Okay, we're back at Moscone West in San Francisco, the Cube, one of the Cube's favorite locations actually. This is in 2010 we started in Boston, but then VMworld was our big event. We were set up in Moscone South. We were here in Moscone West last year at VMware Explore. We had two sets. This is a great setup. We're really excited to be here on broadcast row all week RSA 2023. Wendi Whitmore is here. She's the Senior Vice President of Unit 42 at Palo Alto Networks. This came out with a big report, your threat intelligence report. I've been poring through it, getting all the data, wrote about it for the last couple of weeks. Thank you so much for making some time for us. Oh, you're so welcome. I'm happy to be here and happy to see RSA back what seems like in full force and bigger than ever. Yeah, 2020 was, this was the last event before COVID. Everybody was kind of weird, not really sure whether or not we should mask up and uh-oh, I have a cough or a sneeze. What does that mean? Who knew though, that we were going to be shut down for the better part of two years. So, I mean, this is back, right? Wouldn't you say? It seems like it's as many people as ever, if not more. I mean, you can't even, when you walk from north to south, there's booths in between and- See people everywhere. Well, there's 4,000 plus companies in this business. I mean, it's, wow. It's so wild. Yeah. You're giving a couple talks here at RSA. I am. What are you talking about? So, I've got two panels tomorrow. I'm excited for both of them and they're both very different. So, the first is a crew of leaders from organizations like mine at Palo Alto Networks, but also Red Canary and also Dragos. And then, Lily Hay Newman from Wired is going to be moderating the panel. And she's going to be asking us about really just what is life like as a responder?
So, we've got the head of incident response from Dragos who specializes in industrial control attacks, head of threat intelligence from Red Canary who sees attacks from all over the world. And then myself who really sees a bit of an intersection of both of those, right? As well as our MDR partners, right? The data that we're seeing from our threat hunters throughout the world. So, we're going to talk about what it's really like. Maybe demystify some of the most exciting topics. Maybe what's some of the more mundane things that we see as well. And then the second panel is really focused on public and private partnerships from the government lens. I'll be working, I'll be co-presenting, excuse me, with Kevin Mandia who's at, you know, Mandiant slash Google. Also the cyber security ambassador, Nathaniel Fick. And then the ambassador of cyber security from the Netherlands. So, really talking about how organizations like ours work together, what we can do to continue information sharing, make it even more effective moving forward. Well, that sounds like, I mean, both, they both sound fantastic. I mean, we've had Kevin on before. You guys both have really good observation spaces, you know, if you will. What's changed since we last talked at Ignite in December? We had you on and you were sharing with us kind of the state of play. What's new, what's changed? Well, you know, it's interesting because I remember when we met in December in Las Vegas and my presentation at that event was focused around the cyber security threat landscape and the things we weren't hearing in the news. And in particular, with this overlay or this perfect storm, if you will, of stories from ransomware, cyber criminal attacks, from Lapsus$ to the Russia-Ukraine war, what we were saying was, hey, in the background, we're still seeing a lot of nation-state activity and in particular that coming from China. And if we look at the headlines today, you know, what are we seeing?
A tremendous amount of potential diplomatic conflict at least brewing if not actually, you know, occurring between the US and China. And certainly the stance they have taken on what's going on between Russia and Ukraine. And I think you're going to continue then to see that emanate in the cyber threat landscape and the headlines on the cyber criminal side. We continue to see a lot of ransomware attacks. Some of them are less successful than they have been in the past, so that's good. And we can talk about why that is if you'd like. But I think also what you're seeing is these threat actors put even more pressure and exert more pressure on their victims. So if I'm going to attack you, your company, for example, I might also figure out, well, who's your spouse? What's their social media account? How can I reach them? And I'm going to personally reach out to them. So we're seeing a 20% increase, or excuse me, 20X increase on what we saw in terms of extortion and threats year over year. So a lot of interesting behavior going on. You mean reaching out to family members to try to get them to put pressure? So just added pressure from- Honey, why haven't you paid the ransomware attacker yet? Because now they're impacting my Instagram account. I mean, this is literally going on and we're not talking just spouses, family members across the board, children. You know, if you're a high profile CEO, or really a CEO of any company, there's probably going to be some information out there about you that I can then tie and do a minimal amount of research to figure out who your family is and go from there and look to exert pressure across the board. Why have ransomware attacks been somewhat less successful? I think it's directly related to a couple things. One relates to what we're seeing in terms of the Russia-Ukraine war and organizations sharing information more rapidly. So you've got a lot better threat intelligence.
