Wendi Whitmore, Palo Alto Networks | Palo Alto Networks Ignite22

>> The Cube presents Ignite 22, brought to you by Palo Alto Networks.
>> Welcome back to Vegas. Guys, we're happy that you're here. Lisa Martin here, covering with Dave Vellante, Palo Alto Networks Ignite 22. We're at MGM Grand. This is our first day, Dave, of two days of Cube coverage. We've been having great conversations with the ecosystem, with Palo Alto executives, with partners. One of the things that they have is Unit 42. We're gonna be talking with them next about cyber intelligence. And the threat data that they get is
>> Incredible. Yeah. They have all the data, they know what's going on, and of course things are changing. The state of play changes. Hold on a second. I got a text here. Oh, my Netflix account was frozen. Should I click on this link? Yeah. What do you think? Have you had a little bit more of that this holiday season? Yeah, definitely.
>> Unbelievable, right? A lot of smishing going on.
>> Yeah, they're very clever.
>> Yeah, we're very pleased to welcome back one of our alumni to the Cube. Wendi Whitmore is here, the SVP of Unit 42. Welcome back, Wendi. Great to have you.
>> Thanks, Lisa.
>> So, Unit 42 was created back in 2014. One of the things that I saw that you said in your keynote this morning, or today, was everything old is still around and it's way more prolific than ever. What are some of the things that Unit 42 is seeing these days with respect to cyber threats, as the landscape has changed so much in the last two years alone?
>> You know, it has. So it's really interesting. I've been responding to these breaches for over two decades now, and I can tell you that there are a lot of new and novel techniques. I love that you already highlighted smishing, right? In the opening gate. Because that is something that a year ago, no one knew what that word was. I mean, it's probably gonna be invented this year, right? But that said, so many of the tactics that we have previously seen, when it comes to just general espionage techniques, right? Data exfiltration, intellectual property theft, those are going on now more than ever. And you're not hearing about them as much in the news because there are so many other things, right? We're under the landscape of a major war going on between Russia and Ukraine, of ransomware attacks, you know, occurring on a weekly basis. And so we keep hearing about those, but ultimately these nation-state actors are using that top cover, if you will, as a great distraction. It's almost like a perfect storm for them to continue conducting so much cyber espionage work that we may not be feeling today, but years down the road, the work that they're doing today is gonna have really significant impact.
>> Ransomware has become a household word in the last couple of years. I think even my mom knows what it is, to some degree. But the threat actors are far more sophisticated than they've ever been. They're very motivated. They're very well funded. I think I've read a stat recently, in the last year, that there's a ransomware attack once every 11 seconds. And of course we only hear about the big ones. But that is a concern that goes all the way up to the board.
>> Yeah. You know, we have a stat in our ransomware threat report that talks about how often victims are posted on leak sites. And I think it's once every seven minutes at this point that a new victim is posted. Meaning a victim organization has had their data stolen and posted on some leak site in the attempt to be extorted. So that has become so common. One of the shifts that we've seen this year in particular, and in recent months: you know, a year ago when I was at Ignite, which was virtual, we talked about quadruple extortion, meaning four different ways that these ransomware actors would go out and try to make money from these attacks. What they're doing now is often going to just one, which is, I don't even wanna bother with encrypting your data now, because that means that in order to get paid, I probably have to decrypt it. Right? That's a lot of work. It's time consuming. It's kind of painstaking. And so what they've really looked to do now is do the extortion where they simply steal the data and then threaten to post it on these leak sites, you know, release it to other parts of the web, and go from there. And so that's really a blending of these techniques of traditional cyber espionage with intellectual property theft. Wow.
>> How trustworthy are those guys? I mean, these are hackers, right? It's really the hacker honor system, isn't it? I mean, if you get compromised like that, you're really beholden to criminals. And so...
