Okay, welcome back everyone to theCUBE's coverage at RSA 2023, it's theCUBE. Four days of wall-to-wall coverage, I'm John Furrier, host of theCUBE. Dave Vellante's here, we're breaking it all down, from the security changes, it's got cloud, you got network, you got threat detection, all that's happening within platforms and tools. The industry is changing very, very fast. We've got two great guests here to break it down for us. Derek Manky, chief security strategist and global VP of threat intelligence with Fortinet's FortiGuard Labs. Great to see you, thanks for coming on, Derek.

Yeah, it's a pleasure, thanks for having me.

Jon Baker, director and co-founder of the Center for Threat-Informed Defense at MITRE Engenuity, great to see you. Thanks for coming on.

Yeah, thank you, thanks for having me.

Hey, you guys are the experts on threat detection, so are we under threat right now? What's happening in the network? Are they all secure right now?

So there's a lot that changes on a daily basis, but if I were to look at what's happening, there's always, that's right, just like we have it in the physical world, it's never going to go away. And in fact, cyber criminals and adversaries are getting more clever, right? We've talked about this before, but what are the innovations? One, we're actually seeing less of a push on volume, because it's been all about volume before, everyone. You know, you walk around RSA, everybody talks about millions or billions or trillions of attacks. It's not so much about that, but what we're seeing now is attacks becoming much more premeditated, targeted in nature from cyber criminals, right? Focusing on reconnaissance, weaponization techniques, adding new TTPs and tactics, things that map, you know, to tracks through ATT&CK as an example. That's really what they're focusing on, because it's more efficient going after large enterprise. You know, the profits are higher for cyber criminals.
And we're seeing them adopt, when I say that, cyber criminals now, adopting or acting very much like APT groups. So yes, I would say we're under threat, because the threats are becoming more targeted in nature.

For the folks watching, we do a lot of segments with Fortinet. They come out with all kinds of information, always checking in on us, taking care of us. But the big collaboration conversation, Jon, I want to get into, is about sharing information. Collaboration in the industry is a big part of this RSA. What do you guys do over there? Take a minute to explain what you do and then talk about the role of that with people collaborating in security.

Yeah, absolutely. So here we are at RSA, the theme "Stronger Together," right? And I think that that theme could eventually be, it could be our tagline at the Center for Threat-Informed Defense. At the Center for Threat-Informed Defense, what we try to do is bring together sophisticated cybersecurity teams from around the world to identify and solve hard problems. And we do that with, you know, Fortinet and Derek as one of our research partners there. Coming together, bringing in this diversity of perspectives, the challenges we face, to hit what are the most impactful problems that we can solve, and how do we do that in a way that helps the entire community, right? You know, Derek was talking about sort of reuse of adversary TTPs. Well, you know, in the same way, we ought to figure out how to defend against those TTPs and have that common library of defensive techniques and enable defenders to leverage that resource.

And the relationship between you and Fortinet is what, partners?

Oh, okay. So the Center for Threat-Informed Defense is a nonprofit. Our mission is to advance threat-informed defense globally. We have 30 member organizations, a couple of different tiers. Fortinet is one of our research partners, or a member of the Center for Threat-Informed Defense.
They work with us, you know, I say we collaborate in four ways at the Center for Threat-Informed Defense. We collaborate on what we do, how we do it, actually doing the work, and actually sharing in the funding for the research program. So Derek has a huge role in that.

I want to get your take on this. We've had many chats on theCUBE. You guys are very adamant. You're on the grid. You guys are watching everything, sharing it publicly. This is a big part of the collaboration, sharing, but also getting the data.

Yes, getting the data and getting it right. There's a lot of data out there, right? And so I actually look at the work that we're doing and what the Center is doing as advancing the, it's really the backbone, right? You have to get this right. It has to be structured. It has to be designed, eventually standardized, right? Open source, open to the public, things that are up on GitHub as an example. Make it available to the industry so that it can be adopted, because otherwise it's a high barrier, right? I mean, you can give me a data lake and say, "Derek, do something with this." I might have my own ideas. You know, it's a game of telephone a lot of the time, right? So without having languages obviously in place and the frameworks and the way to do that, innovative ideas, that's the way we need to move forward. Especially because that data, the contextual data we talk about all the time, it's becoming more vast, right? Because there's more TTPs that we talked about and more techniques, a bigger attack surface. It's not just IPs and your URL addresses.

It's gotten complex, and you're seeing some of the, even with the AI and the machine learning stuff happening, more advanced stuff there, the attack surface area is changing. What are the current trends that you guys are seeing right now, as we speak, in 2023, where we're in the spring, what's the current state of the art? What are some things out there? Are threats leaving signatures, for instance?
With the new AI, you're seeing patterns. What kind of trends are we seeing on the threat landscape?

