>> Narrator: From theCUBE Studios in Palo Alto and Boston, it's theCUBE, covering IBM Think, brought to you by IBM. >> Hi everybody. Welcome back to theCUBE's continuous coverage of IBM Think 2020, the digital version of IBM Think. Wendi Whitmore is here. She's the vice president of IBM X-Force Threat Intelligence. Wendy, thanks for coming on. >> Thanks for having me. I'm excited to be here. >> Yeah, you're welcome. With a name like X-Force. That is a killer name. Tell us about X-Force. How are you protecting us? >> Yeah, we get a lot of interesting questions. So, my team is responsible for a pretty wide range of things. They range from incident response. So, when you think of data breaches, typically organizations will call an outside firm, and they'll jump on a plane and respond to threats on-site. Obviously right now, we're jumping on a bit fewer planes, but we still are helping our customers investigate data breaches, and we are on-site when needed. We also have a team of threat intelligence analysts and researchers, who are experts in a wide range of fields from geopolitical issues to cyber-related issues to industry specific. And then we've also got a team that does data breach simulations in a very immersive environment. We've got facilities at Cambridge Massachusetts, as well as within Europe, and now of course, we're bringing all those virtual as well. So, really anything that helps our clients respond more effectively to a data breach is something that we do. >> So, X-Force is traveling right now on empty planes, I presume. >> We are as needed. So, many clients have certainly shifted to where their whole environments are off-site and working remote as well, but we still have clients who are asking us to work on-site, and in those cases we have added a new protective gear to our go-backs, which are usually equipped with hard drives and disc imaging software and passports, and now we have some additional equipment to bring as well. >> And that breach simulation that you talked about. So that's what, like a penetration test, or in similar type of activities? >> Yeah, great question. No, it's actually an immersive environment where we go in, and actually simulate an entire breach for our clients. So, everything from the initial attack, how they would do the data analytics, to things like, how do they respond to the press, and inquiries from the press about the breach, how do they do media training, how they work with their legal counsel. So, it's really a comprehensive immersive environment that simulates kind of the heart pounding that occurs when you actually respond to a data breach. >> Oh, that's awesome, so that mean best practices in communications as well and the PR. I mean, that is obviously, maybe something that's often overlooked, but something that you guys are applying best practice to. >> Wendi: It's such a huge piece of it now, right? Our organizations are not always graded just on the breach itself, but more so on how they respond and how they communicate. The good news is, in that scenario that you can communicate effectively about a breach, and you can have something pretty negative that happens to your organization, but if you respond well, and you communicate really effectively to your clients and to the public, we've seen time and again that those brands actually have no reputational damage, and if anything, their clients trust them even more moving forward. >> We were early on when recording the, just trying to measure the budget impact of COVID-19, but we were early in recording the work from home shift. About 20% of the CIO organizations that we surveyed, actually spending more, or planning to spend more, but many weren't prepared for this work from home. They had to really beef up, and not just adding licenses of video collaboration software, but security for sure, a VPN infrastructure, et cetera. So, can you talk a little bit about how clients have responded, how you've helped them respond to that shif? How has the threat matrix changed? >> Well, so in terms of the attack surface, you mentioned there's a lot more people working from home, right? So, what we've got is over 220 million people in the United States, over one billion people in India alone, that are now working from home. So as you can imagine, that attack surface has really increased from an attacker perspective, right? And coupled with that, is that since March 1st, we've already seen a 6000% increase in coronavirus related spam. So, you've now got this larger attack surface that organizations need to protect against, and you've got an increase in threats and threat activity that is attacking them. So, from that perspective, pretty difficult for CIOs who are used to defending an environment that may be more on-site, and now have this really wide range of attack surface certainly more difficult for them to respond to. The other thing that we've seen, so one of the things that's super critical in these types of situations is to have an incident response plan, and to make sure that you're testing it. So, in our work that we've done both with our incident response teams, as well as with the teams that train clients in how to respond to breaches more effectively, we've seen that 76% of organizations don't actually have a consistently tested or applied incident response plan, and one in four have no plan at all. So, I will say that in terms of how we're working with clients, the first thing that any organization can do right now, is actually, have a plan and test it. So, if you're starting from scratch, it's really as simple as putting words on paper, understanding how you're going to get a hold of your critical team members, having a backup plan in place for communication strategies if your primary infrastructure goes offline. So making sure you know how to get a hold of your personnel. If you're more mature, then what we're really encouraging our clients to do is have a variety of scenarios that they're testing against, and make sure that they're running through those. So, a great one to practice right now, would be a ransomware attack. In particular, how does your organization respond effectively to