>> You know, so that's one of the key reasons why having the threat intelligence is so important, right? Understanding which group you're dealing with and what their likelihood of paying is, what's their modus operandi. It's become even more important now because these groups switch teams more frequently than NFL trades, you know, free agents during the regular season, right? Or players become free agents. And that's because of their infrastructure. So the infrastructure, the servers, the systems that they're using to conduct these attacks from is actually largely being disrupted more by law enforcement, international intelligence agencies working together with public-private partnerships. So what they're doing is saying, okay, great. All that infrastructure that I just had now is burned, right? It's no longer effective. So then they'll disband a team and then they'll recruit a new team, and it's constant mixing and matching of players. All that said, even though that's highly dynamic, one of the other areas that they pride themselves on is customer service. And I think it's interesting because, you know, when I said they're not wanting to do all the decryption? Cuz that's like painful, technical, slow work. But on the customer service side, they will create these customer service portals, immediately stand one up, say, you know, hey, it's like Amazon. You know, if you've ever had to return a package on Amazon, for example, and you need to click through and explain, you know, hey, I didn't receive this package. A portal window pops up, you start talking to either a bot or a live agent on the backend. In this case they're, what appeared to be, very much humans who are explaining to you exactly what happened, what they're asking for, super pleasant, getting back within minutes with a response. And they know that in order for them to get paid, they need to have good customer service, because otherwise they're not going to, you know, have a business.
>> So what does the state of play look like between nation states and criminals, and how difficult or not so difficult is it for you to identify? Do you have clear signatures? My understanding is, with SolarWinds it was a little harder, but maybe help us understand, and help our audience understand, what the state of play is right now.
>> One of the interesting things that I think is occurring, and I highlighted this this morning, is this idea of convergence. And so I'll break it down for one example, which relates to the type of malware or tools that these attackers use. So traditionally, if we looked at a nation-state actor like China or Russia, they were very, very specific and very strategic about the types of victims that they were going to go after when they had a zero day. So, you know, new malware out there, new vulnerabilities that could be exploited only by them because the rest of the world didn't know about it. They might have one organization that they would target that at, at most a handful, and all very strategic for their objective. They wanted to keep that a secret as long as possible. Now what we're seeing actually is those same attackers going towards, one, a much larger supply chain. So, SolarWinds is a great example of that. The Hafnium attacks towards Microsoft Exchange Server last year. All great examples of that. But what they're also doing is, instead of using zero days as much, because those are expensive to build, they take a lot of time, a lot of funding, a lot of patience and research, what they're doing is using commercially available tools. And so there's a tool that our team identified earlier this year called Brute Ratel C4, or BRC4 for short. And that's a tool that we now know that nation-state actors are using. But just two weeks ago we investigated a ransomware attack where the ransomware actor was using that same piece of tooling. So to your point, yeah, it can get difficult for defenders when you're looking through and saying, well wait, they're all using some of the same tools right now and some of the same approaches. When it comes to nation states, that's great for them, because they can blend into the noise and it makes it harder to identify as quickly.
>> And is that an example of living off the land, or is BRC4 sort of a homegrown hacker tool? Is it a commercial off-the-shelf?
>> So it's a tool that was actually, so you can purchase it. I believe it's about 2,500 US dollars for a license. It was actually created by a former red teamer from a couple of well-known companies in the industry, who then decided, well hey, I built this tool for work, I'm gonna sell this. Well, great for red teamers that are, you know, legitimately doing good work, but not great now, because they built a strong tool that has the ability to hide amongst a lot of protocols. It can actually hide within Slack and Teams to where you can't even see the data is being exfiltrated. And so there's a lot of concern. And then now the reality that it gets into the wrong hands of nation-state actors and ransomware actors. One of the really interesting things about that piece of malware is it has a setting where you can change wallpaper. And I don't know if you know offhand what that means, but you know, if that comes to mind, what you would do with it. Well, certainly a nation-state actor is never gonna do something like that, right? But who likes to do that are ransomware actors, who can go in and change the background wallpaper on a desktop that says you've been hacked by XYZ organization and let you know what's going on. So pretty interesting, obviously the developer doing some work there for different parts of the, you know, nefarious community.
>> Tremendous amount of sophistication that's gone on in the last couple of years alone. I was just reading that Unit 42 is now a founding member of the Cyber Threat Alliance, which includes now more than 35 organizations. So you guys are getting a very broad picture of today's threat landscape. How can customers actually achieve cyber resilience? Is it achievable, and how do you help?