So I'll start with that, maybe, Jon, can you give us some comments after? From my point of view, a couple of things. I mentioned, first of all, the targeted attacks. Playbooks like ransomware now incorporating destructive techniques. That's one trend. We issue our threat landscape report, and that was one of the highlight trends in it, right? So things that were born out of APT, wiper malware, destructive attacks, particularly in OT, right? That's a big, big thing. We're seeing it all across the board in healthcare, manufacturing.

OT was supposed to be locked down, wasn't it?

Oh, you got a Windows 7 operating system? Well, this is an infrastructure issue. Those are the HMIs and IT, but now those OT networks, it's all, a lot of them are not segmented, they're all connected. So that is a big aspect of threat. Speaking of AI as well too, we have seen some implementations of AI for the use of phishing techniques, social engineering. To be honest, when it comes to things like malware development and stuff like that, a lot of the coding and techniques still work. There's still a lot of that low-hanging fruit out there, but there's most likely going to be some advances.

Are you seeing any specific, Dave and I were just riffing on this at our opening yesterday and today. Are there signatures with the AI yet, or is it the same old malware tricks, just ample, easier to code, five versions of malware, see which one sticks, or are there specific AI-like signatures coming in that are now first-generation kind of patterns? Or is it not yet?

Yeah, so with machine learning techniques, you can actually do predictive analysis and you can have zero-day mitigation from a defensive point of view. It's a valid way to, again, if you look at things like polymorphism, we call it, viruses changing, right?
It's becoming less trivial to detect those, so with machine learning patterns you're able to anticipate even brand new kits that are being developed from borrowed libraries, from passcode techniques.

Jon, what are you seeing? We were talking on the threads earlier about, we've got to fight fire with fire, so.

Just kind of building off something Derek just said there. One of the projects that we launched recently within the Center for Threat-Informed Defense was this project called Attack Flow. And what we're trying to do is, over the last few years, you've probably seen this trend of organizations shifting from chasing indicators of compromise, or IOCs, towards understanding adversary behaviors and trying to figure out how to defend against those behaviors, kind of moving up the pyramid of pain, right? So with Attack Flow, what we've done is we've created a model for you to capture and describe a sequence of adversary behaviors, right? So if you're an incident responder and you're investigating something, you can start to describe exactly what you've seen in that incident. And that then creates this much higher fidelity conversation back with your intel team. So now, instead of talking about several IOCs that you saw, you can talk about the set of behaviors and the details underneath that behavior, which probably do include an IOC, right?

And the benefit there is the accelerated prevention, right?

Well, what happens is it actually allows you to start to leverage that corpus of flows and do things like predictive intelligence to understand, if I'm doing threat hunting, what should I look for next if I see a behavior, and be much smarter about that. It should allow us to create much more resilient detection capabilities. So instead of focusing on detecting a particular IOC or one specific behavior, we can start to focus on detecting sequences of behaviors. And you start to think about other opportunities for automation there.
It gives you this foundation for potentially looking into, how do we attribute attacks? Does this attack look like other attacks that we've seen?

Capabilities, and there's so many advantages, like from, he mentioned the SOC and the analyst perspective, but this also goes all the way up. I mean, it's in the name, threat-informed defense. That's what it's about. It can go all the way up to the CISO level, right? Saying, okay, now that I know these playbooks or how these adversaries are moving through the networks, given a period of patterns in the past, this is what we can anticipate. And then again, with a CISO hat on, do I have gaps, right? What assets are most likely to be attacked? How are they going to do that? Do I have the right preventative measures?

I think this is the most important area. This is where the hard work doesn't look sexy, but it really pays off, huge. Because you think about the value of that.

Yeah, you know, what I say within the Center for Threat-Informed Defense, when we're doing really well, we're often building resources, capabilities, that kind of lay a foundation for innovation for the whole community. You know, our goal is to essentially make cyber defense more efficient and more effective, right? Something like Attack Flow, it creates this model. There's some immediate value there to individual security teams, to be able to communicate more effectively. But it also creates a foundation for cybersecurity companies and security teams to really innovate on top of.

Can you give some examples, without naming names or name names, where you've seen it play out in a positive experience for companies to get more of this? As you're fighting the cyber crime, you got it, you know, you're trying to prevent it. Because those are the most private victories. When you prevent something, it didn't happen. So it's like you're celebrating something that didn't happen, you know?
That's the hardest thing, is capturing those success stories in a way that people are willing to share.

We need to get hacked today. Beers for everyone. Yeah, but no, this is work that needs to get done. What does success look like? Just peace and...

