>> Welcome to this Cube Conversation, I'm Lisa Martin. I'm joined by Derek Manky next, the Chief Security Insights and Global Threat Alliances at Fortiguard Labs. Derek, welcome back to the program. >> Hey, it's great to be here again. A lot of stuff's happened since we last talked. >> So Derek, one of the things that was really surprising from this year's Global Threat Landscape Report is a 10, more than 10x increase in ransomware. What's going on? What have you guys seen? >> Yeah so this is massive. We're talking over a thousand percent over a 10x increase. This has been building Lisa, So this has been building since December of 2020. Up until then we saw relatively low high watermark with ransomware. It had taken a hiatus really because cyber criminals were going after COVID-19 lawyers and doing some other things at the time. But we did see a seven fold increase in December, 2020. That has absolutely continued this year into a momentum up until today, it continues to build, never subsided. Now it's built to this monster, you know, almost 11 times increase from, from what we saw back last December. And the reason, what's fueling this is a new verticals that cyber criminals are targeting. We've seen the usual suspects like telecommunication, government in position one and two. But new verticals that have risen up into this third and fourth position following are MSSP, and this is on the heels of the Kaseya attack of course, that happened in 2021, as well as operational technology. There's actually four segments, there's transportation, automotive, manufacturing, and then of course, energy and utility, all subsequent to each other. So there's a huge focus now on, OT and MSSP for cyber criminals. >> One of the things that we saw last year this time, was that attackers had shifted their focus away from enterprise infrastructure devices, to home networks and consumer grade products. And now it looks like they're focusing on both. Are you seeing that? >> Yes, absolutely. In two ways, so first of all, again, this is a kill chain that we talk about. They have to get a foothold into the infrastructure, and then they can load things like ransomware on there. They can little things like information stealers as an example. The way they do that is through botnets. And what we reported in this in the first half of 2021 is that Mirai, which is about a two to three-year old botnet now is number one by far, it was the most prevalent botnet we've seen. Of course, the thing about Mirai is that it's an IOT based botnet. So it sits on devices, sitting inside consumer networks as an example, or home networks, right. And that can be a big problem. So that's the targets that cyber criminals are using. The other thing that we saw that was interesting was that one in four organizations detected malvertising. And so what that means Lisa, is that cyber criminals are shifting their tactics from going just from cloud-based or centralized email phishing campaigns to web born threats, right. So they're infecting sites, waterhole attacks, where, you know, people will go to read their daily updates as an example of things that they do as part of their habits. They're getting sent links to these sites that when they go to it, it's actually installing those botnets onto those systems, so they can get a foothold. We've also seen scare tactics, right. So they're doing new social engineering lures, pretending to be human resource departments. IT staff and personnel, as an example, with popups through the web browser that look like these people to fill out different forms and ultimately get infected on home devices. >> Well, the home device use is proliferate. It continues because we are still in this work from home, work from anywhere environment. Is that, you think a big factor in this increase from 7x to nearly 11x? >> It is a factor, absolutely. Yeah, like I said, it's also, it's a hybrid of sorts. So a lot of that activity is going to the MSSP angle, like I said to the OT. And to those new verticals, which by the way, are actually even larger than traditional targets in the past, like finance and banking, is actually lower than that as an example. So yeah, we are seeing a shift to that. And like I said, that's, further backed up from what we're seeing on with the, the botnet activity specifically with Mirai too. >> Are you seeing anything in terms of the ferocity, we know that the volume is increasing, are they becoming more ferocious, these attacks? >> Yeah, there is a lot of aggression out there, certainly from, from cyber criminals. And I would say that the velocity is increasing, but the amount, if you look at the cyber criminal ecosystem, the stakeholders, right, that is increasing, it's not just one or two campaigns that we're seeing. Again, we're seeing, this has been a record cases year, almost every week we've seen one or two significant, cyber security events that are happening. That is a dramatic shift compared to last year or even, two years ago too. And this is because, because the cyber criminals are getting deeper pockets now. They're becoming more well-funded and they have business partners, affiliates that they're hiring, each one of those has their own methodology, and they're getting paid big. We're talking up to 70 to 80% commission, just if they actually successfully, infect someone that pays for the ransom as an example. And so that's really, what's driving this too. It's a combination of this kind of perfect storm as we call it, right. You have this growing attack surface, work from home environments and footholds into those networks, but you have a whole bunch of other people now on the bad side that are orchestrating this and executing the attacks too. >> So what can organizations do to start- to slow down or limit the impacts of this growing ransomware as a service? >> Yeah, great question. Everybody has their role in this, I say, right? So if we look at, from a strategic point of view, we have to disrupt cyber crime, how do we do that? It starts with the kill chain. It starts with trying to build resilient networks. So things like ZTA and a zero trust network access, SD-WAN as an example for protecting that WAN infrastructure. 'Cause that's where the threats are floating to, right. That's how they get the initial footholds. So anything we can do on the preventative side, making networks more resilient, also education and training is really key. Things like multi-factor authentication are all key to this because if you build that preventatively and it's a relatively small investment upfront Lisa, compared to the collateral damage that can happen with these ransomware paths, the risk is very high. That goes a long way, it also forces the attackers to- it slows down their velocity, it forces them to go back to the drawing board and come up with a new strategy. So that is a very important piece, but there's also things that we're doing in the industry. There's some good news here, too, that we can talk about because there's things that we can actually do apart from that to really fight cyber crime, to try to take the cyber criminals offline too. >> All right, hit me with the good news Derek. >> Yeah, so a couple of things, right. If we look at the botnet activity, there's a couple of interesting things in there. Yes, we are seeing Mirai rise to the top right now, but we've seen big problems of the past that have gone away or come back, not as prolific as before. So two specific examples, EMOTET, that was one of the most prolific botnets that was out there for the past two to three years, there is a take-down that happened in January of this year. It's still on our radar but immediately after that takedown, it literally dropped to half of the activity it had before. And it's been consistently staying at that low watermark now at that half percentage since then, six months later. So that's very good news showing that the actual coordinated efforts that were getting involved with law enforcement, with our partners and so forth, to take down these are actually hitting their supply chain where it hurts, right. So that's good news part one. Trickbot was another example, this is also a notorious botnet, takedown attempt in Q4 of 2020. It went offline for about six months in our landscape report, we actually show that it came back online in about June this year. But again, it came back weaker and now the form is not nearly as prolific as before. So we are hitting them where it hurts, that's that's the really good news. And we're able to do that through new, what I call high resolution intelligence that we're looking at too. >> Talk to me about that high resolution intelligence, what do you mean by that? >> Yeah, so this is cutting edge stuff really, gets me excited, keeps me up at night in a good way. 'Cause we we're looking at this under the microscope, right. It's not just talking about the what, we know there's problems out there, we know there's ransomware, we know there's a botnets, all these things, and that's good to know, and we have to know that, but we're able to actually zoom in on this now and look at- So we, for the first time in the threat landscape report, we've published TTPs, the techniques, tactics, procedures. So it's not just talking about the what, it's talking about the how, how are they doing this? What's their preferred method of getting into systems? How are they trying to move from system to system? And exactly how are they doing that? What's the technique? And so we've highlighted that, it's using the MITRE attack framework TTP, but this is real time data. And it's very interesting, so we're clearly seeing a very heavy focus from cyber criminals and attackers to get around security controls, to do defense innovation, to do privilege escalation on systems. So in other words, trying to be common administrator so they can take full control of the system. As an example, lateral movement, there's still a preferred over 75%, 77 I believe percent of activity we observed from malware was still trying to move from system to system, by infecting removable media like thumb drives. And so it's interesting, right. It's a brand new look on these, a fresh look, but it's this high resolution, is allowing us to get a clear image, so that when we come to providing strategic guides and solutions in defense, and also even working on these takedown efforts, allows us to be much more effective. >> So one of the things that you said in the beginning was we talked about the increase in ransomware from last year to this year. You said, I don't think that we've hit that ceiling yet, but are we at an inflection point? Data showing that we're at an inflection point here with being able to get ahead of this? >> Yeah, I would like to believe so, there is still a lot of work to be done unfortunately. If we look at, there's a recent report put out by the Department of Justice in the US saying that, the chance of a criminal to be committing a crime, to be caught in the US is somewhere between 55 to 60%, the same chance for a cyber criminal lies less than 1%, well 0.5%. And that's the bad news, the good news is we are making progress in sending messages back and seeing results. But I think there's a long road ahead. So, there's a lot of work to be done, We're heading in the right direction. But like I said, they say, it's not just about that. It's, everyone has their role in this, all the way down to organizations and end users. If they're doing their part of making their networks more resilient through this, through all of the, increasing their security stack and strategy. That is also really going to stop the- really ultimately the profiteering that wave, 'cause that continues to build too. So it's a multi-stakeholder effort and I believe we are getting there, but I continue to still, I continue to expect the ransomware wave to build in the meantime. >> On the end-user front, that's always one of the vectors that we talk about, it's people, right? There's so much sophistication in these attacks that even security folks and experts are nearly fooled by them. What are some of the things that you're saying that governments are taking action on some recent announcements from the White House, but other organizations like Interpol, the World Economic Forum, Cyber Crime Unit, what are some of the things that governments are doing that you're seeing that as really advantageous here for the good guys? >> Yeah, so absolutely. This is all about collaboration. Governments are really focused on public, private sector collaboration. So we've seen this across the board with Fortiguard Labs, we're on the forefront with this, and it's really exciting to see that, it's great. There's always been a lot of will to work together, but we're starting to see action now, right? Interpol is a great example, they recently this year, held a high level forum on ransomware. I actually spoke and was part of that forum as well too. And the takeaways from that event were that we, this was a message to the world, that public, private sector we need. They actually called ransomware a pandemic, which is what I've referred to it as before in itself as well too. Because it is becoming that much of a problem and that we need to work together to be able to create action, action against this, measure success, become more strategic. The World Economic Forum were leading a project called the Partnership Against Cyber Crime Threat Map Project. And this is to identify, not just all this stuff we talked about in the threat landscape report, but also looking at, things like, how