From Orlando, Florida, it's theCUBE. Covering Accelerate 19, brought to you by Fortinet.

Hey, welcome back to theCUBE. We are live at Fortinet Accelerate 19 in Orlando, Florida. I'm Lisa Martin with Peter Burris and Peter and I are pleased to welcome one of our alumni back to the program, Derek Manky, the Chief of Security Insights for Fortinet. Derek, it's great to have you back on the program.

It's always a pleasure to be here. It's always good conversations, I really look forward to it and it's never a boring day in my office, so I'm more than happy to talk about this.

Fantastic, excellent. Well, we've been here for a few hours talking with a lot of your leaders, partners as well. The keynote this morning was energetic, talked a lot about, Ken talked a lot about the evolution of not just security and threat, but obviously of infrastructure, multi-cloud hybrid environment in which we live. You have been with FortiGuard Labs for a long time. Talk to us about the evolution that you've seen of the threat landscape and where we are today.

Sure, yeah, so I've been 15 years now at FortiGuard, so if I flash back even to 2004, it was a vastly different landscape back then. Even in terms of our security technology, in terms of what the attack surface was like back then, Ken today was talking about edge computing, right? Because that's what 70% of data is not going to be making it to the cloud in the future, a lot of processing is happening on the edge and threats are migrating that way as well, right? There's always this mirror image that we see with the threat landscape. Again, threat landscape, back in 1989, we started with the Morris worm. It was very simple instructions. It took down about 80% of the internet at the time, but it was, it was very simple. It wasn't too, quote unquote, intelligent, right?
Of course, if we look through the 2000s, we had a lot of these big worms that hit the scene, like Conficker, ILOVEYOU, Anna Kournikova, Blaster, Slammer, all these famous worms that started to become peer to peer, right? So they were able to actually spread from network to network throughout organizations, take down critical services and so forth. That was a big evolutionary piece at the time. Of course, we saw fake antivirus, ransomware come on stage. Blastware, as I called it, which was destructive malware. That was a big shift that we saw, right? So actually physically wiping out data on systems. These are typically in like cyber warfare based attacks. And that takes us up to today, right? And what we're seeing today, of course, we're still seeing a lot of ransom attacks, but we're starting to see a big shift in technology because of this edge computing use case. So we're seeing now things like swarm networks I've talked about before. So these are not only, like we saw in the 2000s, threats that could shift very quickly from network to network, talk to each other, right? In terms of worms and so forth. We're also seeing now intelligence baked in. And that's a key difference in technology because these threats are actually able, just like machine to machine communication happens through APIs, protocols and so forth. Threats are able to do this as well. So they're able to understand their own local environment and how to adapt to that local environment and capitalize on that effort. And that's a very, very big shift in terms of technology that we're seeing now in the threat landscape.

So a lot of those old threats were dependent upon the action of a human being. So in many respects, the creativity was a combination of can you spoof somebody, make it interesting so that they'll do something. And there was always creativity in the actual threat itself. What you're describing today is a world where it's almost like automated risk.
Where just as we're trying to do automation to dramatically increase the speed of things, reduce the amount of manual intervention, the bad guys are doing the same thing with these swarms. They're introducing technology that is almost an automated attack and reconfigures itself based on whatever environment conditions it encounters.

Yeah, and the interesting thing is, what's happening here is we are seeing a reduction in what I call a TTB, a time to breach. So if you look at the attack lifecycle, everything just doesn't happen in the blink of an instant. It's moving towards that, right? But if you look at the-

Oh good.

This is what's to come. We're seeing a lot of indications of this already. So we work very closely with MITRE, the MITRE ATT&CK framework. It describes different steps for the attack lifecycle, right? You start with reconnaissance, weaponization, how do you penetrate a system, move in the system, collect data, monetize that as a cyber criminal. So even things like reconnaissance and weaponization, so if you look at phishing campaigns, right? People trying to phish people using social engineering, understanding data points about them, that's becoming automated. That used to have to be a human trying to understand their target, trying to phish them so they could get access to their network. There's toolkits now that will actually do that on their own by learning about data points. So it's scary, yes, but we are seeing indications of that. And look, the end game to this is that the attacks are happening much, much quicker. So you got to be on your game. You have to be that much quicker from the defensive point of view, of course. Because otherwise, if a successful breach happens, we're talking about some of these attacks, they could be successful in a matter of seconds or minutes instead of days or hours like before. We're talking about potentially millions of dollars of revenue loss. Services are being taken offline.
Intellectual property's being breached and so forth.

