Live from San Francisco, it's theCUBE, covering RSA Conference 2020 San Francisco, brought to you by SiliconANGLE Media.

Hey, welcome back everybody. Jeff Frick here with theCUBE. We're at the RSA 2020 show here in Moscone in San Francisco. It's Thursday, we've been going wall to wall. We're really excited for our next guest. We've been talking about some kind of interesting topics, getting a little bit into the weeds, not on the technology, but some of the philosophical things that are happening in this industry that you should be thinking about. And we're excited to welcome Lawrence Pitt. He is the cybersecurity strategist at Juniper Networks. Lawrence, great to meet you.

Thank you very much. Hi.

Yeah, so before we turn the cameras off, we've been talking about all kinds of fun things. So let's just jump into it. One of the topics that gets a lot of news is deep fakes, and there's a lot of cute, funny things out there of people's voices and things that they're saying not necessarily being what you expect them to be, but there's a real threat here and a real kind of scary situation that's just barely beginning to scratch the surface. I wonder if you could share some of your thoughts on deep fakes.

I mean, I think you made a good point at the start. There's a lot of cute and funny stuff out there. There's a lot of fake political stuff you see. So it's seen as being humorous and people are sharing it a lot. But there is a darker side that's going to happen to deep fakes, because a lot of the things that you see today that go out on video, the reason that it is what it is, is because you're very familiar with the person that you're seeing in that video. It's a famous politician, it's a movie star, and they're saying something that's out of character or funny, and that's it.
But what if that was actually the chief financial officer of a major company, where the company appears to have launched a video very close to the bell ringing on the stock market that makes some kind of announcement about a product or a delay or something to do with their quarterly figures or something like that. That one-minute video could do a huge amount of damage to that organization. It could be that somebody's looking to take advantage of a dip at that point: video goes out, their stock's going to dip, buy it up, they make a profit. But it could also be much darker. It could be somebody who's trying to do that to actually damage their business.

So would you define a very good text-based phishing, spear-phishing, as a deep fake, where they've got enough data where the relevance of the topic is so spot on, the names that are involved in the text are so spot on because they've done their homework, and the transactions that they're suggesting are really spot on and consistent with the behavior of the things that their target does each and every day?

So I'm not sure I'd define that as a deep fake yet. Obviously you've got two types of a phish. You've got a spear-phish, which is the perfected version. The work has gone into targeting you as a specific high-value individual for some reason in the organization. But what we are seeing is, in the same way that deep fakes are leveraging technology to be able to manipulate somebody, things like the fact that we're all on Instagram, we're all on Facebook, we're all on Twitter, means that social manipulation is a lot easier for the bad guys to be able to create. Phishing campaigns that appear to be very much more targeted: they can create emails because they know you've got a dog, they know roughly where you live, because this information's coming up in pictures and it's in metadata on the internet.
And so they can generate automated messaging and emails and things that are going to go out that will appear to be from whomever you expect to receive it from, using words that you think only they would know about, to make that appear to be more realistic. So that's actually something we've sort of seen the start of, but still the thing to spot is that the grammar is very often not very good in these. They haven't perfected the language side of it.

But that's coming, right?

But that's coming.

We use an automated transcription service to do all the transcription on these videos. And it's funny, you can pay for the machine or you can pay for the human, we do both, but it's amazing, even only in the last six months, to see the delta shrink between the machine-generated and the person-generated. And this is even in pretty technical stuff that we get in, very specific kind of vocabulary around the tech conferences that we cover. The machines are catching up very, very fast.

They very much are, but then if you think about it, this is not new. What's happened, it's been happening in the background for a while. Things like quite a lot of legal work is done. If you look at estate agency, for example, and conveyancing, it's not uncommon for the conveyancing to be done using machine learning and using computer-generated documentation, because it's within a framework. But of course, the more it does that, the more it learns, and then that software can more easily be applied to other areas to be able to do that accurately.

