Live from San Francisco, it's theCUBE, covering RSA Conference 2020 San Francisco, brought to you by SiliconANGLE Media.

Welcome back everyone, CUBE coverage here in Moscone in San Francisco for RSA 2020. I'm John Furrier, host of theCUBE. We got a great guest here talking about cybersecurity and the impact with AI and the role of data. It's always great to have Derek Manky, Chief, Security Insights and Global Threat Alliances with FortiGuard Labs, part of Fortinet. FortiGuard Labs is a great, great organization. Thanks for coming on.

It's a pleasure, always to be here.

So you guys do a great threat report that we always cover. It always covers all the bases and really kind of illustrates kind of the state of the art of viruses, the protection, threats, et cetera. But you're part of FortiGuard Labs.

That's right.

Part of Fortinet, which is a security company, public. What is FortiGuard Labs? What do you guys do? What's your mission?

So FortiGuard Labs has existed since day one. You can think of us as the intelligence that's baked into the product, right? It's one thing to have a world-class product, but you need a world-class intelligence team backing that up. We're the ones fighting those fires against cyber crime on the back end, 24-7, 365, on a per-second basis. We're processing threat intelligence. We got over 10 million attacks. We're processing just per minute over 100 billion events in any given day that we have to sift through. We have to find out what's relevant. We have to find gaps that we might be missing detection and protection. We got to push that out to a customer base of 450,000 customers through FortiGuard Services and five million firewalls, five million plus firewalls shipped now. So it's vitally important. You need intelligence to be able to detect and then protect and also to respond. Know the enemy, build a security solution around that and then also be able to act quickly about it if you are under active attack.
So we're doing everything from creating security controls and protections so up to real-time updates for customers. But we're also doing playbooks. So finding out who these attackers are. Why are they coming after you? For a CISO, why does that matter?

So this is all part of FortiGuard Labs. How many people are roughly involved? Take us a little inside the curtain there. What's going on? Personnel, size, scope.

Yeah, so we're over 235. So for a network security vendor, this is the largest global SOC that exists. Again, this is behind the curtains, like you said. These are the people that are fighting those fires every day, but it's a large team and we have experts to cover the entire attack surface, right? So we're looking at not just viruses, but we're looking at zero-day weapons, exploits and attacks, everything from cyber crime to cyber warfare, operational technology, all these sorts of things. And of course, to do that, we need to really heavily rely on good people, but also automation and artificial intelligence and machine learning models.

You guys are walking on a tightrope there and I can only imagine how complex and stressful it is, just imagining the velocity alone. But one of the trends that's coming up here of this year at RSA and kind of been talking about in the industry is the who. A lot of who is the attacker because the shifts could shift and change. You got nation states are sitting out there. They're not going to have their hands dirty on this stuff. You got a lot of dark web activity. You got a lot of actors out there that go by different patterns, but you guys now have an aperture and the visibility is a lot of this stuff. Absolutely. So you can almost say that's that guy. That's the actor. That's a really big part. Talk about why that's important.

This is critically important because in the past, let's say the first generation of threat intelligence was very flat, it was the what, right?
So it was just talking about here's a bad IP, here's a bad URL, here's a bad file block it. But nowadays obviously the attackers are very clever. These are large organizations that are around a lot of people involved. There's real world damages happening and we're talking about, you look at OT attacks that are happening. Now there's, in some cases, 30, 40 million dollars from targeted ransom attacks that are happening. These people, A, have to be brought to justice so we need to understand the who, but we also need to be able to predict what their next move is. This is very similar to what you see online with CSI. The police trying to investigate and connect the dots like plotting the strings and the yarn on the map. This is the same thing we're doing, but on a way more advanced level. And it's very important to be able to understand who these groups are, what tools they use, what are the weapons, cyber weapons, if you will, and what's their next move potentially going to be. So there's a lot of different reasons it's important.

You know, Derek, I was riffing with another guest earlier today about this notion of government protection. You know, we've got a military. Troops drop on our shores in my neighborhood. The Russians drop in my neighborhood, guess what? The police will probably come in and the army should take care of it. But if I got to run a business, do I got to build my own militia? So there's no support out there. The government's not going to support me. I'm hacked. Damage is done. You guys are in a way providing that critical lifeline that guard or shield, if you will, for customers. And they're going to want more of it. So I got to ask you the hard question, which is how are you guys going to constantly be on the front edge of all this? Because at the end of the day, you're in the protection business. Yep. Threats are coming at the speed of milliseconds and nanoseconds. Yeah.
In memory, you need in memory, you need database, you got to have real time. It's a tsunami of attack. You guys are the front lines of this. Yeah. You're the heat shield. Yes, absolutely. How do you take it to the next level?

