

Richard Hummel & Roland Dobbins, NETSCOUT | CUBE Conversation, July 2021


 

(upbeat music) (air whooshing)

>> Hi everybody. John Walls here, continuing our Cube Conversations, here focusing on NETSCOUT today and the growing problem of ransomware. Obviously very much in the news these days for a couple of high profile cases. It is certainly an increasing challenge, but by no means a new phenomenon at all. With us to talk about this is Roland Dobbins, who is the principal engineer of NETSCOUT's ASERT team. And Roland, good to see you today, sir. Thanks for joining us.

>> Good to see you as well.

>> And Richard Hummel, who's Threat Intelligence research lead for the ASERT team. And Richard, thank you for being with us as well here on the Cube.

>> Absolutely John, thanks for having us.

>> Yeah, let's just jump right in here. Ransomware, obviously we're all well aware of a couple of high profile cases, as I alluded to. Let's talk about first, the magnitude and scale of the problem as it currently exists. And Roland, I'm going to let you just set the table for us here. Let's talk about ransomware, where it was maybe four or five years ago, and then what the challenge has become today.

>> Actually, John, if you don't mind, I'd really like to hand that one to my colleague Richard, because...

>> By all means, so Richard-

>> ...he really has an in-depth background there, if that's okay.

>> Richard, jump in on that.

>> Absolutely. Yeah. And so (clears throat) I'll handle all the ransomware stuff, namely because I've been doing this for going on seven years now, looking specifically at ransomware. I started this right around the time I joined iSIGHT Partners, you know, leading premier provider of threat intelligence, who was acquired by FireEye and now Mandiant, and now even a conglomerate that just acquired Mandiant. So there's been a series of acquisitions here, but the reality is this threat intelligence has been pervasive across all of these. And you can see that over time that value hasn't diminished. And you can see that by all of these acquisitions that are like, that's a really good example to show how valuable this is, because everybody wants it. And the reality is back then I started tracking ransomware, specifically looking at a lot of the CryptoLocker variants, things like CryptoWall, and TorrentLocker, and TeslaCrypt. And there's any number, I could go on and on and on about all these different variations, and how ransomware came to be, and what, you know, adversaries were using it for. But the reality is ransomware has been around for a long, long time, and probably three or four years ago there was this lull in time where people are like, hey, we've got these initiatives like NoMoreRansom.org. We've got the, you know, local law enforcement backing in a bunch of different countries. There's this big huge international effort to basically get rid of ransomware, and it's going to be a thing of the past. And we very clearly see that is not the case. And now with ransomware, you have an evolution over time. It used to be you would have different flavors of ransomware, where sometimes it would encrypt your files first and then it would reach back to the command and control. Sometimes it would reach back first to get keys and then it would encrypt. Sometimes the encryption was breakable, sometimes the keys were stored locally, but a lot of the more recent variants of ransomware are very well done. They're very sophisticated. They will encrypt your files and the keys themselves are held by the adversary. And so there's no way to just decrypt it. You can't create a decryptor like a lot of these security companies do; you would actually have to get that key from the adversary, or you would have to restore your systems from a backup. And so the history of ransomware is very long and varied. And, you know, one of the core topics we want to discuss today is ransomware isn't by itself anymore. It used to be like ransomware was the name that incited fear, but these guys have evolved over time. And now ransomware operators are doing kind of this triple extortion, where they will encrypt your files, they've already gained access to that system, so then they will exfiltrate sensitive data and they will have that as kind of a hostage and say, look, you're going to pay us for this ransomware to decrypt your files, to get those back. But guess what? We also have your sensitive data that we're going to post online and sell on underground forums unless you pay us additional money. But now we even have a third stage here, and this is kind of where Roland's going to come in and talk about this: we have DDoS extortion. That is surging. In fact, we did a survey of enterprise internet service providers, and when we asked them what were their biggest concerns in 2020 and going into 2021 about threats, obviously ransomware was number one, but DDoS extortion was number two. And so you have this one-two bang the adversaries are using to be able to extort payment from victims. And this has been going on for a number of years with this kind of double extortion, and now this triple extortion. In fact, going all the way back to the CryptoLocker days, you would have banking malware like Gameover Zeus, where they would get on your system, they would do wire transfers from your bank accounts, they would steal files, and then as a last hurrah they would deploy ransomware and encrypt all your files. And so not only did they steal all your money from the bank, now they're going to say you've got to pay us to actually decrypt your files. So this idea of kind of a double tap has been going on for a long time. And more recently, around September of last year, we started to see this DDoS aspect as part of these operations. And so, yeah, that's kind of the history of what we're dealing with here.

