>>As we've been reporting, the pandemic has called CSOs to really shift their spending priorities towards securing remote workers. Almost overnight. Zero trust has gone from buzzword to mandate. What's more as we wrote in our recent cybersecurity breaking analysis, not only Maseca pro secured increasingly distributed workforce, but now they have to be wary of software updates in the digital supply chain, including the very patches designed to protect them against cyber attacks. Hello everyone. And welcome to this Q conversation. My name is Dave Vellante and I'm pleased to welcome Derek manky. Who's chief security insights, and global threat alliances for four guard labs with fresh data from its global threat landscape report. Derek. Welcome. Great to see you. >>Thanks so much for, for the invitation to speak. It's always a pleasure. Multicover yeah, >>You're welcome. So first I wonder if you could explain for the audience, what is for guard labs and what's its relationship to fortunate? >>Right. So 40 grand labs is, is our global sockets, our global threat intelligence operation center. It never sleeps, and this is the beat. Um, you know, it's, it's been here since inception at port in it. So it's it's 20, 21 years in the making, since Fortinet was founded, uh, we have built this in-house, uh, so we don't go yum technology. We built everything from the ground up, including creating our own training programs for our, our analysts. We're following malware, following exploits. We even have a unique program that I created back in 2006 to ethical hacking program. And it's a zero-day research. So we try to meet the hackers, the bad guys to their game. And we of course do that responsibly to work with vendors, to close schools and create virtual patches. Um, and, but, you know, so it's, it's everything from, uh, customer protection first and foremost, to following, uh, the threat landscape and cyber. It's very important to understand who they are, what they're doing, who they're, uh, what they're targeting, what tools are they using? >>Yeah, that's great. Some serious DNA and skills in that group. And it's, it's critical because like you said, you can, you can minimize the spread of those malware very, very quickly. So what, what now you have, uh, the global threat landscape report. We're going to talk about that, but what exactly is that? >>Right? So this a global threat landscape report, it's a summary of, uh, all, all the data that we collect over a period of time. So we released this, that biannually two times a year. Um, cyber crime is changing very fast, as you can imagine. So, uh, while we do release security blogs, and, uh, what we call threat signals for breaking security events, we have a lot of other vehicles to release threat intelligence, but this threat landscape report is truly global. It looks at all of our global data. So we have over 5 million censorship worldwide in 40 guard labs, we're processing. I know it seems like a very large amount, but North of a hundred billion, uh, threat events in just one day. And we have to take the task of taking all of that data and put that onto scale for half a year and compile that into something, um, that is, uh, the, you know, that that's digestible. That's a, a very tough task, as you can imagine, so that, you know, we have to work with a huge technologies back to machine learning and artificial intelligence automation. And of course our analyst view to do that. >>Yeah. So this year, of course, there's like the every year is a battle, but this year was an extra battle. Can you explain what you saw in terms of the hacker dynamics over the past? Let's say 12 months. I know you do this twice a year, but what trends did you see evolving throughout the year and what have you seen with the way that attackers have exploited this expanded attack surface outside of corporate network? >>Yeah, it was quite interesting last year. It certainly was not normal. Like we all say, um, and that was no exception for cybersecurity. You know, if we look at cyber criminals and how they pivoted and adapted to the scrap threat landscape, cyber cyber criminals are always trying to take advantage of the weakest link of the chain. They're trying to always prey off here and ride waves of global trends and themes. We've seen this before in, uh, natural disasters as an example, you know, um, trying to do charity kind of scams and campaigns. And they're usually limited to a region where that incident happened and they usually live about two to three weeks, maybe a month at the most. And then they'll move on to the next to the next trip. That's braking, of course, because COVID is so global and dominant. Um, we saw attacks coming in from, uh, well over 40 different languages as an example, um, in regions all across the world that wasn't lasting two to three weeks and it lasted for the better part of a year. >>And of course, what they're, they're using this as a vehicle, right? Not preying on the fear. They're doing everything from initial lockdown, uh, fishing. We were as COVID-19 movers to, um, uh, lay off notices then to phase one, reopenings all the way up to fast forward to where we are today with vaccine rollover development. So there's always that new flavor and theme that they were rolling out, but because it was so successful for them, they were able to, they didn't have to innovate too much, right. They didn't have to expand and shifted to new to new trends. And themes are really developed on new rats families as an example, or a new sophisticated malware. That was the first half of the year and the second half of the year. Um, of course people started to experience COVID fatigue, right? Um, people started to become, we did a lot of education around this. >>People started to become more aware of this threat. And so, um, cyber criminals have started to, um, as we expected, started to become more sophisticated with their attacks. We saw an expansion in different ransomware families. We saw more of a shift of focus on, on, um, uh, you know, targeting the digital supply chain as an example. And so that, that was, that was really towards Q4. Uh, so it, it was a long lived lead year with success on the Google themes, um, targeting healthcare as an example, a lot of, um, a lot of the organizations that were, you know, really in a vulnerable position, I would say >>So, okay. I want to clarify something because my assumption was that they actually did really increase the sophistication, but it sounds like that was kind of a first half trends. Not only did they have to adapt and not have to, but they adapt it to these new vulnerabilities. Uh, my sense was that when you talk about the digital supply chain, that that was a fairly sophisticated attack. Am I, am I getting that right? That they did their sort of their, their, their increased sophistication in the first half, and then they sort of deployed it, did it, uh, w what actually happened there from your data? >>Well, if we look at, so generally there's two types of attacks that we look at, we look at the, uh, the premeditated sophisticated attacks that can have, um, you know, a lot of ramp up work on their end, a lot of time developing the, the, the, the weaponization phase. So developing, uh, the exploits of the sophisticated malware that they're gonna use for the campaign reconnaissance, understanding the targets, where platforms are developed, um, the blueprinting that DNA of, of, of the supply chain, those take time. Um, in fact years, even if we look back to, um, uh, 10 plus years ago with the Stuxnet attacks, as an example that was on, uh, nuclear centrifuges, um, and that, that had four different zero-day weapons at the time. That was very sophisticated, that took over two years to develop as an example. So some of these can take years of time to develop, but they're, they're, uh, very specific in terms of the targets are going to go after obviously the ROI from their end. >>Uh, the other type of attack that we see is as ongoing, um, these broad, wide sweeping attacks, and the reality for those ones is they don't unfortunately need to be too sophisticated. And those ones were the ones I was talking about that were really just playing on the cool, the deem, and they still do today with the vaccine road and development. Uh, but, but it's really because they're just playing on, on, um, you know, social engineering, um, using, uh, topical themes. And in fact, the weapons they're using these vulnerabilities are from our research data. And this was highlighted actually the first pop landscape before last year, uh, on average were two to three years old. So we're not talking about fresh vulnerabilities. You've got to patch right away. I mean, these are things that should have been patched two years ago, but they're still unfortunately having success with that. >>So you mentioned stuck next Stuxnet as the former sort of example, of one of the types of attacks that you see. And I always felt like that was a watershed moment. One of the most sophisticated, if not the most sophisticated attack that we'd ever seen. When I talk to CSOs about the recent government hack, they, they, they suggest I infer maybe they don't suggest it. I infer that it was of similar sophistication. It was maybe thousands of people working on this for years and years and years. Is that, is that accurate or not necessarily? >>Yeah, there's definitely a, there's definitely some comparisons there. Uh, you know, one of the largest things is, uh, both attacks used digital circuits certificate personation, so they're digitally signed. So, you know, of course that whole technology using cryptography is designed by design, uh, to say that, you know, this piece of software installed in your system, hassles certificate is coming from the source. It's legitimate. Of course, if that's compromised, that's all out of the window. And, um, yeah, this is what we saw in both attacks. In fact, you know, stocks in that they also had digitally designed, uh, certificates that were compromised. So when it gets to that level of students or, uh, sophistication, that means definitely that there's a target that there has been usually months of, of, uh, homework done by cyber criminals, for reconnaissance to be able to weaponize that. >>W w what did you see with respect to ransomware? What were the trends there over the past 12 months? I've heard some data and it's pretty scary, but what did you see? >>Yeah, so we're actually, ransomware is always the thorn in our side, and it's going to continue to be so, um, you know, in fact, uh, ransomware is not a new itself. It was actually first created in 1989, and they demanded ransom payments through snail mail. This was to appeal a box, obviously that, that, that didn't take off. Wasn't a successful on the internet was porn at the time. But if you look at it now, of course, over the last 10 years, really, that's where it ran. The ransomware model has been, uh, you know, lucrative, right? I mean, it's been, um, using, uh, by force encrypting data on systems, so that users had to, if they were forced to pay the ransom because they wanted access to their data back data was the target currency for ransomware. That's shifted now. And that's actually been a big pivotal over the last year or so, because again, before it was this let's cast a wide net, in fact, as many people as we can random, um, and try to see if we can hold some of their data for ransom. >>Some people that data may be valuable, it may not be valuable. Um, and that model still exists. Uh, and we see that, but really the big shift that we saw last year and the threat landscape before it was a shift to targeted rats. So again, the sophistication is starting to rise because they're not just going out to random data. They're going out to data that they know is valuable to large organizations, and they're taking that a step further now. So there's various ransomware families. We saw that have now reverted to extortion and blackmail, right? So they're taking that data, encrypting it and saying, unless you pay us as large sum of money, we're going to release this to the public or sell it to a buyer on the dark web. And of course you can imagine the amount of, um, you know, damages that can happen from that. The other thing we're seeing is, is a target of going to revenue services, right? So if they can cripple networks, it's essentially a denial of service. They know that the company is going to be bleeding, you know, X, millions of dollars a day, so they can demand Y million dollars of ransom payments, and that's effectively what's happening. So it's, again, becoming more targeted, uh, and more sophisticated. And unfortunately the ransom is going up. >>So they go to where the