Peter: Hi, I'm Peter Burris, and welcome to another theCUBE conversation from our outstanding studios here in beautiful Palo Alto, California. Like all our CUBE conversations, we've got a great one today. And this one we're going to talk about some of the trends that people are experiencing in the world of security and threats. And to have that conversation, we've got Tony Giandomenico, who's a senior security strategist and researcher at Fortinet's FortiGuard Labs. Tony, welcome back to theCUBE.

Tony: Hey, Peter, how you doing, man? It's great to be here.

Peter: It's great to see you again, Tony. Look, we've had this conversation now for at least four quarters, and FortiGuard Labs has published their overall threat analysis for at least the past couple of years. And that's what we're going to talk about today. So give us a little bit of overview of what this report entails, where does the data come from, and how are you using it within Fortinet and FortiGuard Labs?

Tony: Sure, sure, well, so this is a quarterly threat landscape report, right? So obviously we do it on a quarterly basis, and it's really geared towards the IT security professional, from the CISO all the way down to the folks that are actually in the operations, the daily operations. We're getting billions of events that we're observing in real-time production environments, and we're looking specifically at application exploits, we're looking at malware, we're looking at botnets, and we hope to be able to identify different trends that then may be able to translate into that IT security professional being able to figure out where they should be focusing their security efforts.

Peter: Yeah, and I think that's an important issue, because you can't know what you should do next if you don't know what's happening right now, and/or what has happened recently. But you've tried to provide, let's call it, a more general flavor to the report this year, in the sense that you've introduced some indexes that show trends over time. Talk to us a little bit about that.

Tony: Sure, yeah. So last quarter we finally introduced what's referred to as our threat index, and what we were trying to do is be able to track the ebbs and flows of threats over time. And like you know, we always break down our exploits or our threats into application exploits, malware, and botnets, so each one of them also has their individual index. Now, although there were some peaks and valleys and application exploits did hit an all-time high, at the end of the quarter the threat index ended up around the same as last quarter, and I think a lot of that may be actually driven by the holiday season. Now, if I had a crystal ball, I would probably think that in future quarters the threat index is probably going to continue to increase. And I think there's a couple reasons for that, right?

Peter: It's when you say it's a holiday quarter, the overall threat index goes down because, as people spend time home for the holidays, take vacation, a little bit less time at work, they're opening fewer malicious files from fewer unknown sources or bad websites. But I think you've made the point multiple times that just because they're not opening a bad file in an email attachment right now doesn't mean that they're not going to open it when they get back to work.

Tony: Yeah, that is definitely true. But you know what, maybe they are more actually kind of focused and they'll be more attentive to looking at their email. I will also say the bad guys need a break too, right? So when a holiday season comes around, I mean, they're going to probably slow down some of their malware and some of their exploits and just kind of enjoy the holidays.

Peter: Good for them. All right, so let's take a look at each of the different areas. The overall threat index is comprised of, as you said, the application exploits, malware and botnets. So let's take them one at a time. What did we see in the threat index as it pertains to application exploits? What were the big trends?

Tony: Well, of the top 12, six of them, Peter, do you know what the six exploits we're focusing on for the top 12 are? Any idea?

Peter: I read the report. So yes, but tell us.

Tony: Okay. Yes, IoT. Now that's not like extremely interesting, because we continue to see quarter over quarter that the adversaries are targeting more of the IoT devices, which makes sense, right? I mean, there's a lot of them out there, the volume is there. And of course, they're not as secure as they typically need to be. But what's interesting though, out of those six, four of them happen to be IP cameras, right? So these monitoring devices that are monitoring your physical security, the adversaries are targeting those a little bit more because they understand that this cyber world and the physical security, they're combining. And when they're combining, if you're bringing over a physical security device that already has vulnerabilities, you're bringing that vulnerability with you. And that would just open up an opportunity for the adversary to be able to penetrate into that particular device and then get access to your internal network.

Peter: Yeah, let me ask you a question, Tony, because I was very interested in the incidents related to cameras, because cameras is kind of one of those domains, one of those technologies, one of those use cases that is somewhere between the old OC world or the OT world, the operational technology world, and the IT world or the IoT world. Where in the OT world, folks have spent an enormous amount of time making sure that the devices that they utilize are as secure as they possibly can be. I mean, they've got huge teams devoted to this. In the IoT world, we're working on speed, we're working on software defined, we're working on a little bit more generalization. But this notion of cameras is kind of coming in from an IoT side, but hitting the OT side. Is that one of the reasons why cameras in particular are vulnerable, and does that tell us something about how IoT and OT have to work together, based on the data that we're seeing in the report?

