
Tony Giandomenico, Fortinet FortiGuard Labs | CUBEConversation, February 2019


 

(dramatic string music)
>> Hi, I'm Peter Burris and welcome to another theCUBE Conversation from our outstanding studios here in beautiful Palo Alto, California. Like all our CUBE Conversations, we've got a great one today. In this one we're going to talk about some of the trends that people are experiencing in the world of security and threats. And to have that conversation, we've got Tony Giandomenico, who's a senior security strategist and researcher at Fortinet's FortiGuard Labs. Tony, welcome back to theCUBE.
>> Hey Peter, how ya doin' man? It's great to be here.
>> It's great to see you again, Tony. Look, we've had this conversation now for at least four quarters and FortiGuard Labs has published their overall threat analysis for at least the past couple of years and that's what we're going to talk about today. So, give us a little bit of an overview of what this report entails. Where does the data come from and how are you using it within Fortinet and FortiGuard Labs?
>> Sure, sure, well, so this is a quarterly threat landscape report, right? So obviously, we do it on a quarterly basis and it's really geared towards the IT security professional from the CSO all the way down to, you know, the folks that are actually in the operations, you know, the daily operations. And we're getting billions of events that we're observing in real-time production environments and we're looking specifically at application exploits, we're looking at malware, we're looking at botnets, and we hope to be able to identify different trends and then maybe be able to translate that to the IT security professional to be able to figure out where they should be focusing their security efforts.
>> Yeah, and I think that's an important issue because you can't know what you should do next if you don't know what's happening right now or what has happened recently. But you've tried to provide, let's call it a more general flavor to the report this year in the sense that you've introduced some indices that show trends over time. Talk to us a little bit about that.
>> Sure yeah, so last quarter we finally introduced what's referred to as our threat index. And what we were trying to do is be able to track the ebbs and flows of threats over time and like you know, we always break down our exploits or our threats into application exploits, malware and botnets, so each one of them also has its individual index. Now, although there were some peaks and valleys and application exploits did hit an all-time high, at the end of the quarter, it ended up around the same as the threat index did last quarter, and I think a lot of that may be actually driven by the holiday season. Now, if I had a crystal ball, I would probably think that in future quarters, the threat index is probably going to continue to increase.
>> And I think that there's a couple of reasons for that, right? When you say it's the holiday quarter, the overall threat index goes down because as people spend time at home for the holidays, take vacation, a little less time at work, they're opening fewer malicious files from fewer unknown sources or bad websites. But I think you've made the point multiple times that just because they're not opening a bad file in an email attachment right now, doesn't mean that they're not going to open it when they get back from work.
>> Yeah, that is definitely true, but you know what? Maybe they are more focused and they'll be more attentive to looking at their email. I will also say, the bad guys need a break too, right? So, when a holiday season comes around, I mean, they're going to probably slow down some of their malware and some of their exploits and you know, just kind of enjoy the holidays.
>> (laughs) Good for them. All right, so let's take a look at each of the different areas. The overall threat index is comprised of, as you said, the application exploits, malware and botnets. So, let's take them one at a time. What did we see in the threat index as it pertains to application exploits? What were the big trends?
>> Well, of the top 12, six of them, you know Peter, do you know what, the six exploits we're focusing on for the top 12, any idea?
>> I read the report so yes, but tell us.
>> Okay, yes, IoT. Now, that's not like extremely interesting because we continue to see that quarter over quarter the adversaries are targeting more of the IoT devices, which makes sense, right? I mean, there's a lot of them out there, the volume is there, and of course, they're not as secure as they typically need to be. But what's interesting though, out of those six, four of them happen to be IP cameras, right? So, these monitoring devices that are monitoring your physical security, the adversaries are targeting those a little bit more because they understand that this cyber world and the physical security, they're combining, and when they're combining, if you're bringing over a physical security device that already has vulnerabilities, you're bringing that vulnerability with you, and that would just open up an opportunity for the adversary to be able to penetrate into that particular device and then get access to your internal network.
>> Yeah, let me ask you a question, Tony, because I was very interested in the incidents related to cameras because cameras are kind of one of those domains, one of those technologies, one of those use cases that is somewhere between the old OC world or the OT world, the operational technology world, and the IT world or the IoT world, where in the OT world folks have spent an enormous amount of time making sure that the devices that they utilize are as secure as they possibly can be. I mean, they've got huge teams devoted to this. In the IoT world, we're working on speed, we're working on software-defined, we're working on a little bit more generalization. But this notion of cameras just kind of coming in from an IoT side but hitting the OT side, is that one of the reasons why cameras in particular are vulnerable? And does that tell us something about how IT and OT have to work together based on the data that we're seeing in the report?