money is. And of course your job is to, it's a lower the ROI for them, a constant challenge. Um, we talked about some of the attack vectors, uh, that you saw this year that, that cyber criminals are targeting. I wonder if, if, you know, given the work from home, if things like IOT devices and cameras and, you know, thermostats, uh, with 75% of the work force at home, is this infrastructure more vulnerable? I guess, of course it is. But what did you see there in terms of attacks on those devices? >>Yeah, so, uh, um, uh, you know, unfortunately the attack surface as we call it, uh, so the amount of target points is expanding. It's not shifting, it's expanding. We still see, um, I saw, I mentioned earlier vulnerabilities from two years ago that are being used in some cases, you know, over the holidays where e-commerce means we saw e-commerce heavily under attack in e-commerce has spikes since last summer, right. It's been a huge amount of traffic increase everybody's shopping from home. And, uh, those vulnerabilities going after a shopping cart, plugins, as an example, are five to six years old. So we still have this theme of old vulnerabilities are still new in a sense being attacked, but we're also now seeing this complication of, yeah, as you said, IOT, uh, B roll out everywhere, the really quick shift to work from home. Uh, we really have to treat this as if you guys, as the, uh, distributed branch model for enterprise, right. >>And it's really now the secure branch. How do we take, um, um, you know, any of these devices on, on those networks and secure them, uh, because yeah, if you look at the, what we highlighted in our landscape report and the top 10 attacks that we're seeing, so hacking attacks hacking in tabs, this is who our IPS triggers. You know, we're seeing attempts to go after IOT devices. Uh, right now they're mostly, uh, favoring, uh, well in terms of targets, um, consumer grade routers. Uh, but they're also looking at, um, uh, DVR devices as an example for, uh, you know, home entertainment systems, uh, network attached storage as well, and IP security cameras, um, some of the newer devices, uh, what, the quote unquote smart devices that are now on, you know, virtual assistance and home networks. Uh, we actually released a predictions piece at the end of last year as well. So this is what we call the new intelligent edge. And that's what I think is we're really going to see this year in terms of what's ahead. Um, cause we always have to look ahead and prepare for that. But yeah, right now, unfortunately, the story is, all of this is still happening. IOT is being targeted. Of course they're being targeted because they're easy targets. Um, it's like for cybercriminals, it's like shooting fish in a barrel. There's not just one, but there's multiple vulnerabilities, security holes associated with these devices, easy entry points into networks. >>I mean, it's, um, I mean, attackers they're, they're highly capable. They're organized, they're well-funded they move fast, they're they're agile, uh, and they follow the money. As we were saying, uh, you, you mentioned, you know, co vaccines and, you know, big pharma healthcare, uh, where >>Did you see advanced, persistent >>Threat groups really targeting? Were there any patterns that emerged in terms of other industry types or organizations being targeted? >>Yeah. So just to be clear again, when we talk about AP teams, um, uh, advanced, specific correct group, the groups themselves they're targeting, these are usually the more sophisticated groups, of course. So going back to that theme, these are usually the target, the, um, the premeditated targeted attacks usually points to nation state. Um, sometimes of course there's overlap. They can be affiliated with cyber crime, cyber crime, uh, uh, groups are typically, um, looking at some other targets for ROI, uh, bio there's there's a blend, right? So as an example, if we're looking at the, uh, apt groups I had last year, absolutely. Number one I would say would be healthcare. Healthcare was one of those, and it's, it's, it's, uh, you know, very unfortunate, but obviously with the shift that was happening at a pop up medical facilities, there's a big, a rush to change networks, uh, for a good cause of course, but with that game, um, you know, uh, security holes and concerns the targets and, and that's what we saw IPT groups targeting was going after those and, and ransomware and the cyber crime shrine followed as well. Right? Because if you can follow, uh, those critical networks and crippled them on from cybercriminals point of view, you can, you can expect them to pay the ransom because they think that they need to buy in order to, um, get those systems back online. Uh, in fact, last year or two, unfortunately we saw the first, um, uh, death that was caused because of a denial of service attack in healthcare, right. Facilities were weren't available because of the cyber attack. Patients had to be diverted and didn't make it on the way. >>All right. Jericho, sufficiently bummed out. So maybe in the time remaining, we can talk about remediation strategies. You know, we know there's no silver bullet in security. Uh, but what approaches are you recommending for organizations? How are you consulting with folks? >>Sure. Yeah. So a couple of things, um, good news is there's a lot that we can do about this, right? And, um, and, and basic measures go a long way. So a couple of things just to get out of the way I call it housekeeping, cyber hygiene, but it's always worth reminding. So when we talk about keeping security patches up to date, we always have to talk about that because that is reality as et cetera, these, these vulnerabilities that are still being successful are five to six years old in some cases, the majority two years old. Um, so being able to do that, manage that from an organization's point of view, really treat the new work from home. I don't like to call it a work from home. So the reality is it's work from anywhere a lot of the times for some people. So really treat that as, as the, um, as a secure branch, uh, methodology, doing things like segmentations on network, secure wifi access, multi-factor authentication is a huge muscle, right? >>So using multi-factor authentication because passwords are dead, um, using things like, uh, XDR. So Xers is a combination of detection and response for end points. This is a mass centralized management thing, right? So, uh, endpoint detection and response, as an example, those are all, uh, you know, good security things. So of course having security inspection, that that's what we do. So good threat intelligence baked into your security solution. That's supported by labs angles. So, uh, that's, uh, you know, uh, antivirus, intrusion prevention, web filtering, sandbox, and so forth, but then it gets that that's the security stack beyond that it gets into the end user, right? Everybody has a responsibility. This is that supply chain. We talked about. The supply chain is, is, is a target for attackers attackers have their own supply chain as well. And we're also part of that supply chain, right? The end users where we're constantly fished for social engineering. So using phishing campaigns against employees to better do training and awareness is always recommended to, um, so that's what we can do, obviously that's, what's recommended to secure, uh, via the endpoints in the secure branch there's things we're also doing in the industry, um, to fight back against that with prime as well. >>Well, I, I want to actually talk about that and talk about ecosystems and collaboration, because while you have competitors, you all want the same thing. You, SecOps teams are like superheroes in my book. I mean, they're trying to save the world from the bad guys. And I remember I was talking to Robert Gates on the cube a couple of years ago, a former defense secretary. And I said, yeah, but don't, we have like the best security people and can't we go on the offensive and weaponize that ourselves. Of course, there's examples of that. Us. Government's pretty good at it, even though they won't admit it. But his answer to me was, yeah, we gotta be careful because we have a lot more to lose than many countries. So I thought that was pretty interesting, but how do you collaborate with whether it's the U S government or other governments or other other competitors even, or your ecosystem? Maybe you could talk about that a little bit. >>Yeah. Th th this is what, this is what makes me tick. I love working with industry. I've actually built programs for 15 years of collaboration in the industry. Um, so, you know, we, we need, I always say we can't win this war alone. You actually hit on this point earlier, you talked about following and trying to disrupt the ROI of cybercriminals. Absolutely. That is our target, right. We're always looking at how we can disrupt their business model. Uh, and, and in order, there's obviously a lot of different ways to do that, right? So a couple of things we do is resiliency. That's what we just talked about increasing the security stack so that they go knocking on someone else's door. But beyond that, uh, it comes down to private, private sector collaborations. So, uh, we, we, uh, co-founder of the cyber threat Alliance in 2014 as an example, this was our fierce competitors coming in to work with us to share intelligence, because like you said, um, competitors in the space, but we need to work together to do the better fight. >>And so this is a Venn diagram. What's compared notes, let's team up, uh, when there's a breaking attack and make sure that we have the intelligence so that we can still remain competitive on the technology stack to gradation the solutions themselves. Uh, but let's, let's level the playing field here because cybercriminals moved out, uh, you know, um, uh, that, that there's no borders and they move with great agility. So, uh, that's one thing we do in the private private sector. Uh, there's also, uh, public private sector relationships, right? So we're working with Interpol as an example, Interfor project gateway, and that's when we find attribution. So it's not just the, what are these people doing like infrastructure, but who, who are they, where are they operating? What, what events tools are they creating? We've actually worked on cases that are led down to, um, uh, warrants and arrests, you know, and in some cases, one case with a $60 million business email compromise fraud scam, the great news is if you look at the industry as a whole, uh, over the last three to four months has been for take downs, a motet net Walker, uh, um, there's also IE Gregor, uh, recently as well too. >>And, and Ian Gregor they're actually going in and arresting the affiliates. So not just the CEO or the King, kind of these organizations, but the people who are distributing the ransomware themselves. And that was a unprecedented step, really important. So you really start to paint a picture of this, again, supply chain, this ecosystem of cyber criminals and how we can hit them, where it hurts on all angles. I've most recently, um, I've been heavily involved with the world economic forum. Uh, so I'm, co-author of a report from last year of the partnership on cyber crime. And, uh, this is really not just the pro uh, private, private sector, but the private and public sector working together. We know a lot about cybercriminals. We can't arrest them. Uh, we can't take servers offline from the data centers, but working together, we can have that whole, you know, that holistic effect. >>Great. Thank you for that, Derek. What if people want, want to go deeper? Uh, I know you guys mentioned that you do blogs, but are there other resources that, that they can tap? Yeah, absolutely. So, >>Uh, everything you can see is on our threat research blog on, uh, so 40 net blog, it's under expired research. We also put out, uh, playbooks, w we're doing blah, this is more for the, um, the heroes as he called them the security operation centers. Uh, we're doing playbooks on the aggressors. And so this is a playbook on the offense, on the offense. What are they up to? How are they doing that? That's on 40 guard.com. Uh, we also release, uh, threat signals there. So, um, we typically release, uh, about 50 of those a year, and those are all, um, our, our insights and views into specific attacks that are now >>Well, Derek Mackie, thanks so much for joining us today. And thanks for the work that you and your teams do. Very important. >>Thanks. It's yeah, it's a pleasure. And, uh, rest assured we will still be there 24 seven, three 65. >>Good to know. Good to know. And thank you for watching everybody. This is Dave Volante for the cube. We'll see you next time.

