From the CUBE Studios in Palo Alto and Boston, connecting with thought leaders all around the world, this is a CUBE Conversation.
Hi, I'm Stu Miniman, and welcome to another CUBE Conversation. I'm here in our Boston area studio. And of course, the intersection of networking and security has always been a hot topic. Even more, if you look at it in 2020, everybody working from home, there's stresses and strains and a lot more change than usual for what corporate IT has to deal with. Happy to welcome to the program Tom Bienkowski. He is the director of product marketing with NetScout. We're gonna get into some of those topics more. Tom, thanks so much for joining us.
You're welcome, Stu, glad to be here.
All right, so you came to NetScout by way of the Arbor Networks acquisition a few years ago. Why don't you give our audience just a little bit about your background, what your team works on, and we're gonna be talking about the edge defense solution set.
Sure, yes, I've been with Arbor Networks for over 10 years. I've been the director of product marketing for the DDoS line of products during that time. And when we came over to NetScout, I still kind of continued that role. So I'm basically responsible for anything that's to do with the Arbor DDoS solutions. We have solutions for the service providers of the world and the enterprises of the world.
Yeah, maybe Stu would help if you just refresh our audience. So generally out in the marketplace, DDoS, it's attacks on the internet. If I was a big provider of technology, it's like, hey, why can't I get to that website? Oh, they had a DDoS attack that hit them. But when it comes to the enterprise, you talked about service providers also, when is this hitting them? Who are the ones causing this kind of thing? Just kind of give our audience a little bit of a level set, if you would, in 2020.
Oh yeah, I mean, DDoS attacks have been around for over 20 years. This isn't anything new, as you know.
But the reality is that these attacks have been getting bigger, they're getting more frequent, they're getting more complex. And like I said before, I've been here for over 10 years and I feel like I say that every single year. But it is absolutely true. And the service providers of the world bear the brunt of this problem. They're the ones taking on these large attacks. They're the ones trying to stop it, not only to protect their own infrastructure, but also potentially the target, which could or could not be one of their customers. There's a lot of collateral damage associated with a DDoS attack, especially from a service provider's perspective, because it impacts everything running on their backbone or in their whatever facility that this attack is flowing through. And then obviously you have potentially the target of these attacks, which could be any enterprise, any large government, whatever. It's very indiscriminate. Anyone could be a potential target and they are.
All right, and for the enterprises themselves, how are they making sure that they are protecting their perimeter? Where does NetScout fit into helping protect them against the sort of malicious attack?
Yeah, so when it comes to protecting their perimeter in particular, let's talk about where we are today in this whole COVID-19 pandemic. As we all know, this caused massive work/learn-from-home scenarios never seen before. And the, quote, "new perimeter" is everyone who was once inside the organization now home coming back in, right? And the internet, inbound internet circuit, the firewall, the VPN gateway, the load balancers are all now coming from an opposite direction that maybe they were utilized in the past is really the new perimeter. And it has become very crucial to maintain business continuity, especially in this time. But as we'll talk about, it also has become very vulnerable to DDoS attacks in particular.
And one of the areas that we'll talk about is how one particular piece of that infrastructure, the VPN gateway, has actually become not only one of the most critical pieces in that chain of communication, but also one of the most vulnerable pieces too, simply because it was never anticipated that this many users would utilize that VPN gateway. And it was never designed for that. And therefore it's running at high or near capacity or at capacity and it could be toppled over pretty easily with fairly small DDoS attacks. We'll get into that a little bit later.
Yeah, absolutely, Tom. So I've had so many conversations over the last few months about the ripple effects of what work from home or, if we think about however things play out in the next few months, it really will be almost work from anywhere is what will happen. And while everyone is working at home, that doesn't mean that some of those bad actors out there have gone away. In fact, every company I talked to that's involved with security has seen, we need to raise our capabilities and often are getting more attacks out there. What have you been seeing out there in the marketplace? How have things been so far in 2020 when it comes to your space?
Yeah, no, same thing. So I'm gonna put up a chart here and this is a chart which shows DDoS attacks during the first six months of 2020. And this data comes from what we call our Cyber Threat Horizon. This is a free online portal that anyone could access and see this information if they wish, but it's fueled by the deployment of our products all over the world. So our DDoS protection products are utilized by a majority of the world's internet service providers. And from that deployment, they send this information about DDoS attack activity like the size of the attack, who's being attacked, where is it coming from, the protocols or vectors being used, et cetera. So we gather this information on a daily basis, presented in this portal.