>> So I think it is achievable. So let me kind of parse out the question, right. So the Cyber Threat Alliance, the JCDC, the Cyber Safety Review Board, which I'm a member of, right? I think one of the really cool things about Palo Alto Networks is just our partnerships. So those are just a handful. We've got partnerships with over 200 organizations. We work closely with the Ukrainian CERT, for example, sharing information, incredible information about what's going on in the war, sharing technical details. We do that with Interpol on a daily basis where, you know, we're sharing information. Just last week the Africa Cyber Surge operation was announced, where millions of nodes were taken down that were part of these larger, you know, systems of C2 channels that attackers are using to conduct exploits and attacks throughout the world. So super exciting in that regard, and it's something that we're really passionate about at Palo Alto Networks. In terms of resilience, a few things. You know, one is visibility, so really having an understanding, in as much of real time as possible, right, of what's happening. And then it goes into how can we decrease operational impact. So that's everything from network segmentation to, I wanna add, the terms and phrases I like to use a lot: the win is really increasing the time it takes for the attackers to get their work done and decreasing the amount of time it takes for the defenders to get their work done, right?
>> Yeah. I call it increasing the denominator, right? And the ROI equation, benefit over value, right? Or benefit equals value over cost. If you can increase the cost, they go elsewhere, right? Absolutely. And that's the game. Yeah. You mentioned Ukraine before. What have we learned from Ukraine? I remember I was talking to Robert Gates years ago, 2016 I think, and I was asking him, yeah, but don't we have the best cyber technology? Can't we attack? He said, we got the most to lose too. Yeah. And so what have we learned from Ukraine?
>> Well, I think that's part of the key point there, right? Is, you know, a great offense essentially can also be for us, you know, a deterrent. So in that aspect we have, as a company, or excuse me, as a country, as a company as well, but then as partners throughout all parts of the world, really focused on increasing the intelligence sharing. And specifically, you know, I mentioned Ukrainian CERT. There are so many different agencies and other CERTs throughout the world that are doing everything they can to share information to help protect human life there. And so what we've really been concerned with is, you know, what cyber warfare elements are going to be used there, not only how does that impact Ukraine, but how does it potentially spread out to other parts of the world, critical infrastructure. So you've seen that, you know, I mentioned CSRB, but CISA, right? CISA has done a tremendous job of continuously getting out information and doing everything they can to make sure that we are collaborating at a commercial level. You know, we are sharing information and intelligence more than ever before. So partners like Mandiant and CrowdStrike, our intel teams are working together on a daily basis to make sure that we're able to protect not only our clients, but certainly if we've got any information relevant, that we can share that as well. And I think if there's any silver lining to an otherwise very awful situation, I think the fact that it has accelerated intelligence sharing is really positive.
>> I was gonna ask you about this, cause I think, you know, 10 or so years ago, there was a lot of talk about that, but the industry, you know, kind of kept things to themselves, you know, actually tried to monetize some of that private data. So that's changing, is what I'm hearing from you.
>> More so than ever. You know, I mentioned I've been in the field for 20 years. You know, it's tough when you have a commercial business that relies on, you know, information in order to pay people's salaries, right? I think that has changed quite a lot. We see the benefit of just that continuous sharing. There are, you know, so many more walls broken down between these commercial competitors, but also the work on the public-private partnership side has really increased some of those relationships. Made it easier. And you know, I have to give a whole lot of credit and mention CISA, like the fact that during Log4j, like they had GitHub repositories, they were using Slack, they were using Twitter. So the government has really started pushing forward, with a lot of the newer leadership that's in place, to say, hey, we're gonna use tools and technology that works to share and disseminate information as quickly as we can. Right? That's fantastic. That's helping everybody.
>> We know that every industry, nobody's spared of this. But did you notice in the last couple of years any industries in particular that are more vulnerable? Like I think of healthcare with personal health information, or financial services. Any industries kind of jump out as being more susceptible than others?
>> So I think those two are always gonna be at the forefront, right? Financial services and healthcare. But what's been really top of mind is critical infrastructure, just making sure, right, that our water, our power, our fuel, so many other parts of the ecosystem that go into making sure that, you know, we're keeping houses heated during the winter, for example, that people have fresh water. Those are extremely critical. And so that is really a massive area of focus for the industry right now.
