>>from the Cube Studios in Palo Alto in Boston, connecting with thought leaders all around the world. This is a cube conversation, >>Everyone. Welcome to this cube conversation. I'm John for host of the Cube here in the Cubes Palo Alto studios during the co vid crisis. Square Quarantine with our crew, but we got the remote interviews. Got great to get great guests here from 44 to guard Fortinet, 40 Guard Labs, Derek Manky chief Security Insights and Global Threat alliances. At 14 it's 40 guard labs and, um, are Lakhani. Who's the lead researcher for the Guard Labs. Guys, great to see you. Derek. Good to see you again. Um, are you meet you? >>Hey, it's it's it's been a while and that it happened so fast, >>it just seems, are say it was just the other day. Derek, we've done a couple interviews in between. A lot of flow coming out of Florida net for the guards. A lot of action, certainly with co vid everyone's pulled back home. The bad actors taking advantage of the situation. The surface areas increased really is the perfect storm for security. Uh, in terms of action, bad actors are at all time high new threats here is going on. Take us through what you guys were doing. What's your team makeup look like? What are some of the roles and you guys were seeing on your team? And how's that transcend to the market? >>Yeah, sure, Absolutely. So you're right. I mean, like, you know, like I was saying earlier this this is all this always happens fast and furious. We couldn't do this without, you know, a world class team at 40 guard labs eso we've grown our team now to over 235 globally. There's different rules within the team. You know, if we look 20 years ago, the rules used to be just very pigeonholed into, say, anti virus analysis. Right now we have Thio account for when we're looking at threats. We have to look at that growing attack surface. We have to look at where these threats coming from. How frequently are they hitting? What verticals are they hitting? You know what regions? What are the particular techniques? Tactics, procedures, You know, we have threat. This is the world of threat Intelligence, Of course. Contextualizing that information and it takes different skill sets on the back end, and a lot of people don't really realize the behind the scenes. You know what's happening on bears. A lot of magic happen not only from what we talked about before in our last conversation from artificial intelligence and machine learning, that we do a 40 yard labs and automation, but the people. And so today we want to focus on the people on and talk about you know how on the back ends, we approach a particular threat. We're going to talk to the world, a ransom and ransomware. Look at how we dissect threats. How correlate that how we use tools in terms of threat hunting as an example, And then how we actually take that to that last mile and and make it actionable so that, you know, customers are protected. How we share that information with Keith, right until sharing partners. But again it comes down to the people. We never have enough people in the industry. There's a big shortages, we know, but it it's a really key critical element, and we've been building these training programs for over a decade within 40 guard lab. So you know, you know, John, this this to me is why, exactly why, I always say, and I'm sure Americans share this to that. There's never a dull day in the office. I know we hear that all the time, but I think today you know, all the viewers really get a new idea of why that is, because this is very dynamic. And on the back end, there's a lot of things that doing together our hands dirty with this, >>you know, the old expression started playing Silicon Valley is if you're in the arena, that's where the action and it's different than sitting in the stands watching the game. You guys are certainly in that arena. And, you know, we've talked and we cover your your threat report that comes out, Um, frequently. But for the folks that aren't in the weeds on all the nuances of security, can you kind of give the 101 ransomware. What's going on? What's the state of the ransomware situation? Um, set the stage because that's still continues to be a threat. I don't go a week, but I don't read a story about another ransomware and then it leaks out. Yeah, they paid 10 million in Bitcoin or something like I mean, this Israel. That's a real ongoing threat. What is it, >>quite a bit? Yeah, eso I'll give sort of the one on one and then maybe capacity toe mark, who's on the front lines dealing with this every day. You know, if we look at the world of I mean, first of all, the concept to ransom, obviously you have people that that has gone extended way, way before, you know, cybersecurity. Right? Um, in the world of physical crime s Oh, of course. You know the world's first ransom, where viruses actually called PC cyborg. This is in 1989. The ransom payment was demanded to appeal box from leave. It was Panama City at the time not to effective on floppy disk. Very small audience. Not a big attack surface. I didn't hear much about it for years. Um, you know, in really it was around 2000 and 10. We started to see ransomware becoming prolific, and what they did was somewhat cybercriminals. Did was shift on success from ah, fake antivirus software model, which was, you know, popping up a whole bunch of, you know said your computer is infected with 50 or 60 viruses. Chaos will give you an anti virus solution, Which was, of course, fake. You know, people started catching on. You know, the giggles up people caught onto that. So they weren't making a lot of money selling this project software. Uh, enter Ransomware. And this is where ransomware really started to take hold because it wasn't optional to pay for the software. It was mandatory almost for a lot of people