 Welcome to the telecom exchange CEO roundtables both for our guests here in the audience at Tech's LA as well as for our viewers joining us as we stream on Facebook and on JSA TV. Our last panel of the day is a topic truly that keeps me up at night and I'm sure many of you guys in the room here today. IOT and cybersecurity risks in the supply chain privacy and defense. The panel is moderated by my friend Ronald Greer. He's the director of emerging telecoms and at Frost and Sullivan. Ron covers topics in his analysis as topics such as 4 and 5G, SDN, NFV, IOT and others and it really makes him just a great fit for this panel. He's a regular speaker at telecom conferences. He's been at telecom exchange previously as well as Mobile World Congress and IT expo. He's also a contributor for Forbes as well as written for the street.com, Silicon Angel, CIO review, Information Week and others. Ron, thank you again for joining us here at Tech's and please welcome Ron Gruya. Thank you. Thank you, Jamie. I just wanted to thank the JSA folks. They put together a quality event and well, you know, it's tough. We had such a great session before. We had all stars but we also have a very distinguished group of panelists here and well, a little bit of a joke here but I'm Brazilian originally. Our flag says order in progress. It should really be order in progress because after so many years we neither have ordered nor do we have progress but I know we're the last session here that stands between you and the cocktail so it's tough but we'll do our best to finish in time. I'm going to go ahead and introduce our distinguished group of panelists and I'll have a chance to first of all let you introduce yourselves a little bit. We have Matthew play from Fortinet. We also have Amitava Mukherjee from Redshift Networks, Rob Barlow from Wired IE and last but not least Leon Kupferman from Zanage. So gentlemen, maybe we'll start from from the top there. Matthew, maybe you could introduce yourselves and tell you a little bit about what your company does. Thank you. Sure, sure. Thanks for having me. So I'm with Fortinet. It's a cybersecurity firm started in 2000. The founders, Kenzy and Michael Z, also found a net screen so they've been in the security game for a while. I've been at Fortinet for eight and a half years, pre-IPO. It's been a definitely an interesting ride and before Fortinet I was with Checkpoint Software so I spent the last 14 years in cybersecurity on the vendor side. For that I was with Cable Wireless on a product side developing security solutions. This is an interesting topic. I feel security is much more a philosophical debate as you heard in the previous panel. There's a lot of opinions about what to do, how to do them. Do you stop them, mitigate them in the beginning or do you do that after the fact and then take action, you know, behind the scenes? So it's kind of a interesting debate and topic so, you know, feedback is definitely welcome. My name is Amitabh Mukherjee. I'm the co-founder and CEO of Redshift Networks. We're focused in the voice security space so specifically working with carriers. It's a combination of security analytics and fraud that we look at. We work a lot of global carriers that are central link frontier, AT&T, Telefonica. We're in multiple geographies around the world. It's a big problem set. My background about 10 years in security in the networking and telecom so Avaya, McAfee, Nortel, so that kind of experience that. So I bring in a breadth of experience from telecom as well as security into play. So look forward to this panel. Thank you. I am Rob Barlow, the founder and CEO of a company called YRE. We're a network operator. We actually look at delivering IoT projects and on our own network that's in throughout the Americas and underserved markets. Large enterprise and government are our main verticals that we focus on. So Internet of Things is something we live and breathe every day and security is something we always are worried about. Hi, my name is Leon Cooperman. I'm the Chief Technology Officer for Accompanienium Zanange. We're a startup, a relatively young startup, a couple years old, growing very rapidly. We specialize in two things, network denial of service, which has been near and dear to everyone's heart. Everyone who's running IP networks in the last several weeks is definitely paying attention. We also have artificially intelligent product for web application security that helps protect probably one of the most important application delivery mechanisms in the world today, which is web applications. So happy to be talking with you guys about this really critical topic of IoT. Great. Okay. So maybe Leon will stick with you and we'll go around the horn. I think the one thing that's been in everyone's mind is the DIN attack that happened a few weeks ago. And what does that say about our current level of vulnerability? You know, was amazing because we read many different reports and still trying to really figure out what happened. But in essence, some people initially thought, wow, you know, that was such a big outage. Must have been some foreign state player. And then later on, it was discovered that maybe it wasn't so complex after all, but it was just some kids that were trying to block out, apparently, you know, the PlayStation site. And because the DNS provider was then they ended up attacking and was almost like a domino chain. So what does that say about our current level of vulnerability? And maybe Leon, we'll start with you. You know, what is what is the state of the union? And you know, where, where, you know, what can we do to avoid this in the future? Sure. Well, just the level said, everyone, it was about two weeks ago. A bot net named Mariah was launched against DIN. It was not the first time we've seen Mariah. It was it was probably made famous back in September when a security analyst named Brian Krebs, who's a colleague of ours, is a journalist that focuses on Internet security. He was he was attacked by the same botnet. So that botnet was a group of tens of thousands of vulnerable IoT devices, mostly IP cameras made in China, unfortunately, that were taken over and programmed to attack various destinations. So the source code for this attack is was leaked back in September. The countermeasures were fairly well known. And the fact that DIN was taken by surprises by this attack is a little bit of an anomaly because a lot of folks had been preparing for Mariah for quite some time. Just to give you the scope of the attack. Officially it was rated. Well, the first one, I don't know if the DIN numbers were fully released, but the first one was rated at about 600 gigabits per second, although we believe that that's just the amount of mitigation that was applied before the site was shut down. So back channel tells us it was about a terror terror