>> Yeah, I mean, I would totally agree, right? Because a lot of those different types of technologies have been isolated, meaning that not everybody had the ability to reach out and touch it, maybe security, you know, wasn't top of mind here, but now that convergence is taking place, it's really top priority to make sure that if you are merging those things together, make sure that those devices are part of your threat and vulnerability management process 'cause now vulnerabilities that may actually be introduced from that particular device can affect your entire cyber assets.
>> Yeah, I think it's a great point. The cheap, what one might regard as constrained devices, nonetheless have awesome processing power and if they're connected can have enormous implications. Okay, let's move from the application exploits into the malware world. What was the big trend in malware in this past report?
>> Sure, sure, yeah, so what we continue to see, and I think this is great, sharing information, sharing threat information, sharing malware samples, is awesome and we've been doing it for a long time and we continue to see more and more publicly available sources for showing exploits, for showing malware, you know, open source malware and that's great because as a cyber defender, it's great that I can research this and I can ensure that I have the right detections and ultimately the right protections against those particular threats. I would also add that we have such a skills shortage, right? I mean, we're trying to build up our future cyber warriors and the way we want to be able to do that obviously is through a lot of training and we can give them great examples that they can actually glean and learn from. And so all of this is good but at the same time, when you have all this information out there, you know, freely available, of course, the adversaries have access, they have access to it as well. So, what that means is, I'll give you an example, Peter. You'll download, let's say there's open source malware that's ransomware. You can download that, modify the Bitcoin address of where that victim is supposed to send the ransom, and you just operationalized this ransomware. But then again, you might be saying well, you know, you just said that it's available for us to be able to research and have better detections and you're right, most of the time we'll detect that. But now, you add in the fact that there's a whole bunch of open source evasion tools that you can run your malware through that would obfuscate possibly the malware enough that it can circumvent some of the actual security controls that you have in place. So, it's a good thing but we do continue to see some of the bad guys leverage it as well.
>> So, let me see if I can put that in the context of some overall industry trends. Historically, the things that got the greatest install base were the targets that were preferred by bad actors because they could do the most damage in those large numbers and open source, as we improve these toolings, we see more people flock to that set of tools and as those tools become more popular, they both have more value to the enterprise as a protection, but they become increasingly obvious targets to the bad actors. Is that kind of what you're saying?
>> Yeah sure, it's almost like the cybercrime ecosystem, the actual tools that are available, the services that are available at your fingertips, no longer do you need to be an expert to begin a life of cybercrime, you just need to know where to get these resources and that is what's really driving the volume of attacks these days, so you're absolutely right, Peter.
>> So, we've talked a little bit about application exploitation, we've talked a little about malware, now these are things that we look at before the system gets compromised. We're really concerned about avoiding them getting a footprint or hold within our system. Now, let's talk about botnets, which are particularly interesting because often the botnet gets turned on and becomes a source of danger after the compromises take place. What do trends in botnets tell us?
>> Sure, sure, yeah, so one interesting point in botnets in quarter four was the fact that the initial botnet infections per firm were up 15% from the quarter before, so what that means is, on average, each firm saw about 12 botnet infections for that quarter and that kind of translates into, out of maybe the 91 days that you have in that quarter, 12 of those days, they actually had some type of botnet infection that they had to actually respond to, right? 'Cause they got to respond. Like you said Peter, the infection's already there, somehow the payload circumvented their security defenses, it's on there and it's trying to communicate out to its command and control infrastructure, whether it's to download other malware, whether it's to actually possibly provide different types of commands to execute their cyber mission, whatever it is, it's there, and that's where we were sort of triggering on it. And I'll add to this, because of this, you got to invoke your incident response process, which means you're taking time, you're taking resources away from folks that are probably working on other projects to be able to help them fortify their overall security program more, which I think underscores the need to be able to ensure that you're leveraging technology to help you make some of these automated decisions, with being able to prevent and ultimately, hopefully, be able to remediate those threats.
>> Yeah, so we've seen application exploits down a little bit, malware down a little bit, largely because the fourth quarter's a holiday quarter. We've seen botnets also follow those trends but still we have to be concerned about the number of net new days in which a botnet is operating. Is there something that we started to see in the data that requires new thinking, new approaches? What about all these memes that people are downloading, for example?