Yeah. So collaboration, integration, having a broad integrated platform, that's our bread and butter. This is what we do, right? End to end security. The attack surface is growing. So we have to be able to, A, be able to cover all aspects of that attack surface. And again, have intelligence, right? So we're sharing through partners. We have our core intelligence network. Like I said, we're relying heavily on machine learning models to be able to find that needle in the haystack. Like as I said earlier, we're getting over a hundred billion potential threat events a day. We have to dissect that. We have to break it down. We have to say, what is this affecting endpoint? Is this affecting operational technology? What vertical? How do we process it? How do we verify that this is a real threat? And then most importantly, get that out in time and speed to our customers. So I started with automation years ago, but now really the way that we're doing this is through broad platform coverage, but also machine learning models for and-

I want to dig into machine learning because I love that needle in the haystack analogy because if you take that to the next step, you got a stack of needles now. So you find a needle in the haystack. Now you got a bunch of needles. What do you find that? You need AI. You got to have some help, but you still got the human component. So talk about how you guys are advising customers and how you're using machine learning and get that AI up and running for customers and for yourselves.

Yeah, so we're technology people, right? I always look at this as the stack, the stack model. The bottom of the stack, you have automation, right? You have layer one, layer two.
That's like the basic things for, you know, feeds, threat feeds, how we can push out, automate, integrate that. Then you have the human. So the layer seven, right? This is where our human experts are coming in to actually advise our customers. We're creating threat signals with FortiGuard Labs as an example. These are bulletins. That's a quick two to three page read that a CISO can pick up and say, here's what FortiGuard Labs has discovered this week. Is this relevant to my network? Do I have these protections in place? There's also that automated. And so, you know, I refer to this as a centaur model. It's half human, half machine. And, you know, the machines are driving a lot of that the day-to-day mundane tasks, if you will, but also finding, you know, collecting the needles of needles. But then ultimately, we have our humans that are processing that, analyzing it, creating the higher level strategic advice. Recently, we've launched a FortiAI product as well. This has the concept of a virtual-

Oh, so, back up, zoom. What's it called?

FortiAI.

Okay, yeah. So it's AI components. Is it a hardware box or-

This is an on-premises appliance built off of five plus years of learning that we've done in the cloud to be able to identify threats in malware, understand what that malware does to a detailed level. And, you know, where we've seen this before, where is it potentially going? How do we protect against it? Something that typically you would need four to five headcount in your security operations center to do, we're using this as an assist tool. So that's why it's a virtual analyst. It's really a bot, if you will, something that can actually help.

So it's an enabling opportunity for the customers. Absolutely, yeah. So what's this virtual assistant built into the box? What does that do, virtual analyst?
Yeah, so the virtual analyst is able to sit on-premises, so it's localized learning, collect threats, understand the nature of those threats, to be able to look at the needles of the needles, if you will, make sense of that, and then automatically generate reports based off of that, right? So it's really an assist tool that a network admin or a security analyst was able to pick up and virtually save hours and hours of time of resource.

So if you look at the history of our technology industry from a personalization standpoint, AI and data, whether you're a media business, personalization is ultimately the result of good data AI. Yes, yeah. So personalization for an analyst would be how not to screw up their job, right, at one level. Another one's to be proactive on being more offensive. And then third, collaboration with others. So you're starting to see that kind of picture form. What's your reaction to that?

Yeah, I think it's great. You know, there's stepping stones that we have to go through. The collaboration is not always easy. I'm very familiar with this. I mean, I was, you know, with the Cyber Threat Alliance since day one, I work with, I head up and work with our global threat alliances. There's always good intentions. There's problems that can be created. And obviously you have things like PII now and data privacy and all these little hurdles they have to come over. But when it works right together, this is the way to do it. It's the same thing with, you talked about the data. Naturally, when you start building up IT stacks, you have silos of data. But ultimately, those silos need to be connected from different departments. They need to integrate and collaborate. It's the same thing that we're seeing from the security front now as well.