attack. So that is two or three times bigger than the last largest amplification attack that we've seen on the Internet. And it was because of IoT devices that it was possible. And just so you guys know a little bit of the backstory, these guys were originally sent to jail. And when they were put out on bail, they launched this first attack against Krebs. So as a little bit of a retribution. So that gives you the kind of backstory, but it shows you the vulnerability that we have in TCP IP or IP and UDP are two fundamentally vulnerable protocols. And we never imagined that if you look back 20 years ago, at the roots of the Internet that this particular protocol would grow in its capacity. And a great example is we're running out of our we've ran out of IPv4 space. I don't think if you asked anyone 20 years ago, if we'd be running out of IP space anytime soon, the answer would be yes. So that kind of gives you the background run and kind of opens the door for the for the baseline discussion if you want. Thank you. Thank you. Great. Okay, Rob, maybe you want to contribute something? Well, I think you probably don't understand the magnitude of the problem we have today. These are devices that aren't built with security first. You know, it's just the nature of the business. When you talk consumer devices, it's all about getting as many devices out there. Because that's their manufacturing model. So then you've actually, you know, you have to make sure that that you're prepared, but you don't really want to be telling people you're prepared for something because that makes you a target. And one of the problems I think we find through our experiences that people have problems and don't tell anybody. And so if we're all working in our own silos, of course, it's harder to put a, you know, finger on where the real real issues are. And we're doing business in a North American way. Other countries, this is big business for them. I mean, you can, you can basically buy someone's, you know, personal information on the dark web for pennies. And it's big business. So, so I think internet of things is something that we need to really understand the attack plane, which is through policy and education. I don't think it's going to ever go away. It's just going to get bigger. We've become more reliant on data for our lives. And Dave, you know, if you as an example, Walmart, when they see a hurricane coming, you know, they know how to stock their shelves before it comes. So, and it's all about big, big data. And the even know your behavior when you go to a kiosk in their store and what you're going to do next. So, from my perspective, this is a great topic. It's something that we all have to be aware of. And education is probably, you know, the main thing that needs to happen. Great. Amitabha. Yeah. So same thing. So we're going to focus more on the voice side of things as far as our company's concerns. So if we look at IoT devices, you have, of course, printers, cameras, etc. But also phones are IoT devices. So physical phones. So we see a lot of attacks on those phone sites. We've seen this all over the world from Russia, from Poland, from Germany, from the US, they're attacking these nodes, they're actually phones that are attacking. So when you see this from the IoT devices, this is not a new surprise. I mean, if you look at the PCs, there's more about two, three, four billion PCs, and you have a well defined market of security for that. If you look at, you know, Android devices, etc. phones, there are about maybe about five, six, seven billion phones out there. There's now starting to get a good set of devices of security for that realm. But IoT devices are unknown. But the protocols in the IoT devices are not common protocols, even though they're pushed to standards and all. So there's not really common architecture for a lot of these IoT devices, because the industrial control devices, there are cameras, etc., which people don't have a lot of understanding. But now you're starting to see some commonalities and people are starting to put technologies in there that can secure these. So a lot of startups that are out there today, of course, the bigger companies do a lot of IoT security. But if you actually wanted to look at security solutions, a lot of the innovative startups out there are building solutions for ZigBee and some of the protocols that are in the IoT space. So yes, so this is a new vector of attack. And the funny thing is that now you're talking about 50 billion IoT devices by 2020, that's what Cisco says. So now suddenly you end from a billion to two billion phones to maybe six billion mobile phones to save seven billion PCs to 50 billion devices. So that's a huge number. So suddenly the threat vector goes and that's what you're looking at. So the attack vectors could be even more aggressive than what we see traditionally in other networks. And that's what was proven a couple of weeks back. Excellent. Okay. Yeah, it's actually to your point. I just read. I think yesterday was on the news that there's a new back back door vulnerability on Android devices that was being explored by Chinese hackers. And apparently people were amazed not to know about this. But I actually knew about this a while way back. But it's true, the even the, you know, the cell phones themselves are in protected. I think even baby monitors, and they also talk even in enterprises, believe it or not, one thing that did come up in our research video conferencing systems, you could actually look at, you know, cameras inside the video video conference room. And, you know, amazingly, the sysops, that's a human emblem, we're going to explore that a little bit later in our conversation. But Matthew, maybe you want to talk a little bit about it. Yes, hard not to be, you know, sort of a doomsday or and these topics and conversations, right? So it's you have to keep the conversations positive, which is very challenging to do. But, you know, you look at consumer side and you say, Yeah, that's important. Actually, the the den attack was simple in its nature, but complicated actually to mitigate. So volumetric DDoS preventions typically wouldn't prevent some of this. And a lot of the devices are just then Android devices. So all the exploits that exist are typically for the most part Android. So that creates a very interesting proposition on the consumer side. But I think if you look on some of the more interesting, the industrial IoT environment, that's where it gets very complicated. Because you look at robotics and how companies use robotics in their companies. You know, there's secret sauce behind there. That's not just about an inconvenience of not being able to reach a website. It's Wow, that manufacturing process we now own. We understand how they do that. And if you look at intuitive medical, they're doing robotic surgery, you