>>As we've been reporting, the pandemic has called CSOs to really shift their spending priorities towards securing remote workers. Almost overnight. Zero trust has gone from buzzword to mandate. What's more as we wrote in our recent cybersecurity breaking analysis, not only Maseca pro secured increasingly distributed workforce, but now they have to be wary of software updates in the digital supply chain, including the very patches designed to protect them against cyber attacks. Hello everyone. And welcome to this Q conversation. My name is Dave Vellante and I'm pleased to welcome Derek manky. Who's chief security insights, and global threat alliances for four guard labs with fresh data from its global threat landscape report. Derek. Welcome. Great to see you. >>Thanks so much for, for the invitation to speak. It's always a pleasure. Multicover yeah, >>You're welcome. So first I wonder if you could explain for the audience, what is for guard labs and what's its relationship to fortunate? >>Right. So 40 grand labs is, is our global sockets, our global threat intelligence operation center. It never sleeps, and this is the beat. Um, you know, it's, it's been here since inception at port in it. So it's it's 20, 21 years in the making, since Fortinet was founded, uh, we have built this in-house, uh, so we don't go yum technology. We built everything from the ground up, including creating our own training programs for our, our analysts. We're following malware, following exploits. We even have a unique program that I created back in 2006 to ethical hacking program. And it's a zero-day research. So we try to meet the hackers, the bad guys to their game. And we of course do that responsibly to work with vendors, to close schools and create virtual patches. Um, and, but, you know, so it's, it's everything from, uh, customer protection first and foremost, to following, uh, the threat landscape and cyber. It's very important to understand who they are, what they're doing, who they're, uh, what they're targeting, what tools are they using? >>Yeah, that's great. Some serious DNA and skills in that group. And it's, it's critical because like you said, you can, you can minimize the spread of those malware very, very quickly. So what, what now you have, uh, the global threat landscape report. We're going to talk about that, but what exactly is that? >>Right? So this a global threat landscape report, it's a summary of, uh, all, all the data that we collect over a period of time. So we released this, that biannually two times a year. Um, cyber crime is changing very fast, as you can imagine. So, uh, while we do release security blogs, and, uh, what we call threat signals for breaking security events, we have a lot of other vehicles to release threat intelligence, but this threat landscape report is truly global. It looks at all of our global data. So we have over 5 million censorship worldwide in 40 guard labs, we're processing. I know it seems like a very large amount, but North of a hundred billion, uh, threat events in just one day. And we have to take the task of taking all of that data and put that onto scale for half a year and compile that into something, um, that is, uh, the, you know, that that's digestible. That's a, a very tough task, as you can imagine, so that, you know, we have to work with a huge technologies back to machine learning and artificial intelligence automation. And of course our analyst view to do that. >>Yeah. So this year, of course, there's like the every year is a battle, but this year was an extra battle. Can you explain what you saw in terms of the hacker dynamics over the past? Let's say 12 months. I know you do this twice a year, but what trends did you see evolving throughout the year and what have you seen with the way that attackers have exploited this expanded attack surface outside of corporate network? >>Yeah, it was quite interesting last year. It certainly was not normal. Like we all say, um, and that was no exception for cybersecurity. You know, if we look at cyber criminals and how they pivoted and adapted to the scrap threat landscape, cyber cyber criminals are always trying to take advantage of the weakest link of the chain. They're trying to always prey off here and ride waves of global trends and themes. We've seen this before in, uh, natural disasters as an example, you know, um, trying to do charity kind of scams and campaigns. And they're usually limited to a region where that incident happened and they usually live about two to three weeks, maybe a month at the most. And then they'll move on to the next to the next trip. That's braking, of course, because COVID is so global and dominant. Um, we saw attacks coming in from, uh, well over 40 different languages as an example, um, in regions all across the world that wasn't lasting two to three weeks and it lasted for the better part of a year. >>And of course, what they're, they're using this as a vehicle, right? Not preying on the fear. They're doing everything from initial lockdown, uh, fishing. We were as COVID-19 movers to, um, uh, lay off notices then to phase one, reopenings all the way up to fast forward to where we are today with vaccine rollover development. So there's always that new flavor and theme that they were rolling out, but because it was so successful for them, they were able to, they didn't have to innovate too much, right. They didn't have to expand and shifted to new to new trends. And themes are really developed on new rats families as an example, or a new sophisticated malware. That was the first half of the year and the second half of the year. Um, of course people started to experience COVID fatigue, right? Um, people started to become, we did a lot of education around this. >>People started to become more aware of this threat. And so, um, cyber criminals have started to, um, as we expected, started to become more sophisticated with their attacks. We saw an expansion in different ransomware families. We saw more of a shift of focus on, on, um, uh, you know, targeting the digital supply chain as an example. And so that, that was, that was really towards Q4. Uh, so it, it was a long lived lead year with success on the Google themes, um, targeting healthcare as an example, a lot of, um, a lot of the organizations that were, you know, really in a vulnerable position, I would say >>So, okay. I want to clarify something because my assumption was that they actually did really increase the sophistication, but it sounds like that was kind of a first half trends. Not only did they have to adapt and not have to, but they adapt it to these new vulnerabilities. Uh, my sense was that when you talk about the digital supply chain, that that was a fairly sophisticated attack. Am I, am I getting that right? That they did their sort of their, their, their increased sophistication in the first half, and then they sort of deployed it, did it, uh, w what actually happened there from your data? >>Well, if we look at, so generally there's two types of attacks that we look at, we look at the, uh, the premeditated sophisticated attacks that can have, um, you know, a lot of ramp up work on their end, a lot of time developing the, the, the, the weaponization phase. So developing, uh, the exploits of the sophisticated malware that they're gonna use for the campaign reconnaissance, understanding the targets, where platforms are developed, um, the blueprinting that DNA of, of, of the supply chain, those take time. Um, in fact years, even if we look back to, um, uh, 10 plus years ago with the Stuxnet attacks, as an example that was on, uh, nuclear centrifuges, um, and that, that had four different zero-day weapons at the time. That was very sophisticated, that took over two years to develop as an example. So some of these can take years of time to develop, but they're, they're, uh, very specific in terms of the targets are going to go after obviously the ROI from their end. >>Uh, the other type of attack that we see is as ongoing, um, these broad, wide sweeping attacks, and the reality for those ones is they don't unfortunately need to be too sophisticated. And those ones were the ones I was talking about that were really just playing on the cool, the deem, and they still do today with the vaccine road and development. Uh, but, but it's really because they're just playing on, on, um, you know, social engineering, um, using, uh, topical themes. And in fact, the weapons they're using these vulnerabilities are from our research data. And this was highlighted actually the first pop landscape before last year, uh, on average were two to three years old. So we're not talking about fresh vulnerabilities. You've got to patch right away. I mean, these are things that should have been patched two years ago, but they're still unfortunately having success with that. >>So you mentioned stuck next Stuxnet as the former sort of example, of one of the types of attacks that you see. And I always felt like that was a watershed moment. One of the most sophisticated, if not the most sophisticated attack that we'd ever seen. When I talk to CSOs about the recent government hack, they, they, they suggest I infer maybe they don't suggest it. I infer that it was of similar sophistication. It was maybe thousands of people working on this for years and years and years. Is that, is that accurate or not necessarily? >>Yeah, there's definitely a, there's definitely some comparisons there. Uh, you know, one of the largest things is, uh, both attacks used digital circuits certificate personation, so they're digitally signed. So, you know, of course that whole technology using cryptography is designed by design, uh, to say that, you know, this piece of software installed in your system, hassles certificate is coming from the source. It's legitimate. Of course, if that's compromised, that's all out of the window. And, um, yeah, this is what we saw in both attacks. In fact, you know, stocks in that they also had digitally designed, uh, certificates that were compromised. So when it gets to that level of students or, uh, sophistication, that means definitely that there's a target that there has been usually months of, of, uh, homework done by cyber criminals, for reconnaissance to be able to weaponize that. >>W w what did you see with respect to ransomware? What were the trends there over the past 12 months? I've heard some data and it's pretty scary, but what did you see? >>Yeah, so we're actually, ransomware is always the thorn in our side, and it's going to continue to be so, um, you know, in fact, uh, ransomware is not a new itself. It was actually first created in 1989, and they demanded ransom payments through snail mail. This was to appeal a box, obviously that, that, that didn't take off. Wasn't a successful on the internet was porn at the time. But if you look at it now, of course, over the last 10 years, really, that's where it ran. The ransomware model has been, uh, you know, lucrative, right? I mean, it's been, um, using, uh, by force encrypting data on systems, so that users had to, if they were forced to pay the ransom because they wanted access to their data back data was the target currency for ransomware. That's shifted now. And that's actually been a big pivotal over the last year or so, because again, before it was this let's cast a wide net, in fact, as many people as we can random, um, and try to see if we can hold some of their data for ransom. >>Some people that data may be valuable, it may not be valuable. Um, and that model still exists. Uh, and we see that, but really the big shift that we saw last year and the threat landscape before it was a shift to targeted rats. So again, the sophistication is starting to rise because they're not just going out to random data. They're going out to data that they know is valuable to large organizations, and they're taking that a step further now. So there's various ransomware families. We saw that have now reverted to extortion and blackmail, right? So they're taking that data, encrypting it and saying, unless you pay us as large sum of money, we're going to release this to the public or sell it to a buyer on the dark web. And of course you can imagine the amount of, um, you know, damages that can happen from that. The other thing we're seeing is, is a target of going to revenue services, right? So if they can cripple networks, it's essentially a denial of service. They know that the company is going to be bleeding, you know, X, millions of dollars a day, so they can demand Y million dollars of ransom payments, and that's effectively what's happening. So it's, again, becoming more targeted, uh, and more sophisticated. And unfortunately the ransom is going up. >>So they go to where the money is. And of course your job is to, it's a lower the ROI for them, a constant challenge. Um, we talked about some of the attack vectors, uh, that you saw this year that, that cyber criminals are targeting. I wonder if, if, you know, given the work from home, if things like IOT devices and cameras and, you know, thermostats, uh, with 75% of the work force at home, is this infrastructure more vulnerable? I guess, of course it is. But what did you see there in terms of attacks on those devices? >>Yeah, so, uh, um, uh, you know, unfortunately the attack surface as we call it, uh, so the amount of target points is expanding. It's not shifting, it's expanding. We still see, um, I saw, I mentioned earlier vulnerabilities from two years ago that are being used in some cases, you know, over the holidays where e-commerce means we saw e-commerce heavily under attack in e-commerce has spikes since last summer, right. It's been a huge amount of traffic increase everybody's shopping from home. And, uh, those vulnerabilities going after a shopping cart, plugins, as an example, are five to six years old. So we still have this theme of old vulnerabilities are still new in a sense being attacked, but we're also now seeing this complication of, yeah, as you said, IOT, uh, B roll out everywhere, the really quick shift to work from home. Uh, we really have to treat this as if you guys, as the, uh, distributed branch model for enterprise, right. >>And it's really now the secure branch. How do we take, um, um, you know, any of these devices on, on those networks and secure them, uh, because yeah, if you look at the, what we highlighted in our landscape report and the top 10 attacks that we're seeing, so hacking attacks hacking in tabs, this is who our IPS triggers. You know, we're seeing attempts to go after IOT devices. Uh, right now they're mostly, uh, favoring, uh, well in terms of targets, um, consumer grade routers. Uh, but they're also looking at, um, uh, DVR devices as an example for, uh, you know, home entertainment systems, uh, network attached storage as well, and IP security cameras, um, some of the newer devices, uh, what, the quote unquote smart devices that are now on, you know, virtual assistance and home networks. Uh, we actually released a predictions piece at the end of last year as well. So this is what we call the new intelligent edge. And that's what I think is we're really going to see this year in terms of what's ahead. Um, cause we always have to look ahead and prepare for that. But yeah, right now, unfortunately, the story is, all of this is still happening. IOT is being targeted. Of course they're being targeted because they're easy targets. Um, it's like for cybercriminals, it's like shooting fish in a barrel. There's not just one, but there's multiple vulnerabilities, security holes associated with these devices, easy entry points into networks. >>I mean, it's, um, I mean, attackers they're, they're highly capable. They're organized, they're well-funded they move fast, they're they're agile, uh, and they follow the money. As we were saying, uh, you, you mentioned, you know, co vaccines and, you know, big pharma healthcare, uh, where >>Did you see advanced, persistent >>Threat groups really targeting? Were there any patterns that emerged in terms of other industry types or organizations being targeted? >>Yeah. So just to be clear again, when we talk about AP teams, um, uh, advanced, specific correct group, the groups themselves they're targeting, these are usually the more sophisticated groups, of course. So going back to that theme, these are usually