>> (laughs) Yeah, I tell ya, you know social media, right? Love pictures. You know, whether it's Facebook, whether it's Twitter, you know, Instagram, words are good, but what's even better it seems is pictures. People love pictures and adversaries know that, so with an attack leveraging steganography, I think I spoke about that a couple, maybe it was last year, you know sometime, we talked about that, but if you don't remember, steganography is really the art of hiding something in a picture file, whether it was a message, whether it was a malicious payload or it could even be different types of commands that the adversary wants to do to overall be able to complete their cyber mission, so they hide that information in there. And for the adversaries to be able to attack or leverage a steganography attack, they use social media as a means of that communication. And what's interesting about that is nowadays, you know, maybe 10 years ago, not as much, but nowadays, social media traffic and apps are kind of acceptable on a network these days, right? The marketing organizations' comms and PR, they leverage these social media sites. It's a key part of their overall plan, so you're going to see a lot of social media traffic in the network, so the adversary, if they can blend in with that normal traffic, they may go unnoticed for quite some time.
>> So, as new sources of data are exploited by the business to engage their customers, like social media, new technologies or new concepts like steganography or, steganography's been around for a long time, but it's new to a lot of people, becomes something that increasingly has to be observed and tracked and acted upon.
>> Yeah, you know I always say this is like, we want to continue to advance technology, right? We want to leverage it, why? Because overall, it makes our society better. Makes my life better, makes your life better, makes everybody, you know, future generations' lives better, but we need to make sure that we are securing the advancement of that actual technology, so it's a constant kind of catch-up game for us.
>> Yes, I need my cat pictures, Tony. All right, so I want to do one last thing here. We learned a lot in the overall FortiGuard Labs reports over the past few quarters, certainly since you've come on theCUBE, I've learned a lot, and I'm sure everybody who's been watching these CUBE Conversations has learned a lot as well. Let's now think about some recommendations. If we kind of quickly summarize what happened in 2018, what does it tell us about things that people should do differently in 2019? What are the kind of two or three key recommendations that FortiGuard Labs is putting forward right now?
>> Yeah, I think one of the things that we continue to see is just how these threats are becoming bigger, faster, stronger, right? And that's really being sort of driven by the cybercrime ecosystem, the advancement of these types of attacks. So, how do you continue to ensure that you can keep up with this sophistication and this volume? And I'll kind of make it simple at a high level, obviously it goes a lot deeper, but the first thing is having awareness. I really feel people don't truly know what they're actually protecting within all of their cyber assets. What are the operating systems? What software? Where are they located? Where is their data located? How is their data flowing from system to system? I don't think they have a good understanding of that, so having that awareness, right? It's getting even harder now because it's cloud, right? It's on your workstation, it's in the cloud, it's all over the place. So, it's good to get a handle on that, and once you have that, you need to act on it. So, whether it's identifying vulnerabilities that need to be, say, patched or whether it's finding some type of threat in your environment and taking action, it's important that we need skilled resources to be able to deal with that. But I would say, once again, look at automation. How can you leverage technology to be able to communicate with each other through open APIs and make some automated decisions for you, isolate those threats, allow you to fight through the attack a little bit more so you can figure out what to do? Ultimately, hopefully it's going to minimize the impact of that one breach. And I would say this, threats are going to get in, but if you can continue to resist that threat before it gets into the core of your network, that's a win for everybody. So, continue to resist is a big one. That initial access, it's going to happen. Continue to resist, so you can ensure the minimization of the actual impact of that risk, of that threat.
>> I got two quick comments about that, Tony. Tell me if I can summarize this right. One is that, look, everybody's going to digital, everybody's going through digital transformation, very few firms however have truly adopted an asset-oriented approach to their data. What you're saying is security is how you go about making your data private so that you get value out of it and not bad people. That's I think kind of an overarching statement, that this is a business problem that has to be treated like a business problem and invested in like a business problem. The second thing
>> Possible.
>> that I would say, and let me see if I got this right, that the idea ultimately, that data stays in one place and is used only in one way is wrong. It's going to change over time, and we have to acknowledge that there's not one approach to how we go about data security and handling these threats. There are differences in application exploitation, differences in malware and as you've said, botnets are indications that something's already happened, so we have to use a more balanced, comprehensive view to how we think about handling the threats against us. Have I got that right?
>> Yeah, absolutely. And I'll just end it with that, there's a lot of things that you have to deal with, and we have such a cybersecurity shortage, and you can never get to everything, but like you had said, it's a business issue. If you can understand your critical business processes and focus on those things, those assets, that data, that is going to be how you're going to prioritize and ensure that you can minimize the overall impact of an actual threat that may actually enter into your environment.
>> Tony Giandomenico, senior security strategist and researcher at FortiGuard Labs at Fortinet. Once again Tony, thanks for being on theCUBE.
>> It's always a pleasure, Peter.