know, over the internet, which is kind of scary in a way, right? Thinking about all this. And really, what are the preventions behind it? Are we really thinking about no security in the front of the conversation? And I kind of laughed about this today. I said, How come security wasn't the first presentation going into this? Because it's typically a bolt on, right? We bolt on security expecting to work in these environments. And I think that's the wrong approach. We really have to change the mindset behind it. Excellent. All right. So maybe we'll start in the middle now. Maybe with Robin and Amitav and go, you know, because we talked about actually was brought up in previous sessions. Today, we're talking we had a session on IoT and the proliferation of IoT devices. And I know the Cisco forecast 20 million needs to match the Ericsson and I think Ericsson revised that a little bit downwards, but whatever the number is, what do you believe that number or not? There's a lot of discussion of whether or not those are all vulnerable endpoints and who is going to really own the security of this IoT devices, especially when there's no uniform standard, because there's really this multidisciplinary type of approach. If you're talking about like, let's say, building where you have Johnson's controls, you have a Cisco, you have all these vendors, they're not really talking to each other and we don't know is it going to be an ITF driven thing? Is it going to be an IEEE different thing? Which organization will be driving this? I know Rob answered this question earlier, but maybe for the benefit of those of you who weren't earlier this morning on this, maybe we'll start with you, you know, the onslaught of IoT devices and who really owns that aspect of the security? Well, I think standards are a big issue we face today. There's a couple of organizations that are working towards standards for technology, the same ones that actually helped with our cellular network, which is really an internet of things. We've got MEF, which is the Metro Ethernet Forum, that's working on standards across carriers that allows us to kind of expose the network through a software delivery framework and network framework for virtualization and stuff like that. And then you have IEEE, which is part of the whole standards body, but I think it is a, it needs to be a joint effort. I think if you look at who has exposed the most right now, it's probably network operators. That's the first, you know, when there was when there was that attack, the first thing they did was got every CEO and CIO from every US tier one telco on the phone and said, how are we going to plan to stop this from happening again? We're only, you know, network operators are accountable for using communications when the government needs it. It's really it's law, actually. So organizations like Metro Ethernet Forum, which is kind of carrier-driven as a start, they've got an IEEE and UN, but I think I think the big thing is standards is what we need because there is so many organizations doing their own thing and have their different different flavors. So it's been done before. I think it'll actually escalate now based on some of the things we've seen. Excellent. Thank you. Amitabha, you want to contribute? Yes, sure. So I'd agree that. So basically there are standards out there that have been developed for the security side. I think there's an internet IoT working group that has really focused on a couple of different vendors, but Vodafone was one of the precursors of that. So they will drive a lot of these standards on how to approach security for IoT devices. Also there's a lot of these managed service providers that provide IoT security functionality. So they'll be there. What we see actually all the vendors, of course, will do their part to promote the functions and requirements out there. But I think there the interesting thing out there is that as all these devices become more IP-enabled than as I was saying there is a lot of Android-based systems. So you're moving from industrial grade to more IP environments. It becomes more and more dangerous. So we saw in an analogy to voice applications, right? So you had phones. So phones were running in different protocols. So SIP is now the normal protocol that's being used for a lot of these phone devices for communications today. So fixed line and Comcast, AT&T providing home services, your Volte mobile phones are all, there's a common protocol called SIP. And so everyone thought that having a standard for this is nice and easy because then you can interrupt all these devices. What happened was because of that use, you'll be good at use. It was easy for attackers. So hackers latched on to it and say, okay, I create one hack and I can attack all these different phones from different vendors. So that's one of the dangers you have of this is that as you have standards, and not to say standards are bad, but as you have standards, you also have hackers that can now generate these attacks and attack multiple systems because they're all following the quote-unquote same standard. So there's a lot of challenges in that. And I think all these organizations, as I said, that have to really look into that and figure out how to really protect and secure all these environments. Excellent. Okay. Matthew? Yeah. So I think, you know, standards exist. The standards exist in networking. There's protocols and we understand IP traffic and it has the payload and the header. It looks according, but people can still off-escape that. So the question is, if we make a standard for IoT, won't people just do the same that they've done to TCPIP? Yeah. Right. So I think, you know, like you said, I mean, I think a lot of people said this earlier, but it's not people in a basement hacking away. It's pretty intelligent people. Figure out how to make these, you know, really well-funded people. So I think, you know, really, it's it's inherently secure. I think is really the mindset we really have to have is I think there's a lot of operating systems, a lot of versions to control. There's vulnerabilities are discovered after the fact. So a standard can help. But really, I think mitigation in the beginning is the most critical part. Excellent. So I'm not a I'm not a huge believer in government into intervention and almost anything. But this is this is one area where government, I think, can help to an extent. And, you know, we used to have a problem with with electrical systems, you know, that go back 100 years ago, people's houses would burn down when their life problems exploded. So, you know, we had a standard that kind of created safety around that. And so the problem here isn't so much the protocol or the standard. The problem here is there's no level set of security for basic IoT devices that get onto an IP network and then start communicating