the target, the, um, the premeditated targeted attacks usually points to nation state. Um, sometimes of course there's overlap. They can be affiliated with cyber crime, cyber crime, uh, uh, groups are typically, um, looking at some other targets for ROI, uh, bio there's there's a blend, right? So as an example, if we're looking at the, uh, apt groups I had last year, absolutely. Number one I would say would be healthcare. Healthcare was one of those, and it's, it's, it's, uh, you know, very unfortunate, but obviously with the shift that was happening at a pop up medical facilities, there's a big, a rush to change networks, uh, for a good cause of course, but with that game, um, you know, uh, security holes and concerns the targets and, and that's what we saw IPT groups targeting was going after those and, and ransomware and the cyber crime shrine followed as well. Right? Because if you can follow, uh, those critical networks and crippled them on from cybercriminals point of view, you can, you can expect them to pay the ransom because they think that they need to buy in order to, um, get those systems back online. Uh, in fact, last year or two, unfortunately we saw the first, um, uh, death that was caused because of a denial of service attack in healthcare, right. Facilities were weren't available because of the cyber attack. Patients had to be diverted and didn't make it on the way. >>All right. Jericho, sufficiently bummed out. So maybe in the time remaining, we can talk about remediation strategies. You know, we know there's no silver bullet in security. Uh, but what approaches are you recommending for organizations? How are you consulting with folks? >>Sure. Yeah. So a couple of things, um, good news is there's a lot that we can do about this, right? And, um, and, and basic measures go a long way. So a couple of things just to get out of the way I call it housekeeping, cyber hygiene, but it's always worth reminding. So when we talk about keeping security patches up to date, we always have to talk about that because that is reality as et cetera, these, these vulnerabilities that are still being successful are five to six years old in some cases, the majority two years old. Um, so being able to do that, manage that from an organization's point of view, really treat the new work from home. I don't like to call it a work from home. So the reality is it's work from anywhere a lot of the times for some people. So really treat that as, as the, um, as a secure branch, uh, methodology, doing things like segmentations on network, secure wifi access, multi-factor authentication is a huge muscle, right? >>So using multi-factor authentication because passwords are dead, um, using things like, uh, XDR. So Xers is a combination of detection and response for end points. This is a mass centralized management thing, right? So, uh, endpoint detection and response, as an example, those are all, uh, you know, good security things. So of course having security inspection, that that's what we do. So good threat intelligence baked into your security solution. That's supported by labs angles. So, uh, that's, uh, you know, uh, antivirus, intrusion prevention, web filtering, sandbox, and so forth, but then it gets that that's the security stack beyond that it gets into the end user, right? Everybody has a responsibility. This is that supply chain. We talked about. The supply chain is, is, is a target for attackers attackers have their own supply chain as well. And we're also part of that supply chain, right? The end users where we're constantly fished for social engineering. So using phishing campaigns against employees to better do training and awareness is always recommended to, um, so that's what we can do, obviously that's, what's recommended to secure, uh, via the endpoints in the secure branch there's things we're also doing in the industry, um, to fight back against that with prime as well. >>Well, I, I want to actually talk about that and talk about ecosystems and collaboration, because while you have competitors, you all want the same thing. You, SecOps teams are like superheroes in my book. I mean, they're trying to save the world from the bad guys. And I remember I was talking to Robert Gates on the cube a couple of years ago, a former defense secretary. And I said, yeah, but don't, we have like the best security people and can't we go on the offensive and weaponize that ourselves. Of course, there's examples of that. Us. Government's pretty good at it, even though they won't admit it. But his answer to me was, yeah, we gotta be careful because we have a lot more to lose than many countries. So I thought that was pretty interesting, but how do you collaborate with whether it's the U S government or other governments or other other competitors even, or your ecosystem? Maybe you could talk about that a little bit. >>Yeah. Th th this is what, this is what makes me tick. I love working with industry. I've actually built programs for 15 years of collaboration in the industry. Um, so, you know, we, we need, I always say we can't win this war alone. You actually hit on this point earlier, you talked about following and trying to disrupt the ROI of cybercriminals. Absolutely. That is our target, right. We're always looking at how we can disrupt their business model. Uh, and, and in order, there's obviously a lot of different ways to do that, right? So a couple of things we do is resiliency. That's what we just talked about increasing the security stack so that they go knocking on someone else's door. But beyond that, uh, it comes down to private, private sector collaborations. So, uh, we, we, uh, co-founder of the cyber threat Alliance in 2014 as an example, this was our fierce competitors coming in to work with us to share intelligence, because like you said, um, competitors in the space, but we need to work together to do the better fight. >>And so this is a Venn diagram. What's compared notes, let's team up, uh, when there's a breaking attack and make sure that we have the intelligence so that we can still remain competitive on the technology stack to gradation the solutions themselves. Uh, but let's, let's level the playing field here because cybercriminals moved out, uh, you know, um, uh, that, that there's no borders and they move with great agility. So, uh, that's one thing we do in the private private sector. Uh, there's also, uh, public private sector relationships, right? So we're working with Interpol as an example, Interfor project gateway, and that's when we find attribution. So it's not just the, what are these people doing like infrastructure, but who, who are they, where are they operating? What, what events tools are they creating? We've actually worked on cases that are led down to, um, uh, warrants and arrests, you know, and in some cases, one case with a $60 million business email compromise fraud scam, the great news is if you look at the industry as a whole, uh, over the last three to four months has been for take downs, a motet net Walker, uh, um, there's also IE Gregor, uh, recently as well too. >>And, and Ian Gregor they're actually going in and arresting the affiliates. So not just the CEO or the King, kind of these organizations, but the people who are distributing the ransomware themselves. And that was a unprecedented step, really important. So you really start to paint a picture of this, again, supply chain, this ecosystem of cyber criminals and how we can hit them, where it hurts on all angles. I've most recently, um, I've been heavily involved with the world economic forum. Uh, so I'm, co-author of a report from last year of the partnership on cyber crime. And, uh, this is really not just the pro uh, private, private sector, but the private and public sector working together. We know a lot about cybercriminals. We can't arrest them. Uh, we can't take servers offline from the data centers, but working together, we can have that whole, you know, that holistic effect. >>Great. Thank you for that, Derek. What if people want, want to go deeper? Uh, I know you guys mentioned that you do blogs, but are there other resources that, that they can tap? Yeah, absolutely. So, >>Uh, everything you can see is on our threat research blog on, uh, so 40 net blog, it's under expired research. We also put out, uh, playbooks, w we're doing blah, this is more for the, um, the heroes as he called them the security operation centers. Uh, we're doing playbooks on the aggressors. And so this is a playbook on the offense, on the offense. What are they up to? How are they doing that? That's on 40 guard.com. Uh, we also release, uh, threat signals there. So, um, we typically release, uh, about 50 of those a year, and those are all, um, our, our insights and views into specific attacks that are now >>Well, Derek Mackie, thanks so much for joining us today. And thanks for the work that you and your teams do. Very important. >>Thanks. It's yeah, it's a pleasure. And, uh, rest assured we will still be there 24 seven, three 65. >>Good to know. Good to know. And thank you for watching everybody. This is Dave Volante for the cube. We'll see you next time.

[Music] [Music] [Applause] [Music] me [Music] [Applause] [Music] [Music] so [Music] [Music] [Applause] [Music] so [Applause] [Music] [Applause] [Music] [Music] me [Applause] [Music] [Music] [Music] [Music] [Applause] [Music] [Music] [Applause] so [Music] [Music] [Music] [Music] so [Applause] [Music] so [Applause] [Music] [Applause] [Music] [Music] um [Applause] [Music] [Music] [Music] [Music] [Applause] [Music] so so [Applause] so [Music] so welcome to cyber security insights we're excited to talk to you today about some of the key developments in the cyber security area let me start off by saying you know security's always been a board room topic boards care about it but right now it's actually getting even more important given what's happening covered 19 given the risk the world faces the fact that 70 percent of the workforce is now really working from home at vmware we have all of our employees working for we made that a mandate not just required but we're taking a cautious approach as to how they come back that's the reality of many of our customers but the bad guys are not staying still 148 increase in ransomware during this time they're just looking for every way to take advantage of innocent people working at home and then we've seen 52 percent increase of all attacks in the march time frame targeting the financial sector so it's very important that you we have a different approach to security because our belief is the security industry has been broken uh you'll see on this chart 5000 odd vendors 15 or 20 different categories and it's often i described like going to a doctor to stay healthy and she tells you you've got to take 5 000 tablets and you fall off your chest and that's just not possible you know so how do you prevent staying having 5000 tablets taking 5000 tablets to stay healthy you eat your vegetables your fruit your proteins drink your water you make it part of your hygiene and that's what needs to happen in security we've got to move away from this bolted on approach siloed approach where you've got you know various differences feels like even 5000 tablets 5000 security tools are all kind of like healthcare deem themselves very important and also from security that's just focused on threats and the new approach needs to be one that's more built-in intrinsically part of the platform like making a part of your diet more unified as opposed to just siloed across all of the key pillars of security and a lot more context-centric rather than just threat centric to do this we've been looking at kind of the value proposition of vmware we're you know about a 10.8 billion dollar company and have played across these three or four layers off being a digital foundation for the world any cloud any app any device with intrinsic security you've seen this from us several uh over the last several years what we've sought to do is layer into that diagram five or six important control points in security that we think are going to be super important to make security intrinsic let's start off on the bottom right corner of this with network security we think a new approach for network security means that if you look at data center networking or firewalls or load balancing or sd-wan what is a 30 billion dollar opportunity a new approach you know could be one way you could have in one platform all of those capabilities in something that's more software-defined that's what we've been doing uh in with nsx a platform some customers call us sort of the tesla of networking because we're taking a somewhat you know traditional hardware-defined approach to networking and building a more software-defined networking stack for security much the same way a tesla is building a software-defined car if you go to the left-hand side you see kind of the endpoints but it's two different forms of endpoint an endpoint that's on the client side near the device a laptop tablet a phone or a endpoint that's closer to the server a workload or a container and in both areas we believe we have an opposition proposition to really be the best uh security solution for endpoint and workload security identity we think there's a tremendous opportunity to be the best solution that not just some ourselves but also partners with the best of breed players for example um octa or azure active directory in cloud security we're going to do a lot ourselves for example cloud security posture management but we're also going to partner with the likes of well web gateways and and proxies like z scale or netscope and then analytics is the big kahuna because the more data that you have the more equipped you are to prevent breaches and what we believe here is this notion of what the analysts are now calling xdr collecting telemetry from all of these control points which we have exposure to network endpoint workload identity cloud and having one big data lake where you reason over this with a variety of behavioral and ai algorithms and then provide the best way by which you can protect customers from possible future security events this is something we well best because we actually collecting the most telemetry of anybody from disparate different sources and you're gonna only see this increase so vmware's proposition uh as you look at this we today have a billion dollar security business i know you're gonna listen to that and say wow where did that come from some customers call us one of the best kept uh security secrets in the industry uh a significant about that comes from network security a growing part of it now comes from endpoint security we think the opportunity is to take that billion dollar business it's about 20 000 odd customers and double or triple that by really focusing in these five or six control points you're going to see us build the best products in each of these categories but one that's intrinsic and also works between them in ways that are incredible let me give you a couple examples with carbon black we're going to make it agentless on the server side with vsphere nobody else can do that we're going to do that and you're going to see that very soon with carbon black we're going to make it unified with workspace 1 on the console so you have a unified approach there on both the console and the agent something that you also start seeing from us very soon these are things that nobody else in users can do network security you're going to see from one platform data center networking load balancing firewalls and sd-wan beautiful security-centric networking story so this is the approach for folks and now i think as we listen to several of the thought leaders and analysts you're going to hear them get into this story in more detail thank you very much let's continue in this show cyber security insights and now we'd like to explore the unified approach of security and i.t how do you unify them as a foundation for success our special guest today is chris sherman who's senior analyst at forrester and a pretty renowned security uh researcher and thought leader himself chris welcome to the show great to be here with you sanjay you know i'm sitting here in my living room in cleveland ohio as we uh ride down the curve right fighting off a cabin fever and staying