>> And so, DDoS, distributed denial of service. Roland, let you pick up the ball at this point then. Now this evolution, if you will, the triple threat, you know, first you were talking about encryption, then public exposure, and now this DDoS stage, this pillar of the malfeasance, if you will. What kind of headaches is this causing, in terms of, from an engineering perspective, from your side of the fence, when you're looking at what your clients are dealing with, when all of a sudden they have this entirely new plethora of challenges that are confronting them?

>> Sure. So DDoS goes back a long ways. It actually goes back to the late 80s and the early ARPANET. And then we started to see non-monetary DDoS extortion in the early 1990s. And we started to see monetary DDoS extortion that kicked off around 1997. So, as with anything, criminals are very, very adaptive. And so when new technologies come online and new ways that they can potentially exploit it for their gain, they will do so, in many cases using old modalities just simply transliterated into the new technology space. And that's what we see with (indistinct) extortion. DDoS attacks are attacks against availability. So the idea is to disrupt the access, (indistinct) access to applications, services, servers, data, content, infrastructure, those different types of things. And DDoS attacks can be motivated by pretty much any motivation you can think of. But there is a hard core of DDoS extortionists that we've seen over the years. And as Richard indicated, what we started to see is a convergence between these sets of criminal specialties. And so a few years ago, we actually were disassembling a piece of ransomware and it turned out that it had some very basic DDoS attack capabilities coded into it. It was obviously a prototype, it hadn't been finished, but this showed that these criminals in the ransomware space were thinking about getting into DDoS. And now they've developed this methodology where, like Richard said, number one, they encrypt the files. Number two, they'll threaten to leak information. And then they will DDoS the public-facing infrastructure of the organizations to try and put additional pressure on them to pay. And especially now during the pandemic, with this wholesale shift to remote work, the attackers for the first time have the ability not only to disrupt the online operations, which is bad enough, but they can actually interfere with the ordinary workday activities of the first-line workforce of organizations. And so this really makes it even more potent. And the ransomware itself is interesting as well, because it uses exploits, social engineering, along with technological exploits, to exploit the confidentiality and the integrity of data, and to restrict that stuff, which actually turns into an attack against availability. So it's kind of really a different form of DDoS attack, and coupled with a real DDoS attack, it can be very, very challenging. But one thing, John, that we've seen is that organizations, if they have prepared to deal with a DDoS attack from an architectural perspective, from an operational perspective, if they have done the things they need to do to be able to maintain availability even in the face of attack, they are about 80% of where they need to be to be able to withstand a ransomware attack. Conversely, if organizations have been doing a good job in ensuring that their systems are secured, and if they do get hit somehow with ransomware, that they have the ability to maintain operations and communications and recover, they're about 80% of where they need to be to be able to successfully withstand DDoS attacks. And so it turns out that even though these threats are major threats and they are something that organizations need to be aware of, the good news is that a lot of the planning, and resources, and organizational changes that need to be made to face these threats are in fact very similar.

>> Yeah, but (indistinct) mean the challenge is, it's hard work, right? There's an enormous amount of preparation that's got to go into this, and pre-planning, pre-thought, and that's what NETSCOUT is all about, obviously, is trying to get people onto that journey and getting into this examination of their services, and their networks, and... The fact that this can happen on multiple layers, right? It could be application, protocols, transport, network, whatever, you know, just multiple ways that these DDoS attacks can occur. What kind of, I'd say, well, challenges again does that present, in the fact that there are many doors, right, that these attacks can happen from, or where these attacks can come from? So how do you then talk to your client base about approaching this kind of examination and these prophylactic measures that you're suggesting have to be done in order to minimize the damage?