it? What do you do when you get the initial notification? Do you have critical and sensitive data that's backed up offline, and not always connected to the network? If so, you're going to be in a much better spot to effectively defend against those attacks and limit any of the negative impact to them. >> So, a couple things I want to sort of follow up in. So, what I heard was you've got more fragile work-from-home infrastructure, and you've got somewhat, well, significantly more vulnerable users. I've often said, bad user behavior is going to trump good security infrastructure every time. So, you've got many more opportunities for the bad guys to get in. And so, I'm hearing that threat response is now more critical than ever. It's always been critical. The communication to the board has been hey, chances are we're going to get infiltrated. We got to find it fast, and it's really about response, incident response. We can build modes, we can build layers, but we have to put a plan for that response. And so, it sounds like that's something that maybe is heightened as a result of this COVID-19 crisis. >> Wendi: Oh, it absolutely is. I think it's now more critical than ever. I think there's two approaches, right? So, one of them would be improvising through chaos, which we don't necessarily encourage, right? There's a difference between that and really managing through disruption, and that's what we're encouraging our clients to do, is look at how we can create sustainable processes and procedures. You may have a very well-established team that does response, but perhaps they haven't worked remotely before. So, that means testing those procedures, now taking them to a scenario where everyone is remote. What does that mean? It may mean that you need to capture less data over the network, because perhaps you just don't have the bandwidth or the capacity to do it. We've certainly looked at how we do that. How do we answer questions that are critically needed from an investigative perspective, for example, but without maybe all the resources that we would prefer to have. So, what we're really looking at, is kind of shifting in the way that we manage through these. And then, you mentioned that users who maybe sometimes make bad decisions, right? We're all guilty of that, because especially with that increase in spam, there's also been an increase in Nation-State actors who are now sending out new lures and new attempts to get access to environments that are related to coronavirus. So, we've got cyber criminals, Nation-State actors, everyone, and we're now at home looking to effectively defend. So, some things that organizations can do with that, would be insuring that they have multi-factor authentication on all remotely accessible systems. So, devices, applications, anything that can be accessed remotely should have multi-factor authentication. That will help limit some of the impact. As it relates to spam, organizations should really be making sure they've got good email spam-filtering systems in place, and if they have the capability to send out some test emails to their employees, they should do that, right? We are getting numb. I will say, our CIO and their office does it at least once a week where I know I'm getting a very well-crafted email, and I have to really think twice, and it's really made me think differently about opening my email, and making sure that I'm doing some due diligence, to make sure I know where the email's coming from. One of the things we do, is also any external email is labeled external, so that way if it's a lure that appears to be, it's coming from another employee, but it's actually coming from an external email address, that's another way to help users make some good decisions, and really limit your attack surface, and reduce the threat. >> I think the points you're making here are very important, because if you think about the work-from-home cadence, it's a lot different. You're not nine to five. I mean, who works nine to five anyway, but your hours are different. Oftentimes, you got children to hone. You got dogs barking, kids are crawling all over us on the video. And so, oftentimes, of course we're frenzied at work, but there's a different kind of frenzy, so you might not be as in tune. So, you're basically saying, exercise that a little bit to get people, like a fire drill, to really get them tuned to being sensitized to such phishing attack. >> Right, well if you think about this from the viewpoint of an attacker, all of those scenarios that you mentioned, where you have a global pandemic. So, we're not just talking about a regional threat, like a hurricane or a tornado. In a case of a pandemic, or any of these type of situations, people are more likely to be reading the news, be probably checking social media more often, so that they can get an understanding of the latest news and information that may impact them. If you're an attacker, you've got now this kind of environment of global chaos that's been created, and you can use it to your advantage, because the reality is, as long as there's money to be made, attackers are going to want to take advantage of that scenario. So, what we're really talking about is, as you're reading your work email, as you're checking your personal email, taking a step back, slowing things down amidst all the distractions, barking dogs and co-workers now that may be at your house, also known as children, right? So, we need to really take a step back, and make sure that we are slowing things down, reading and doing due diligence in opening emails that will help all of the CIO and CISO type organizations more effectively to protect their organizations and their clients as well. >> When you talked about ransomware earlier, and I inferred from your comments that best practice, create an air gap, but I'm wondering also, can analytics play a role there, just in terms of identifying anomalous behavior? What else can I do to protect myself from ransomware? >> Great question. So, on the visibility side, which I think is what you're talking about, right? How do we detect these types of attacks? There's lots of great software out there. Typically, what