healthy hope you're doing the same chris i'm doing well but listen i look at your beautiful looking um you know i can't confess that my background is my natural i've got a virtual background is that actually your living room or is that a virtual background it is this is my living room we built the house last year and it's also my little private iot lab because you know i'm a huge nerd and i love my devices we've been you know kind of a big fan of a lot of the forester research zero trust security you mentioned your research and iot uh i.t security and i'd like to explore this a little further with you chris i'm a big fan of your research read a lot of your stuff uh but let's kind of focus in you know clearly in this time having security strategy and i.t strategy be together in this current climate many organizations have had to pivot uh due to covert 19. you know one example is employees having to work at home which raises a whole host of cyber security issues and you know having reviewed the research results it makes them i think even more relevant the need for security and i.t to join forces i believe right now to defeating the cyber criminals during the pandemic um so that we don't have this risk and quite frankly you know we've been finding the risk is even higher because the bad guys aren't sleeping uh even if there's a crisis going on so maybe you can tell us a little bit more about this research and your findings absolutely yeah so you know i think the genesis of this research really started with a conversation i had with some of your team members back in november uh we talked about you know the high level of friction between these two teams right between i.t and security and frankly the lack of support that a lot of the existing tools in the market really have for you know integrating the two and when you look across the industry there really aren't a whole lot of resources for buyers or you know technology strategists that you know want to understand these dynamics and you know this is really what led to vmware commissioning forester to uh you know this past february to survey over 1400 security and it ops decision makers across the globe we really wanted to probe those dynamics right you know what's holding companies back from eliminating this friction right this really was actually the largest sample size of any commissioned study that i've been a part of here at forester and it really led to some excellent results and and data as you know from the uh published research i'm looking forward to to reading them and knowing more about it and you know i think if you think about the research and uh you know there's a shift in security driving alignment and collaboration security and it's you know kind of the top initiative we see in the next 12 months uh maybe even tell us about why the relationship between these security and id teams um you know are important whys have been strained across both you know all three of people process and technology yeah i mean so i team security really are two sides of the same coin right but unfortunately their teams have struggled to work well together for many years according to our survey date it's gotten to the point where 83 of both team staff report a negative relationship between the two it's very unfortunate but there are many reasons for this you know many reasons for this friction especially with the vp director and manager roles between the security and the ite teams you know at a high level most of this is driven by the fact that security and i.t have differing priorities right our data backs us up you know you have i.t on one side that's focused on technology efficiency and uptime and from our conversations with it staff it's clear you know they view security as philosophically opposite you know to this right often as roadblocks to accomplishing their goals and then on the other side security's top priority is as you'd expect responding to security events and incidents and preventing compromises and this difference in priorities is the source of a lot of friction also both security and i.t staff are really unhappy with the technology that the tools specifically that they're using or the security tools the c cios and csos you know that we talked to all had the same complaint they have too many disjointed tools in fact the average across our study was 27 security products on average in each organization and even the most established security solutions like take firewalls for example you know it caused some serious angst right we found that only 52 percent of respondents felt that their firewalls were satisfactory in terms of the performance and the security uh efficacy i think you know listen a couple of points i'll point point out from what you talked about that resonate deeply with us one is when you talked about uh i don't know it was 25 or 27 odd tools i'd be surprised the number of csos i talked to who say it's in the dozens one i think i always sort of keep a record for the number of tools i've heard one tell me it was like 100 different security tools i asked you know him was there a hundred different consoles so it's just the number of tools and consoles uh the other one that you resonated with me was even in one of the more mature areas like firewalls you would have thought oh people are really happy there we find the same level of dissatisfaction with people saying listen traditional hardware-based approaches appliance-based approaches lots of policy way way too complicated um now let's talk a little bit about staffing i think it's it's you know listen at the end of the day security is a team sport it does depend on products and processes and technology but there's also people and you know we security teams are understaffed they're increasingly dealing with a complex portfolio of these non-integrated products how uh is this impacting teams and what can companies you do as you advise them to reduce complexity from the plethora of different products that are often point products today well you're right right finding and training the right item security staff is really critical to the success of the respective teams unfortunately this continues to be a major pain point right across the whole industry in fact 64 of the security teams that we surveyed and 53 of the it teams reported they're understaffed but yeah i mean amid this global pandemic when most organizations are focused on surviving and you know maybe keeping the lights on or i guess in this case maybe the vpn's running right and getting by with limited resources and protecting an increasingly remote workforce it's much more difficult to collaborate and work together across teams but our data showed that one of the major results of this you know the formation of communication silos you know teams aren't communicating enough right they're they're communicating within their or organization designed for their particular use case right with very little integration and collaboration across those silos and you know this is where tools could help right most of the time though they the tools actually just reflect or amplify those silos by reinforcing the division right between the two teams ultimately organizations may be looking for technologies that can support the needs of both it and security right this will help alleviate any tension that might arise over things like competition over limited resources right ideally once the teams come together and agree on goals as well as objectives and and measures of success for that matter right they can address their technology stack inherent complexity wisely said listen the security attacks are becoming more sophisticated uh organizations are considering now i think the approach as you've described is a unified strategy to address these critical issues uh can you tell us more about how you've seen these unified approaches to security strategy being effective well so i mean it seems like we've been talking about unifying the tools and strategies by you know i.t ops and security for years right but it's only been recently that we've seen the two sides really demonstrate any appetite to actually do so unfortunately most of the tools again right on the market are focused on one or the other and integrations are only starting to really accelerate to the point where our true unified vision is even possible this not only aligns teams under common goals right having a common tool set but it also aligns workflows between those two teams and helps foster collaboration uh listen uh you mentioned a couple of these these examples are really good for people to kind of grop you know in this have you uh outside of these exams or any other sort of tangible results uh that you think companies can expect uh as they bring together their security and id strategies and make them more unified what are the results from your research you think customers can expect to gain yeah there are several other you know clear benefits right that we identified in this research right the benefits to unifying the tech stacks between it ops and security our research showed that companies with a unified strategy reported fewer security incidents fewer data breaches which makes sense right given how critical endpoint configuration and overall i.t hygiene is to the security posture of an organization also you know building security capabilities directly into the it infrastructure helps to motivate non-security staff to take some ownership right over basic security fundamentals and this all helps speed right this this increases the speed to you know both detect new threats and uh respond once they're you know identified you know time to containment right this was also validated by our survey data a common strategy really can empower both to you know mitigate risk ensure continuous compliance and improve you know their threat response uh workflows you know between the two teams really companies need to find tools that meet the needs of both teams and at the end of the day as you pointed out security is a team sport right we all benefit from working together to protect the business and its employees right from malicious actors especially in these difficult times that's great chris thank you for uh your research um um so i just encourage all of you are listening um if you want to um you know get chris's research um you know go to this url on the screen here and you'll be able to download it uh we're excited about it i mean listen you know personally when i watch it teams and security teams sometimes sort of spar each other um you know i i i think that increasingly whether the security team reports under the cio sometimes that's the case sometimes security teams report into the chief legal officer or they report maybe into the cfo wherever reporting structures are only you have to build a team sport because there's aspect of this that's policy aspects of this that are technology there are aspects of this that are people uh thank you for this research chris as always i'm a fan of uh the stuff as are all of we and what you're right so it's always good to be able to see more this is also much of the other extended uh forest to work like zero trust that have become kind of the things that i've seen now becoming more pervasive in the industry so thank you all for listening to this uh and we hope we'll continue to serve you in the course of this program cyber security insights with more insights like this it's my pleasure right now to also continue this uh cyber security insights series now with a wonderful interview um with the head of security and infrastructure at circle k suzanne hall um i've had a chance to briefly meet her prior to this and she's got an incredible vision of how infrastructure security comes together uh in the context of retail so i'm looking forward to the discussion suzanne thank you for joining us today thanks sanjay glad to be here great hey listen maybe i'll start with um you know circle okay some folks may know you in the locality in the areas where they shop or whatever have you but many folks around the country may not and we're assuming there'll be a very large audience watching this tell us a little bit about the company what you guys do uh what's your vision and how are you serving uh customers and consumers oh terrific oh well yeah so circle k uh many people do not realize it's actually a canadian-owned company we are a global uh convenience and fuel service organization uh with with offices all across north america uh large part of northern europe um and with franchises in a large part of asia as well we're the second largest convenience store company in the world and the 11th largest retailer we yeah we acquired circle k the brand um back in the early 2000's and uh our goals right now over the next five years are to try and double in size um which is a pretty aggressive goal goal considering uh our organization which really is taking a you know 60 billion dollar organization and trying to double that in the next five years so wish us luck let's focus now a little bit more on the infrastructure and security part of it um it's interesting that you own both as you think about those areas um you know how are they linked together and what have you been doing to tie uh infrastructure topics and security topics which are often you know you have a ciso and then a cto owns infrastructure in your case you own both and i think it's a classic way in which you know we're trying to kind of get traditional it teams the security work world to go you're living it then you're breathing and you're implementing your team uh how is it working out and how are you making it work yeah oh sorry it was actually a key part of me being attracted to the to this world i've been here about 18 months um i really feel for certain organizations culturally if you can make it work where security operations can function together um it really empowers your security team to move things quickly and it also gives me the opportunity to take ultimately super scarce resources from the security side and build uh more security acumen within my network teams and my hosting teams and my infra um so that i get actually really smart technologists that also get security collaborating with really great security folks that also get technology there's a lot of synergies that i that i get from that from combining these two organizations and where circle k was before i got here you know we we um did need to rapidly mature a lot of our security program um because it had just um grown uh i think the organization grew beyond the competencies of the security team before i got here and so by having both sides of that house i was really able to move things quickly um kind of i don't have to i don't have to uh negotiate between the network team and the hosting team the security team because they all report up to me and i get i get to pick who wins all the time so it works really well i'd love to talk to you but just cover it it's on on everybody's mind it's changed transformed how we all work you and i are doing this interview work from home uh if we were doing it in different concerts i have to come to you or come to us we have done this in the studio together or in an event um and certainly it's you know kind of changing the ways in which we work and family life and so on and so forth but how is it changing your business how is it changing your i.t organization uh and how have you had to adapt to um you know this time that we're sheltering place work at home yeah well it's really it's changed everything for us as i'm sure for for most of your of your clients as well um you know obviously serp okay being convenience we are uh on the front lines we are open across the globe we may have some small stores that may get closed for periodic periods of time or maybe some shortened hours but we've got convenience workers and gas station workers working around the globe through coven so we've had to change how the stores look and feel um we've had to rapidly deploy things like curbside delivery to really adjust to uh customers um wants and expectations and then we've had to take the entire back office and put people working at home which was not our culture um before this all happened and we had to do that almost like in watching a wave go across the globe as it started uh offices