because they were losing their data. They couldn't reverse engineer the current. Uh, the encryption kind of decrypt it with any universal tool. Ransomware today is very rigid. We just released our threat report for the first half of 2020. And we saw we've seen things like master boot record nbr around somewhere. This is persistent. It sits before your operating system when you boot up your computer. So it's hard to get rid of, um, very strong. Um, you know, public by the key cryptography that's being so each victim is infected with the different key is an example. The list goes on, and you know I'll save that for for the demo today. But that's basically it's It's very it's prolific and we're seeing shit. Not only just ransomware attacks for data, we're now starting to see ransom for extortion, for targeted ransom cases that we're going after, you know, critical business. Essentially, it's like a D O s holding revenue streams around too. So the ransom demands were getting higher because of this is Well, it's complicated. >>Yeah, I was mentioning, Omar, I want you to weigh in. I mean, 10 million is a lot we reported earlier this month. Garment was the company that was act I t guy completely locked down. They pay 10 million. Um, garment makes all those devices and a Z. We know this is impacting That's real numbers. So I mean, it's another little ones, but for the most part, it's new. It's, you know, pain in the butt Thio full on business disruption and extortion. Can you explain how it all works before I got it? Before we go to the demo, >>you know, you're you're absolutely right. It is a big number, and a lot of organizations are willing to pay that number to get their data back. Essentially their organization and their business is at a complete standstill. When they don't pay, all their files are inaccessible to them. Ransomware in general, what does end up from a very basic or review is it basically makes your files not available to you. They're encrypted. They have a essentially a pass code on them that you have to have the correct pass code to decode them. Ah, lot of times that's in the form of a program or actually a physical password you have type in. But you don't get that access to get your files back unless you pay the ransom. Ah, lot of corporations these days, they are not only paying the ransom, they're actually negotiating with the criminals as well. They're trying to say, Oh, you want 10 million? How about four million? Sometimes that it goes on as well, but it's Ah, it's something that organizations know that if they don't have the proper backups and the Attackers are getting smart, they're trying to go after the backups as well. They're trying to go after your duplicate files, so sometimes you don't have a choice, and organizations will will pay the ransom >>and it's you know they're smart. There's a business they know the probability of buy versus build or pay versus rebuild, so they kind of know where to attack. They know the tactics. The name is vulnerable. It's not like just some kitty script thing going on. This is riel system fistic ated stuff. It's and it's and this highly targeted. Can you talk about some use cases there and what's goes on with that kind of attack? >>Absolutely. The cybercriminals are doing reconnaissance. They're trying to find out as much as they can about their victims. And what happens is they're trying to make sure that they can motivate their victims in the fastest way possible to pay the ransom as well. Eh? So there's a lot of attacks going on. We usually we're finding now is ransomware is sometimes the last stage of an attack, so an attacker may go into on organization. They may already be taking data out of that organization. They may be stealing customer data P I, which is personal, identifiable information such as Social Security numbers or or driver's licenses or credit card information. Once they've done their entire attack, once they've gone, everything they can Ah, lot of times their end stage. There last attack is ransomware, and they encrypt all the files on the system and try and try and motivate the victim to pay as fast as possible and as much as possible as well. >>You know, it's interesting. I thought of my buddy today. It's like casing the joint. They check it out. They do their re kon reconnaissance. They go in, identify what's the move that's move to make. How to extract the most out of the victim in this case, Target. Um, and it really I mean, it's just go on a tangent, you know? Why don't we have the right to bear our own arms? Why can't we fight back? I mean, the end of the day, Derek, this is like, Who's protecting me? I mean, >>e do >>what? To protect my own, build my own army, or does the government help us? I mean, that's at some point, I got a right to bear my own arms here, right? I mean, this is the whole security paradigm. >>Yeah, so I mean, there's a couple of things, right? So first of all, this is exactly why we do a lot of that. I was mentioning the skills shortage and cyber cyber security professionals. Example. This is why we do a lot of the heavy lifting on the back end. Obviously, from a defensive standpoint, you obviously have the red team blue team aspect. How do you first, Um, no. There is what is to fight back by being defensive as well, too, and also by, you know, in the world that threat intelligence. One of the ways that we're fighting back is not necessarily by going and hacking the bad guys, because that's illegal in jurisdictions, right? But how we can actually find out who these people are, hit them where it hurts. Freeze assets go after money laundering that works. You follow the cash transactions where it's happening. This is where we actually work with key law enforcement partners such as Inter Pool is an example. This is the world, the threat