>> It's really about business continuity. Now, business continuity planning, which used to be called "disaster recovery planning", right, is something that organizations are very familiar with. It often has executive sponsorship and a lot of planning has gone into it. The thing is, DDoS attacks, which are attacks against availability, are in fact a manmade disaster, right? And they interrupt the continuity of business. Same thing with the ransomware. And so from an architectural standpoint, from the standpoint of rolling out new products and services, resiliency to attack, and the ability to maintain availability and continue with operations in the face of attack, is really, really key for any organization today which has any kind of significant online presence. And that's really just about all of them. And so from a planning standpoint, it's imperative. From an architectural standpoint, whether we're talking about things like network infrastructure, or DNS, or software applications. It's important from an operational standpoint. So one of the things that we see, for example, is that many organizations don't really have a good communications plan. They don't have a good internal communications plan, nor do they have a good external communications plan for communicating during an event. And they don't even have really a plan for dealing with an event that is disruptive to business continuity and operations. And so that is really key. Technology is important, but the most important aspect of this is the human factor: understanding the business, understanding the types of risks to the business's ability to execute on its mission, and then doing the things from a technological perspective, from an operational perspective, and from a communications perspective to maintain operations and communications throughout an event, and to be able to emerge on the other side of that event successfully.

>> So Richard, you're in threat intelligence, right? Risk assessments. And as you said, you've been around this block for quite some time now. In terms of, I guess, getting people's attention, that has been accomplished now with obviously some, with some of these high profile cases. But what about that kind of work that you're doing in terms of trying to communicate these very threats to your client base or to prospective clients, in terms of identifying their real vulnerabilities within their networks and then having them seriously address these? I mean, what's the difference maybe in the mindset now, as opposed to where maybe that conversation was being had a few years ago?

>> I think the biggest difference here is it's a matter of when and not if. It used to be you could say, "Oh, I'm never going to get hit by ransomware, or I'm never going to get DDoS attacked." But that is no longer the case. Roland made a really good point that just about every single business in the world now relies on internet connectivity in order to operate their business. If they don't have that, then they're not going to be able to connect with their consumers, their shoppers, if they're a retailer, right? If you're a bank, then you have to communicate with your individuals having accounts. And I mean, I have not gone to a physical bank in probably six years. And so that just underscores how important it is to have this internet connectivity. Now, with that comes risk. Not only do you risk the DDoS attacks, because you're publicly exposed and an adversary can actually find your internet space by doing some forensics, such as network scanning, being able to walk that back with things like passive DNS and their historical records, using things like Shodan to figure out what kind of devices you're running. So there's any number of ways that you can do that. But at the same time, you're also exposing yourself to these ransomware operators, and really any kind of crimeware operator out there, because they're going to exploit you over the internet. We actually did a case study probably two years ago, looking at brute forcing on networks and looking at exploitation attempts, to figure out, like, what is the delta? If you have an online internet presence, are you going to get attacked? And the answer was very shocking to us. Yes, you're going to get attacked. And also it's going to be in less than five minutes from the time a brand new IoT device goes online to the time it starts getting brute force attacked. And within 24 hours you're going to get exploitation attempts from known vulnerabilities, or devices that haven't been patched, and things like that. And so the reality is not if you're going to get attacked, it's when. And so understanding that is the nature of the threat landscape right now, and having this kind of security awareness. Actually, another good point that Roland just brought up was that human element. The human element is kind of the linchpin for any security organization. And as part of my master's I had written a dissertation about, and I named it as such, my professor didn't really care for this, but I said, "The humans are the weakest link." Because in the security posture, that is essentially true. If you don't have the expertise on a team, you're not going to be able to get things configured properly. If you don't have the expertise, you're not going to be able to respond properly. If you have individuals that aren't concerned about security, now you're going to have a bunch of gaps. Not only that, social engineering is still the number one method that adversaries use to get into organizations, and that manipulates the human element. And so having the security awareness in what we do here, on this Cube interview, the threat reports we publish, the blogs that we do, all the threat summaries, all of that goes hand-in-hand with educating the general public and having security awareness pushed out as much as possible to every single person we can. And that's really the key: this preparation, this awareness of what adversaries are doing in order to defend against them.