Oh, and this is, you know, I think of healthcare alone and literally life and death situations.

Absolutely, yeah.

How is Fortinet, with your ecosystem of partners, poised to help customers mitigate some of these impending risks and changing risks?

Yeah, coverage, strength in numbers, right? So we have a strong ecosystem, of course, through our Fabric Ready program. So that's a technology piece, right? End to end security, how we can integrate, how we can use automation to, you know, push security policies instead of having an administrator having to do that. Humans are slow a lot of the time, so you need machine to machine speed. So our Fabric Ready program, you know, we have over 57 partners there. It's a very strong ecosystem. From my side of the house on threat intelligence, I head up our global threat alliances, right? So we are working with other security experts around the world. Cyber Threat Alliance is a good example. We've created intelligence sharing platforms so that we can share what we call indicators of compromise. So basically blueprints or fingerprints we can call them of attacks as they're happening in real time. We can share that worldwide on a platform so that we can actually get heads up from other security vendors of something that we might not see and we can integrate that into our security fabric in terms of adding new, you know, intelligence definitions, security packages and so forth. And that's a very powerful thing. Beyond that, I've also created other alliances with law enforcement, so we're working with Interpol. That's attribution-based work, right? That's going after the source of the problem. Our end game is to make it more expensive for cyber criminals to operate. And so we're doing that through working with Interpol and law enforcement as an example. We're also working with national computer emergency response, so ripping malicious infrastructure offline.
That's all about partnership, right? So that's what I mean, strength in numbers, a collaboration, it's a very powerful thing. Something close to my heart that I've been building up over 10 years and, you know, we're seeing a lot of success and impact from it, I think.

Some of the, if you go back and look at some of the old threats that were, you know, very invasive, very problematic, moved relatively fast, but they were still somewhat slow. Now we're talking about a new class of threat that happens like that. It suggests that the arrangement of assets that a company like Fortinet requires to respond and provide value to customers has to change. So talk a little bit about how, not just the investment product, but also the investment in FortiGuard Labs is evolving. You talked about partnerships, for example, to ensure that you have the right set of resources able to be engaged in the right time and applied to the right place with the right automation. Talk a little bit about that.

Sure, sure. So because of the criticality of this nature, we have to be on point every day. As you said, you mentioned healthcare, operational technology is a big thing. As well, you know, Phil was talking about CyPhy as well, right, the cyber physical convergence. So we have to be on our game and on point and how do we do that? A couple of things. One, we need people still. We can't, you know, Ken was talking about his speech in Davos at the World Economic Forum of three to four million people shortage in cybersecurity of professionals. There's never going to be enough people. So what we've done strategically is actually repositioned our experts at FortiGuard Labs. We have over 235 people in FortiGuard Labs. As a network security vendor, it's the largest security operation center in the world. But 235 people alone aren't going to be able to battle 100 billion threat events that we process a day at FortiGuard Labs.
So what we've done, of course, is take up over the last five years machine learning, artificial intelligence. We have real practical applications of AI and machine learning. We use a supervised learning set. So we actually have our machines learning about threats and we have our human experts instead of tackling the threats one-on-one themselves on the front lines, they let the machine learning models do that and they're training the machine learning. Just, it's like a parent and child relationship. It takes time to learn. As machines learn over time, they start to become more and more accurate. The only way they become more accurate is by our human experts literally being embedded with these machines and training them.

Yeah, part of participating in training, but also there's this augmentation side, right?

Yeah.

We're increasing the machines are providing or recognizing something and then providing a range of options so that the security professional in particular doesn't have to go through the process of discovery and forensics to figure out everything.

Absolutely.

The machine's presenting that, but also presenting potential remediation options. Are you starting to see that become a regular feature?

Absolutely.

Especially in concert with your 235 experts.