out. And if there was a bare minimum threshold that you if you wanted to build an IP camera, and you were trying to sell it for $8 a piece, right? And that's really the race to the bottom that we're looking at. And you had a and you had a bare minimum security certification that that IP camera had to kind of pass in order to be allowed into the US market for example. That would create enough. I believe that would that would create enough of a barrier that the government could enforce some type of certification where we wouldn't have rogue devices all over the place, running Linux or Android and absolutely no security on those to open. You Ron, you mentioned the fact that you can basically see people's baby cams online. And that's true. And that and that was an exposed and exploited standard. So home routers have this thing called UPNP universal plug and play. And so the first thing that that camera does when it enters your network is it advertises to your router. Hey, I want access to the outside world. I want to take part in that I in that one IP address. And so that's an example of a standard that was horrible and created a much bigger security problem for us than than it solved. And so yeah, certification is one way to approach the problem from your perspective. I'll just add one thing seems Leon so eloquently put I this is back in the days when I had more and more hair than money, I was still a grad student, I actually set on the IEEE committee for 802.11. And you know, this is one of the problems with with standards. Sometimes they move so slowly because you have all this different competing vendors and interests. And then by the time you have a standard ratified is suboptimal by definition. So if you look at the IEEE 802.11, I remember for security, they had a wired equivalent privacy web. And you know there's a whole bunch of packages Google going download these days Air Snort, etc. It's very, very easy to to hack attack. If you see any, that's, there's few and fewer, you know, Wi-Fi hotspots that are using web. Of course, the industry went beyond that with WPA, but now you could even crack WPA. You may require a couple of hours, but you could do brute force attacks on WPA. Anyway, let's move on. This is, but this is fascinating. I think we'll start with you, Leon. You know, the next question is, you know, what are some of the protection mechanisms that are available over the internet for a person and our business? Like, is there some ideas that what can we do to protect ourselves, you know? Yeah, that's a great question, Ron. As businesses, I, you know, I think, you know, companies like Fortinet and their peers are doing a great job in terms of putting up unified protection mechanisms to at least help shape the problem of corporate security. And I think corporations are fortunate because they have staff and means and the ability to hire and the ability to expand capital to build a security framework. And then there are also standards in and government. So for example, payment card industry is a great framework around which to protect credit card data. And it's a pretty good standard although a lot of people gripe about it. The home is a much bigger problem. So when you look at home carriers and folks that are trying to deliver high degrees of bandwidth to over fiber. And I've just heard a story that Comcast is planning and delivering, you know, one gig to the home up and down, which is crazy to me that we could give. There's never a need for any home user to have that much bandwidth. But what do you do in that least protect the part of our society? And so there are fortunately, I think there are some startups that are starting to come up with some great home solutions for IoT security that includes standards like that includes ZigBee and Z-Wave and other radio frequencies. I don't know if you guys saw this, by the way, there was a last week, there was a drone that flew by an office building and was able to turn its lights on and off based on an insecure ZigBee set of light bulbs. And then last year, we saw car hacks, same idea, completely unsecure mesh. These these people and that was based on an 8 bit bus that was completely unsecured for the last 20 years. But was just exposed now. So there are startups and enterprises that are starting to address home security. I know Bitdefender is coming out with a home security appliance. There's a startup called Kujo, which is doing amazing things in home security. So, you know, there is some light at the end of the tunnel, but the problem is daunting. Right. Matthew, maybe you want to. So I disagree. I love having gigabit internet at home. You know, it's completely useless, but it's nice to have, right? So I think, you know, on the business side of things, we are doing a lot to prevent. But, you know, we get in this vicious cycle. It's like once we deploy something, okay, we're good for locks. People in the enterprise don't want to face change too often. So then we have this really challenging position of, well, the threat intelligence is really the most important part and really staying current with your security products is really important. Enterprises don't evolve that way. There's a very much a legacy IT sort of mindset around, I think, security where it's, you know, a lot of businesses run six and eight year old code very commonly in their infrastructure. So we have a subset of features that are turned on in these environments. And it creates a massive problem. So even if you have all that, you bought all the right tools at one point, if it's not up to date, it's not going to help. So that's a major challenge. So we have to get, I think, you know, some of the products that we produce and those mechanisms in place quicker and more effectively, that's less cumbersome to operationalize. The home is a very challenging one. I think behavior is the driving factor at the house, right, and education. I mean, I think I talked to my mom and she's doing bad behavior, going to websites and things. It's hard to stop, right, because they don't really understand the implications behind them. So you always have to make it. That's, that's, you know, a process in which that is simple to use and understand because security now today, we're hard pressed in this industry to really find great engineers and security to be effective. So how is the consumer going to do that? Right. Okay, Amitabha. Yeah, so basically in the IoT realm, there's, you know, companies that are focused on specific problem sets, right? So they're focusing on heating systems, lighting systems, the others are focusing on washing machines, there are others that are focused on industrial controls, others that are focused in the automobile space. So there are different solutions out there that are attacking specific segments. I mean, of course, the segment is interesting as a