many different ransomware gangs are there out there. What do the money laundering networks look like? It's that side of the supply chain to map out, so that we can work together to actually take down those efforts. But it really is about this collaborative action that's happening and it's innovation and there's R&D behind this as well, that's coming to the table to be able to make it impactful. >> So it sounds to me like ransomware is no longer a- for any organization in any industry you were talking about the expansion of verticals. It's no longer a, "If this happens to us," but a matter of when and how do we actually prepare to remediate, prevent any damage? >> Yeah, absolutely, how do we prepare? The other thing is that there's a lot of, with just the nature of cyber, there's a lot of connectivity, there's a lot of different, it's not just always siloed attacks, right. We saw that with Colonial obviously, this year where you have attacks on IT, that can affect consumers, right down to consumers, right. And so for that very reason, everybody's infected in this. it truly is a pandemic I believe on its own. But the good news is, there's a lot of smart people on the good side and that's what gets me excited. Like I said, we're working with a lot of these initiatives. And like I said, some of those examples I called up before, we're actually starting to see measurable progress against this as well. >> That's good, well never a dull day I'm sure in your world. Any thing that you think when we talk about this again, in a few more months of the second half of 2021, anything you predict crystal ball wise that we're going to see? >> Yeah, I think that we're going to continue to see more of the, I mean, ransomware, absolutely, more of the targeted attacks. That's been a shift this year that we've seen, right. So instead of just trying to infect everybody for ransom, as an example, going after some of these new, high profile targets, I think we're going to continue to see that happening from the ransomware side and because of that, the average costs of these data breaches, I think they're going to continue to increase, it already did in 2021 as an example, if we look at the cost of a data breach report, it's gone up to about $5 million US on average, I think that's going to continue to increase as well too. And then the other thing too is, I think that we're going to start to see more, more action on the good side like we talked about. There was already a record amount of takedowns that have happened, five takedowns that happened in January. There were arrests made to these business partners, that was also new. So I'm expecting to see a lot more of that coming out towards the end of the year too. >> So as the challenges persist, so do the good things that are coming out of this. Where can folks go to get this first half 2021 Global Threat Landscape? What's the URL that they can go to? >> Yeah, you can check it out, all of our updates and blogs including the threat landscape reports on blog.fortinet.com under our threat research category. >> Excellent, I read that blog, it's fantastic. Derek, always a pleasure to talk to you. Thanks for breaking this down for us, showing what's going on. Both the challenging things, as well as the good news. I look forward to our next conversation. >> Absolutely, it was great chatting with you again, Lisa. Thanks. >> Likewise for Derek Manky, I'm Lisa Martin. You're watching this Cube Conversation. (exciting music)

(upbeat music) >> Welcome to this CUBE conversation. I am Lisa Martin, excited to welcome back one of our distinguished alumni, Derek Manky joins me next. Chief security Insights and Global Threat Alliances at Fortinet's FortiGuard Labs. Derek, welcome back to the program. >> Yes, it's great to be here and great to see you again, Lisa. Thanks for having me. >> Likewise, yeah, so a lot has happened. I know we've seen you during this virtual world, but so much has happened with ransomware in the last year. It's unbelievable, we had this dramatic shift to a distributed workforce, you had personal devices on in network perimeters and non-trusted devices or trusted devices on home networks and lots of change there. Talk to me about some of the things that you and FortiGuard Labs have seen with respect to the evolution of ransomware. >> Yeah, sure, so it's becoming worse, no doubt. We highlighted this in our Threat Landscape Report. If we just take a step back looking at ransomware itself, it actually started in the late 1980s. And it didn't, that was very, they relied on snail mail. It was obviously there was no market for it at the time. It was just a proof of concept, a failed experiment if you will. But it really started getting hot a decade ago, 10 years ago but the technology back then wasn't the cryptography they're using, the technique wasn't as strong as easily reversed. And so they didn't really get to a lot of revenue or business from the cyber criminal perspective. That is absolutely not the case today. Now they have very smart cryptography they're experts when say they, the cyber criminals at their game. They know there's a lot of the attack surfaces growing. There's a lot of vulnerable people out there. There's a lot of vulnerable devices. And this is what we saw in our threat landscape group. What we saw at seven times increase in ransomware activity in the second half of 2020. And that momentum is continuing in 2021. It's being fueled by what you just talked about. By the work from anywhere, work from home environment a lot of vulnerable devices unpatched. And these are the vehicles that the ransomware is the payload of course, that's the way that they're monetizing this. But the reality is that the attack surface has expanded, there's more vulnerable people and cyber criminals are absolutely capitalizing on that. >> Right, we've even seen cyber criminals capitalizing on the pandemic fears with things that were around the World Health Organization or COVID-19 or going after healthcare. Did you see an uptick in healthcare threats and activities as well in the last year? >> Yeah, definitely, so I would start to say that first of all, the... Nobody is immune when it comes to ransomware. This is such again, a hot target or a technique that the cybercriminals are using. So when we look at the verticals, absolutely healthcare is in the top five that we've seen, but the key difference is there's two houses here, right? You have what we call the broad blanketed ransomware attacks. So these aren't going after any particular vertical. They're really just trying to spray as much as they can through phishing campaigns, not through... there's a lot of web traffic out there. We see a lot of things that are used to open playing on that COVID-19 theme we got, right? Emails from HR or taxes and scams. It's all related to ransomware because these are how they're trying to get the masses to open that up, pay some data sorry, pay some cryptocurrency to get access to their data back. Oftentimes they're being held for extortions. They may have photos or video or audio captures. So it's a lot of fear they're trying to steal these people but probably the more concern is just what you talked about, healthcare, operational technology. These are large business revenue streams. These are take cases of targeted ransoms which is much different because instead of a big volumetric attack, these are premeditated. They're going after with specific targets in mind specific social engineering rules. And they know that they're hitting the corporate assets or in the case of healthcare critical systems where it hurts they know that there's high stakes and so they're demanding high returns in terms of ransoms as well. >> With respect to the broad ransomware attacks versus targeted a couple of questions to kind of dissect that. Are the targeted attacks, are they in like behind the network firewall longer and faster, longer and getting more information? Are they demanding higher ransom versus the broader attacks? What's what are some of the distinctions there besides what you mentioned? >> Yeah, absolutely so the targeted texts are more about execution, right? So if we look at the attack chain and they're doing more in terms of reconnaissance, they're spending more cycles and investment really on their end in terms of weaponization, how they can actually get into the system, how they can remain undetected, collecting and gathering information. What we're seeing with groups like Ragnar Locker as an example, they're going in and they're collecting in some cases, terabytes of information, a lot, they're going after definitely intellectual property, things like source code, also PII for customers as an example, and they're holding them. They have a whole business strategy and plan in mind on their place, right? They hold them for ransom. They're often, it's essentially a denial of service in some cases of taking a revenue stream or applications offline so a business can't function. And then what they're doing is that they're actually setting up crime services on their end. They, a lot of the the newest ransom notes that we're seeing in these targeted attacks are setting up channels to what they call a live chat support channel that the victim would log into and actually talk directly live to the cybercriminal or one of their associates to be able to negotiate the ransom. And they're trying to have in their point of view they're trying frame this as a good thing and say, we're going to show you that our technology works. We can decrypt some of the files on your system as an example just to prove that we are who we say we are but then they go on to say, instead of $10 million, we can negotiate down to 6 million, this is a good deal, you're getting 30% off or whatever it is but the fact is that they know by the time they've gotten to this they've done all their homework before that, right? They've done the targets, they've done all the things that they can to know that they have the organization in their grasp, right? >> One of the things that you mentioned just something I never thought about as ransomware as a business, the sophistication level is just growing and growing and growing and growing. And of course, even other bad actors, they have access to all the emerging technologies that the good guys do. But talk to me about this business of ransomware because that's what it seems like it really has become. >> Absolutely, it is massively sad. If you look at the cybercrime ecosystem like the way that they're actually pulling this off it's not just one individual or one cyber crime ring that, let's say five to 10 people that are trying to orchestrate this. These are big rings, we actually work closely as an example to, we're doing everything from the FortiGuard Labs with following the latest ransomware trends doing the protection and mitigation but also working to find out who these people are, what are their tactics and really attribute it and paint a picture of these organizations. And they're big, we worked on some cases where there's over 50 people just in one ransomware gang. One of the cases we worked on, they were making over $60 million US in three months, as an example. And in some cases, keep in mind one of these targeted attacks like in terms of ransom demands and the targeted cases they can be an excess of $10 million just for one ransom attack. And like I said, we're seeing a seven times increase in the amount of attack activity. And what they're doing in terms of the business is they've set up affiliate marketing. Essentially, they have affiliates in the middle that will actually distribute the ransomware. So they're basically outsourcing this to other individuals. If they hit people with their ransomware and the people pay then the affiliate in the middle will actually get a commission cut of that, very high, typically 40 to 50%. And that's really what's making this lucrative business model too. >> Wow, My jaw is dropping just the sophistication but also the different levels to which they've put a business together. And unfortunately, for every industry it sounds very lucrative, so how then Derek do organizations protect themselves against this, especially knowing that a lot of this work from home stuff is going to persist. Some people want to stay home, what not. The proliferation of devices is only going to continue. So what are organizations start and how can you guys help? >> Start with the people, so we'll talk about three things, people, technology and processes. The people, unfortunately, this is not just about ransomware but definitely applies to ransomware but any attack, humans are still often the weakest link in terms of education, right? A lot of these ransomware campaigns will be going after people using nowadays seems like tax themes purporting to be from the IRS as an example or human resources departments or governments and health authorities, vaccination scams all these things, right? But what they're trying to do is to get people to click on that link, still to open up a malicious attachment that will then infect them with the ransomware. This of course, if an employee is up to date and hones their skills so that they know basically a zero trust mentality is what I like to talk about. You wouldn't just invite a stranger into your house to open a package that you didn't order but people are doing this a lot of the times with email. So really starting with the people first is important. There's a lot of free training information and security. There is awareness training, we offer