Right, so another big topic that gets a lot of conversation is passwords. You know, it's been going on forever. Now we're starting to get into two-factor authentication, you know, the new Apple phones, you can look at it and it identifies you, so now you have kind of biometrics, but that can all be hacked too, right? It's just a slightly different method, but even though the biometric is not at all, well, that's secure.
I think the thing is, you see, when you're logging into something, there's two pieces of information you need. There's what you are, you as a person, and then there's the thing that you know. A lot of people confuse biometrics, thinking the biometric authentication is their password, where actually the biometric is the them, and so you still should back things with strong passwords. You still should have that behind it, because if somebody does get through the biometric, that shouldn't automatically just give them access to absolutely everything. You know, these are technologies that are provided to make things easier, to make it so that you can have less strong passwords, so that you do know where you're storing information, but people tend to rely on them too much. It is still very, very important to use strong passwords, to think about the process for how you want to do that. Taking statements and then turning those statements into strange sentences that only you understand, maybe having your own code to do that conversion, so that you have a very strong password that nobody's ever going to pick up. You know, we know the common passwords, unfortunately, are still one, two, three, four, five, six, seven and password. It's horrific.

I saw some article that you were quoted in and it had the worst 25 passwords from 2018 and 2019. It's basically just pick a string. But you know, but it's interesting because, you know, having a hard, you know, it's easy to make, take the time and go ahead and create that strong password. But then, you know, three months later, Salesforce keeps making me do a new one or the bank keeps making me do a new one. What's your opinion of some of these kind of password managers? Because to me, it seems like, okay, well, that might be doing a great job creating some crazy passwords for the specific accounts, but what if I get hacked onto that thing, right? Now they have everything in a single place.
Yeah, so this is where things like two-factor authentication become really, really important. So I use a password manager, and I've been, I'm very, very careful with how my passwords are created and what goes in there, so that I know where certain passwords are created for certain types of account and certain complexities, but I also turn on two-factor. And if somebody does try to go into my online password account, I will get an alert to say that they've tried to do that. A single failed authentication and I will get an alert to say that they've done it. An authentication that happens where I'm not, then I will get a note, so I've done that. So this is where that second factor actually becomes really important. If you have something that gives you the option to use two-factor authentication, use it. Use it. It is a pain when you're trying to do something with your credit card and you have to do the one-time text, but it'd be more of a pain if you didn't and somebody else was to use it and to fill it up nicely for you, wouldn't it?

Right. It's funny, part of the keynote from Rohit was talking about, as a profession, spending way too much time thinking about the most kind of crazy, bizarre, sophisticated attacks at the fault of not necessarily paying attention to the basics, and the basics is where still a lot of the damage is done, right?

Well, this is the thing, and there's a few things in our industry, so exactly what you just said. Everybody seems to believe that they're going to be the target of the next really big, complex, major attack.
The reality is they aren't, and the reality is that they're being hit by the basics, like ransomware, phishing, spear phishing, credential stuffing. All these attacks are hitting them all the time, and so they need to have those foundational elements in place against those, understanding what those are, and not worry about the big stuff, because the reality is, if your organization is going to be hit by a nation-state-level complex attack, or you can just fight against it, it's going to happen, and that's the thing with a lot of the buzzwords that we see in cyber today, isn't it?

And with smaller companies, SMBs, I mean, is really their only solution to go with, you know, cloud providers and other types of organizations that have the resources to get the people and the systems and the processes to really protect them? Because you can't expect, you know, Jeff's flowers down on Forestry to have any type of sophistication needed, but as soon as you plug that server in with the website, you're instantly going to get attacked, right?