Tony: Yeah, I mean, I would totally agree, right? Because a lot of those different types of technologies have been isolated, meaning that not everybody had the ability to reach out and touch it, maybe security wasn't top of mind here. But now that that convergence is taking place, it's really top priority to make sure that if you are merging those things together, make sure that those devices are part of your threat and vulnerability management process, because now vulnerabilities that may actually be introduced from that particular device can affect your entire cyber assets.

Peter: Yeah, I think it's a great point that what one might regard as constrained devices nonetheless often have enormous processing power, and if they're connected can have enormous application. Okay, let's move from the application exploits into the malware world. What was the big trend in malware in this past report?

Tony: Sure, sure, yeah. So what we continue to see, and I think this was great: sharing information, sharing threat information, sharing malware samples is awesome. And we've been doing it for a long time, and we continue to see more and more publicly available sources for showing exploits, for showing malware, open source malware. And that's great, because as a cyber defender, it's great that I can research this and I can ensure that I have the right detections and ultimately the right protections against those particular threats. I would also add that we have such a skill shortage. I mean, we're trying to build up our cyber, our future cyber warriors, and the way we wanna be able to do that obviously is through a lot of training, and we can give them great examples that they can actually glean and learn from. And so all of this is good. But at the same time, when you have all this information out there, freely available, of course the adversaries have access to it as well. So what that means is, I'll give you an example, Peter. So you'll download, let's say there's open source malware, that's ransomware. You can download that, modify the Bitcoin address, or where that victim is supposed to send the ransom, and you just operationalize this ransomware. So, but then again, I mean, you might be saying, well, you just said that it's available for us to be able to research and have better detections, and you're right. Most of the time we'll detect that. But now you add in the fact that there's a whole bunch of open source evasion tools that you can run your malware through that would obfuscate possibly the malware enough that it can circumvent some of the actual security controls that you have in place. So it's a good thing, but we do continue to see some of the bad guys leverage it as well.

Peter: So let me see if I can put that in the context of some overall industry trends. Historically, the things that got the greatest install base were the targets that were preferred by bad actors, because they could do the most damage in those large numbers. And open source, as we improve these toolings, we see more people flock to that set of tools, and as those tools become more popular, they both have more value to the enterprise as a protection, but they become increasingly obvious targets to the bad actors. Is that kind of what you're saying?

Tony: Yeah, sure. It's almost like, you know, the cyber crime ecosystem now, the actual tools that are available, the services that are available at your fingertips. No longer, you know, do you need to be an expert to get into the life of cyber crime. You just need to know where to get these resources, and that is what's really driving the volume of attacks these days. So you're absolutely right, Peter.

Peter: So we've talked a little bit about application exploitation, we've talked a little bit about malware. Now these are things that we look at before the system gets compromised. We're really concerned about avoiding them getting a footprint or a hold within our system. Now let's talk about botnets, which are particularly interesting because often the botnet gets turned on and becomes a source of danger after the compromises take place. How do trends in, what did trends in botnets tell us?

Tony: Sure, sure, yeah. So one interesting point in botnets in quarter four was the fact that the initial botnet infections per firm was up 15% from the quarter before. So what that means is, on average, each firm saw about 12 botnet infections for that quarter, and that kind of translates into, out of maybe the 91 days that you have in that quarter, 12 of those days they actually had some type of botnet infection that they had to actually respond to, right? Because they've got to respond, like you said, Peter, the infection's already there. Somehow the payload circumvented their security defenses. It's on there and it's trying to communicate out to its command and control infrastructure, whether it's to download other malware, whether it's to actually possibly, you know, provide different types of commands to execute their cyber mission, whatever it is, it's there, and that's where we were sort of triggering on it. And I'll add to this, you know, because of this, you kind of invoke your incident response process, which means you're taking time, you're taking resources away from folks that are probably working on other projects to be able to help them fortify their overall security program more. Which I think underscores the need to be able to ensure that you're leveraging technology to help you make some of these automated, you know, decisions, with being able to prevent and ultimately hopefully be able to remediate those threats.

Peter: Yeah, so we've seen application exploits down a little bit, malware down a little bit, largely because of the fourth quarter, the holiday quarter. We've seen botnets also follow those trends, but still we have to be concerned about the number of net new days in which a botnet is operating. Is there something that we started to see in the data that requires new thinking, new approaches? What about all these memes that people are downloading, for example?