that at Fortinet. There's even advanced training we do through our NSC program as an example. But then on top of that there's things like phishing tests that you can do regularly, penetration testing as well, exercises like that are very important because that is really the first line of defense. Moving past that you want to get into the technology piece. And of course, there's a whole, this is a security fabric. There's a whole array of solutions. Like I said, everything needs to be integrated. So we have an EDR and XDR as an example sitting on the end point, cause oftentimes they still need to get that ransomware payload to run on the end point. So having a technology like EDR goes a long way to be able to detect the threat, quarantine and block it. There's also of course a multi-factor authentication when it comes to identifying who's connecting to these environments. Patch management, we talk about all the time. That's part of the technology piece. The reality is that we highlight in the threat landscape report the software vulnerabilities that these rats more gangs are going after are two to three years old. They're not breaking within the last month they're two to three years old. So it's still about the patch management cycle, having that holistic integrated security architecture and the fabric is really important. NAC network access control is zero trust, network access is really important as well. One of the biggest culprits we're seeing with these ransom attacks is using IOT devices as launchpads as an example into networks 'cause they're in these work from home environments and there's a lot of unsecured or uninspected devices sitting on those networks. Finally process, right? So it's always good to have it all in your defense plan training and education, technology for mitigation but then also thinking about the what if scenario, right? So incident response planning, what do we do if we get hit? Of course we never recommend to pay the ransom. So it's good to have a plan in place. It's good to identify what your corporate assets are and the likely targets that cyber-criminals are going to go after and make sure that you have rigid security controls and threat intelligence like FortiGuard Labs applied to that. >> Yeah, you talk about the weakest link they are people I know you and I talked about that on numerous segments. It's one of the biggest challenges but I've seen some people that are really experts in security read a phishing email and almost fall for it. Like it looked so legitimately from like their bank for example. So in that case, what are some of the things that businesses can do when it looks so legitimate that it probably is going to have a unfortunately a good conversion rate? >> Yeah, so this is what I was talking about earlier that these targeted attacks especially when it comes to spear, when it comes to the reconnaissance they got so clever, it can be can so realistic. That's the, it becomes a very effective weapon. That's why the sophistication and the risk is rising like I said but that's why you want to have this multilayered approach, right? So if that first line of defense does yield, if they do click on the link, if they do try to open the malicious attachment, first of all again through the next generation firewall Sandboxing solutions like that, this technology is capable of inspecting that, acting like is this, we even have a FortiAI as an example, artificial intelligence, machine learning that can actually scan this events and know is this actually an attack? So that element goes a long way to actually scrub it like content CDR as well, content disarm as an example this is a way to actually scrub that content. So it doesn't actually run it in the first place but if it does run again, this is where EDR comes in like I said, at the end of the day they're also trying to get information out of the network. So having things like a Platinum Protection through the next generation firewall like with FortiGuard security subscription services is really important too. So it's all about that layered approach. You don't want just one single point of failure. You really want it, this is what we call the attack chain and the kill chain. There's no magic bullet when it comes to attackers moving, they have to go through a lot of phases to reach their end game. So having that layer of defense approach and blocking it at any one of those phases. So even if that human does click on it you're still mitigating the attack and protecting the damage. Keep in mind a lot of damages in some cases kind of a million dollars plus. >> Right, is that the average ransom, 10 million US dollars. >> So the average cost of data breaches that we're seeing which are often related to ransom attacks is close to that in the US, I believe it's around just under $9 million about 8.7 million, just for one data breach. And often those data breaches now, again what's happening is that the data it's not just about encrypting the data, getting access because a lot of organizations part of the technology piece and the process that we recommend is backups as well of data. I would say, organizations are getting better at that now but it's one thing to back up your data. But if that data is breached again, cybercriminals are now moving to this model of extorting that saying, unless you pay us this money we're going to go out and make this public. We're going to put it on paste and we're going to sell it to nefarious people on the dark web as well. >> One more thing I want to ask you in terms of proliferation we talked about the distributed workforce but one of the things, and here we are using Zoom to talk to each other, instead of getting to sit together in person we saw this massive proliferation in collaboration tools to keep people connected, families businesses. I talked a bit a lot of businesses who initially will say, oh we're using Microsoft 365 and they're protecting the data while they're not or Salesforce or Slack. And that shared responsibility model is something that I've been hearing a lot more about lately that businesses needing to recognize for those cloud applications that we're using and in which there's a lot of data traversing it could include PII or IP. We're responsible for that as the customer to protect our data, the vendor's responsible for protecting the integrity of the infrastructure. Share it with us a little bit about that in terms of your thoughts on like data protection and backup for those SaaS applications. >> Yeah, great question, great question tough one. It is so, I mean ultimately everybody has to have, I believe it has to have their position in this. It's not, it is a collaborative environment. Everyone has to be a stakeholder in this even down to the end users, the employees being educated and up-to-date as an example, the IT departments and security operation centers of vendors being able to do all the threat intelligence and scrubbing. But then when you extend that to the public cloud what is the cloud security stack look at, right? How integrated is that? Are there scrubbing and protection controls sitting on the cloud environments? What data is being sent to that, should it be cited center as an example? what's the retention period? How long does the data live on there? It's the same thing as when you go out and you buy one of these IOT devices as an example from say, a big box store and you go and just plug it into your network. It's the same questions we should be asking, right? What's the security like on this device model? Who's making it, what data is it going to ask for me? The same thing when you're installing an application on your mobile phone, this is what I mean about that zero trust environment. It should be earned trust. So it's a big thing, right? To be able to ask those questions and then only do it on a sort of need to know and medium basis. The good news is that a lot of CloudStack now and environments are integrating security controls. We integrated quite well with Fortinet as an example but this is an issue of supply chain. It's really important to know what lives upstream and how they're handling the data and how they're protecting it absolutely. >> Such interesting information and it's a topic ransomware that we could continue talking about, Derek, thank you for joining me on the program today updating us on what's going on, how it's evolving and ultimately what organizations in any industry need to do with protecting people and technology and processes to really start reducing their risks. I thank you so much for joining me today. >> All right it's a pleasure, thank you. >> Likewise Derek Manky I'm Lisa Martin. You're watching this CUBE conversation. (upbeat music)

(upbeat music) >> Welcome to this CUBE conversation. I am Lisa Martin, excited to welcome back one of our distinguished alumni, Derek Manky joins me next. Chief security Insights and Global Threat Alliances at Fortinet's FortiGuard Labs. Derek, welcome back to the program. >> Yes, it's great to be here and great to see you again, Lisa. Thanks for having me. >> Likewise, yeah, so a lot has happened. I know we've seen you during this virtual world, but so much has happened with ransomware in the last year. It's unbelievable, we had about 14 months ago, this dramatic shift to a distributed workforce, you had personal devices on in network perimeters and non-trusted devices or trusted devices on home networks and lots of change there. Talk to me about some of the things that you and FortiGuard Labs have seen with respect to the evolution of ransomware. >> Yeah, sure, so it's becoming worse, no doubt. We highlighted this in our Threat Landscape Report. If we just take a step back looking at ransomware itself, it actually started in the late 1980s. And it didn't, that was very, they relied on snail mail. It was obviously there was no market for it at the time. It was just a proof of concept, a failed experiment if you will. But it really started getting hot a decade ago, 10 years ago but the technology back then wasn't the cryptography they're using, the technique wasn't as strong as easily reversed. And so they didn't really get to a lot of revenue or business from the cyber criminal perspective. That is absolutely not the case today. Now they have very smart cryptography they're experts when say they, the cyber criminals at their game. They know there's a lot of the attack surfaces growing. There's a lot of vulnerable people out there. There's a lot of vulnerable devices. And this is what we saw in our threat landscape group. What we saw at seven times increase in ransomware activity in the second half of 2020. And that momentum is continuing in 2021. It's being fueled by what you just talked about. By the work from anywhere, work from home environment a lot of vulnerable devices unpatched. And these are the vehicles that the ransomware is the payload of course, that's the way that they're monetizing this. But the reality is that the attack surface has expanded, there's more vulnerable people and cyber criminals are absolutely capitalizing on that. >> Right, we've even seen cyber criminals capitalizing on the pandemic fears with things that were around the World Health Organization or COVID-19 or going after healthcare. Did you see an uptick in healthcare threats and activities as well in the last year? >> Yeah, definitely, so I would start to say that first of all, the... Nobody is immune when it comes to ransomware. This is such again, a hot target or a technique that the cybercriminals are using. So when we look at the verticals, absolutely healthcare is in the top five that we've seen, but the key difference is there's two houses here, right? You have what we call the broad blanketed ransomware attacks. So these aren't going after any particular vertical. They're really just trying to spray as much as they can through phishing campaigns, not through... there's a lot of web traffic out there. We see a lot of things that are used to open playing on that COVID-19 theme we got, right? Emails from HR or taxes and scams. It's all related to ransomware because these are how they're trying to get the masses to open that up, pay some data sorry, pay some cryptocurrency to get access to their data back. Oftentimes they're being held for extortions. They may have photos or video or audio captures. So it's a lot of fear they're trying to steal these people but probably the more concern is just what you talked about, healthcare, operational technology. These are large business revenue streams. These are take cases of targeted ransoms which is much different because instead of a big volumetric attack, these are premeditated. They're going after with specific targets in mind specific social engineering rules. And they know that they're hitting the corporate assets or in the case of healthcare critical systems where it hurts they know that there's high stakes and so they're demanding high returns in terms of ransoms as well. >> With respect to the broad ransomware attacks versus targeted a couple of questions to kind of dissect that. Are the targeted attacks, are they in like behind the network firewall longer and faster, longer and getting more information? Are they demanding higher ransom versus the broader attacks? What's what are some of the distinctions there besides what you mentioned? >> Yeah, absolutely so the targeted texts are more about execution, right? So if we look at the attack chain and they're doing more in terms of reconnaissance, they're spending more cycles and investment really on their