>> Can I come back to public-private partnerships? My question relates to regulations, because public policy tends to be behind tech, the technology industry, as an understatement. So when you take something like GDPR, that's the obvious example, but there are many, many others, data sovereignty, you can't move the data. Is there tension between our desire as an industry to share data and governments' desire to keep data private and restrict that data sharing? How is that playing out? How do you resolve that?
>> Well, I think there have been great strides, right, in each of those areas. So in terms of regulation when it comes to breaches, there, you know, has been a tendency in the past to do victim shaming, right? And for organizations to not want to come forward because they're concerned about the monetary funds, right? I think there's been tremendous acceleration. You're seeing that everywhere from the FBI, from CISA, to really working very closely with organizations to have a true impact. So one example would be a ransomware attack that occurred. This was for a client of ours within the United States, and we had a very close relationship with the FBI at that local field office and made a phone call. This was 7:00 AM Eastern time. And this was an organization that, had this breach gone public, would've made worldwide news. There would've been a very big impact because it would've taken a lot of their systems offline. Within 30 minutes, that local FBI office was on site and said, we just saw this piece of malware last week, we have a decryptor for it from another organization who shared it with us. Here you go. And within 60 minutes, every system was back up and running. Our teams were able to respond and get that disseminated quickly. So efforts like that, I think the government has made a tremendous amount of headway into improving relationships. Is there always gonna be some tension between, you know, competing organizations? Sure. But I think that we're doing a whole lot to progress it.
>> But governments will make exceptions in that case. Especially for something as critical as the example that you just gave, and be able to, you know, do a reach-around, if you will, on onerous regulations that aren't helpful in that situation, but certainly do a lot of good in terms of protecting privacy.
>> Well, and I think there used to be exceptions made typically only for national security elements, right? And now you're seeing that expanding much more so, which I think is also positive. Right.
>> Last question for you as we are wrapping up time here. What can organizations really do to stay ahead of the curve when it comes to threat actors? We've got internal, external threats. What can they really do to just be ahead of that curve? Is that possible?
>> Well, it is now. It's not an easy task, so I'm not gonna, you know, trivialize it. But I think that, one, having relationships with the right organizations in advance is always a good thing. That's everything from certainly commercial relationships, but also your peers, right? There's all kinds of fantastic industry-specific information sharing organizations. I think the biggest thing that impacts is having education across your executive team and testing regularly, right? Having a plan in place, testing it. And it's not just the security pieces of it, right? As security responders, we live these attacks every day, but it's making sure that your general counsel and your head of operations and your CEO know what to do. Your board of directors, do they know what to do when they receive a phone call from Bloomberg, for example? Are they supposed to answer? Do your employees know? Those kinds of communications in advance and training can be really critical and make or break a difference in an attack.
>> That's a great point about the testing, but also the communication, that it really needs to be company-wide. Everyone at every level needs to know how to react. Wendi, it's been so great having...
>> Wait, one last question. Sure. Do you have a favorite superhero growing up?
>> Ooh, it's gotta be Wonder Woman. Yeah.
>> Yeah, okay. Yeah, so cuz I'm always curious, there's not a lot of women in security, in cyber. How'd you get into it? And many cyber pros, like, wanna save the world?
>> Yeah, no, that's a great question. So I joined the Air Force. You know, I was a special agent doing computer crime investigations, and that was a great job. And I learned about that from, we had an alumni day and all these alumni came in from the university, and they were in flight suits and combat gear. And there was one woman who had long blonde flowing hair and a black suit and high heels, and she was carrying a gun. What did she do? Because that's what I wanted to do.
>> Awesome. Love it. We...
>> Blonde
>> Wonder Woman.
>> Exactly. Wonder Woman. Wendi, it's been so great having you on the program. We will definitely be following Unit 42 and all the great stuff that you guys are doing. Keep up the good work.
>> Thanks so much, Lisa. Thank you.
>> Our pleasure. For our guest and Dave Vellante, I'm Lisa Martin, live in Las Vegas at MGM Grand for Palo Alto Ignite 22. You're watching the Cube, the leader in live enterprise and emerging tech coverage.