we would want our visibility at the endpoints. So, usually some sort of EDR tool, which is an endpoint detection and response tool. That's going to allow us to capture things. In the old days, we would talk about antivirus software, and now you really have kind of next generation of antivirus software, which also gives you behavioral analytics and actions on the keyboard. We want to be able to detect that in any size environment. So, the more visibility we have into that, the better, but aside from just adopting new technology, potentially, there are best practices steps that we can take, and I mentioned earlier about making sure that you understand what is your most critical and sensitive data, and that you've got it backed up, and a lot of times we go into environments, and they say, "Well yeah, we have backups." This is great, but what they're not realizing, is that oftentimes those backups are connected to the network at all times, and in the case of a ransomware breach, you typically then will see those backups corrupted as well, and organizations will find themselves in a position where they say, "Well, we don't have any valid backups now "that we can restore from, in order to make sure "that we have a safe environment." And so, it's important that organizations understand and do a survey of what is their most critical and sensitive data, and then make sure that's backed up offline, and I say that, because it's not usually viable for organizations to have all of their data backed up offline. That costs a lot of money. That requires a lot of storage, but to look at really prioritizing their environment, their data within it, and making sure that they can have access to that which is needed, and then ultimately that's going to prevent you even needing to have the conversation about ransomware, because you still have access to that data. >> Yeah Wendi, I think you're making some really important points there. The tech obviously, is critical. People shifting to SD-WAN, securing endpoints, securing gateways, but really the processes are very very important, and I'll just throw out an example. If I'm making a snapshot of the Cloud, I'm not backed up. You better make sure that you understand how to recover from that backup, because just that copy is not a backup. You need the proper type of recovery software. You need to test that. Your thoughts on that. >> Yeah, that's absolutely true. So, what we want to make sure is that during the course of a potential ransomware attack, that the email's critical sensitive data is available offline. So, I mentioned earlier that testing is one of the best things that we're recommending. One of the most effective preparations is having an incident response plan, testing it for particular scenarios, and so in this case, one of the other things that we talk about a lot is limiting the impact of a breach. Every organization is going to get attacked, especially in today's day and age where you've got a larger attack surface. The win is really limiting the impact of that attack, and limiting the cost, and having an incident response plan, and having a team of people, whether they're internal or external that are responsible for responding to attacks, is the number one cost management. The number one decrease in cost is having access to that team. Typically, it will save an organization over a million dollars when the average cost of a data breach is about $4 million. So, that's pretty significant, and ultimately, if we can test, as you mentioned, those backups, that they are available in an offline scenario. In the course of one of those IR program plans or tests, that's great. It's a win for the organization. They can ensure that that data is going to be available, and it really helps them exercise that muscle memory in advance of an actual attack. >> Yeah, so the backup corp is actually becomes a really even more important component now. This has been great information. Where can people go specifically as it relates to COVID-19? I want to go look up a checklist to make sure. I've been scrambling to get my homeworkers up and running, get them productive, but boy, I really want to focus now on the things that I should be doing to button up my organization. Where can I go to learn more about this? >> Yeah, so there's so much great information out there, from everyone in the industry, but IBM is clearly no different. So, what we've done is action repurpose at IBM.com homepage where we've got a tremendous amount of information on COVID-19, and then IBM Security.com as well. Our team that focuses on breach response, has in particular, a site called X-Force Exchange, where we're sharing indicators, and we have a particular component that's related to COVID-19 specifically, and then lastly, we've got a free service, which is a threat intelligence enclave that we are hosting with our partner TruSTAR, that is specific to COVID-19 where industry organizations can sign up and then share in real time, threat indicators related to this, and have really that intelligence that's been also qualified by their peers, and many large organizations are using that to defend their environments. So, a lot of great resources out there. >> Wendy, you're an amazing source of knowledge. Thanks so much for coming on the theCUBE, and thanks to the X-Force team, doing some travel when necessary, and helping people really get a handle on this in this crazy crisis time. So, thank you very much. I really appreciate it. >> You're welcome, and certainly stay safe, and thanks for having me on. >> Back at you. All right, and thank you everybody. This is Dave Vellante for theCUBE. You're watching our continuous coverage of IBM Think 2020 Digital Think. Be right back right after this short break. (uplifting music)