end in terms of weaponization, how they can actually get into the system, how they can remain undetected, collecting and gathering information. What we're seeing with groups like Ragnar Locker as an example, they're going in and they're collecting in some cases, terabytes of information, a lot, they're going after definitely intellectual property, things like source code, also PII for customers as an example, and they're holding them. They have a whole business strategy and plan in mind on their place, right? They hold them for ransom. They're often, it's essentially a denial of service in some cases of taking a revenue stream or applications offline so a business can't function. And then what they're doing is that they're actually setting up crime services on their end. They, a lot of the the newest ransom notes that we're seeing in these targeted attacks are setting up channels to what they call a live chat support channel that the victim would log into and actually talk directly live to the cybercriminal or one of their associates to be able to negotiate the ransom. And they're trying to have in their point of view they're trying frame this as a good thing and say, we're going to show you that our technology works. We can decrypt some of the files on your system as an example just to prove that we are who we say we are but then they go on to say, instead of $10 million, we can negotiate down to 6 million, this is a good deal, you're getting 30% off or whatever it is but the fact is that they know by the time they've gotten to this they've done all their homework before that, right? They've done the targets, they've done all the things that they can to know that they have the organization in their grasp, right? >> One of the things that you mentioned just something I never thought about as ransomware as a business, the sophistication level is just growing and growing and growing and growing. And of course, even other bad actors, they have access to all the emerging technologies that the good guys do. But talk to me about this business of ransomware because that's what it seems like it really has become. >> Absolutely, it is massively sad. If you look at the cybercrime ecosystem like the way that they're actually pulling this off it's not just one individual or one cyber crime ring that, let's say five to 10 people that are trying to orchestrate this. These are big rings, we actually work closely as an example to, we're doing everything from the FortiGuard Labs with following the latest around some of the trends doing the protection and mitigation but also working to find out who these people are, what are their tactics and really attribute it and paint a picture of these organizations. And they're big, we're working some cases where there's over 50 people just in one ransomware gang. One of the cases we worked on, they were making over $60 million US in three months, as an example. And in some cases, keep in mind one of these targeted attacks like in terms of ransom demands and the targeted cases they can be an excess of $10 million just for one ransom attack. And like I said, we're seeing a seven times increase in the amount of attack activity. And what they're doing in terms of the business is they've set up affiliate marketing. Essentially, they have affiliates in the middle that will actually distribute the ransomware. So they're basically outsourcing this to other individuals. If they hit people with their ransomware and the people pay then the affiliate in the middle will actually get a commission cut of that, very high, typically 40 to 50%. And that's really what's making this lucrative business model too. >> Wow, My jaw is dropping just the sophistication but also the different levels to which they've put a business together. And unfortunately, for every industry it sounds very lucrative, so how then Derek do organizations protect themselves against this, especially knowing that a lot of this work from home stuff is going to persist. Some people want to stay home, what not. The proliferation of devices is only going to continue. So what are organizations start and how can you guys help? >> Start with the people, so we'll talk about three things, people, technology and processes. The people, unfortunately, this is not just about ransomware but definitely applies to ransomware but any attack, humans are still often the weakest link in terms of education, right? A lot of these ransomware campaigns will be going after people using nowadays seems like tax themes purporting to be from the IRS as an example or human resources departments or governments and health authorities, vaccination scams all these things, right? But what they're trying to do is to get people to click on that link, still to open up a malicious attachment that will then infect them with the ransomware. This of course, if an employee is up to date and hones their skills so that they know basically a zero trust mentality is what I like to talk about. You wouldn't just invite a stranger into your house to open a package that you didn't order but people are doing this a lot of the times with email. So really starting with the people first is important. There's a lot of free training information and security. There is awareness training, we offer that at Fortinet. There's even advanced training we do through our NSC program as an example. But then on top of that there's things like phishing tests that you can do regularly, penetration testing as well, exercises like that are very important because that is really the first line of defense. Moving past that you want to get into the technology piece. And of course, there's a whole, this is a security fabric. There's a whole array of solutions. Like I said, everything needs to be integrated. So we have an EDR and XDR as an example sitting on the end point, cause oftentimes they still need to get that ransomware payload to run on the end point. So having a technology like EDR goes a long way to be able to detect the threat, quarantine and block it. There's also of course a multi-factor authentication when it comes to identifying who's connecting to these environments. Patch management, we talk about all the time. That's part of the technology piece. The reality is that we highlight in the threat landscape report the software vulnerabilities that these rats more gangs are going after are two to three years old. They're not breaking within the last month they're two to three years old. So it's still about the patch management cycle, having that holistic integrated security architecture and the fabric is really important. NAC network access control is zero trust, network access is really important as well. One of the biggest culprits we're seeing with these ransom attacks is using IOT devices as launchpads as an example into networks 'cause they're in these work from home environments and there's a lot of unsecured or uninspected devices sitting on those networks. Finally process, right? So it's always good to have it all in your defense plan training and education, technology for mitigation but then also thinking about the what if scenario, right? So incident response planning, what do we do if we get hit? Of course we never recommend to pay the ransom. So it's good to have a plan in place. It's good to identify what your corporate assets are and the likely targets that cyber-criminals are going to go after and make sure that you have rigid security controls and threat intelligence like FortiGuard Labs applied to that. >> Yeah, you talk about the weakest link they are people I know you and I talked about that on numerous segments. It's one of the biggest challenges but I've seen some people that are really experts in security read a phishing email and almost fall for it. Like it looked so legitimately from like their bank for example. So in that case, what are some of the things that businesses can do when it looks so legitimate that it probably is going to have a unfortunately a good conversion rate? >> Yeah, so this is what I was talking about earlier that these targeted attacks especially when it comes to spear, when it comes to the reconnaissance they got so clever, it can be can so realistic. That's the, it becomes a very effective weapon. That's why the sophistication and the risk is rising like I said but that's why you want to have this multilayered approach, right? So if that first line of defense does yield, if they do click on the link, if they do try to open the malicious attachment, first of all again through the next generation firewall Sandboxing solutions like that, this technology is capable of inspecting that, acting like is this, we even have a FortiAI as an example, artificial intelligence, machine learning that can actually scan this events and know is this actually an attack? So that element goes a long way to actually scrub it like content CDR as well, content disarm as an example this is a way to actually scrub that content. So it doesn't actually run it in the first place but if it does run again, this is where EDR comes in like I said, at the end of the day they're also trying to get information out of the network. So having things like a Platinum Protection through the next generation firewall like with FortiGuard security subscription services is really important too. So it's all about that layered approach. You don't want just one single point of failure. You really want it, this is what we call the attack chain and the kill chain. There's no magic bullet when it comes to attackers moving, they have to go through a lot of phases to reach their end game. So having that layer of defense approach and blocking it at any one of those phases. So even if that human does click on it you're still mitigating the attack and protecting the damage. Keep in mind a lot of damages in some cases kind of a million dollars plus. >> Right, is that the average ransom, 10 million US dollars. >> So the average cost of data breaches ever seen which are often related to ransom attacks is close to that in the US, I believe it's around just under $9 million about 8.7 million, just for one data breach. And often those data breaches now, again what's happening is that the data it's not just about encrypting the data, getting access because a lot of organizations part of the technology piece and the process that we recommend is backups as well of data. I would say, organizations are getting better at that now but it's one thing to back up your data. But if that data is breached again, cybercriminals are now moving to this model of extorting that saying, unless you pay us this money we're going to go out and make this public. We're going to put it on piece and we're going to sell it to nefarious people on the dark web as well. >> One more thing I want to ask you in terms of proliferation we talked about the distributed workforce but one of the things, and here we are using Zoom to talk to each other, instead of getting to sit together in person we saw this massive proliferation in collaboration tools to keep people connected, families businesses. I talked a bit a lot of businesses who initially will say, oh we're using Microsoft 365 and they're protecting the data while they're not or Salesforce or Slack. And that shared responsibility model is something that I've been hearing a lot more about lately that businesses needing to recognize for those cloud applications that we're using and in which there's a lot of data traversing it could include PII or IP. We're responsible for that as the customer to protect our data, the vendor's responsible for protecting the integrity of the infrastructure. Share it with us a little bit about that in terms of your thoughts on like data protection and backup for those SaaS applications. >> Yeah, great question, great question tough one. It is so, I mean ultimately everybody has to have, I believe it has to have their position in this. It's not, it is a collaborative environment. Everyone has to be a stakeholder in this even down to the end users, the employees being educated and up-to-date as an example, the IT departments and security operation centers of vendors being able to do all the threat intelligence and scrubbing. But then when you extend that to the public cloud what is the cloud security stack look at, right? How integrated is that? Are there scrubbing and protection controls sitting on the cloud environments? What data is being sent to that, should it be cited center as an example? what's the retention period? How long does the data live on there? It's the same thing as when you go out and you buy one of these IOT devices as an example from say, a big box store and you go and just plug it into your network. It's the same questions we should be asking, right? What's the security like on this device model? Who's making it, what data is it going to ask for me? The same thing when you're installing an application on your mobile phone, this is what I mean about that zero trust environment. It should be earned trust. So it's a big thing, right? To be able to ask those questions and then only do it on a sort of need to know and medium basis. The good news is that a lot of CloudStack now and environments are integrating security controls. We integrated quite well with Fortinet as an example but this is an issue of supply chain. It's really important to know what lives upstream and how they're handling the data and how they're protecting it absolutely. >> Such interesting information and it's a topic ransomware that we could continue talking about, Derek, thank you for joining me on the program today updating us on what's going on, how it's evolving and ultimately what organizations in any industry need to do with protecting people and technology and processes to really start reducing their risks. I thank you so much for joining me today. >> All right it's a pleasure, thank you. >> Likewise Derek Manky I'm Lisa Martin. You're watching this CUBE conversation. (upbeat music)