So how that translates into a ransomware attack is we have decryptors faster. These attackers have to move more quickly to have the next iteration or variant of the software that they're using before law enforcement, for example, or public companies get access to it and share that pretty rapidly. You're also then seeing organizations who are simply more prepared. They've got their battle and response plans in place. They have backups, they know how to get them. They've exercised and tested their plans so that when these situations occur, they can react very quickly. They're also detecting the activity earlier in the attack, in the lifespan of the attack, which is always better for everyone. Are you seeing backup and recovery, so-called data protection, become a more fundamental part of a cybersecurity strategy? We're almost like the last line of defense. Absolutely, I think it's kind of more now seen as like a first line of defense, right? In terms of preparation and organizations are allocating budget to do that. So before that was seen more as like a disaster recovery type of last case-needed type of situation. Now that's just a fundamental integrated part of many business practices, which is good news. Somebody told me the other day that the, I wonder if you can confirm this, that the sort of, the playbook has changed somewhat. It used to be that the attackers would encrypt your data, of course they go after the backup corpus and if they get it back you had to pay a ransom. My understanding is now that's somewhat shifted to, it's not even about getting your data back, it's about them not releasing it to the public and maybe it's one of those both situations. Has there been a change there? Is that a misperception or? Absolutely, so a year ago at this time attackers were doing what we would call a quadruple extortion.
So looking to, for a ransomware attack, looking to essentially get payment for encrypting the data and returning it unencrypted, for when they steal it, not extorting it, for DDoS attacks, and then for giving that same data to your most sensitive clients. What we've seen now is that they've, by and large, stopped doing that first part, which is the encryption piece. So there are certainly still organizations who are victims of mass encryption, but attackers are seeing that that takes a lot of time and effort. I mentioned that we're able to get decryptors faster so that's starting to encroach on their business market and the effectiveness of that. So they have less ROI on the encryption part. It also takes a lot of time, a lot of energy for them to decrypt it, to make sure it works. So they have customer service elements of, did this, oh, did you have this partition on this hard drive fail? Shoot, let's give you another key for it, right? There's a lot of activity there in interaction that if they simply steal the information and then extort you on the back end, much simpler business model. Okay, so it makes it harder for customers. So you can protect yourself with air gaps and immutability and that still might not obviously solve the problem. So you have to figure out that layered approach as well. So you've got to have it both covered. It would be a recommendation, I presume, right? I mean, 100%. Why don't more companies do those types of things like air gapping, like immutability? Is it just because that's a pain as well or it's just an added expense or they don't know how? You know, I think everything is, to be looked at from a business perspective and a risk calculus based on that, right? So there are many organizations who do that, but does that mean that, you know, you're not going to hear a story in the news of an organization who didn't do that and was impacted that way, right?