Published Date : Dec 14 2022


Wendi Whitmore, IBM | IBM Think 2020

>> Narrator: From theCUBE Studios in Palo Alto and Boston, it's theCUBE, covering IBM Think, brought to you by IBM. >> Hi everybody. Welcome back to theCUBE's continuous coverage of IBM Think 2020, the digital version of IBM Think. Wendi Whitmore is here. She's the vice president of IBM X-Force Threat Intelligence. Wendy, thanks for coming on. >> Thanks for having me. I'm excited to be here. >> Yeah, you're welcome. With a name like X-Force. That is a killer name. Tell us about X-Force. How are you protecting us? >> Yeah, we get a lot of interesting questions. So, my team is responsible for a pretty wide range of things. They range from incident response. So, when you think of data breaches, typically organizations will call an outside firm, and they'll jump on a plane and respond to threats on-site. Obviously right now, we're jumping on a bit fewer planes, but we still are helping our customers investigate data breaches, and we are on-site when needed. We also have a team of threat intelligence analysts and researchers, who are experts in a wide range of fields from geopolitical issues to cyber-related issues to industry specific. And then we've also got a team that does data breach simulations in a very immersive environment. We've got facilities at Cambridge Massachusetts, as well as within Europe, and now of course, we're bringing all those virtual as well. So, really anything that helps our clients respond more effectively to a data breach is something that we do. >> So, X-Force is traveling right now on empty planes, I presume. >> We are as needed. So, many clients have certainly shifted to where their whole environments are off-site and working remote as well, but we still have clients who are asking us to work on-site, and in those cases we have added a new protective gear to our go-backs, which are usually equipped with hard drives and disc imaging software and passports, and now we have some additional equipment to bring as well. 
>> And that breach simulation that you talked about. So that's what, like a penetration test, or in similar type of activities? >> Yeah, great question. No, it's actually an immersive environment where we go in, and actually simulate an entire breach for our clients. So, everything from the initial attack, how they would do the data analytics, to things like, how do they respond to the press, and inquiries from the press about the breach, how do they do media training, how they work with their legal counsel. So, it's really a comprehensive immersive environment that simulates kind of the heart pounding that occurs when you actually respond to a data breach. >> Oh, that's awesome, so that mean best practices in communications as well and the PR. I mean, that is obviously, maybe something that's often overlooked, but something that you guys are applying best practice to. >> Wendi: It's such a huge piece of it now, right? Our organizations are not always graded just on the breach itself, but more so on how they respond and how they communicate. The good news is, in that scenario that you can communicate effectively about a breach, and you can have something pretty negative that happens to your organization, but if you respond well, and you communicate really effectively to your clients and to the public, we've seen time and again that those brands actually have no reputational damage, and if anything, their clients trust them even more moving forward. >> We were early on when recording the, just trying to measure the budget impact of COVID-19, but we were early in recording the work from home shift. About 20% of the CIO organizations that we surveyed, actually spending more, or planning to spend more, but many weren't prepared for this work from home. They had to really beef up, and not just adding licenses of video collaboration software, but security for sure, a VPN infrastructure, et cetera. 
So, can you talk a little bit about how clients have responded, how you've helped them respond to that shif? How has the threat matrix changed? >> Well, so in terms of the attack surface, you mentioned there's a lot more people working from home, right? So, what we've got is over 220 million people in the United States, over one billion people in India alone, that are now working from home. So as you can imagine, that attack surface has really increased from an attacker perspective, right? And coupled with that, is that since March 1st, we've already seen a 6000% increase in coronavirus related spam. So, you've now got this larger attack surface that organizations need to protect against, and you've got an increase in threats and threat activity that is attacking them. So, from that perspective, pretty difficult for CIOs who are used to defending an environment that may be more on-site, and now have this really wide range of attack surface certainly more difficult for them to respond to. The other thing that we've seen, so one of the things that's super critical in these types of situations is to have an incident response plan, and to make sure that you're testing it. So, in our work that we've done both with our incident response teams, as well as with the teams that train clients in how to respond to breaches more effectively, we've seen that 76% of organizations don't actually have a consistently tested or applied incident response plan, and one in four have no plan at all. So, I will say that in terms of how we're working with clients, the first thing that any organization can do right now, is actually, have a plan and test it. So, if you're starting from scratch, it's really as simple as putting words on paper, understanding how you're going to get a hold of your critical team members, having a backup plan in place for communication strategies if your primary infrastructure goes offline. So making sure you know how to get a hold of your personnel. 
If you're more mature, then what we're really encouraging our clients to do is have a variety of scenarios that they're testing against, and make sure that they're running through those. So, a great one to practice right now, would be a ransomware attack. In particular, how does your organization respond effectively to it? What do you do when you get the initial notification? Do you have critical and sensitive data that's backed up offline, and not always connected to the network? If so, you're going to be in a much better spot to effectively defend against those attacks and limit any of the negative impact to them.