>> Narrator: Live from San Francisco. It's theCUBE, covering RSA Conference 2020, San Francisco. Brought to you by, SiliconANGLE Media. >> Welcome back everyone. CUBE coverage here in Moscone in San Francisco for RSA, 2020. I'm John Furrier host of theCUBE. We've got a great guest here talking about cybersecurity and the impact with AI and the role of data. It's always great to have Derek Manky on Chief Security Insights Global Threat Alliances with FortiGuard Lab, part of Fortinet, FortiGuard Labs is great. Great organization. Thanks for coming on. >> It's a pleasure always to be here-- >> So you guys do a great threat report that we always cover. So it covers all the bases and it really kind of illustrates state of the art of viruses, the protection, threats, et cetera. But you're part of FortiGuard Labs. >> Yeah, that's right. >> Part of Fortinet, which is a security company, public. What is FortiGuard Labs? What do you guys do, what's your mission? >> So FortiGuard Labs has existed since day one. You can think of us as the intelligence that's baked into the product, It's one thing to have a world-class product, but you need a world-class intelligence team backing that up. We're the ones fighting those fires against cybercrime on the backend, 24/7, 365 on a per second basis. We're processing threat intelligence. We've got over 10 million attacks or processing just per minute, over a hundred billion events, in any given day that we have to sift through. We have to find out what's relevant. We have to find gaps that we might be missing detection and protection. We got to push that out to a customer base of 450,000 customers through FortiGuard services and 5 million firewalls, 5 million plus firewalls we have now. So it's vitally important. You need intelligence to be able to detect and then protect and also to respond. Know the enemy, build a security solution around that and then also be able to act quickly about it if you are under active attack. So we're doing everything from creating security controls and protections. So up to, real time updates for customers, but we're also doing playbooks. So finding out who these attackers are, why are they coming up to you. For a CSO, why does that matter? So this is all part of FortiGuard Labs. >> How many people roughly involved ? Take us a little inside the curtain here. What's going on? Personnel size, scope. >> So we're over 235. So for a network security vendor, this was the largest global SOC, that exists. Again, this is behind the curtain like you said. These are the people that are, fighting those fires every day. But it's a large team and we have experts to cover the entire attack surface. So we're looking at not just a viruses, but we're looking at as zero-day weapons, exploits and attacks, everything from cyber crime to, cyber warfare, operational technology, all these sorts of things. And of course, to do that, we need to really heavily rely on good people, but also automation and artificial intelligence and machine learning. >> You guys are walking on a tight rope there. I can only imagine how complex and stressful it is, just imagining the velocity alone. But one of the trends that's coming up here, this year at RSA and is kind of been talking about in the industry is the who? Who is the attacker because, the shifts could shift and change. You got nation states are sitting out there, they're not going to have their hands dirty on this stuff. You've got a lot of dark web activity. You've got a lot of actors out there that go by different patterns. But you guys have an aperture and visibility into a lot of this stuff. >> Absolutely. >> So, you can almost say, that's that guy. That's the actor. That's a really big part. Talk about why that's important. >> This is critically important because in the past, let's say the first generation of, threat intelligence was very flat. It was to watch. So it was just talking about here's a bad IP, here's a bad URL, here's a bad file block hit. But nowadays, obviously the attackers are very clever. These are large organizations that are run a lot of people involved. There's real world damages happening and we're talking about, you look at OT attacks that are happening now. There's, in some cases, 30, $40 million from targeted ransom attacks that are happening. These people, A, have to be brought to justice. So we need to understand the who, but we also need to be able to predict what their next move is. This is very similar to, this is what you see online or CSI. The police trynna investigate and connect the dots like, plotting the strings and the yarn on the map. This is the same thing we're doing, but on a way more advanced level. And it's very important to be able to understand who these groups are, what tools they use, what are the weapons, cyber weapons, if you will, and what's their next move potentially going to be. So there's a lot of different reasons that's important. >> Derek, I was riffing with another guest earlier today about this notion of, government protection. You've got a military troops drop on our shores and my neighborhood, the Russians drop in my neighborhood. Guess what, the police will probably come in, and, or the army should take care of it. But if I got to run a business, I got to build my own militia. There's no support out there. The government's not going to support me. I'm hacked. Damage is done. You guys are in a way providing that critical lifeline that guard or shield, if you will, for customers. And they're going to want more of it. So I've got to ask you the hard question, which is, how are you guys going to constantly be on the front edge of all this? Because at the end of the day, you're in the protection business. Threats are coming at the speed of milliseconds and nanoseconds, in memory. You need memory, you need database. You've got to have real time. It's a tsunami of attack. You guys are the front lines of this. You're the heat shield. >> Yes, absolutely. >> How do you take it to the next level? >> Yeah, so collaboration, integration, having a broad integrated platform, that's our bread and butter. This is what we do. End-to-end security. The attack surface is growing. So we have to be able to, A, be able to cover all aspects of that attack surface and again, have intelligence. So we're doing sharing through partners. We have our core intelligence network. Like I said, we're relying heavily on machine learning models. We're able to find that needle in the haystack. Like, as I said earlier, we're getting over a hundred billion potential threat events a day. We have to dissect that. We have to break it down. We have to say, is this affecting endpoint? Is this effect affecting operational technology? What vertical, how do we process it? How do we verify that this is a real threat? And then most importantly, get that out in time and speed to our customers. So I started with automation years ago, but now really the way that we're doing this is through broad platform coverage. But also machine learning models for and-- >> I want to dig into machine learning because, I love that needle in the haystack analogy, because, if you take that to the next step, you got to stack a needles now. So you find the needle in the haystack. Now you got a bunch of needles, where do you find that? You need AI, you got to have some help. But you still got the human component. So talk about how you guys are advising customers on how you're using machine learning and get that AI up and running for customers and for yourselves. >> So we're technology people. I always look at this as the stack. The stack model, the bottom of the stack, you have automation. You have layer one, layer two. That's like the basic things for, feeds, threat feeds, how we can push out, automate, integrate that. Then you have the human. So the layer seven. This is where our human experts are coming in to actually advise our customers. We're creating a threat signals with FortiGuard Labs as an example. These are bulletins that's a quick two to three page read that a CSO can pick up and say, here's what FortiGuard Labs has discovered this week. Is this relevant to my network? Do I have these protections in place. There's also that automated, and so, I refer to this as a centaur model. It's half human half machine and, the machines are driving a lot of that, the day to day mundane tasks, if you will, but also finding, collecting the needles of needles. But then ultimately we have our humans that are processing that, analyzing it, creating the higher level strategic advice. We recently, we've launched a FortiAI, product as well. This has a concept of a virtual-- >> Hold on, back up a second. What's it called? >> FortiAI. >> So it's AI components. Is it a hardware box or-- >> This is a on-premise appliance built off of five plus years of learning that we've done in the cloud to be able to identify threats and malware, understand what that malware does to a detailed level. And, where we've seen this before, where is it potentially going? How do we protect against it? Something that typically you would need, four to five headcount in your security operations center to do, we're using this as an assist to us. So that's why it's a virtual analyst. It's really a bot, if you will, something that can actually-- >> So it's an enabling opportunity for the customers. So is this virtual assistant built into the box. What does that do, virtual analyst. >> So the virtual analyst is able to, sit on premises. So it's localized learning, collect threats to understand the nature of those threats, to be able to look at the needles of the needles, if you will, make sense of that and then automatically generate reports based off of that. So it's really an assist tool that a network admin or a security analyst was able to pick up and virtually save hours and hours of time of resources. >> So, if you look at the history of like our technology industry from a personalization standpoint, AI and data, whether you're a media business, personalization is ultimately the result of good data AI. So personalization for an analyst, would be how not to screw up their job. (laughs) One level. The other one is to be proactive on being more offensive. And then third collaboration with others. So, you starting to see that kind of picture form. What's your reaction to that? >> I think it's great. There's stepping stones that we have to go through. The collaboration is not always easy. I'm very familiar with this. I mean I was, with the Cyber Threat Alliance since day one, I head up and work with our Global Threat Alliances. There's always good intentions, there's problems that can be created and obviously you have things like PII now and data privacy and all these little hurdles they have to come over. But when it works right together, this is the way to do it. It's the same thing with, you talked about the data naturally when he started building up IT stacks, you have silos of data, but ultimately those silos need to be connected from different departments. They need to integrate a collaborate. It's the same thing that we're seeing from the security front now as well. >> You guys have proven the model of FortiGuard that the more you can see, the more visibility you can see and more access to the data in real time or anytime scale, the better the opportunity. So I got to take that to the next level. What you guys are doing, congratulations. But now the customer. How do I team up with, if I'm a customer with other customers because the bad guys are teaming up. So the teaming up is now a real dynamic that companies are deploying. How are you guys looking at that? How is FortiGuard helping that? Is it through services? Is it through the products like virtual assistant? Virtual FortiAI? >> So you can think of this. I always make it an analogy to the human immune system. Artificial neural networks are built off of neural nets. If I have a problem and an infection, say on one hand, the rest of the body should be aware of that. That's collaboration from node to node. Blood cells to blood cells, if you will. It's the same thing with employees. If a network admin sees a potential problem, they should be able to go and talk to the security admin, who can go in, log into an appliance and create a proper response to that. This is what we're doing in the security fabric to empower the customer. So the customer doesn't have to always do this and have the humans actively doing those cycles. I mean, this is the integration. The orchestration is the big piece of what we're doing. So security orchestration between devices, that's taking that gap out from the human to human, walking over with a piece of paper to another or whatever it is. That's one of the key points that we're doing within the actual security fabric. >> So that's why silos is problematic. Because you can't get that impact. >> And it also creates a lag time. We have a need for speed nowadays. Threats are moving incredibly fast. I think we've talked about this on previous episodes with swarm technology, offensive automation, the weaponization of artificial intelligence. So it becomes critically important to have