So I think by and large organizations are really taking security seriously and we're seeing a lot of them really close the gap, but unfortunately the cost analysis is still more heavily weighted in the attacker's favor than it is in the defense's favor. Now, I don't know if you know this, Wendi, but AI was invented in late 2022. We're in chapter two, right? It was 150 days ago, AI was invented, but so my question is how much AI activity generally but specifically foundation models like GPT, have you seen in signatures of attackers? Are you seeing obvious evidence of that yet? So we're not seeing it consistently across the board yet. That doesn't mean it's not happening though, right? And I imagine as we continue to move forward, you know, this few months past AI being invented, right? For that lens that we're going to then start to see more and more patterns that are very indicative of it. I think the impact that it's had, just this discussion, right? On like the fact that like we know what generative AI is and what are large language models, that's really then crept into the defender's mindset as well in the landscape of technologies we're building moving forward to accelerate some of these manual tasks that we're delivering today to really be able to make a positive impact on response and getting detection measures in place faster. I want to ask you about the public-private partnership. And I know there's sort of a narrative, there's certainly a lot of what I call finger wagging going on from the government, the companies have got to do better. It's like, okay, you know, we know, we got to do better. But it seems like, you know, the government in some sectors wants to break up big tech, they block mergers, they're very sort of unfriendly to big tech, there's a real negative narrative, particularly around social media companies, but also other companies. What is the state of the public-private partnership?
And you know, my sense is it's not horrible, but it's not great, it could be improved. Do you agree and what could we do to improve that? So I am an optimist by nature, but I would say absent that, I would still give you the same answer that I think that we are in a better spot than we've ever been as it relates to cybersecurity and the information sharing going on between the government and private and public organizations. A few concepts I think that are fundamental there. You know, one, cybersecurity as a field and as an industry in practice has now been around long enough that you have people in the government who have had hands-on experiences, practitioners in the government, but also largely who have been leaders in the private sector and have gone back and then worked in the government as well. So they have a really strong understanding that there's not one organization anywhere in the world that has all of the data, right? It really is a combination of great organizations in the public sector, within the government, within the military, and within the private sector. And the ability to infuse all of those elements with data that's enriched is really critical for us being able to compete with attackers. And I think the war in Russia, Ukraine, has really accelerated that in terms of the information sharing component. It's never been better than it is before, not only between public and private entities, but also between organizations like ours who might have traditionally competed with other organizations in our space. We're sharing data much more rapidly than ever before. So I'm pretty optimistic about what we're looking at moving forward. How about sharing data with allies? I heard maybe it was on Meet the Press, I think. Netanyahu was on, he was doing the tour. And he basically made a similar point. He said, look, because of course, you know, journalists want to poke them.
But he basically said the same thing, that the relationship between Israel and the United States has never been better. And he specifically mentioned sharing on cyber data. So that's, you know, Israel, UK, you know, other European nations, et cetera. How are you seeing the data sharing and the collaboration with the United States and its allies? You know, I've had multiple meetings today with heads of foreign governments, right? Related to cyber information sharing. I doubt that five years ago even that volume of meetings would have occurred with an organization like Palo Alto Networks, right? So across the board, we're seeing our government really broaden their information sharing capabilities and continue to work with allies throughout the world. But we're then seeing those allies understand the importance of working with organizations that aren't also government or military and making sure that they're infusing those technology capabilities in their landscape. How's that come about? Why do they want to meet with you? What's the, you know, the outreach like, hey, we just want to sort of start a dialogue or is it we want specific information or? You know, okay, so that's a great question because the dialogue has, the relationships and the dialogue have already existed for quite some time. And so these are really just natural, organic extensions of the conversations we're already having. We have teams of people, for example, throughout the world in allied countries, not only from Unit 42, but from larger Palo Alto Networks. And so we make sure that we've got those touchpoints existing consistently, that they're aware of what developments we have ongoing with technology, that they're aware for Unit 42, for example, that we're expanding. We had a press release this week that we've expanded into EMEA where we've been now for over a year, but what's new is the JAPAC region. So, you know, we now will have capabilities throughout Asia Pacific.