>> So Roland, in your mind, and you've already walked us through a little bit of this, about certain steps and measures. Do you think that could be taken, safeguards basically, that everybody should have in place? What is the optimal scenario from an engineering perspective in terms of trying to prevent these kinds of intrusions, these kinds of attacks, in terms of what are those basic pieces, these fundamental pieces, as you see it now, understanding, as Richard just told us, that it's a matter of not if, but when?

>> Right. So availability, redundancy, these have to be core architectural principles, whether we're talking about network infrastructure, whether we're talking about important ancillary supporting services like DNS, in terms of personnel, in terms of remote access. All of these different elements, and many, many more, have to be designed from the outset. All the services and the applications, whether they're used internally, whether they are part of service delivery that an organization is doing across the internet publicly, there has to be redundancy and resiliency. There has to be a defense plan in order to defend these assets in these organizations against attack. Whether it's DDoS attack, or whether it's a containment plan to deal with ransomware that potentially gets let loose inside the enterprise network, there has to be a plan to contain it, and deal with it, and restore from backup. These plans have to be continuously updated, because IT is not static. There are always nuances and changes as organizations provision new services, offer new products, move into new markets and new sub-specializations. And so the plans have to be consistently updated and they have to be rehearsed. You can't have a plan that just exists as pixels on a phosphor somewhere. The plan has to be executed, because you're going to find that there's some scenario, some service, or application, or operational process that needs to be updated or that needs to be included in the plan. And this has to be done regularly. Another key point is that you have to have people who are very skilled and who have both depth and breadth of understanding. And either you bring those people into your organization or you reach out and get that expertise from organizations who do in fact have that kind of expertise on tap and available.

>> Well, you both certainly exhibit the depth and the breadth to fight this issue. (chuckles) I certainly appreciate the time, the insights, and the warning is quite clear: be prepared, do the hard work upfront. It could save you a lot of headache on the backside. And it is a matter of when and not if, these days. Richard, Roland, thanks for being with us here on the Cube.

>> Thank you so much.

>> Thank you so much. It's a pleasure.

>> All right, talking about the triple threat of extortion, cyber extortion these days, and DDoS, the distributed denial of service, and the growing problem. It is, but there is a way that you can combat it. And you just learned about that (indistinct) NETSCOUT here on the Cube. (upbeat music)

Published Date : Jul 15 2021

SUMMARY :

And Ronald and good to see you today, sir. Good to see you as well. And Roland, I'm going to let you just set By all means, so Richard- and how ransomware came to be, of challenges that are confronting them. of the organizations to try that have to be done in order and to be able to emerge And as you said, and that manipulates the human element. that everybody should have in the place? And so the plans have to of headache on the backside. Thank you so much. and DDoS, the distributed

SENTIMENT ANALYSIS :