started closing in northern europe first uh and then and then all the way through to ireland and then and then obviously the east coast and canada and all the way through to the west coast so um we actually had a very short period of time to create a remote working uh operation um luckily enough um we had some really talented folks we put a couple different solutions in place and uh within two weeks or so we were able to get everybody working remotely that could work remotely and then that really empowered us to support all those operations folks that needed to get things like plexiglass into the stores hand sanitizers into the stores masks uh um into the stores uh to serve our customers and to serve our staff i'd like to move on um then to the um the kind of the context of this infrastructure and i.t workers and security work i.t teams and security teams working better together one of the things we find often and we did some research with forester that where companies performed well and had great you know security prevention practices breaches places where i t and security work well together and traditionally often csos uh may be separate from the infrastructure team sometimes csos don't even report into ci support elsewhere and that can be uh not intensely so sometimes intentionally but often just a silo or a warring mentality you're good evidence now where you're bringing these together let's talk a little away from technology for a second and the people process collaboration how have you been able to bring these cultures together so that they work together for the common good of either cost saving protection whatever have you yeah you know um and so i've had the benefit of being a cso and a cio and a couple different organizations and also i was in i was in consulting for many years i worked for a big four uh from a letter of cyber practice with one of the big four firms and i'll tell you cyber programs uh move fast forward best when there's a couple of key elements in place and the first one is you have to have shared goals anytime that the cyber team is trying to implement something um in that the network team isn't on board with or the network team picked a tool they don't want to implement the tool that the cyber team is as um and has selected i mean that's that's always a recipe for failure so somehow you have to really work on aligned goals and i do that even though i own the infrastructure teams and the security teams um nobody's successful if we're not all successful together and really focusing on what does success look like for for each one of the each one of our areas and look sometimes you know we do have to take some uh educated risks in the environment you know for responding to things quickly but we also don't take we don't um let those risks sort of linger and and never get remediated right so we really work together to make sure that any new risks that we're taking on we have a focus on how we're going to mitigate that and we hold ourselves accountable and um and the network team is equally accountable for responding to security events as a security team is the key element i also say to my security teams is when you're working with production operations teams and and folks you've got to have skin in the game you've got to recognize that they're trying to keep systems up and running 24 7 you know for the operations of the organization right so we can take credit cards and cash in the stores and make the sales and deliver the goods and services when we need to if the security team isn't seen as fully on board with that mission and that um that responsibility then there's there's a non-equity sort of relationship going on between the two different teams so you really need to bring them all together and make sure that everybody um understands supports each other's wins and goals it's awesome that you've been a cio and a ciso and you've seen all of these in various different companies i'm sure maybe in smaller bigger wherever have you so you're able to really relate to that uh i find the csos i talk to uh most of my relationships in the years past have been with cfos and cios uh i set myself a personal goal this year as we started getting more into security as i've been shaping that strategy of the company to meet a thousand cesars i was 15 years ago at symantec and most of the csos i know are retired and moved on so uh it's a good new way of my understanding and i find as i talk to them so refreshing the ones who are strategic like yourself uh have had tremendous experience in id or are also owned them and are able to paint a vision that's very collaborative as to as opposed to ones who don't then are also able to strategically bring teams together so it's really good to to see that i'd like to kind of just work a little bit more into security because i mean your strategy plays into the reason we're quite carbon black um and you i have some obviously you know knowledge and investment vmware but i'm listening as i was listening to prior to getting on to this you know program together you're probably doing more with carbon black which is awesome i mean it'll probably strengthen our relationship with vmware too and of course but we can talk a little bit about that what's been your history carbon black why you picked them and where do you see that going on the endpoint security um and then i'll talk a little bit about how we're trying to try that into infrastructure too yeah so um so my relationship with carbon black goes back to uh almost right after i first arrived at circle k um obviously i know uh from having come from consulting a number of different uh tools and products out there um although carbon black always had a really good reputation and strength and um i went to carbon black pretty early on and said you know here's my here's my situation i've got a little bit of carbon black and a little bit of other things in different places i really want to standardize on a single tool i really want to get to a better visibility of my overall network and of my of my risks and ultimately i want to have a single pane of glass but um that you know i've got folks working from an eyes on 24 7. um you know carbon black hands a table really quickly and had a great vision uh for how they could get us uh standardized across some different versions that we had um and when i said okay i want to do this in six weeks or fewer um they didn't say we can't make that happen um i think a lot of people on my team wish that they'd said that we can't make that happen but um but now we were able to really rather quickly um deploy and and get up to speed across all of our stores across all of our networks all of our you know we're a very distributed organization i've got offices all across north america and europe um and uh and we were able to in six weeks get get standardized and get things up and running and i had gained great visibility uh in that and i'm a big believer when looking at all sorts of tools whether they're input tools or security tools that you know you can tell whether or not you've picked the right solution if it's fit for purpose relatively quickly if it feels like it's too hard to implement if it just feels like it's you're not getting the value out of out of something in a relatively quick period of time you really do need to look at whether or not the tool you're looking at is fit for purpose in your environment and i would say the carbon black team and the carbon black tool that made it really easy for us and um you know it's giving us great visibility we have been able to uh detect and respond to a number of different instances you know retail is a very uh high threat high target industry these days um so it's been it's been super helpful in us defending um circle k in our environment and with 130 000 employees i suspect your number of endpoints are in the tens of thousands on the client side and probably just as many in terms of server-side endpoints right so your your kind of surface area of potential endpoints is pretty large oh indeed and you know but you know you have over 15 000 stores every store has multiple point of sale systems and at multiple uh computers laptops tablets devices um and that's and that's even before i go out into the uh what we call the forecourt which is where the gas dispensers and pumps are so yeah it's very complex well listen we look forward to that journey together part of what she has talked about here is a key part to our vision uh folks listening to this is to basically bring together security to make it key parts of the infrastructure both in the endpoint the network and the cloud thank you for your partnership i look forward to getting to know you and your team better um thank you also for all you're doing to serve the community during these tough times especially those workers at circle key that are the front line in the stores we appreciate you tremendously and we look forward to continuing this dialogue thank you very much thank you thank you everybody for watching this cyber security insight segments titled security as a team sport we talked about the shift in security and how security is moving to a shared responsibility model in this team sport in this segment we also discussed the benefits of a consolidated security and an i.t strategy that allows for fewer breaches and a faster response to security incidents as key benefits that have implemented a common strategy for those who have done this i encourage all of you to watch this part two of cyber security insights the securities of dual mission and we will have two security leaders discussing how security helps not only protect but help drives the business forward thank you all for watching this segment [Music] you

>> Narrator: Live from San Francisco. It's theCUBE, covering RSA Conference 2020, San Francisco. Brought to you by, SiliconANGLE Media. >> Welcome back everyone. CUBE coverage here in Moscone in San Francisco for RSA, 2020. I'm John Furrier host of theCUBE. We've got a great guest here talking about cybersecurity and the impact with AI and the role of data. It's always great to have Derek Manky on Chief Security Insights Global Threat Alliances with FortiGuard Lab, part of Fortinet, FortiGuard Labs is great. Great organization. Thanks for coming on. >> It's a pleasure always to be here-- >> So you guys do a great threat report that we always cover. So it covers all the bases and it really kind of illustrates state of the art of viruses, the protection, threats, et cetera. But you're part of FortiGuard Labs. >> Yeah, that's right. >> Part of Fortinet, which is a security company, public. What is FortiGuard Labs? What do you guys do, what's your mission? >> So FortiGuard Labs has existed since day one. You can think of us as the intelligence that's baked into the product, It's one thing to have a world-class product, but you need a world-class intelligence team backing that up. We're the ones fighting those fires against cybercrime on the backend, 24/7, 365 on a per second basis. We're processing threat intelligence. We've got over 10 million attacks or processing just per minute, over a hundred billion events, in any given day that we have to sift through. We have to find out what's relevant. We have to find gaps that we might be missing detection and protection. We got to push that out to a customer base of 450,000 customers through FortiGuard services and 5 million firewalls, 5 million plus firewalls we have now. So it's vitally important. You need intelligence to be able to detect and then protect and also to respond. Know the enemy, build a security solution around that and then also be able to act quickly about it if you are under active attack. So we're doing everything from creating security controls and protections. So up to, real time updates for customers, but we're also doing playbooks. So finding out who these attackers are, why are they coming up to you. For a CSO, why does that matter? So this is all part of FortiGuard Labs. >> How many people roughly involved ? Take us a little inside the curtain here. What's going on? Personnel size, scope. >> So we're over 235. So for a network security vendor, this was the largest global SOC, that exists. Again, this is behind the curtain like you said. These are the people that are, fighting those fires every day. But it's a large team and we have experts to cover the entire attack surface. So we're looking at not just a viruses, but we're looking at as zero-day weapons, exploits and attacks, everything from cyber crime to, cyber warfare, operational technology, all these sorts of things. And of course, to do that, we need to really heavily rely on good people, but also automation and artificial intelligence and machine learning. >> You guys are walking on a tight rope there. I can only imagine how complex and stressful it is, just imagining the velocity alone. But one of the trends that's coming up here, this year at RSA and is kind of been talking about in the industry is the who? Who is the attacker because, the shifts could shift and change. You got nation states are sitting out there, they're not going to have their hands dirty on this stuff. You've got a lot of dark web activity. You've got a lot of actors out there that go by different patterns. But you guys have an aperture and visibility into a lot of this stuff. >> Absolutely. >> So, you can almost say, that's that guy. That's the actor. That's a really big part. Talk about why that's important. >> This is critically important because in the past, let's say the first generation of, threat intelligence was very flat. It was to watch. So it was just talking about here's a bad IP, here's a bad URL, here's a bad file block hit. But nowadays, obviously the attackers are very clever. These are large organizations that are run a lot of people involved. There's real world damages happening and we're talking about, you look at OT attacks that are happening now. There's, in some cases, 30, $40 million from targeted ransom attacks that are happening. These people, A, have to be brought to justice. So we need to understand the who, but we also need to be able to predict what their next move is. This is very similar to, this is what you see online or CSI. The police trynna investigate and connect the dots like, plotting the strings and the yarn on the map. This is the same thing we're doing, but on a way more advanced level. And it's very important to be able to understand who these groups are, what tools they use, what are the weapons, cyber weapons, if you will, and what's their next move potentially going to be. So there's a lot of different reasons that's important. >> Derek, I was riffing with another guest earlier today about this notion of, government protection. You've got a military troops drop on our shores and my neighborhood, the Russians drop in my neighborhood. Guess what, the police will probably come in, and, or the army should take care of it. But if I got to run a business, I got to build my own militia. There's no support out there. The government's not going to support me. I'm hacked. Damage is done. You guys are in a way providing that critical lifeline that guard or shield, if you will, for customers. And they're going to want more of it. So I've got to ask you the hard question, which is, how are you guys going to constantly be on the front edge of all this? Because at the end of the day, you're in the protection business. Threats are coming at the speed of milliseconds and nanoseconds, in memory. You need memory, you need database. You've got to have real time. It's a tsunami of attack. You guys are the front lines of this. You're the heat shield. >> Yes, absolutely. >> How do you take it to the next level? >> Yeah, so collaboration, integration, having a broad integrated platform, that's our bread and butter. This is what we do. End-to-end security. The attack surface is growing. So we have to be able to, A, be able to cover all aspects of that attack surface and again, have intelligence. So we're doing sharing through partners. We have our core intelligence network. Like I said, we're relying heavily on machine learning models. We're able to find that needle in the haystack. Like, as I said earlier, we're getting over a hundred billion potential threat events a day. We have to dissect that. We