So we, I'll let you start with that.

All right, sure, I'll go for it. You know, like honestly, that's very close to the charter for the Center for Threat-Informed Defense. Our mission is to advance threat-informed defense globally. Why do we do that? We kind of use this image. Imagine the sort of MITRE ATT&CK knowledge base, that matrix that everybody's familiar with, is like the game board for the adversary. We want to take safe spaces off the game board. We want to make it harder for adversaries to achieve their goals. We want to, as we go, create risk for the adversary. So ultimately it's about trying to bring balance to that equation between defense and adversaries.

And being informed is critical.

Exactly. And to me, success is growing that ecosystem of industry adoption, including ourselves, right? At Fortinet, but really leading the charge, moving the needle as an industry, because stronger together, like the theme that we have at the conference, that's how we do it, right? I describe this as literally the backbone of how we do this, right? So that's one step. But then how do you transport that? How do you get implementation of that? How do you get all that messaging going up to CISOs worldwide? You know, that's success, right?

Well, we have to get you on our podcast. Dave and I have a new podcast that's on its eighth episode. We're trying to bring guests in after 10 episodes. But this is one that we've been ranting about. Public-private partnerships in action that actually help society, not just our political checkboxes. And our government is failing at many levels. So we go on the rant, so we have to get you guys in. But let's talk about the partnership, because this has to happen.
We've got to get more sharing, not get dogmatic around the islands everyone lives in, the unification of the data being super critical. Can you share your thoughts on this important item?

It's critically important. I think so, from a sharing perspective, as I said, you got to get it right. Everybody has different use cases, right? You have to be able to articulate that. You have to be flexible. You have to respect privacy, of course, through all those things, but we need to break down silos, right? There's a lot of silos, siloed sharing efforts that are happening out there. So we need to enable private-to-private sector sharing. We do that through our fabric ecosystem, as an example, at Fortinet, but public-private as well too, right? All the way up to law enforcement, prosecutions. We've said we can't arrest our way out of this problem, but it's all part of the ecosystem. And guess what? All of that has a direct impact on the citizen, on the consumer as well too, right? And in fact, the consumer also, if you think about these networks and implementing a good security stack, resilient networks, that's all part of that as well too.

I had a huge argument with the New York Times cyber writer who covers cyber security. And I'm like, hey, and her whole thing is, nobody died, but well, you can't measure, just let someone drop the missile. The cyber war is under the red line. They're operating freely. There are people dying from starvation because they got laid off or whatever. I mean, there's all kinds of impact downstream that there's not yet, the doctrine is not yet solved. I think we need more, I'm a hawk on this, I'm like, more private-public conversations around the benefit of protection, you know? So people-

I think this is the other thing too, that's actually, I think, incredibly simple. We want to make cyber defense more efficient and more effective, right?
And if you want to become more efficient, you need to kind of recognize that you don't need to have a half dozen or hundreds of teams solving the same problem in isolation, right? Within the Center's research program, that was kind of one of our motivators. We had organizations reaching out to us saying, we're looking at this particular problem, is anybody else doing it? And we knew of others. And, well, let's get together and solve that together once, benefit from each other's perspective to hopefully solve it better, right? And let's make that available for the whole community. And so some of the stuff we've done, it's created a foundational resource that's used by literally thousands of security teams around the world. They don't have to go do that work. They can go focus on defense now, rather than creating some of these foundational resources.

And it's a game changer. And the productivity too, Derek, we were talking earlier, many times on your thing about cyber crime as a service, how the actors are highly motivated, highly funded, highly technical, and they're constantly innovating, and they're good, they're motivated, there's money involved, so how do you make it tougher?

Exactly, this has got to break that. We have to lower the barrier on our side and raise the barrier on their side. That's how we do it, right? That's how we make it tougher. And by the way, this isn't a one-shot thing. It's not like, okay, we had a great conversation, let's revisit this in a year. This has to be literally a five to 10 plus year roadmap, things that we're in the long haul for.

How do people get involved? Because I know a lot of security professionals and network professionals, the two hardest personalities to work with, frankly, in the industry. No, I'm only kidding. But they're all very open. But then operations gets paranoia around operations. How much do I want to share? So they're very shareable in sharing culture. Open source has been very much a sharing culture.
We're now in an era where the sharing is the critical piece. How do people get involved and how do they move the needle?