>> And always love having Tony G. on. Hopefully, you've enjoyed this CUBE Conversation as well. Until next time, I'm Peter Burris. Talk to you soon. (upbeat string music)

Published Date : Feb 22 2019



Michael DeCesare, ForeScout Technologies | RSA North America 2018


 

>> Announcer: From downtown San Francisco, it's theCUBE. Covering RSA North America 2018. >> Hey welcome back everybody, Jeff Frick here with theCUBE. We're at RSA North America 2018 in San Francisco. 40,000 plus people talking security, enterprise security, cloud security, a lot going on. It just continues to get more and more important. And we're really excited for our next guest who's been playing in the enterprise space for as long as I can remember, which has been a little while. Mike Decesare, he's the CEO and President of ForeScout. Mike, great to see you. >> Started my career off when I was one. (Jeff laughs) So, I've been in this for a long time. >> You have been in it a long time. So you guys now you're all about, right so there's so much stuff going on in security and security is one of these things that I have to look at it as kind of like insurance. You can't put every last nickel in security, but at the same time, you have to protect yourself. The attack surfaces are only growing with IIoT and we were at an autonomous vehicle show, and 5G is just coming around the corner, and all these connected devices and APIs. So you guys have a pretty unique approach to how you top level think about security called visibility. Explain that to us. >> So visibility is the next big thing in the world of cybersecurity and the dynamic is very basic. It's, for 20 plus years, CIOs and CSOs were substantially able to control everything that was on their network. You'd buy your servers and Windows machines and Blackberries for your employees and then there was very little tolerance for other devices being on those organization's networks. And what happened 10 years ago this year, with the birth of the iPhone was that CIOs, those same CIOs now had to deal with allowing things onto their network that don't subscribe to those same philosophies and when you can't buy it and outfit it with security before you put it into the environment. 
And that's the gap that ForeScout closes for organizations is we have an agentless approach which means we plug into the network infrastructure itself and we give customers visibility into everything that is connected to their network. >> So that begs a question, how do you do that without an agent? I would imagine you would put a little agent on all the various devices. So what's your technique? >> We actually don't. That's the secret sauce of the company is that >> okay >> you know over 10 years ago, we recognized this IoT trend coming because that's, that's the thing in the world of IoT is unlike the first kind o' 20 years of the internet, there was a substantially smaller number of operating systems, most of them open. The different characteristic about the current internet is that many of these use cases are coming online as closed proprietary operating systems. The example I use here is like your home. You know, you get a Nest thermostat and you put in on your network and it monitors, you know, heating and cooling but the device, the operating system, the application is all one consumer device. It doesn't run Windows. You can't install antivirus on you Nest thermostat. So our approach is we plug into the network infrastructure. We integrate to all of the network vendors, the firewall vendors, the wireless controlling vendors and we pull both active and passive techniques for gathering data off those devices and we translate that into a real-time picture of not just everything connected to the network but we know what those devices are without that client having to do anything. >> So you have what you call device cloud or yeah, ForeScout device cloud. So is that, is that a directory of all potential kind of universe of devices that you're querying off of or is that the devices within the realm of control of your of your clients directly? >> It's the second. 
It's the, so the way that our product works is we plug into the network infrastructure so anything that requests an IP address, whether is wired and wireless in the campus environment, whether it's data center or cloud in the data center environments or even into the OT space, anything that requests an IP address pops onto our radar the second it requests that address. And that cloud that we've built, that we've had for about nine months, we already have three million devices inside, almost three and a half million devices, is a superset of all of the different devices across our entire install base just from the clients that have been willing to share that data with us already. And that gives us optimism because what that becomes is a known set of fingerprints about all known devices so the first time that we discover a Siemens camera that might be a manufacturer, the company might have ten thousand of those in the environment, the first time that we see that device, we have to understand the pattern of traffic off that device, we label that as a security camera and any other customer world-wide that's has that same device connects, we instantaneously know it's a Siemens security camera. So we need the fingerprint of those devices once. >> Right, and so you're almost going to be like the GE Predix of connected devices down the road potentially with this cloud. >> We won't go there on that. >> He won't go there, alright. We've talked to Bill Ruh a lot of times but he does an interesting concept. The nice thing 'cause you can leverage from a single device and knowledge across the other ones which is so, so important on security so you can pick up multiple patterns, repeated patterns et cetera. >> One of the best parts about ForeScout is the fact that we deployed incredibly quickly. We have clients that have almost a million devices that got live in less than three months. 