that quick response and silos, really create barriers of course, and make it slower to respond. >> Okay Derek, so I got to ask you, it's kind of like, I don't want to say it sounds like sports, but it's, what's the state of the art in the attack vectors coming in. What are you guys seeing as some of the best of breed tax that people should really be paying attention to? They may, may not have fortified down. What are SOCs looking at and what are security pros focused on right now in terms of the state of the art. >> So the things that keep people up at night. We follow this in our Threat Landscape Report. Obviously we just released our key four one with FortiGuard Labs. We're still seeing the same culprits. This is the same story we talked about a lot of times. Things like, it used to be a EternalBlue and now BlueKeep, these vulnerabilities that are nothing new but still pose big problems. We're still seeing that exposed on a lot of networks. Targeted ransom attacks, as I was saying earlier. We've seen the shift or evolution from ransomware from day to day, like, pay us three or $400, we'll give you access to your data back to going after targeted accounts, high revenue business streams. So, low volume, high risk. That's the trend that we're starting to see as well. And this is what I talk about for trying to find that needle in the haystack. This is again, why it's important to have eyes on that. >> Well you guys are really advanced and you guys doing great work, so congratulations. I got to ask you to kind of like, the spectrum of IT. You've got a lot of people in the high end, financial services, healthcare, they're regulated, they got all kinds of challenges. But as IT and the enterprise starts to get woke to the fact that everyone's vulnerable. I've heard people say, well, I'm good. I got a small little to manage, I'm only a hundred million dollar business. All I do is manufacturing. I don't really have any IP. So what are they going to steal? So that's kind of a naive approach. The answer is, what? Your operations and ransomware, there's a zillion ways to get taken down. How do you respond to that. >> Yeah, absolutely. Going after the crown jewels, what hurts? So it might not be a patent or intellectual property. Again, the things that matter to these businesses, how they operate day to day. The obvious examples, what we just talked about with revenue streams and then there's other indirect problems too. Obviously, if that infrastructure of a legitimate organization is taken over and it's used as a botnet and an orchestrated denial-of-service attack to take down other organizations, that's going to have huge implications. >> And they won't even know it. >> Right, in terms of brand damage, has legal implications as well that happened. This is going even down to the basics with consumers, thinking that, they're not under attack, but at the end of the day, what matters to them is their identity. Identity theft. But this is on another level when it comes to things to-- >> There's all kinds of things to deal with. There's, so much more advanced on the attacker side. All right, so I got to ask you a final question. I'm a business. You're a pro. You guys are doing great work. What do I do, what's my strategy? How would you advise me? How do I get my act together? I'm working the mall every day. I'm trying my best. I'm peddling as fast as I can. I'm overloaded. What do I do? How do I go the next step? >> So look for security solutions that are the assist model like I said. There's never ever going to be a universal silver bullet to security. We all know this. But there are a lot of things that can help up to that 90%, 95% secure. So depending on the nature of the threats, having a first detection first, that's always the most important. See what's on your network. This is things where SIM technology, sandboxing technology has really come into play. Once you have those detections, how can you actually take action? So look for a integration. Really have a look at your security solutions to see if you have the integration piece. Orchestration and integration is next after detection. Finally from there having a proper channel, are there services you looked at for managed incident response as an example. Education and cyber hygiene are always key. These are free things that I push on everybody. I mean we release weekly threat intelligence briefs. We're doing our quarterly Threat Landscape Reports. We have something called threat signals. So it's FortiGuard response to breaking industry events. I think that's key-- >> Hygiene seems to come up over and over as the, that's the foundational bedrock of security. >> And then, as I said, ultimately, where we're heading with this is the AI solution model. And so that's something, again that I think-- >> One final question since it's just popped into my head. I wanted, and that last one. But I wanted to bring it up since you kind of were, we're getting at it. I know you guys are very sensitive to this one topic cause you live it every day. But the notion of time and time elapsed is a huge concern because you got to know, it's not if it's when. So the factor of time is a huge variable in all kinds of impact. Positive and negative. How do you talk about time and the notion of time elapsing. >> That's great question. So there's many ways to stage that. I'll try to simplify it. So number one, if we're talking about breaches, time is money. So the dwell time. The longer that a threat sits on a network and it's not cleaned up, the more damage is going to be done. And we think of the ransom attacks, denial-of-service, revenue streams being down. So that's the incident response problem. So time is very important to detect and respond. So that's one aspect of that. The other aspect of time is with machine learning as well. This is something that people don't always think about. They think that, artificial intelligence solutions can be popped up overnight and within a couple of weeks they're going to be accurate. It's not the case. Machines learn like humans too. It takes time to do that. It takes processing power. Anybody can get that nowadays, data, most people can get that. But time is critical to that. It's a fascinating conversation. There's many different avenues of time that we can talk about. Time to detect is also really important as well, again. >> Let's do it, let's do a whole segment on that, in our studio, I'll follow up on that. I think it's a huge topic, I hear about all the time. And since it's a little bit elusive, but it kind of focuses your energy on, wait, what's going on here? I'm not reacting. (laughs) Time's a huge issue. >> I refer to it as a latency. I mean, latency is a key issue in cybersecurity, just like it is in the stock exchange. >> I mean, one of the things I've been talking about with folks here, just kind of in fun conversation is, don't be playing defense all the time. If you have a good time latency, you going to actually be a little bit offensive. Why not take a little bit more offense. Why play defense the whole time. So again, you're starting to see this kind of mentality not being, just an IT, we've got to cover, okay, respond, no, hold on the ballgame. >> That comes back to the sports analogy again. >> Got to have a good offense. They must cross offense. Derek, thanks so much. Quick plug for you, FortiGuard, share with the folks what you guys are up to, what's new, what's the plug. >> So FortiGuard Labs, so we're continuing to expand. Obviously we're focused on, as I said, adding all of the customer protection first and foremost. But beyond that, we're doing great things in industry. So we're working actively with law enforcement, with Interpol, Cyber Threat Alliance, with The World Economic Forum and the Center for Cyber Security. There's a lot more of these collaboration, key stakeholders. You talked about the human to human before. We're really setting the pioneering of setting that world stage. I think that is, so, it's really exciting to me. It's a lot of good industry initiatives. I think it's impactful. We're going to see an impact. The whole goal is we're trying to slow the offense down, the offense being the cyber criminals. So there's more coming on that end. You're going to see a lot great, follow our blogs at fortinet.com and all-- >> Great stuff. >> great reports. >> I'm a huge believer in that the government can't protect us digitally. There's going to be protection, heat shields out there. You guys are doing a good job. It's only going to be more important than ever before. So, congratulations. >> Thank you. >> Thanks for coming I really appreciate. >> Never a dull day as we say. >> All right, it's theCUBE's coverage here in San Francisco for RSA 2020. I'm John Furrier, your host. Thanks for watching. (upbeat music)

>> from our studios in the heart of Silicon Valley, Palo Alto, California It is a cute conversation. >> Well, the Special Cube conversation. We are here in Palo Alto, California, Cube studios here. Tony, Gino, Domenico, Who's the senior security strategist and research at for Net and four to guard labs live from Las Vegas. Where Black Hat and then Def Con security activities happening, Tony, also known as Tony G. Tony G. Welcome to this cube conversation. >> Hey, Thanks, John. Thanks for having me. >> So a lot of action happening in Vegas. We just live there all the time with events. You're there on the ground. You guys have seen all the action there. You guys are just published. Your quarterly threat report got a copy of it right here with the threat index on it. Talk about the quarterly global threats report. Because the backdrop that we're living in today, also a year at the conference and the cutting edge is security is impacting businesses that at such a level, we must have shell shock from all the breaches and threats they're going on. Every day you hear another story, another story, another hack, more breaches. It said all time high. >> Yeah, you know, I think a lot of people start to get numb to the whole thing. You know, it's almost like they're kind of throwing your hands up and say, Oh, well, I just kind of give up. I don't know what else to do, but I mean, obviously, there are a lot of different things that you can do to be able to make sure that you secure your cybersecurity program so at least you minimize the risk of these particular routes is happening. But with that said with the Threat Landscape report, what we typically dio is we start out with his overall threat index, and we started this last year. If we fast forward to where we are in this actual cue to report, it's been one year now, and the bad news is that the threats are continuing to increase their getting more sophisticated. The evasion techniques are getting more advanced, and we've seen an uptick of about 4% and threat volume over the year before. Now the silver lining is I think we expected the threat volume to be much higher. So I think you know, though it is continuing to increase. I think the good news is it's probably not increasing as fast as we thought it was going to. >> Well, you know, it's always You have to know what you have to look for. Blood. People talk about what you can't see, and there's a lot of a blind spot that's become a data problem. I just want to let people know that. Confined the report, go to Ford Nets, ah website. There's a block there for the details, all the threat index. But the notable point is is only up 4% from the position year of a year that the attempts are more sophisticated. Guys gotta ask you, Is there stuff that we're not seeing in there? Is there blind spots? What's the net net of the current situation? Because observe ability is a hot topic and cloud computing, which essentially monitoring two point. Oh, but you gotta be able to see everything. Are we seeing everything? What's what's out there? >> Well, I mean, I think us as Ford, a guard on Darcy, have cyber threat in challenges. I think we're seeing a good amount, but when you talk about visibility, if you go back down into the organizations. I think that's where there's There's definitely a gap there because a lot of the conversations that I have with organizations is they don't necessarily have all the visibility they need from cloud all the way down to the end point. So there are some times that you're not gonna be able to catch certain things now. With that said, if we go back to the report at the end of the day, the adversaries have some challenges to be able to break into an organization. And, of course, the obvious one is they have to be able to circumvent our security controls. And I think as a security community, we've gotten a lot better of being able to identify when the threat is coming into an organization. Now, on the flip side, Oh, if you refer back to the minor Attack knowledge base, you'll see a specific tactic category called defense evasions. There's about 60 plus techniques, evasion techniques the adversary has at their disposal, at least that we know may there may be others, but so they do have a lot of opportunity, a lot of different techniques to be able to leverage with that, said There's one technique. It's, ah, disabling security tools that we started seeing a bit of an increase in this last cue to threat landscape report. So a lot of different types of threats and mile where have the capability to be ableto one look at the different processes that may be running on a work station, identifying which one of those processes happen to be security tools and then disabling them whether they're no, maybe they might just be