>> So, a couple things I want to sort of follow up on. So, what I heard was you've got more fragile work-from-home infrastructure, and you've got somewhat, well, significantly more vulnerable users. I've often said, bad user behavior is going to trump good security infrastructure every time. So, you've got many more opportunities for the bad guys to get in. And so, I'm hearing that threat response is now more critical than ever. It's always been critical. The communication to the board has been hey, chances are we're going to get infiltrated. We got to find it fast, and it's really about response, incident response. We can build moats, we can build layers, but we have to put a plan for that response. And so, it sounds like that's something that maybe is heightened as a result of this COVID-19 crisis.

>> Wendi: Oh, it absolutely is. I think it's now more critical than ever. I think there's two approaches, right? So, one of them would be improvising through chaos, which we don't necessarily encourage, right? There's a difference between that and really managing through disruption, and that's what we're encouraging our clients to do, is look at how we can create sustainable processes and procedures. You may have a very well-established team that does response, but perhaps they haven't worked remotely before.
So, that means testing those procedures, now taking them to a scenario where everyone is remote. What does that mean? It may mean that you need to capture less data over the network, because perhaps you just don't have the bandwidth or the capacity to do it. We've certainly looked at how we do that. How do we answer questions that are critically needed from an investigative perspective, for example, but without maybe all the resources that we would prefer to have. So, what we're really looking at, is kind of shifting in the way that we manage through these. And then, you mentioned that users who maybe sometimes make bad decisions, right? We're all guilty of that, because especially with that increase in spam, there's also been an increase in Nation-State actors who are now sending out new lures and new attempts to get access to environments that are related to coronavirus. So, we've got cyber criminals, Nation-State actors, everyone, and we're now at home looking to effectively defend. So, some things that organizations can do with that, would be ensuring that they have multi-factor authentication on all remotely accessible systems. So, devices, applications, anything that can be accessed remotely should have multi-factor authentication. That will help limit some of the impact. As it relates to spam, organizations should really be making sure they've got good email spam-filtering systems in place, and if they have the capability to send out some test emails to their employees, they should do that, right? We are getting numb. I will say, our CIO and their office does it at least once a week where I know I'm getting a very well-crafted email, and I have to really think twice, and it's really made me think differently about opening my email, and making sure that I'm doing some due diligence, to make sure I know where the email's coming from.
One of the things we do, is also any external email is labeled external, so that way if it's a lure that appears to be, it's coming from another employee, but it's actually coming from an external email address, that's another way to help users make some good decisions, and really limit your attack surface, and reduce the threat.

>> I think the points you're making here are very important, because if you think about the work-from-home cadence, it's a lot different. You're not nine to five. I mean, who works nine to five anyway, but your hours are different. Oftentimes, you got children at home. You got dogs barking, kids are crawling all over us on the video. And so, oftentimes, of course we're frenzied at work, but there's a different kind of frenzy, so you might not be as in tune. So, you're basically saying, exercise that a little bit to get people, like a fire drill, to really get them tuned to being sensitized to such phishing attacks.

>> Right, well if you think about this from the viewpoint of an attacker, all of those scenarios that you mentioned, where you have a global pandemic. So, we're not just talking about a regional threat, like a hurricane or a tornado. In a case of a pandemic, or any of these type of situations, people are more likely to be reading the news, be probably checking social media more often, so that they can get an understanding of the latest news and information that may impact them. If you're an attacker, you've got now this kind of environment of global chaos that's been created, and you can use it to your advantage, because the reality is, as long as there's money to be made, attackers are going to want to take advantage of that scenario. So, what we're really talking about is, as you're reading your work email, as you're checking your personal email, taking a step back, slowing things down amidst all the distractions, barking dogs and co-workers now that may be at your house, also known as children, right?
So, we need to really take a step back, and make sure that we are slowing things down, reading and doing due diligence in opening emails that will help all of the CIO and CISO type organizations more effectively to protect their organizations and their clients as well.

>> When you talked about ransomware earlier, and I inferred from your comments that best practice, create an air gap, but I'm wondering also, can analytics play a role there, just in terms of identifying anomalous behavior? What else can I do to protect myself from ransomware?

