pressure on them to pay. And especially now during the pandemic with this wholesale shift to remote work, the attackers for the first time have the ability not only to disrupt the online operations, which is bad enough, but they can actually interfere with the ordinary work day activities of the first-line workforce of organizations. And so this really makes it even more potent. And the ransomware itself is interesting as well because it uses exploits, social engineering, along with technological exploits to exploit the confidentiality and the integrity of data, and to restrict that stuff, which actually turns into an attack against availability. So it's kind of really a different form of DDoS attack, and coupled with a real DDoS attack, it can be very, very challenging. But one thing, John, that we've seen is that organizations, if they have prepared to deal with a DDoS attack from an architectural perspective, from an operational perspective, if they have done the things they need to do to be able to maintain availability even in the face of attack, they are about 80% of where they need to be to be able to withstand a ransomware attack. Conversely, if organizations have been doing a good job in ensuring that their systems are secured, and if they do get hit somehow with ransomware, that they have the ability to maintain operations and communications and recover, they're about 80% of where they need to be to be able to successfully withstand DDoS attacks. And so it turns out that even though these threats are major threats and they are something that organizations need to be aware of, the good news is that a lot of the planning, and resources, and organizational changes that need to be made to face these threats are in fact very similar.
>> Yeah, but (indistinct) mean the challenge is, it's hard work, right? There's an enormous amount of preparation that's got to go into this, and pre-planning, pre-thought, and that's what NETSCOUT is all about, obviously, is trying to get people onto that journey and getting into this examination of their services, and their networks, and... The fact that this can happen on multiple layers, right? It could be application, be protocols, transport, network, whatever, you know, just multiple ways that these DDoS attacks can occur. What kind of, I'd say, well, challenges again does that present in the fact that there are many doors, right? That these attacks can happen from or where these attacks can come from. So how do you then talk to your client base about approaching this kind of examination and these prophylactic measures that you're suggesting that have to be done in order to minimize the damage?
>> It's really about business continuity. Now business continuity planning, which used to be called "disaster recovery planning", right, is something that organizations are very familiar with. It often has executive sponsorship and a lot of planning has gone into it. The thing is DDoS attacks, which are attacks against availability, are in fact a manmade disaster, right? And they interrupt the continuity of business. Same thing with the ransomware, and so from an architectural standpoint, from the standpoint of rolling out new products and services, resiliency to attack, and the ability to maintain availability and continue with operations in the face of attack is really, really key for any organization today which has any kind of significant online presence. And that's really just about all of them. And so from a planning standpoint, it's imperative from an architectural standpoint, whether we're talking about things like network infrastructure, or DNS, or software applications. It's important from an operational standpoint. So one of the things that we see, for example, is that many organizations don't really have a good communications plan. They don't have a good internal communications plan, nor do they have a good external communications plan for communicating during an event. And they don't even have really a plan for dealing with an event that is disruptive to business continuity and operations. And so that is really key. Technology is important, but the most important aspect of this is the human factor: understanding the business, understanding the types of risks to the business's ability to execute on its mission, and then doing the things from a technological perspective, from an operational perspective, and from a communications perspective to maintain operations and communications throughout an event and to be able to emerge on the other side of that agenda successfully.
>> So Richard, you're in threat intelligence, right? Risk assessments. And as you said, you've been around this block for quite some time now. In terms of, I guess, getting people's attention, that has been accomplished now, obviously, with some of these high profile cases. But what about that kind of work that you're doing in terms of trying to communicate these very threats to your client base or to prospective clients, in terms of identifying their real vulnerabilities within their networks and then having them seriously address these? I mean, what's the difference maybe in the mindset now, as opposed to where maybe that conversation was being had a few years ago?
>> I think the biggest difference here is a matter of when and not if. It used to be, you could say, "Oh, I'm never going to get hit by ransomware, or I'm never going to get DDoS attacked." But that is no longer the case. Roland made a really good point that just about every single business in the world now relies on internet connectivity in order to operate their business. If they don't have that, then they're not going to be able to connect with their consumers, their shoppers, if they're a retail, right? If you're a bank, then you have to communicate with your individuals having accounts. And I mean, I have not gone to a physical bank in probably six years. And so that just underscores how important it is to have this internet connectivity. Now, with that comes risk. Not only do you risk the DDoS attacks because you're publicly exposed, and an adversary can actually find your internet space by doing some forensics, such as network scanning, being able to walk that back like passive DNS and their historical records, use things like Shodan to figure out what kind of devices you're running. So there's any number of ways that you can do that. But at the same time you're also exposing yourself to these ransomware operators and really any kind of crimeware operator out there, because they're going to exploit you over the internet. We actually did a case study probably two years ago, looking at brute forcing on networks and looking at exploitation attempts, to figure out like what is the delta? If you have an online internet presence, are you going to get attacked? And the answer was very shocking to us. Yes, you're going to get attacked. And also it's going to be in less than five minutes, from the time a brand new IoT device goes online to the time it starts getting brute force attacked. And within 24 hours you're going to get exploitation attempts from known vulnerabilities or devices that haven't been patched and things like that. And so the reality is not if you're going to get attacked, it's when. And so understanding that is the nature of the threat landscape right now, and having this kind of security awareness. Actually another good point that Roland just brought up was that human element. The human element is kind of the linchpin for any security organization. And as part of my master's I wrote a dissertation about, and I named it as such, my professor didn't really care for this, but I said, "The humans are the weakest link." Because in the security posture, that is essentially true. If you don't have the expertise on a team, you're not going to be able to get things configured properly. If you don't have the expertise, you're not going to be able to respond properly. If you have individuals that aren't concerned about security, now you're going to have a bunch of gaps. Not only that, social engineering is still the number one method that adversaries use to get into organizations, and that manipulates the human element. And so having the security awareness, in what we do here, on this Cube interview, the threat reports we publish, the blogs that we do, all the threat summaries, all of that goes hand-in-hand with educating the general public and having security awareness pushed out as much as possible to every single person we can. And that's really the key, this preparation, this awareness of what adversaries are doing in order to defend against them.
>> So Roland, in your mind, and you've already walked us through a little bit of this about certain steps and measures. Do you think that could be taken, safeguards basically, that everybody should have in place? What is the optimal scenario from an engineering perspective in terms of trying to prevent these kinds of intrusions, these kinds of attacks, in terms of what are those basic pieces, these fundamental pieces as you see it now, understanding, as Richard just told us, that it's a matter of not if, but when?
>> Right. So availability, redundancy, these have to be core architectural principles, whether we're talking about network infrastructure, whether we're talking about important ancillary supporting services like DNS, in terms of personnel, in terms of remote access. All of these different elements and many, many more have to be designed from the outset. All the services in the applications, whether they're used internally, whether they are part of service delivery that an organization is doing across the internet, publicly, there has to be redundancy and resiliency. There has to be a defense plan in order to defend these assets in these organizations against attack. Whether it's DDoS attack or whether it's a containment plan to deal with a ransomware that potentially gets let loose inside the enterprise network, there has to be a plan to contain it, and deal with it, and restore from backup. These plans have to be continuously updated because IT is not static. There are always nuances and changes as organizations provision new services, offer new products, move into new markets and new sub-specializations. And so the plans have to be consistently updated and they have to be rehearsed. You can't have a plan that just exists as pixels on a phosphor somewhere. The plan has to be executed because you're going to find that there's some scenario, some service, or application, or operational process that needs to be updated or that needs to be included in the plan. And this has to be done regularly. Another key point is that you have to have people who are very skilled and who have both depth and breadth of understanding. And either you bring those people into your organization or you reach out and get that expertise from organizations who do in fact have that kind of expertise on tap and available.
>> Well, you both certainly exhibit the depth and the breadth to fight this issue (chuckles). I certainly appreciate the time, the insights, and the warning is quite clear. Be prepared, do the hard work upfront. It could save you a lot of headache on the backside. And it is a matter of when and not if, these days. Richard, Roland, thanks for being with us here on the Cube.
>> Thank you so much.
>> Thank you so much. It's a pleasure.
>> All right, talking about the triple threat of extortion, cyber extortion these days, and DDoS, the distributed denial of service, in the growing problem. It is, but there is a way that you can combat it. And you just learned about that (indistinct) NETSCOUT here on the Cube. (upbeat music)
Richard Hummel, NETSCOUT | CUBE Conversation, July 2021
(upbeat music) >> Hey, welcome to this Cube conversation with NetScout. I'm Lisa Martin. Excited to talk to you. Richard Hummel, the manager of threat research for Arbor Networks, the security division of NetScout. Richard, welcome to theCube. >> Thanks for having me, Lisa, it's a pleasure to be here. >> We're going to unpack the sixth NetScout Threat Intelligence Report, which is going to be very interesting. But something I wanted to start with is we know that and yes, you're going to tell us, COVID and the pandemic has had a massive impact on DDoS attacks, ransomware. But before we dig into the report, I'd like to just kind of get some stories from you as we saw last year about this time rapid pivot to work from home, rapid pivot to distance learning. Talk to us about some of the attacks that you saw in particular that literally hit close to home. >> Sure and there's one really good prime example that comes to mind because it impacted a lot of people. There was a lot of media sensation around this but if you go and look, just Google it, Miami Dade County and DDoS, you'll see the first articles that pop up is the entire district school network going down because the students did not want to go to school and launched a DDoS attack. There was something upwards of 190,000 individuals that could no longer connect to the school's platform, whether that's a teacher, a student or parents. And so it had a very significant impact. And when you think about this in terms of the digital world, that impacted very severely, a large number of people and you can't really translate that to what would happen in a physical environment because it just doesn't compute. There's two totally different scenarios to talk about here. >> Amazing that a child can decide, "I don't want to go to school today." And as a result of a pandemic take that out for nearly 200,000 folks. So let's dig into, I said this is the sixth NetScout Threat Intelligence Report. 
One of the global trends and themes that is seen as evidence in what happened last year is up and to the right. Oftentimes when we're talking about technology, you know, with analyst reports up and to the right is a good thing. Not so in this case. We saw huge increases in threat vectors, more vectors weaponized per attack sophistication, expansion of threats and IOT devices. Walk us through the overall key findings from 2020 that this report discovered. >> Absolutely. And if yo glance at your screen there you'll see the key findings here where we talk about record breaking numbers. And just in 2020, we saw over 10 million attacks, which, I mean, this is a 20% increase over 2019. And what's significant about that number is COVID had a huge impact. In fact, if we go all the way back to the beginning, right around mid March, that's when the pandemic was announced, attacks skyrocketed and they didn't stop. They just kept going up and to the right. And that is true through 2021. So far in the first quarter, typically January, February is the down month that we observe in DDoS attacks. Whether this is, you know, kids going back to school from Christmas break, you have their Christmas routines and e-commerce is slowing down. January, February is typically a slow month. That was not true in 2021. In fact, we hit record numbers on a month by month in both January and February. And so not only do we see 2.9 million attacks in the first quarter of 2021, which, I mean, let's do the math here, right? We've got four quarters, you know, we're on track to hit 12 million attacks potentially, if not more. And then you have this normal where we said 800,000 approximately month over month since the pandemic started, we started 2021 at 950,000 plus. That's up and to the right and it's not slowing down. >> It's not slowing down. It's a trend that it shows, you know, significant impact across every industry. 
And we're going to talk about that but what are some of the new threat vectors that you saw weaponized in the last year? I mean, you talked about the example of the Miami-Dade school district but what were some of those new vectors that were really weaponized and used to help this up and to the right trend? >> So there's four in particular that we were tracking in 2020 and these aren't necessarily new vectors. Typically what happens when an adversary starts using this is there's a proof of concept code out there. In fact, a good example of this would be the RDP over UDP. So, I mean, we're all remotely connected, right? We're doing this over a Zoom call. If I want to connect to my organization I'm going to use some sort of remote capability whether that's a VPN or tunneling in, whatever it might be, right? And so remote desktop is something that everybody's using. And we saw actors start to kind of play around with this in mid 2020. And in right around September, November timeframe we saw a sudden spike. And typically when we see spikes in this kind of activity it's because adversaries are taking proof of concept code, that maybe has been around for a period of time, and they're incorporating those into DDoS for hire services. And so any person that wants to launch a DDoS attack can go into underground forums in marketplaces and they can purchase, maybe it's $10 in Bitcoin, and they can purchase an attack that leverages a bunch of different DDoS vectors. And so adversaries have no reason to remove a vector as new ones get discovered. They only have the motivation to add more, right? Because somebody comes into their platform and says, "I want to launch an attack that's going to take out my opponent." It's probably going to look a lot better if there's a lot of attack options in there where I can just go through and start clicking buttons left and right. 
And so all of a sudden now I've got this complex multi-vector attack that I don't have to pay anything extra for. Adversary already did all the work for me and now I can launch an attack. And so we saw four different vectors that were weaponized in 2020. One of those are notably the Jenkins that you see listed on the screen in the key findings. That one isn't necessarily a DDoS vector. It started out as one, it does amplify, but what happens is Jenkins servers are very vulnerable and when you actually initiate this attack, it tips over the Jenkins server. So it kind of operates as like a DoS event versus DDoS but it still has the same effect on availability, it takes a server offline. And then now just in the first part of 2021 we're tracking multiple other vectors that are starting to be weaponized. And when we see this, we go from a few, you know, incidents or alerts to thousands month over month. And so we're seeing even more vectors added and that's only going to continue to go up and to the right. You know that theme that we talked about at the beginning here. >> As more vectors get added, and what did you see last year in terms of industries that may have been more vulnerable? As we talked about the work from home, everyone was dependent, really here we are on Zoom, dependent on Zoom, dependent on Netflix. Streaming media was kind of a lifeline for a lot of us but it also was healthcare and education. Did you see any verticals in particular that really started to see an increase in the exploitation and in the risk? >> Yeah, so let's start, let's separate this into two parts. The last part of the key findings that we had was talking about a group we, or a campaign we call Lazarus Bear Armada. So this is a global DDoS extortion campaign. We're going to cover that a little bit more when we talk about kind of extorted events and how that operates but these guys, they started where the money is. 
And so when they first started targeting industries and this kind of coincides with COVID, so it started several months after the pandemic was announced, they started targeting financial organizations, commercial banking. They went after stock exchanges. Many of you would hear about the New Zealand Stock Exchange that went offline. That's this LBA campaign and these guys taking it off. So they started where the money is. They moved to financial-adjacent targeting, insurance companies. They targeted currency exchange places. And then slowly from there, they started to expand. And in so much as our Arbor Cloud folks actually saw them targeting organizations that are part of vaccine development. And so these guys, they don't care who they hurt. They don't care who they're going after. They're going out there for a payday. And so that's one aspect of the industry targeting that we've seen. The other aspect is you'll see, on the next slide here, we actually saw a bunch of different verticals that we really haven't seen in the top 10 before. In fact, if you actually look at this you'll see the number one, two and three are pretty common for us. We almost always are going to see these kinds of telecommunications, wireless, satellite, broadband, these are always going to be in the top. And the reason for that is because gamers and DDoS attacks associated with gaming is kind of the predominant thing that we see in this landscape. And let's face it, gamers are on broadband operating systems. If you're in Asian communities, often they'll use mobile hotspots. So now you start to have wireless come in there. And so that makes sense seeing them. But what doesn't make sense is this internet publishing and broadcasting and you might say, "Well, what is that?" Well, that's things like Zoom and WebEx and Netflix and these other streaming services. And so we're seeing adversaries going after that because those have become critical to people's way of life. 
Their entertainment, what they're using to communicate for work and school. So they realized if we can go after this it's going to disrupt something and hopefully we can get some recognition. Maybe we can show this as a demonstration to get more customers on our platform or maybe we can get a payday. In a lot of the DDoS attacks that we see, in fact most of them, are all monetary focused. And so they're looking for a payday. They're going to go after something that's going to likely, you know, send out that payment. And then just walk down the line. You can see COVID through this whole thing. Electronic shopping is number five, right? Everybody turned to e-commerce because we're not going to in-person stores anymore. Electronic computer manufacturing, how many more people have to get computers at home now because they're no longer in a corporate environment? And so you can see how the pandemic has really influenced this industry target. >> Significant influencer and I also wonder too, you know, Zoom became a household name for every generation. You know, we're talking to five generations and maybe the generations that aren't as familiar with computer technology might be even more exploitable because it's easy to click on a phishing email when they don't understand how to look for the link. Let's now unpack the different types of DDoS attacks and what is on the rise. You talked about in the report the triple threat and we often think of that in entertainment. That's a good thing, but again, not here. Explain that triple threat. >> Yeah, so what we're seeing here is we have adversaries out there that are looking to take advantage of every possible angle to be able to get that payment. And everybody knows ransomware is a household name at this point, right? And so ransomware and DDoS have a lot in common because they both attack the availability of network resources, whether computers or devices or whatever they might be. 
And so there's a lot of parallels to draw between the two of these. Now ransomware is a denial of service event, right? You're not going to have tens of thousands of computers hitting a single computer to take it down. You're going to have one exploitation of events. Somebody clicked on a link, there was a brute force attempt that managed to compromise a box's credentials, whatever it might be, ransomware gets put on a system, it encrypts all your files. Well, all of a sudden, you've got this ransom note that says "If you want your files decrypted you're going to send us this amount in Bitcoin." Well, what adversaries are doing now is they're capitalizing on the access that they already gained. So they already have access to the computer. Well, why not steal all the data first then let's encrypt whatever's there. And so now I can ask for a ransom payment to decrypt the files and I can ask for an extortion to prevent me from posting your data publicly. Maybe there's sensitive corporate information there. Maybe you're a local school system and you have all of your students' data on there. You're a hospital that has sensitive PII on it, whatever it might be, right? So now they're going to extort you to prevent them from posting that publicly. Well, why not add DDoS to this entire picture? Now you're already encrypted, we've already got your files, and I'm going to DDoS your system so you can't even access them if you wanted to. And I'm going to tell you, you have to pay me in order to stop this DDoS attack. And so this is that triple threat and we're seeing multiple different ransomware families. In fact, if you look at one of the slides here, you'll see that there's SunCrypt, there's Ragnar Locker, and then Maze did this initially back in September and then more recently, even the DarkSide stuff. I mean, who hasn't heard about DarkSide now with the Colonial Pipeline event, right? 
So they came out and said, "Hey we didn't intend for this collateral damage but it happened." Well, April 24th, they actually started offering DDoS as part of their tool kits. And so you can see how this has evolved over time. And adversaries are learning from each other and are incorporating this kind of methodology. And here we have a triple extortion event. >> It almost seems like triple extortion event as a service with the opportunities, the number of vectors there. And you're right, everyone has heard of the Colonial Pipeline and that's where things like ransomware become a household term, just as much as Zoom and video conferencing and streaming media. Let's talk now about the effects that the threat report saw and uncovered region by region. Were there any regions in particular that were, that really stood out as most impacted? >> So not particularly. So one of the phenomena that we actually saw in the threat report, which, you know, we probably could have talked about it before now but it makes sense to talk about it regionally because we didn't see any one particular region, one particular vertical, a specific organization, specific country, none was more heavily targeted than another. In fact what we saw is organizations that we've never seen targeted before. We've seen industries that have never been targeted before all of a sudden are now getting DDoS attacks because we went from a local on-prem, I don't need to be connected to the internet, I don't need to have my employees remote access. And now all of a sudden you're dependent on the internet which is really, let's face it, that's critical infrastructure these days. And so now you have all of these additional people with a footprint connected to the internet that adversaries can figure out and they can poke at it. And so what we saw here is just overall, all industries, all regions saw these upticks. The exception would be in China. 
We actually saw that in the Asia Pacific region specifically, but predominantly in China. But that often has to do with visibility rather than a decrease in attacks because they have their own kind of infrastructure in China. Brazil's the same way. They have their own kind of ecosystems. And so often you don't see what happens a lot outside the borders. And so from our perspective, we might see a decrease in attacks but, for all we know, they actually saw an increase in the attacks that is internal to their country against their country. And so across the board, just increases everywhere you look. >> Wow. So let's talk about what organizations can do in light of this. As we are here, we are still doing this program by video conferencing and things are opening up a little bit more, at least in the States anyway, and we're talking about more businesses going back to some degree but there's going to still be some mix, some hybrid of working from home and maybe even distance learning. So what can enterprises do to prepare for this when it happens? Because it sounds to me like with the sophistication, the up and to the right, it's not if we get attacked, it's when. >> It's when, exactly. And that's just it. I mean, it's no longer something that you can put off. You can't just assume that I've never been DDoS attacked, I'm never going to be DDoS attacked anymore. You really need to consider this as part of your core security platform. I like to talk about defense in depth or a layered defense approach where you want to have a layered approach. So, you know, maybe they target your first layer and they don't get through. Or they do get through and now your second layer has to stop it. Well, if you have no layers or if you have one layer, it's not that hard for an adversary to figure out a way around that. And so preparation is key. Making sure that you have something in place and I'm going to give you an operational example here. 
One of the things we saw with the LBA campaigns is they actually started doing network reconnaissance for their targets. And what they would do is they would take the IP addresses belonging to your organization. They would look up the domains associated with that and they would figure out like, "Hey, this is bpn.organization.com or VPN two." And all of a sudden they've found your VPN concentrator and so that's where they're going to focus their attack. So something as simple as changing the way that you name your VPN concentrators might be sufficient to prevent them from hitting that weak link, or right sizing the DDoS protection services for your company. Do you need something as big as on-prem solutions? We need hardware. Do you instead want to do a managed service? Or do you want to go and talk to a cloud provider because there's right solutions and right sizes for all types of organizations. And the key here is preparation. In fact, all of the customers that we've worked with for the LBA extortion campaigns, if they were properly prepared they experienced almost no downtime or impact to their business. It's the people like the New Zealand Stock Exchange or their service provider that wasn't prepared to handle the attacks that were sent at them that were crippled. And so preparation is key. The other part is awareness. And that's part of what we do with this threat report because we want to make sure you're aware what adversaries are doing, when new attack vectors are coming out, how they're leveraging these, what industries they're targeting because that's really going to help you to figure out what your posture is, what your risk acceptance is for your organization. And in fact, there's a couple of resources that we have here on the next slide. And you can go to both of these. One of them is the threat report. You can view all of the details. And we only scratched the surface here in this Cube interview. 
So definitely recommend going there but the other one is called Horizon, and netscout.com/horizon is a free resource you can register for but you can actually see near real-time attacks based on industry and based on region. So if your organization is out there and you're figuring, "Well I'm never attacked." Well go look up your industry. Go look up the country where you belong and see is there actually attacks against us? And I think you'll be quite surprised that there's quite a few attacks against you. And so definitely recommend checking these out. >> Great resources netscout.com/horizon, netscout.com/threatreport. I do want to ask you one final question. That's in terms of timing. We saw the massive acceleration in digital transformation last year. We've already talked about this a number of times on this program. The dependence that businesses and consumers, like globally in every industry, in every country, have on streaming on communications right now. In terms of timing, though, for an organization to go from being aware to understanding what adversaries are doing, to being prepared, how quickly can an organization get up to speed and help themselves start reducing their risks? >> So I think that with DDoS, as opposed to things like ransomware, the ramp up time for that is much, much faster. There is a finite period of time with DDoS attacks that is actually going to impact you. And so maybe you're a smaller organization and you get DDoS attacked. There's a, probably a pretty high chance that that DDoS attack isn't going to last for multiple days. So maybe it's like an hour, maybe it's two hours, and then you recover. Your network resources are available again. That's not the same for something like ransomware. You get hit with ransomware, unless you pay or you have backups, you have to do the rigorous process of getting all your stuff back online. DDoS is more about as soon as the attack stops, the saturation goes away and you can start to get back online again. 
So it might not be as like immediate critical that you have to have something but there's also solutions, like a cloud solution, where it's as simple as signing up for the service and having your traffic redirected to their scrubbing center, their detection center. And then you may not have to do anything on-prem yourself, right? It's a matter of going out to an organization, finding a good contract, and then signing up, signing on the dotted line. And so I think that the ramp up time for mitigation services and DDoS protection can be a lot faster than many other security platforms and solutions. >> That's good to know 'cause with the up and to the right trend that you already said, the first quarter is usually slow. It's obviously not that way as what you've seen in 2021. And we can only expect, when we talk to you next year, that the up and to the right trend may continue. So hopefully organizations take advantage of these resources, Richard, that you talked about to be prepared to mediate and protect their you know, their customers, their employees, et cetera. Richard, we thank you for stopping by theCube. Talking to us about the sixth NetScout Threat Intelligence Report. Really interesting information. >> Absolutely; definitely a pleasure to have me here. Lisa, anytime you guys want to do it again, you know where I live? >> Yes. It's one of my favorite topics that you got and I got to point out the last thing, your Guardians of the Galaxy background, one of my favorite movies and it should be noted that on the NetScout website they are considered the Guardians of the Connected World. I just thought that connection was, as Richard told me before we went live, not planned, but I thought that was a great coincidence. Again, Richard, it's been a pleasure talking to you. Thank you for your time. >> Thank you so much. >> Richard Hummel, I'm Lisa Martin. You're watching this Cube conversation. (relaxing music)
Richard Hummel & Roland Dobbins, NETSCOUT
(upbeat music) (air whooshing) >> Hi everybody. John Walls here continuing our Cube Conversations here focusing on NETSCOUT today and the growing problem of ransomware. Obviously very much in the news these days for a couple of high profile cases. It is certainly an increasing challenge, but by no means a new phenomenon at all. With us to talk about this is Roland Dobbins who is the principal engineer of NETSCOUT's ASERT team. And Roland, good to see you today, sir. Thanks for joining us. >> Good to see you as well. And Richard Hummel who's Threat Intelligence research lead for the ASERT Team. And Richard, thank you for being with us as well here on the Cube. >> Absolutely John, thanks for having us. >> Yeah, let's just jump right in here. Ransomware, obviously we're all well aware of a couple of high profile cases, as I alluded to. Let's talk about first, the magnitude and scale of the problem, as it currently exists. And Roland, I'm going to let you just set the table for us here. Let's talk about ransomware, where it was maybe four or five years ago, and then the challenge has become today? >> Actually, John, if you don't mind I'd really like to hand that one to my colleague, Richard because >> By all means, so Richard- >> he really has an in-depth background there if that's okay. >> Richard, jump in on that. >> Absolutely. Yeah. And so (clears throat) I'll handle all the ransomware stuff, namely because I've been doing this for going on seven years now of looking specifically at ransomware. I started this right around the time I joined iSight Partners, you know leading premier provider of threat intelligence who was acquired by FireEye and now Mandiant, and now even a conglomerate that just acquired Mandiant. So there's been a series of acquisitions here but the reality is this threat intelligence has been pervasive across all of these. And you can see that over time that value hasn't diminished. And you can see that by all of these acquisitions. 
That's a really good example to show how valuable this is because everybody wants it. And the reality is back then I started tracking ransomware specifically looking at a lot of the CryptoLocker variants, things like CryptoWall, and TorrentLocker, and TeslaCrypt. And there's any number I could go on and on and on about all these different variations, and how ransomware came to be, and what you know, adversaries were using it for. But the reality is ransomware has been around for a long, long time and probably three or four years ago. There was this lull in time where people are like, hey we've got these initiatives like no ransomware.org. We've got the, you know, local law enforcement backing in a bunch of different countries. There's this big huge international effort to basically get rid of ransomware. And it's going to be a thing of the past. And we very clearly see that is not the case. And now with ransomware, you have an evolution over time. It used to be you would have different flavors of ransomware where sometimes it would encrypt your files first and then it would reach back to the command control. Sometimes it would reach back first to get keys and then it would encrypt. Sometimes the encryptions were breakable, sometimes the keys were stored locally, but a lot of the more recent variants of ransomware are very well done. They're very sophisticated. They will encrypt your files and the keys themselves are held by the adversary. And so there's no way to just decrypt it. You can't create a decryptor like a lot of these security companies do; you would actually have to get that key from the adversary or you would have to restore your systems from a backup. And so the history of ransomware is very long and varied. And you know one of the core topics we want to discuss today is ransomware isn't by itself anymore. It used to be like ransomware was the name that incited fear but these guys have evolved over time. 
And now ransomware operators are doing kind of this triple extortion. Where they will encrypt your files, they've already gained access to that system. So then they will exfiltrate sensitive data and they will have that as kind of a hostage and say, look you're going to pay us for this ransomware to decrypt your files, to get those back. But guess what? We also have your sensitive data that we're going to post online and sell on underground forums unless you pay us additional money. But now we even have a third stage here. And this is kind of where Roland's going to come in and talk about this is we have DDoS extortion. That is surging. In fact, we did a survey of enterprise internet service providers. And when we asked them what was their biggest concerns in 2020 and going into 2021 about threats, and obviously ransomware was number one but DDoS extortion was number two. And so you have this one, two bang the adversaries are using to be able to extort payment from victims. And this has been going on for a number of years with this kind of double extortion. And now this triple extortion, in fact going all the way back to the CryptoLocker days you would have banking malware, like Gameover Zeus where they would get on your system, they would do wire transfers from your bank accounts. They would steal files. And then as a last hurrah they would deploy ransomware and encrypt all your files. And so not only did they steal all your money from the bank. Now, they're going to say, you got to pay us to actually decrypt your files. So this idea of kind of a double tap has been going on for a long time. And more recently around September of last year we started to see this DDoS aspect part of these operations. And so, yeah, that's kind of the history of what we're dealing with here. >> And so, and DDoS, distributed denial of service, Roland let you pick up the ball at this point then. 
Now this evolution, if you will, the triple threat, you know first you were talking about encryption, then public exposure. And now this DDoS stage, this pillar of the malfeasance, if you will, what kind of headaches is this causing in terms of, from an engineering perspective, from your side of the fence when you're looking at what your clients are dealing with when all of a sudden they have this entirely new plethora of challenges that are confronting them. >> Sure. So DDoS goes back a long ways. So it actually goes back to the late 80s and the early ARPANET. And then we started to see non-monetary DDoS extortion in the early 1990s. And we started to see monetary DDoS extortion that kicked off around 1997. So with any, criminals are very, very adaptive. And so when new technologies come online and new ways that they can potentially exploit it for their gain, they will do so in many cases using old modalities just simply transliterated into the new technology space. And that's what we see with (indistinct) extortion. DDoS attacks are attacks against availability. So the idea is to disrupt the access, (indistinct) access to applications, services, servers, data content, infrastructure, those different types of things. And DDoS attacks can be motivated by pretty much any motivation you can think of. But there is a hard core of DDoS extortionists that we've seen over the years. And as Richard indicated what we started to see is a convergence between these sets of criminal specialties. And so a few years ago, we actually were disassembling a piece of ransomware and it turned out that it had some very basic DDoS attack capabilities coded into it. It was obviously a prototype, it hadn't been finished, but this showed that these criminals in the ransomware space were thinking about getting into DDoS. And now they've developed this methodology where like Richard said, they, number one, they encrypt the files. Number two, they'll threaten to leak information. 
And then they will DDoS the public facing infrastructure of the organizations to try and put additional pressure on them to pay. And especially now during the pandemic with this wholesale shift to remote work. The attackers for the first time have the ability not only to disrupt the online operations which is bad enough, but they can actually interfere with the ordinary work day activities of the first-line workforce of organizations. And so this really makes it even more potent. And the ransomware itself is interesting as well because it uses exploits (indistinct), social engineering, along with technological exploits to exploit the confidentiality and the integrity of data, and to restrict that stuff which actually turns into an attack against availability. So it's kind of really a different form of DDoS attack and coupled with a real DDoS attack, it can be very, very challenging. But one thing John that we've seen is that organizations, if they have prepared to deal with a DDoS attack from an architectural perspective, from an operational perspective, if they have done the things they need to do to be able to maintain availability even in the face of attack, they are about 80% of where they need to be to be able to withstand a ransomware attack. Conversely, if organizations have been doing a good job in ensuring that their systems are secured and if they do get hit somehow with ransomware that they have the ability to maintain operations and communications and recover, they're about 80% of where they need to be to be able to successfully withstand DDoS attacks. And so it turns out that even though these threats are major threats and they are something that organizations need to be aware of, the good news is that a lot of the planning, and resources, and organizational changes that need to be made to face these threats are in fact very similar. >> Yeah, but (indistinct) mean the challenge is, it's hard work, right? 
There's an enormous amount of preparation that's got to go into this, and pre-planning, pre-thought, and that's what NETSCOUT is all about, obviously, is trying to get people onto that journey and getting into this examination of their services, and their networks, and... The fact that this can happen on multiple layers, right? It could be application, protocols, transport, network, whatever, you know, just multiple ways that these DDoS attacks can occur. What kind of, I'd say, well, challenges again does that present in the fact that there are many doors, right? That these attacks can happen from or where these attacks can come from. So how do you then talk to your client base about approaching this kind of examination and these prophylactic measures that you're suggesting have to be done in order to minimize the damage? >> It's really about business continuity. Now business continuity planning, which used to be called "disaster recovery planning", right, is something that organizations are very familiar with. It often has executive sponsorship and a lot of planning has gone into it. The thing is, DDoS attacks, which are attacks against availability, are in fact a man-made disaster, right? And they interrupt the continuity of business. Same thing with the ransomware. And so from an architectural standpoint, from the standpoint of rolling out new products and services, resiliency to attack, and the ability to maintain availability and continue with operations in the face of attack, is really, really key for any organization today which has any kind of significant online presence. And that's really just about all of them. And so from a planning standpoint, it's imperative. From an architectural standpoint, whether we're talking about things like network infrastructure, or DNS, or software applications, it's important. From an operational standpoint, it's important. 
So one of the things that we see, for example, is that many organizations don't really have a good communications plan. They don't have a good internal communications plan, nor do they have a good external communications plan for communicating during an event. And they don't even really have a plan for dealing with an event that is disruptive to business continuity and operations. And so that is really key. Technology is important, but the most important aspect of this is the human factor: understanding the business, understanding the types of risks to the business's ability to execute on its mission, and then doing the things from a technological perspective, from an operational perspective, and from a communications perspective to maintain operations and communications throughout an event and to be able to emerge on the other side of that agenda successfully. >> So Richard, you're in threat intelligence, right? Risk assessments. And as you said, you've been around this block for quite some time now. In terms of, I guess, getting people's attention, that has been accomplished now, obviously, with some of these high-profile cases. But what about that kind of work that you're doing in terms of trying to communicate these very threats to your client base or to prospective clients, in terms of identifying their real vulnerabilities within their networks and then having them seriously address these? I mean, what's the difference maybe in the mindset now, as opposed to where maybe that conversation was being had a few years ago? >> I think the biggest difference here is a matter of when and not if. It used to be, you could say, "Oh, I'm never going to get hit by ransomware or I'm never going to get DDoS attacked." But that is no longer the case. Roland made a really good point that just about every single business in the world now relies on internet connectivity in order to operate their business. 
If they don't have that, then they're not going to be able to connect with their consumers, their shoppers, if they're a retailer, right? If you're a bank, then you have to communicate with your individuals having accounts. And I mean, I have not gone to a physical bank in probably six years. And so that just underscores how important it is to have this internet connectivity. Now, with that comes risk. Not only do you risk the DDoS attacks because you're publicly exposed in an adversary where you can actually find your internet space by doing some forensics, such as network scanning, being able to walk that back like a passive DNS but their historical records, use things like showdown to figure out what kind of devices you're running. So there's any number of ways that you can do that. But at the same time you're also exposing yourself to these ransomware operators and really any kind of crimeware operator out there, because they're going to exploit you over the internet. We actually did a case study probably two years ago, looking at brute forcing on networks and looking at exploitation attempts to figure out, like, what is the delta? If you have an online internet presence, are you going to get attacked? And the answer was very shocking to us. Yes, you're going to get attacked. And also it's going to be in less than five minutes, from the time a brand new IoT device goes online to the time it starts getting brute force attacked. And within 24 hours you're going to get exploitation attempts from known vulnerabilities or devices that haven't been patched and things like that. And so the reality is not if you're going to get attacked, it's when. And so understanding that is the nature of the threat landscape right now and having this kind of security awareness. Actually, another good point that Roland just brought up was that human element. The human element is kind of the linchpin for any security organization. 
And as part of my master's I wrote a dissertation about it, and I named it as such, my professor didn't really care for this, but I said, "The humans are the weakest link." Because in the security posture, that is essentially true. If you don't have the expertise on a team, you're not going to be able to get things configured properly. If you don't have the expertise, you're not going to be able to respond properly. If you have individuals that aren't concerned about security, now you're going to have a bunch of gaps. Not only that, social engineering is still the number one method that adversaries use to get into organizations, and that manipulates the human element. And so having the security awareness in what we do here, on this Cube interview, the threat reports we publish, the blogs that we do, all the threat summaries, all of that goes hand-in-hand with educating the general public and having security awareness pushed out as much as possible to every single person we can. And that's really the key, this preparation, this awareness of what adversaries are doing in order to defend against them. >> So Roland, in your mind, and you've already walked us through a little bit of this about certain steps and measures, do you think that could be taken, safeguards, basically, that everybody should have in place? What is the optimal scenario from an engineering perspective in terms of trying to prevent these kinds of intrusions, these kinds of attacks, in terms of what are those basic pieces, these fundamental pieces as you see it now, understanding, as Richard just told us, that it's a matter of not if, but when? >> Right. So availability, redundancy, these have to be core architectural principles, whether we're talking about network infrastructure, whether we're talking about important ancillary supporting services like DNS, in terms of personnel, in terms of remote access. All of these different elements and many, many more have to be designed from the out. 
All the services and the applications, whether they're used internally, whether they are part of service delivery that an organization is doing across the internet publicly, there has to be redundancy and resiliency. There has to be a defense plan in order to defend these assets in these organizations against attack. Whether it's a DDoS attack or whether it's a containment plan to deal with ransomware that potentially gets let loose inside the enterprise network, there has to be a plan to contain it, and deal with it, and restore from backup. These plans have to be continuously updated because IT is not static. There are always noose and nance and changes as organizations provision new services, offer new products, move into new markets and new sub-specializations. And so the plans have to be consistently updated and they have to be rehearsed. You can't have a plan that just exists as pixels on a phosphor somewhere. The plan has to be executed, because you're going to find that there's some scenario, some service, or application, or operational process that needs to be updated or that needs to be included in the plan. And this has to be done regularly. Another key point is that you have to have people who are very skilled and who have both depth and breadth of understanding. And either you bring those people into your organization or you reach out and get that expertise from organizations who do in fact have that kind of expertise on tap and available. >> Well, you both certainly exhibit the depth and the breadth to fight this issue (chuckles). I certainly appreciate the time, the insights, and the warning is quite clear. Be prepared, do the hard work upfront. It could save you a lot of headache on the backside. And it is a matter of when and not if, these days. Richard, Roland, thanks for being with us here on the Cube. >> Thank you so much. >> Thank you so much. It's a pleasure. 
>> All right, talking about the triple threat of extortion, cyber extortion these days, and DDoS, the distributed denial of service in the growing problem. It is, but there is a way that you can combat it. And you just learned about that (indistinct) NETSCOUT here on the Cube. (upbeat music)
Anil Singhal, NETSCOUT | CUBE Conversation
>> From theCUBE studios in Palo Alto and Boston, connecting with thought leaders all around the world, this is a CUBE Conversation. >> Hello everyone, this is Dave Vellante with theCUBE and welcome to this conversation. With me is Anil Singhal, who is the CEO of NETSCOUT. Anil, it's a pleasure to speak with you today. Thanks so much for coming on the program. >> Thank you. >> So I want to talk a little bit about NETSCOUT. We're kind of at theCUBE, we're sort of enamored by founder-led companies. I mean, you started NETSCOUT right around the same time that I entered the tech business, and you remember back then it was an industry dominated by IBM, monolithic systems were the norm, in the form of mainframes, you had mini computers, PCs, and things like PC local area networks, they were in their infancy. In fact, most of the PCs, as you remember, they didn't even have hard disks in them. So I want to start with, what was it that you saw 35 years ago that led you to start NETSCOUT and at the time, did you even imagine that you'd be creating a company with a billion dollars worth of revenue and a much larger market cap? >> Well, certainly I had not imagined where we'll be right now, and we didn't know that this'll be the outcome. I mean, we just happened to be at the right place at the right time, but we did have a vision. Some of you had the feeling, we are enamored by networking, and we thought that network will be the business. In fact, our business card in 91 said, "Network is the business." And so somehow we got that right, and we said, these things will be connected. And overall, we found then that the IP convergence first in the enterprise in 90s, and then internet, and carriers moving from analog to digital, (indistinct) talk about digital transformation in last few years, but this has been going on for the last 30 years. And as we add what we were doing, become relevant to more and more people over time. For example, now even power companies use our product. 
And we have IoT devices coming in. So basically what we do is we said we are going to provide visibility through looking at the traffic, through the lens and the vantage point of the network. A lot of people think we are just doing network monitoring or had been doing that. But actually we use the network as a vantage point, which other people are not doing, most of the people have accidental data from devices as the basis of visibility. And that turned out to be very successful, but at some point, different points in our life, we became responsible for the market, not just for NETSCOUT. And that changed the shape of the company, and what we did and how we drove the innovation. >> I want to get into some of that, but I'm still really enamored of and fascinated by the beginnings. I mean, I worked for a founder-led, a chairman, a guy named Pat McGovern who built a media empire. He had these 10 sort of core principles, he used to test us on 'em, we'd carry around little note cards, things that today still serve us. You know, stay close to the customer, you know, keep the corporate staff lean, promote from within, respect for individuals, things that are drilled into your head. I wonder, you know, what are the principles that, you know, sometimes they become dogma, but they're good dogma. I don't mean that as a pejorative. What are the things that you built your business on, the principles that you're sort of most proud of? >> Well, I think there is, so there are five, in fact, we call some of these tenets our five tenets. We call this high ambition leadership, which is more than just about making money. And just like the US is the leader of the free world, we have a responsibility beyond US. Same way, NETSCOUT has a responsibility beyond our own company and revenue and our stakeholders. So with that in mind, we have these five things, which I think I wouldn't have been able to articulate that 20 years ago, like this. But they were always there. 
So firstly, there's guardians of the connected world, which you see it on our website, guardians care about their asset, it's not just about money. We are going to solve problems in the connected world, which nobody else is able to solve, or have the passion or have the resources and willpower to do it. So that's the overall theme of the company. Guardians of the connected world, connected world is changing, new problems are coming. Our goal is there are pros and cons of every new thing. Our goal is to remove all the cons so you can enjoy the pros. So that's guardian of the connected world. Then our mission is accelerate digital transformation, meaning remove the roadblocks. People are looking at enablers, but there are barriers also. How do you remove the barriers for our customers, so they can improve the fruits of digital transformation? For example, going to the cloud allows you to outsource some of us, especially in these times of agility and dependency, you can cut your costs, but that comes with a price that you lose control. So our product brings the control back. So now you can enjoy the pros and the cons and I call it sometimes how do you change the wheels of your car while driving? If you change four wheels, then car is going to fall down, but how do you put one wheel in the cloud? Well, that's what our vision is. Visibility without borders. We'll give you the same information, which is the third part. That's why we have this tagline and therefore the company. And then we have the mission, accelerating digital transformation, but our vision is visibility without borders. When you run your application, no matter where you run, we'll give you the same piece of information. That allows the people to make this migration transparent from a monitoring and visibility point of view. And then the fourth area is about our technology. We call it smart data technology, and the whole world is talking about artificial intelligence, machine learning. 
But what are you going to learn, is your AI really authentic or is it truly artificial? And that comes from smart data. Data is the oil of the new industry. That's the oil, and people are not focusing on that. They're saying, "I have lots of data," but you don't have the data which we have. In the past, we said, we are not going to share the data with third parties. And recently we have changed that, and say, "Yeah, there is a price for that. We'll do that." So we are branding ourselves as a smart data company, where the whole industry is talking about smart analytics. And I said, "We make smart people smarter." And lastly, the value system of NETSCOUT is called lean, but not mean, okay? Anybody can get lean. If you get fat, you can get the operation. But how do you do lean decision making so you never have to be in mean? Like NETSCOUT never had to lay off in the last 35 years, we have ups and down, our stock has gone to $3 and has gone to $40, but companies continued to invest, and that's why we have this reputation we have, whether it's (indistinct). The tenure at NETSCOUT is 10, 15 years minimum, even in sales, and people don't realize the power of that because some of our customers tell us, "Hey, your salespeople are around longer than our employees." And that (indistinct) builds a franchise of loyalty in the customer base. We underestimate that, this continuity part. So that in many aspect of not, what is the definition of not being mean, that lean and mean is sort of people are very proud of that. And I think you can be lean without being mean. And then how do you become lean, is don't hire when in good times, unless you need them. The reason people are able to do it, is because they think "I can fire anytime, so let's build up the fat." 
So there a lot of decision-making we do around this, and that's what I talk about in the book, it's not about technology, and this is, I would say is just one of the five tenets, but it's probably one of the most important ones. And it's one of the biggest differentiators of NETSCOUT. >> Well, it's obviously served you well, I mean, no layoffs in 35 years, the retention metric is very impressive. I mean, again, I go back to my experience. I was at IDG for 15 years. My passion was always to start my own company, but I didn't want to leave 'cause it was such a great culture, and it seems like you've created something similar. You know, I talk to CIOs and CTOs a lot too about, it's always people, process, technology. And of course we want to talk about tech 'cause we love talking about tech, but they always tell me, "Look, tech comes and goes," it's the processes that you put in place, the culture that you have in place, we could deal with the tech, and it sounds like you've created a similar dynamic. And I think back again, when you started, there were proprietary networks, it was IBM SNA, DEC network, every mini computer had its own network. Then, you know, TCP/IP came in and the whole world changed and exploded. But yet you said guardians of the connected world, and that's kind of been your focus from really day one. You know, I loved what you said about the business. The network is the business. Remember the network is the computer that Scott McNealy popularized. So really kind of a similar dynamic there. So it seems, Anil, that that framework that you just laid out, those core principles, have actually allowed you to ebb, to flow, to deal with stock prices and still retain people for very long periods of time. >> Maybe one more thing to add there is that on the lean but not, many talk about generalities. We don't look any different. Like everyone cares about happy customers. They care about happy employees and they care about happy stakeholders, shareholders. 
Everyone, including us. But what's the order? Where do you start? So we start with employees. We say happy employees, then we get happy customers. And then because of that, they buy more stuff and we create happy shareholders. Whereas if you start with happy shareholders, you may not get happy employees. And so all I'm saying is that everyone probably believes in what we are saying or what I'm saying, but how they implement it, and then like really walking the talk is the most important part. >> Well, I think you're right. I mean, I think the financials is a by-product of happy employees, which drive happy customers. If you take care of employees and customers, then good things will happen. If you start with trying to micromanage the finances. Of course, we all attempted to do that. I wonder if we could talk a little bit about, so just to bring it forward a little bit, we're talking about how NETSCOUT has essentially from a cultural standpoint, been able to withstand the ups, the downs, I mean, you've seen since, you know, it's over 35 years, a lot of the downturns and the tech softness, the tech bubbles, the great recession. Obviously now we're in the middle of a pandemic. And I wonder if you could talk to that specifically. So the data that we have from our survey partner, ETR, Enterprise Technology Research, shows that before the pandemic around 16% of employees worked from home, we're talking about truly remote workers, not, you know, a couple of days a week. And when we talk to CIOs today, they tell us it's well over 70% now, but they fully expect that when, you know, the world comes back to the new abnormal, I call it, that number's going to, that 16% is going to double to, more than double to 34%. So it puts stress on the network. It changes the direction of the traffic. It changes the security emphasis. Maybe you could talk a little bit about that just in terms of how you are helping your customers respond, specifically. 
>> So I always talk about like, is this a new problem or is the bad problem getting worse? So I contend that bad problem getting worse. So if you make the bad to zero, then you can't multiply. So I think it's highlighting some of the problems which are already there, are being highlighted by, a lot of people are telling, "Are you seeing more attacks?" No, we are becoming more conscious of the attacks we always had. We have more time, by the way, hackers have more time too, because they're also sitting at home doing things. So what I feel is that, two parts. One is that I think people should not, when the new normal comes, or new abnormal, then I think people should not make people work from home for the wrong reason. Certain people are saying, "Oh, I can save money." That's the wrong reason. But if it's efficient, we should do that. So we are doing some interesting things for home users to feel how they can feel that they're really working from the office. And so, yeah, there are some new challenges on how we monitor, because when the user complains now about the performance to IT, because they can't get their work, they don't know whether it's our network or is the ISP, or is their wifi network. So we try to provide the root cause analysis as quickly as possible, which we call mean time to know. And one of the things I didn't mention earlier, about what is the uniqueness of our technology when we use the network vantage point to drive visibility, it's almost like the blood test. When you have a problem, if you tell the doctor, I say "Hey, what is my problem?" And they start looking at all kinds of things. It's going to take forever. But if I take the blood test, I will know what the next thing to do. So in a way, we are doing the blood test of the user experience, security problems. And when we do that, we can come up with some very unique things. 
So we think that we'll be moving on into other areas, or the visibility is the means to an end, the end could be performance management, could be visibility, troubleshooting, and could be security forensics. Like blood tests can be used for DNA evidence also. And so we have all the technology, so we are moving on, as we move to the home user, we are applying that our techniques, not just for service assurance or end user experience monitoring, but also for security forensics. And one example I give you the, I always talk more than you'll see that in my book, being different before being better. First be different, get the ear flecks out of the ideas before you tell the story. And you don't do that, even though we are very big, we are very small compared to a lot of companies in the industry, compared to big players like Cisco, IBM, and all those. So the new thing which we are looking at in security is, the security industry is catching the act. We are going to catch the actors. If I can get into the, what they were doing before the act, before they did the ransomware, what were they doing? Well, that requires continuous monitoring of the traffic. And that's what we do. So when we do catch the actor, catching the thief, not what they're stealing, then you're preventing tomorrow's attack. And that's basically the innovation part of NETSCOUT, which we have been pushing for. But we somehow decided not to apply that to security because we had other problems to be solved as guardians of the connected world from a monitoring point of view. And so those are some of the things we'll be applying as we move forward. And I feel that those are equally applicable before the pandemic and after the pandemic. And it's just polarized more, because more people are working from home. >> It's interesting what you're saying about the blood test. That's a great analogy because it kind of eliminates the guesswork, and removes the opaqueness. 
It goes right to sort of the heart of the matter, you called it mean time to know. And it's interesting too, to look at productivity. I mentioned some of the survey work, when we talk to organizations, they say to us that actually productivity has gone up since the pandemic. And my response to that is, "Yeah, no kidding. 'Cause people are working 15 hour days." You can't keep that up. And the silent killer of productivity is the not, having an elongated mean time to know, and having to guess. And so my premise is that this productivity gain, if in fact it exists, is not sustainable because we're doing it on the backs of our employees and it's going to burn 'em out. >> I'm not sure whether it's real also, see, there are both sides. It's not possible, practical, as you are saying, because for example, you are a salesperson and you are working six, seven hours and you're traveling six hours. You can't be on the phone for 12 hours with a customer right now. So I don't talk and then be productive, there are both sides going, some people are overworked. And so definition of productivity itself is in question. And how do you measure that? And so that's what we'll have to look, I think basically all I'm saying is we should do it, whatever we do after the pandemic is over, about how many people work from home, should be based on your business model, your expectation, not just based on cost. And a lot of people are looking at once again, "Oh, this is another cost saving exercise." And that should not be the reason, that's the wrong reason, because then they're measuring the productivity in terms of reduced cost, not everything else. Plus at least in NETSCOUT, is a company which, I mean, every meeting I go to, I use chalkboard, and it's very very hard for other companies, somebody like IBM, where most of the people work, there are 50 offices. What is the easy transition? It's not easy for NETSCOUT. 
And so right now we focus on safety, but we need to come up with a good hybrid model later on, and different people will set up differently. But what we do will be relevant in all cases. >> Yeah, but I think you're making a good point that it's not some kind of mandate to drive costs down. Or we saw last decade, there were a couple of prominent companies that were mandating actually working in the office, eliminating work from home. So obviously the wrong side of history, you know, they didn't know a pandemic was coming, but so how will you make that decision? Will you, is it really a discussion case by case with the employees, or what's the framework for you guys to decide that? >> Well, I think so right now, our focus is on safety. So it's completely optional. In fact, we don't even allow more than 20%, and that's only in the headquarters, other places, we have less than 5% people coming, and only essential workers, manufacturing and all those. So right now it's completely optional. But my personal preference when there is no risk is people should come to work like they were coming before. We like to make it as close as possible to the old normal, but that's not going to be the case for other companies because they're bigger in size, they have other things at play, but certainly we are not going to do it, "Oh, because it's cheaper for NETSCOUT, when people work from home." And so we'll see how it goes. I think it will be a transition, but I can see going back to new normal in a year from now, if things start winding down in six months, within a year or so, we should be getting back to some normalcy. But that doesn't mean it's going to be true for our customers. So from a product point of view, we are doing several things so we can help the customer through this transition. And by the way, one other thing I wanted to mention earlier, when we talk about the blood test, how does it relate to guardians of the connected world? 
If you believe in that, what did the industry do? They made sure needles were not painful. That blood test was reliable. There is no hygiene issues or no issues like that. The cost has come down. As the guardian of the connected world, because we do that, that's what we have been doing. We are removing the barriers to a great idea, but not all other companies give up. And then they have different strategies and some of them are successful, some are not. So as the guardian of the connected world, our goal is to continue to make this practical use. Imagine if blood test industry had not done that, where we'll be right now. And that's what I meant by guardian of the connected world. This is not easy to do and sustain that for a period of 20, 30 years. But we have been able to do that, and we get a lot of challenges from naysayers, "Oh, this will not work at high speed." When I started NETSCOUT, it was 10 megabit internet. Now we have 100 gig internet, and we are still able to handle it. And nobody had thought in those days that you can even get to 100 megs. People were questioning us. But what happens is other things keep working in the market. Intel is making improvements, lot of people are doing work to solve the problem, and we leverage that. And that's how we are able to sort of sustain this guardian of the connected world team. >> The other key aspect of the guardian of the connected world, and again, not to overdo the blood test analogy, but the time to results is very important. If you have an issue and you have to wait weeks for the results and your doctor, you can't get ahold of her. And so you're successfully dealing with that in real time or near real time, and that to me is critical. >> Very important point, thanks for reminding because I forgot today, that's one of the things I say all the time, "Hey, this one of the big thing we have done, and blood test industry has done it. How long take to get results?" 
Nowadays you can get results done in like two hours, and doctors can get a report in couple of hours. That's what we had done. That's like mean time to know, which we talked about. With our technology, I think we had basically all the issues, you can't even breathe without doing something on the network. So if you're listening to the traffic or hearing what the conversation, you can form an independent view of what is happening. And that's the smart data, which then becomes the basis of analytics, whether analytics in the security space or not. And so that one thing we have not changed, this technique. Now, the outcomes are different. What are we doing with our visibility is different. Is keep changing the number of customers and the type of customers are different. But ultimately that part interestingly has not changed. >> I wonder if I could ask you, I'd like to ask CEOs, especially those that are technologists and business leaders, their thoughts on the cloud. I mean, our data shows that the public cloud is growing in the 30% plus range annually, the big three public cloud players now account this year, probably for close to $75 billion in revenue, maybe even a little bit more, what do you see driving this growth? What does it mean for your customers? >> I think first of all, we have a big announcement coming out called smart cloud monitoring to address this. But what's the meaning of that? I think what our customers are looking for is that it's not all or nothing. It's not that everything is in the cloud or everything is in the on-prem, it could be private cloud, public cloud, (indistinct), the way VPNs are laid out. So they want to make sure that they can use our technology to do this (indistinct) and analytics, regardless of what decision they make. And even five years from now, there'll be enough non-cloud stuff, okay? So that's what we are striving to do. 
That's what is visibility without borders, and when they do that, they're saying that helps them decide what's the best mode of operation for them, for what application. Moving blindly to the cloud is a problem. Not going into that area is also a problem. But I think this, the two new things that have happened recently, I will say one is sort of, because of this crisis, people don't want to own, like the hospitality industry. This would, I mean, they're obviously having big issues with them, but if they own a lot of the infrastructure, they could have turned off some of that. And so that's driving more movement to the cloud, but I think there is now other choices available, about a year or two ago, I think affordable pricing model, multiple choices, not just AWS, and technology maturing where you can really implement and have a good experience. I think those have become big enablers. And so I think now it is possible to get to massive movement to the cloud, but then they want to make sure that I'm outsourcing my problem, but I'm not outsourcing my vision to the cloud vendors, because previously the way in the IT industry, a lot of problems were solved is, it was called the war room. Let's get everyone who reports to me and everyone who reported to you, but now everyone doesn't report to you. So how do you maintain the control? Man, I complain to my CIO, "Hey, my WebEx is slow," or "Office (indistinct)," and how do they resolve that problem? Because they cannot tell me, "Oh, we outsourced them, so I can't tell you that," well, we should not have outsourced them to the cloud. So how do you drive this collaboration between the providers and the consumers? Is going to be key to accelerating this transformation. Because otherwise the cost of CapEx cost of a deduction of moving to the cloud will be offset by the increase in OpEx and customer satisfaction for the customer. 
And so if we can help deal with one of the parts, industry is already doing the other big part of making cloud work, I think then we'll have the best chance of success. >> Yeah. And of course the security has implications on the security model. You were talking earlier about that, as an opportunity, people sometimes think, "Oh yeah, I put my data in the cloud. I'm good on security." But there's a shared responsibility. Again, we talked about different traffic patterns. You've got work from home going on. And it's interesting when you juxtapose the sort of industry narrative on security, which is it gets harder and harder and harder, and you hear some of the cloud players say, "Hey, the state of security is really good," but when you talk to CISOs, they'll talk about the lack of talent, the challenges they have, the tools creep, the fact that they spend more, but the adversaries just keep getting stronger and stronger and stronger. It's a really serious problem. I mean, maybe we close there. I mean kind of, how do you see it from your vantage point? >> Let's look at the blood test. So I look at, if you do the technique which we are talking about, at least in the dimension of security monitoring, then you are going to do a lot of little things, because you're doing little things, you're going to be (indistinct) tool creep, and because of that, you have a talent issue. And I think if we can make the right stuff work, then you will not have this talent issue, and I feel that we are always looking at solving yesterday's problem, okay? Because we are not watching what led to the attack. We are just dealing with the attack as an incident, a security issue. So I think continuous monitoring of traffic allows you to look at the deviation of the normal. So signature-based security is a big portion, but how do you know the signature of tomorrow? 
And while you know that because you know the normal, but the only way you know normal is if you have been monitoring what was going on, not for a specific event, but deviation from normal. That's what our approach is going to be, anomalous behavior detection through our smart data. And then you apply machine learning and AI algorithms to that. I think that would be Nirvana. But we don't have all the smart people for analytics, but we can feed our data to those smart people. And that's something we are going to bring up, and the reason I feel it will be successful because this idea has been wildly successful for NETSCOUT in the non-security space. >> Yeah. I think you're bringing up another point that I've talked about a lot, which is the industry has gone from sort of an industry of products to platforms, and now ecosystems is really driving a lot of the innovation. That's exactly what you're talking about. Feeding data to other partners, data partners. Now you start thinking about IoT and the edge, and machines talking to machines. I mean, I put video cameras up in my house to make my environment more secure, but of course I'm scared to death that those things could get hacked. It's a very complicated situation, and the power of many is going to trump the resources of one. And so I'm glad you brought that out. Maybe give us your final thoughts, Anil. It really has been a pleasure talking to you. >> Well, I think one of the things people ask me is, "Why didn't you start another company?" Especially in Silicon Valley, I say, "We did start many companies, but they all happen to be called NETSCOUT." NETSCOUT 1.0 or 2.0 or 3.0, actually, we are into the 4.0. I sometimes say, "You know George Foreman's four sons, they're all called George Foreman." 
So every time we do something different, and now we are in the process of launching NETSCOUT 5.0, it was partly because, maybe accelerated because of what's going on with the pandemic, because there are some new challenges which (indistinct), and we are entering the security space. So I'm very excited about repeating what we did in the traditional monitoring space, service insurance space, both for enterprise and carriers, to the security space. And people will question us how come it took so long. Well, we were solving other problems, which are more interesting than this for NETSCOUT. And now we want to bring that technology and all of our tenets, guardian of the connected world, smart data, to the security space. And also, I mean, people are around for long term, we are also building the next generation of leaders at NETSCOUT. And so we have our hands full over the next two, three years, in building the next generation of NETSCOUT, solving some of the problems the industry is facing, without abandoning our tenets and the culture. And if we can do that, I think there'll be, we'll be going to the next level, in terms of NETSCOUT branding and leadership. >> Well, given the guiding principles that you shared with us earlier, the fundamental technology that you have around visibility, I think that's served you very well. And I think there's no shortage of opportunity for NETSCOUT. So, Anil, thanks so much for sharing your story and coming on theCUBE. >> Good. Thank you. >> And thank you for watching everybody. This is Dave Vellante for theCUBE. We'll see you next time. (calm music)
Ken Czekaj, NETSCOUT | CUBEconversation
>> Welcome, everyone, to theCUBE Virtual. I am your host, Rebecca Knight. Today we are talking about cybersecurity and healthcare. Our guest is Ken Czekaj. He is a problem solver at NETSCOUT. Thanks so much for coming on the show, Ken.

>> Oh, my pleasure. Thank you for having me.

>> I love your job title, a problem solver. Tell our viewers a little bit about NETSCOUT and about your role there.

>> Sure. No, I appreciate that. Yeah, NETSCOUT's been around since 1984, and the gentleman who started the company, two gentlemen who started the company, Anil Singhal is still our CEO. He's very passionate about what we do, believes in what we do, and our focus really is service triage and making sure that important customer services, and none more important than healthcare, are up and running and functional. And so our focus is really protecting. We call ourselves guardians of the connected world. We take that very seriously, because when you think about the technology, the complexity, and how we all really, the reliance on everything that we do and how we rely on technology as just a society, our focus is protecting that. So the applications, the services, the network, that's all part of the service chain for that.

>> Well, we know that healthcare organizations and hospitals are under tremendous strain and pressure because of the COVID-19 pandemic, but also recently hospitals all over the country have been hit and targeted in a scourge of ransomware attacks. Can you tell our viewers a little bit about what you're seeing and what's happening right now?

>> Oh yes, it's really sad. It's just an interesting time in the world, obviously, but we are seeing a very heavy increase in the number of attacks from a cybersecurity perspective, really extortion and ransomware, and there's a slight difference between the two, but effectively what's happening, we'll call them the bad guys, are going after healthcare organizations that have some vulnerabilities, where, you know, they have some areas where they can be attacked, and effectively what happens is they will either launch a denial of service attack, which is really a lot of robot-type computers launching just directed attacks at these particular caregiving organizations, these hospitals, and so they're trying to take down services. And that's one thing, and so that's really more of a ransomware where they say, hey, we showed you we can do it, now we're going to extort money from you until you pay. The other one is more of a ransomware where they've already penetrated what we'll call the defenses of the hospital, and now they're saying, okay, we've already taken control of your system, and they lock you out until you pay the ransom. Both, we're seeing lots of attacks in that realm.

>> So what is the upshot in terms of patient care? I mean, this sounds awful. What are patients seeing? What are doctors seeing?

>> Well, it's a really good point, especially in today's world with the pandemic, but really any time for healthcare. We all have, you know, children, aunts, uncles, moms, dads. Nobody wants to be in the hospital for extended periods of time, and when they're in the hospital, we want to make sure that, you know, from a healthcare organization, they want to make sure they give the best care possible, and the caregiver, so the nurse, the doctor, has the opportunity to do what they do and focus on their caregiving and not on the technology. So when things like ransomware, extortion, or any particular impact on performance for a particular application, it just impacts the caregiver, which is, you know, and it affects us, because these are people that you care about. You don't want them in the hospital, you don't want them in pain, and the caregivers there, you know, these are passionate people that do what they do, obviously they're dedicated to it. So when there's an impact from a cybersecurity perspective or an application or network issue that affects healthcare, that affects our loved ones, and you just, you know, you really put yourself in that position. We, especially NETSCOUT, we like to view, we partner with our customers, and we don't take that lightly. That's something that we mean, and it's heartfelt, and the reason for that is we look at ourselves as an extension of their team. This is what healthcare organizations offer to their patients, and they're there for care, to get well. We want to make sure they have every opportunity to do that, and because those healthcare organizations rely so much on technology, networks, applications, and really protection from bad guys in cybersecurity, we just want to make sure that those services are assured, and that's where our focus is.

>> So this, I mean, there are lives in the balance. As you're describing, this is a technical challenge, but it's also one of resources. A lot of these organizations just simply do not have the resources to deal with these problems effectively.

>> Great point. That's a great point. I mean, especially in today's world, the actual industry for healthcare has really taken a beating, because it really had to focus all of their funds, frankly, and all of their resources towards the pandemic, which would be personal equipment, mobile hospitals, and that's taken a tremendous toll. And they've also, from just a revenue perspective, they've really taken a beating, frankly, on what happens from their revenue cycles, because elective surgeries are way down. So when you start looking at, you take that into consideration, so they've got very, very tight resources, and cybersecurity in general is just a thankless job. They're under attack every single day, no matter what their industry is. So when you look at the current situation, you've got tight resources, cybersecurity is under a lot of stress, and oh, by the way, here come the ransomware and extortion attacks. It's just, it's terrible what's going on. But this is an area where we feel this is a spot where we can really help. Number one, our focus is really on network and service assurance, so the applications and the network, and that's what we're very good at and have been doing for many years. But the upside and the place where we really feel we can help is really twofold, and that is that same solution, the same deployment that we have for network and application, really can be leveraged by cybersecurity folks as well, mainly towards the areas of denial of service, mainly towards areas of voice over IP. We think of telecommunications and telemedicine, that's all being leveraged, and heavily leveraged right now, specifically by healthcare organizations. Well, again, if I'm a bad guy and I know you're trying to use your telemedicine to take care of your patients and have that interaction with the doctor and the patient, and I take those services down, well, now I've impacted patient care, though that all runs over unified communications protocols, voice and video, things that we can monitor not only for performance but also when we see cyber-type issues. And that's a really big, I would call it a bit of a hole at the moment, because that's a spot where cybersecurity teams are so strapped, so resource-strapped as well, from what they're trying to deal with every day. That's a spot we can help with, and help with immediately. And as I mentioned, the other part is really the denial of service pieces, which is part of what we do as part of our framework of what we deliver for services.

>> So you're describing an exceedingly complex caregiver chain on so many different levels, in terms of cybersecurity, in terms of telemedicine. And you also said that NETSCOUT really partners with its clients. Talk a little bit about NETSCOUT's solution and how it helps clients and/or healthcare organizations grapple with these challenges.

>> No, that's a great question. Well, the one thing, right off the bat, is we look at network traffic, and that means application traffic. So while we plug in on the network and take traffic from taps and SPANs and whatnot, we take traffic into our appliances so that we can then crunch that data through our smart data. We call it Adaptive Service Intelligence, that's our patent, and we run it through that engine, and that creates smart data, and that smart data then can be leveraged for, muji, is my problem with my network? Is my problem with my application? Is it something like a service enabler like DNS or DHCP or LDAP, which is really the basic building block for Active Directory, for authentication? So when you look at a complete, as you mentioned, a complex chain, an electronic medical records application, an EMR, that's really the go-to application for a hospital, because that's scheduling, that's billing, that's diagnosis, that's patient history. It's so integral to what they do, and when there's an impact with that, that affects patient care, and no one ever wants to hear, oh my goodness, we had a bad outcome with the patient because of a computer glitch, you know, network, application, what have you. And so what we do is the ability to take all that data in, crunch it through our engine, and then display that in dashboards that are very easily consumable by not just network people but really application, even management, cybersecurity, unified communications folks. And the focus here is we want to get the problem set, we know there are going to be problems, it happens every day, and you know, networks and applications are complex. The idea is when we have an issue like that, let's get the problem to the right team so that they can then go through their service restoration process, and again, the whole point here is keep services up and running. But the challenge becomes, in a complex application team setup where you've got DNS, DHCP, LDAP, RADIUS, so you've got service enablers, then you've got web servers, application servers, database servers, load balancers, firewalls. When somebody says, oh my goodness, the EMR is down, or we're having issues with our network, that's a very tough chain to try and pinpoint. It's almost needle in a haystack. So what we do, and this is kind of our bailiwick in the world, is really we take all of that different traffic and we expose where the hot spots are, where's the latency, where are the error codes, where do we see protocols that aren't behaving well, where are we seeing authentication failures. And the big win for the healthcare organization from that standpoint is I can see all of my traffic, all of my applications, and then I can pinpoint where I'm having issues so that I can restore services very quickly.

>> What are some of the best practices that have emerged in terms of the company, in terms of the organizations and hospitals that are doing this well? What would you say that they're doing right?

>> One thing, they want a partner. So they recognize the fact that, number one, you know, they've got limited staff, and they actually want to partner with NETSCOUT, and what that means is we actually go in and we'll design solutions that will address their specific requirements. That's very important, what we do, but when we do so, we take, you know, different product sets, but our InfiniStream, our InfiniStream Next Generation, ISNG, is our data collector, and that's really the workhorse of our solution. It processes all the packets from, you know, we'll get technical here for a second, one gig to 100 gig, and that's a lot of data to process, and because we can just get to the point with the process, to the smart data engine, and get to the problem: show me where my latency is, show me where my problems are, show me my protocols, pulling that up through our packet flow switch engine, which kind of facilitates us collecting from multiple hops of the network. A lot of times IT folks will ask us, well, we want hop-to-hop views of this. I'm like, great, let's do that, we can do it right now, we just need to sit down and design it. But we really design towards their use cases, and in healthcare it's very common, you can have DMZs, you're going to have people accessing their electronic medical records through their DMZ, and things like that, and as it goes through the back-end services, we basically take a traffic feed from all those different hops of the network, or in cases there that make the most sense, the primary SPAN and choke points, and then take that data in, and then we do what we do, we expose the data and expose the performance information. And most customers, and it's like this in the world, people usually don't call you up to say, hey Rebecca, you're doing a great job today, I want to buy you a cup of coffee, especially in IT. They call up to say, hey, things aren't working, hey, fix it, hey, I can't do something. And so our job is to help facilitate with those customers and really partner with them to design solutions so that they can not only view that information but also triage it really quick. And the word triage makes a great deal of sense in healthcare. For example, if you have, you know, you hurt your finger, they're not going to take an X-ray of your foot. It makes no sense, because they've already triaged that that's not your problem. We do the same thing, but we do it more from the network and application side to see where the hot spots are.

>> You are the IT triage. So talk a little bit about this. You are a problem solver, and so right now we have a crisis on our hands of monumental proportions. Do you think that it has forced healthcare organizations and hospitals to innovate more quickly at this time, or do you think that there is still just so much uncertainty taking place right now that it is hard to see the forest for the trees? What are you seeing?

>> That's a really good question. We're seeing both, just to put it very, so one of the biggest changes that really the pandemic's had on everybody is the switch to, everybody went from, I have 10, maybe 20 of my workers working remotely over VPN, contractors, things like people that just can't be in the office for a reason. They switched from 10 to 20 to 70, 80, 90 percent. So it was an overnight change. So think of the impact on that. The caregivers are at the hospital, they're actually, you know, the frontline workers, they're at the hospital, you know, serving their patients, but people in the administration, accounting, IT, other things that are important to the organization all had to switch to work from home, obviously for safety reasons. So the impact on just the internet link, number one, huge impact. Before it was used for outbound, hey, I'm gonna go check, you know, I'm gonna go do some research, I'm gonna go check a website, I'm gonna, you know, see what sports activities are going on today. Now all the traffic is coming inbound on the internet, and so that's number one. Number two, big change, VPNs. VPNs took an enormous beating. Maybe they were sized for that type of scalability overnight, and maybe they weren't. So the organizations that were kind of prepped for it, not such a big change, and we've seen some good results from that, but there are also organizations that immediately had to switch to, oh my goodness, I need to upgrade my VPNs and my internet links because I wasn't prepared for this. So the larger organizations sometimes have a little more capability to make that change quick. The smaller organizations, that's a tough call. So they really have had to innovate quite a bit on that side of it. But when you add that stress on things, that also shows that the internet and the VPN are really points where the bad guys are going to target, which again we're seeing, we're starting to see that in the ransomware and the extortion attacks. So it has forced innovation, certainly, but you bring it to the point of forest through the trees, there's still a lot of work to be done. So that's where we're really putting a lot of our focus, especially in healthcare right now, because it's got the biggest impact, well, frankly, to society right now, and the religious, the companies.

>> So as healthcare organizations are navigating this period of new normal, and of course we've had some positive vaccine news, so we can say that perhaps there is going to be an end to this pandemic in the coming year, but how are they planning ahead? I want you to close us out here with how healthcare organizations are thinking about the next 12 to 24 months, and if you have any advice for them, I'm sure they would be all ears.

>> Yeah, I think we could all use some good advice right now on that one. Short answer is, you know, I don't know either. Right now in healthcare it is a big challenge because of that, as mentioned earlier, the impact on the personal protection equipment, mobile hospitals, and frankly where they've had the revenue loss. So it's become, you basically have to do more with less right now, which is one of the things that we do, and really it's kind of our message for customers anyway. I'm a big proponent of use what we have, what if you have our solution, use what you have and use it to its fullest extent, especially while times are lean. You know, the wallets aren't as big right now, so we're gonna have to really focus. Yet, I mean, has there been a bigger time in healthcare ever than right now? I can't think of one. So our focus right now and our message to our customers and anyone else is, if you've got our types of solution, use it to its fullest capability so that you can triage and so that you can, you know, not have patient-impacting issues on top of all the other things you have to deal with. You bring up the point about the vaccines. One of the things that we've seen, especially for what's called healthcare organizations that are more research focused, is the bad guys aren't very nice. So the bad guys are going to go after organizations where they can have a big, we'll call it splash, or they can steal something. So research hospitals that are working on vaccines or something in that realm have been huge targets, again, DDoS for ransomware and extortion. My message for anyone in healthcare right now is, you know, bless you, first of all, and second of all, use what you have to its fullest extent, which means a solution like ours. Yes, use it for network monitoring, use it for application monitoring, but please use it to protect yourself for cybersecurity-type visibility. We typically, in a lot of cases, we'll see traffic that some cybersecurity tools don't, and not because they're bad tools, but because we're installed in places that they sometimes aren't. So that might be, where they're typically installed, maybe on the perimeters of the network and endpoints. We actually are instrumented through that service chain, so not only the outbound internet, the wide area network links, the VPNs and DMZs and VDI and all those acronyms that I'm throwing out, those are typical spots for us, as well as virtualization, so that can be cloud or private cloud. So effectively we have areas of visibility that can be leveraged in bigger and better ways, even really on the cybersecurity and unified communication sides of the fence. So my message would be to just use what you have to its fullest capability, especially when times are lean, and keep up the good fight.

>> Excellent. Leverage what you've got. Ken Czekaj, problem solver at NETSCOUT, thank you so much for coming on theCUBE.

>> Thank you for having me. It's been a pleasure.

>> I'm Rebecca Knight. Stay tuned for more of theCUBE Virtual.
Russ Currie, NetScout Systems | AWS re:Invent 2020
>> Narrator: From around the globe, it's the Cube. With digital coverage of AWS reinvent 2020. Sponsored by Intel, AWS, and our community partners. >> Okay, welcome back. You're ready. Jeff Frick here with the cube. We are, coming to you from our Palo Alto studio with our continuing coverage of AWS reinvent 2020 digital this year, like everything in 2020 but we're excited to welcome back to The Cube. He's been on a number of times, he's Russ Currie. The vice president enterprise strategy for NetScout Systems. Russ great to see you. >> Great to see you, Jeff. Thank you. >> Absolutely. So before we jump into there's so(laughs), so many things going on in 2020. What I do want to do is, is reflect back a little bit. You were first on The Cube at AWS reinvent 2017. So it's been about three years. And I remember, one of the lines you had said, I believe that was your guys' first, AWS show as well. So I wonder if you could reflect on kind of how the world has changed in terms of your business, and the importance of AWS and public cloud within the infrastructure systems of your clients. >> Yeah, well, it was interesting, right? We were just getting our feet wet at that point, and had just introduced some of our technology for use in AWS, and it was kind of an interesting little adventure. So we were looking at it and saying, okay where's this going to lead us? And ultimately now we're just really waist deep in it, and really having a great partnership with AWS, and delivering new technologies, new capabilities, and our customer base also is becoming so much more reliant on public cloud in particular AWS and the services that they can provide. So as we've gone and they've gone it's been a journey that we've taken together, and it's been quite, fruitful and exciting. >> Right, right. And it really reinforces this concept of I think you'd mentioned it before, a blended, you know kind of a blended infrastructure approach. 
So there's a lot of conversations about public cloud, hybrid cloud, multicloud, et cetera, et cetera. But at the, at the end of the day from a customer perspective, as you've mentioned it's really kind of a blended network, right. And it's really application centric, and you put the applications where those applications need to be to be the most appropriate, and that might even change over time from, from test dev to really roll out to, to scale. So you're seeing that consistency. Consistency, >> Absolutely. Yeah. The, the blended environment that in it it's so incredibly complex of our customers. As they take a look at the way that the world has changed, right? When we take a look at what has happened with people working remotely, working from home and having to come into access services in such a, a completely blended and hybrid environment as you say, not only the move to the cloud, but the move to Colo, and bringing all of this together for interconnect, it's definitely a complex environment that they have to have their fingers on the pulse of. Right? >> Yep, yep. And then of course there was this little thing that happened this year with COVID. And really right in March, April timeframe light switch moment, everybody worked from home, whether you're ready or not. And that was a very different kind of situation. Cause we had to get people secure and safe, and get them up and operating. So I'm sure you(laugh) saw a lot of interesting stuff at your business there, but I'm even more interested in how that's evolved over time. Here we are at the end of 2020, there's going to be you know, some version of this for the foreseeable future. And a lot of companies are saying that, you know there'll be a lot of, kind of work from anywhere pieces that continue forward. 
So again, with your customers and looking kind of the change between what happened in the spring, and now what's happening as they really of kind of put in the systems that'll enable them to continue to support, you know people working from anywhere, not even really working from home, but working from anywhere. >> Right. Exactly. I mean, as our customers had to bring up more connectivity, new connectivity, and start to add licenses for virtual desktop or for their VPN connectivity ultimately how they got it done, most of our customers said, you know we're running hot, but stable. And I think that that was, that was great for most folks. But now they're leaning into it and saying, okay how do we continue to make this happen? And how do we provide the visibility that we need to ensure that the services that we're delivering are, making it possible for their users to be productive and successful. A user doesn't want to feel that they're not contributing as much as someone else that may be able to make it into the office. And, it's a, it's a challenging time, but with that being said, technology has really stepped up, and in particular, the way that they're able to stand up services in the cloud, and the automation, and potential cost savings that they get from standing up in the cloud has really been a boon for most of our users. And some of the users, you know, the high end enterprise that we're a little bit slow to adopt, now are just turning it on as fast as they possibly can. >> Yeah, it's pretty wild. And then, we had another representative from Netscout on earlier this year. One of the, the kind of recurring themes that we've seen is you know, changes in the threat landscape. So clearly the increased attack surfaces as more and more people are working from home. They're not working from the secure environment at the office. 
But you guys notice some interesting things about what's happening, and we've, we've seen a little bit too in terms of kind of, ransomware and the increase in ransomware as a particular type of attack that, that seems to be growing in popularity. And these, these people are a little bit more thorough in the badness that they caused before they, they throw in the ransom request, and that they're looking for a little bit more fundamental disruption to enable them to basically extract that ransom is which they hope to do. >> Yeah. I mean the amount of DDoS attacks that we've seen has just grown incredibly over the past several months. And these extortion attacks they come in and they often hit the customer quickly and hard, and then say, turn it back for a bit and say, pay us, or we're going to shut you down. And they're really coming in more towards the back office aspects of things. So, going in and attacking that part of the business is kind of a new environment for a lot of folks. But one of the other interesting(laughs) challenges here with us is that, oftentimes those extortion notes don't make it through to the people that really need to act on them because they get caught in spam filters or they like so they're finding these DDoS attacks, and don't necessarily understand that they're under an extortion attack. So it's a real challenge for folks. And we've seen a good uptake with our on-prem capabilities to provide that kind of protection, right at the top of the security stack with our Arbor edge defense products. So it's been something that we're trying to get out there and help our customers as much as we can. And even that new, folks. >> Yeah. It's a, it's an interesting environment. And we found out from somebody too that sometimes if you actually pay the bad guys you can be breaking other rules for doing business with countries >> Yeah. >> Or people that we're not supposed to be doing business with. 
Like, that's the last thing you need to think about when you're trying to get all your data, and your company back online. >> Right, yeah, I mean, are you trying to make sure that you're keeping yourself stood up right? And, it's tough and you know kind of the rule one is never pay the extortion right? But you kind of got to take a look at it and say, hey, you know, what do I do? >> Right, right. So, you guys been around for a while. I wonder if we could dive in a little bit, we're at reinvent. Some of the things you guys are doing specifically on the product side to, basically increase your, your AWS capabilities. >> Sure. Thanks, yeah. We've been working really closely with AWS as they start to roll out new technologies. Last year, we were fundamental in the VPC ingress routing announcement that they have. We've been working with them with their traffic mirroring capabilities. So technology-wise, we keep in close touch with them in terms of everything that they are delivering. But also on the business side of it, we have our networking competency and just last week got our migration competency. So what we're really doing is, trying to both work the technical and the business relationship, as much as we can to try and expand our overall capabilities of book print with AWS. And, having that visibility and being able to kind of provide that same level of control and capability that you had, on-prem in your enterprise network as you move into the public cloud is a great benefit to a lot of our customers. They really have the ability now, to deliver services the way they have been delivering it for years and years. >> Now, what do you mean specifically, when you say migration competency or networking competency? >> So, they have these different competency programs for their technology partners. 
And the networking competency is, that you've demonstrated capabilities in your ability to provide network monitoring, or network management capabilities, or network connectivity. In the applica--, migration side you've really provided the ability to show that you have the tools, and solution set to drive, and help people become successful migrations into AWS. As you can imagine right now, a lot of folks are just lifting and shifting, putting stuff into AWS as quickly as they can to try and take advantage of the automation and the operational efficiencies that you get when you move into public cloud settings. As you make those migrations, you want to ensure that you're not either leaving something behind, that needed to move with it, or building a dependency onto something that's in the background that's going to have an adverse effect on, user experience. And ultimately, it really all comes down to the user experience that are, delivering to your customers and or your user base. Right? >> Right. Right. So what are the things you talked about in a prior interview was kind of the shifting dynamic in terms of network traffic. As there's more and more, you know kind of SAS based applications, and there's more kind of an application centric, and in this kind of API interface between all the applications that, you know the North-south is still significant, but the growth in the East-west traffic, meaning, you know kind of inside, if you will. And that some of the unique challenges that come from that from kind of a network monitoring. I wonder if you can share a little bit more color on that, as to, and are you continuing to see this increase in East West relative to North-south, and what kind of special opportunities and challenges that that presents? >> Yeah, absolu--. There is an absolute growth in terms of the East-west connectivity and, traffic that exists out there. 
In particular, when we take a look at the way that people are implementing software defined networks, NSX, for example NSX-T has now provided the ability to blend your environment whether you're going to any cloud, any vendor as you move between these environments having that ability to deliver network services under the same framework is really beneficial to our customer base. And we've also been partnering very closely with VMware, and a lot of our customers are implementing VMware Cloud on AWS. So, they have that ability to stand up services in a consistent manner whether it be in their legacy environments, or into the public cloud environments, and have that same ability to provide visibility down into the East-west traffic so that you can see that. So when you're part of the NSX framework, what you're able to do is really leverage the service framework that they have the service and search it, and be part of the clusters and host groups that are exchanging traffic East-west. And our ability to see into that really exposes chall--, not, exposes challenges but exposes potential issues that(laughs) our customers might be having in delivering high quality services. So that visibility is really what we've been keying on. >> Right. I'm just curious to get your take, you know as people kind of, as you said, make this move to public cloud, and, you know, you talked about wholesale migrations, and wholesale lifts and shifts. You know, there, there's kind of a couple trains of thought. One is, you know, using cloud for just pure economics, and trying to save money, and the flexibility. The second one is, is to is to add this automation as things grow in this, these great opportunities to automate, and try to reduce error. But the third one, right, the big one is to drive innovation, and to unlock innovation enable better innovation, and speed of delivery, and, you know, moving at the speed of business, pick your favorite buzzword. 
I'm curious whether your customers, as you have you seen them all jumping in? How much of it is still, you know, to save money or to, or to, you know, kind of use the basic, you know cost saving economics versus people really embracing the opportunity to use this as a method to drive innovation, and change within their own business? >> So I, I think the realities of 2020 have been forcing people to look at primarily from operational and cost efficiency perspectives, however with an eye towards innovation, and as they start to get themselves into a, zone where they're comfortable, they look to see how they can leverage the cloud to provide new services, and new ways in which they provide their services, and avail themselves of, the underlying technologies that are there to build something that's new and exciting in their overall portfolio. So, I think that 2021 is probably going to be a little bit more of where can I innovate as opposed to, how do I get there? (Jeff laughs) >> It's probably an unfair question here at 2020 cause priorities certainly got turned upside down in the middle of the year. So maybe, maybe innovation got pushed down a little bit from, you know, let's get people up, let's get people safe, and let's make sure they can access all the systems and all this crazy stuff that we've got available to them from wherever they are. >> Yeah, yeah. >> Not just within the, within the home office. >> I was listening to a, panel from federal government a couple of weeks ago, and it was really the way the they've adopted kind of commercial cha-- commercial capabilities to meet some of these challenges things that they wouldn't normally look at. But now it's a set of innovation that they're looking at, to try and make sure that they can avail themselves of the services that are out there and available in the public cloud. >> Yeah. Well, that's great, Russ. It's great to catch up. 
I'm sure you must be as amazed as anybody as the rapid acceleration of this, you know since the short time you went to your first re-invent and, >> Yeah. >> And clearly AWS and Amazon generally is an execution we're seeing. So, I think they'll keep doing it. So I think you're, you're probably sitting in a good spot. >> I think so. (Jeff laughs) Thank you. (Russ laughs) >> All right. Thank you Russ for, for stopping by and sharing your insight. Look forward to catching up next time. >> Thanks a lot, Jeff. Really appreciate it. >> Alrighty. He's Russ, I'm Jeff. You're watching The Cube's, continuous coverage of AWS reinvent 2020, the virtual event. Thanks for watching and we'll see you next time. (bright music)
Anil Singhal, NETSCOUT EDIT
>> Narrator: From The Cube studios in Palo Alto and Boston, connecting with thought leaders all around the world, this is a Cube conversation. (Music) >> Hello everyone, this is Dave Vellante with The Cube, and welcome to this conversation. With me is Anil Singhal, who is the CEO of NetScout. Anil, it's a pleasure to speak with you today. Thanks so much for coming on the program. >> Thank you. >> So I want to talk a little bit about NetScout. We're kind of, at The Cube, we're sort of enamored by founder-led companies. I mean, you started NetScout right around the same time that I entered the tech business, and you remember back then it was an industry dominated by IBM. Monolithic systems were then the norm in the form of mainframes. You had minicomputers, PCs, and things like PC local area networks, they were in their infancy. In fact, most of the PCs, as you remember, they didn't have hard disks in them. So I want to start with, what was it that you saw 35 years ago that led you to start NetScout, and at the time, did you even imagine that you'd be creating a company with a billion dollars' worth of revenue and a much larger market cap? >> Well, certainly I'd not imagined where we'll be right now, and we didn't know that this will be the outcome. I mean, we just happened to be at the right place at the right time, but we did have a vision. Some of you had the feeling we are enamored by networking, and we thought that network will be the business. In fact, our business card in '91 said "network is the business," and so somehow we got that right. And we said these things will be connected, and overall we found then that with the IP convergence, first in the enterprise in the 90s, and then internet, and then carriers moving from analog to digital, we talk about digital transformation in the last few years, but this has been going on for the last 30 years. And as we add, what we were doing became relevant to more and more people over time. For example, right now even power companies use our product, okay, and we have IoT devices coming in. So basically what we do is, we said we're going to provide visibility through looking at the traffic through the lens and the vantage point of the network. A lot of people think we're just doing network monitoring or have been doing that, but actually we use the network as the vantage point, which other people are not doing. Most of the people have accidental data from devices as the basis of visibility, and that turned out to be very successful. But at some point, different points in our life, we became responsible for the market, not just for NetScout, and that changed the shape of the company and what we did and how we drove the innovation. >> Yeah, now I want to get into some of that, but I'm still really enamored of and fascinated by the beginnings. I worked for a founder-led, a chairman, a guy named Pat McGovern, who built the media empire. He had these 10 sort of core principles. He used to test us on them. We'd carry them around, a little note card, things that today still serve us, you know, stay close to the customer, keep the corporate staff lean, promote from within, respect for individuals, the things that are drilled into your head. I wonder, you know, what are the principles that, you know, sometimes they become dogma, but they're good dogma, I don't mean that as a pejorative. What are the things that you built your business on, the principles that you're sort of most proud of? >> Well, I think there are five, in fact, we call some of the standards, so five tenets we have. We call this high-ambition leadership, which is more than just about making money, and just like the US is the leader of the free world, we have a responsibility beyond US, same way NetScout has a responsibility beyond our own company and revenue and our stakeholders. So with that in mind, we have these five things, which I think I wouldn't have been able to articulate like this 20 years ago, but they were always there. So first is this Guardians of the Connected World, which you see on our website. Guardians care about their asset, it's not just about money. We are going to solve problems in the connected world which nobody else is able to solve or have the passion or have the resources and willpower to do it. So that's the overall theme of the company, Guardians of the Connected World. The connected world is changing, broad new problems are coming. There are pros and cons of every new thing, our goal is to remove all the cons so you can enjoy the pros. So that's Guardians of the Connected World. Then our mission is accelerate digital transformation, meaning remove the roadblocks. People are looking at enablers, but there are barriers also. How do you remove the barriers for our customers so they can improve the fruits of digital transformation? For example, going to the cloud allows you to outsource some of the stuff, especially in this time of agility and dependency. You can cut your cost, but that comes with the price that you lose control. So our product brings the control back, so now you can enjoy the pros and the cons. And I call it sometimes, how do you change the wheels of your car while driving? Well, if you change the four wheels, then the car is going to fall down, but how do you put one wheel in the cloud? Well, that's what our vision is, visibility without border, we'll give you the same information, which is the third part. So we have this tagline for the company, and then we have the mission, accelerating digital transformation. Our vision is visibility without border: when you run your application, no matter where you run, we'll give you the same piece of information that allows the people to make this migration transparent from a monitoring and visibility point of view. Then the fourth area is about a technology, we call it smart data technology. The whole world is talking about artificial intelligence, machine learning, but who are you going to learn from? Is your AI really authentic, or is it truly artificial? And that comes from smart data. Data is the oil of the new industry, that's the oil, and people are not focusing on that. They're saying, I have lots of data, but you don't have the data which we have. In the past we said we are not going to share the data with third parties, so recently we have changed that. You say, yeah, there is the price for that, we'll do that. So we are branding ourselves as a smart data company, where the whole industry is talking about smart analytics, and I said we make smart people smarter. And lastly, the value system of NetScout is called lean but not mean, okay. Anybody can get lean, if you get fat you can get your operation, but how do you do lean decision making so you never have to be mean? Like NetScout never had layoffs in the last 35 years. We have ups and downs, our stock has gone to three dollars and has gone to forty dollars, but the company continued to invest, and that's why we have this reputation we have. With this Tom here or Steve here, the tenure at NetScout is 10, 15 years minimum, even in sales, and people don't realize the power of that, because some of our customers tell us, hey, your salespeople are around longer than our employees, and that's how it builds a franchise of loyalty in the customer base. We underestimate this continuity part. So there are many aspects of what is the definition of not being mean. The lean and mean is sort of, people are very proud of that, and I think you can be lean without being mean. And how do you become lean is, don't hire in good times unless you need them. The reason people are able to do it is because they think I can fire any time, so let's build up the fat. So there are a lot of decisions we make around this, and that's what I talk about in the book. It's not about technology, and this is, I would say, just one of the five diamonds, but it's probably one of the most important ones and is one of the biggest differentiators of NetScout. >> Well, it's obviously served you well. I mean, no layoffs in 35 years, the retention metric is very impressive. I mean, again, I go back to my experience. I was at IDG for 15 years. My passion was always to start my own company, but I didn't want to leave because it was such a great culture, and it seems like you've created something similar. You know, I talk to CIOs and CTOs a lot too about, you know, it's always people, process, technology, and of course we want to talk about tech because we love talking about tech, but they always tell me, look, tech comes and goes. It's the processes that you put in place, the culture that you have in place. We could deal with the tech. And it sounds like you've created a similar dynamic. And I think back again, when you started there were proprietary networks. It was IBM SNA, DEC network, every minicomputer had its own network. Then, you know, TCP/IP came in, the whole world changed and exploded, but yet you said Guardians of the Connected World, and that's kind of been your focus from really day one. You know, I loved what you said about the business, the network is the business. Remember "the network is the computer" that Scott McNealy popularized, so really kind of a similar dynamic there. So it seems, Anil, that that framework that you just laid out, those core principles, have actually allowed you to ebb, to flow, to deal with stock prices, and still retain people for very long periods of time. >> Maybe one more thing to add there is that on the lean but not mean, when you talk about generalities, we don't look any different. Like everyone cares about happy customers, they care about happy employees, and they care about happy stakeholders, shareholders, everyone, including us. But what's the order? Where do you start? So we start with employees. We say if there are happy employees, they create success, happy customers, and then because of that they buy more stuff, and we create happy shareholders. Whereas if you start with happy shareholders, you may not get happy employees. And so all I'm saying is that everyone probably believes in what we are saying or what I'm saying, but how they implement it, and then like really walking the talk, is the most important part. >> Well, I think you're right. I mean, I think, you know, the financials is a byproduct of happy employees, which drive happy customers. If you take care of employees and customers, then good things will happen. If you start with trying to micromanage the finances, of course we all attempted to do that. I wonder if we could talk a little bit about, so just to bring it forward a little bit, we're talking about how NetScout has essentially, from a cultural standpoint, been able to withstand the ups, the downs. I mean, you've seen, since, you know, over 35 years, a lot of the downturns and the tech softness, the tech bubbles, the great, you know, recession, obviously now we're in the middle of the pandemic, and I wonder if you could talk to that specifically. So the data that we have from our survey partner ETR, Enterprise Technology Research, shows that before the pandemic around 16% of employees worked from home. We're talking about truly remote workers, not, you know, a couple days a week. And when we talk to CIOs today, they tell us it's, you know, well over 70 percent now, but they fully expect that when, you know, the world comes back to the new abnormal, I call it, that number is going to, that 16 is going to double, to more than double, to 34. So it puts stress on the network, it changes the direction of the traffic, it changes the security emphasis. Maybe you could talk a little bit about that, just in terms of how you are helping your customers respond specifically. >> So I always talk about, like, is this a new problem, or is the bad problem getting worse? And so I put it in that bad problem getting worse. So if you make the bad to zero, then you can't multiply it. So I think it's highlighting some of the problems which are already there, are being highlighted. A lot of people are telling, are you seeing more attacks? No, we are becoming more conscious of the attacks we always had. We have more time. By the way, hackers have more time too, because they are also sitting at home doing things. So what I'm saying, what I feel, is that two parts. One is that I think, when the new normal comes, or new abnormal, then I think people should not make people work from home for the wrong reason. Certain people are saying, oh, I can save money. That's the wrong reason. But if it's efficient, we should do this. So we are doing some interesting things for home users, how they can feel that they're really working from the office. And so, yeah, there are some new challenges on how we monitor, because when a user complains now about performance to IT, because they can't get their work done, they don't know whether it's our network, or is it the ISP, or is it their Wi-Fi network. So we try to provide the root cause analysis as quickly as possible, which we call mean time to know. And one of the things I didn't mention earlier about what is the uniqueness of our technology: when we use the network vantage point to drive visibility, it's almost like the blood test. When you have a problem, if you tell the doctor, hey, what is my problem, and they start looking at all kinds of things, it's going to take forever. But if I take the blood test, I will know what the next thing to do. So in a way we are doing the blood test of the user experience, security problems, and when we do that we can come up with some very unique things. So we think that we'll be moving on into other areas. So the visibility is the means to an end. The end could be performance management, could be visibility troubleshooting, and could be security forensics, like blood tests can be used for DNA evidence also. And so we have all the technology, so we are moving on. As we move to the home user, we are applying our techniques not just for service assurance or end user experience monitoring, but also for security forensics. And one example I give you, I always talk about, and you'll see that in my book, being different before being better. First be different, get the earplugs out of the audience before you tell the story. And you don't do that, even though we are very big, we are very small compared to a lot of companies in the industry, compared to big players like Cisco, IBM, and all those. So the new thing which we are looking at in security is, the security industry is catching the act, we are going to catch the actor. If I can get into what they were doing before the act, before they did the ransomware, what were they doing? Well, that required continuous monitoring of the traffic, and that's what we do. So when we do catch the actor, catching the thief, not what they're stealing, then you're preventing tomorrow's attack. And that's basically the innovation part of NetScout which we have been pushing for, but we somehow decided not to apply that to security, because we had enough problems to be solved as Guardians of the Connected World from a monitoring point of view. And so those are some of the things we'll be applying as we move forward, and I feel that those are equally applicable before the pandemic and after the pandemic, and it's just polarized more because more people are working from home. >> It's interesting what you're saying about the blood test. That's a great analogy, because it kind of eliminates the guesswork and removes the opaqueness, goes right to sort of the heart of the matter. You call it mean time to know. And it's interesting too to look at productivity. I mentioned some of the survey work. When we talk to organizations, they say to us that actually productivity has gone up since the pandemic, and my response to that is, yeah, no kidding, because people are working 15-hour days. You can't keep that up, and the silent killer of productivity is having an elongated mean time to know and having to guess. And so my premise is that this productivity gain, if in fact it exists, is not sustainable, because we're doing it on the backs of our employees, and it's going to burn them out. >> I'm not sure whether it's real also. See, there are both sides. It's not possible, practical, as you are saying, because, for example, you're a salesperson and you're working six, seven hours and you're traveling six hours. You can't be on the phone for 12 hours with the customer right now, right? How can they be productive? There are both sides going. Some people are overworked, and so the definition of productivity itself is in question, and how do you measure that? And so that's what we'll have to look at. I think basically what I'm saying is, whatever we do after the pandemic is over about how many people work from home should be based on your business model, your expectation, not just based on cost. And a lot of people are looking at, once again, oh, this is another cost saving exercise, and that should not be the reason. That's the wrong reason, because then they're measuring the productivity in terms of reduced cost, not everything else. Plus, at least NetScout is a company which, I mean, every meeting I go to I use a chalkboard, and it's very, very hard for our company. Like somebody like IBM, where most of the people were there in 50 offices, they were remote, it's the easy transition. It's not easy for NetScout. And so right now we focus on safety, but we need to come up with a good hybrid model later on, and different people will set up differently, but what we do will be relevant in all cases. >> Yeah, but I think you're making a good point that it's not some kind of mandate to drive your costs down. We saw last decade there were a couple of prominent companies that were mandating actually working in the office, eliminating work from home, so obviously
the wrong side of history you know who they didn't know a pandemic was coming but so so how how will you make that decision uh will you is it really a discussion case by case with the employees or how what's the framework for you guys to decide that well i think so right now our focus is on safety so it's completely optional in fact we don't even allow more than 20 percent and that's only in the headquarters other places we have less than five percent people coming right and only essential workers manufacturing and all those so right now is completely optional but my personal preference when there is no risk these people should come to work like they were coming before we like to make it as close as possible to the old normal but that's not going to be the case for other companies because they're bigger in size they have other things at play but certainly we are not going to do it or because it's cheaper for net scores because we when people work from home and so we will see how it goes i think it will be a transition but i can see we going back to new normal in a year from now if the things start winding down in six months within a year or so we should be getting back to uh some normalcy and but that doesn't mean it's going to be true for our customers so from a product point of view we are doing several things so we can help the customer through this transition and by the way one other thing i wanted to mention earlier when we talk about the blood test how does it relate to guardians of the connective connected world if you believe in that what did the industry do they made sure needles were not painful that blood test was reliable you could there is no hygiene issues or no issues like that the cost has come down as a guardian of the connected world because we do that that's what we have been doing we are removing the banners to a great idea but lot of other companies gave up and then they have different strategy and some are successful some are not so as a 
guardian of the connected wall our goal is to continue to make this practical use imagine if blood test industry has not done that where we'll be right now and that's what what i meant by guardian of the connected world this is not easy to do and sustain that in for a period of 20 30 years but we have been able to do that and we get a lot of challenges from naysayers or this will not work at high speed when i started mad scout it was 10 megabit ethernet now we have 100 gigs 100 gig ethernet and we are still able to handle it and nobody thought in those days that you can even get 200 likes people were questioning us but what happens is other things keep working in the market intel is making improvements a lot of people are doing work to solve the problem and we leverage that and and that's how we are able to uh sort of sustain this guardian of the connected world team yeah you know the other key aspect of the guardian of the connected world again not to overdo the blood test analogy but the time to results is very important if you if you have an issue and you have to wait wait weeks for the results and your doctor you can't get a hold of her and so you're you're successfully dealing with that in real time or near real time and that that to me is is critical a very important point thanks for reminding me because i forgot today that's one of the things i say all the time hey this one of the big things we have done if blood test industry has done it how long take to get results nowadays you can get results done in in like two hours and doctors can get a report in couple of hours that's what we have done that's like mean time to know which we talked about with our technology i think we're basically the all the issues that you can't even breathe without doing something on the network so if you're listening to the traffic or hearing that uh what the conversation you can form an independent view of what is happening and that could be the that's the smart data which then 
becomes the basis of analytics whether analytics in the security space or not and so that's uh and that one thing we have not changed this technique now the outcomes are different what are we doing with the visibility is different is keep changing the number of customers and the type of customers are different but ultimately that part has interestingly has not changed i wonder if i could ask you i'd like to ask ceos especially those that are technologists and business leaders you know their thoughts on on the cloud i mean our data shows that the public cloud is growing in the 30 plus range annually the big three cloud public cloud players now account this year probably for close to 75 billion dollars in revenue maybe even a little bit more you know what what do you see driving this growth what does it mean for your customers well i think so forth we have a big announcement coming out called smart cloud monitoring to address this but what's the meaning of that i think what our customers are looking for is that it's it's not all or nothing it's not that everything is in the cloud or everything is in the program it could be private cloud public cloud colos the way vpns are laid out so they want to make sure that they can use our technology to do this react and analytics regardless of what decision they make and even five years from now there'll be enough non-cloud stuff okay so that's what we are trying to do we want to that's what is visibility without water and when they do that they say that helps them decide what's the best mode of operation for them for what application moving blindly to the cloud is a problem not going into that area is is also a problem but i think this the two new things have happened recently i would say one is sort of because of this crisis people don't want to own uh like hospitality industry okay this would i mean they're obviously having a big big issues with them but if they want a lot of the infrastructure they could have turned off 
some of that and so that's driving more movement to the cloud but i think there is a lot of choices available about a year or two ago i think affordable pricing model multiple choices not just aws and technology maturing where you can you can really implement and have a good experience i think those have become big enablers and so i think now it is possible to get to massive movement to the cloud but then they want to make sure that i'm now i'm outsourcing my problems but i'm not also outsourcing my vision to the cloud vendors because previously the way in the iit industry a lot of problems were solved is it was called the war rule let's get everyone who reports to me and everyone who reported to you but now that everyone doesn't report to you so how do you maintain the control when i complain to my ci hey my webex is slow or office three seriously and how does it resolve that problem because they cannot tell me oh we outsource them so i can't tell you that well we should not have outsourced them to the cloud so how do you drive this collaboration between the providers and the consumers is going to be key to accelerating this transformation because otherwise the cost of capex cost of reduction of moving to the cloud will be offseted by the increase in operax and customer satisfaction for the customer and so if we can help deal with one of the parts industry is already doing the other big part of making cloud work i think then we'll have the best chance of success yeah and of course the security has implications on the security model you were talking earlier about that as an opportunity people sometimes think oh yeah i put put my data in the cloud i'm good on security but there's there's a shared responsibility uh again we talked about different traffic patterns uh you've got work from home going on uh so and it's interesting when you juxtapose a sort of industry narrative on security which is it's it gets harder and harder and harder and you hear some of the cloud 
players say hey the state of security is really good uh but when you talk to csos you know they'll talk about the lack of talent uh the challenges they have the tools tools creep the fact that they spend more but the adversaries just keep getting stronger and stronger and stronger it's a really serious problem i mean maybe we close there i mean kind of how do you see it from your your vantage point let's look at the blood test so i look at if you don't the technique which we are talking about at least in the dimension of security monitoring then you are going to a lot of little things because you are doing little things you are going to be do a tool creep and because of that you have a like a talent issue and i think if you can make the right stuff work then you will not have this this talent issue and i feel that we are always looking solving yesterday's problem okay because we are not watching what led to the attack we are just dealing with the attack as an incident a security issue so i think continuous monitoring of deviation traffic allows you look at the deviation of the north so signature based security is a big portion but how do you know the signature of tomorrow and well you know that because you know the normal but only way you know normal is if you have been monitoring what was going on not for a specific event but deviation from normal that's what our approach is going to be anomalous behavior detection through our smart data and then you apply machine learning and ai algorithms to that i think that could be nirvana and but we don't have all the smart people for analytics but we can feed our data to those smart people and that's something we are going to bring up and the reason i feel it will be successful because this idea has been widely successful for netscout in the non-security space yeah i think you're bringing up another point that i've talked about a lot which is we've the industry has gone from sort of an industry of products to platforms and 
now ecosystems is really driving a lot of the innovation it's exactly what you're talking about feeding data to other partners data partners and now you start thinking about iot and the edge and machines talking to machines i mean i put you know video cameras up in my house to to make my environment more secure but of course i'm scared to death that those things can get hacked um it's a very complicated situation and the the power of many is going to trump the the the resources of one and so i'm glad you you brought that out um maybe give us your final thoughts anil it really has been a pleasure talking to you well i think the vr one of the things people have asked me is uh is why did you start another company especially in silicon valley i said with this spot many companies but they all happened to be called netstar netscout 1.0 2.0 3.0 actually we we are into the 4.0 i sometimes say you know george foreman's four sons they're all called george foreman so it's like one and so every time we do something different and now we are in the process of launching netscore 5.0 it was partly because maybe accelerated because of what's what's going on with the pandemic because there are some new challenges which we then here for and we are entering the security space so i'm very excited about repeating what we did in the traditional monitoring space service assurance space both for enterprise and carriers to the security space and people will question us how come it took so long while we were solving other problems which were more interesting than this for netscout and now we're going to bring that technology and all the tenants guardian of the connected world smart data to the security space and also i mean people are around for a long time we are also building the next generation of leaders at netstar and and so we have our hands full over the next two three years in uh building the next generation of net scout solving some of the problems which industry is facing without 
abandoning our tenants and the culture and if we can do that i think uh there'll be uh we'll be going to uh to the next level in terms of netscore branding and leadership well given given the guiding principles that you shared with us earlier the the the fundamental technology that you have around visibility uh i think that's served you very well and i think there's no shortage of of opportunity uh for netscout so neil thanks so much for sharing your story and coming on thecube good thank you all right and thank you for watching everybody this is dave vellante for the cube we'll see you next time [Music] you
Hardik Modi, NETSCOUT | CUBEConversations September 2020
>> Announcer: From theCUBE studios in Palo Alto and Boston, connecting with thought leaders all around the world, this is a CUBE Conversation. >> Hi, I'm Stu Miniman, and this is a special CUBE Conversation coming to us from our Boston area studio. We know that so much has changed in 2020 with the global pandemic on, with people working from home, staying safe is super important, and that especially is true when it comes to the threats that are facing us. So really happy to welcome to the program Hardik Modi, we're going to be talking about the NETSCOUT threat intelligence report for the first half of 2020. Hardik's the AVP of engineering for threat and mitigation products. Hardik, thanks so much for joining us. >> Thanks Stu, it's great to be here. Thanks for having me. >> Alright, so first set this up. This is NETSCOUT does these threat reports and on a pretty regular cadence, I have to think that the first half of 2020, we'll dig into this a little bit, is a little different because I know everybody when they had their plans at the beginning of 2020, by the time we got to March, we kind of shredded them and started over or made some serious adjustments. So why don't you introduce us to this? And then we'll talk specifically about the first half 2020 results. >> Right, thanks, Stu. So I'm here to speak about the fifth NETSCOUT threat intelligence report. So this is something that we do every six months in my team, in particular, the NETSCOUT threat intelligence organization, we maintain visibility across the internet and in particular threat activity across the internet, and very specifically with a strengthened DDoS activity. And so, you know, there's a lot of data that we have collected. There's a lot of analysis that we conduct on a regular basis. And then every six months, we try to roll this up into a report that gives you a view into everything that's happened across the landscape. So this is our report for the first half of the year. 
So through June 2020, and yes, you know, as we came into March 2020, everything changed. And in particular, when, you know, the pandemic kind of set upon us, you know, countries, entire continents went into lockdown and we intuited that this would have an impact on the threat landscape. And you know, this is even as we've been reporting through it, this is our first drill of roll up and look at really everything that happened and everything that changed in the first half of 2020. >> Yeah. It absolutely had such a huge impact. You know, my background, Hardik, is in networking. You think about how much over the last decade we've built out, you know, those corporate networks, all the Wi-Fi environments, all the security put there, and all of a sudden, well, we had some people remote, now everybody is remote. And you know, that has a ripple on corporate IT as well as, you know, those of us at home that have to do the home IT piece there. So why don't you give us a look inside the report? What are some of the main takeaways that the report had this time? >> No, so you're right, the network became everything for us and the network became how we, how our students attended school, right? And how we did our shopping, you know, how we did certainly finance and most definitely how for a lot of us how we did work, and suddenly the network, which, you know, certainly was a driver for productivity, and just business worldwide suddenly became that much more central. And so, we tend to look at the network, both sort of at the enterprise level, but then also a lot of what we get to see is at the service provider level. So what's happening on the big networks worldwide, and that's what we've rolled up into this report. So a few things that I want to kind of highlight from the report, the first thing is there were a lot of DDoS attacks. So we recorded through our visibility, 4.83 million DDoS attacks in the first six months of the year. That's almost 30,000 attacks a day. 
And you know, it's not like we hear about 30,000 outages every day. Certainly aren't 30,000 outages every day, but you know, this is an ongoing onslaught, for anybody who exists on the internet, and this didn't abate at all through the first half of the year. If you kind of go like, just look at the numbers, it went up 15% for the same period year on year. But then as you enter into March, and in particular, the date when the WHO sort of announced the global pandemic, that's essentially the start that we marked. From that day onwards, the rise in attacks year on year for the same period, you know, a year ago was 25%. So that really, just in sheer numbers a lot changed. And then, you know, as we go a level deeper, and we look at like the nature of these attacks. You know, a lot of that actually has evolved considerably, over the past few years. And then in particular, like we're able to highlight a few stats in the first half of the year, and certainly like a lot of the drivers for this, the technical drivers are understood. And then there's just the human drivers for this, right? And we understand that a lot more people are at home. A lot more people are reliant on the internet and, you know, just sad to say, but you know, certainly also a lot more people aren't as engaged with school, with work, with society at large. And these tend to have knock on effects across large, a lot of things that we do in life, but also in like cyber crime and in particular, like in the DDoS space. >> Maybe if you could for our audience, I think they're in general familiar with DDoS, it's typically when, you know, sites get overwhelmed with traffic, different from say, everybody working at home is it'd be a little bit more cautious about phishing attacks. You're getting, you know, links and tax links in email, "Super important thing, please check this," please don't click those links. 
Does this impact, you know, those workers at home or is it, you know, all the corporate IT and all the traffic going through those that there's ways that they can stop, halt that, or, you know, interfere, get sensitive data? >> That's a really good point. And in large parts, I mean, and like with a lot of other kind of cyber crime activity, this is primarily felt inside the enterprise. And so the, as far as like, you know, companies are concerned and people who are using VPN and other kinds of remote access to get to critical resources, the key challenge here is the denial of availability. And so, okay. So you're right. Let's take a step back. DDoS, distributed denial of service. This is typically when like a large plurality of devices are used to direct traffic towards a device on the internet. And we typically think of this as a site. And so maybe, your favorite newspaper went down because of a DDoS attack, or you couldn't get to your bank or your retail, you know, e-commerce as a result of the DDoS attack, but this plays out in many different ways, including the inability for people to access work, just because their VPN concentrators have been DDoSed. I think, you know, just coming back to the split between people who work for a company and the company themselves, ultimately it's a shared responsibility, there's some amount of best practices that employees can follow. I mean, a lot of this enforcement and, you know, primarily ensuring that your services are running to expectation, as always, there's going to be the responsibility of the enterprise and something that enterprise security typically will want to cater for. >> All right. And how are these attacks characterized? You said it was up significantly 15% for the half year, overall, 25% overall, anything that differentiates big attacks, small attacks? Do we know how many of them actually freeze a site or pause how much activity is going on? 
>> Right, so what I will say is that within just those numbers, and we're simply just counting attacks, right? Even within those numbers, a key aspect that has changed is the rise in what we call multi-vector attacks. And so these are attacks in which they're, you go back maybe five years, certainly like going back further, typically a DDoS attack would involve a single technique that was being used to cause damage. And then over time, as many techniques were developed and new vulnerable services are discovered on the internet, what we find is that there's, you know, occasionally there would be a combination of these vectors, as we call them, being used against the target. And so a big thing that has changed within the last two years is what we think of as the rise in multi-vector attacks. And what we are seeing is that attacks that involve even 15 separate vectors are up considerably, over 1000% compared to the same time last year, and correspondingly attacks that involve a single vector are down in a really big way. And so we're just seeing a shift in the general, the techniques that are used within these attacks, and, you know, that has been considerable over certainly, you know, the same time 2019. But if you go back two years, even, it would seem like a complete sea change. >> What other key things, key learnings did you have from the survey this year that you can share? >> Yeah, so one thing I want to highlight that, you know, we kind of, and I think it's been implicit in some of your questions, certainly in many conversations that I have, like, what is the cost of these attacks? You know, what is ultimately the impact of these attacks on society? And one of the ways in which we tend to think of the impact is in simply like outages, like an e-commerce site that does a certain amount of business every day, you know, they can easily recognize that "All right, if I'm off for a day, for two days, for seven days, here's the impact to my business." 
So that tends to be understood at the individual enterprise level. Another cost that often is well recognized is the cost of mitigating attacks. And so now there's, whether it's the service provider, the enterprise themselves, other forms of business or other entities who will invest in mitigation techniques and capacity, those costs tend to kind of rack up. What we have done, thanks to our kind of really unique visibility into service provider networks worldwide, what we've been able to do is extract essentially what we call the DDoS attack coefficient. And this is, think of it as like, here's how much DDoS attack traffic is going on worldwide or across any set of networks at any given time. So if you had zero DDoS in the world, that number would be zero, but it most definitely is not. You know, we have represented numbers for different parts of the world. This can be many, many, many gigabits per second, many terabits per second. And essentially there's even just a transit cost for carrying this traffic from one point to another. And that is actually, you know, what we call the DDoS attack coefficient. And that cost is something that I want to highlight is being borne by everyone. So this ultimately is what shows up in your internet bills, whether you're a residential subscriber, whether you're using your phone and paying for internet through your phone, or you're an enterprise, and now you have network connections from your service providers, because ultimately this is a cost that we're bearing as a society. This is the first time that we've actually conducted research into this phenomenon. And I'm proud to say that we've captured this split across multiple geographies of the world.

>> Yeah. It's been a big challenge these days. The internet is a big place, there's worry about fragmentation of the internet. There's worry about some of the countries out there, as well as some of the large, multinational global companies out there, really are walling off their piece of the internet. Hardik, one thing I'm curious about, we talked about the impact of work from home and having a more distributed workforce. One of the other big mega trends we've been seeing even before 2020 is the growth of edge computing. You talk about the trillions of IoT devices that will be out there. Does DDoS play into this? You know, I just, the scenario runs through my mind. "Okay, great. We've got all these vehicles running that have some telemetry," all of a sudden, if they can't get their telemetry, that's a big problem.

>> Yeah. So this is both the devices themselves and, basically, the impact that you could see from an attack on them. But more often what we see on the internet in the here and now is actually the use of these devices to attack other more established entities on the internet. So for us now, for many years, we've been talking about the use of IoT devices in attacks, and simply the fact that so many devices are being deployed that are, physically, they're vulnerable from the get-go, insecure at birth, essentially, and then deployed across the internet. You know, even if they were secure to start, they often don't have update mechanisms. And now, over a period of time, new vulnerabilities are discovered in those devices and they're used to attack other devices. So in this report, we have talked about a particular family of malware called Mirai, and Mirai has been around since 2016, been used in many high profile attacks. And over time there have been a number of variations to Mirai. And, you know, we absolutely keep track of the growth in these variations and the kinds of devices where they attack. Sorry, that they compromise, and then use to attack other targets. We've also kind of gone into another malware family that has been talked about a bit called Lucifer, and Lucifer was another, I think originally more Microsoft Windows, so you're going to see it more on your classic kind of client and server kind of computing device. But over time, we've seen, we have reported on Linux variants of Lucifer that not only can be installed on Linux devices, but also have DDoS capabilities. So we're tracking the emergence of new botnets. Still, Stu, going straight back to your question: this is where IoT, you know, even for all the promise that it holds for us as a society, you know, if we don't get this right, there's a lot of pain in our future just coming from the use of these devices in attacks.

>> Well, I thought it was bad enough that we had an order of magnitude more surface area to defend; I hadn't really thought about the fact that all of these devices might be turned into an attack vector back on what we're doing. Alright, Hardik. So you need to give us the ray of hope here. We've got all of these threats out here. How's the industry doing overall defending against this, what more can be done to stop these threats? What are some of the actions people, and especially enterprise techs, should be doing?

>> Yeah, so I absolutely start with just awareness. This is why we publish the report. This is why we have resources like NETSCOUT Cyber Threat Horizon that provides continuous visibility into attack activity worldwide. So it absolutely just starts with that. We're actually, this is not necessarily a subject of the report because it's happened in the second half of the year, but there have been a wave of high profile attacks associated with extortion attempts over the past month. And these attacks aren't necessarily complex, like the techniques being used aren't novel. I think in many ways, these are the things that we would have considered maybe run of the mill, at least for us on the research side and the people who live this kind of stuff, but they have been successful, and a number of companies right now, a number of entities worldwide right now are kind of rethinking what they're doing, in particular DDoS protection. And for us, you know, our observation is that this happens every few years, where every few years there's essentially a reminder that DDoS is a threat domain. DDoS typically will involve an intelligent adversary on the other side, somebody who wants to cause you harm. To defend against it, there are plenty of well known kind of techniques and methodology, but that is something that enterprises, all of us, governments, service providers, those of us on the research side have to kind of stay on top of, keep reminding ourselves of those best practices and use them. And, you know, I'll say that again, for me, the ray of hope is that we haven't seen a new vector in the first six months of the year, even as we've seen a combination of other known vectors. And so just from that perspective, these are attacks we should be able to defend against. So that's essentially where I leave this, in terms of the hope for the future.

>> Alright, Hardik, what final tips do you have? How do people get the report itself and how do they keep up? Where do you point everyone to?

>> Yes, so the report itself is live on the 29th of September 2020. It will be available at NETSCOUT.com/threatreport. I'll also point you to another resource, Cyber Threat Horizon, that gives you more continuous visibility into attack activity, and that's NETSCOUT.com/horizon. And so these are the key resources that I leave you with. Again, there's plenty to be hopeful about. As I said, there hasn't been a new vector that we've uncovered in the first six months of the year, as opposed to seven vectors in the year 2019. So that is something that certainly gives me hope. And for the things that we've talked about in the report, we know how to defend against them. So this is something that I think, with action, we'll be able to live through just fine.

>> Well, Hardik, thanks so much for sharing the data, sharing the insight, pleasure catching up with you.

>> Okay. Likewise, Stu, thank you.

>> All right, and be sure to check out theCUBE.net for all of the videos we have, including many of the upcoming events. I'm Stu Miniman and thank you for watching theCUBE. (calm music)
Tom Bienkowski, NETSCOUT | CUBE Conversation, September 2020
>>from the Cube Studios in Palo Alto in Boston, connecting with thought leaders all around the world. This is a cube conversation. Hi, >>I'm stupid, man. And welcome to another cube conversation. I'm here in our Boston area studio. And of course, the intersection of networking and security has always been a hot topic. Even Mawr, if you look at it in 2020 everybody working from home their stresses and strains and a lot more changes than usual for what corporate I t has to deal with. Happy to welcome to the program. Tom Bonkowski. Hey, is the director of product marketing with Net Scout. We're gonna get into some of those topics. Um or Tom, thanks so much for joining us. Welcome. Alright. Eso you came to Donetsk out by way of the Arbor Networks acquisition. Ah, few years ago when I want to give our audience just a little bit about your background, what your team works on and we're gonna be talking about the the edge defense. A solution Said >>Sure. Yes, I I've been with Arbor Networks for over 10 years. I've been the director of product marketing for the DDOS line of products during that time and when we came over to Netsch e still have kind of continue that role. So I'm basically responsible for anything that you know to do with the Arbor Adidas Solutions. We have solutions for the service Friars of the world, large enterprises in the world. >>Yeah, maybe it would help if you just refresh our audience so, you know, generally out in the marketplace. You know d das? It's, you know, attacks on the internet. If I if I was, you know, a big provider technology. It's like, Hey, why can't I get to that website? Oh, they had a DDOS attack that hit them. But you know when when it comes to the enterprise you talked about about service brighter also, you know, when is this hitting them? You know, who are the ones causing this kind of thing? It just kind of give our audience a little bit of level. Said if you would in 2020. >>Oh, yeah. 
I mean, you know, Adidas attacks have been around for over 20 years. This isn't anything new, as you know, um, but the reality is is as that these attacks have been getting bigger. We're getting more frequent. They're getting more complex. Um, and like I said before, I've been here for over 10 years, and I feel like I say that every single year, but it is absolutely true. Um, and you know, the service Fridays of the world Bear the brunt of this. This problem, they're the ones taking on these large attacks. They're the ones trying to stop it not only to protect their own infrastructure, but also potentially the target, which could or could not be one of their customers. There's a lot of collateral damage associated with the details attacks, especially from a service buyer's perspective, because it impacts everything running on their backbone or in their whatever facility that this attack is flowing through. And then, obviously, you have potentially the target of these attacks, which could be any enterprise, any large government, whatever its very indiscriminate, uh, anyone could be a potential target on br. All >>right. And for for the enterprises themselves, you know, how are they making sure that they are protecting their perimeter? Where does Netsch out? You know, fit in tow, helping protect them against the sort of malicious >>attack. Yeah. So when When it comes to protecting your perimeter in particular. Let's let's talk about where we are today in this whole cove in 19 Pandemic. Um, a zoo. We all know this. This caused a massive work slash. Uh, you know, learn from home scenarios never seen before. And you know the quote. New perimeter is everyone who was once inside the organization now home coming back in, right. And, you know, the the Internet inbound Internet circuit, the firewall, the VPN, gateway, the load master all now coming from the opposite direction that maybe they were utilized in the past. 
Um, it is really the new perimeter, and it is has become very crucial to maintain business continuity, especially in this time. But as we'll talk about it also has become very vulnerable to to DDOs attacks in particular. And, you know, one of the areas that we'll talk about it is how one particular piece of that infrastructure, the VPN gateway, is actually become not only one of the most critical pieces in that chain of communication, but also one of the most vulnerable pieces to simply because it was never anticipated that this many users would would utilize that VPN gateway, and it was never designed for that on. Therefore, it's running at, you know, high or near capacity or at capacity, and it and it could be toppled over pretty easily with fairly small DDOS attacks. We'll get into that a little bit later. Yeah, >>absolutely, Tom. So I've had so many conversations over the last few months about, you know, the ripple effects of what? Work from home. Or, you know, if we think about however things play out in the next few months, it really will be almost work from anywhere. Um, is what will happen on Dwell. Everyone is working at home. That doesn't mean that some of those bad actors out there have gone away. In fact, you know, every company I talked to that's involved with security has seen way need to raise our capabilities and often are getting mawr attacks out there. What have you been seeing out there in the marketplace? You know, how have things been so far in 2020 when it when it comes, toe your space? >>Yeah, I know the same thing. So I'm gonna put up a chart here. And this is a chart which shows, uh DDOs attacks during the first, um, of six months of 2000 and 20 and this data comes from what we call our cyber threat horizon. This is This is a free online portal that anyone could access and see this information if they wish, But it's fueled by the deployment of our products all over the world. 
So our DDoS protection products are utilized by a majority of the world's Internet service providers. And from that deployment, they send this information about DDoS attack activity like, you know, the size of the attack, who is being attacked, where is it coming from, the protocols or vectors being used, etcetera. So we gather this information on a daily basis and present it in this portal. So what this represents is the first six months of 2020, and as you can see, there's been over 4.8 million attacks thus far in 2020. That's about 15% higher than last year at the same exact time period. But if you look at the chart a little bit closer, we snapped the line at February, sort of the start of the global pandemic and the lockdown periods, if you will, and what you can see, February, March, April, May, is an uptick in the number of DDoS attacks, almost up to 36% in May. So all this is happening during the time of this lockdown, right? All this is happening where organizations are struggling to maintain a new normal, if you will, business continuity, right? So what you said before, that organizations are still struggling with cyber attacks, in fact probably more, is exactly what's happened in the DDoS realm. And then finally, if you look at June, you see this little drop off there, and you know, here everyone is talking about the new normal; the new normal is not the new normal, possibly. It's still too soon to tell. I think we'll wait for another couple of months here. But the bottom line is that in the midst of all this, as organizations are trying to maintain some level of business continuity, they're also being faced with cyber threats like DDoS attacks like they've never seen before. So an amazing challenge that folks have faced out there.
>>Yeah, Tom, there's a few spaces in the marketplace that were already very important, you know, really top of mind for the business.
I think about automation and security being two of the ones that come up most often. And when I talk to the participants in the space, they're like, I thought I was busy in 2019 and had a lot planned for 2020, and oh, my gosh, I had no idea what 2020 was really going to bring. So that data that you showed, you know, you're talking about millions of attacks, and you know that increase, they're putting a focus on it even more here. So a lot of work for people to be done. So bring us inside a little bit. You know, how is NetScout, how are you helping customers? What advice do you have for them? You know, how do we make sure that we can curb, you know, the impact of these attacks, which is in the millions?
>>Sure. So let's go back to that inbound infrastructure now, right? Where everyone working from home is coming into the inbound router, hitting a firewall, but more likely hitting a VPN gateway of some sort. That's what's allowing them to get access into these internal resources. That VPN gateway, as I mentioned before, has been crucial during this time, but it also has been very susceptible to DDoS attacks. That VPN gateway, as well as that firewall, these are, you know, what are referred to as stateful devices. They have to track TCP state in order to work properly. Well, there are three types of DDoS attacks, if you will, to make things simple. One is the volumetric attack, which people normally think of as a DDoS attack. It is designed to saturate that inbound circuit, that Internet-facing router interface, right? And then there are application layer attacks. They're very small, stealthy attacks. They're going after specific application servers. They're trying to bleed off resources there. And then there's an attack called state exhaustion attacks. These are specifically designed to go after stateful devices like firewalls or, in today's world, the VPN gateway, and it doesn't take much.
It takes a small 100 megabit per second attack lasting for 5 to 10 minutes to potentially fill the state tables in some of these VPN gateways, especially in light of the fact that they weren't prepared or designed to take on all the legitimate users that are coming in as a result of the pandemic. So the key to stopping these sorts of attacks, the stateful attacks, and protecting that VPN gateway is to put something on premise that is stateless, meaning it has the ability to inspect packets using stateless packet processing technology. And we have such a product. Our product, which we call Arbor Edge Defense, is designed to stop all types of attacks. But in this particular environment, it excels at stopping state exhaustion attacks, and you deploy it just inside the Internet router and in front of the VPN gateway or that firewall. There, it can pick off short-lived state exhaustion attacks and protect the availability of the VPN gateway and firewall. Now, if you're relying upon, which many organizations do, relying upon a cloud-based DDoS protection service, which we have too, we have something called Arbor Cloud, it may not be able to stop those attacks in time. So you're running a little risk by relying on more traditional cloud-based protection services. That's why you need this product, Arbor Edge Defense, on premise, because it will react instantaneously and protect that VPN gateway from going down and maintain that business continuity for you.
>>You know, Tom, when I think about that footprint that you have in a customer's environment, you know, in addition to the DDoS services, it would seem like a prime opportunity that there's other services and applications that could be run there. Is that the case with your solution too?
>>Well, if I understand what you mean by the services, well, we have the ability to conduct fully managed services. Is that where you're going with that?
>>Yeah, I think that's one of them, right. Understanding how that service works, yes.
>>So the Arbor Edge Defense is a system that, once you have it configured, you design it for protecting sort of the interior services, like protecting the VPN gateway, firewalls, any other application running internally. In the event of a large attack that we've been talking about, that will fill that Internet pipe, it has a feature called Cloud Signaling, where it will intelligently call for help upstream to either the Arbor Cloud service, which is a fully managed DDoS protection service, we have global scrubbing centers, and/or call your ISP, who you may be getting your DDoS protection service from already. So it has the ability to link the on-premise with the cloud-based protection. And this hybrid approach to protection is absolutely industry best practice. This is how you protect yourself from the multiple-vector DDoS attacks, as we mentioned previously. Now, if you're an organization that maybe doesn't have enough experience, doesn't want to deal with the on-prem Arbor Edge Defense, you know, we have you covered there, too. We have the ability to manage that scenario or that device for you. We have the ability to manage not only the Arbor Edge Defense, but also the integration with the Arbor Cloud. So that whole hybrid scenario that we're talking about could be fully managed by, you know, by our folks who do this every single day, 24/7.
>>Yeah, is there any breakdown as to your customers, as to, you know, when they choose that fully managed solution versus on-prem? A recommendation we've had for a long time is you want to have your IT focused on things that have differentiation in your environment, and it seems like a natural thing that, you know, your team has the expertise. So what is that decision point as to whether they do it themselves or go with the managed solution?
>>I think it really just has to do with the culture and the experience of the company. Really, what we're seeing is some of the smaller organizations that, you know, have smaller teams, right, that wear multiple hats. They just cannot stay abreast of the latest threats in DDoS. As I mentioned before, these things are getting more and more complex. So I think they're coming to the conclusion that, all right, this is something that I can't do by myself anyway. For the large attacks, I need a cloud-based service of some sort. I need someone to help me there anyway. So why don't they just handle the whole thing? Why don't they just handle the on-premise component and the cloud-based component of this and make sure that it's running as efficiently as possible? But you know, even that said, it's not just the smaller orgs. We're seeing larger orgs do it, too, just to push things off their plates. Let's leave DDoS to the experts, again, because I can't do it all myself anyway.
>>Tom, I saw a video, I think it was you that did it actually, talking about how Arbor Edge Defense is the first and last defense when it comes to DDoS. Maybe explain that a little bit for our audience.
>>Yeah, so our tagline for the product is first and last line of defense. The first line, which we've been talking about all along here, is the ability to stop the inbound DDoS attacks. Now it also acts as the last line of defense, too. So, as we were alluding to before, you know, all you hear during this time of the pandemic is watch out for, you know, COVID-19 related ransomware and things like that, right? Because the Arbor Edge Defense is just inside the router and outside the firewall, it is literally the last component in that cybersecurity chain, let's look from the outbound perspective, before packets leaving the enterprise go out to the Internet. It is the last piece of product in that security chain, right, before it leaves to the Internet.
The Arbor Edge Defense has the ability to consume threat intelligence not only from our own ATLAS system, which we spoke about earlier, but from third parties too, via STIX and TAXII. It has the ability to consume threat intelligence, and there, sitting on that last piece of, you know, the security pipe, if you will, or chain, it has the ability to intercept indicators of compromise that have come from internally compromised devices that have made it through the entire security chain outgoing, reaching outside the firewall. Now it's one last line of defense, if you will, that has the ability to recognize and stop that internal indicator of compromise. And this is going to help stop the proliferation of malware and ultimately avoid that data breach that everyone is fearful of. So it has a dual role. It can protect you from inbound DDoS attacks, and also, as this last line of defense, stop the proliferation of this malware we're talking about.
>>Yeah. Great, Tom. That actually refers to what I was curious about, you know, what other things your device did. And you know, there's the intelligence baked into there to have kind of a multipurpose when you're in that environment. All right, Tom, I want to give you the last word here. You know, companies today, they often need to react very fast to be able to deal with, you know, the changing dynamics of their business. You know, spinning up resources, everybody, you know, working from home. And so, you know, what final advice do you have for them? And, you know, give us the final word.
>>Yeah. You know, during this time, unprecedented times, you know, we all unfortunately ought to remain very vigilant when it comes to protecting our organization from cyberattacks. One of the areas that seems to get overlooked is DDoS protection, right? Everyone is focused on malware and things like that, but don't overlook DDoS attacks.
These things are happening on a daily basis, as I showed you, over almost five million so far this year. It is an absolute part of maintaining the availability of your organization. It's part of the security triad, as we know. And, you know, it's really there to, you know, disrupt your business continuity if you are getting hit. So don't overlook and don't underestimate your DDoS protection.
>>All right. Well, Tom Bienkowski, thank you so much for the update, and appreciate everything you shared.
>>You're welcome.
>>All right. Be sure to check out theCUBE.net for lots more coverage from theCUBE. I'm Stu Miniman. Thanks for watching.
Paul Barrett, NetScout | CUBE Conversation, August 2020
>> From theCUBE studios in Palo Alto and Boston, connecting with thought leaders all around the world, this is a CUBE Conversation.
>> Hi everybody, this is Dave Vellante and welcome to this CUBE Conversation. We're going to talk about a topic that is obviously top of mind in a lot of people's situations right now, which is ensuring business continuity, business resiliency, given this work from home pivot is something that a lot of people are focused on. Many CIOs have told us that business resiliency was way too focused on disaster recovery. And we're going to talk about this in the context of VPNs. Now I've got a love-hate with VPNs. I mean, on the one hand they provide safeguards. They give us privacy, they give us protection, everything's encrypted, but they can bring forth performance problems. There could be service quality issues, video or audio. And so the problem with VPNs is a lot of times they're a black box. You don't know what's going on inside. There are different types of VPNs, and it's actually a pretty complicated situation, and with me to talk about that is Paul Barrett, the CTO of Enterprise at NetScout. Paul, good to see you.
>> Great to be here.
>> Yeah, so what did you see with regard to the trends that hit with COVID? Obviously there was this very rapid work from home pivot, VPNs had to be deployed for remote workers who typically would come into the office. What did you see?
>> So with NetScout, we service the largest, most complex organizations, both in the US and globally. But for many of these organizations, the VPN services they provided really was for quite a small subset of their workforce. People working on the road, maybe they had a small subset of their employees working from home. And as you say, obviously, as we all understand, almost overnight, everyone's found themselves struggling to work from home. And quite frankly, most organizations' VPN configurations were just never architected to deal with this kind of situation.
One of the perhaps most important distinctions between the different types of VPN is whether you have a so-called full VPN service or a split VPN service, because that really impacted the ability of organizations to deliver VPN.
>> So what does that mean, full versus split? I know there's sometimes free VPNs. You kind of get what you pay for. What does that mean, split versus full?
>> So with a full VPN connection, everything that you connect to on the internet or any business service has to go over your VPN connection. You can't make any direct connections from your PC to the internet; it has to go through your enterprise network. So if you think about it, if you suddenly moved tens of thousands of employees to working from home, every single communication activity performed by those employees goes through your VPN concentrators. With a split VPN, and for example, I use a split VPN, only when I need to connect to business services that are provided over my enterprise network do I actually go directly to my enterprise network over the VPN. If I'm just going to Google or any other regular internet resource, then I get a direct connection to that internet resource. And that really takes the pressure off the VPN concentrators.
>> The split VPN gives you more flexibility. I can't tell you how many times I've sent a link to somebody and they say, "Oh, I can't open it, it's got to be my VPN blocking it." You're saying it gives you this sort of, you have your cake and eat it too, the split VPN.
>> Well, right, yes. It just means that, to say, it's only the traffic that has to go into the corporate network that goes through the corporate VPNs. What we observe is, as I say, 'cause we deal with very large organizations, particularly regulated industries such as financial services and healthcare, there was just a requirement that, hey, everything's got to come over the VPN. We don't want any traffic kind of leaking directly onto the internet.
We want to have full control, so everything goes through our security stack. So one of the things we're sort of seeing now, three months into the COVID situation, I would say most of our customers have got through the worst of it. But a lot of them would say they're still running very hot. And those who were previously offering full VPN are saying, "Well, can I transition to offering a split VPN service?" But it's not a trivial thing to do, because especially if you're highly regulated, you've got the compliance requirements, you've got to make sure that the traffic that has to go through your security stack does so, and that you're comfortable with any traffic that's going direct. SaaS services like Office 365, you have to make sure that you're comfortable with that traffic going direct over the internet. So let's say the transition from full VPN to split, it's quite a challenge and it's not trivial.
>> Well, and I would imagine, I mean, if I'm the compliance officer I'm saying, "Go full VPN and I don't care if there's a restriction and some handcuffs placed on the users." If you're a line of business head, you're saying, "Hey, I want more flexibility." So the brute force approach, it's a two-edged sword. So how do you help solve that problem? I know you're focused on providing visibility, but explain where NetScout fits in the value chain.
>> So yeah, everything NetScout does is about analyzing the traffic flowing on networks. And we do it for helping customers ensure that the applications and services are healthy, that they're available. We have products that allow people to protect their applications against DDoS attacks, but in the case of VPN, it's really about understanding how the service is being used.
If you actually look at the traffic coming on the enterprise side of your VPN concentrator, so often it's been decrypted, I can see who's accessing which business services. I can see, if for example it's a full VPN connection, how I've got users going to unimportant services like YouTube, which really isn't helping the situation. I can see whether, I might actually, 'cause typically large organizations have multiple VPN concentrators around the country and even around the globe, and you get situations where one set of VPN concentrators are sitting there underutilized, whereas I've got another set of VPN concentrators that are sort of overwhelmed. And by getting this visibility of that kind of usage, I can actually think about getting some of my user groups to maybe use a different VPN concentrator. And as I was talking about the migration to a split VPN, having visibility of what applications are being used. Hey, I have this particular sensitive application and I need all that traffic to come through my security stack, but actually it turns out I didn't configure my split VPN correctly and it's all leaking directly over the public internet. Then I have the visibility I need to detect that kind of situation and to remedy it.
>> So is the primary reason why people use NetScout in this use case really to, obviously to provide that visibility, but to make them more secure? Is there a performance aspect as well in terms of what you guys are doing?
>> Yeah, one of the, I would say, the facets of the move to working from home is increased emphasis on services such as unified communications, voice and video. The use of collaboration services has greatly increased. Those types of service, particularly voice and video, they're real-time services, they're very susceptible to poor network transmission, things like latency and packets being dropped.
And as I say, people working from home are becoming much more reliant on these types of service than they are when they're in an office. And so it's critical to understand whether problems with, for example, voice and video quality are arising in your own network, because for example you've saturated your VPN concentrator, or whether they're coming from your SaaS provider. So, to give an example, I find using one of the well-known collaboration services, if I've got problems in my own network and I'm introducing packet loss into my voice feeds, if I send all of this already corrupted traffic to the collaboration service, and then that gets reflected to all of my other users, everyone will go, "Oh, hey, there's a problem with the collaboration service." And you're going to waste time pointing your finger at the collaboration service provider, who, let's be honest, at the moment has got much better things to do than to go chasing phantom problems. When if you have visibility inside your own network, you can actually understand that, oh, hey, no, this is a problem of my own making. So I'm not going to waste cycles pointing the finger at the other guy, I can actually get on with isolating the problem in my own network, figure out what I need to do and then remediate it.
>> So NetScout, you guys are doing some dirty work. You're like Navy Seals going in, and going deep into the network. So talk a little bit about the intellectual property behind this. How does it work? What's the secret sauce that NetScout brings to the table?
>> So, our CEO and co-founder Anil Singhal, over 30 years ago, the company is 35 years old, he recognized the growing importance of the computer network and he recognized the need to understand what's happening on these networks. And of course now it's almost impossible to do anything without it involving a network of some kind.
So, he persevered and continued to refine and refine the technology of analyzing what happens on a network, but converting that raw traffic into actionable data. We call the data we produce, the metadata, Adaptive Service Intelligence, and we sometimes refer to it as smart data. And of course there's an emerging trend in the industry of AIOps, saying, what can I do if I start to apply machine learning algorithms to all the data that's coming out of my environment? It's like the old garbage in, garbage out; you can only perform high quality analytics if you have a high quality data source to work with. So that's really, that's always been our focus. How can we take all of that complex traffic on a network and map it to a very simple but actionable set of high quality data?
>> So it always comes back to the data, doesn't it, in these types of things? But I wonder, what is the diversity and variety of the data set? Is it a fairly narrow and well understood data set, or are there sort of conflicting data that you also have to rationalize?
>> Well, the data model has multiple levels. Everything from reducing all the raw packets, and we're intelligent in how we do that. We have all the packets that you really need, and we store rich data relating to individual transactions. That's very useful for troubleshooting, but what we were also able to do is, for most network protocols, we actually can map it to a common data model. And that's extremely powerful, because it means that in a single pane of glass, I can get insight into all of the different applications and protocols running on my network.
>> So you've sort of addressed the data quality problem in that way. I wonder, I mean, as a CTO, I would imagine you spend a fair amount of time with customers. Are there any sort of examples that you can give? Either name names or anonymous, just in terms of the last 100 days, how you've helped customers, some of your favorite examples, perhaps?
>> Well, as I say, I mean, a lot of energy has been put into providing that visibility around VPN services, because quite honestly it was never seen as a particularly critical component of the overall enterprise. It was, as I said earlier, it was that kind of, oh, that's just something to help the guys on the road. And all of a sudden it became the most important piece. And as I said, it's also not just been about, okay, let's give sufficient visibility for you to kind of keep the wheels on the truck, it's also helping the customers about thinking forward, about planning. We talked about planning a migration to split VPN, but also thinking about their future needs. I think a lot of customers are looking to over-provision, and the ones that have already transitioned to virtualized infrastructure are actually in a stronger position, because they've got a lot more flexibility and ability, for example, to spin up more VPN resources, or more virtual desktop resources, for example.
>> And of course you mentioned that you guys deal with many types of industries, but specifically a lot of regulated industries, financial services, healthcare, government, et cetera. And so I would imagine that those guys really had to tap your services over the past 100 days.
>> Exactly, and as we mentioned earlier, those are the organizations that are much more likely to be using full VPN and have a lot more constraints on their ability. So even if they do move to split VPN, then there's going to be limits on how much of the traffic they can truly allow direct over the internet.
>> I wonder if we could end just sort of riffing on the whole notion of digital transformation and automation. I mean, prior to COVID, we talked a lot about automation, talked about digital transformation, but the reality is a lot of it was lip service.
A lot of customers or companies would really kind of prioritize other initiatives, but overnight, if you weren't digital, you couldn't transact business, and automation has really become imperative. People don't seem to be afraid of it anymore, they seem to be sort of glomming onto it, and really as a productivity driver. How do you see automation in this post-isolation economy, and what are the impacts to some of your customers?
>> Well, as we all understand, digital transformation is all about trying to be agile, to be able to move as fast as possible, to be able to deploy new services quickly, to respond to disruption in the marketplace and new opportunities. The only way you can really achieve that, as you mentioned, is through large scale automation. But I like to make two observations about automation. Automation is very good at taking a small building block and then replicating it and deploying it many hundreds or thousands of times over. But if you've got a bug or a defect in that building block, when you go and replicate it, you go and replicate whatever that failure mode was, or that bug. So if you don't have visibility, very quickly you can find that a very small little area that was overlooked by the quality guys has got huge implications. The other thing about wholesale automation, as we build these increasingly complex systems where we have machines talking to machines, largely unobserved, I'm always reminded of the stock market crash of 1987, so-called Black Monday, on October the 19th. And this was one of the biggest crashes ever; something like a trillion dollars was wiped off the US markets alone. And although a lot of people said a correction was due, when we look back, we see that the thing that was different about that crash is that it was the first time we really had automated trading algorithms in play.
Now, I don't believe anybody who wrote one of those algorithms was deliberately trying to crash the markets; they were trying to make money. But what no one had thought about is how all of these different algorithms by different people would interact with each other when they were pushed sort of out of their comfort zone, if you like. And I think we have a very strong analogy with digital transformation. As I say, we continue to build increasingly complex systems with machines talking to machines. So for me, to operate these kinds of environments without maximum visibility, it's almost terrifying. It's like driving a racing car without a safety harness. So, visibility is absolutely key as we move towards further automation.
>> That's interesting. I mean, I wasn't around in the 1920s, but my understanding was that when the stock market crash hit then, the Depression, then it took hours and hours and hours to determine what the market actually closed at. You actually saw that in the 60s as well. And then I remember, well, 1987, there were no, for you younger people in the United States, there were no real-time quotes then, unless you had like a Bloomberg Terminal, which we had one, actually, I was at IDC at the time. And it took like many, many minutes to actually get a quote back. I mean, the volume was so high and the infrastructure just really wasn't there. But now to your point, you see things happening today in the stock market, Paul, and they chalk it up to a computer glitch, which essentially means they have no idea what happened. And to your point about the complexity and machines to machines, if you think about AI, a lot of AI is, again, back to this black box. So are you suggesting that you guys can actually provide visibility? It solves some of that black box problem?
>> Well, absolutely. What we can do is we can provide visibility into the interactions between all of these different systems.
It's amazing how often in these large complex environments, there may be dependencies that people didn't even know existed. That can be that complex. So by looking at all of the traffic flowing between all of these different systems, we can help people understand what the dependencies are. Is a particular sub-component starting to fail? Is it becoming slow? Is it generating errors? And if things do go wrong, it's about troubleshooting as fast as possible. We need to get these systems back up and running. So the ability to rapidly isolate problems and to get away from the situation where different organizations in IT are pointing the finger at each other, 'cause nobody really knows where to start. And that's kind of human nature. It's like, well, it could be my responsibility, but it could be the other guy, so I'm pointing the finger at the other guy. What we do is we provide that information that first of all, isolates the location of the problem. So we can put the correct team working on it and the other guys can get back to their day jobs. And by providing evidence of a problem, you can actually allow someone to get to the bottom of a problem much faster. >> You got to have tooling, with all this public internet, the public cloud, now with IoT, it's just going to get more and more complicated. We'll probably look back on the 2010s and say that was nothing compared to what we're entering here. But Paul, thanks so much for coming to theCUBE, it was a great conversation. Really appreciate your insights. >> Thank you, I enjoyed it, it's my pleasure. >> All right and thank you for watching everybody. This is Dave Vellante for theCUBE, we'll see you next time. (upbeat music)
Eric Gray, NetScout | CUBE Conversation, August 2020
>> Narrator: From theCUBE studios in Palo Alto and Boston, connecting with thought leaders all around the world, this is theCUBE conversation. >> Hi, I'm Stu Miniman. And welcome to this CUBE conversation. Of course during the COVID-19 pandemic, lots of businesses and industries have been upended. One area where there's been real acceleration of the use of online technology, of course, has been telehealth and telemedicine. To help us look into what is happening in that space, we have Eric Gray, he is the Chief Solutions Architect with NetScout. Eric, thanks so much for joining us. >> Thanks to you, it's great to be here. >> All right, so as I teed it up, obviously, telehealth, telemedicine. I've had most of my family have done virtual visits, if you will, you know, talking to doctors and the like online has been a real shift, not something that is pervasive today. Help us understand a little bit how your customers are dealing with this, and the changes that are happening in their world? >> Well, it's certainly becoming a significant paradigm shift in our industry, you think over the history of medicine, people have been going in and seeing a doctor, sitting in that waiting room and going through all of the permutations to spend 10 minutes with the doctor to diagnose their symptoms. The shift that we have, driven in fact by a global pandemic, is, maybe it's unfortunate, but at the same time, it is pushing the industry strongly in that direction. They say that by 2021, this is a $66 billion industry or business. So, healthcare organizations, be it hospitals and clinics, local providers, anybody that's having to deal with medicine back and forth, in an interaction with their patients, is going to make this shift over a very short period of time. >> In general Eric, how prepared was the typical practitioner to be able to support this kind of environment?
You know, we've seen what's happened with local elementary school education, most of them aren't set up for remote, as opposed to if I looked at secondary schools, universities usually had some component of online learning. But when it comes to the medical industry, do you have anything you can share as to what segments of the market were ready? How many just had to scramble and say, oh, my gosh, I need this by Monday. >> So there were certainly the larger healthcare providers that I spend my time with, here in the Western US, they were ready to go. They had been looking forward into this field for quite a while, they had the technology in place, but that was certainly not the case for all. I've spent more time in the last three months talking to university healthcare organizations, local healthcare organizations, who weren't at all ready to roll out the technology necessary to be able to provide that doctor-patient interaction in a successful and high quality way. >> All right, well, let's drill in a little bit because most people think, oh, I'm going to move to an online experience. It doesn't just mean, if I was a restaurant, it doesn't just mean that I have an app or an online portal. If I was a school, it's not just let's throw Zoom at the solution. If you're talking telehealth and telemedicine, I'm sure there's a lot that needs to be done ahead of any visits, obviously, heavily regulated industry. So let's walk through, if we could, the full landscape there. >> So the biggest concerns that a lot of the healthcare organizations have as they're trying to roll this out, probably the biggest one by far is maintaining a level of HIPAA compliance. So that the data that's been moving back and forth between the doctor-patient is staying exactly there, it's private. It's not exposed, even though it's going across public internet, in many cases, from someone's home to the location of the physician, that information remains confidential.
Second, it really needs to be high quality, as the doctor is interacting with the patient now in kind of the same fashion that you and I are right now, over a webcam over their local ISP, the quality might vary. So, if a doctor is going to make an accurate assessment of a patient, and assess their symptoms without actually having them come into an office, they need to have an exceptional experience, the quality of the audio needs to be great quality, the video needs to be excellent. The entire interaction needs to be pristine. And then there's the things that wrap around that patient doctor experience, the things that give us, call it the infrastructure that makes it happen. That's the DNS connections in the underlying network, but it's also prior to the call making sure that you have the ability to set it up, access medical records, after the call, being able to get to pharmacy to get to your prescription, or see the test results that came from the experience. Even billing, I'm going to go pay my bill, I need to be able to get on, get to something reliably and have a secure transaction. All of this stuff together sort of makes up what is modern telemedicine. Though, most of the time, the telehealth experience is what's considered everything, whereas telemedicine is really looked at as the doctor patient conversation, across that new digital media. >> Yeah, what did companies have to deal with if they had really a toe in, or they were starting down this path, and all of a sudden they need to go from something that they do as an exception to now this is what they've been doing for the last few months. How do they scale that up? >> That was a shock for many of them. Some had some basic level of interaction capability. But I've had customers that have talked to me about a 20 to 30 x increase in the amount of bandwidth necessary and the amount of technology needed in order to facilitate these conversations. The market is skyrocketing.
Doctors are, you know, they're making this dramatic shift because they need to protect their patients, they need to protect themselves. And as the need has gone up exponentially, IT teams are really scrambling. They're having to provide this technology very, very quickly, standing up new concentrators for VPN connections, lots of new service provider connections, so that they have additional bandwidth capability. And then going out to the different companies who provide direct telemedicine and telehealth connectivity, so that they are maintaining that high level of security as well. So all of this together has just created this explosion in this industry as people rush to deploy the stuff. >> It definitely sounds very challenging. I've talked to government agencies that get emergency funding for this. What's the impact from a financial standpoint? I think from a patient standpoint, you say, it's not like all of a sudden you're going to be able to bill more. If anything, they're like, hey, I'm not coming to the office. I'm, you know, it's a little bit less to go there. So what are the financial implications of all this? >> That's really interesting. So, as many healthcare companies, especially the hospitals, ramped up to fight COVID-19 and the coronavirus epidemic, getting access to the appropriate PPE and emergency room technology, making sure they have enough ventilators. All that stuff was a big drain on the emergency funds. When they looked at what was going on with telemedicine, it's really a dramatic savings. So the surveys say that somewhere in the order of the United States healthcare industry overall, as we shift into a primarily telemedicine based system, it saves up to $4 billion a year. So it's significantly less expensive for those health care companies to be able to provide this kind of interaction. Not only money, but also from a quality of the interaction as well.
Now, as I said it kind of in the beginning, I know when I would go in and talk to a doctor, maybe I would get 10 minutes. There's a lot of time that you spend sitting in the waiting room, waiting in the in the actual room, and the interaction is very short, and maybe not such great quality. Now, as I've been spending a few sessions with doctors online, it's really great. I've got no waiting. I've got a longer window of time with my physician. I think it's probably, a better interaction for me and overall, it's going to save the healthcare company significant amount of money. Seems like it makes a lot of sense. >> Yeah, that's an interesting silver lining, if you will, that we can right really kind of, change it from, it was almost done. Just in time manufacturing methodology, as we've maximized the utilization of everything with all the scheduling and the like, and we're really building it more like a distributed system now. So I'm curious, Eric, what is the thinking around these people, these companies, if you're scaling this up for remote, eventually, there will be the new normal, let's say we have, you know, a vaccine and, going back to the office visits will be more prevalent. What is the thinking about, what this will look like and hybrid mode or what will the telemedicine dial back a little bit, in the next year or so? >> I think the general consensus is that it's here to stay. This isn't the first pandemic, it won't be the last and putting the proper technology in place right now, that's available. I mean, this is not something that's years in the making, it's out there. It's just that a lot of companies, weren't quite ready to take the lead, either from an investment standpoint or just doing things the same way and making that paradigm shift. I believe not only are we seeing the significant shift just in this timeframe, but it's going to be here for a long period of time. 
They're going to be certainly people that will want to go back to the old way of visiting the doctor. And as at-home diagnostics become more prevalent, things like a blood pressure monitor or pulse ox monitor, various ways that you can actually take vital readings from your home and have that data transmitted into your EMR, EHR system, that makes it even more sticky. So I believe the time is going to come where we'll take a couple of steps back, but those 10 steps that we've made forward, it's something that the industry has been waiting for for a long time. And now we're going to get there really quickly. >> Yeah, it's fascinating to think, Eric, if this had been 10 years ago, that we would be having a very different conversation. If you would take us in a little bit the learnings that you had, where is NetScout finding that it's helping its clients the most when it comes to the telehealth and telemedicine solutions? >> Well, one of the things that's really gotten us excited at NetScout, we've been in this business of being able to secure and monitor enterprise and service provider networks for the last 35 plus years. NetScout has been in this business to keep the customers' networks alive, keep them healthy, and help them to troubleshoot problems when they occur. So as we look at applying our technology towards this telemedicine experience, it seemed like a perfect fit for us. We can break it down in kind of three categories. First, what happens prior to the experience? We want to make sure that we can maintain a high level of availability for the healthcare organization's network, to make sure that the telehealth software is functional, that the network is robust, that the response times are low. So understanding what that experience is like in advance of the call is probably a little bit of a slam dunk. But we want to make sure that we're always ready and able to handle the load. Second is, and probably most important, is during the call.
Once that patient is talking to the doctor, and they're going through video, audio chat, we want to make sure that the quality of that experience is exceptional. About 10 years ago, NetScout acquired some technology that gave us the insight into how unified communication protocols function, and gave us the ability to measure MOS scores, jitter and loss, even in a secure RTP kind of payload environment. So even with encryption, we can still give you a high understanding of how good that session is to make sure that the patient and doctor are seeing each other, they're hearing each other and it's pristine. Then finally on the back end, what happens after the call. So once the physician and the patient are done, I still need to go see my records and the bill. As I said before, we want to make sure that all the systems that make that happen are up, functional and capable of being used every day. Our ability to monitor these sessions, baseline their performance and triage in the event of an issue helps us to keep EMR systems like Epic and Cerner and McKesson up and running. The billing systems that make things happen. HL7 protocol tying everything together. Giving the patient access to their records, their medical images, et cetera. And the network that makes all this happen, probably already monitored by NetScout as our customers are very loyal and have been for many years. >> Alright, Eric, I'll give you the final word. If customers want to learn more about what you're doing in this space, what would you recommend for them? >> Well, we are very excited about what we're doing with all of these solutions for our customers. First, we published a white paper that you can find at netscout.com. We show up on a telemedicine landing page, you can read all about how NetScout products are being used to help in all of these areas of telemedicine.
Also on the July 21st, at 10:00 am Pacific, we're going to be offering a live webinar, demonstrating how our technology can be used before, during and after a telemedicine call for the customer. >> All right, well, Eric Gray, thank you so much for joining us really important stuff around the telehealth and telemedicine. Really appreciate all the updates. >> Thanks to have a great day. >> All right, and thank you for joining. I'm Stu Miniman, thank you for watching theCUBE. (bright upbeat music)
Hardik Modi, NETSCOUT | RSAC USA 2020
>> Live from San Francisco, it's theCUBE covering RSA Conference 2020, San Francisco. Brought to you by Silicon Angle Media. >> Hey, welcome back here. Ready? Jeff Frick here with theCUBE. We're in downtown San Francisco. It is an absolutely spectacular day outside. I'm not sure why we're inside Moscone. That's where we are. It's the RSAC conference, I think 50,000 people, the biggest security conference in the world, here in Moscone this week. We've been here, wall to wall coverage. We'll be here all the way till Thursday. So thanks for joining us. We're excited to have our next guest. He's got a lot of great data to share, so let's jump into it. It's Hardik Modi. He's VP Engineering, Threat and Mitigation Products for NetScout. Hardik, great to meet you. >> Thank you. Good to be here, too. >> So for people who aren't familiar with NetScout, give them kind of the basic overview. What are you guys all about? >> Yes, and that's what we consider ourselves, the guardians of the connected world. And so our job is to protect, like, you know, companies, enterprises, service providers, anybody who is on the Internet, and help keep their services running, your applications and things you need to deliver to your customers, make sure that it's up there performing, like, you know, the way you want them to, but also kind of give you visibility and protect you against DDoS attacks and other kinds of security threats. That's basically, in a nutshell, what we do as a company and, yeah, we are the guardians of the connected world. >> So I just, from a vendor point of view, I always feel so sorry for buyers in this environment because you walk around, I don't know how many vendors are in here. A lot of big booths, little booths. So how do you kind of help separate, you know, NetScout from the noise? What's your guys' secret sauce? What's your kind of special thing?
Really, it's like 30 years of investment in, like, network based visibility, and we truly believe in the network. Our CEO, he says, like, you know, the network, like, you know, actually, when you monitor the network, it's like taking a blood test. It tells you the truth, right? And it's really like how you find out, like, you know, some things right or wrong. I mean, I actually, for my background too, like network monitoring. There's a lot of what we think of as, like, the endpoint is actually contested territory. That's where the adversary is. When you're on the network and you're monitoring all activity, it really gives you a vantage point. You know, that's really special. So we really focus on the network. Our heritage in the network is one of our key strengths and then, you know, as part of us as a company, like Arbor Networks, which got acquired some years ago, we're very much part of NetScout with our brand of products. Part of that, you know, the Arbor legacy includes huge visibility into what's happening across the Internet and visibility like nobody else, like in terms of the number of service providers and large enterprises who work with us, help us understand what's happening across the landscape. That's like nobody else out here. And that is what we consider a key differentiator. >> Okay, great. So one of the things you guys do a couple of times a year, I understand, is publish a report to give people some information as to what's going on. So we've got version four here, right? NetScout Threat Intelligence Report. So you said this comes out twice a year, twice a year. So what is the latest? Give me some scoop here. >> Hot off the presses, we published last week. Okay, so it's really just a few days old and, you know, our focus here is what happened in the last six months of last year. So that, and then what we do is we compare it against data that we've collected a year prior.
>> So really a few things that we want you to remember, if you're on the right, you know, the first number is 8.4 million. That's the number of DDoS attacks that we saw. This doesn't mean that we've seen every attack, you know, in the world, but that's like, you know, just how many DDoS attacks we saw through the eyes of our customers. That's in this, in six months. The 8.4 number is actually for the entire year, here in an entire year of 2019. There's a little bit of seasonality to it. So if you think of it like a 4.4, maybe something that was the second half of the year. But that's where I want to start. That's just how many DDoS attacks we observed. And so, in the course of the report, what we can do is slice and dice that number, talk about, like, different sizes, like, what are we seeing between zero and 100 gigabits per second, 102 104 100 above, and kind of give you a sense of just what kind of separation there is, who is being targeted, like we had a very broad level, like in some of the verticals and geographies. We kind of lay out this number and give you, like, a lot of context. So if you're in finance and you're in the UK, you want to know, like, hey, what happened? What happened in Europe, for example, in the past 66 months, we have that data, right, and we've got to give you that awareness of what's happening now. The second number I want you to remember is seven. Seven is the number of new attack vectors, reflection application attack vectors, that we observed being used widely in the second half. Seven new, 17 new ones. So that now kind of brings our tally up to 31, like that. We have those listed out in here. We talk about just how much, uh huh, really, just how many of these vectors, how they're used. Also, these, each of these vectors leverage vulnerabilities in devices that are deployed across the Internet. So we kind of laid out, like, you know, just how many of them are out there.
But that's like, you know, that to us seven is reflecting how the adversary is innovating. They're looking for new ways to attack us. They've found 71 last year. They're going to war, right? Right. And that's kind of what we focus on. >> Let's go back to the 8.4. So of those 8.4 million, how many would you declare successful from the attacker point of view? >> Yeah, you know, something that this is always, like, you know, it's difficult to estimate precisely or kind of get within some level of precision. I think that, you know, the adversary is always trying to, of course, they love to deliver a knockout blow and take all your services down, but even, like, every attack inflicts a cost, right, and the cost is whether it's, you know, it's made its way all the way through to the end target. And now, you know, they're using more network and computing resources just to kind of keep their services going while they're under attack. The attack is low, you're still kind of, you're still paying that cost or, you know, the cost is paid upstream by maybe the service provider, somebody who was defending your network for you. So that way, like, you know, there's a cost to every one of these, right? In terms of, like, outages, I should also point out that the attacks that you might think, that this attack is like, you know, hey, you know, there was a specific victim and that victim suffered as a result of it, but in many cases, the adversary is going after people who are providing services to others. So I mean, if a Turkish bank goes down, right, like, you know, it cannot, like, service its customers for a month or maybe even a few hours, right, and you know, the number of victims in this case is fairly broad. Might be one attack, it might be one target, however, like, the impact is fairly, is very large. What's interesting is, it begs a question, kind of, how do you
define success or failure from both the attacker's point of view as well as the defender's? >> Yeah, I mean, and again, like, there's a lot of conversation in the industry about, for every attack, right, any kind of attack, when do I say that, you know what, I was ready for it and, you know, I was fine. I mean, I don't care about, you know, ultimately, there's a cost to each of these things. I'd say that everybody kind of comes at it with their, you know, if you're a bank, then you might go, okay, you know what, if I'm paying a little bit extra to keep the service up and running while the attacker's coming at me, no problem. If my customers aren't able to log in, some subset of my customers aren't able to log in, maybe I can live through that. A large number of my customers can't log in, that's actually a really big problem. And if it's sustained, then you make your way into the media or you're forced to report to the government, like, outages are, like, you know, maybe, you know, you have to go to your board and go, like, sorry, right? Something just happened. >> But are the escalation procedures in the definition of consistency, right? Getting banged all the time, right? And there's something, like you said, there's some disruption at some level before it fires off triggers and remediation. So is there some level of, okay, that's kind of a cost of doing business versus, you know, we caught it at this. They're kind of like escalation points that define kind of very short of a full line. >> I think when we talk to our service provider customers, we talk to the very large kind of critical enterprises, they tend to be more methodical about how they think of, like, okay, you know, degradation of the service right now relative to the attack. I think for a lot of people, it's like in the eyes of the beholder. Here's something, here's an SLA that I missed as a result of the attack, at that point,
like, you know, I have, I certainly have a failure, but, you know, it's up until there is kind of like, okay, you're right. >> In the eyes of the attacker, to delay service at the Turkish bank, because now their teams operate twice, twice the duration per transaction. Is it just holding for ransom? What benefit? It raises a range of motivations. >> It's basically the full range of human nature. There's, they're certainly, like, we still see attacks that are straight vandalism. I just, just because I could, just, I wanted, I wanted to show my friend, like, you know, that I could do this. There's definitely a lot of attacks that are like, you know, hey, I'm a gamer and I'm like, you know, I know that person I'm competing with is coming from this IP address. Let me bombard them with an attack. And you know, there's a huge kind of, it could be a lot of collateral damage along the way because, you know, you think you're going after this one person in their house. But actually, if you're taking out the network upstream and there's a lot of other people that are on that network, like, you know, there's a certain competitive element to it. They're definitely, from time to time, there are extortion campaigns, pay up or we'll do this again, right? In some parts of the world, like in the way we think of it, it's like cost of doing business. It's almost like a business dispute resolution. You better, you know, you better settle my invoice or, like, maybe I'll try and take you out. Crazy. Yeah. >> Yeah, Jeff. I mean, things like, you know, the way we talked about this in previous reports, and it's still true, there's, especially with DDoS, there's what we think of, like, a democratization of the attack tools where you don't have to be technical, right. You don't have to have a lot of knowledge, you know, there are services available.
You know, like here's who I'm going to the market by the booth, so I'd like to go after and, you know, here's my $50 or like a big point equivalent. All right, >>let's jump to >>the seven. We talked about 8.4 and the seven new attack vectors and you outline, You know, I think, uh, the top level themes I took from the summary, right? Weaponizing new attack vectors, leveraging mobile hot spots targeting compromised in point >>about the end points. I o t is >>like all the rage people have mess and five G's just rolling out, which is going to see this huge i o t expansion, especially in industrial and all these connected devices and factories in from that power people. How are people protecting those differently now, as we're getting to this kind of exponential curve of the deployment of all these devices, >>I mean, there are a lot of serious people thinking about how to protect individual devices, but infrastructure and large. So I'm not gonna go like, Hey, it's all bad, right? Is plenty back on it all to be the next number, like 17 and 17 as the number of architectures for which Amir, I mean, I was really popular, like in a bar right from a few years ago. That still exists. But over time, what's happened is people have reported Mirai to different architectures so that, you know, think of it like, you know, if you have your your refrigerator connected to the Internet, it comes. It's coming with a little board, has CPU on it like >>running a little OS >>runs and runs in the West on it. Well, there's a Mirai variant ready for that. Essentially, as new devices are getting deployed like, you know, there's, you know, that's kind of our observation that there's even as new CPUs are introduced, a new chips or even the West they're introduced. There's somebody out there. We're ready to port it to that very now, Like, you know, the next level challenges that these devices, you know, they don't often get upgraded. There's no real. 
In many cases, they're not like, you know, there's very little thought given to really kind of security around it. Right? There are back doors and, like default passwords used on a lot of them. And so you take this combination. I have a whole you know, we talk about, you know, large deployments of devices every year. So you have these large deployments and now, you know, bought is just waiting for ready for it Now again, I will say that it's not. It's not all bad, but there are serious people who were thinking about this and their devices that are deployed on private networks. From the get go, there was a VPN tunnel back to a particular control point that the the commercial vendor operates. I mean, there are things like that, like, hardening that people have done right, So not every device is gonna find its way into a botnet. However, like, you know, you feel like you're getting a toy like Christmas and against $20 you know, and it can connect to the Internet. The odds are nobody's >>thinking not well. The thing we've heard, too, about kind of down the i t and kind of bringing of operations technology and I t is. A lot of those devices weren't developed for upgrades and patches, and Lord knows what Os is running underneath the covers was a single kind of use device. It wasn't really ever going to be connected to the outside world. But now you're connecting with the I t. Suddenly exposing a whole host of issues that were never kind of part of the plan when whoever designed that thing in the first place for sure for sure is crazy. Alright, so that's that. Carpet bombing tactics, increased sector attack, availability. What is there's carpet bomb and carpet bombing generally? What's going on in this space? >>Well, so carpet bombing is a term that we applied a few years ago to a kind of a variation of attack which, like >>traditionally, you know, we see an attack >>against a specific I P address or a specific domain, right? That's that's where that's what I'm targeting. 
Carpet bombing is taking a range of API's and go like, you know, hey, almost like cycling through every single one of them. So you're so if your filters, if your defense is based on Hey, if my one server sees a spike, let me let me block traffic while now you're actually not seeing enough of a spike on an individual I p. But across a range there's a huge you know, there's a lot of traffic that you're gonna be. >>So this is kind of like trips people >>up from time to time, like are we certainly have defensive built for it. But >>now what? We're you know, it's it's really like what we're seeing is the use >>off Muehr, our other known vectors. We're not like, Okay, C l dap is a protocol feel that we see we see attacks, sealed up attacks all the time. Now what we're >>seeing is like C l >>dap with carpet bombing. Now we're seeing, like, even other other reflection application protocols, which the attack isn't like an individual system, but instead the range. And so that's that's what has changed. Way saw a lot of like, you know, TCP kind of reflection attacks, TCP reflection attacks last year. And then and then the novelty was that Now, like okay, alongside that is the technique, right? Carpet bombing technique. That's that's a pipe >>amounts never stops right? Right hard. We're out of time. I give you the final word. One. Where can people go get the information in this report? And more importantly, for people that aren't part of our is a matter that you know kind of observers or they want to be more spark. How should they be thinking about security when this thing is such a rapidly evolving space? >>So let me give you two resource is really quickly. There's this this >>report available Dub dub dub dub dot com slash threat report. That's that's that's what That's where this report is available on Google Next Threat report and you'll find your way there. 
We've also, you know, we made another platform available that gives you more continuous visibility into the landscape. So if you read this and like Okay, what's happening now? Then you would go to what we call Met Scout Cyber Threat Horizon. So that's >>kind of tell you >>what's happening over the horizon. It's not just like, you know, Hey, what's what am I seeing? What are people like me seeing maybe other people other elsewhere in the world scene. So that's like the next dot com slash horizon. Okay, to find >>that. And I think like between those two, resource is you get >>access to all of our visibility and then, you know, really, in terms of like, our focus is not just to drive awareness, but all of this knowledge is being built into our products. So the Net's got like arbor line of products. We're continually innovating and evolving and driving like more intelligence into them, right? That's that's really? How We help protect our customers. Right >>hearted. Thanks for taking a few minutes >>and sharing the story. Thank you. 18 Scary. But I'm glad you said it's not all bad. So that's good. >>Alright, he started. I'm Jeff. You're watching the Cube. We're at the RSA conference 2020 >>Mosconi. Thanks for watching. We'll see you next time. >>Yeah, yeah, yeah.
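The carpet-bombing problem described in the exchange above, as an added example that is not part of the interview or of any NETSCOUT product: a detector that thresholds volume per destination IP misses an attack spread thinly across a whole range, while one that first aggregates by covering prefix catches it. The flow records below are constructed from documentation address ranges, and the thresholds, the single observation window and the /24 aggregation are illustrative assumptions.

```python
"""
Per-destination vs. prefix-aggregated volumetric detection.

Added example, not taken from the interview or any NETSCOUT product.
Flow records are constructed inline; thresholds are illustrative assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Tuple

# Assumed thresholds for one observation window (tune to your own baselines).
PER_IP_THRESHOLD_BYTES = 1_000_000     # 1 MB to any single destination address
PREFIX_THRESHOLD_BYTES = 20_000_000    # 20 MB into any single /24

Flow = Tuple[str, int]  # (destination IP, bytes seen in the window)


def per_ip_detector(flows: Iterable[Flow],
                    threshold: int = PER_IP_THRESHOLD_BYTES) -> List[str]:
    """Classic check: flag each destination whose own volume crosses the threshold."""
    totals: Dict[str, int] = defaultdict(int)
    for dst, nbytes in flows:
        totals[dst] += nbytes
    return sorted(dst for dst, total in totals.items() if total >= threshold)


def prefix_detector(flows: Iterable[Flow], prefixlen: int = 24,
                    threshold: int = PREFIX_THRESHOLD_BYTES) -> List[str]:
    """Carpet-bombing check: sum volume per covering prefix, then threshold."""
    totals: Dict[str, int] = defaultdict(int)
    for dst, nbytes in flows:
        net = ip_network(f"{ip_address(dst)}/{prefixlen}", strict=False)
        totals[str(net)] += nbytes
    return sorted(net for net, total in totals.items() if total >= threshold)


def carpet_bomb_flows(prefix: str, bytes_per_host: int) -> List[Flow]:
    """Constructed attack: the same modest volume sent to every host in the prefix."""
    return [(str(host), bytes_per_host) for host in ip_network(prefix).hosts()]


# Constructed traffic for one window (documentation ranges, not real hosts):
#   BASELINE      - a few ordinary flows into 192.0.2.0/24
#   SINGLE_TARGET - a 5 MB flood of one host, the case the per-IP check catches
#   CARPET_BOMB   - 400 kB to each of the 254 hosts in 198.51.100.0/24
BASELINE: List[Flow] = [("192.0.2.1", 50_000), ("192.0.2.2", 120_000), ("192.0.2.3", 80_000)]
SINGLE_TARGET: List[Flow] = [("203.0.113.10", 5_000_000)]
CARPET_BOMB: List[Flow] = carpet_bomb_flows("198.51.100.0/24", 400_000)


def analyze(flows: List[Flow]) -> Dict[str, List[str]]:
    """Run both checks over one window and report what each would flag."""
    return {"per_ip": per_ip_detector(flows), "per_prefix": prefix_detector(flows)}


if __name__ == "__main__":
    for name, flows in (("baseline", BASELINE), ("single target", SINGLE_TARGET),
                        ("carpet bomb", CARPET_BOMB)):
        print(f"{name:14s} {analyze(flows)}")
    # carpet bomb: per_ip flags nothing (400 kB per host), per_prefix flags 198.51.100.0/24
```

Run as a script, it prints what the two checks flag for each constructed scenario: the single-target flood trips the per-IP check, the carpet bomb trips only the prefix check, and the baseline trips neither. In practice the prefix length and both thresholds come from your own per-prefix baselines, and a prefix alarm then has to be mitigated on the whole range rather than on one address.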
Michael Segal, NETSCOUT Systems & Eric Smith, NETSCOUT Systems | CUBEConversation, January 2020
(upbeat music) >> Narrator: From our studios, in the heart of Silicon Valley, Palo Alto, California. This is a CUBE Conversation. >> Hello and welcome to theCUBE studios, in Palo Alto California, for another CUBE Conversation, where we go in-depth with thought leaders driving innovation across the tech industry. I'm your host, Peter Burris. Anybody that's read any Wikibon research or been a part of any conversation with anybody here at SiliconANGLE, knows we're big believers in the notion of digital business, and digital business transformation. Simply put, the difference between a business and a digital business is the role that data plays in a digital business. Digital businesses use data to change their value propositions, better manage and get greater visibility and utilization out of their assets, and ultimately drive new types of customer experience. That places an enormous burden on the technologies, the digital technologies that have historically been associated with IT, but now are becoming more deeply embedded within the business. And that digital business transformation is catalyzing a whole derivative set of other transformations. Including for example, technology, data centers, security, et cetera. It's a big topic, and to start to parse it and make some sense of it, we're joined by two great guests today- Michael Segal is the area vice-president of strategic alliances at NETSCOUT Systems, and Eric Smith is the senior product line manager of NETSCOUT Systems. Gentlemen, welcome to theCUBE. >> Pleasure to be here, Peter. >> Okay, so, Michael let's get going on. Give us a quick update on NETSCOUT Systems. >> Yeah, so maybe just a quick introduction of what NETSCOUT actually does. So, NETSCOUT assures service performance and security for the largest enterprises and service providers in the world. And the way we accomplish it is through what we refer to as offering visibility without borders. 
Now, this visibility without borders provides actionable intelligence that enables, very quickly and efficiently to enterprises and service providers, ensure their service performance and security, understand, discover problems, root cause, and solution. So it overall reduces their mean time to repair, and it's being used to assure that digital transformation and other transformation initiatives are executed effectively by the IT organization. >> All right, so let's jump in to this notion of transformation. Now, I know that you and I have spent, on a couple different occasions, talked about the idea of digital business transformation. What does digital business transformation mean to NETSCOUT, and some of the other derivative transformations that are associated with it? >> Right, so as you described very very concisely in your introduction, the business transformation is about enabling the business through digital services and data to differentiate itself from competition very very effectively. Now, one of the aspects of this digital transformation is that now more than ever before, the CIOs are taking a very active role in this transformation because obviously, information technology is responsible for digital services and processing and analyzing data. So with that in mind, the CIOs now need to support the business aspects of agility, right? So if your business agility involves introducing new services very quickly and efficiently, the IT organization needs to support that, and at the same time, they also need to assure that the employee productivity and end user experience is maintained at the highest levels possible. So this is exactly where NETSCOUT comes in, and we support the IT organization by providing this visibility without borders, to assure that employee productivity and end user experience is maintained and any issues are resolved very quickly and efficiently. 
>> Especially customer experience, and that's increasingly the most important, end users that any digital business has to deal with. At this point in time Eric, I want to bring you in to the conversation. When we talk about this notion of greater visibility, greater security, over digital assets, and the role that the CIO is playing, that also suggests that there is a new class of roles for architects, for people who have historically been associated more with running the networks, running the systems, how is their role changing, and how is that part of the whole concept of data centered transformation? >> Right, so, the guys that have typically been in what you might consider network operations types of roles, their roles are evolving as well, as the entire organization does. So as Michael mentioned beforehand, no longer is the digital business wholly and solely confined to an IT department that is working just with their employees. They're now part of the business. They're not just the cost center anymore, they're actually an asset to the business. And they are supporting lines of business. So the folks that have traditionally had these roles have just maintained the network, maintained the applications, are having to become experts in other aspects. So as certain applications disaggregate, or potentially move out partially into the cloud, they kind of become cloud architects as well, whether it's a public cloud or a private cloud, they have to understand those relationships and they have to understand what happens when you spread your network out beyond your traditional data center core. >> So let's build on that, because that suggests that the ultimate solution for how we move forward has to accommodate greater visibility, end-to-end, across resources, not only that we have traditionally controlled, and therefore could decide how much visibility we had, if the tooling was right, but also resources that are outside of our direct purview. 
How does that work as we think about building this end to end visibility to improve the overall productivity and capability, as you said, the productivity and end user experience, of the systems we're deploying? >> Yeah, so maybe we can start with the end in mind, and what I mean by that is what you just described as end user productivity and user experience, so how do we measure it, right? So in order to measure it, what we need to look is the visibility at the service level. And what I mean by visibility at the service level is actually looking, not just at once specific component that is associated with the servers such as application, it's one component, however application is running on a network, you have service enablers, for example to authenticate, to do accounting, to do DNS resolution, so you need to look at all of these components of a service and be able to effectively provide visibility across all of them. Now, the other aspect of this visibility, as you mentioned, end-to-end, which is an excellent observation as well, because you're looking at the data center, which is still very strategic assets, your crown jewels are still going to be in the data center, some of the data will remain there, but now you are expanding to the edge, maybe colos, maybe microdata centers in the colos, then you move workloads, migrate them to public clouds, it can be IaaS, you have more SaaS providers that provide you with different services. So this aspect of end-to-end really evolves into geographically dispersed, very complex and highly scalable architecture. >> Yeah, we like to say that the cloud is not an architecture, not a strategy, for centralizing resources. Rather, it's a strategy for greater distributing resources, allowing data to be where it needs to be to perform the function, or where it gets captured, allowing the service to be able to go to the data, to be able to perform the work that needs to be conducted from a digital business standpoint. 
That suggests that even though a customer, let's call it the end user, and the end user experience, may get a richer set of capabilities, but the way by which that work is being performed gets increasingly complex, and partly, it sounds like, that it's complexity that has to be administered and monitored so that you don't increase the time required to understand the nature of a problem, understand the nature of the fix. Have I got that right? >> You got it absolutely right, and I would add to this that the complexity that you described is being further magnified by the fact that you lose control to some extent, as you mentioned before, right? >> Or because, let's put it this way, it becomes a contracting challenge as opposed to a command and control challenge. Now the CIO can't tell Mike, "Go fix it", the CIO has to get on the phone with a public cloud provider and say, our service level says, and that's a different type of interaction. >> Right, and usually the service provider would say, the problem is not on my side, it's on your side, so the traditional finger pointing in war rooms now, is being expanded across multiple service providers, and you need to be able to very effectively and quickly identify this is the root cause, this is why it's your fault, service provider, it's not our fault, please go and fix it. >> So let's dig into that if we can, Eric, this notion of having greater visibility so that you are in a better position to actually identify the characteristics of the problem, and where the responsibilities lie. How is that working? >> So, in the past, or when the digital transformation started it's initial rise, it wasn't. And what was happening is, as you both have alluded to a moment ago, I can no longer call Mike and Suzie downstairs, and say you know, voicemail is not working, things are just, not working. Well, you can go sic them on it and they go fix it. 
What's happening now is that data is leaving your data center, it may be going through something like a colo, which is aggregating the data, and then sending it on to your partner, that is providing these services. So what you have to have is a way to regain that visibility into those last mile segments, if you will, so that as you work with your partners, whether it's the colo or the in-software provider, that you can say look, I can see things from here, I can see things to there, and here's where it goes south, and this is the problem, help me fix it. And so, as you said a moment ago, you cannot let your mean time to resolution expand simply because you're engaging in these digital transformation activities. You need to remain at least as good as you did before, and hopefully better. >> Well, you have to be better, because your business is becoming more dependent on your digital business capabilities, increasingly it's becoming your business. So let me again dig a little more deeper technically into that. A lot of companies are attempting to essentially provide a summary view of that data, that's moving around a network, moving across these different centers and locations, edge, colo, et cetera, what is the right way to do it? What constitutes real truth when we talk about how these systems are going to work? >> So NETSCOUT believes, and I think most people wouldn't argue with us, that when you can actually see the packet data that goes across the network, you know what elements are talking to which ones, and you can see that, and you can build metrics, and you can build views upon that, that is very high fidelity data, and you absolutely know what's going on. We like to call it the single source of truth. 
So as things come from the deep part of the data center, whether it's a virtualized server farm, all the way through this core of the network, and your service enablers like Michael mentioned, all the through the colos, and out into an IAS or SaaS type of environment, if you're seeing what's actually being on the wire, and who's talking to whom, you know what's going on, and you can quickly triage and identify what the problem is so that you can solve it. >> Now is that something that increasingly architects or administrators are exploiting as they use these new classes of tools to gain that visibility into how the different services are working together? And also, is that becoming a feature of how SLAs and contracts are being written, so that we can short circuit the finger pointing with our service providers? >> Yeah, so there's kind of like you said, two parts that, the first is I think, a lot of the traditional IT operations folks, as you mentioned earlier, are learning new roles, so to some degree, it is new for them, and I don't know that everybody has started to make use of those tools yet, but that's part of what our story is to them, is that we can provide those tools for you, so that you can continue to isolate and solve these problems. And I'm sorry, what was the second part of your question? >> Well, the second part is, how does that translate into contracting? Does that knowledge about where things actually work inform a contracting process to reduce the amount of finger pointing, which by the way, is a major transaction cost and a major barrier to getting things done quickly. >> Absolutely, and so you since you have this high fidelity data at every step of the way, and you can see what's happening, you can prove to your partners where the problem lies. If I find it on my side of it, okay, no harm no foul, I'll go fix it and move on with my life. 
But with that data, with that high fidelity data, and being able to see all the transactions and all the applications, and all the communications that happens end-to-end, through the network between me and my partner, I can show them that they are outside of their SLA. And to your point, it should shorten the time between the finger pointing, because I have good data that says, this is the problem. You can't dispute that. And so, they're much more inclined to work with you in a hopefully, very good way, to fix the problem. >> So that brings us back to the CIO. And I want to close with you on this, Michael. That's got to make a CIO happier, who is today facing a lot of business change, and is trying to provide a lot, you said agility, I'll use the word an increasing array of business and strategy options based on digital technology. Ensuring that they have greater certainty in the nature of the services, the provider of the services, and in the service levels of the services, has got to be an essential feature of their decision making toolkit as they provide business with different ranges of options, right? >> Absolutely correct. In fact, the high fidelity data is so critical in order to accomplish this, right, so in order for the CIO to be able to demonstrate to the CEO and other key executives that his objectives are met, the KPIs for that are along the lines of your efficiency, your service delivery capabilities, and being able to monitor everything in real time. So, the high fidelity data, I just want to elaborate a little bit more on what it means, because that's the difference between having these key performance indicators that are relevant for the CIO, and relevant also for other key stakeholders, and having something that is best guess, and maybe it's going to help. So high fidelity data, the way that NETSCOUT defines it, has several components. 
First of all, because it's based on traffic, or packet data, or wire data, it means that we continuously monitor the data, continuously analyze it, and it's the single source of truth because there's consistency in terms of what data is being exchanged. So the more visibility you get into the data that's being exchanged between different workloads, the more intelligence you can glean from it. The other aspect is that it's really, we mentioned, the service level, and if you think of packet data, it's all layers two through seven, so you have the data link layer, you have the network, you have the transport, you have the session, you have application, you can holistically identify any application, and provide you with error codes and in context, say you know the log and latency and error codes give you the overall picture. So this all together constitutes very high fidelity data. And at the end of the day, if the CIO wants to accelerate the digital transformation with confidence, this is the kind of high fidelity data that you need in order to assure that your key performance indicators, as CIO, are being maintained. >> This is the as is truth. >> Exactly. >> All right, Michael Segal, Eric Smith, I want to thank you both for being on theCUBE. >> Thank you for having me. >> Thank you very much Peter, for having us. >> And thanks for joining us for another CUBE Conversation. I'm Peter Burris, see you next time. (upbeat music)
Thor Wallace, NETSCOUT | CUBEConversation, January 2020
[Music]

>> Peter Burris: Hi, I'm Peter Burris, and welcome to another Cube Conversation, where we go in depth with thought leaders from around the industry to bring you the best ideas and insights about how to improve your business with technology. One of the many things that CIOs and business leaders have to think about is how they are going to execute digital transformations: what will be the priorities? We all know the relationship between digital transformation and the use of data differently, but different technologies assert themselves in different ways, and, very importantly, different relationships, especially with cloud vendors, assert themselves in different ways. That's one of the many challenges that CIOs have to deal with today: serve the business better, attend to those relationships, and drive the company forward to achieve its ultimate outcomes and objectives. So to have that conversation today we've got a great guest. Thor Wallace is the senior vice president and CIO at NetScout. Thor, welcome to theCUBE.

>> Thor Wallace: Thank you.

>> Peter Burris: So tell us a little bit about what the CIO at NetScout does.

>> Thor Wallace: Sure. So let me start by telling you a little bit about NetScout. NetScout is a network monitoring and a service assurance company. As the CIO, I'm obviously responsible for providing the tools and the environment for running the company. I'm also heavily involved in, for example, understanding the applications and the business direction that we're taking. We're also working on improving our customer relationships and experiences; for example, we have a customer portal that we're sort of re-evaluating and sort of improving. And we're also obviously trying to drive user productivity worldwide. Very briefly, we have about 33 locations worldwide. We're headquartered here, outside of Boston, and have large offices both in Texas and California.

>> Peter Burris: So you're a traditional supplier of technology services that's trying to make a transition to this new world, and as part of that NetScout itself is going through a digital transformation so that it can better support its customers' digital transformations. I got that right?

>> Thor Wallace: Exactly. So let me tell you a little bit about sort of what we're trying to achieve, what some of the whys are, and sort of show where we are at this moment. So, you know, we as a company are being challenged by the same sort of environment that everyone else is being challenged with, which is to be able to move as quickly as we can and provide as much of an impact for our customers as possible. So how I've read that sort of mandate and that remit is to really focus on improving our customer experience. As I said, you know, working with a new sort of new platform; we're re-platforming and refactoring our customer service application, but also really focusing on how best to improve user productivity. So those are the areas that we've been focusing on. Driving IT productivity is important to me, so that's a fairly substantial argument for moving operations to the cloud. And part of that is transforming sort of a hardware-based environment to much more of a virtualized and software-based environment. So that includes cloud, that includes virtualization, which we've obviously taken a lot of ground on. For example, what we've already done is virtualized all of our operations in the data center. Over the years we've also moved a lot of workloads to cloud. We're, you know, cloud agnostic, but, you know, we have a fairly large environment with salesforce.com, we use Office 365, which are obviously major applications on the cloud. So we have a workload that's quite mixed. Today we maintain on-prem data centers; we have a large engineering footprint as well. So we kind of live in all of the worlds: we live obviously on-prem, we have cloud. And one of the things that I think we've learned over the years is that in order to continue the journey of cloud we need to really worry about a couple of things. One is we want to make sure that we keep our operations in an excellent place, and I can talk more about that in a few minutes. And, as I said, we want to continue to maintain our ability to execute, and really what I call velocity, to be able to add value. And so cloud actually presents some of those opportunities for us, but it also obviously makes things quite complicated in that we have multiple environments. We have to make sure that people still get the services and the applications they need to do their job, and provide those, you know, in a very productive way, in a cost-effective way, so that we can maintain that as an IT organization.

>> Peter Burris: So you've got salesforce.com, you've got Office 365, you've got some other objectives to move some other applications up into the cloud. Each of those applications, though, has been historically associated with a general-purpose network that you get to control, so that you can give different quality of service to different classes of workload or applications. How is that changing, and what pressures is that putting on your network as you move to more cloud-based operations?

>> Thor Wallace: Well, I think that's a huge challenge for us, and I think frankly for most people. I think you have to rethink how your network is designed, fundamentally, from the ground up. If you think about networks in the past, you know, in mainly an on-prem world, you basically had to backhaul a lot of traffic. In our case, 33 locations worldwide, a lot of backhauling of services and transactions back to wherever that application exists. So for example, historically we've had Office, excuse me, the Microsoft mail system, or Exchange, on-prem; we have, you know, other services that are on-prem, for example Oracle and our ERP system, etc. And the challenge was to move all that traffic back to basically our core data center. As you move to the cloud you have an opportunity to actually rethink that. So what we've been in the process of doing over the last, say, year has been to redesign our network from the ground up, moving away from sort of the central monolithic network to more of a cloud-slash-edge-based network. With that we've also moved from hardware, basically a fairly heavy investment in hardware in each of the offices, for example, and we're now, or we've actually, very far along in the process of converting all that hardware into a software-defined network that allows us to do some things that we have never been able to do operationally. For example, we can make deployments sort of from one central location worldwide, both for security and patching, etc. And so what we've also done is, we've moved, as I said, a lot of our workloads already into the cloud, and we continue to put more on the cloud. One of the things that's become important is we've got to maintain, and create actually, a low-latency environment. So for example, ultimately putting our, you know, unified communication systems and technologies in the cloud, to me, is meaningless without having a low-latency environment and a low-latency network, so that we can actually provide dial tone worldwide without worrying about performance. So what we've already done is we've transitioned from the centralized network into an edge-based network. We've actually now got a partner, and we are putting services into a local presence that we have worldwide, into three Equinix locations. With that comes the software-based network, and it allows us to move traffic directly to the edge, and therefore once we're at the edge we can go very quickly, at sort of backbone speeds, into whatever cloud service we need, whether it's Azure, AWS or Salesforce or any other provider, Office 365. We can get that sort of speed and low latency. That has created a new environment for us which is now virtual, software-based, and gives us a tremendous amount of flexibility. Moving what I consider fairly heavy and significant workloads that remain on-prem, it gives us the option of moving that to the cloud. And with that, one of the key things that comes with that is making sure that we can hold our vendors very accountable for performance. So for example, if we experience an issue with Office 365 performance, whether it's in Pune or Westford or wherever it is, we want to be able to make sure that we have the information and the data that says to Microsoft, in this case, hey, you know, actually the performance isn't great from wherever those users are, wherever that office is. So we want to provide them information, and to basically prove that our network, or our internal capabilities and network, are performing very well, but maybe there's an issue with something and performance on their side. So without this sort of fact-based information it's really hard to have those discussions with vendors. So one of the things I think is important for everyone to consider when you move more to a cloud is you've got to have the ability to troubleshoot and make sure that you can actually maintain a very complicated environment. So one of the things we have done, and we continue to do, is use our own products, actually, to give greater visibility than we've ever had before in this new sort of multi-cloud, multi-prem environment. Which is a very powerful thing for us, and the team that is using this technology is sort of seeing visibility, things that they've never really been able to see before. So that's been quite exciting, but I think that's sort of, frankly, table stakes moving forward into, you know, a deeper, more cloud, or sort of workload-independent model that we're seeking.

>> Peter Burris: Well, so, I'm going to build on this, because I have conversations like this all the time, and I don't think people realize the degree to which some of these changes are really going to change the way that they actually get work done when there's a problem. You have control of the network and the application and the endpoints. If there is an issue, you can turn to someone who works for you and say, here's the deal, fix this, or I'll find somebody else that can fix it. So you have an employment-based, almost, model of coercion: you can get people to do what you want to do. But when you move into the cloud you find yourself having to use a contracting approach to actually get crucial things done. And problems crop up either way; it doesn't matter if you own it all or somebody else owns it all, you're going to encounter problems. And so you have to accelerate and diminish the amount of back-and-forth haggling that goes on, and as you said, the best way to do that is to have fact-based, evidence-based visibility into what's actually happening, so that you can pinpoint and avoid the back-and-forth about whose issue it really is.

>> Thor Wallace: Exactly. I mean, there's so much, you know, at the end of the day IT is still responsible for user productivity. So whether somebody's having, you know, an application issue in terms of availability, or frankly if it's not performing up to what it should be, you're still accountable as an organization, regardless of where the workloads are. It could be, as you point out, you know, back in the day you could always go to your data center and do a lot of investigation and really do a lot of troubleshooting within the four walls. Today you just don't have that visibility, you don't have that luxury, call it. And so it's a whole new world, and, you know, we all are relying increasingly on vendors, which means a contracting style, which, you know, presents an issue. And, you know, sort of having these conversations with a vendor or contractor, regardless of your relationship with them, you're still, again, on the hook for doing this. So you've got to have some facts, you've got to have some story you have to show in terms of, hey, you know, we're good on this side, you know, the issue really is on you. And we've actually had situations, whether it was performance issues or service interruptions or bugs from different vendors, where they've impacted, you know, the NetScout organization, and without, you know, deep understanding of what's going on you really don't have anywhere to go. You really have to have this sort of greater visibility, and this is one of the things that, you know, is a lesson learned, at least from the journey that we're taking. And so I think that's part of the story of the cloud and sort of migration and virtualization story: you really have to have this newfound visibility. So I think that's been, you know, really important for us.

>> Peter Burris: So I'm gonna see if I can't generalize that a little bit, because I think it's a great point. As you go into a network redesign to support excellent operations in a cloud, you have to also go into a sourcing and information redesign, so that you can be assured that you're getting the information you need to sustain the degree of control, or approximate the control, that you had before. Otherwise you've got great technology but no way to deal with problems when they arise.

>> Thor Wallace: Right, exactly. And, you know, as I said, we've seen this movie, and without having what we have I think we would have struggled as an organization, actually, to resolve the issue. And that's not good for the company, because, you know, IT, part of the mandate and the remit for us is to make sure that people are as productive as they can be. And so not having the ability to provide that environment is actually a huge problem for, I think, a lot of people. And one of the ways we are working with it is to, you know, have that sort of visibility. It also means upgrading the team's skills, which we've done a lot of work on. So you take folks that were in IT that, you know, may have had a certain set of skills sort of in the on-prem environment, call it; those skills are quite different in the sort of cloud or the mixed environment. So I think upskilling, you know, having more information, better information, is really part of the story that we're learning.

>> Peter Burris: And that part of it, at the end of the day, it's not about upgrading the network, it's about upgrading the network capability.

>> Thor Wallace: Exactly, yeah.

>> Peter Burris: And you can't do that, especially in the new world, if you don't upgrade your ability to get information about how the whole thing is working together.

>> Thor Wallace: Exactly.

>> Peter Burris: All right. Thor Wallace, senior vice president and CIO at NetScout, thanks very much for being on theCUBE.

>> Thor Wallace: Thank you.

>> Peter Burris: And once again I want to thank you for participating in today's conversation. Until next time.
Michael Segal, NETSCOUT Systems | CUBEConversation, November 2019
(upbeat music)

>> Announcer: From our studios in the heart of Silicon Valley, Palo Alto, California, this is a Cube Conversation.

>> Peter Burris: Hello and welcome to theCUBE studios in Palo Alto, California for another Cube Conversation, where we go in depth with thought leaders driving innovation across the tech industry. I'm your host, Peter Burris. Michael Segal is the product manager, or Area Vice President of Strategic Alliances, at NetScout Systems. Michael, we are sitting here in theCUBE studios in Palo Alto in November of 2019; re:Invent 2019 is right around the corner. NetScout and AWS are looking to do some interesting things. Why don't you give us an update on what's happening?

>> Michael Segal: Yeah, just a very brief introduction of what NetScout actually does. So, NetScout assures service, performance and security for the largest enterprises and service providers in the world. We do it through something we refer to as visibility without borders, by providing the actionable intelligence necessary to very quickly identify the root cause of either performance or security issues. So with that, NetScout is partnering very closely with AWS. We are an Advanced Technology Partner, which is the highest tier of partnership for ISVs. This enables us to partner with AWS on a wide range of activities, including technology alignment with the roadmap, and participating in different launch activities of new functionality from AWS. It enables us to have go-to-market activities together, focusing on key campaigns that are relevant for both AWS and NetScout. And it enables us also to collaborate on sales initiatives. So, with this wide range of activities, what we can offer is a win-win-win situation for our customers, for AWS, and for NetScout. So, from the customers' perspective, beyond the fact that the NetScout offering is available in AWS Marketplace, now this visibility without borders that I mentioned helps our customers to navigate through their digital transformation journey and migrate to AWS more effectively. From AWS's perspective, the win is that their resources are now consumed by the largest enterprises in the world, so it accelerates the consumption of compute, storage, networking and database resources in AWS. And for NetScout, this is strategically important because now NetScout is becoming a strategic partner to our large enterprise customers as they navigate their digital transformation journey. So that's why it's really important for us to collaborate very, very efficiently with AWS. It's important to our customers, and it's important to AWS.

>> Peter Burris: And you're going to be at re:Invent. You're actually going to be speaking, as I understand. What are you going to be talking about?

>> Michael Segal: So we are going to be talking about best practices for migrating to AWS. NetScout is also a platinum sponsor of the re:Invent show. This demonstrates our commitment to AWS, and the fact that we want to collaborate and partner with them very, very efficiently. And beyond that also, NetScout partnered with AWS on the launch of what is referred to as Amazon VPC Traffic Mirroring. This functionality enables us to acquire traffic data and packet data very efficiently in AWS. And it's part of the technology alignment that we have with AWS, and demonstrates how we utilize this technology alignment to extend NetScout visibility without borders to the AWS cloud.

>> Peter Burris: There's no reason to make the AWS cloud a border.

>> Michael Segal: Exactly.

>> Peter Burris: Michael Segal, NetScout Systems. Thanks very much for being on theCUBE.

>> Michael Segal: Thank you for having me.

>> Peter Burris: And, once again, we'd like to thank you for joining us for another Cube Conversation. Until next time.

(upbeat music)
Darren Anstee, NETSCOUT | CUBEConversation, November 2019
>> Announcer: From the SiliconANGLE Media office in Boston, Massachusetts, it's theCUBE. Now here's your host, Dave Vellante.

>> Dave Vellante: Hello everyone, and welcome to this Cube Conversation. Today we're gonna dig into the challenges of defending against distributed denial of service, or DDoS, attacks. We're gonna look at what DDoS attacks are, why they occur, and how defense techniques have evolved over time. And with me to discuss these issues is Darren Anstee; he's the CTO of security at NetScout. Darren, good to see you again. Can you tell me about your role? You're CTO of security, so you've got CTOs specific to the different areas of your business?

>> Darren Anstee: Yeah, so I work within the broader CTO office at NetScout, and we really act as a bridge between customers, engineering teams, our product management and the broader market. We're all about making sure that our strategy aligns with that of our customers, that we're delivering what they need and when they need it. And we're really about thought leadership, so looking at the unique technologies and capabilities that NetScout has and how we can pull those things together to deliver new value propositions, new capabilities that can move our customers' businesses forward, and obviously taking us with them.

>> Dave Vellante: Great. So let's get into it. I mean, everybody hears of DDoS attacks, but specifically, you know, what are they? Why do they occur? What's the motivation behind the bad guys hitting us?

>> Darren Anstee: So a distributed denial of service attack is simply when an attacker is looking to consume some or all of the resources that are assigned to a network service or application, so that a genuine user can't get through: so that you can't get to that website, so that your network is full of traffic, so that firewall is no longer forwarding packets. That's fundamentally what a DDoS attack is all about. In terms of the motivations behind them, they are many and varied. There's a wide, wide range of motivations behind the DDoS activity that we see going on out there today, everything from cybercrime, where people are holding people to ransom, so "I will take your website down unless you pay me, you know, X Bitcoin," from ideological disputes through to nation-state attacks. And then of course you get, you know, things like students in higher educational establishments targeting online coursework submission and testing systems because they simply, you know, don't want to do the work. Fundamentally, the issue you have around the motivations today is that it's so easy for anyone to get access to fairly sophisticated attack capabilities that anyone can launch an attack for pretty much any reason, and that means that pretty much anyone can be targeted.

>> Dave Vellante: Okay, so you've got to be ready. So are there different types of attacks? I guess so, right? It used to be denial of service, now it's distributed denial of service. But what are the different types of attacks?

>> Darren Anstee: So the three main categories of distributed denial of service attack are what we call volumetric attacks, state exhaustion attacks, and application-layer attacks. And you can kind of think of them around the different aspects of our infrastructure, or the infrastructure of an organization, that get targeted. So volumetric attacks are all about saturating Internet connectivity, filling up the pipe, as it were. State exhaustion attacks are all about exhausting the state tables in specific pieces of infrastructure, so if you think about load balancers and firewalls, they maintain state on the traffic that they're forwarding; if you can fill those tables up, they stop doing their job and you can't get through them. And then you have the application-layer attacks, which, as their name would suggest, is simply an attacker targeting a service at the application layer, so for example flooding a website with requests for a download, something like that, so that a genuine user can't get through.

>> Dave Vellante: Presumably some of those attacks, for the infiltrators, some of them are probably easier, have a lower bar than others. Is that right, or are they pretty much all the same level of sophistication?

>> Darren Anstee: In terms of the attacks themselves there's big differences in the sophistication of the attack. In terms of launching the attack, it's really easy now. So a lot of the attack tools that are out there today are fully weaponized, so you click a button, it launches multiple attack vectors at a target; some of them will even rotate those attack vectors to make it harder for you to deal with the attack. And then you have the DDoS-for-hire services that will do all of this for you as, effectively, a managed service. So there's a whole economy around this stuff.

>> Dave Vellante: So, a common challenge in security: very low barriers to entry. How have these attacks changed over time?

>> Darren Anstee: So DDoS is nothing new. It's been around for over 20 years, and it has changed significantly over that time period, as you would expect with anything in technology. If you go back 20 years, a DDoS attack of a couple of gigabits a second would be considered very, very large. Last year we obviously saw DDoS attacks break the terabit barrier, so, you know, that's an awful lot of traffic. If we look in a more focused way at what's changed over the last 18 months, I think there's a couple of things that are worth highlighting. Firstly, we've seen the numbers of what we would consider to be mid-sized attacks really grow very quickly over the last 12 months. Mid-sized to us is between 100 and 400 gigabits per second, so we're still talking about very significant traffic volumes that can do a lot of damage, you know, saturate the Internet connectivity of pretty much any enterprise out there. Between 2018 and 2019, looking at the two first halves respectively, you're looking at about seven hundred and seventy-six percent growth. So there are literally thousands of these attacks going on out there now in that hundred to four hundred gig band, and that's changing the way that network operators are thinking about dealing with them. The second thing that's changed is in the complexity of attacks. Now, I've already mentioned this a little bit, but there are now a lot of attack tools out there that completely automate the rotation of attack vectors during an attack, so changing the way the attack works periodically, every few minutes or every few seconds. And they do that because it makes it harder to mitigate; it makes it more likely that they'll succeed in their goal. And then the third thing that I suppose has changed is simply the breadth of devices and protocols that are being used to launch attacks. So we all remember in 2016 when Dyn was attacked and we started hearing about IoT and Mirai and things like that, that CCTV and DVR devices were being used. Since then, a much broader range of device types are being targeted, compromised, subsumed into botnets and used to generate DDoS attacks. And we're also seeing them use a much wider range of protocols within those DDoS attacks. So there's a technique called reflection amplification, which has been behind many of the largest DDoS attacks over the last 15 years or so. Traditionally it used a fairly narrow band of protocols; over the last year or so we've seen attackers researching and then weaponizing a new range of protocols, expanding their capability, getting around existing defenses. So there's a lot changing out there.

>> Dave Vellante: So you're talking about mitigation. How do you mitigate, how do you defend against these attacks?

>> Darren Anstee: So that's changing, actually. If you look at the way that the service provider world used to deal with DDoS, predominantly what you would find is they would be investing in intelligent DDoS mitigation systems such as the Arbor TMS, and they'd be deploying those solutions into their primary peering locations, potentially into centralized data centers. And then when they detected an attack, using our Sightline platform, they would identify where it was coming in, they'd identify the target of the attack, and they'd divert the traffic across their network to those TMS locations, inspect the traffic, clean away the bad, forward on the good: protect the customer, protect the infrastructure, protect the service. What's happening now is that the shape of service provider networks is changing. So if we look at the way that content used to be distributed in service providers, they'd pull it in centrally, push it out to their customers. If we look at the way that value-added service infrastructure used to be deployed, it was very similar: they'd deploy it centrally and then serve the customer. All of that is starting to push out to the edge now. Content's coming in in many more locations, nearer to where it is delivered; value-added service infrastructure is being pushed into virtual network functions at the edge of the network. And that means that operators are not engineering the core of their networks in the same way, to move DDoS attack traffic across their network so that they can then inspect and discard it; they want to be doing things right at the edge. And they want to be doing things at the edge combining together the capabilities of their router and switch infrastructure, which they've already invested in, with the intelligent DDoS mitigation capabilities of something like an Arbor TMS. And they're looking for solutions that really orchestrate those combinations of mitigation mechanisms to deal with attacks as efficiently and effectively as possible, and that's very much where we're going with the Sightline with Sentinel products.

>> Dave Vellante: Okay, and we're gonna get into that. You mentioned service providers. Do enterprises do it the same way, and what's different?

>> Darren Anstee: So some enterprises are approaching it in exactly the same way. So your larger-scale enterprises that have networks that look a bit like those of service providers are very much looking to use their router and switch infrastructure, very much looking for a fully automated, orchestrated attack response that leverages all capabilities within a given network, with full reporting, all of those kinds of things. For other enterprises, hybrid DDoS defense has always been seen as the best practice, which is really this combination of a service provider or cloud-based service to deal with high-volume attacks that would simply saturate connectivity, with an on-prem, or virtually on-prem, capability that has a much more focused view of that enterprise's traffic, that can look at what's going on around the applications, potentially decrypt traffic for those applications, so that you can find those more stealthy, more sophisticated attacks and deal with them very proactively.

>> Dave Vellante: Do you, you know, a lot of times companies don't want to collaborate because they're competitors, but security is somewhat different. Are you finding that service providers, or maybe even large organizations, but not financial services, are they collaborating and sharing information?

>> Darren Anstee: They're starting to. So with the scale of DDoS now, especially in terms of the size of the attacks and the frequency of the attacks, we are starting to see, I suppose, two areas where there's collaboration. Firstly, you're seeing groups of organizations who are looking to offer services in a unified way to a customer outside of their normal reach. So, you know, service provider A has reach in region A, service provider B in region B, C in region C; they're looking to offer a unified service to a customer that has offices in all of those regions, so they need to collaborate in order to offer that unified service. So that's one driver for collaboration. Another one is where you see large service providers who have multiple kinds of satellite operating companies. So, you know, you think of some of the big brands that are out there in the service provider world: they have networks in lots of parts of the world, then they have other networks that join those networks together, and they would very much like to share information, kind of, within that. The challenge has always been, well, there are really two challenges to sharing information to deal with DDoS. Firstly there's a trust challenge: so if I'm going to tell you about a DDoS attack, are you simply going to start doing something with that information that might potentially drop traffic for a customer, that might impact your network in some way? That's one challenge. The second challenge is in visibility: if I tell you about something, how do you tell me what you actually did? How do I find out what actually happened? How do I tell my customer that I might be defending what happened overall? So one of the things that we're doing in Sightline with Sentinel is we're building in a new smart signaling mechanism where our customers will be able to cooperate with each other. They'll be able to share information safely between one another, and they'll be able to get feedback from one another on what actually happened, what traffic was forwarded, what traffic was dropped.

>> Dave Vellante: That's critical, because you've mentioned the first challenge: you've got the balance of, okay, business disruption versus protecting. And the second is, hey, something's going wrong, I don't really know what it is; well, that's not really very helpful. Well, let's get more into the Arbor platform and talk about how you guys are helping solve this problem.

>> Darren Anstee: Okay, so Sightline, the Arbor Sightline platform, has been the market-leading DDoS detection and mitigation solution for network operators for well over the last decade. Obviously we were acquired by NetScout back in 2015, and what we've really been looking at is how we can integrate the two sets of technologies to deliver a real step change in capability to the market. And that's really what we're doing with the Sightline with Sentinel product. Sightline with Sentinel integrates NetScout and Arbor technology. So Arbor has traditionally provided our customers, our Sightline customers, with visibility of what's happening across their networks at layer 3 and 4, so very much a network focus. NetScout has Smart Data technology. Smart Data technology is effectively about acquiring packet data in pretty much any environment, whether we're talking physical, virtual, container, public or private cloud, and turning those packets into metadata, into what we call smart data. What we're doing in Sightline with Sentinel is combining packet and flow data together, so you can think of it as kind of like colorizing a black-and-white photo. So if you think about the picture we used to have in Sightline as being black and white, we add this Smart Data and suddenly we've colorized it. When you look at that picture you can see more, you can engage with it more, you understand more about what was going on. We're moving our visibility from the network layer up to the service layer, and that will allow our customers to optimize the way that they deliver content across their networks. It will allow them to understand what kinds of services their customers are accessing across their network, so that they can optimize their value-added service portfolios, drive additional revenue. They'll be able to detect a broader range of threats, things like botnet monitoring, that kind of thing, and they'll also be able to report on distributed denial of service attacks in a very different way. If you look at the way in which much of the reporting that happens out there today is designed, it's very much network layer: how many bits are forwarded, how many packets are dropped. When you're trying to explain to an end customer the value of the service that you offer, that's a bit kind of vague. What they want to know is, how did my service perform, how is my service protected? And by bringing in that service-layer visibility we can do that. And that whole smarter visibility angle will drive a new intelligent automation engine, which will really look at any attack and then provide a fully automated, orchestrated attack response using all of the capabilities within a given network, even outside a given network using the smart signaling mechanism, whilst delivering a full suite of reporting on what's going on. So that you're relying on the solution to deal with the attack for you to some degree, but you're also being told exactly what's happening, why it's happening and where it's happening.

>> Dave Vellante: And your secret sauce, is this the way in which you handle the metadata, what you call smart data? Is that right?

>> Darren Anstee: Our secret sauce really is in, I think it's in a couple of different areas. So with Sightline with Sentinel the smart data is really a key one. I think the other key one is our experience in the DDoS space. So we understand how our customers are looking to use their router and switch infrastructure, we understand the nature of the attacks that are going on out there, we have a unique set of visibility into the attack landscape through the NetScout ATLAS platform. When you combine all of those things together, we can look at a given network and we can understand, for this attack at this second, this is the best way of dealing with that attack using these different mechanisms. If the attack changes, we alter our strategy, and building that intelligent automation needs that smarter visibility. So all of those different bits of our secret sauce really come together in Sentinel.

>> Dave Vellante: So is that really your differentiator from, you know, your key competitors, that you've got the experience, you've got obviously the tech? Anything else you'd add to that?

>> Darren Anstee: I think the other thing that we've got is the people. So we've got a lot of research kind of capability in the DDoS space, so we are delivering a lot of intelligence into our products as well now. It's not just about what you detect locally anymore, and we look at the way that the attack landscape is changing. I mentioned that attackers are researching and weaponizing new protocols; you know, we're learning about that as it happens by looking at our honeypots, by looking at our sinkholes, by looking at our ATLAS data. We're pushing that information down into Sightline with Sentinel as well, so that our customers are best prepared to deal with what's facing them.

>> Dave Vellante: When you talk to customers, can you kind of summarize for our audience the key to the business
challenges you talked about some of the technical there may be some others that you can mention but try to get to that business impact yeah so on the business side of it there's a few different things so a lot of it comes down to operational cost and complexity and also obviously the cost of deploying infrastructure so and both of those things are changing because of the way that networks are changing and business models are changing on the operational side everyone is looking for their solutions to be more intelligent and more automated but they don't want them simply to be a black box if it's a black box it either works or it doesn't and if it doesn't you've got big problems especially if you've got service level agreements and things tied to services so intelligent automation to reduce operational overhead is key and we're very focused on that second thing is around deployment of capability into networks so I mentioned that the traditional DDoS that that the traditional DDoS mitigation kind of strategy was to deploy intelligent DDoS mitigation capability in to keep hearing locations and centralized data centers as we push things out towards the edge our customers are looking for those capabilities to be deployed more flexibly they're looking for them to be deployed on common off-the-shelf hardware they're looking for different kinds of software licensing models which again is something that we've already addressed to kind of allow our customers to move in that direction and then the third thing I think is really half opportunity and half business challenge and that's that when you look at service providers today they're very very focused on how they can generate additional revenue so they're looking very much at how they can take a service that maybe they've offered in the past to their top hundred customers and offer it to their top thousand or five thousand customers part of that is dry is intelligent automation part of that is getting the visibility but part 
of that again is partnering with an organization like netskope that can really help them to do that and so it's kind of part challenge part opportunity there but that's again something we're very focused on I want to come back and double down on the the point about automation seems to me the unique thing one of the unique things about security is this huge skills gap and people complain about that all the time a lot of infrastructure businesses you know automation means that you can take people and put them on you know different tasks more strategic and I'm sure that's true also its security but there's because of that skills gap automation is the only way to solve these problems right I mean you can't just keep throwing people at the problem because you don't have the skilled people and you can't take that brute force approach does that make sense to you it's scale and speed when it comes to distributed denial-of-service so given the attack vectors are changing very rapidly now because the tools support that you've got two choices as an operator you either have somebody focused on watching what the attack is doing and changing your mitigation strategy dynamically or you invest in a solution that has more intelligent art and more intelligent analytics better visibility of what's going on and that's slightly and with Sentinel fundamentally the other key thing is the scale aspect which is if you're looking to drive value-added services to a broader addressable market you can't really do that you know by simply hiring more and more people because the services don't cost in so that's where the intelligent automation comes in it's about scaling the capability that operators already have and most of them have a lot of you know very clever very good people in the security space you know it's about scaling the capability they already have to drive that additional revenue to drive the additional value so if I had to boil it down the business is obviously lower cost it's 
mentioned scale more effective mitigation which yeah which you know lowers your risk and then for the service providers it's monetization as well yeah and the more effective mitigation is a key one as well so you know leveraging that router and switch infrastructure to deal with the bulk of attack so that you can then use the intelligent DDoS mitigation capability the Arbour TMS to deal with the more sophisticated components combining those two things together all right we'll give you the final word Darren you know takeaways and you know any key point that you want to drive home yeah I mean sightline has been a market leading product for a number of years now what we're really doing in Nets care is investing in that we're pulling together the different technologies that we have available within the business to deliver a real step change in capability to our customer base so that they can have a fully automated and orchestrated attack response capability that allows them to defend themselves better and allows them to drive a new range of value-added services well Dara thanks for coming on you guys doing great work really appreciate your insights thanks Dave you're welcome and thank you for watching everybody this is Dave Volante we'll see you next time
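The interview above describes a layer 3/4 flow view of DDoS, a tiered response that absorbs the bulk of an attack on router and switch infrastructure and hands the sophisticated remainder to a scrubbing capability, and a signaling exchange in which a peer reports back what it forwarded and what it dropped. The Python below is an added example written for this page, not NETSCOUT or Arbor code, that models those three steps on constructed flow records: aggregate bytes per destination per window, alert when a window exceeds an absolute floor and a multiple of the destination's baseline, decide whether one (protocol, source port) vector dominates (a simple volumetric attack a router-level filter can take, for instance a BGP FlowSpec rule; the interview does not name the mechanism) or whether the traffic should be diverted for scrubbing, and produce the forwarded/dropped feedback a peer would return. The thresholds, the filter match format and the RFC 5737 sample addresses are all assumptions.

```python
"""Flow-based volumetric DDoS detection with a tiered response.

Added illustration, not NETSCOUT/Arbor code. Aggregates layer 3/4 flow records
per destination, compares each window to the destination's baseline, picks a
response tier, and computes the forwarded/dropped feedback a signaling peer
would report. All flow records are constructed; thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    ts: int        # timestamp (seconds) of the flow record
    src: str
    dst: str
    proto: int     # 6 = TCP, 17 = UDP
    sport: int
    dport: int
    bytes: int

WINDOW = 60             # seconds per aggregation window
ABS_FLOOR_BPS = 50e6    # never alert below this absolute rate (assumption)
K_OVER_BASELINE = 5.0   # alert when a window exceeds 5x the baseline (assumption)
DOMINANT_SHARE = 0.8    # a single (proto, sport) vector with >= 80% is "simple"

def bps_per_dst(flows):
    """bits/s per destination per window: {dst: {window_start: bps}}."""
    acc = defaultdict(lambda: defaultdict(int))
    for f in flows:
        acc[f.dst][f.ts // WINDOW * WINDOW] += f.bytes
    return {d: {w: b * 8 / WINDOW for w, b in ws.items()} for d, ws in acc.items()}

def detect(flows):
    """Return {dst: (window, observed_bps, baseline_bps)} for anomalous windows.

    The baseline is the mean of all earlier windows for that destination, so the
    first window can never alert (a real system keeps a rolling history).
    """
    alerts = {}
    for dst, series in bps_per_dst(flows).items():
        history = []
        for w in sorted(series):
            rate = series[w]
            if history:
                base = sum(history) / len(history)
                if rate >= ABS_FLOOR_BPS and rate >= K_OVER_BASELINE * base:
                    alerts[dst] = (w, rate, base)
            history.append(rate)
    return alerts

def classify_vector(flows, dst, window):
    """Return the dominant (proto, sport) vector in the attack window, or None."""
    by_vec, total = defaultdict(int), 0
    for f in flows:
        if f.dst == dst and f.ts // WINDOW * WINDOW == window:
            by_vec[(f.proto, f.sport)] += f.bytes
            total += f.bytes
    vec, vol = max(by_vec.items(), key=lambda kv: kv[1])
    return vec if vol / total >= DOMINANT_SHARE else None

def plan_response(flows, dst, window):
    """Tiered decision: router/switch filter for a single vector, else scrub."""
    vec = classify_vector(flows, dst, window)
    if vec:
        proto, sport = vec
        return {"action": "router_filter",
                "match": {"dst": dst, "proto": proto, "sport": sport}}
    return {"action": "divert_to_scrubber", "dst": dst}

def apply_filter(flows, match):
    """Feedback a peer returns after acting on a signal: bytes forwarded/dropped."""
    dropped = forwarded = 0
    for f in flows:
        if (f.dst == match["dst"] and f.proto == match["proto"]
                and f.sport == match["sport"]):
            dropped += f.bytes
        else:
            forwarded += f.bytes
    return {"forwarded_bytes": forwarded, "dropped_bytes": dropped}

def sample_flows():
    """Constructed records: two quiet minutes, then an NTP-style UDP/123 flood."""
    victim = "203.0.113.10"
    flows = []
    for w in (0, 60):                      # ~13 Mbit/s of normal HTTPS traffic
        for i in range(5):
            flows.append(Flow(w, f"198.51.100.{i}", victim, 6, 40000 + i, 443, 20_000_000))
    for i in range(50):                    # 50 reflectors, ~133 Mbit/s
        flows.append(Flow(120, f"192.0.2.{i}", victim, 17, 123, 40000 + i, 20_000_000))
    flows.append(Flow(120, "198.51.100.7", victim, 6, 40007, 443, 20_000_000))
    return flows

if __name__ == "__main__":
    flows = sample_flows()
    for dst, (w, rate, base) in detect(flows).items():
        plan = plan_response(flows, dst, w)
        print(dst, w, f"{rate/1e6:.0f} Mbit/s vs {base/1e6:.0f} baseline", plan)
        if plan["action"] == "router_filter":
            print(apply_filter(flows, plan["match"]))
```

Run as a script it alerts on the third window, proposes a filter on UDP source port 123 toward the victim, and reports roughly 1 GB dropped against 220 MB forwarded, which is the kind of feedback the interview says the signaling peer needs. Dropping the dominance check (set DOMINANT_SHARE to 1.0) sends the same attack to the scrubber instead, which is the right answer once the vectors are mixed.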
Dr. Vikram Saksena, NETSCOUT | CUBEConversation, July 2019
From the SiliconANGLE Media office in Boston, Massachusetts, it's theCUBE. Now here's your host, Stu Miniman.

>>Hi, I'm Stu Miniman, and this is a CUBE Conversation from our Boston area studio. Happy to welcome to the program a first-time guest on the program, but from NETSCOUT, who we've been digging into the concept of visibility without borders with: Dr. Vikram Saksena, who's with the Office of the CTO from the aforementioned NETSCOUT. Thank you so much for joining us.

>>Thanks, Stu. Thanks for having me.

>>All right, Dr. Saksena, before we get into kind of your role, why don't you go back, give us a little bit about your background. You and I have some shared background: we both worked for some of the arms of Ma Bell, back in the day. You worked a little bit more senior, and, you know, probably a lot more patents than I have. My current count is still...

>>Sure, happy to do that. You're right, I started in '82, which was two years before the breakup of Ma Bell, so, you know, and then everything started happening right around that time. So yeah, I started in Bell Labs, stayed there close to 20 years, did a lot of the early pioneering work on packet switching, before the days of internet, frame relay, all of that happened. It was a pretty exciting time. I was there building up, we built up the AT&T business from scratch to a billion dollars in the IP space, you know, in a voice company, that was always challenging. So and then I moved on to do startups in the broadband space, two of them, moved to the Boston area, and then moved on to play the CTO role in public companies, Sonus Networks, Tellabs, and then, you know, came to NETSCOUT about five years ago.

>>Yeah, you know, I love talking about some of those incubators of innovation, though, that historically speaking just threw off so much technology. We've been seeing so much in the media lately about the 50th anniversary of Apollo 11, so many things that came out of NASA. Bell Labs was one of those places that helped inspire me to study engineering; that definitely got me on my career. But here we are, 2019, and you're still working with some of these telcos and how they're all dealing with this wave of cloud and the constant change there. So bring us inside, you know, what's your role inside NETSCOUT, that Office of the CTO?

>>Yes, so NETSCOUT is in the business of, you know, mining network data, and what we excel at is extracting what we call actionable intelligence from network traffic, for which we use the term smart data. But essentially my role is really to be the bridge between our technology group and the customers: you know, bring out, understand the problems, the challenges that our customers are facing, and then work with the teams to build the right product to fit into the current environment.

>>Okay. One of our favorite things on theCUBE is talking to customers that are going through their transformation. When you talk about the enterprise, digital transformation, we think there's more than just the buzzword there. I've talked to financial institutions, manufacturing, you name it out there. If it's a company that's not necessarily born in the cloud, they are undergoing that digital transformation. Bring us inside your customer base, the telcos, the service providers. Most of them have a heavy tech component to what they're doing, but are they embracing digital transformation? What does it mean for them?

>>So, you know, as you said, it's a big term that catches a lot of things, but in one word, if I described it for the telcos, it's all about agility. If you look at the telco model, historically it has been on a path where services get rolled out every six months, a year, multiple years, you know, not exactly what we call an agile environment compared to today. But when the cloud happened, it changed the landscape, because cloud not only created a new way of delivering services but also changed expectations on how fast things can happen, and that created high expectations on the customer side, which in turn started putting pressure on the telcos and the service providers to become as agile as cloud providers. And as you know, the network, which is really the main asset of a service provider, was built around platforms that were not really designed to be programmable. So they came in with hardwired services, and they would change at a very slow timescale, and building around that is the whole software layer of OSS/BSS, which over time became very monolithic, very slow to change. So coupling the network and the software layer created a very slow moving environment. So this is what's really causing the change to go to a model where the networks can be programmable, which essentially means moving from a hardware-centric model to a software-centric model, where services can be programmed on demand and created on the fly, and maybe sometimes even under the control of the customers, and layering on top of that, changing the OSS infrastructure to make it more predictive, make it more actionable, and driven by advances in machine learning and artificial intelligence to make this entire environment extremely dynamic and agile. So that's kind of what we are seeing in the marketplace.

>>Yeah, I totally agree that agility is usually the first thing put forward: I need to be faster. It used to be, you know, faster, better, cheaper; now it's like faster, faster, faster can actually help compensate for some of those other pieces there. Of course service providers are usually very conscious of the cost of things, because if they can lower their cost, they can usually of course make themselves more competitive and pass that along to their ultimate consumers. Bring us inside that. You mentioned this change to software that's going on. There are so many waves of change going on there, everything from, you talk about IoT and edge computing, it's a big, massive role, and 5G, that even gets talked about in the general press these days and at government states. So where are your customers today, what are some of the critical challenges they have, and where does that kind of monitoring, observability, that kind of piece fit in?

>>So, good. So let me give two backdrop points. First of all, you mentioned cost. So they are always very cost-conscious, trying to drive it down, and the reason for that is the traditional services have been heavily commoditized: you know, voice, texting, video, data, they've been commoditized. So the customers want the same stuff cheaper and cheaper and cheaper all the time, right? So that puts a pressure on margins and reducing cost. But now the industry is at a point where I think the telcos need to grow the top line. You know, that's a challenge, because you can always reduce cost, but at some point you get to a point of diminishing returns. So now I think the challenge is how do they grow their top line, you know, so they can become healthier again in that context, and that leads to the whole notion of what services they need to innovate on. So it's all about, once you have a programmable network and software that is intelligent and smart, that becomes a platform for delivering new services. So this is where you see on the enterprise side SDN, enterprise IoT, all these services are coming now using technologies of software-defined networking, network function virtualization, and 5G, as you mentioned, is the next generation of wireless technology that is coming on board right now, and that opens up the possibility for the first time to new things. Two dimensions come into play. First, not only a consumer-centric focus, which was always there, but now opening it up to enterprises and businesses and IoT. And secondly, fixed broadband, right? The era where telcos used to either drive copper or fiber: slow, cumbersome, takes a lot of time, right? And the cable guys have already done that with coaxial cable. So they need to go faster, and faster means use wireless, and finally with 5G you have a technology that can deliver fixed broadband, which means all the high definition video, voice, data and other services like AR/VR into the home. So it's opening up a new possibility: rather than having a separate fixed network and a separate wireless network, for the first time they can collapse that into one common platform and go after both fixed and mobile, and both consumers and enterprises.

>>Yeah, one of the big topics of conversation at Cisco Live, which was in San Diego just a short time ago, was 5G, and then Wi-Fi 6, the next generation of that, because I'm still going to need it inside my building for the companies, but 5G holds the promise to give me so much faster bandwidth, so much denser an environment. I guess some of the concerns I hear out there, and maybe you can tell me kind of where we are and where the telcos fit in, is, 5G from a technology standpoint, we understand where it is, but that rollout is going to take time. It's great to say you're going to have this dense and highly available thing, but that's gonna start in the same place all the previous generations did: it's the place where actually we don't have bad connectivity today, it's in the urban areas, it's where we have dense populations. Sometimes it's thrown out there, oh, 5G is gonna be great for edge and IoT, and it's like, well, we don't have balloons and planes and, you know, the towers everywhere. So where are we with that rollout of 5G? What sort of timeframes is your customer base looking at as to where that goes to play?

>>So I think, from what I'm seeing in the marketplace, I think there is less of a focus on building out ubiquitous coverage, because, you know, when the focus is on consumers you need coverage, because they're everywhere, right? But I think where they are focusing, because they want to create new revenue, new top-line growth, they're focusing more on industry verticals, IoT. Now that allows you to build out networks in pockets of where your customers are, because enterprises are always focused in the top cities and, you know, the top metro areas. So before you make it available for consumers, if you get an opportunity to build out, at least in the major metropolitan areas, an infrastructure where you're getting paid as you're building it out, because you're signing up these enterprise customers who are willing to pay for these IoT services, you get paid, you get to build out the infrastructure, and then slowly, as new applications emerge, I think you can make it widely available for consumers. I think the challenge on the consumer side is the smartphones have been tapped out, you know, and people are not going to get that excited about 5G just to use the next-gen iPhone, right? So there it has to be about new applications and services, and the things that people talk about always on the horizon are AR, VR and things like that, but they are out there, they're not there today, because a device has to come on board that becomes mass consumable and exciting to customers. So while the industry is waiting for that to happen, I think there's a great opportunity right now to turn up services for enterprise verticals in the IoT space, because the devices are ready, and because enterprises are going through their own digital transformation, they want to be in a connected world, right? So they're putting pressure on telcos to connect all their devices into the network, and there is a monetization opportunity there. So I think what the carriers are going to do is sign up verticals, whether it's transportation, health care. So if they sign up a bunch of hospitals, they're going to deploy infrastructure in that area to sign up hospitals; if they're going to sign up manufacturing, they're going to build their infrastructure in those areas where they are, right? So by that model you can build out a 5G network that is concentrated on their customer base, and then get to ubiquitous coverage later, when the consumer applications come.

>>Yeah, so I like that a lot, because, you know, when I think back, if we've learned from the sins of the past, it used to be, if we build it they will come. Let's, you know, dig trenches across all the highways with as much fiber as we can, and then the dot-com bust happens and we have all of this capacity that we can't give away. What it sounds like you're describing is really a service-centric view. I've got customers and I've got applications, and I'm going to build to that, and then I can build off of that piece there. Could you talk a little bit about that focus and, you know, where your customers are going?

>>Yeah, so maybe just quickly before that, what I want to talk about is the distributed nature of the 5G network. So you mentioned edge, right? So one of the things that are happening, when you want to deliver low latency services or high bandwidth services, you need to push things closer to the edge. As you know, when cloud started, it's more in what we call the core, you know, the large data centers, the hyperscale data centers, where applications are being deployed now. But when you demand low latency, let's say sub-15 millisecond, 10 millisecond latency, that has to be pushed much closer to the customer. Now this is what's forcing the edge cloud deployment in 5G, and then what that does is it also forces you to distribute functionality. You know, everything is not centralized in the core, but it's distributed in the edge and the core: the control plane may be in the core, but the user plane moves to the edge. So that changes the entire flow of traffic and services in a 5G network. They are no longer centralized, which means it becomes more challenging to be able to manage and assure these services in a highly distributed telco cloud environment, which has this notion of edge and core. Now on top of that, if you say that, you know, this is all about top-line growth and customer satisfaction, then your focus on operationalizing these services has to change from a network-centric view to a service-centric view. Because in the past, as you know, when we were both in Bell Labs and AT&T, you know, we were pretty much focused on the network, you know, focused on the data from the network, the network elements, the switches and the routers and all of that, and making sure that the network is healthy. Now that is good, but it's not sufficient to guarantee that the services and the service level agreements for customers are being met. So what you need to do is focus at the service layer much more so than you were doing in the past. So that changes the paradigm on what data you need to use, how you want to use it, and how do you stitch together this view in a highly distributed environment, and do it in real time and do it all very quickly, so the customers don't see the pain if anything breaks, and actually be more proactive, in a lot of cases be more predictive, and take corrective actions before they impact services. So this is the challenge, and clearly from a NETSCOUT point of view, I think we are right in the center of this hurricane, and, you know, given the history, we sort of have figured out how to do this.

>>Yeah, you know, networking has a long history of, we've got a lot of data, we've got all of these flows, and things change, but exactly as you said, understanding what happened at that application. We've been really trying to make sure it's not just IT sitting on the side, but IT driving that business: that's my application, those data flows. So maybe expound a little bit more on NETSCOUT's fit there, and, you know, why it's so critical for what customers need today.

>>Yeah, happy to do that. So if you look at what are the sources of data that you actually can use, and what you should use, basically they fall into three buckets. What I call first is what I call infrastructure data, which is all about data you get from hypervisors, vSwitches. They're telling you more about how the infrastructure is behaving, where you need to add more horsepower, CPUs, memory, storage and so on. So that is very infrastructure-centric. The second one is from network elements, you know, what the DNS servers give you, DHCP servers, what your routers and switches are giving you, the firewalls are giving you, and they are also in a way telling you more about what the network elements are seeing. So there's a little bit of a hybrid between infrastructure and a service layer component, but the problem is that data is very vendor-dependent, it's highly fragmented across there, because there's no real standards on how to create this data. So there is telemetry data, there are syslogs, and all vendors do it the way they think is best for them. So the challenge then becomes, on the service provider side, how do you stitch it together, because a service is an end-to-end construct, or an application: it starts at a user and goes to a server, and you need to be able to get that holistic view end to end. So the most appropriate data, NETSCOUT feels, is what we call the wire data, or the traffic data, which is actually looking at packets themselves, because they give you the most direct knowledge about how the service is behaving, how it's performing, and not only that, you can actually predict problems as opposed to react to problems, because you can trend this data, you can apply machine learning to this data and be able to say what might go wrong and be able to take corrective action. So we feel that extracting the right contextual information, relevant, implicit information, timely information, in a vendor-independent way, in a way that is universally available from edge to core, those are the attributes of wire data, and we excel in processing that at the source in real time and converting all of that into actionable intelligence that is very analytics- and automation-friendly. So this is our strength. What that allows us to do is, as they are going through this transition between 4G and 5G, between physical and virtual, across fixed and mobile networks, you know, you can go through this transition if you have a stitched-together end-to-end view that crosses these boundaries, or borders as we call it, visibility without borders, and in this context your operations people never lose insight into what's going on with their customer applications and behavior. So they can go through this migration with confidence that they will not negatively impact their user experience by using our technology.

>>Yeah, you know, we've thrown out these terms intelligence and automation for decades in our industry, but if you look at these hybrid environments and all of these changes coming out, if an operator doesn't have tools like this, they can't keep up. So I need to have that machine learning, I have to have those tools that can help me intelligently attack these pieces; otherwise there's no way I can do it.

>>Yeah, and one point there is, you know, it's like garbage in, garbage out. If you don't get the right data, you can have the most sophisticated machine learning, but it's not going to predict the right answer. So the quality of data is very important, just as the quality of your analytics and your algorithms. So we feel that the combination of the right data and the right analytics is how you're going to get the advantage of, you know, accurate predictions and automation around that whole suite.

>>Okay, love that. Right data, right information, right analytics. I want to give you the final word, final takeaways for your customers today.

>>So I think we are in a very exciting time in the industry. You know, 5G as a technology is probably the first generation technology which is coming on board where there is so much focus on things like security and new applications and so on, and I think it's an exciting time for service providers to take advantage of this platform and then be able to use it to deliver new services and ultimately see their top lines grow, which we all want in the industry, because if they are successful then we as suppliers, you know, do well. So I think it's a pretty exciting time, and we as NETSCOUT are happy to be in this spot right now and to see and help our customers go through this transition.

>>All right, Dr. Vikram Saksena, thank you so much for joining us, sharing with us everything that's happening in your space, and glad to see the excitement still with the journey that you've been on.

>>Thank you, Stu. Happy to be here.

>>All right, and as always, check out theCUBE.net for all of our content. I'm Stu Miniman, and thanks as always for watching theCUBE.
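The interview above argues that wire data (the packets themselves) gives a vendor-independent, service-level view that infrastructure counters and element logs cannot, because you can pair a request with its response and measure how the service actually behaved. The Python below is an added example written for this page, not NETSCOUT's Smart Data implementation: it parses DNS messages in RFC 1035 wire format (including compressed names) into metadata records, then pairs queries with responses by transaction id and name to produce per-transaction metadata such as response time, response code and whether a query was never answered. The packets are constructed inline (example.com, a 0xC00C compression pointer, one query that gets no reply), and the two-second unanswered-query timeout is an assumption.

```python
"""Turning DNS packets on the wire into service-level metadata.

Added illustration, not NETSCOUT's Smart Data code. Parses raw DNS messages
(RFC 1035, including name compression) into metadata records and pairs
queries with responses to derive a service-layer metric (response time,
rcode, unanswered queries) that byte and packet counters cannot provide.
All packets below are constructed; the timeout value is an assumption.
"""
import struct

def read_name(pkt, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, after, hops = [], False, None, 0
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:                      # 2-byte pointer to an earlier name
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            if not jumped:
                after = off + 2                    # caller resumes after the pointer
            jumped, off, hops = True, ptr, hops + 1
            if hops > 16:                          # refuse pointer loops
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if ln == 0:
            break
        labels.append(pkt[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (after if jumped else off)

def parse_dns(pkt, ts):
    """One DNS message -> metadata dict (id, QR flag, rcode, question, A answers)."""
    if len(pkt) < 12:
        raise ValueError("truncated header")
    tid, flags, qd, an, _ns, _ar = struct.unpack("!6H", pkt[:12])
    off, qname, qtype = 12, None, None
    for _ in range(qd):
        qname, off = read_name(pkt, off)
        qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(pkt, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:              # A record: render dotted quad
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"ts": ts, "id": tid, "qr": bool(flags & 0x8000), "rcode": flags & 0xF,
            "qname": qname, "qtype": qtype, "answers": answers}

def pair_transactions(records, now, timeout=2.0):
    """Match queries to responses by (id, qname); emit per-transaction metadata."""
    pending, out = {}, []
    for r in sorted(records, key=lambda r: r["ts"]):
        key = (r["id"], r["qname"])
        if not r["qr"]:
            pending[key] = r
        elif key in pending:
            q = pending.pop(key)
            out.append({"qname": r["qname"], "rcode": r["rcode"],
                        "rtt_ms": round((r["ts"] - q["ts"]) * 1000, 1),
                        "answers": len(r["answers"])})
    for q in pending.values():                     # queries still unanswered at `now`
        if now - q["ts"] >= timeout:
            out.append({"qname": q["qname"], "rcode": None, "rtt_ms": None, "answers": 0})
    return out

# Constructed packets: an A query for example.com, its response whose answer
# owner name is the pointer 0xC00C back to the question, and a query with no reply.
QNAME = b"\x07example\x03com\x00"
QUERY = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + QNAME + b"\x00\x01\x00\x01"
RESPONSE = (struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0) + QNAME + b"\x00\x01\x00\x01"
            + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([93, 184, 216, 34]))
LOST = (struct.pack("!6H", 0x5678, 0x0100, 1, 0, 0, 0)
        + b"\x03www\x07example\x03com\x00" + b"\x00\x01\x00\x01")

def sample_metadata():
    """Run the parser over the constructed capture (timestamps in seconds)."""
    records = [parse_dns(QUERY, 10.000), parse_dns(RESPONSE, 10.012), parse_dns(LOST, 10.100)]
    return pair_transactions(records, now=13.0)

if __name__ == "__main__":
    for row in sample_metadata():
        print(row)
```

The output is one row per transaction rather than per packet: example.com answered in 12 ms with rcode 0, www.example.com unanswered. That is the shape of record the interview calls smart data, and it is what lets you trend resolver latency or failure rate per service without depending on any vendor's syslog format. Anything beyond A records is left as raw rdata, and a production parser would also bound the record count it is willing to walk.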