The thing is, you can't expect that guy to be an expert. He's not going to be an expert in cybersecurity, and the cost of him hiring someone is going to outweigh the value he's getting back. My recommendation in that case is to look for organizations that can actually help you to become more cyber resilient. So an organization that I work with that's actually UK and US based is the Global Cyber Alliance.
They actually produce a small business toolkit. So it's a set of tools which are not chargeable, it's put together, and some of it might be a white paper, a set of recommendations, it might actually be a vendor-developed tool that they can use to download to check for vulnerabilities or something like that. But what it does is it provides it in a framework for them, so that they can go through and say, okay, yeah, I get this, this is English, simple language, and it helps to protect me as a small business owner, not a massive enterprise where actually none of those solutions fit to what I want to do. So that's my recommendation for small businesses: look for these types of organization, work with someone like that, this is what they're doing, and learn cyber from them.

Yeah, that's a good tip. I want to kind of double click on that. So that makes sense when it's easy to measure your ROI on a small business, I just can't afford the security pros. For bigger companies, when they're doing their budgeting for security, to me it's always a really interesting, it's insurance. At some point wouldn't it be great if I could insure 100% coverage, but we can't, and there's other needs in the business beyond just investing in cybersecurity. How should people think about the budgets relative to, as you just said, the value that they're trying to protect? How do you help people think about their cybersecurity budgets and allocations?

So then there needs to be, and this is happening, a change in how the conversation works between the security team and the board who own those budgets. What tends to happen today is that there's a, the cyber team wants to provide the right information to the board that's going to make them see how good what they're doing is and how successful they are, and justifies the spend that they've made, and also justifies the future investments that they're going to need to make. But very often that falls back on reporting on big-number statistics.
We blocked billions of threats, we turned away millions of pieces of malware. Actually, that conversation needs to narrow down, and the team should be saying, okay, so in the last two months we had five attacks that came in. We actually dealt with them by doing this. These are the changes that we've made. This is what we've learned. However, if we had had this additional, or this switched on, then we would have been more successful, or we'd have been faster, or we could have turned down the time on doing that. Having that risk-and-compliance type conversation is actually adding value to the security solutions that they've got, and the board understand it. They get that conversation, and they're going to be happier to engage. This is happening. This is something that is happening, and it's going to get better and better, but that's where things need to go.

Right, because the other hard thing is, it's kind of like, we've joked earlier, it's kind of like an offensive lineman. They do a great job for 69 plays, and on the 70th play they get a holding call. That's all anybody sees. And you know, there's, again, that was part of Rohit's keynote, that we can't necessarily brag about all the DDoS attacks that we stopped, because we can't let the bad guys kind of know where we're being successful. So it's a little bit of a challenge in trying to show the ROI, show the value, when you can't necessarily raise your hand and say, hey, we stopped the 87th attack, because it's only the 88th that really is the one that showed up in the Wall Street Journal.

I think the thing with that is, when organizations are looking at security solutions specifically, we're very aware of that. Organizations struggle to get customer references. You'll see a lot of the references are major financial or large manufacturing organizations, because companies don't want to step up and say, I implemented security and it did this, because the reverse of that is they didn't have it before then.

Right, right.
Or we'll go in that door, not that door.

And so, but there are a lot of good testing organizations out there that actually do take the security solutions and run them through very, very stringent tests and then report back on the success of those tests. So, you know, we work closely with NSS Labs, for example. We've had some very good reports that have come out from that, where they do a drill-down into how fast, how much, how many. And then that's the kind of thing you can then take to the board. That's the kind of thing that you can publicize to say, the reason that we're using Juniper SRX firewalls is because in this report this is what it said. This is how good that product was. And then you're not admitting a weakness. You're actually saying we're strong because we did this work and this research up front. Very different kind of different approach.

Yeah, yeah. Well, Lawrence, really enjoyed the conversation. We'll have to leave it here, but I think you have no shortage of job security, even though we will know everything in 2020 with the benefit of hindsight.

Really? Yeah, thank you very much for that.

All right, thanks a lot. All right, he's Lawrence. I'm Jeff. You're watching theCUBE. We're at RSA 2020 in Moscone. Thanks for watching. We'll see you next time.