Well, you guys have proven the model of FortiGuard that the more you can see, the more visibility you can see and more access to the data in real time or any time scale, the better the opportunity.
So I got to take that to the next level where you guys are doing it, congratulations. But now the customer. How do I team up with, if I'm a customer with other customers, because the bad guys are teaming up. So the teaming up is now a real dynamic that companies are deploying. How are you guys looking at that? How is FortiGuard helping that? Is it through services? Is it through the products like virtual assistant, virtual for AI?

Yeah, so you can think of this. I always make it an analogy to the human immune system, right? Artificial neural networks are built off of neural nets. If I have a problem in an infection, say on one hand, the rest of the body should be aware of that. That's collaboration from node to node, right? Blood cells, blood cells, it's the same thing with employees of a network admin sees a potential problem. They should be able to go and talk to the security admin who can go in, log into an appliance and create a proper response to that. This is what we're doing in the security fabric to empower the customer. So the customer doesn't have to always do this and have the humans actively doing those cycles. I mean, this is the integration, the orchestration is the big piece of what we're doing. So security orchestration between devices that's taking that gap out from the human to human, walking over with a piece of paper to another, or whatever it is, that's one of the key points that we're doing within the actual security fabric.

So that's why silos is problematic. Absolutely, yeah. Because you can't get that impact.

Yeah, and it also creates lag time. We have a need for speed nowadays. Threats are moving incredibly fast. I think we've talked about this on previous episodes with swarm technology, offensive automation, the weaponization of artificial intelligence. So it becomes critically important to have that quick response and silos really create barriers. Of course, I make it slower to respond.
Oh, Derek, so I got to ask you, it's kind of like, I don't want to say it sounds like sports, but what's the state of the art in the attack vectors coming in? What are you guys seeing as some of the best-of-breed attacks that people should really be paying attention to? They may or may not have fortified down. What are SOCs looking at? And what are security pros focused on right now in terms of the state of the art?

Yeah, so the things that keep people up at night, right? So we follow this in our threat landscape report. Obviously, we just released our Q4 one with FortiGuard Labs. We're still seeing the same culprits. This is the same story we talk about a lot of times, things like it used to be EternalBlue and now BlueKeep. You know, these vulnerabilities that are nothing new, but still pose big problems. We're still seeing that exposed on a lot of networks. Targeted ransom attacks, I was saying earlier, we've seen this shift or evolution from ransomware from day to day, like, you know, pay us $300 or $400. We'll give you access to your data back as to going after targeted accounts, high revenue business streams. So, you know, low volume, high risk. That's the trend that we're starting to see as well. And this is what I talk about for trying to find that needle in the haystack, right? This is again why it's important to have eyes on that, yeah.

Well, you guys are really advanced and you guys doing great work. So congratulations. I got to ask you kind of like the spectrum of IT. You got a lot of people on the high end. Financial services, healthcare, they're regulated. They've got all kinds of challenges. But as IT and the enterprise starts to get woke to the fact that everyone's vulnerable. Yeah. I've heard people say, I'm good. I got a small little man and I'm only a hundred million dollar business. All I do is manufacture. I don't really have any IP. So what are you going to steal? So that's kind of a naive approach. Yeah. Yeah.
The answer is, what, your operations ransomware? There's a zillion ways to get taken down. What are, how do you respond to that?

Yeah, yeah, absolutely, absolutely. Going after the crown jewel is what hurts, right? So it might not be a patent or intellectual property. Again, the things that matter to these businesses, how they operate day to day, the obvious example is what we just talked about with revenue streams. And then there's other indirect problems too. Obviously, if that infrastructure of a legitimate organization is taken over and it's used as a botnet in an orchestrated denial of service attack to take down other organizations, that's going to have huge implications.

And they won't even know it.

Right, in terms of brand damage, there's legal implications as well that happen. This is going even down to the basics with consumers, thinking that they're not under attack, but at the end of the day, what matters to them is their identity. Identity theft, right? But this is on another level when it comes to the organization.

Yeah, there's all kinds of things to do in this. You guys, there's so much more advance on the attacker side. All right, so I got to ask you a final question. I'm a business, you're a pro, you guys doing great work. What do I do? What's my strategy? How would you advise me? How do I get my act together? I'm whacking the mole every day. I'm trying my best. I'm pedaling as fast as I can. I'm overloaded. What do I do? How do I go the next step?