have to break it down. We have to say, is this affecting endpoint? Is this effect affecting operational technology? What vertical, how do we process it? How do we verify that this is a real threat? And then most importantly, get that out in time and speed to our customers. So I started with automation years ago, but now really the way that we're doing this is through broad platform coverage. But also machine learning models for and-- >> I want to dig into machine learning because, I love that needle in the haystack analogy, because, if you take that to the next step, you got to stack a needles now. So you find the needle in the haystack. Now you got a bunch of needles, where do you find that? You need AI, you got to have some help. But you still got the human component. So talk about how you guys are advising customers on how you're using machine learning and get that AI up and running for customers and for yourselves. >> So we're technology people. I always look at this as the stack. The stack model, the bottom of the stack, you have automation. You have layer one, layer two. That's like the basic things for, feeds, threat feeds, how we can push out, automate, integrate that. Then you have the human. So the layer seven. This is where our human experts are coming in to actually advise our customers. We're creating a threat signals with FortiGuard Labs as an example. These are bulletins that's a quick two to three page read that a CSO can pick up and say, here's what FortiGuard Labs has discovered this week. Is this relevant to my network? Do I have these protections in place. There's also that automated, and so, I refer to this as a centaur model. It's half human half machine and, the machines are driving a lot of that, the day to day mundane tasks, if you will, but also finding, collecting the needles of needles. But then ultimately we have our humans that are processing that, analyzing it, creating the higher level strategic advice. We recently, we've launched a FortiAI, product as well. This has a concept of a virtual-- >> Hold on, back up a second. What's it called? >> FortiAI. >> So it's AI components. Is it a hardware box or-- >> This is a on-premise appliance built off of five plus years of learning that we've done in the cloud to be able to identify threats and malware, understand what that malware does to a detailed level. And, where we've seen this before, where is it potentially going? How do we protect against it? Something that typically you would need, four to five headcount in your security operations center to do, we're using this as an assist to us. So that's why it's a virtual analyst. It's really a bot, if you will, something that can actually-- >> So it's an enabling opportunity for the customers. So is this virtual assistant built into the box. What does that do, virtual analyst. >> So the virtual analyst is able to, sit on premises. So it's localized learning, collect threats to understand the nature of those threats, to be able to look at the needles of the needles, if you will, make sense of that and then automatically generate reports based off of that. So it's really an assist tool that a network admin or a security analyst was able to pick up and virtually save hours and hours of time of resources. >> So, if you look at the history of like our technology industry from a personalization standpoint, AI and data, whether you're a media business, personalization is ultimately the result of good data AI. So personalization for an analyst, would be how not to screw up their job. (laughs) One level. The other one is to be proactive on being more offensive. And then third collaboration with others. So, you starting to see that kind of picture form. What's your reaction to that? >> I think it's great. There's stepping stones that we have to go through. The collaboration is not always easy. I'm very familiar with this. I mean I was, with the Cyber Threat Alliance since day one, I head up and work with our Global Threat Alliances. There's always good intentions, there's problems that can be created and obviously you have things like PII now and data privacy and all these little hurdles they have to come over. But when it works right together, this is the way to do it. It's the same thing with, you talked about the data naturally when he started building up IT stacks, you have silos of data, but ultimately those silos need to be connected from different departments. They need to integrate a collaborate. It's the same thing that we're seeing from the security front now as well. >> You guys have proven the model of FortiGuard that the more you can see, the more visibility you can see and more access to the data in real time or anytime scale, the better the opportunity. So I got to take that to the next level. What you guys are doing, congratulations. But now the customer. How do I team up with, if I'm a customer with other customers because the bad guys are teaming up. So the teaming up is now a real dynamic that companies are deploying. How are you guys looking at that? How is FortiGuard helping that? Is it through services? Is it through the products like virtual assistant? Virtual FortiAI? >> So you can think of this. I always make it an analogy to the human immune system. Artificial neural networks are built off of neural nets. If I have a problem and an infection, say on one hand, the rest of the body should be aware of that. That's collaboration from node to node. Blood cells to blood cells, if you will. It's the same thing with employees. If a network admin sees a potential problem, they should be able to go and talk to the security admin, who can go in, log into an appliance and create a proper response to that. This is what we're doing in the security fabric to empower the customer. So the customer doesn't have to always do this and have the humans actively doing those cycles. I mean, this is the integration. The orchestration is the big piece of what we're doing. So security orchestration between devices, that's taking that gap out from the human to human, walking over with a piece of paper to another or whatever it is. That's one of the key points that we're doing within the actual security fabric. >> So that's why silos is problematic. Because you can't get that impact. >> And it also creates a lag time. We have a need for speed nowadays. Threats are moving incredibly fast. I think we've talked about this on previous episodes with swarm technology, offensive automation, the weaponization of artificial intelligence. So it becomes critically important to have that quick response and silos, really create barriers of course, and make it slower to respond. >> Okay Derek, so I got to ask you, it's kind of like, I don't want to say it sounds like sports, but it's, what's the state of the art in the attack vectors coming in. What are you guys seeing as some of the best of breed tax that people should really be paying attention to? They may, may not have fortified down. What are SOCs looking at and what are security pros focused on right now in terms of the state of the art. >> So the things that keep people up at night. We follow this in our Threat Landscape Report. Obviously we just released our key four one with FortiGuard Labs. We're still seeing the same culprits. This is the same story we talked about a lot of times. Things like, it used to be a EternalBlue and now BlueKeep, these vulnerabilities that are nothing new but still pose big problems. We're still seeing that exposed on a lot of networks. Targeted ransom attacks, as I was saying earlier. We've seen the shift or evolution from ransomware from day to day, like, pay us three or $400, we'll give you access to your data back to going after targeted accounts, high revenue business streams. So, low volume, high risk. That's the trend that we're starting to see as well. And this is what I talk about for trying to find that needle in the haystack. This is again, why it's important to have eyes on that. >> Well you guys are really advanced and you guys doing great work, so congratulations. I got to ask you to kind of like, the spectrum of IT. You've got a lot of people in the high end, financial services, healthcare, they're regulated, they got all kinds of challenges. But as IT and the enterprise starts to get woke to the fact that everyone's vulnerable. I've heard people say, well, I'm good. I got a small little to manage, I'm only a hundred million dollar business. All I do is manufacturing. I don't really have any IP. So what are they going to steal? So that's kind of a naive approach. The answer is, what? Your operations and ransomware, there's a zillion ways to get taken down. How do you respond to that. >> Yeah, absolutely. Going after the crown jewels, what hurts? So it might not be a patent or intellectual property. Again, the things that matter to these businesses, how they operate day to day. The obvious examples, what we just talked about with revenue streams and then there's other indirect problems too. Obviously, if that infrastructure of a legitimate organization is taken over and it's used as a botnet and an orchestrated denial-of-service attack to take down other organizations, that's going to have huge implications. >> And they won't even know it. >> Right, in terms of brand damage, has legal implications as well that happened. This is going even down to the basics with consumers, thinking that, they're not under attack, but at the end of the day, what matters to them is their identity. Identity theft. But this is on another level when it comes to things to-- >> There's all kinds of things to deal with. There's, so much more advanced on the attacker side. All right, so I got to ask you a final question. I'm a business. You're a pro. You guys are doing great work. What do I do, what's my strategy? How would you advise me? How do I get my act together? I'm working the mall every day. I'm trying my best. I'm peddling as fast as I can. I'm overloaded. What do I do? How do I go the next step? >> So look for security solutions that are the assist model like I said. There's never ever going to be a universal silver bullet to security. We all know this. But there are a lot of things that can help up to that 90%, 95% secure. So depending on the nature of the threats, having a first detection first, that's always the most important. See what's on your network. This is things where SIM technology, sandboxing technology has really come into play. Once you have those detections, how can you actually take action? So look for a integration. Really have a look at your security solutions to see if you have the integration piece. Orchestration and integration is next after detection. Finally from there having a proper channel, are there services you looked at for managed incident response as an example. Education and cyber hygiene are always key. These are free things that I push on everybody. I mean we release weekly threat intelligence briefs. We're doing our quarterly Threat Landscape Reports. We have something called threat signals. So it's FortiGuard response to breaking industry events. I think that's key-- >> Hygiene seems to come up over and over as the, that's the foundational bedrock of security. >> And then, as I said, ultimately, where we're heading with this is the AI solution model. And so that's something, again that I think-- >> One final question since it's just popped into my head. I wanted, and that last one. But I wanted to bring it up since you kind of were, we're getting at it. I know you guys are very sensitive to this one topic cause you live it every day. But the notion of time and time elapsed is a huge concern because you got to know, it's not if it's when. So the factor of time is a huge variable in all kinds of impact. Positive and negative. How do you talk about time and the notion of time elapsing. >> That's great question. So there's many ways to stage that. I'll try to simplify it. So number one, if we're talking about breaches, time is money. So the dwell time. The longer that a threat sits on a network and it's not cleaned up, the more damage is going to be done. And we think of the ransom attacks, denial-of-service, revenue streams being down. So that's the incident response problem. So time is very important to detect and respond. So that's one aspect of that. The other aspect of time is with machine learning as well. This is something that people don't always think about. They think that, artificial intelligence solutions can be popped up overnight and within a couple of weeks they're going to be accurate. It's not the case. Machines learn like humans too. It takes time to do that. It takes processing power. Anybody can get that nowadays, data, most people can get that. But time is critical to that. It's a fascinating conversation. There's many different avenues of time that we can talk about. Time to detect is also really important as well, again. >> Let's do it, let's do a whole segment on that, in our studio, I'll follow up on that. I think it's a huge topic, I hear about all the time. And since it's a little bit elusive, but it kind of focuses your energy on, wait, what's going on here? I'm not reacting. (laughs) Time's a huge issue. >> I refer to it as a latency. I mean, latency is a key issue in cybersecurity, just like it is in the stock exchange. >> I mean, one of the things I've been talking about with folks here, just kind of in fun conversation is, don't be playing defense all the time. If you have a good time latency, you going to actually be a little bit offensive. Why not take a little bit more offense. Why play defense the whole time. So again, you're starting to see this kind of mentality not being, just an IT, we've got to cover, okay, respond, no, hold on the ballgame. >> That comes back to the sports analogy again. >> Got to have a good offense. They must cross offense. Derek, thanks so much. Quick plug for you, FortiGuard, share with the folks what you guys are up to, what's new, what's the plug. >> So FortiGuard Labs, so we're continuing to expand. Obviously we're focused on, as I said, adding all of the customer protection first and foremost. But beyond that, we're doing great things in industry. So we're working actively with law enforcement, with Interpol, Cyber Threat Alliance, with The World Economic Forum and the Center for Cyber Security. There's a lot more of these collaboration, key stakeholders. You talked about the human to human before. We're really setting the pioneering of setting that world stage. I think that is, so, it's really exciting to me. It's a lot of good industry initiatives. I think it's impactful. We're going to see an impact. The whole goal is we're trying to slow the offense down, the offense being the cyber criminals. So there's more coming on that end. You're going to see a lot great, follow our blogs at fortinet.com and all-- >> Great stuff. >> great reports. >> I'm a huge believer in that the government can't protect us digitally. There's going to be protection, heat shields out there. You guys are doing a good job. It's only going to be more important than ever before. So, congratulations. >> Thank you. >> Thanks for coming I really appreciate. >> Never a dull day as we say. >> All right, it's theCUBE's coverage here in San Francisco for RSA 2020. I'm John Furrier, your host. Thanks for watching. (upbeat music)