whole, but it's a 50 billion IoT devices segment. So it's a massive segment until there's some commonality between, as I said, protocols, etc. It's harder to do. So you have security devices that you can actually go after that protect specific areas. So if you're a carrier, if you're a home user, etc., you should go and look for those. So you want to, you know, protect your Nest device. So look for security solutions that have that because there are solutions out there because there are again startups that are segment those target those segments, right? Of course, out of that, you've got to also see about how these sewer devices are managed, right? So how are they developed? How are they managed by the carriers? A lot of these carriers develop solutions to manage these sewer devices. So I think the key is making sure that these sewer devices are managed well, provided by the carrier themselves. We work with the same thing we see in a lot of these phone devices. So the phones, they may not patch the phone, right? So that's one of the things we say what you mentioned, patching the phone. There is a lot of weak password controls. So same thing with passwords. So that's a very big weakness in IoT devices because a lot of people use, you know, standard passwords to get into IoT devices. There's what type of data are you bringing from these IoT devices? What type of data they interact? Is that important data? So that's another way. So whatever you have as far as security standards when you're actually deploying a security mechanism, whether it be for email or whether it be for firewall, for your network, whether it be for your voice services, you've got to use those same mechanisms for your IoT devices. So looking at all the different things that you would go through, and we talk about something called defense in depth. So, you know, when you approach IoT, you've got to do the same thing. You just can't have one thing that says, okay, I've got a patch control and I'm all set. No, you have to look at this as a holistic problem set, and you have to have solutions that are looking at patch control, looking at password control and looking at vulnerabilities on data, looking at analytics, all these different things. And that's why you can that's how you can actually start building a real framework to protect those devices. If you're looking at IoT, of course, a home user is different from an enterprise user. Home users are much less sophisticated. So I'm sure the McAfee and all those will acquire smaller companies that can do those kind of solutions. But for a large enterprise, you definitely have to use the same practice that you use for typical security functions now to approach IoT devices. Excellent. Thank you. Okay. So, Rob, let's complete the second one. Oh, yeah. So all the good responses have been taken. But one thing I think it's important is that we understand I'm going to talk about it from an enterprise and network operator perspective. First off, I never really like to tell anybody that I have a secure network because that just means, you know, it's open for someone to try to prove you wrong. And in fact, you probably never do have a secure network at any time. I think a lot of it is policy that you just talked about, which is, which is really, you know, how we do things and how we implement them in an IT environment. But also, you know, having, you know, test runs and and and trying to get into your own network to prevent, like, you know, to find out how you're going to respond. And doing that through a regular program is is something that we do seriously. There's a lot of great companies out there that are very good at mimicking what can happen to your network. And really the only way to figure it out is by having it happen to you before it's like in an environment that you can control. So it's really about risk and managing that risk in your business as an as an enterprise and and making sure that you don't have, you know, industrial Internet of things on a public network, you want to have it on a private network just as a simple rule, but you would be surprised, right? So there's a lot of large retail organizations that are national that pretty well are using consumer devices. And, you know, so there's a lot of there's a lot of education that needs to go around and it even starts at the HR departments educating educating people. In fact, I don't know how true it is, but, you know, the British Secret Service was infiltrated by a LinkedIn phishing attack. Somebody, you know, was doing some work and, you know, connected to somebody and they got in and they ended up getting key phone numbers from from from people. So education is a huge thing. And really, I think you know, my company builds networks across Canada and the US and in the Americas, and I'm always about safety first, but I think security first should also be done in the same way. I mean, and it's it's really just a mindset of the changing times that we're in the Internet and Internet of Things are powerful. And so we just have to be intelligent about it. Great. I have one final question and then we'll open up for a Q&A from the audience because we have the coming up on the hour. So we're going to have drinks pretty soon. So I guess where do you see us adding one to three years from now? And, you know, what do you think we have to build in the future for added protection in terms of, let's say, private networks, et cetera. So maybe Rob will start with you and maybe just take just one quick minute because I still want to give, you know, the audience a chance to ask one question. Thank you. So in the future, I think it's going to be a lot. There's going to be a lot more analysis done before you implement something. You're going to be probably paying more for things. I think, you know, on the business side of things is, you know, you can't afford to have a problem at all. And there's a lot of work being done to communicate what is actually happening to each other. There's people out there that are actually trying to bridge the gap between the big major enterprises and to try to learn from each other. So you're going to see a lot of that. And the whole problem is not going to go away. It's just going to get worse, which means that we're just going to have to educate ourselves and be prepared. And as far as the consumer thing is, like, the attack plane is easier as we go about this whole evolution, I mean, your fridge can be attacked. So, you know, and the home is probably, from a consumer perspective, the place to have the most risk. So, okay, so maybe we'll go this way now just for diversity. Leon, you want to? Yeah. So I kind of, I have two kind of major predictions. The first one is I think we will have a major state-sponsored incident in the next kind of one to three years. That is going to change the geopolitical landscape. And