So what this represents is the first six months of 2020. And as you can see, there's been over 4.8 million attacks thus far in 2020. That's about 15% higher than last year at the same exact time period. But if you look at the chart a little bit closer, we snapped the line at February, sort of the start of the global pandemic and the lockdown periods, if you will. And what you can see every March, April, May is an uptick in the number of DDoS attacks, almost up to 36% in May. So all this is happening during the time of this lockdown. All this is happening where organizations are struggling to maintain a new normal, if you will, or business continuity, right? So what you said before, that organizations are still struggling with cyber attacks, in fact, probably more, is exactly what's happened too in the DDoS realm. And then finally, if you look at June, you see this little drop off there. And you hear everyone talking about the new normal, the new normal is not the new normal, possibly. It's still too soon to tell, I think. We'll wait for another couple of months here. But the bottom line is that during the midst of all this, as organizations are trying to maintain some level of business continuity, they're also being faced with cyber threats like DDoS attacks too, like they've never seen before. So amazing challenge that folks have faced out there.
Yeah, Tom, there's a few spaces in the marketplace that were already very important, really top of mind from the business. I think about automation and security being two of the ones that come up the most often. And when I talked to the participants in the space, they're like, I thought I was busy in 2019 and had a lot planned for 2020. And oh my gosh, I had no idea what 2020 was really going to bring. So that data that you showed, you're talking about millions of attacks and that increase there, putting a focus on it even more here. So a lot of work for people to be done. So bring us inside it a little bit.
How are you helping customers? What advice do you have for them? How do we make sure that we can curb the impact of these attacks, which is said in the millions?
Sure, so let's go back to that inbound infrastructure now. Everyone working from home coming into the inbound router, hitting a firewall, and more likely hitting a VPN gateway of some sort. That's what's allowing them to get access into these internal resources. That VPN gateway, as I mentioned before, has been crucial during this time, but it also has been very susceptible to DDoS attacks. That VPN gateway, as well as that firewall, these are what are referred to as stateful devices. They have to track TCP state in order to work properly. Well, there are three types of DDoS attacks, if you will, to make things simple. One is the volumetric attack, which people normally think of as what a DDoS attack is. It is designed to saturate that inbound circuit, that internet-facing router interface, right? And then there are application layer attacks. These are very small, stealthy attacks. They're going after specific application servers that try to bleed off resources there. And then there's an attack called state exhaustion attacks. These are specifically designed to go after stateful devices, like firewalls or, in today's world, the VPN gateway. And it doesn't take much. It takes a small 100 megabit per second attack, lasting for, you know, five, 10 minutes to potentially fill the state tables in some of these VPN gateways, especially in light of the fact that they weren't prepared or designed to take on all the legitimate users, right, that are coming in as a result of the pandemic. So the key to stopping these sorts of attacks, these stateful attacks, and protecting that VPN gateway, is to put something on premise that is stateless, meaning it has the ability to inspect packets using stateless packet processing technology.
And we have such products. Our product, which we call the Arbor Edge Defense, is designed to stop all types of attacks, but in this particular environment, it excels at stopping state exhaustion attacks. And you deploy it just inside the internet router and in front of the VPN gateway or that firewall. And there it could pick off short-lived state exhaustion attacks and protect the availability of the VPN gateway and the firewall. Now, if you're relying upon, which many organizations do, relying upon a cloud-based DDoS protection service, which we have too, we have something called Arbor Cloud, it may not be able to stop those attacks in time. So you're running a little risk by relying on more traditional cloud-based DDoS protection services. That's why you need this product, Arbor Edge Defense, on premise, because it will react instantaneously and protect that VPN gateway from going down and maintain that business continuity for you.
Yeah, Tom, when I think about that footprint that you have in a customer's environment, in addition to the DDoS services, it would seem like that's a prime opportunity that there's other services and applications that could be run there. Is that the case with your solution too?
Well, if I understand what you mean by the services, well, we have the ability to have our current conductor fully managed service. Is that where you're going with that, Stu?
Yeah, I think that, yeah, that's, wanna, right, understand how that service works, yes.
So the Arbor Edge Defense is a system that once you have it configured, you design it for protecting sort of the interior services like protecting the VPN gateway, firewalls, any other application you have running internal.