(upbeat jazz music) [Woman] - From our Studios in the heart of Silicon Valley, Palo Alto, California, this is a CUBE conversation. >> Hello and welcome to theCUBE Studios in Palo Alto, California, for another CUBE conversation, where we go in depth with thought leaders driving innovation across tech industry. I'm your host Peter Burris. Almost everybody's heard of the term black-hat and white-hat. And it constitutes groups of individuals that are either attacking or defending security challenges. It's been an arms race for the past 10, 20, 30 years as the worlds become more digital. And an arms race that many of us are concerned that black-hats appear to have the upper hand. But there's new developments in technology and new classes of tooling that are actually racing to the aid of white-hats and could very well upset that equilibrium in favor of the white-hats. To have that conversation about the ascension of the white-hats, we're joined by Derek Manky, who's the Chief Security Insights & Global Threat Alliances lead at Fortinet. Derek, thanks for joining us for another CUBE conversation. >> It's always a pleasure speaking with you. [Peter] - All right. [Derek] - Happy to be here. >> Derek, let's start, what's going on at FortiLabs at Fortinet? >> So 2019, we've seen a ton of development, a lot pretty much on track with our predictions when we talked last year. Obviously a big increase in volume, thanks to offensive automation. We're also seeing low volume attacks that are disrupting big business models. I'm talking about targeted ransom attacks, right. But, you know, criminals that are able to get into networks, cause millions of dollars of damages thanks to critical revenue streams being held. Usually in the public sector we've seen a lot of this. We've seen a rise in sophistication's, the adversaries are not slowing down. AET's, the mass evasion techniques are on the rise. And so, you know, to do this on FortiGaurd Labs, to be able to track this and map this, we're not just relying on logs anymore and, you know, 40, 50 page white papers. So, we're actually looking at that playbooks now, mapping the adversaries, understanding their tools, techniques, procedures, how they're operating, why they're operating, who are they hitting and what might be their next moves. So that's a bit development on the intelligence side too. >> All right, so imagine a front this notion that the white-hats might be ascending. I'm implying a prediction here. Tell us a little bit about what we see on the horizon for that concept of the white-hats ascending and specifically, why is a reason to be optimistic? >> Yeah, so it's been gloomy for decades like you said. And for many reasons, right, and I think those reasons are no secrets. I mean, cyber criminals and black-hats have always been able to move very, you know, with agility right. Cyber crime has no borders. It's often a slap on the wrist that they get. They can do a million things wrong, they don't care, there's no ethics and quite frankly no rules binding them right. On the white-hand side, we've always had rules binding us, we've had to take due care and we've had to move methodically, which slows us down. So, a lot of that comes in place because of frameworks, because of technology as well, having to move after it's enabled to with frameworks, specifically with making corrective action and things like that. So, those are the challenges that we faced against. But you know like, thinking ahead to 2020, particularly with the use of artificial intelligence, everybody talks about AI, it's impacted our daily lives, but when it comes to cyber security, on the white-hat side a proctor AI and machine learning model takes times. It can take years. In fact in our case, our experience, about four to five years before we can actually roll it out to production. But the good news is, that we have been investing, and when I say we, I'm just talking to the industry in general and white-hat, we've been investing into this technology because quite frankly we've had to. It takes a lot of data, it takes a lot of smart minds, a lot of investment, a lot of processing power and that foundation has now been set over the last five years. If we look at the black-hats, it's not the case. And why? Because they've been enjoying living off the land on low hanging fruit. Path of least resistance because they have been able to. >> So, what are the things that's changing that, equilibrium then, is the availability of AI and as you said, it could take four, five years to get to a point where we've actually got useful AI that can have an impact. I guess that means that we've been working on these things for four, five years. What's the state of the art with AI as it pertains to security, and are we seeing different phases of development start to emerge as we gain more experience with these technologies? >> Yeah, absolutely. And it's quite exciting right. AI isn't this universal brain that solves the worlds problems that everyone thinks it might be right. It's very specific, it relies on machine learning models. Each machine learning model is very specific to it's task right, I mean, you know, voice learning technology versus autonomous vehicle jobbing versus cyber security, is very different when it comes to these learning purposes. So, in essence the way I look at it, you know, there's three generations of AI. We have generation one, which was the past. Generation two, which is the current, where we are now and the generation three is where we're going. So, generation one was pretty simple right. It was just a central processing alert machine learning model that will take in data, correlate that data and then take action based off of it. Some simple inputs, simple output right. Generation two where we're currently sitting is more advanced. It's looking at pattern recognition, more advanced inputs, distributed models where we have sensors lying around networks. I'm talking about even IoT devices, security appliances and so forth, that still record up to this centralized brain that's learning it and acting on things. But where things get really interesting moving forward in 2020 gets into this third generation where you have especially moving towards cloud computer, sorry, edge computing, is where you have localized learning nodes that are actually processing and learning. So you can think of them as these mini brains. Instead of having this monolithic centralized brain, you have individual learner nodes, individual brains doing their own machine learning that are actually connected to each other, learning from each other, speaking to each other. It's a very powerful model. We actually refer to this as federated machine learning in our industry. >> So we've been, first phase we simply used statistics to correlate events, take action, now we're doing acceptions, pattern recognition, or acceptions and building patterns, and in the future we're going to be able to further distribute that so that increasingly the AI is going to work with other AI so that the aggregate, this federated aggregate gets better, have I got that right? >> Yeah absolutely. And what's the advantage of that? A couple of things. It's very similar to the human immune system right. If you have, if I were to cut my finger on my hand, what's going to happen? Well, localized white blood cells, localized, nothing from a foreign entity or further away in my body, are going to come to the rescue and start healing that right. It's the same, it's because it's interconnected within the nervous system. It's the same idea of this federated machine learning model right. If a security appliance is to detect a threat locally on site, it's able to alert other security appliances so that they can actually take action on this and learn from that as well. So connected machine learning models. So it means that by properly implementing these AI, this federated AI machine earning models in an organization, that that system is able to actually in a auto-immune way be able to pick up what that threat is and be able to act on that threat, which means it's able to respond to these threat quicker or shut them down to the point where it can be you know, virtually instantaneous right, before the damage is done and bleeding starts happening. >> So the common baseline is continuously getting better even as we're giving opportunities for local managers to perform the work in response to local conditions. So that takes us to the next notion of, we've got this federated AI on the horizon, how are people, how is the world of people, security professionals going to change? What kind of recipes are they going to follow to insure that they are working in a maximally productive way with these new capabilities, these new federated capabilities, especially as we think about the introduction of 5G and greater density of devices and faster speeds in the relatancies? >> Yeah so, you know the world of cyber computer, cyber security has always been incredibly complex. So we're trying to simplify that and that's where again, this federated machine learning comes into place, particularly with playbooks, so if we look at 2019 and where we're going in 2020, we've put a lot of groundwork quite frankly and so pioneering the work of playbooks right. So when I say playbooks I'm talking about adversary playbooks, knowing the offense, knowing the tools, techniques, procedures, the way that these cyber crime operations are moving right and the black-hats are moving. The more that we can understand that, the more we can predict their next move and that centralized language right, once you know that offense, we can start to create automated blue team playbooks, so defensive playbooks. That security technology can automatically integrate and respond to it, but getting back to you question, we can actually create human readable CECO guides that can actually say, "Look, there's a threat," "here's why it's a problem," "here are the gaps in your security that we've identified," "here's some recommended course of action as an idea too." Right, so that's where the humans and the machines are really going to be working together and quite frankly moving at speed, being able to that at machine level but also being able to simplify a complex landscape, that is where we can actually gain traction right. This is part of that ascendancy of the white-hat because it's allowing us to move in a more agile nature, it's allowing us to gain ground against the attackers and quite frankly, it allows us to start disrupting their business model more right. It's a more resilient network. In the future this leads to the whole notion of self-healing that works as well that quite frankly just makes it a big pain, it disrupts your business model, it forces them to go back to the drawing board too. >> Well, it also seems as though, when we start talking about 5G, that the speeds, as I said the speeds, the dentancy, the reduced latency, the potential for a bad thing to propagate very quickly, demands that we have a more consistent, coherent response, at both the the machine level but also the people level. We 5G into this conversation. What's, what will be the impact to 5G on how these playbooks and AI start to come together over the next few years? >> Yeah, it's going to be very impactful. It is going to take a couple of years and we're just at the dawn of 5G right now. But if you think of 5G, your talking about a lot more volume, essentially as we move to the future, we're entering into the age of 5G and edge computing. And 5G and edge computing is going to start eating the cloud in a sense that more of that processing power that was in the cloud is starting to shift now towards edge computing right. This is at on Premis.it So, A; it is going to allow models like I was talking about, federated machine learning models and from the white-hats point of view, which again I think we are in the driver seat and a better, more advantageous position here, because we are more experienced again like I said, we've been doing this for years with black-hats quite frankly haven't. Yes, they're toying with it, but not in the same level and skill as we have. But, you know, (chuckles) I'm always a realist. This isn't a completely realsy picture, I mean, it is optimistic that we are able to get this upper hand. It has to be done right. But if we think about the weaponisation of 5G, that's also a very large problem right. Last year we're talking about swarm networks right, the idea of swarm networks is a whole bunch of devices that can connect to each other, share intelligence and then act to do something like a large scale DDoS attack. That's absolutely in the realm of possibility when it comes to the weaponisation of 5G as well. >> So one of the things, I guess the last question I want to ask you is, is you noted that these playbooks incorporate the human element in ways that are uniquely human. So, having CECO readable recipes for how people have to respond, does that also elevate the conversation with the business and does, allows us to do a better job of understanding risk, pricing risk and appropriately investing to manage and assure the business against risk in the right way? >> Absolutely. Absolutely it does, yeah. Yeah, because the more you know about going back to the playbooks, the more you know about the offense and their tools, the more you know about how much of a danger it is, what sort of targets they're after right. I mean if they're just going trying to look to collect a bit of information on, you know, to do some reconnaissance, that first phase attack might not cause a lot of damage, but if this group is known to go in, hit hard, steal intellectual property, shut down critical business streams through DoS, that in the past we know and we've seen has caused four, five million dollars from one breach, that's a very good way to start classifying risk. So yeah, I mean, it's all about really understanding the picture first on the offensive, and that's exactly what these automated playbook guides are going to be doing on the blue team and again, not only from a CoC perspective, certainly that on the human level, but the nice thing about the playbooks is because we've done the research, the threat hunting and understood this, you know from a machine level it's also able to put a lot of those automated, let's say day-to-day decisions, making security operation centers, so I'm talking about like SecDevOps, much more efficient too. >> So we've talked about more density at the edge amongst these devices, I also want to bring back one last thought here and that is, you said that historically some of the black-hats have been able to access with a degree of impunity, they have necessarily been hit hard, there's been a lot of slapping on the wrist as I think you said. Talk about how the playbooks and AI is going to allow us to more appropriately share data with others that can help both now but also in some of the forensics and the enforcement side, namely the legal and policing world. How are we going to share the responsibility, how is that going to change over the next few years to incorporate some of the folks that actually can then turn a defense into a legal attack? >> Threat elimination is what I call it right. So again, if we look at the current state, we've made great strides, great progress, you know, working with law enforcement, so we've set up public private sector relationships, we need to do that, have security experts working with law enforcement, law enforcements working on their end to train prosecutors to understand cyber crime and so forth. That foundation has been set, but it's still slow moving. You know, there's only a limited amount of playbooks right now. It takes a lot of work to unearth and do, to really move the needle, what we need to do, again like we're talking about, is to integrate a artificial intelligence with playbooks. The more that we understand about groups, the more that we do the threat illumination, the more that we uncover about them, the more we know about them, and by doing that we can start to form predictive models right. Based, I always say old habits die hard. So you know, if an attacker goes in, hits a network and their successful following a certain sequence of patterns, they're likely going to follow that same sequence on their next victim or their next target. So the more that we understand about that, the more that we can forecast A; from a mitigation standpoint, but the, also by the same token, the more correlation we're doing on these playbooks, the more machine learning we're doing on these playbooks, the more we're able to do attribution and attribution is the holy grail, it's always been the toughest thing to do when it comes to research. But by combing the framework that we're using with playbooks, and AI machine learning, it's a very very powerful recipe and that's what we need to get right and forward in the right direction. >> Derek Manky, Fortinet's Chief of Security Insights & Threat Alliances, thanks again for being on theCUBE. >> It's a pleasure. Anytime. Happy to talk. >> And I want to thank you for joining us for another CUBE conversation. I'm Peter Burris, see you next time. (upbeat jazz music) >> Yeah I thought it was pretty good. [Man] - That was great. [Derek] - Yeah, yeah.