So we're really excited about having people on the ground there. Those relationships are really what kind of drives that, the ongoing discussion about, hey, what can we do to help and what can they do to help in reverse? So it was more, hey, we're going to be at RSA, let's get together kind of thing, and then- Certainly, but then to talk some specifics, yeah, about information sharing and what other type of work we can do together. The Unit 42 threat intelligence report came out and there's great data in there. I have to say, I looked at it and said, it's like we're making the same mistakes over and over and over. That one chart that showed 80% of the alerts come from 5% of the rules. And obviously, organizations have trouble prioritizing, but it does seem, when I look at the data and I look at what practitioners are dealing with, it seems like a lot of the same things for years. And so, the more things change, the more things stay the same. It's obviously more complicated. Is that an unfair observation? If not, why is that? And how do we move beyond that? Yeah, I don't think it's an unfair observation, right? There is a deluge of data that is occurring that responders need to look through and prioritize and figure out how do I manage my day so that I can effectively protect my organization. I think on the positive side, there are much better technologies in place that are incredibly more effective. So, organizations have the ability to leverage that. We have the ability to view single panes of glass now versus an analyst that is having to do a tremendous amount of manual work of this screen that I'm going to switch to this other. And then this, and I'm going to manually pull this information together. So, from the AI side, I think we're going to see a lot more infusion of that data, a lot more ability for analysts to move faster. So, in terms of being able to respond faster to detect these incidents sooner, those are some real positives.
Yeah, one of the things in the threat report, I got, I have it right here, the bar chart that says the time it takes in days for organizations to resolve security alerts. And 60% of the organizations were four days or more. Now, the stat used to be it was 365 days to find, you know, an infant. So, that's getting better, but it's still, you know, not good enough. And so, basically you're envisioning a world where, you know, it's kind of real-time remediation, I guess my question is, will the machines, how far away are we where the machines will actually take action for the practitioners such that, you know, the practitioners actually trust the machines to do that? You know what I mean? Because automation sometimes, it's like unintended consequences. So, where are we in that spectrum? So, a great question. So, that report is specific to the cloud, right? And so, what we see there are organizations who are challenged with having multi-cloud environments. They might have, you know, one vendor, one set of data for one part of their business in, you know, Microsoft and one in Amazon, for example. And those are not then coming back to the singular pane of glass that I mentioned. And then you have this hybrid environment where you've got on-premise devices and cloud. And so, all of that adds some complexity and that's relating to what we're seeing, which are some slower response times. But to your point, those are fantastically better than what we have seen before, right? None of them though are at the speed of the attack, which, like you mentioned, needs to be a bit more automated in terms of the response pattern. So, that aggregation of the different data sets, being able to pull them in and infuse them together so that then you reserve human brain power for the pattern recognition, the very detailed analysis of is this actually bad or is it not, but you narrow that window down to such a small degree.
So, to get to the automated remediation component, we have a lot of clients who are asking about it. Like you said, there are certain pieces of that spectrum which we will deliver, but there are some that you typically still want to make sure you've got human intervention on. I think we're probably still in the years timeframe before we see just widespread machine decision-making at that scale. Is the state of the art today to take all that disparate, distributed data, I guess it's disparate, but distributed data, put it into a data lake and then be able to analyze it? Is that the, is that state of the art? Because it takes time, right? You got to bring it in, you have to clean it, you have to make sure it's of high quality, you got to ETL it, the whole data pipeline thing. But is that state of the art today? You know, I think it depends on the technology that an organization has. So certainly if they're one who has a huge backend, then that may be their process. What most, though, I think are doing is also analyzing it at the source of the data first. And so they're not having to pull in an entire huge mass of everything and then weed that out, but pulling in information that's most critical and then analyzing and working through that as quickly as possible. That's like you. Okay, so kind of real time, leave the data where it is and real time inferencing of the data in place, okay. So that you're reducing the amount of data that has to be analyzed and charged multiple times. Right, exactly. All right, well good luck with your talks tomorrow. Thank you. I'm so excited for you and thank you so much for spending some time with us, Wendi. It's great to see you again. You're welcome, always great to talk with you, Dave. Cheers. All right, and keep it right there. I'm Furrier, we're back with theCUBE, Dave Vellante. We'll be right back from RSA 2023 at Moscone.