able to turn the no, the actual service off. Or maybe there's something in the registry that they can tweak. That'll disable the actual security control. Um, maybe they'll actually suppress the alerts whatever. They conduce you to make sure that that security control doesn't prevent them from doing that malicious activity. Now, with that said, on the flip side, you know, from an organization for perspective, you want to make sure that you're able to identify when someone's turning on and turning off those security control to any type of alert that might be coming out of that control also. And this is a big one because a lot of organizations and this certainly do this minimize who has the ability to turn those particular security controls on and off. In the worst cases, you don't wanna have all of your employees uh, the you don't want to give them the ability to be able to turn those controls on and off. You're never gonna be ableto baseline. You're never gonna be able to identify a, you know, anomalous activity in the environment, and you're basically gonna lose your visibility. >> I mean, this increase in male wearing exploit activity you guys were pointing out clearly challenge the other thing that the report kind of She's out. I want to get your opinion on this. Is that the The upping? The ante on the evasion tactics has been very big trend. The adversaries are out there. They're upping the ante. You guys, we're upping the guarantees. This game you continue this flight will continues. Talk about this. This feature of upping the ante on evasion tactics. >> Yes. So that's what I was that I was kind of ah, referring to before with all the different types of evasion techniques. But what I will say is most of the all the threats these days all have some type of evasion capabilities. A great example of this is every quarter. If you didn't know. We look at different types of actors and different types of threats, and we find one that's interesting for us to dig into and where create was called an actual playbook, where we want to be able to dissect that particular threat or those threat actor methodologies and be able to determine what other tactics and corresponding techniques, which sometimes of course, includes evasion techniques. Now, the one that we focused on for this quarter was called His Ego's Was Ego, says a specific threat that is an information stealer. So it's gathering information, really based on the mission goals off, whatever that particular campaign is, and it's been around for a while. I'm going all the way back to 2011. Now you might be asking yourself, Why did we actually choose this? Well, there's a couple different reasons. One happens to be the fact that we've seen an uptick in this activity. Usually when we see that it's something we want to dive into a little bit more. Number two. Though this is a tactic of the of the adversary, what they'll do is they'll have their threat there for a little while, and then local doorman. They'll stop using that particular malware. That's no specific sort of threat. They'll let the dust settle that things die down. Organizations will let their guard down a little bit on that specific threat. Security organizations Ah, vendors might actually do the same. Let that digital dust kind of settle, and then they'll come back. Bigger, faster, stronger. And that's exactly what Z ghosted is. Ah, we looked at a specific campaign in this new mall where the new and improved Mauer, where is they're adding in other capabilities for not just being able to siphon information from your machine, but they're also now can capture video from your webcam. Also, the evasion techniques since Iran that particular subject, what they're also able to do is they're looking at their application logs. Your system logs your security logs, the leading them making a lot more difficult from a forensic perspective. Bill, go back and figure out what happened, what that actual malware was doing on the machine. Another interesting one is Ah, there. We're looking at a specific J peg file, so they're looking for that hash. And if the hash was there the axle? Um, our wouldn't run. We didn't know what that was. So we researched a little bit more on What we found out was that J Peg file happened to be a desktop sort of picture for one of the sandboxes. So it knew if that particular J pick was present, it wasn't going to run because it knew it was being analyzed in a sandbox. So that was a second interesting thing. The 3rd 1 that really leaned us towards digging into this is a lot of the actual security community attribute this particular threat back to cyber criminals that are located in China. The specific campaign we were focused on was on a government agency, also in China, So that was kind of interesting. So you're continuing to see these. These mile wears of maybe sort of go dormant for a little bit, but they always seem to come back bigger, faster, stronger. >> And that's by design. This is that long, whole long view that these adversaries we're taking in there as he organized this economy's behind what they're doing. They're targeting this, not just hit and run. It's get in, have a campaign. This long game is very much active. Howto enterprises. Get on, get on top of this. I mean, is it Ah, is it Ah, people process Issue is it's, um, tech from four to guard labs or what? What's what's for the Nets view on this? Because, I mean, I can see that happening all the time. It has >> happened. Yeah, it's It's really it's a combination of everything on this combination. You kind of hit like some of it, its people, its processes and technology. Of course, we have a people shortage of skilled resource is, but that's a key part of it. You always need to have those skills. Resource is also making sure you have the right process. Is how you actually monitoring things. I know. Ah, you know, a lot of folks may not actually be monitoring all the things that they need to be monitoring from, Ah, what is really happening out there on the internet today? So making sure you have clear visibility into your environment and you can understand and maybe getting point in time what your situational awareness is. You you, for my technology perspective, you start to see and this is kind of a trend. We're starting the leverage artificial intelligence, automation. The threats are coming, and it's such a high volume. Once they hit the the environment, instead of taking hours for your incident response to be about, at least you know not necessarily mitigate, but isolate or contain the breach. It takes a while. So if you start to leverage some artificial intelligence and automatic response with the security controls are working together. That's a big that's a big part of it. >> Awesome. Thanks for coming. This is a huge problem. Think no one can let their guard down these days? Certainly with service, they're expanding. We're gonna get to that talk track in the second. I want to get quickly. Get your thoughts on ransom, where this continues to be, a drum that keeps on beating. From a tax standpoint, it's almost as if when when the attackers need money, they just get the same ransomware target again. You know, they get, they pay in. Bitcoin. This is This has been kind of a really lucrative but persistent problem with Ransomware. This what? Where what's going on with Ransomware? What's this state of the report and what's the state of the industry right now in solving that? >> Yeah. You know, we looked into this a little bit in last quarter and actually a few quarters, and this is a continuous sort of trend ransom, where typically is where you know, it's on the cyber crime ecosystem, and a lot of times the actual threat itself is being delivered through some type of ah, phishing email where you need a user to be able to click a langur clicking attachment is usually kind of a pray and spray thing. But what we're seeing is more of ah, no sort of ah, you know, more of a targeted approach. What they'll do is to look for do some reconnaissance on organizations that may not have the security posture that they really need. Tohave, it's not as mature, and they know that they might be able to get that particular ransomware payload in there undetected. So they do a little reconnaissance there, And some of the trend here that we're actually seeing is there looking at externally RTP sessions. There's a lot of RTP sessions, the remote desktop protocol sessions that organizations have externally so they can enter into their environment. But these RTP sessions are basically not a secure as they need to be either week username and passwords or they are vulnerable and haven't actually been passed. They're taking advantage of those they're entering and there and then once they have that initial access into the network, they spread their payload all throughout the environment and hold all those the those devices hostage for a specific ransom. Now, if you don't have the, you know, particular backup strategy to be able to get that ransom we're out of there and get your your information back on those machines again. Sometimes you actually may be forced to pay that ransom. Not that I'm recommending that you sort of do so, but you see, or organizations are decided to go ahead and pay that ransom. And the more they do that, the more the adversary is gonna say, Hey, I'm coming back, and I know I'm gonna be able to get more and more. >> Yeah, because they don't usually fix the problem or they come back in and it's like a bank. Open bank blank check for them. They come in and keep on hitting >> Yeah >> same target over and over again. We've seen that at hospitals. We've seen it kind of the the more anemic I t department where they don't have the full guard capabilities there. >> Yeah, and I would have gone was really becoming a big issue, you know? And I'll, uh, ask you a question here, John. I mean, what what does Microsoft s A N D. H s have in common for this last quarter? >> Um, Robin Hood? >> Yeah. That attacks a good guess. Way have in common is the fact that each one of them urged the public to patch a new vulnerability that was just released on the RTP sessions called Blue Keep. And the reason why they was so hyped about this, making sure that people get out there and patch because it was were mobile. You didn't really need tohave a user click a link or click and attachment. You know, basically, when you would actually exploit that vulnerability, it could spread like wildfire. And that's what were mobile is a great example of that is with wannacry. A couple years ago, it spread so quickly, so everybody was really focused on making sure that vulnerability actually gets patched. Adding onto that we did a little bit of research on our own and ransom Internet scans, and there's about 800,000 different devices that are vulnerable to that particular ah, new vulnerability that was announced. And, you know, I still think a lot of people haven't actually patched all of that, and that's a real big concern, especially because of the trend that we just talked about Ransomware payload. The threat actors are looking at are Rdp as the initial access into the environment. >> So on blue Keep. That's the one you were talking about, right? So what is the status of that? You said There's a lot of vulnerable is out. There are people patching it, is it Is it being moving down, the down the path in terms of our people on it? What's your take on that? What's the assessment? >> Yeah, so I think some people are starting to patch, but shoot, you know, the scans that we do, there's still a lot of unpacked systems out there, and I would also say we're not seeing what's inside the network. There may be other RTP sessions in the environment inside of an organization's environment, which really means Now, if Ransomware happens to get in there that has that capability than to be able to spread like the of some RTP vulnerability that's gonna be even a lot more difficult to be able to stop that once it's inside a network. I mean, some of the recommendations, obviously, for this one is you want to be able to patch your RTP sessions, you know, for one. Also, if you want to be able to enable network authentication, that's really gonna help us. Well, now I would also say, You know, maybe you want a hard in your user name and passwords, but if you can't do some of this stuff, at least put some mitigating controls in place. Maybe you can isolate some of those particular systems, limit the amount of AH access organizations have or their employees have to that, or maybe even just totally isolated. If it's possible, internal network segmentation is a big part of making sure you can. You're able to mitigate some of these put potential risks, or at least minimize the damage that they may cause. >> Tony G. I want to get your thoughts on your opinion and analysis expert opinion on um, the attack surface area with digital and then ultimately, what companies can do for Let's let's start with the surface area. What's your analysis there? Ah, lot of companies are recognizing. I'll see with Coyote and other digital devices. The surface area is just everywhere, right? So I got on the perimeter days. That's kind of well known. It's out there. What's the current digital surface area threats look like? What's your opinion? >> Sure, Yeah, it's Ah, now it's funny. These days, I say no, Jenna tell you everything that seems to be made as an I P address on it, which means it's actually able to access the Internet. And if they can access the Internet, the bad guys can probably reach out and touch it. And that's