it will be architected by a superpower. I think Stuxnet was the first glimpse of that, which if you guys don't know what Stuxnet was, it was a joint effort between Israeli and apparently American intelligence to blow up Iran's nuclear program by spinning their centrifuges too fast. It was an extremely effective mechanism. And the second kind of prediction that I'll make is that the home will become the battleground. So I think that's where everyone's focused. And the carrier specifically, I think a lot of folks woke up in the last little while. Carriers specifically woke up to this amazing network that's been built in our country and others, but also the weapon that's been built inside of that network. Yeah. Okay, great. So maybe Amitabh, I will go to you and then Matt. Yeah. So on the IT devices, so, you know, what we see, as I said, I use a number, you know, Cisco and Ericsson, they're always fighting about how big it will be, but maybe 50 billion is the number, which is a nice round number. So you can imagine 50 billion devices, that's a huge vector of attacks, right? So you suddenly went threefold, fourfold, fivefold the number of existing, suppose IP devices out there to this 50 billion number. So what we also saw in supposing if you look at security in general, if you look at the Internet, right? So the Internet penetration, when it hit about 30, 40 percent in maybe 99, 2000, 2001, that's when you start seeing the massive code, code red, Anacorpova, email, all that stuff started hitting at that time. So there's an inflection point when these devices start getting mass adoption and there's actually an ability for these attackers, because of course, the hackers are either kids or space state sponsored, which I'm definitely just sure there'll be a massive attack very soon. They're looking for that, you know, network effect, as they say, right? So when you start hitting a 40, 30 percent Y2 device implemented with IP enabled, you start seeing massive attacks out there on the Internet. Of course, there's already, you know, indication of it with your sync printers and all that cameras attack these networks. But as you go into industrial controls, as you go into all the other devices, you start seeing massive attacks. And we've seen that in voice. So voice, today voice for IP SIP is about maybe 30, 42 percent penetration. We're seeing massive attacks in SIP. They're attacking these networks aggressively. Every carrier network is getting attacked. And if a SIP device is getting attacked, even if you see you have a Comcast modem at home, you'll see 50 percent of the attacks are SIP attacks. So that 50 percent is the inflection point. 40 to 50 percent is when your device has become IP enabled, IOT become IP enabled, then you'll see these massive attacks. And outside of course, the state sponsored who are more focused on other things, but definitely you see a lot of those attacks coming in more aggressively. Great, Matthew. So I think, you know, let's rewind three years. If you look at IOT, it was kind of an idea. It was a concept. It wasn't like self-driving cars that you get out of here, right? It wasn't like you can go pick one up from Tesla today. It was kind of like an idea or concept. And I think that's kind of where we're going, is that these multiplying effects of how technology is moving so quickly, it's really hard to keep up with pace. And as these IOT devices evolve, I think, you know, the home is going to be used as a pawn, really, what I think to do bad things to motivate, right? I mean, it's inconvenient when your identity gets stolen and all those sorts of things. But really, what is the business exposure behind this and using it like DYN and all the businesses that were on this attack for DDoS on the DNS service? How much was really truly lost from that? Right. And that's really where my brain goes. It's, you know, it's inconvenient at the home, but really IOT is not the scariest thing. It's, I think, is that, you know, in the next one to three years, how do we really fix the approach? Excellent. Okay. We have time for one question from the audience. Okay. Okay. Maybe the lady here. No, I haven't heard you talk about some of the technologies that are maybe on the forefront. And we talked, are you seeing innovation around maybe AI or machine learning that can predict and prevent as opposed to mitigating and having that then deployed in IOT devices as agents or any of you starting to get involved in futuristic technologies? No, it's an excellent question. So for the benefit of everybody else, the question was about AI machine learning to to prevent use analytics to prevent attacks before they actually happen. So maybe Matthew, we'll start with you. Yes. So great question. Right. So we have developed technology. I think it's been out for like three years, right? The problem is the standards. Right. So if you don't know what kind of of the good kind of traffic is happening, it's really hard to stop the quote, quote, back, right? So the standard is really important. So we have that for most of networking. We understand, you know, what the payloads and traffic looks like. And so we can say yes or no to that and make decisions. So as these things are starting to spin up, we can kind of see that people aren't unhearing to the RFCs behind some of these these products. So kind of creating these self repairing networks is really hard to do, especially in V six, because there's so many of them, the traffic. And most IOT devices are very chatty. So they create lots of sessions and they're just kind of all over the place, right? And because there's really no thought behind them. So I think when you look at the scope of one device and you see how much it's doing, how do you really make threat intelligence to mitigate that? So that's a great question. Collecting a lot of data. We are. Yeah. So what we do is, you know, what's normal driving versus what's attack traffic? Absolutely. But then how do you sift through that and see what is the known good traffic and what is the known bad traffic? And it's sort of a manual process today. So we have tons of engineers who all they do is look for zero day attacks. There's about 400 of those guys looking for zero day at our company. And that's pretty unique. But even them, it's a very manual sift process to really look behind traffic patterns. OK, someone else wants to take a stab at that. So OK, sorry. Yeah. So what we did on an approach, so with machine learning and AI, so definitely that's, you know, something you've got to use. And it's being used right now in security across the board. So from data security to voice security to IoT. So what we're seeing is that the more data you have about the device, so like in voice, right? So in voice, we do. We look at SIP, which is the protocol, right? But also outside of SIP, you got to look at