So look for security solutions that are the assist model, like I said, right? There's never ever going to be a universal silver bullet to security. We all know this, right? But there are a lot of things that can help up to that 90%, 95%, right? So depending on the nature of the threats, having first detection first, that's always the most important. See what's on your network. This is things where SIEM technology, sandboxing technology has really come into play, right?
Once you have those detections, how can you actually take action? So look for integration. Really have a look at your security solutions to see if you have the integration piece. Orchestration and integration is next after detection. Finally, from there, having a proper channel. There's services you looked at for managed incident response as an example. Education and cyber hygiene are always key. These are free things that I push on everybody, right? I mean, we release weekly threat intelligence briefs. We're doing our quarterly threat landscape reports. We have something called threat signal. So it's FortiGuard response to breaking industry events. I think that's key. Hygiene seems to come up over and over as the, that's the foundational bedrock of security. Yeah, and then, you know, as I said, ultimately, where we're heading with this is the AI solution model, right? And so that's something, again, that's that I think.

Well, one final question since it's just popped into my head, I wanted to end on that last one, but I wanted to bring it up since you kind of were getting at it. And I know you guys are very sensitive to this one topic because you live it every day, but the notion of time and time elapsed is a huge concern because you got to know it's not if it's when. So the factor of time is a huge variable in all kinds of impact. Yes, yeah. Positive and negative. How do you talk about time and the notion of time elapsing?

That's a great question. Yeah, so there's many ways to stage that. I'll try to simplify it. So number one, if we're talking about breaches, time is money, right? So the dwell time, the longer that a threat sits on a network and it's not cleaned up, the more damage is going to be done. I mean, think of the ransom attacks, denial of service, revenue streams being down. So that's the incident response problem, right? So time is very important to detect and respond. So that's one aspect of that.
The other aspect of time is with machine learning as well. This is something that people don't always think about. They think that artificial intelligence solutions can be popped up overnight and within a couple of weeks they're going to be accurate. It's not the case. Machines learn like humans do. It takes time to do that. It takes processing power. Anybody can get that nowadays. Data, most people can get that. But time is critical to that. So it's a fascinating conversation. There's many different avenues of time that we can talk about. And time to detect is also really important as well, again.

Let's do a whole segment on that in our studio or follow up on that. I think it's a huge topic. I hear about all the time. It's a little bit elusive, but it kind of focuses your energy on, wait, what's going on here? I'm not reacting, it's a huge issue.

Yeah, I mean, I refer to it as latency, right? I mean, latency is a key issue in cybersecurity, just like it is in the stock exchange.

Yeah, I mean, one of the things I've been talking about with folks here, just kind of in fun conversation, is don't be playing defense all the time. If you have a good time, latency, you can actually be a little bit offensive. Why not take a little bit more offense? Absolutely. Why play defense the whole time? So again, you're starting to see this kind of mentality, not being just an IT, we got to cover, okay, respond, no, hold on to the ball game.

Yeah, it comes back to the sports analogy again, right?

Got to have a good offense, the West Coast offense. Derek, thanks so much. Quick plug for you, FortiGuard. Share with the folks what you guys are up to, what's new, what's the plug?

Yeah, so FortiGuard Labs, so we're continuing to expand. Obviously, we're focused on, as I said, adding all the customer protection first and foremost, but beyond that, we're doing great things in industry, right?
So we're working actively with law enforcement, with Interpol, Cyber Threat Alliance, with the World Economic Forum, and the Center for Cyber Security. There's a lot more of these collaboration key stakeholders. You talked about the human to human before. We're really setting the pioneering and setting that world stage, I think. So it's really exciting to me. It's a lot of good industry initiatives. I think it's impactful. We're going to see an impact. The whole goal is we're trying to slow the offense down, the offense being the cyber criminals, right? So there's more coming on that end. You're going to see a lot of great, follow our blogs at FortiGuard.com, and all the great reports.

I'm a huge believer in that the government can't protect us digitally. There's going to be protection, heat shields out there. You guys are doing a good job. It's only going to be more important than ever before. So congratulations. Thanks for coming on. I really appreciate it.

Never a dull day, as we say.

All right, it's theCUBE's coverage here in San Francisco for RSA 2020. I'm John Furrier, your host. Thanks for watching.