Yeah, well, so within the Center for Threat-Informed Defense, one of the reasons we built ourselves and kind of designed the business model the way we did was we wanted to kind of identify the barriers to collaboration and kind of knock all of those down. So our kind of motto is, we kind of deal with that pain up front. We have a membership agreement. You join as a member. And that handles, how do you handle intellectual property? How do you deal with sharing sensitive information? And so if you join as a member, you're now under this common framework for doing collaborative R&D, so that instead of worrying about legalese and that sort of thing, we can focus on what's the next problem to solve and put our resources and effort there, right? And so we've tried to create this very scalable model so we can continually tackle the next hard problem, continually release that resource as a public good that all cybersecurity teams can leverage and build upon.

Yeah, and I would say it depends, right? Like if we're talking about, it depends on the resource. So going back to the skills gap, right? There's ways to solve this. We don't want to create redundancy. If we're talking about SMB, right, that doesn't have a SOC in place, they can get involved just simply by signing up to, like, SOC as a service or working with MSSPs, and they don't have to get involved in, you know, intense data sharing and trying to set up APIs and model that, because there's resources available. So that's part of SMB, one of the most vulnerable areas for ransomware right now. And they don't usually have that support, and they need to have that.

It's expensive. What's the cost structure around SMBs? Are there services out there?

Yes, yeah, there's a lot of services. Yeah, absolutely. SOC as a service, we have.
There's a lot of cloud service models, network detection and response, a lot of things available, so you don't have to go and make a huge capex about it, right? And hiring 10 headcount in your SOC, as an example. But then going to the large enterprise, mature SOCs that do have resource and headcount, they can get involved. We do this, right? We have a lot of one-to-one relationships and they're all different, right? Saying, and there's scoping calls saying, how would you like to share, what kind of information do you have? What's going to be actionable on your side? Identifying that and being flexible with it. Those are the conversations you have to have.

Jon, I got to ask you, over there in the threat detection department, what's the coolest thing you're working on right now from a technology or threat research standpoint? Because, you know, the stakes are high. And the adrenaline must get pumping big time when you're in these moments.

So I'm really lucky. I think that we've built this model that allows us to kind of continually tackle the next problem, right? So today we're running seven projects actively that eventually will result in some public resource, right? And so just that in itself is really fun and energizing for me. I think the project that I'm most excited about, it's a project that we've called CTI Blueprints, or Cyber Threat Intel Blueprints. What we're trying to do is work kind of upstream to help all of those organizations that create excellent threat intel products make those much more actionable and easier for consumers downstream to actually do something with. And so the project puts together some guidance, some templates, some tooling to help threat intel producers create those actionable resources. I really hope that that'll be the start of sort of a larger change towards making threat intel easier to operationalize across all security teams.

I mean, the trusted intelligence coming out is key. Put a plug in for the organization. What are you looking for?
Take a minute to put a plug in for what you're working on.

So yeah, we're a nonprofit. We work together with our members to advance threat-informed defense across the globe, right? And we're looking for a set of very sophisticated security teams to come work with us. I'm very much looking to increase our sector and geographic diversity. If people are, you know, if you kind of think about yourselves as a very sophisticated team that's interested in supporting, you know, public interest research, we'd love to talk with you. And then the thing is, we've also released 24 different projects at this point. Those are out and freely available. I very much want people to take them, use them. That's what makes our work impactful, is when people pick them up and use them.

Well, I would just put in my own personal opinion. I think communities, when they come together, have common intelligence, and with AI, I'm sure you'll power a lot of core data, blueprints, policies, workflows that can be leveraged in with industry. And I think this is going to be the beginning of what I would call the open sharing culture that's going to be like open source software, which we know a lot about. I like the word community.

I also want to highlight that there's a good track record here. There's hope, right? Because we look at ATT&CK. It's implemented worldwide and pervasive. It's pervasive, right? And this is something, it's a model that's shown to work, it's adopted. And everything we've been talking about is all building on top of that, right?

I think the idea, the public-private part and being open, is the future. We've seen it with software. We've seen it with security now. You guys are doing it. This is the right direction. It's the only way to go, because think about the collective intelligence of the community working together. Let's come together.
We're, as you know, stronger together. Working together, we can identify and solve the right and most pressing problems, do it better, and have a much greater impact.

And this is something that has been core to us with FortiGuard Labs as well. We've been doing public-private partnerships for well over a decade. And the good news is it's continuing to get stronger now, right? There's more stakeholders. There's more interest. There's more tools and technologies and frameworks to help with that.

And your FortiGuard report is legendary, and we appreciate your quarterly updates on theCUBE.

Yes, absolutely. Yes, and we'll keep them coming. We have a lot of that data.

Absolutely, let's get it out there. Thanks for coming on theCUBE, Derek. Jon, thanks for sharing all the metadata here on theCUBE for you to enjoy. There's more coverage tomorrow, I'd say. Threat detection, actionable, trust, community, these are the code words for better together. As theCUBE, better together here. We'll be right back after this short break.