And the reason we're able to do that is we plug into the infrastructure, and then our product kind o' does its own thing with very little effort from the client where we compare what we have in this repository against what they have in their environment. We typically get to an 80 or 90% auto-classification meaning that we know 80 or 90% of the time, not just what's on the network but what that device is and then the other 20% is where we have the implementation where we go through and we look at unique devices. It might be a bank has some model of ATM we've never seen before or a healthcare company has beds or machines on a hospital floor that we haven't recognized before. And the first time that we see each of those devices uniquely, we have to go through the process of fingerprinting it which means that we're looking for the unique pattern of traffic that's coming off a, you know, a router, a switch and a firewall and we're ingesting that and we're tagging that device and saying anytime we see that unique pattern of traffic, that's a certain device, a security camera or what have you. >> Right. >> The reason's that useful is then we get to put a policy in place about how those devices are allowed to behave on the network. So if you take something like the Mirai Botnet which hit about a year ago, was the thing that took down a big chunk of the Northeast, you know, utilities and you know, internet, it infected, it was a bot that infected security cameras predominantly. Nobody thought twice about having security cameras in their environment, but they're the same as they are in your house where you know, you put it online, you hit network pair and it's online. >> Right. >> But that bot was simply trying to find devices that had the default password that shipped from the security manufacturer and was able to be successful millions of time. 
And with our product in place, that couldn't happen because when you set us up, we would know it's a security camera, we'd put a policy in place that says security camera can speak to one server in the data center called the security camera server. And if that device tries to do anything more criminal, if it tries to dial the internet, if it tries to break into your SAP backend, any of those activities, we would give the customer the ability to automatically to take that device offline in real time. >> Right, so you're... >> And that's why our clients find us to be very useful. >> Right, so you're really segregating the devices to the places they're supposed to play, not letting 'em out of the areas they're supposed to be. Which is the >> Absolutely. >> Which is the classic kind of back door way in that the bad guys are coming in. >> Our philosophy is let everything onto the network. We take a look at that traffic. We give you a picture of all those devices and we allow each customer to put an individual policy in place that fences that in. If you take the other extreme like a Windows machine in a corporate environment, our typical policy will be you know, do you have Windows 2009 or later? 'Cause most customers have policies they don't want XP in their environments anymore. But we enforce it. So if an XP device hits the network, we can block that device or we can force a new version down. If you have Symantec, has it got a dat file update? If you've got Tenable, has it had a scan recently? If you've got, you know, any of the other products that are out there that are on those machines, our job is to enforce that the device actually matches the company's policy before that device is allowed in. >> Before you let it. Alright. >> And if at any time that it's on that network, it becomes noncompliant, we would take that device offline. 
>> You know, with the proliferation of devices and continuation growth of IoT and then industrial IoT, I mean, you guys are really in a good space because everything is getting an IP address and as you said, most of them have proprietary operation systems or they have some other proprietary system that's not going to allow, kind o' classic IT protections to be put into place. You've really got to have something special and it's a pretty neat approach coming at it from the connectivity. >> It's the secret sauce of the company is we recognized many years ago that the the combination of not just there being very few operating systems but they were all open. Windows, Lennox, right? I mean, you can buy a Windows machine and you can install any product you want on it. But we saw this trend coming when the next wave of devices was going to be massively heterogeneous and also in many cases, very closed. And you know, you mentioned the example of the OT space and that's one of the other, the third biggest driver for us in our business is the OT space because when you looking a WanaCry or a NotPetya and you see companies like Maersk and FedEx and others that are, that are publicly talking about the impact of these breaches on their earnings calls. What those companies are waking up and realizing is they've got 25 year old systems that have run, you know, an old version of Microsoft that's been end-of-life decades ago and the bad actors have proven very adept at trying to find any entry point into an organization, right, and the great news for ForeScout is that really lends itself very much towards our age-endless approach. I mean, many of these OT companies that we're in, devices that are in their manufacturing facilities don't even have an API. There were built so long ago so there's no concept of interacting with that machine. 