ENTITIES

EntityCategoryConfidence
RichardPERSON

0.99+

Richard HummelPERSON

0.99+

RonaldPERSON

0.99+

JohnPERSON

0.99+

Roland DobbinsPERSON

0.99+

RolandPERSON

0.99+

John WallsPERSON

0.99+

July 2021DATE

0.99+

2020DATE

0.99+

MandiatORGANIZATION

0.99+

2021DATE

0.99+

Richard RolandPERSON

0.99+

NETSCOUTORGANIZATION

0.99+

FireEyeORGANIZATION

0.99+

six yearsQUANTITY

0.99+

threeDATE

0.99+

MandiaORGANIZATION

0.99+

first timeQUANTITY

0.99+

seven yearsQUANTITY

0.99+

two years agoDATE

0.99+

Eyesight PartnersORGANIZATION

0.99+

late 80sDATE

0.99+

todayDATE

0.99+

less than five minutesQUANTITY

0.99+

early 1990sDATE

0.99+

third stageQUANTITY

0.98+

24 hoursQUANTITY

0.98+

oneQUANTITY

0.98+

firstQUANTITY

0.98+

about 80%QUANTITY

0.98+

fourDATE

0.98+

four years agoDATE

0.97+

bothQUANTITY

0.96+

one thingQUANTITY

0.96+

CryptoLockerTITLE

0.94+

five years agoDATE

0.94+

pandemicEVENT

0.94+

tripleQUANTITY

0.92+

1997DATE

0.9+

Gameover ZeusTITLE

0.89+

first-line workforceQUANTITY

0.88+

two bangQUANTITY

0.87+

A-CERTORGANIZATION

0.86+

few years agoDATE

0.85+

Number twoQUANTITY

0.8+

September of last yearDATE

0.76+

TeslaCryptORGANIZATION

0.75+

RolandORGANIZATION

0.74+

single personQUANTITY

0.71+

double extortionQUANTITY

0.7+

double tapQUANTITY

0.7+

coupleQUANTITY

0.7+

CubeORGANIZATION

0.68+

DeltaORGANIZATION

0.66+

CERTORGANIZATION

0.64+

TorrentLockerTITLE

0.62+

aroundDATE

0.62+

core topicsQUANTITY

0.6+

CryptoLockerORGANIZATION

0.6+

DDoSOTHER

0.55+

CryptoWallORGANIZATION

0.53+

singleQUANTITY

0.51+

ARPANETORGANIZATION

0.51+

twoQUANTITY

0.49+

CubeCOMMERCIAL_ITEM

0.42+

Richard Hummel & Roland Dobbins, NETSCOUT


 