>> Announcer: Live from Las Vegas, it's The Cube. Covering IBM Think 2018, brought to you by IBM. >> Welcome back to IBM Think 2018. My name is Dave Vellante and you're watching The Cube, the leader in live tech coverage. This is IBM's inaugural Think event. Companies consolidated about six major events into one We're trying to figure it out, 30-40,000 people there's too many people to count, it's just unbelievable. Mary O'Brien is here, she is the vice president of research and development at IBM in from Cork, Ireland. Mary, great to see you, thanks for coming on The Cube. >> Thank you, Dave. >> So tell us a little bit more about your role at IBM as head of research and development. >> Okay so I'm head of research and development for IBM Security explicitly so in that capacity I manage a worldwide team of researchers and developers and we take products from, you know, incubation, initial ideas all the way through to products in the field. Products that help defend businesses against cyber crime. >> So, Jenny was talking today about, you know, security is one of the tenants of your offerings at the core. >> Mary: Yes. >> So, everybody talks about security. >> You can't bolt it on, you know, there's a lot of sort of conversations around that. What does that mean, security at the core from a design and R & D perspective? >> That actually means that the developers of applications are actually aware of security best practices as they design, as they architect and design their applications. So that they don't deliver applications to the field that have vulnerabilities that can be exploited. So, instead of trying to secure a perimeter of an application or a product or, you know, a perimeter full stop they actually design security into the application. It makes it a much more efficient, much cheaper way to deliver security and also, you know, much stronger security base there. >> So, I wonder if you could relate, sort of, what you guys are doing in security with what's happened in the market over the last 10 or 15 years. So, it used to be security was, you know, hacktivists and you know throw some malware in and maybe do some disruption has become cyber criminals, you know, big business now and then of course you've got nation states. >> Mm-hmm How have you had to respond specifically within the R & D organization to deal with those threats? >> So, you know, you have described the evolution of cyber crime over the last years and for sure it's no longer kids in a basement you know, hacking to, for the fun of it. Cyber crime is big business and, you know, there's money to be made for cyber criminals. So, as a result they are looking to hack in and get high value assets out of enterprises, and of course, we as an organization and as a security business unit have had to respond to that. By really understanding, you know, what constitutes a very mature set of security competencies and practices and you know how we break down this massive problem into you know, bite sized consumable pieces that any business can consume and work into their enterprise in order to protect them. So, we have developed a portfolio of products that look at protecting all parts of your enterprise. You know, by infusing security everywhere, you know, on your devices, on the, you know, the perimeter of your business. Protecting your data, protecting all sorts, and we also have developed a huge practice of security professionals who actually will go out and do it for you or will, you know, assess your security posture and tell you where you've got problems and how to fix them. >> I remember a piece that our head of research, >> Peter Burris, wrote years ago and it was entitled something like "Bad User Behavior will Trump Good Security Every Time" and so my understanding is phishing is obviously one of the big problems today. How do you combat that, can you use machine intelligence to help people, you know, users that aren't security conscious sort of avoid the mistakes that they've been making? >> So, before I get into the, the complicated, advanced, you know, machine learning and artificial intelligence practices that we are bringing to bear now, you know, it's important to be clear that you know, a vast number of breaches come from the inside. So, they come from either the sloppy employee who doesn't change their password often or uses the same password for work and play and the same password everywhere. Or, you know, the unfortunate employee who clicks on a malicious link and you know, takes in some malware into their devices and malware that can actually you know, move horizontally through the business. Or it can come from you know, the end user or the insider with malicious intent. Okay, so, it's pretty clear to all of us that basic security hygiene is the fundamental so actually making sure that your laptop, your devices are patched. They have the latest security patches on board. Security practices are understood. Basic password hygiene and et cetera, that's kind of the start. >> Uh oh. >> Okay keep going. >> Okay, so-- >> I'm starting to sweat. >> So, you know, and of course, you know, in this era of cyber crime as we've seen it evolve in the last few years, the security industry has reached a perfect storm because it's well known that by 2020 there will be 1.2 million unfilled security professional roles, okay? Now, couple that with the fact that there are in the region, in the same time frame, in the region of 50 billion connected devices in the internet of things. So what's happening is the attack landscape and you know, the attack surface is increasing. The opportunity for the cyber criminalist to attack is increasing and the number of professionals available to fight that crime is not increasing because of this huge shortage. So, you know, you heard Jenny this morning talking about the era of man assisted by machine so infusing artificial intelligence and machine learning into security products and practices is another instantiation of man being assisted by machine and that is our, our tool and our new practice in the fight against cyber crime. >> So when I talk to security professionals consistently they tell us that they have more demand for their services than supply to chase down, you know, threats. They have, they struggle to prioritize. They struggle with just too many false positives and they need help. They're not as productive as they'd like to be. Can machine intelligence assist there? >> Absolutely, so computers, let's face it, computers are ideally placed to pour over vast quantities of data