In the event of a large attack, as we've been talking, that will fill that internet pipe, it has a feature called Cloud Signaling where it will intelligently call for help upstream to either an Arbor Cloud service, this is a fully managed DDoS protection service, we have global scrubbing centers, and/or call your ISP, who you may be getting your DDoS protection service from already. So it has the ability to link the on-premise with the cloud-based protection. And this hybrid approach to protection is absolutely the industry best practice. This is how you protect yourself from the multiple vector DDoS attacks, as we mentioned previously. Now, if you're an organization that maybe doesn't have enough experience, doesn't wanna deal with the on-prem Arbor Edge Defense, we have you covered there too. We have the ability to manage that scenario or that device for you. We have the ability to manage not only the Arbor Edge Defense, but also the integration of the Arbor Cloud. So that whole hybrid scenario that we're talking about can be fully managed by our folks who do this every single day, 24/7.
Yeah, any breakdown as to your customers, as to when they choose that fully managed solution versus on-prem? Recommendation we've had for a long time is you wanna have your IT focused on things that have differentiation in your environment and it seems like a natural thing that your team has the expertise. So what is that decision point as to whether they do it themselves or go with a managed solution?
I think it really has to do with the culture and the experience of the company. Really what we're seeing is some of the smaller organizations that have smaller teams that wear multiple hats, they just cannot stay abreast of the latest threats, and DDoS, as I mentioned before, these things are getting more and more complex.
So I think they're coming to the conclusion that, all right, this is something that I can't do by myself anyway. For the large attacks, I need a cloud-based service provider of some sort. I need someone to help me there anyway. So why don't they just handle the whole thing? Why don't they just handle the on-premise component and the cloud-based component of this and make sure that it's running as efficiently as possible? But even when that's said, it's not just the small orgs, we're seeing larger orgs do it too, just to push things off their plates. Let's leave DDoS to the experts again because I can't do it by myself anyway.
All right. Tom, I saw a video, I think it was you that did, actually talking about how Arbor Edge Defense is the first and last defense when it comes to DDoS. Explain that a little bit to our audience.
Yeah, so our tagline for the product is first and last line of defense. The first line is what we've been talking about all along here, is the ability to stop the inbound DDoS attacks. Now, it also acts as a last line of defense too. So as we were alluding to before, all you hear during this time of the pandemic is watch out for COVID-19 related ransomware and things like that, right? Because the Arbor Edge Defense sits just inside the router and outside that firewall, it is literally the last component in that cybersecurity chain before the, let's look from the outbound perspective, packets leaving the enterprise and going out to the internet. It is the last piece of product in that security chain, right? Before it leaves the internet. The Arbor Edge Defense has the ability to consume threat intelligence, not only from our own Atlas system, which we spoke about earlier, but third parties too. Via STIX and TAXII, it has the ability to consume threat intelligence.
And there, sitting on that last piece of, you know, the security pipe, if you will, or chain, it has the ability to intercept indicators of compromise that have come from internal compromised devices that have made it through the entire security chain, go reach outside the firewall. Now it's one last line of defense, if you will, that has the ability to recognize and stop that internal indicator of compromise. And this is going to help stop the proliferation of malware and ultimately avoid that data breach that everyone is fearful of. So it has a dual role. It could protect you from inbound DDoS attacks and it also can act as a last line of defense, stopping the proliferation of this malware we're talking about.
Great, Tom, that actually refers, I was curious about what other things your device did and there's the intelligence baked into there to have kind of a multi-purpose when you're in that environment. All right, Tom, I want to give you the last word here. Companies today, they often need to react very fast to be able to deal with the changing dynamics of their business, spinning up resources, everybody working from home and the like. So what final advice do you have for them and give us the final word?
Yeah, during these unprecedented times, we all unfortunately still have to remain very vigilant when it comes to protecting our organization from cyber attacks. One of the areas that seems to get overlooked is DDoS protection, right? Everyone is focused on malware and things like that, but don't overlook DDoS attacks. These things are happening on a daily basis, as I showed you, over almost five million so far this year. It is an absolute part of maintaining the availability of your organization, it's part of the security triad as we know, and it's really there to disrupt your business continuity if you are getting hit. So don't overlook your and don't underestimate your DDoS protection.
All right, well, Tom Bienkowski, thank you so much for the updates and appreciate everything you shared.
You're welcome.
All right, be sure to check out thecube.net for lots more coverage from theCUBE. I'm Stu Miniman, thanks for watching.