intelligence. That's why we're doing a lot of that intelligence work on the back end. So there's other ways toe actually go on the offense without necessarily weaponizing it per se right like he's using, you know, bearing your own arms, Aziz said. There's different forms that people may not be aware of with that and that actually gets into the world of, you know, if you see attacks happening on your system, how you how you can use security tools and collaborate with threat intelligence? >>Yeah, I think that I think that's the key. I think the key is these new sharing technologies around collective intelligence is gonna be, ah, great way to kind of have more of an offensive collective strike. But I think fortifying the defense is critical. I mean, that's there's no other way to do that. >>Absolutely. I mean the you know, we say that's almost every week, but it's in simplicity. Our goal is always to make it more expensive for the cyber criminal to operate. And there's many ways to do that right you could be could be a pain to them by by having a very rigid, hard and defense. That means that if if it's too much effort on their end, I mean, they have roos and their in their sense, right, too much effort on there, and they're gonna go knocking somewhere else. Um, there's also, you know, a zay said things like disruption, so ripping infrastructure offline that cripples them. Yeah, it's wack a mole they're going to set up somewhere else. But then also going after people themselves, Um, again, the cash networks, these sorts of things. So it's sort of a holistic approach between anything. >>Hey, it's an arms race. Better ai better cloud scale always helps. You know, it's a ratchet game. Okay, tomorrow I want to get into this video. It's of ransomware four minute video. I'd like you to take us through you to lead you to read. Researcher, >>take us >>through this video and, uh, explain what we're looking at. Let's roll the video. >>All right? Sure s. So what we have here is we have the victims. That's top over here. We have a couple of things on this. Victims that stop. We have ah, batch file, which is essentially going to run the ransom where we have the payload, which is the code behind the ransomware. And then we have files in this folder, and this is where you typically find user files and, ah, really world case. This would be like Microsoft Microsoft Word documents or your Power point presentations. Over here, we just have a couple of text files that we've set up we're going to go ahead and run the ransomware and sometimes Attackers. What they do is they disguise this like they make it look like a like, important word document. They make it look like something else. But once you run, the ransomware usually get a ransom message. And in this case, the ransom message says your files are encrypted. Uh, please pay this money to this Bitcoin address. That obviously is not a real Bitcoin address that usually they look a little more complicated. But this is our fake Bitcoin address, but you'll see that the files now are encrypted. You cannot access them. They've been changed. And unless you pay the ransom, you don't get the files. Now, as the researchers, we see files like this all the time. We see ransomware all the all the time. So we use a variety of tools, internal tools, custom tools as well as open source tools. And what you're seeing here is open source tool is called the cuckoo sandbox, and it shows us the behavior of the ransomware. What exactly is a ransom we're doing in this case? You can see just clicking on that file launched a couple of different things that launched basically a command execute herbal, a power shell. It launched our windows shell and then it did things on the file. It basically had registry keys. It had network connections. It changed the disk. So this kind of gives us behind the scenes. Look at all the processes that's happening on the ransomware and just that one file itself. Like I said, there's multiple different things now what we want to do As researchers, we want to categorize this ransomware into families. We wanna try and determine the actors behind that. So we dump everything we know in the ransomware in the central databases. And then we mind these databases. What we're doing here is we're actually using another tool called malt ego and, uh, use custom tools as well as commercial and open source tools. But but this is a open source and commercial tool. But what we're doing is we're basically taking the ransomware and we're asking malty, go to look through our database and say, like, do you see any like files? Or do you see any types of incidences that have similar characteristics? Because what we want to do is we want to see the relationship between this one ransomware and anything else we may have in our system because that helps us identify maybe where the ransom that's connecting to where it's going thio other processes that may be doing. In this case, we can see multiple I P addresses that are connected to it so we can possibly see multiple infections weaken block different external websites. If we can identify a command and control system, we can categorize this to a family. And sometimes we can even categorize this to a threat actor that has claimed responsibility for it. Eso It's essentially visualizing all the connections and the relationship between one file and everything else we have in our database in this example. Off course, we put this in multiple ways. We can save these as reports as pdf type reports or, you know, usually HTML or other searchable data that we have back in our systems. And then the cool thing about this is this is available to all our products, all our researchers, all our specialty teams. So when we're researching botnets when we're researching file based attacks when we're