>> Right >> So for us, allowing that device to hit the Belden switches and then be able to interrogate the traffic coming off those switches lets us do the same thing that we do in the campus world over in the OT world as well. >> Good spot to be. So RSA 2018, what are ya looking forward to for this week? >> This is just massive in size. It's like speed dating. From a customer's perspective too, I mean, I meet so many customers that come here and are able to meet with 30 or 40 vendors in a single week and it's no different, you know, for the providers themselves so. You know, we've got some really, kind o' really high profile big wins, you know, it's very common for us to be doing deals at this point that get up over a million devices so they're very high profile so it's a great chance to reconnect with customers. You know, one of the things I didn't mention to you is that kind o' the, the whole thing that we do of identifying devices and then understanding what they are and allowing those policies to get put in place, that's fundamentally done with our own IP, and the connections into the switch and firewall vendors. But we've built this whole other ecosystem of applications in the world of orchestration that sit on top of our products. We integrate the firewall vendors, the vulnerability management vendors, the EDR vendors, the AV vendors, so it's a great chance for us to reconnect with, you know, those vendors as well. In fact, we're doing a dinner tonight with CrowdStrike. They're one of our newer partners. Very excited about this week. It brings a lot of optimism. >> Well, great story Mike and excited to watch it continue to unfold. >> We appreciate you giving us some time. >> Alright, thanks for stopping by. That's Mike Decesare. I'm Jeff Frick. You're watching theCUBE from RSA North America 2018. Thanks for watchin'. Catch you next time. (techno music)

Published Date : Apr 18 2018

Derek Manky, Fortinet | Fortinet Accelerate 2017

>> Narrator: Live from Las Vegas, Nevada, it's theCUBE, covering Accelerate 2017, brought to you by Fortinet. Now here are your hosts, Lisa Martin and Peter Burris. >> Hi, welcome back to theCUBE, we are live in Las Vegas at Fortinet Accelerate 2017. I'm your host, Lisa Martin, joined by my cohost, Peter Burris, and we're really excited about our next guest. We are talking next with Derek Manky. Derek, you are-- first of all, welcome to theCUBE. >> Thank you very much, I'm excited to be here. >> You have a really important role in Fortinet, you are the Global Security Strategist. >> Correct, yes. >> You have a... Established yourself as a thought leader with over 15 years of cyber security expertise, and your goal is to make a positive impact towards the global war on cyber-crime, that's a big goal. >> That's a very, very big goal, but it's a big hairy goal, but it's... Critically important, I believe, I firmly believe this over my whole career, and I'm starting to see some good traction with the efforts that we're doing too. >> And it's becoming more, and more, critical every day as breaches, and hacks, are a daily occurrence, you're also the leader of FortiGuard Labs, you've got a team of over 200, tell our viewers that can't be here today, what is FortiGuard Labs, what are you doing to leverage threat intelligence to help Fortinet's customers? >> Sure, so we're trying to manage complexity, 'cause that's always the enemy of security, and we're trying to make it simple across the board, so we're managing security for all of our customers, 300 000 customers plus. That's a big deal, so we had to invest a lot into that in terms of how we can do that to make it simple to the end users. So what FortiGuard Labs is, is it's services we deliver to the end user, protection services across the spectrum, our whole product portfolio. So we have world-class expertise as a security vendor, 200 plus people on the team, experts in each domain.
We have researchers, and experts, looking at things like industrial attacks, mobile problems, malicious websites, ripping apart, what we call reverse engineering, malware samples to find out digital fingerprints of who's creating these attacks, so we can work also in partnerships with that too. At the end of the day, we have the humans working on that, but we've also invested a ton into artificial intelligence, and machine learning, we have to comb through over 50 billion attacks in a day, and so the machines are also helping us to create a lot of this automated protection, that's all driven by our patents, by our world-class development teams, that gets down to the end user, so that they don't have to invest as much into their own security operations centers, 'cause that's a big OpEx, expansions to the expenditure, so we're helping to alleviate that issue, especially with this, as everybody knows, today, the big gap in cyber security professionals, so that helps to alleviate that issue too. >> You said 50 billion attacks a day. >> That's correct sir, yes. Potential attacks. >> Oh, potential attacks. Clearly that means that increasing percentages of the total body of attacks are no longer coming from humans, they're coming from other things, >> Derek: Absolutely. >> And how's that playing out? >> It's a fascinating landscape right now. With every legitimate model, there's an illegitimate model to follow, especially with cyber crime, and what we see in the digital underground, dark web, all these sorts of things, you rewind back to the 90s, your opportunistic hacker was just trying to plot, plot, plot, a message bar on a Windows 95, or Windows 98 system at the time. Nowadays, of course, the attack surface has grown tremendously. You look back to DARPA, back in 1989, it had 60 000 systems connected on the Internet, now we have IPv6, 20 plus billion connected devices, everything is a target now, especially with the Internet of Things.
Smart televisions-- >> Peter: And a potential threat. >> Exactly, and a weapon. >> Exactly, and so to capitalize on that, what we're seeing now is cyber criminals developing automated systems of their own, to infect these systems, to report back to them, so they're doing a lot of that heavy work, the heavy lifting, using their own machines to infect, and their own algorithms to infect these systems, and then from there, it'll escalate back up to them to further capitalize, and leverage those attacks. On any given minute, we're seeing between 500 000 to 700 000 hacking attempts across, and this is our own infrastructure, so we're leading in terms of firewalls in units shipped so we're able to get a good grasp on intelligence out there, what's happening, and in any given minute, well over 500 000 hacking attempts on systems worldwide. >> So every hour, 30 million. >> Derek: Yeah that's some quick math. >> Yeah, I'm amazing at multiplication. I almost got it wrong though, I have to say. 30 million hacks an hour. >> Yeah, and so our job is to identify that, we don't want to block things we shouldn't be, so there has to be a very big emphasis on quality of intelligence as well, we've done a lot with our machines to validate attacks, to be able to protect against those attacks, and not, especially when it comes to these attacks like intrusion prevention, that attack surface now, we got to be able to not just look at attacks on PCs now, so that's why that number keeps ticking up. >> Lisa: Right, proliferation of mobile, IoT. >> Derek: It's directly related, absolutely. >> So, this is clearly something that eyeballs are not going to solve. >> Not alone, so I'm a very, very big advocate of saying that we cannot win this war alone, just relying even on the brightest minds in the world, but we can also not just rely a hundred percent on machines to control, it's just like autonomous vehicles.