Tony: Yeah, I'll tell you, you know, social media, right? Love pictures, you know, whether it's, you know, Facebook, whether it's Twitter, you know, Instagram. Words are good, but what's even better, it seems, is, you know, pictures. People love pictures, and adversaries know that. So with an attack called, leveraging steganography, I think I spoke about that a couple, you know, maybe it was last year, you know, sometime, you know, we talked about that. But if you don't remember steganography, it's really the art of hiding something in a picture file, whether it was a message, whether it was a malicious payload, or it could even be different types of commands that the adversary wants to do to overall be able to complete their cyber mission. So they hide that information in there. And the adversaries, to be able to attack or leverage a steganography attack, they're using social media as a means of that communication. And what's interesting about that is, nowadays, you know, maybe 10 years ago not as much, but nowadays social media traffic and apps are kind of acceptable on a network these days, right? The marketing organizations, comms and, you know, PR, they leverage these social media sites. It's a key part of their overall plan. So you're going to see a lot of social media traffic in the network. So the adversary, if they can blend in with that normal, you know, traffic, they may go unnoticed for quite some time.

Peter: So as new sources of data are exploited by the business to engage their customers, like social media, new technologies or new concepts like steganography (or, steganography has been around for a long time, but it's new to a lot of people) become something that increasingly has to be observed and tracked and acted upon.

Tony: Yeah, you know, I always say this, it's like we want to continue to advance technology, right? We want to leverage it. Why? Because overall it makes our society better, makes my life better, makes your life better, makes everybody's, you know, future generations' lives better. But we need to make sure that we are securing the advancement of that actual technology. So it's a constant kind of catch-up game, you know, for us.

Peter: That's... I need my cat pictures, Tony. All right, so I want to do one last thing here. We learned a lot in the overall FortiGuard Labs reports over the past few quarters. Certainly here on theCUBE I've learned a lot, and I'm sure everybody who's been watching these CUBE conversations has learned a lot as well. Let's now think about some recommendations. If we kind of quickly summarize what happened in 2018, what does it tell us about things that people should do differently in 2019? What are the kind of two or three key recommendations that FortiGuard Labs is putting forward right now?

Tony: Yeah, I mean, I think one of the things that we continue to see is just how these, you know, these threats are becoming, you know, bigger, faster, stronger, right? And that's really being sort of driven by the cyber crime ecosystem, the advancement of these types of attacks. So, you know, how do you continue to ensure that you can keep up with this sophistication and this volume? And I'll kind of make it simple at a high level. Obviously it goes a lot deeper, but the first thing is having awareness. I really feel people don't truly know what they're actually protecting within all of their cyber assets. What are the operating systems? What software? Where are they located? Where is their data located? How is their data flowing from system to system? I don't think they have a good understanding of that. So having that awareness, right? It's getting even harder now because it's cloud, right? It's on your workstation, it's in the cloud. It's all over the place. So it's good to get a handle on that. And once you have that, you need to act on it, right? So whether it's identifying vulnerabilities that need to be, say, patched, or whether it's finding some type of threat in your environment and taking action, it's important that, you know, we need skilled resources, you know, to be able to deal with that. But I would say, once again, look at automation. How can you leverage technology to be able to communicate with each other through open APIs and make some automated decisions for you? Isolate those threats. Allow you to fight through the attack a little bit more so you can figure out what to do. Ultimately, hopefully it's going to minimize the impact of that one breach. And I would say this: threats are going to get in. But if you can continue to resist that threat before it gets into the core of your network, that's a win for everybody. So continue to resist is a big one. Because that initial access, it's going to happen. Continue to resist so you can ensure the minimization of the actual impact of that risk.

Peter: So I've got two quick comments about that, Tony. Tell me if I can summarize this right. One is that, look, everybody's going digital. Everybody's going through a digital transformation. Very few firms, however, have truly adopted an asset-oriented approach to their data. What you're saying is security is how you go about making your data private so that you get value out of it and not bad people. That's, I think, kind of an overarching statement that this is a business problem that has to be treated like a business problem and invested in like a business problem. The second thing that I would say is, and let me see if I got this right, that the idea ultimately that data stays in one place and is used only in one way is wrong. It's going to change over time. And we have to acknowledge that there's not one approach to how we go about data security and handling these threats. There's differences in application exploitation, differences in malware. And as you said, botnets are indications that something's already happened. So we have to use a more balanced, comprehensive view to how we think about handling the threats against us. Have I got that right?

Tony: Yeah, absolutely. And I'll just end it with that. There's a lot of things that you have to deal with, right? And we have such a cybersecurity shortage, and you can never get to everything. But like you had said, it's a business issue. If you can understand your critical business processes and focus on those things, those assets, that data, that is going to be how you're going to prioritize and ensure that you can minimize the overall impact of an actual threat that may actually enter into your environment.

Peter: Tony Giandomenico, Senior Security Strategist and Researcher at FortiGuard Labs of Fortinet. Once again, Tony, thanks for being on theCUBE.

Tony: Always a pleasure, Peter.

Peter: And I always love having Tony Giandomenico. Hopefully you've enjoyed this CUBE conversation as well. Until next time, I'm Peter Burris. Talk to you soon.