(upbeat music) (air whooshing) >> Hi everybody. John Walls here continuing our Cube Conversations here focusing on NETSCOUT today and the drawing problem of ransomware. Obviously very much in the news these days for the couple of high profile cases. It is certainly an increasing challenge, but by no means a new phenomenon at all. With us to talk about this is Roland Dobbins who is the principal engineer of NETSCOUT's A-CERT team. And Ronald and good to see you today, sir. Thanks for joining us. >> Good to see you as well. And Richard Hummel who's Threat Intelligence research lead for the A-CERT Team. And Richard, thank you for being with us as well here on the Cube. >> Absolutely John, thanks for having us. >> Yeah, let's just jump right in here. Ransomware, obviously we're all well aware of a couple of high profile cases, as I alluded to. Let's talk about first, the magnitude and scale of the problem, as it currently exists. And Roland, I'm going to let you just set the table for us here. Let's talk about ransomware, where it was maybe four or five years ago, and then the challenge has become today? >> Actually, John, if you don't mind I'd really like to hand that one to my colleague, Richard because >> By all means, so Richard- he's really has an in-depth background there if that's okay. >> Richard, jump in on that. >> Absolutely. Yeah. And so (clears throat) I'll handle all the ransomware stuff, namely because I've been doing this for going on seven years now of looking specifically at ransomware. I started this right around the time I joined Eyesight Partners, you know leading premier provider of threat intelligence who was acquired by FireEye and now Mandiat, and now even a conglomerate that just acquired Mandia. So there's been a series of acquisitions here but the reality is this threat intelligence has been pervasive across all of these. And you can see that over time that value hasn't diminished. And you can see that by all of these acquisitions. 
that are like that's a really good example to show how valuable this is because everybody wants it. And the reality is back then I started tracking ransomware specifically looking at a lot of the CryptoLocker variance, things like CryptoWall, and TorrentLocker, and TeslaCrypt. And there's any number I could go on and on and on about all these different variations, and how ransomware came to be, and what you know, adversaries were using it for. But the reality is ransomware has been around for a long, long time and probably three or four years ago. There was this lull in time where people are like, hey we've got these initiatives like no ransomware.org. We've got the, you know, local law enforcement backing in a bunch of different countries. There's this big huge international effort to basically get rid of ransomware. And it's going to% be a thing of the past. And we very clearly see that is not the case. And now with ransomware, you have an evolution over time. It used to be you would have different flavors of ransomware where sometimes it would encrypt your files first and then it would reach back to the command control. Sometimes it would reach back first to get keys and then it would encrypt. Sometimes the encryptions were breakable, sometimes the keys were stored locally, but a lot of them more recent variants of ransomware are very well done. They're very sophisticated. They will encrypt your files and the keys themselves are held by the adversary. And so there's no way to just decrypt it. You can't create a decryptor like a lot of these security companies do you would actually have to get that key from the adversary or you would have to restore your systems from a backup. And so the history of ransomware is very long and varied. And you know one of the core topics we want to discuss today is ransomware isn't by itself anymore. It used to be like ransomware was the name that incited fear but these guys have evolved over time. 
And now ransomware operators are doing kind of this triple extortion. Where they will encrypt your files, they've already gained access to that system. So then they will exfiltrate sensitive data and they will have that as kind of a hostage and say, look you're going to pay us for this ransomware to decrypt your files, to get those back. But I'll guess what? We also have your sensitive data that we're going to post online and sell and on underground forms unless you pay us additional money. But now we even have a third stage here. And this is kind of where Roland's going to come in and talk about this is we have DDoS extortion. That is surging In fact, we did a survey of enterprise internet service providers. And when we asked them what was their biggest concerns in 2020 and going into 2021 about threats, and obviously ransomware was number one but DDoS extortion was number two. And so you have this one, two bang the adversaries are using to be able to extort payment from victims. And this has been going on for a number of years with this kind of double extortion. And now this triple extortion, in fact going all the way back to the CryptoLocker days you would have banking malware, like Gameover Zeus where they would get on your system, they would do wire transfers from your bank accounts. There was steal files. And then as a last hurrah they would deploy ransomware and encrypt all your files. And so not only did they steal all your money from the bank. Now, they're going to say, you got to pay us to actually do decrypt your files. So this idea of kind of a double tap has been going on for a long time. And more recently around September of last year we started to see this DDoS aspect part of these operations. And so, yeah, that's kind of the history of what we're dealing with here. >> And so, and DDoS distributed denial service, Ronald let you pick up the ball at this point then. 