really the crux of the problem of these days. So anything that is being created is out on the Internet. And, yeah, like, we all know there's really not a really rigid security process to make sure that that particular device as secure is that secure as it actually needs to be Now. We talked earlier on about You know, I ot as relates to maybe home routers and how you need to be ableto hard in that because you were seeing a lot of io teapot nets that air taking over those home routers and creating these super large I ot botnets on the other side of it. You know, we've seen ah lot of skate of systems now that traditionally were in air gapped environments. Now they're being brought into the traditional network. They're being connected there. So there's an issue there, but one of the ones we haven't actually talked a lot about and we see you're starting to see the adversaries focus on these little bit more as devices in smart homes and smart buildings in this queue to threat landscape report. There was a vulnerability in one of these you motion business management systems. And, you know, we looked at all the different exploits out there, and the adversaries were actually looking at targeting that specific exploit on that. That's smart management building service device. We had about 1% of all of our exploit, uh, hits on that device. Now that might not seem like a lot, but in the grand scheme of things, when we're collecting billions and billions of events, it's a fairly substantial amount. What, now that we're Lee starts a kind of bring a whole another thought process into as a security professional as someone responds double for securing my cyber assets? What if I include in my cyber assets now widen include all the business management systems that my employees, Aaron, for my overall business. Now that that actually might be connected to my internal network, where all of my other cyber assets are. Maybe it actually should be. Maybe should be part of your vulnerability mentioned audibly patch management process. But what about all the devices in your smart home? Now? You know, all these different things are available, and you know what the trend is, John, right? I mean, the actual trend is to work from home. So you have a lot of your remote workers have, ah, great access into the environment. Now there's a great conduit for the obvious areas to be ableto break into some of those smart home devices and maybe that figure out from there there on the employees machine. And that kind of gets him into, you know, the other environment. So I would say, Start looking at maybe you don't wanna have those home devices as part of, ah, what you're responsible for protecting, but you definitely want to make sure your remote users have a hardened access into the environment. They're separated from all of those other smart, smart home devices and educate your employees on that and the user awareness training programs. Talk to them about what's happening out there, how the adversaries air starting to compromise, or at least focus on some of them smart devices in their home environment. >> These entry points are you point out, are just so pervasive. You have work at home totally right. That's a great trend that a lot of companies going to. And this is virtual first common, a world. We build this new new generation of workers. They wanna work anywhere. So no, you gotta think about all that. Those devices that your son or your daughter brought home your husband. Your wife installed a new light bulb with an I peed connection to it fully threaded processor. >> I know it. Gosh, this kind of concern me, it's safer. And what's hot these days is the webcam, right? Let's say you have an animal and you happen to go away. You always want to know what your animals doing, right? So you have these Webcams here. I bet you someone might be placing a webcam that might be near where they actually sit down and work on their computer. Someone compromises that webcam you may be. They can see some of the year's name and password that you're using a log in. Maybe they can see some information that might be sensitive on your computer. You know, it's the The options are endless here. >> Tony G. I want to get your thoughts on how companies protect themselves, because this is the real threat. A ni O t. Doesn't help either. Industrial I ot to just Internet of things, whether it's humans working at home, too, you know, sensors and light bulbs inside other factory floors or whatever means everywhere. Now the surface area is anything with a knife he address in power and connectivity. How do companies protect themselves? What's the playbook? What's coming out of Red hat? What's coming out of Fort Annette? What are you advising? What's the playbook? >> Yeah, you know I am. You know, when I get asked this question a lot, I really I sound like a broken record. Sometimes I try to find so many different ways to spin it. You know, maybe I could actually kind of say it like this, and it's always means the same thing. Work on the fundamentals and John you mentioned earlier from the very beginning. Visibility, visibility, visibility. If you can't understand all the assets that you're protecting within your environment, it's game over. From the beginning, I don't care what other whiz bang product you bring into the environment. If you're not aware of what you're actually protecting, there's just no way that you're gonna be able to understand what threats are happening out your network at a higher level. It's all about situational awareness. I want to make sure if I'm if I'm a C so I want my security operations team to have situational awareness at any given moment, all over the environment, right? So that's one thing. No grabbing that overall sort of visibility. And then once you can understand where all your assets are, what type of information's on those assets, you get a good idea of what your vulnerabilities are. You start monitoring that stuff. You can also start understanding some of different types of jabs. I know it's challenging because you've got everything in the cloud all the way down to the other end point. All these mobile devices. It's not easy, but I think if you focus on that a little bit more, it's gonna go a longer way. And I also mentioned we as humans. When something happens into the environment, we can only act so fast. And I kind of alluded to this earlier on in this interview where we need to make sure that we're leveraging automation, artificial in intelligence to help us be able to determine when threats happened. You know, it's actually be in the environment being able to determine some anomalous activity and taking action. It may not be able to re mediate, but at least it can take some initial action. The security controls can talk to each other, isolate the particular threat and let you fight to the attack, give you more time to figure out what's going on. If you can reduce the amount of time it takes you to identify the threat and isolate it, the better chances that you're gonna have to be able to minimize the overall impact of that particular Reno. >> Tony, just you jogging up a lot of memories from interviews I've had in the past. I've interviewed the four star generals, had an essay, had a cyber command. You get >> a lot of >> military kind of thinkers behind the security practice because there is a keeping eyes on the enemy on the target on the adversary kind of dialogue going on. They all talk about automation and augmenting the human piece of it, which is making sure that you have as much realty. I'm information as possible so you can keep your eyes on the targets and understand, to your point contextual awareness. This seems to be the biggest problem that Caesar's heir focused on. How to eliminate the tasks that take the eyes off the targets and keep the situational winners on on point. Your thoughts on that? >> Yeah, I have to. You know what, son I used to be? Oh, and I still do. And now I do a lot of presentations about situational awareness and being ableto build your you know, your security operations center to get that visibility. And, you know, I always start off with the question of you know, when your C so walks in and says, Hey, I saw something in the news about a specific threat. How are we able to deal with that? 95% of the responses are Well, I have to kind of go back and kind of like, you don't have to actually come dig in and, you know, see, and it takes them a while for the audio. >> So there's a classic. So let me get back to your boss. What? Patch patch? That, um Tony. Chief, Thank you so much for the insight. Great Congressional. The Holy Report. Keep up the good work. Um, quick, Quick story on black hat. What's the vibe in Vegas? Def con is right around the corner after it. Um, you seeing the security industry become much more broader? See, as the industry service area becomes from technical to business impact, you starting to see that the industry change Amazon Web service has had an event cloud security called reinforce. You starting to see a much broader scope to the industry? What's the big news coming out of black at? >> Yeah, you know, it's it's a lot of the same thing that actually kind of changes. There's just so many different vendors that are coming in with different types of security solutions, and that's awesome. That is really good with that, said, though, you know, we talked about the security shortage that we don't have a lot of security professionals with the right skill sets. What ends up happening is you know, these folks that may not have that particular skill, you know, needed. They're being placed in these higher level of security positions, and they're coming to these events and they're overwhelmed because they're all they'll have a saw slight. It's all over a similar message, but slightly different. So how did they determine which one is actually better than the others? So it's, um, I would say from that side, it gets to be a little bit kind of challenging, but at the same time, No, I mean, we continued to advance. I mean, from the, uh, no, from the actual technical controls, solutions perspective, you know, You know, we talked about it. They're going, we're getting better with automation, doing the things that the humans used to do, automating that a little bit more, letting technology do some of that mundane, everyday kind of grind activities that we would as humans would do it, take us a little bit longer. Push that off. Let the actual technology controls deal with that so that you can focus like you had mentioned before on those higher level you know, issues and also the overall sort of strategy on either howto actually not allow the officer to come in or haven't determined once they're in and how quickly will be able to get them out. >> You know, we talked. We have a panel of seashells that we talk to, and we were running a you know, surveys through them through the Cube insights Most see says, we talk Thio after they won't want to talk off the record. I don't want anyone know they work for. They all talked him. They say, Look, I'm bombarded with more and more security solutions. I'm actually trying to reduce the number of suppliers and increase the number of partners, and this is nuanced point. But to your what you're getting at is a tsunami of new things, new threats, new solutions that could be either features or platforms or tools, whatever. But most si SOS wanna build an engineering team. They wanna have full stack developers on site. They wanna have compliance team's investigative teams, situational awareness teams. And they want a partner with with suppliers where they went partners, not just suppliers. So reduce the number suppliers, increase the partners. What's your take on that year? A big partner. A lot of the biggest companies you >> get in that state spring. Yeah. I mean, that's that's actually really our whole strategy. Overall strategy for Ford. Annette is, and that's why we came up with this security fabric. We know that skills are really not as not as prevalent as that they actually need to be. And of course, you know there's not endless amounts of money as well, right? And you want to be able to get these particular security controls to talk to each other, and this is why we built this security fabric. We want to make sure that the controls that we're actually gonna build him, and we have quite a few different types of, you know, security controls that work together to give you the visibility that you're really looking for, and then years Ah, you know, trusted partner that you can actually kind of come to And we can work with you on one identifying the different types of ways the adversaries air moving into the environment and ensuring that we have security controls in place to be able to thwart the threat. Actor playbook. Making sure that we have a defensive playbook that aligns with those actual ttp is in the offensive playbook, and we can actually either detect or ultimately protect against that malicious activity. >> Tony G. Thanks for sharing your insights here on the cube conversation. We'll have to come back to you on some of these follow on conversations. Love to get your thoughts on Observe ability. Visibility on. Get into this. What kind of platforms are needed to go this next generation with cloud security and surface area being so massive? So thanks for spending the time. Appreciate it. >> Thanks a lot, Right. We only have >> a great time in Vegas. This is Cube conversation. I'm John for here in Palo Alto. Tony G with Fortinet in Las Vegas. Thanks for watching