researching, um, you know, I P reputation We have a lot of different IOC's or indicators of compromise that we can correlate where attacks goes through and maybe even detective new types of attacks as well. >>So the bottom line is you got the tools using combination of open source and commercial products. Toe look at the patterns of all ransomware across your observation space. Is that right? >>Exactly. I should you like a very simple demo. It's not only open source and commercial, but a lot of it is our own custom developed products as well. And when we find something that works, that logic that that technique, we make sure it's built into our own products as well. So our own customers have the ability to detect the same type of threats that we're detecting as well. At four of our labs intelligence that we acquire that product, that product of intelligence, it's consumed directly by our projects. >>Also take me through what, what's actually going on? What it means for the customers. So border guard labs. You're looking at all the ransom where you see in the patterns Are you guys proactively looking? Is is that you guys were researching you Look at something pops on the radar. I mean, take us through What is what What goes on? And then how does that translate into a customer notification or impact? >>So So, yeah, if you look at a typical life cycle of these attacks, there's always proactive and reactive. That's just the way it is in the industry, right? So of course we try to be a wear Some of the solutions we talked about before. And if you look at an incoming threat, first of all, you need visibility. You can't protect or analyze anything that you can't see. So you got to get your hands on visibility. We call these I, O. C s indicators a compromise. So this is usually something like, um, actual execute herbal file, like the virus from the malware itself. It could be other things that are related to it, like websites that could be hosting the malware as an example. So once we have that seed, we call it a seed. We could do threat hunting from there, so we can analyze that right? If it's ah piece of malware or a botnet weaken do analysis on that and discover more malicious things that this is doing. Then we go investigate those malicious things and we really you know, it's similar to the world of C. S. I write have these different gods that they're connecting. We're doing that at hyper scale on DWI. Use that through these tools that Omar was talking. So it's really a life cycle of getting, you know, the malware incoming seeing it first, um, analyzing it on, then doing action on that. Right? So it's sort of a three step process, and the action comes down to what tomorrow is saying water following that to our customers so that they're protected. But then in tandem with that, we're also going further. And I'm sharing it, if if applicable to, say, law enforcement partners, other threat Intel sharing partners to And, um, there's not just humans doing that, right? So the proactive peace again, This is where it comes to artificial intelligence machine learning. Um, there's a lot of cases where we're automatically doing that analysis without humans. So we have a I systems that are analyzing and actually creating protection on its own. Two. So it Zack white interest technology. >>A decision. At the end of the day, you want to protect your customers. And so this renders out if I'm afford a net customer across the portfolio. The goal here is to protect them from ransomware. Right? That's the end of game. >>Yeah, And that's a very important thing when you start talking these big dollar amounts that were talking earlier comes Thio the damages that air down from estimates. >>E not only is a good insurance, it's just good to have that fortification. Alright, So dark. I gotta ask you about the term the last mile because, you know, we were before we came on camera. You know, I'm band with junkie, always want more bandwidth. So the last mile used to be a term for last mile to the home where there was telephone lines. Now it's fiber and by five. But what does that mean to you guys and security is that Does that mean something specific? >>Yeah, Yeah, absolutely. The easiest way to describe that is actionable, right? So one of the challenges in the industry is we live in a very noisy industry when it comes thio cybersecurity. What I mean by that is because of that growing attacks for fists on do you know, you have these different attack vectors. You have attacks not only coming in from email, but websites from, you know, DDOS attacks. There's there's a lot of volume that's just going to continue to grow is the world of I G N O T. S O. What ends up happening is when you look at a lot of security operation centers for customers as an example, um, there are it's very noisy. It's, um you can guarantee that every day you're going to see some sort of probe, some sort of attack activity that's happening. And so what that means is you get a lot of protection events, a lot of logs, and when you have this worldwide shortage of security professionals, you don't have enough people to process those logs and actually started to say, Hey, this looks like an attack. I'm gonna go investigate it and block it. So this is where the last mile comes in because ah, lot of the times that you know these logs, they light up like Christmas. And I mean, there's a lot of events that are happening. How do you prioritize that? How do you automatically add action? Because The reality is, if it's just humans, doing it on that last mile is often going back to your bandwidth terms. There's too much too much lately. See right, So how do you reduce that late and see? That's where the automation the AI machine learning comes in. Thio solve that last mile problem toe automatically either