Now this evolution you will the triple threat, you know first you were talking about in encryption, in public exposure. And now this DDoS stage, this pillar of the malfeasance, if you will what kind of headaches is this causing in terms of from an engineering perspective from your side of the fence when you're looking at what your clients are dealing with when all of a sudden they have this entirely new plethora of challenges that are confronting them. >> Sure. So DDoS goes back a long ways. So it actually goes back to the late 80s and the early ARPANET. And then we started to see non-monetary DDoS extortion in the early 1990s. And we started to see monetary DDoS extortion that kicked off around 1997. So with any, criminals are very, very adaptive. And so when new technologies come online and new ways that they can potentially exploit it for their gain, they will do so in many cases using old modalities just simply transliterated into the new technology space. And that's what we see with (indistinct) extortion. DDOS attacks are attacks against availability. So the idea is to disrupt the access, (indistinct) access to applications, services, servers, data content, infrastructure, those different types of things. And DDoS attacks can be motivated by pretty much any motivation you can think of. But there is a hard core of DDoS extortionists that we've seen over the years. And this Richard indicated what we started to see is a convergence between these sets of criminal specialties. And so a few years ago, we actually were disassembling a piece of ransomware and it turned out that it had some very basic DDoS attack capabilities coded into it. It was obviously a prototype, it hadn't been finished, but this showed that these criminals in the ransomware space were thinking about getting into DDoS. And now they've developed this methodology where like Richard said, they, number one, they encrypt the files. Number two, they'll threatened to leak information. 
And then they will DDoS the public facing infrastructure of the organizations to try and put additional pressure on them to pay. And especially now during the pandemic with this wholesale shift to remote work. The attackers for the first time have the ability not only to disrupt the online operations which is bad enough, but they can actually interfere with the ordinary work day activities of the first-line workforce of organizations. And so this really makes it even more potent. And the ransomware itself is interesting as well because it uses exploits (indistinct), social engineering, along with technological exploits to exploit the confidentiality and the integrity of data, and to restrict that stuff which actually turns into an attack against availability. So it's kind of really a different form of DDoS attack and coupled out with a real DDoS attack, and it can be very, very challenging. But one thing John that we've seen is that organizations if they have prepared to deal with a DDoS attack in form an architectural perspective, from an operational perspective. If they have done the things they need to do, to be able to maintain availability, even in the face of attack. There are about 80% of where they need to be to be to able to withstand a ransomware attack. Conversely, if organizations have been doing a good job and ensuring that their systems are secured and if they do get hit somehow with ransomware that they have the ability to maintain operations and communications and recover, they're about 80% of where they need to be to be able to successfully withstand DDoS attacks. And so it turns out that even though these threats are major threats and they are something that organizations need to be aware of, the good news is that a lot of the planning, and resources, and organizational changes that need to be made to face these threats are in fact very similar. >> Yeah, but (indistinct) mean the challenge is, it's hard work, right? 
It, there's an enormous amount of preparations got to go into this, and pre-planning, pre-thought, and that's what NETSCOUT is all about obviously is trying to get people onto that journey and getting into this examination of their services, and their networks, and... The fact that this can happen on multiple layers, right? It could be application, be protocols, transport, network, whatever, you know just multiple ways that these DDoS attacks can occur. What kind of I'd say well, challenges again does that present in the fact that it is, there are many doors, right? That these attacks can happen from or where these attacks can come from. So how do you then talk to your client base about approaching this kind of examination and these prophylactic measures that you're suggesting that have to be done in order to minimize the damage? >> It's really about business continuity. Now business continuity planning, we used to be called "disaster recovery planning", right? Is something that organizations are very familiar with. It often has executive sponsorship and a lot of planning has gone into it. The thing is DDoS attacks, which were attacks against availability are in fact a manmade disaster, right? And they interrupt the continuity of business. Same thing with the ransomware, and so from an architectural standpoint, from the standpoint of rolling out new products and services, resiliency and to attack, and the ability to maintain availability and continue with operations in the face of attack is really really key for any organization today which has any kind of significant online presence. And that's really just about all of them. And so from a planning standpoint, it's imperative from an architectural standpoint whether we're talking about things like network infrastructure, or DNS, or software applications. It's important from an operational standpoint. 
So one of the things that we see, for example, is that many organizations don't really have a good communications plan. They don't have a good internal communications plan, nor do they have a good external communications plan for communicating during an event. And they don't even really have a plan for dealing with an event that is disruptive to business continuity and operations. And so that is really key. Technology is important, but the most important aspect of this is the human factor: understanding the business, understanding the types of risks to the business's ability to execute on its mission, and then doing the things from a technological perspective, from an operational perspective, and from a communications perspective to maintain operations and communications throughout an event and to be able to emerge on the other side of that agenda successfully. >> So Richard, you're in threat intelligence, right? Risk assessments. And as you said, you've been around this block for quite some time now. In terms of, I guess, getting people's attention, that has been accomplished now, obviously, with some of these high-profile cases. But what about that kind of work that you're doing in terms of trying to communicate these very threats to your client base or to prospective clients, in terms of identifying their real vulnerabilities within their networks and then having them seriously address these? I mean, what's the difference, maybe, in the mindset now as opposed to where maybe that conversation was being had a few years ago? >> I think the biggest difference here is a matter of when and not if. It used to be you could say, "Oh, I'm never going to get hit by ransomware," or "I'm never going to get DDoS attacked." But that is no longer the case. Roland made a really good point that just about every single business in the world now relies on internet connectivity in order to operate their business.