You look at Tesla, and these other vehicles, and Google, what they're doing, it's a trust exercise again, you can never pass a hundred percent control to that automation. Rather you can get up to that 99th percentile with automation, but you still need those bright minds looking at it. So to answer your question, eyeballs alone, no, but the approach we've taken is to scale up, distribute, and use machines to identify it, to try to find that needle in a haystack, and then, escalate that to our bright minds, when we need to take a look at the big attacks that matter, and solve some more of the complex issues. >> Speaking of bright minds, you and your team, recently published an incredible blog on 2017 predictions. Wow, that's on the Fortinet blog? >> Derek: Yeah, that's correct. >> We can find that? Really incredibly thorough, eye-opening, and there were six predictions, take us through maybe the top three. We talked about the proliferation of devices, the attack surface getting larger, more and more things becoming potential threats, what are the top three, maybe biggest threats that you were seeing, and is there any industry, in particular, that pops up as one of the prime targets? >> Absolutely. I'll get into some buckets on this, I think first, and foremost, what is primary now in what we're seeing is, what we're calling, autonomous malware, so this is the notion of, basically what we're just talking about to your question on what's driving this data, what's driving all these attack points. First of all, the Internet's been seeded with, what I call, ticking time bombs right now, we have 20 plus, whatever the number's going to be, all of these billions of devices that are connected, that are inherently, in my professional opinion, insecure. A lot of these devices are not following proper security development life cycles. >> Lisa: Is there accountability to begin with? >> No, not at this point. >> Right. >> Right.
And that's something that DHS, and NIST, just released some guidelines on, at the end of last year, and I think we're going to see a lot of activity on accountability for that, but that has to be taken care of. Unfortunately right now, it's been seeded, this attack surface is there, so we already have all these open avenues of attack, and that's why I call it a ticking time bomb, because it's been seeded, and now these are ripe for attack, and we're seeing attackers capitalize on this, so what we're seeing is the first indications of autonomous malware, malware that is capable of mapping out these vulnerable points. The machine's doing this, and the machine's attacking the other machines, so it's not just the eyeballs then, and the cyber criminals doing this. We saw last year, unprecedented DDoS attacks, this is directly related to the Mirai botnet. We had gone from a 600 gig to terabit plus DDoS attacks, that was unheard of before. They are leveraging all of these different IoT devices as horsepower to attack these systems in a massive distributed denial-of-service attack. The interesting part about Mirai is that it's also using open-source intelligence as well, so this is something that humans, like a black hat attacker, would typically have to do, they would have to get reports back from one of their systems, and say, "okay, now I've found all these vulnerable systems, I'm going to attack all these systems.", but they're the glue, so they're now removing themselves as the glue, and making this completely automated, where a botnet like Mirai is able to use Shodan, as an example, it's an open-source database, and say, "here are a whole bunch of vulnerable systems, I'm going to go attack it," and so that's to my point of view, that's the first indication of the smart-malware, because malware has always been guided by humans.
But now, I think, we're starting to see a lot of, more of that intelligent attack, the offense, the intelligent offense being baked into these pieces of malware. So I think it's going to open this whole new breed of attacks and malware, and obviously, we're in a whole new arms race when it comes to that. How can we get ahead of the bad guys, and so this is obviously what Fortinet is instituting on the autonomous defense, our Security Fabric, and Fabric-ready approach, that's all about beating them to the punch on that, having our machines, the defensive machines talk to each other, combine world-class intelligence like FortiGuard so that it can defend against those attacks, it's a tough task, but I really firmly believe that this year is a year that we have the advantage, we can have the advantage as white hats to get one leg up on the black hat attackers. As I said, for 15 years at FortiGuard Labs, we have invested a ton into our AI, machine learning intelligence, so we're experts on the automation, I don't believe the black hat attackers are experts on automation. So I think for that reason, we have a really good opportunity this year, because you always hear about the black hats, another data breach, and all these things happening, they've always had the advantage, and I think, we can really turn the tables this year. >> You have some great experience working, not just in the private sector, but in the public sector as well, you've done work with NATO, with Interpol, with CERT, what is your perspective on public sector, and private sector, working together, is that essential to win this war on cyber crime?