protection. Especially important because you have to be quicker than the attacker. It's an arms race like E. >>I think what you guys do with four to Guard Labs is super important. Not like the industry, but for society at large, as you have kind of all this, you know, shadow, cloak and dagger kind of attacks systems, whether it's National Security international or just for, you know, mafias and racketeering and the bad guys. Can you guys take a minute and explain the role of 40 guards specifically and and why you guys exist? I mean, obviously there's a commercial reason you both on the four net that you know trickles down into the products. That's all good for the customers. I get that, but there's more to the fore to guard than just that. You guys talk about this trend and security business because it is very clear that there's a you know, uh, collective sharing culture developing rapidly for societal benefit. Can you take them into something that, >>Yeah, sure, I'll get my thoughts. Are you gonna that? So I'm going to that Teoh from my point of view, I mean, there's various functions, So we've just talked about that last mile problem. That's the commercial aspect we create through 40 yard labs, 40 yards, services that are dynamic and updated to security products because you need intelligence products to be ableto protect against intelligence attacks. That's just the defense again, going back to How can we take that further? I mean, we're not law enforcement ourselves. We know a lot about the bad guys and the actors because of the intelligence work that you do. But we can't go in and prosecute. We can share knowledge and we can train prosecutors, right? This is a big challenge in the industry. A lot of prosecutors don't know how to take cybersecurity courses to court, and because of that, a lot of these cybercriminals rain free. That's been a big challenge in the industry. So, you know, this has been close to my heart over 10 years, I've been building a lot of these key relationships between private public sector as an example, but also private sector things like Cyber Threat Alliance, where a founding member of the Cyber Threat Alliance, if over 28 members and that alliance. And it's about sharing intelligence to level that playing field because Attackers room freely. What I mean by that is there's no jurisdictions for them. Cybercrime has no borders. Um, they could do a million things, uh, wrong and they don't care. We do a million things right. One thing wrong, and it's a challenge. So there's this big collaboration that's a big part of 40 guard. Why exists to is to make the industry better. Thio, you know, work on protocols and automation and and really fight fight this together. Well, remaining competitors. I mean, we have competitors out there, of course, on DSO it comes down to that last mile problem. John is like we can share intelligence within the industry, but it's on Lee. Intelligence is just intelligence. How do you make it useful and actionable? That's where it comes down to technology integration. And, >>um, are what's your take on this, uh, societal benefit because, you know, I've been saying since the Sony hack years ago that, you know, when you have nation states that if they put troops on our soil, the government would respond. Um, but yet virtually they're here, and the private sector's defend for themselves. No support. So I think this private public partnership thing is very relevant. I think is ground zero of the future build out of policy because, you know, we pay for freedom. Why don't we have cyber freedom is if we're gonna run a business. Where's our help from the government? Pay taxes. So again, if a military showed up, you're not gonna see, you know, cos fighting the foreign enemy, right? So, again, this is a whole new change over it >>really is. You have to remember that cyberattacks puts everyone on even playing field, right? I mean, you know, now don't have to have a country that has invested a lot in weapons development or nuclear weapons or anything like that, right? Anyone can basically come up to speed on cyber weapons as long as they have an Internet connection. So it evens the playing field, which makes it dangerous, I guess, for our enemies, you know, But absolutely that I think a lot of us, You know, from a personal standpoint, a lot of us have seen researchers have seen organizations fail through cyber attacks. We've seen the frustration we've seen. Like, you know, besides organization, we've seen people like, just like grandma's loser pictures of their, you know, other loved ones because they can being attacked by ransom, where I think we take it very personally when people like innocent people get attacked and we make it our mission to make sure we can do everything we can to protect them. But But I will add that the least here in the U. S. The federal government actually has a lot of partnerships and ah, lot of programs to help organizations with cyber attacks. Three us cert is always continuously updating, you know, organizations about the latest attacks. Infra Guard is another organization run by the FBI, and a lot of companies like Fortinet and even a lot of other security companies participate in these organizations so everyone can come up to speed and everyone share information. So we all have a fighting chance. >>It's a whole new wave paradigm. You guys on the cutting edge, Derek? Always great to see a mark. Great to meet you remotely looking forward to meeting in person when the world comes back to normal as usual. Thanks for the great insights. Appreciate it. >>All right. Thank God. Pleasure is always >>okay. Q conversation here. I'm John for a host of the Cube. Great insightful conversation around security Ransomware with a great demo. Check it out from Derek and, um, are from 14 guard labs. I'm John Ferrier. Thanks for watching.