>> Great question. So, on the visibility side, which I think is what you're talking about, right? How do we detect these types of attacks? There's lots of great software out there. Typically, what we would want is our visibility at the endpoints. So, usually some sort of EDR tool, which is an endpoint detection and response tool. That's going to allow us to capture things. In the old days, we would talk about antivirus software, and now you really have kind of next generation of antivirus software, which also gives you behavioral analytics and actions on the keyboard. We want to be able to detect that in any size environment. So, the more visibility we have into that, the better, but aside from just adopting new technology, potentially, there are best practices steps that we can take, and I mentioned earlier about making sure that you understand what is your most critical and sensitive data, and that you've got it backed up, and a lot of times we go into environments, and they say, "Well yeah, we have backups." This is great, but what they're not realizing, is that oftentimes those backups are connected to the network at all times, and in the case of a ransomware breach, you typically then will see those backups corrupted as well, and organizations will find themselves in a position where they say, "Well, we don't have any valid backups now that we can restore from, in order to make sure that we have a safe environment."
And so, it's important that organizations understand and do a survey of what is their most critical and sensitive data, and then make sure that's backed up offline, and I say that, because it's not usually viable for organizations to have all of their data backed up offline. That costs a lot of money. That requires a lot of storage, but to look at really prioritizing their environment, their data within it, and making sure that they can have access to that which is needed, and then ultimately that's going to prevent you even needing to have the conversation about ransomware, because you still have access to that data.

>> Yeah Wendi, I think you're making some really important points there. The tech obviously, is critical. People shifting to SD-WAN, securing endpoints, securing gateways, but really the processes are very very important, and I'll just throw out an example. If I'm making a snapshot of the Cloud, I'm not backed up. You better make sure that you understand how to recover from that backup, because just that copy is not a backup. You need the proper type of recovery software. You need to test that. Your thoughts on that.

>> Yeah, that's absolutely true. So, what we want to make sure is that during the course of a potential ransomware attack, that the email's critical sensitive data is available offline. So, I mentioned earlier that testing is one of the best things that we're recommending. One of the most effective preparations is having an incident response plan, testing it for particular scenarios, and so in this case, one of the other things that we talk about a lot is limiting the impact of a breach. Every organization is going to get attacked, especially in today's day and age where you've got a larger attack surface.
The win is really limiting the impact of that attack, and limiting the cost, and having an incident response plan, and having a team of people, whether they're internal or external that are responsible for responding to attacks, is the number one cost management. The number one decrease in cost is having access to that team. Typically, it will save an organization over a million dollars when the average cost of a data breach is about $4 million. So, that's pretty significant, and ultimately, if we can test, as you mentioned, those backups, that they are available in an offline scenario. In the course of one of those IR program plans or tests, that's great. It's a win for the organization. They can ensure that that data is going to be available, and it really helps them exercise that muscle memory in advance of an actual attack.

>> Yeah, so the backup corp actually becomes a really even more important component now. This has been great information. Where can people go specifically as it relates to COVID-19? I want to go look up a checklist to make sure. I've been scrambling to get my homeworkers up and running, get them productive, but boy, I really want to focus now on the things that I should be doing to button up my organization. Where can I go to learn more about this?

>> Yeah, so there's so much great information out there, from everyone in the industry, but IBM is clearly no different. So, what we've done is actually repurpose the IBM.com homepage where we've got a tremendous amount of information on COVID-19, and then IBM Security.com as well.
Our team that focuses on breach response, has in particular, a site called X-Force Exchange, where we're sharing indicators, and we have a particular component that's related to COVID-19 specifically, and then lastly, we've got a free service, which is a threat intelligence enclave that we are hosting with our partner TruSTAR, that is specific to COVID-19 where industry organizations can sign up and then share in real time, threat indicators related to this, and have really that intelligence that's been also qualified by their peers, and many large organizations are using that to defend their environments. So, a lot of great resources out there.

>> Wendi, you're an amazing source of knowledge. Thanks so much for coming on theCUBE, and thanks to the X-Force team, doing some travel when necessary, and helping people really get a handle on this in this crazy crisis time. So, thank you very much. I really appreciate it.

>> You're welcome, and certainly stay safe, and thanks for having me on.

>> Back at you. All right, and thank you everybody. This is Dave Vellante for theCUBE. You're watching our continuous coverage of IBM Think 2020 Digital Think. Be right back right after this short break. (uplifting music)

Published Date : May 5 2020