behaviors of users. What are they calling? Who are they calling? So that's all analytics, deep analytics, so above and beyond just protocol, right? And the patches, right? So definitely the patches are very important. The protocol is important, but also the analytics behind that, right? So what we see is what's interesting in the IoT device is doing that analytics. So figuring out, okay, is my fridge off and what's the temperature of my fridge? It's zero degrees or is it minus 10 or, you know, my thermostat, it's 60 degrees or is it 20 degrees? It's wrong, right? So you need that kind of information to do real deep analytics. So yes. So I think, you know, you do need to do AI. You have to do machine learning, but you have to have context of that. So how does it apply to that specific device? And what is that inputting? You know, it's a heater, it's an HVAC, it's a car. So you have to have context to it. So we do a lot of context in our voice platform because we understand call flows and user patterns, which are different from, you know, talking to an HTTP server or an email server. So yes, so you will build intelligence, but initially there will be use case based, as you mentioned, because it's harder to do AI. But then once the standard has become, then you start building this more machine learning functionality that can actually do more intelligent things, right? Okay, absolutely. Leon. Yeah, like 30 seconds. So this is a passionate topic for me. It's my academic background and it's also the core of our products. I think there's a lot of misnomers about artificial intelligence and people use intermix machine learning and artificial intelligence. A lot of the time, artificial intelligence, what you guys would typically think of general AI, which is a thinking like human like machine. We're very, very far off that, unfortunately. But machine learning, which is one subset, which is pattern under pattern analysis and understanding is very promising. And like you guys were talking about, it's being used in cybersecurity all over the place. And in fact, it's our only answer. So because we're about, you know, there was a Cisco report that came out a few months ago that said we're about a million cybersecurity specialists short in 2016. The only way we close that gap is by getting human beings to stop doing the grunt work, if you will, elevate their level of thinking and allow machines to do the stuff that can be done in an automated fashion. And machine learning is a key part of it. One key point there is we use two different types of machine learning in cybersecurity. One's called anomaly detection. Another one is called supervised learning. There are a lot of products that use anomaly detection. The big problem with it is it's super noisy. You get all these false positives and then you need humans to figure it out at the other end. So as we move to what's called supervised machine learning, our accuracy level is going to skyrocket. But that label data and that labeling of the data is not easy. OK, great. Maybe, I don't know, is there anything Rob, you want to contribute to this? Oh, well, no. Like, I mean, my esteemed panelists here. All right, we have time for one more or one more question. There was a lady in the back. Sorry, she had her hand raised. So today we have computers, phones, and enabling devices. And when I heard from all of you guys on the panel, all of you offered an opportunity to say something about the protection software. How do we combine this software together to be able to be able to either the carrier or the enterprise or the user, the ability to have one focal point beyond what the standards are. The standards are already set. Now, how do we make intercompatibility or commonality of services to offer better solutions? I think Rob should take this one. OK, so who wants to take this one? Do you want to start? OK. Can you summarize your question? Yes, actually, I mean, so if I walk into my house today, we should have been slowly upgrading and making sure that everything works with the exception of the washing machine that might go up. Is that Samson? That we're getting them to talk to each other. The thought process here is that I'm sitting here in a panel and listening to someone tell me that my carrier can't protect me. What can I do to protect myself? Now I run two different browsers and have two different types of servers and have five computers. Can't get my husband to really stay off of things that he shouldn't be looking at. But they're not bad. I think they're wrong. Still shouldn't be looking at. And how do we make that more into a network? And what software do all of you guys entertain that an end user or that I should tell my provider that I should be able to get from them or from us to be able to make my house secure and know that my provider's off from that? So in a nutshell, the question is, you know, is there any software package or any sort of simplified solution to allow the home user to secure their networks at home? Talk about standards. But are you talking about the ability to meet usually meet agreements that I would use something from on top of the software from what Leon has and make those things melt into something that would work for me? Is there going to be something like that? For the consumer market, yeah. I think that's a nice question. Okay. And just before Rob James and I disagree that the networks can't do it. The carriers cannot do anything about it. I fundamentally believe this is a carrier responsibility. And yeah, and the solutions will be driven probably from newer technologies that carriers will adopt over time because they cannot leave the whole in the network the way it is. Okay. Yeah, so it's kind of a tricky response, really. So, I mean, the reason that you're buying these things is they're a commodity, right? Right, they're being made by manufacturers and outside of the US and they're being made by the number of them. So, you're going to pump those out as fast as you can and sell them as fast as you can. You and I have four TVs. So, that's one of the issues we have. So, we've also seen all kinds of softwares that are supposed to, you know, you're supposed to, when Wi-Fi came out of your home, it was like, you put on this software and boom, your Wi-Fi network's up and running, but then a phone call came to a call center for an operator and he's like, wow, I'm going to start charging you every time you phone me now, right? Because it didn't work the first time, you're okay. And so, basically I think that if operators become involved, they're going to want money for it because every time you pick up a phone, that costs them money. So, they're driven by average revenue per user. That's their cost model. So, they really don't have much control, only the fact that they want you to be a loyal customer. So, there's all types of, there