>> live from Orlando, Florida It's the que covering accelerate nineteen. Brought to you by important >> Hey, welcome back to the Cube. We are live at forty nine. Accelerate nineteen in Orlando, Florida I am Lisa Martin with Peter Births, and Peter and I are pleased to welcome one of our alumni back to the program during Mickey, the chief of security insights for forty nine. Derek. It's great to have you back on the program, >> so it's always a pleasure to be here. It's tze always good conversations. I really look forward to it and it's It's never a boring day in my office, so we're than happy to talk about this. >> Fantastic. Excellent. Well, we've been here for a few hours, talking with a lot of your leaders. Partners as well. The keynote this morning was energetic. Talked a lot about the evocation, talked a lot about the evolution of not just security and threat, but obviously of infrastructure, multi cloud hybrid environment in which we live. You have been with forty girl lives for a long time. Talk to us about the evolution that you've seen of the threat landscape and where we are today. >> Sure, Yeah, so you know? Yeah, I've been fifteen years now, forty guards. So I flashed back. Even a two thousand, for it was a vastly different landscape back there and Internet and even in terms of our security technology in terms of what the attack surface was like back then, you know, Ken Kennedy was talking about EJ computing, right? Because that's what you know. Seventy percent of data is not going to be making it to the cloud in the future. A lot of processing is happening on the edge on DH. Threats are migrating that way as well, right? But there's always this mirror image that we see with the threat landscape again. Threat landscape. Back in nineteen eighty nine, we started with the Morris Worm is very simple instructions. It took down about eighty percent of the Internet at the time, but he was It is very simple. It wasn't to quote unquote intelligence, right? Of course, if we look through the two thousands, we had a lot of these big worms that hit the scene like Conficker. I love you, Anna Kournikova. Blaster slammer. All these famous rooms I started Teo become peer to peer, right? So they were able to actually spread from network to network throughout organizations take down critical services and so forth. That was a big evolutionary piece at the time. Of course, we saw fake anti virus ransomware. Come on stage last. Whereas I called it, which was destructive Mauer That was a big shift that we saw, right? So actually physically wiping out data on systems these air typically in like star but warfare based attacks. And that takes us up to today, right? And what we're seeing today, of course, we're still seeing a lot of ransom attacks, but we're starting to see a big shift in technology because of this edge computing used case. So we're seeing now things like Swarm networks have talked about before us. So these are not only like we saw in the two thousand's threats that could shift very quickly from network to network talk to each other, right? In terms of worms and so forth. We're also seeing now in intelligence baked in. And that's a key difference in technology because these threats are actually able, just like machine to machine. Communication happens through a pea eye's protocols and so forth threats are able to do this a swell. So they ableto understand their own local environment and how to adapt to that local environment and capitalized on that effort on DH. That's a very, very big shift in terms of technology that we're seeing now the threat landscape. >> So a lot of those old threats were depending upon the action of a human being, right? So in many respects, the creativity was a combination of Can you spook somebody make it interesting so that they'll do something that was always creativity in the actual threat itself. What you're describing today is a world where it's almost like automated risk. We're just as we're trying to do automation to dramatically increase the speed of things, reduce the amount of manual intervention. The bad guy's doing the same thing with the swarms there, introducing technology that is almost an automated attack and reconfigures itself based on whatever environment, conditions of encounters. >> Yeah, and the interesting thing is, what's happening here is we're seeing a reduction in what I call a t t be a time to breach. So if you look at the attack lifecycle, everything does doesn't happen in the blink of an instant it's moving towards that right? But if you look at the good, this's what's to come. I mean, we're seeing a lot of indications of this already. So we work very closely with Miter, the minor attack framework. It describes different steps for the attack life cycle, right? You start with reconnaissance weaponization and how do you penetrator system moving the system? Collect data monetize out as a cyber criminal. So even things like reconnaissance and weaponization. So if you look at fishing campaigns, right, people trying to fish people using social engineering, understanding data points about them that's becoming automated, that you sought to be a human tryingto understand their target, try toe fish them so they could get access to their network. There's tool kits now that will actually do that on their own by learning about data points. So it's scary, yes, but we are seeing indications of that. And and look, the endgame to this is that the attacks were happening much, much quicker. So you've got to be on your game. You have to be that much quicker from the defensive point of view, of course, because otherwise, if successful breach happens, you know we're talking about some of these attacks. They could. They could be successful in matter of seconds or or