looking for trends, anomalies, and really finding the needle in the haystack. They have such a vast capacity to do this that's way out, you know, that really surpasses what a human can do and so you know, with, in this era of machine learning you can actually you know, equip a computer with a set of basic rules and you know, set it loose on vast quantities of data and let it test and iterate those rules with this data and become increasingly knowledgeable you know, about the data. The trends in the data, what the data, what good data looks like, what anomalous data looks like and at speed point out the anomalies and find that needle in the haystack. >> So, there's a stat, depending on which, you know, firm you look at or which organization you believe, but it's scary none the less. That the average penetration is only detected 250 or 350 days after the infiltration, and that is a scary stat, it would take a year to find out that somebody has infiltrated my organization or whatever it is, 200 days. Is that number shrinking, is the industry as a whole, not just IBM, attacking that figure? First of all, is it a valid figure, and are you able to attack that? >> Well, the figure is definitely scary. I don't know whether your figure is exactly >> Yeah, well the latest figure but it's a scary figure >> Yeah. and it's well known that attackers will get in. So, of course, there's, uh there's the various phases of, you know, protecting yourself. So, you're going to try to avoid the attackers getting in in the first place. Using the various hygienic means of you know, keeping your devices, you know, clean and free from vulnerabilities and so on. But you've also got to be aware that the attacker does get in so now you've got to make sure that you limit the damage that they can cause when they're in. So, of course, you know security is a, you know you can take a layered approach to security. So you've got to firstly understand what is your most valuable data, where are your most valuable assets and layer up the levels of security around those first. So you make sure that if the attacker gets in, they don't get there and you limit the damage they can do and then of course you limit their ability to exfiltrate data and get anything out of your organization. Because I mean if they are just in there, of course they can do some damage. But, the real damage happens when they can manage to exfiltrate data and do something with that. >> So again Mary, it make sense that artificial intelligence or machine intelligence could help with this but specifically what do you see as the future role of Watson as it relates to cyber security? >> So, I mentioned the shortage of security professionals and that growing problem, okay so Watson in our cyber security space acts as an assistant to the security analyst. So, we have taught Watson the language of cyber security, and Watson manages to ingest vast troves of unstructured security data, that means blogs and you know, written text of security data from, that's available on the internet and out there all day, everyday. It just ingests this and fills a corpus of knowledge with this, with these jewels of information. And, basically that information and that corpus of knowledge is now available to a security analyst who, you know, a junior security analyst could take years to become very efficient and to really be able to recognize the needle in the haystack themselves. But with the Watson assistant they can embellish their understanding and what they see and all of the, all of the relationships and the data that augments the detail about a cyber incident you know, fairly instantaneous. And it, you know, really augment their own knowledge with the knowledge that would take years to generate, you know. >> So, I wonder if we could talk about collaboration a little bit because this is good versus evil. You guys are like one of the super heroes and your competitors are also sort of super heroes. >> Of course. >> You got Batman, you got Superman, Catwoman, and Spiderman, et cetera. How do you guys collaborate and share in a, highly competitive industry? Well, they're vary as far as you know, appearing for sharing okay, so firstly you absolutely nailed the importance for sharing because you know, the cyber criminals share on the dark web. They actually share, they sell their wares, they trade, you know so very important for us to share as well. So, you know, there are various industry forum for sharing and also organizations like IBM have created collaborative capabilities like we have our X-force Exchange which is basically a sharing portal. So, any of our competitors or other security organizations or interested parties can create you know, a piece of work describing a particular incident that they are investigating or a particular event that's happening and others can add to it and they can share information. Now, historically people have not been keen to share in this space so it is an evolving event. >> So speaking of super heroes I got to ask ya, a lot of security professionals that I talk to say well when I was a kid I read comic books. You know, I envisioned saving the world. So, how did you, how did you get into this, and was that you as a kid? Did you like-- >> No, it wasn't. I'm not a long term security professional. But, I've been in technology and evolving products for, you know, in the telecommunication business and now security over many years. So, I got into this to bring that capability of delivering quality software and hardware products to the field back in 2013 when a part of our IBM security business needed some leadership. So, I had the opportunity to take my family to Atlanta, Georgia to lead a part of the IBM security business then. >> Well, it's a very challenging field. It's one of those, you know, never ending, you know, missions so thank you for your hard work and congratulations on all the success. >> Thank you David. >> Alright, appreciate you coming on The Cube, Mary. >> Thank you. >> Keep it right there everybody, we will be back with our next guest, you're watching The Cube. We're live from IBM Think 2018 in Las Vegas, be right back. (pleasant music)