If they don't have that, then they're not going to be able to connect with their consumers, their shoppers, if they're a retailer, right? If you're a bank, then you have to communicate with your individuals having accounts. And I mean, I have not gone to a physical bank in probably six years. And so that just underscores how important it is to have this internet connectivity. Now, with that comes risk. Not only do you risk the DDoS attacks, because you're publicly exposed and an adversary can actually find your internet space by doing some forensics, such as network scanning, being able to walk that back with things like passive DNS and their historical records, using things like Shodan to figure out what kind of devices you're running. So there's any number of ways that you can do that. But at the same time, you're also exposing yourself to these ransomware operators and really any kind of crimeware operator out there, because they're going to exploit you over the internet. We actually did a case study probably two years ago looking at brute forcing on networks and looking at exploitation attempts to figure out, like, what is the delta? If you have an online internet presence, are you going to get attacked? And the answer was very shocking to us. Yes, you're going to get attacked. And also it's going to be in less than five minutes from the time a brand new IoT device goes online to the time it starts getting brute-force attacked. And within 24 hours you're going to get exploitation attempts from known vulnerabilities or devices that haven't been patched and things like that. And so the reality is not if you're going to get attacked, it's when. And so understanding that is the nature of the threat landscape right now, and having this kind of security awareness. Actually, another good point that Roland just brought up was that human element. The human element is kind of the linchpin for any security organization.
And as part of my master's I wrote a dissertation about it, and I named it as such, my professor didn't really care for this, but I said, "The humans are the weakest link." Because in the security posture, that is essentially true. If you don't have the expertise on a team, you're not going to be able to get things configured properly. If you don't have the expertise, you're not going to be able to respond properly. If you have individuals that aren't concerned about security, now you're going to have a bunch of gaps. Not only that, social engineering is still the number one method that adversaries use to get into organizations, and that manipulates the human element. And so having the security awareness in what we do here, on this Cube interview, the threat reports we publish, the blogs that we do, all the threat summaries, all of that goes hand-in-hand with educating the general public and having security awareness pushed out as much as possible to every single person we can. And that's really the key: this preparation, this awareness of what adversaries are doing in order to defend against them. >> So Roland, in your mind, and you've already walked us through a little bit of this about certain steps and measures, what do you think could be taken as safeguards, basically, that everybody should have in place? What is the optimal scenario from an engineering perspective in terms of trying to prevent these kinds of intrusions, these kinds of attacks, in terms of what are those basic pieces, these fundamental pieces as you see it now, understanding, as Richard just told us, that it's a matter of not if, but when? >> Right. So availability, redundancy, these have to be core architectural principles, whether we're talking about network infrastructure, whether we're talking about important ancillary supporting services like DNS, in terms of personnel, in terms of remote access. All of these different elements and many, many more have to be designed from the outset.
All the services and the applications, whether they're used internally, whether they are part of service delivery that an organization is doing across the internet publicly, there has to be redundancy and resiliency. There has to be a defense plan in order to defend these assets in these organizations against attack. Whether it's a DDoS attack, or whether it's a containment plan to deal with ransomware that potentially gets let loose inside the enterprise network, there has to be a plan to contain it, and deal with it, and restore from backup. These plans have to be continuously updated because IT is not static. There are always nuances and changes as organizations provision new services, offer new products, move into new markets and new sub-specializations. And so the plans have to be consistently updated and they have to be rehearsed. You can't have a plan that just exists as pixels on a phosphor somewhere. The plan has to be executed, because you're going to find that there's some scenario, some service, or application, or operational process that needs to be updated or that needs to be included in the plan. And this has to be done regularly. Another key point is that you have to have people who are very skilled and who have both depth and breadth of understanding. And either you bring those people into your organization or you reach out and get that expertise from organizations who do in fact have that kind of expertise on tap and available. >> Well, you both certainly exhibit the depth and the breadth to fight this issue. (chuckles) I certainly appreciate the time, the insights, and the warning is quite clear. Be prepared, do the hard work upfront. It could save you a lot of headache on the backside. And it is a matter of when and not if, these days. Richard, Roland, thanks for being with us here on the Cube. >> Thank you so much. >> Thank you so much. It's a pleasure.
>> All right, talking about the triple threat of extortion, cyber extortion these days, and DDoS, the distributed denial of service, and the growing problem. It is, but there is a way that you can combat it. And you just learned about that (indistinct) NETSCOUT here on the Cube. (upbeat music)

Published Date : Jun 23 2021