minutes instead of days or hours like before. You know, we're talking about potentially millions dollars of revenue loss, you know, services. They're being taken out flying intellectual properties being reached. So far, >> though. And this is, you know, I think of health care alone and literally life and death situations. Absolutely. How is Fortinet, with your ecosystem of partners poised to help customers mitigate some of these impending risk changing risk >> coverage? Strengthen numbers. Right. So we have, ah, strong ecosystem, of course, through our public ready program. So that's a technology piece, right? And to end security, how we can integrate how we can use automation to, you know, push security policies instead of having an administrator having to do that. Humans are slow a lot of the time, so you need machine to machine speed. It's our fabric ready program. You know, we have over fifty seven partners there. It's very strong ecosystem. From my side of the House on Threat Intelligence. I had up our global threat alliances, right? So we are working with other security experts around the World Cyberthreat Alliance is a good example. We've created intelligence sharing platforms so that we can share what we call indicators of compromise. So basically, blueprints are fingerprints. You can call them of attacks as they're happening in real time. We can share that world wide on a platform so that we can actually get a heads up from other security vendors of something that we might not see on. We can integrate that into our security fabric in terms of adding new, new, you know, intelligence definitions, security packages and so forth. And that's a very powerful thing. Beyond that, I've also created other alliances with law enforcement. So we're working with Interpol that's attribution Base work right that's going after the source of the problem. Our end game is to make it more expensive for cyber criminals to operate. And so we're doing that through working with Interpol on law enforcement. As an example, we're also working with national computer emergency response, so ripping malicious infrastructure off line, that's all about partnership, right? So that's what I mean strengthen numbers collaboration. It's It's a very powerful thing, something close to my heart that I've been building up over over ten years. And, you know, we're seeing a lot of success and impact from it, I think. >> But some of the, uh if you go back and look at some of the old threats that were very invasive, very problematic moved relatively fast, but they were still somewhat slow. Now we're talking about a new class of threat that happens like that. It suggests that the arrangement of assets but a company like Ford and that requires to respond and provide valued customers has to change. Yes, talk a little about how not just the investment product, but also the investment in four guard labs is evolving. You talked about partnerships, for example, to ensure that you have the right set of resources able to be engaged in the right time and applied to the right place with the right automation. Talk about about that. >> Sure, sure. So because of the criticality of this nature way have to be on point every day. As you said, you mentioned health care. Operational technology is a big thing as well. You know, Phyllis talking about sci fi, a swell right. The cyber physical convergence so way have to be on our game and on point and how do we do that? A couple of things. One we need. People still way. Can't you know Ken was talking about his his speech in Davos at the World Economic Forum with three to four million people shortage in cyber security of professionals There's never going to be enough people. So what we've done strategically is actually repositioned our experts of forty guard labs. We have over two hundred thirty five people in forty guard lab. So as a network security vendor, it's the largest security operation center in the world. But two hundred thirty five people alone are going to be able to battle one hundred billion threat events that we process today. Forty guard lab. So so what we've done, of course, is take up over the last five years. Machine learning, artificial intelligence. We have real practical applications of a I and machine learning. We use a supervised learning set so we actually have our machines learning about threats, and we have our human experts. Instead of tackling the threat's one on one themselves on the front lines, they let them in. The machine learning models do that and their training the machine. Just it's It's like a parent and child relationship. It takes time to learn a CZ machines learn. Over time they started to become more and more accurate. The only way they become more accurate is by our human experts literally being embedded with these machines and training them >> apart for suspended training. But also, there's assortment ation side, right? Yeah, we're increasing. The machines are providing are recognizing something and then providing a range of options. Thie security, professional in particular, doesn't have to go through the process of discovery and forensics to figure out everything. Absolution is presenting that, but also presenting potential remedial remediation options. Are you starting to see that become a regular feature? Absolutely, and especially in concert with your two hundred thirty five experts? >> Yeah, absolutely. And that's that's a necessity. So in my world, that's what I refer to is actionable intelligence, right? There's a lot of data out there. There's a lot of intelligence that the world's becoming data centric right now, but sometimes we don't have too much data. Askew Mons, a CZ analysts administrators so absolutely remediation suggestions and actually enforcement of that is the next step is well, we've