probably is already a software that somebody's already developing or going to be developed to kind of mesh things together and telecommunications companies and network operators are large entities who have to productize these things to make them work. But sometimes, what happens is, there's too many options, right? And so, it takes a while. I would say, if I was a consumer, which I am, I try to keep things simple. I still look at the fact that if you have a play button, that's all you probably use on your VCR, PVR. And so, but there is a lot of users that the carriers have that are very sophisticated technology-wise, and so I think that there's a huge business opportunity for somebody to build software like that. Okay, how we know? So, in the valley, we call it the Borg, right? So, what happens is that you have all these startups, they develop technologies from different companies, different technologies, and then they get acquired by Cisco, or they're acquired by McAfee or Symantec, one of the big guys, right? And the Symantecs of the world, McAfee's the world, this is the big guys, will offer you something for everything, right? So, that's how it happens in the valley, it's an ecosystem, right? So, the Borg is that the Star Trek analogy, and reasons is that it will eventually be a simulator. I'm sorry. Yeah, no, no, that's fine. Some of you may not be Trekkie fans like us, no, it's here, but it's okay, yeah. So, that's what happens, right? So, there are individual problem sets, and there are companies that are solving those problem sets, people are trying holistically to solve it, but there's a lot of fluff, I'd say, right? So, Cisco, and they don't want to say it's a Cisco people, they'll tell you they do IOT security, or it's a very broad based statement, right? We actually go to startups that are in security, they'll actually be doing some solutions for ZigBee and others, right? And the Cisco will acquire them, then they can tell a real true story. I'm not, I'm trying to quote it with sugar, but it's actually true, right? You look at every single security segment from email to HTTP to web services to DDoS, they're all startups, and then they get acquired by the Borg, right? And then they offer the service. So, yes, that'll evolve as companies and new technologies come, they'll be acquired by bigger players who will have offerings for consumers, more broad based offerings, right? That's just the way the ecosystem goes, right? But I actually agree with Rob, I think that carriers in this, to break that chain, that historical chain, I think carriers have a real opportunity to take some thought leadership here, and say, look, we own this problem, how can we, let's not wait for this, this goes to the McAfees of the world, let's figure out how to solve it and become thought leaders here. And we kind of see that's the direction, like we're talking to companies that historically would have never been at the front of the security problem that are really taking an active approach, so it may happen that way. Right, right, right. Or the revenue opportunity that carriers are looking at, the revenue and opportunity cost, as well as the potential disaster that could occur, may drive these bigger carriers to take action. Well, he was talking about the Cisco Borg, it's a different Borg. It's a different Borg. It's a similar Borg. It seems to me, yeah. I think Clean Pipe is gonna happen. It has to. It's saturating networks. It's driving down, actually, the good stuff in their networks. Carriers have always been saying, good or bad traffic, it's your responsibility, it's not ours. But I think that's the requirement now. We are working on projects like that with big carriers and these types of conversations to say, how can we get down market in consumer to offer these things? Are you willing to pay for it is the question. Great, okay. I knew that. Strange. All the time. Or maybe, one last. Okay, well, we're in overtime, but I guess. You're holding this. Okay, all right. My question is, how do you expect a carrier to take responsibility for something like that when every end user is downloading something to their device and giving unlimited permissions for whatever app it is to find their information on their device? Correct. That's why they don't want part of it. But the carrier offers a router today, right? And you could offer, I don't know if you're with a carrier, but just using one kind of analogy to that is, do you have to offer the lowest common denominator unsecure router, or can it be something a little bit more sophisticated and capable? I use a session for a controller. It's a controller like the attack going into that down-shoot number. He's talking about inside an hour. Oh, inside? Yeah. I mean, that's the most basic form of security that I have, but I'm not responsible for end users. Yeah, the carrier doesn't necessarily have to take that responsibility, but I think some of the carriers that are gonna be thought leaders in this space are going to try to ensure that their consumer base feels secure and safe. And if they can solve the problem, they're gonna have a tactical, as well, strategic advantage in their markets. And they'll go with vendors, so you have domain expertise, right? So, you mean you're kind of saying the carrier is kind of broad-shrow. You got a fixed-line carrier, you got a wireless carrier. You just can't control what the end users are doing now. Correct. Because they don't want to be controlled. They want to have access to everything. That's right, right. The best of both worlds, privacy and security, and they want both, right? That's the challenge. That's why it's not an easy problem to solve. Right, and the carriers, of course, I mean, I understand the ability for them to offer all these services, but it is a challenge because you have to have domain expertise, right? So, in other words, you were talking about all these different security problems, and you have to have domain expertise to solve one by one. So, the SBCs, like, we offer a product that protects above and beyond SBCs, right? It's supposed to voice security, right? So, you have to have domain expertise. So, that's the challenge. So, there is a mix of vendors, managers, providers, and carriers to get together and then work on these problems and offer different solutions for different sets, right? Okay. Well, with that, I think we're gonna conclude. I wanted to take a moment here to thank the panelists. I mean, this is a great event. I wanted to thank Jamie for the opportunity. This wouldn't be what it is without the contribution of great panelists like these and the ones we had earlier. So, just wanted to thank you for the opportunity and I hope to see you in the cocktail reception and other future events as well. Awesome. Thank you. Thank you. Thank you, Ron. Thank you. Thank you. Thank you. Thank you.