>> Absolutely, we need everybody at the table, we cannot win it, as one single vendor alone, a good example of that is, we're starting to do across the board, this is something, I firmly believe in, it's really near and dear to my heart, I've worked on it for the course of, well over six years now, and we have a lot of the existing partnerships, across organizations, so other security vendors, and experts, Cyber Threat Alliance is an excellent example, we're a founding member of that, and these are competitors, but security vendors getting together to level the playing field on intelligence, we can still really remain competitive on the solutions, and how we implement that intelligence, but at least-- it's like a Venn diagram, you look at that attack surface out there, you want to try to share all that information, so that you can deliver that to security controls, and protect against it. So, the Cyber Threat Alliance is a good example, but that's private sector. If you look at National Computer Emergency Response, law enforcement, we have made great inroads into that working with the likes of Computer Emergency Response, to give them intel. If we find bad stuff happening somewhere, we're not law enforcement, we can't go take the server down, and disrupt a campaign, we can't arrest, or prosecute people, but they can, but they don't have all that expertise, and intelligence that we do, all the data points, so this is, you're starting to see a lot of this spring up, and we're doing a lot of leadership in this area, and I think, it's absolutely essential. President Obama last year mentioned it, the Cyber Threat Alliance, and the public-private sector, needing to work together in one of his speeches at Stanford, and I believe it's the only way we can win this.
You have to go up to the head of the snake too, if we just are always on the defense, and we're always just trying to disrupt cyber criminals, it's a slap on the wrist for them, they're going to go set up shop somewhere else. We need to be able to actually go and prosecute these guys, and we had a really good case last year, we took down, working with Interpol, and the EFCC, a 62 million dollar crime ring in the US. They went, and prosecuted the kingpin of this operation, out of Nigeria. It's an unprecedented random example, but we need to do more of that, but it's a good example of a healthy working public-private sector relationship. >> What an incredible experience that you have, what you have achieved with FortiGuard Labs, what excites you most, going forward, we're just at the beginning of 2017, with what's been announced here, the partnerships that you guys have formed, what excites you most about this year, and maybe... Some of the key steps you want to take against cyber crime as Fortinet. >> Sure, so I think we want to, so Cyber Threat Alliance is a very big machine, there's a lot of exciting things happening, so that's going to be a really good initiative, that's going to carry forward momentum this year. What excites me most? Well, it's not always a good thing I guess, but if you look at all the bad news that's out there, like I said, I think it's just going to be, there's so much fuel, that's being thrown on the fire when it comes to attacks right now. Like I said, these time bombs that have been planted out there. We're going to see the year of IoT attacks for sure, a new version of Mirai has already come out, they're starting to sell this, commercialize this, and it's even more advanced in terms of intelligence than the previous one, so that sort of stuff.
It depends on your definition of the word, excites, of course, but these are the things that we have opportunity, and again I think going back to my first point, the white hats having, for the first time in my point of view, a leg up on the black hats, that opportunity, that really excites me. When we look at what's happening, moving forward in 2017, healthcare, I think, is going to be a very big thing in terms of attack targets, so we're going to be focused on that, in terms of attacks on, not just healthcare records, which are more valuable than financial records as an example, but medical devices, again the IoT play in healthcare, that's a big deal, we're starting to already see attacks on that. Smart cities as well, you look forward to the next three years, building management systems, a lot of people talk about SCADA industrial control, this is definitely a big attack target to a certain... Attack surface, obviously, power plants, electrical grids, but building management systems, and these automated systems that are being put in, even smart vehicles, and smart homes is another big target that's unfolding over the next year. >> Hard to air gap a home, and certainly not a city. >> Absolutely, yeah, and again it goes back to the point that a lot of these devices being installed in those homes are inherently insecure. So that's a big focus for us, and that's a big thing FortiGuard is doing, is looking at what those attacks are, so we can defend against that at the network layer, that we can work with all of our business partners that are here at Accelerate this year, to deliver those solutions, and protect against it.
>> Wow, it sounds like, and I think Peter would agree, your passion for what you do is very evident, as those bad actors are out there, and as the technologies on the baton are getting more advanced, and intelligent, as you say, it's great to hear what you, and your team are doing to help defend against that on the enterprise side, and one day on the consumer side as well. So Derek Manky, Global Security Strategist for Fortinet, thank you so much for being on theCUBE and sharing your expertise with us. >> It's my pleasure, any time, thank you very much. >> Well, on behalf of my cohost, Peter Burris, I'm Lisa Martin, you've been watching theCUBE, and stick around, we'll be right back. (electronic music)

Published Date : Jan 11 2017