already out of some features in in forty six two in our fabric to be able to deal with this. So where I think we're innovating and pioneering in the space, sir, it's it's ah, matter of trust. If you have the machines O R. You know, security technology that's making decisions on its own. You really have to trust that trust doesn't happen overnight. That's why for us, we have been investing in this for over six years now for our machine learning models that we can very accurate. It's been a good success story for us. I think. The other thing going back to your original question. How do we stack up against this? Of course, that whole edge computing use case, right? So we're starting to take that machine learning from the cloud environment also into local environments, right? Because a lot of that data is unique, its local environments and stays there. It stays there, and it has to be processed that such too. So that's another shift in technology as we move towards edge computing machine learning an artificial intelligence is absolutely part of that story, too. >> You mentioned strengthen numbers and we were talking about. You know, the opportunity for Fortinet to help customers really beat successful here. I wanted to go back to forty guard labs for a second because it's a very large numbers. One hundred billion security events. Forty Guard labs ingests and analyzes daily. Really? Yes, that is a differentiator. >> Okay, that that's a huge huge differentiator. So, again, if I look back to when I started in two thousand four, that number would have been about five hundred thousand events today, compared to one hundred billion today. In fact, even just a year ago, we were sitting about seventy five to eighty billion, so that numbers increased twenty billion and say twenty percent right in in just a year. So that's that's going to continue to happen. But it's that absolutely huge number, and it's a huge number because we have very big visibility, right. We have our four hundred thousand customers worldwide. We have built a core intelligence network for almost twenty years now, since for Deena was founded, you know, we we worked together with with customers. So if customers wish to share data about attacks that are happening because attackers are always coming knocking on doors. Uh, we can digest that. We can learn about the attacks. We know you know what weapons that these cybercriminals they're trying to use where the cybercriminals are. We learned more about the cyber criminals, so we're doing a lot of big data processing. I have a date, a science team that's doing this, in fact, and what we do is processes data. We understand the threat, and then we take a multi pronged approach. So we're consuming that data from automation were pushing that out first and foremost to our customers. So that's that automated use case of pushing protection from new threats that we're learning about were contextualizing the threat. So we're creating playbooks, so that playbook is much like football, right? You have to know your your your offense, right? And you have to know how to best understand their tactics. And so we're doing that right. We're mapping these playbooks understanding, tactics, understanding where these guys are, how they operate. We take that to law enforcement. As I was saying earlier as an example, we take that to the Cyber Threat Alliance to tow our other partners. And the more that we learn about this attack surface, the more that we can do in terms of protection as well. But it's it's a huge number. We've had a scale and our data center massively to be able to support this over the years. But we are poised for scale, ability for the future to be able to consume this on our anti. So it's it's, um it's what I said You know the start. It's never a boring day in my office. >> How can it be? But it sounds like, you know, really the potential there to enable customers. Any industry too convert Transport sees for transform Since we talked about digital transformation transformed from being reactive, to being proactive, to eventually predictive and >> cost effective to write, this's another thing without cybersecurity skills gap. You know this. The solution shouldn't be for any given customer to try. Toe have two hundred and thirty people in their security center, right? This is our working relationship where we can do a lot of that proactive automation for them, you know, by the fabric by the all this stuff that we're doing through our investment in efforts on the back end. I think it's really important to and yeah, at the end of the day, the other thing that we're doing with that data is generating human readable reports. So we're actually helping our customers at a high level understand the threat, right? So that they can actually create policies on their end to be able to respond to this right hard in their own security. I deal with things like inside of threats for their, you know, networks. These air all suggestions that we give them based off of our experience. You know, we issue our quarterly threat landscape report as an example, >> come into cubes. Some of your people come in the Cuban >> talk about absolutely so That's one product of that hundred billion events that were processing every day. But like I said, it's a multi pronged approach. We're doing a lot with that data, which, which is a great story. I think >> it is. I wish we had more time. Derek, Thank you so much for coming by. And never a dull moment. Never a dull interview when you're here. We appreciate your time. I can't wait to see what that one hundred billion number is. Next year. A forty nine twenty twenty. >> It will be more. I can get you. >> I sound like a well, Derek. Thank you so much. We appreciate it for Peter Burress. I'm Lisa Martin. You're watching the Cube?