Yeah, absolutely. And that's a necessity. So in my world that's what I refer to as actionable intelligence, right? There's a lot of data out there. There's a lot of intelligence. The world's becoming data-centric right now, but sometimes we can have too much data as humans, as analysts, as administrators. So absolutely, remediation suggestions and actually enforcement of that is the next step as well. We've already added some features in FortiOS 6.2 and in our fabric to be able to deal with this. So I think we're innovating and pioneering in the space, sir. It's a matter of trust, right? If you have the machines or security technology that's making decisions on its own, you really have to trust that.
And trust doesn't happen overnight. That's why for us, we have been investing in this for over six years now for our machine learning models. They've become very accurate. It's been a good success story for us, I think. The other thing, going back to your original question, how do we stack up against this? Of course, that whole edge computing use case, right? So we're starting to take that machine learning from the cloud environment also into local environments, right? Because a lot of that data is unique. It's local in environments. It stays there. It stays there and it has to be processed as such too. So that's another shift in technology as we move towards edge computing, machine learning and artificial intelligence is absolutely part of that story too.

You mentioned strength in numbers and we were talking about the opportunity for Fortinet to help customers really be successful here. I wanted to go back to FortiGuard Labs for a second because it's a very large number. 100 billion security events, FortiGuard Labs ingests and analyzes daily.

Daily, yes.

Talk about that as a differentiator.

Okay, yeah, that's a huge, huge differentiator, right? So again, if I look back to when I started in 2004, that number would have been about 500,000 events a day compared to 100 billion today. In fact, even just a year ago, we were sitting about 75 to 80 billion. So that number has increased almost 20 billion in, let's say 20%, right, in just a year. So that's going to continue to happen. But it's an absolutely huge number and it's a huge number because we have very big visibility, right? We have over 400,000 customers worldwide. We have built a core intelligence network for almost 20 years now since Fortinet was founded. We work together with customers. So if customers wish to share data about attacks that are happening because attackers are always coming knocking on doors, we can digest that, we can learn about the attacks.
We know what weapons that these cybercriminals are trying to use, where the cybercriminals are. We learn more about the cybercriminals. So we're doing a lot of big data processing. I have a data science team that's doing this, in fact. And what we do is process this data, we understand the threat, and then we take a multi-prong approach. So we're consuming that data from automation. We're pushing that out first and foremost to our customers. That's that automated use case of pushing protection from new threats that we're learning about. We're contextualizing the threat. So we're creating playbooks. So a playbook is much like football, right? You have to know your offense, right? And you have to know how to best understand their tactics. And so we're doing that, right? We're mapping these playbooks, understanding tactics, understanding where these guys are, how they operate. We take that to law enforcement, as I was saying earlier, as an example. We take that to the Cyber Threat Alliance, to our other partners. And the more that we learn about this attack surface, the more that we can do in terms of protection as well. But it's a huge number. We've had to scale in our data center massively to be able to support this over the years, but we are poised for scalability for the future to be able to consume this on our end too. So it's why I said, you know, at the start, it's never a boring day in my office. How can it be?

But it sounds like really the potential there to enable customers in any industry to convert, well, let's use for transform, since we talk about digital transformation, transform from being reactive to being proactive to eventually predictive.

Yep, and cost effective too, right? This is another thing with that cybersecurity skills gap. You know, the solution shouldn't be for any given customer to try to have 230 people in their security center, right?
This is that working relationship where we can do a lot of that proactive automation for them, you know, via the fabric, via all the stuff that we're doing through our investment in efforts on the backend. I think it's really important too. And yeah, at the end of the day, the other thing that we're doing with that data is generating human readable reports. So we're actually helping our customers at a high level understand the threat, right? So that they can actually create policies on their end to be able to respond to this, right? Harden their own security, deal with things like insider threats for their networks. These are all suggestions that we give them based off of our experience. You know, we issue our quarterly threat landscape report as an example.

Come in theCUBE, some of your people come in theCUBE and talk about it.

Yeah, absolutely. So that's one product of that 100 billion events that we're processing every day. But like I said, it's a multi-prong approach. We're doing a lot with that data, which is a great story, I think.

It is, I wish we had more time, Derek. Thank you so much for coming by and never a dull moment, never a dull interview when you're here. We appreciate your time. I can't wait to see what that 100 billion number is next year at Fortinet 2020.

It will be more, I can guarantee you that.

I think, I sound like it. Derek, thank you so much for joining Peter and me. We appreciate it. For Peter Burris, I'm Lisa Martin. You're watching theCUBE.