TheCube presents Ignite22, brought to you by Palo Alto Networks.

Good afternoon, guys and gals. We're so glad you're here with us. Welcome back to the MGM Grand Las Vegas. This is day two of theCube's coverage of Palo Alto Networks Ignite22. Lisa Martin here with Dave Vellante. Dave, as I mentioned, our second day of coverage. We've learned a lot about cybersecurity, the complexity, the challenges, but also the opportunities. We've had some great conversations really dissecting some recent survey data. We know that no industry is immune from this, but healthcare is one of the ones that's quite vulnerable. We're going to be talking about that next.

Yeah, of course, we always talk about the supercloud and connecting hybrid across clouds and on-prem, but also now out to the edge. And nobody wants a separate stovepipe, but we saw this during the pandemic. We saw the pivot to work from home, to endpoint and cloud security, re-architecting of the network, identity and more stovepipes, right? But that's not what the industry wants or needs.

Well, I never would think about, you go to the doctor's office, you go to a hospital, X-ray machines, CT scanners, all this proliferation of medical IoT devices. Great for the patient, great for the providers, but a lot of opportunities for the attackers as well. We're going to be talking about that in part in our next conversation with an alumnus who's coming back to the program. Anand Oswell is here, the SVP and GM of network security at Palo Alto Networks. Great to have you back.

Great to have me, thank you. It's been a few years.

Yeah, it's been a time. So I was looking at some of the Unit 42 research: medical devices are the weakest link on the hospital network. Great for patient care, for doctors, providers, et cetera, but a challenge and an opportunity for the adversaries. What are some of the things that you guys are seeing? I know you have some news on the medical IoT front.
Yeah, thanks for having me, by the way. So if you look at it, every industry has benefited from connected devices. It changes the outcome and the experiences both for the end users as well as the businesses. And healthcare is no different. If you look at the experience that we've had as patients over the last decade, it has changed dramatically. And in the pandemic, even more changes happened, right? This is really ushering in a new era of patient care, these connected devices. You know, I have a family member of mine who has diabetes. And as you know, you've got to check the blood glucose level periodically. It's usually pricking, it's cumbersome, it can hurt you. But now with these new IoT-based glucose monitoring systems, you can monitor these levels in real time, constantly. If it drops, you can inject the right amount of insulin. So it's changing the experience and the outcome for patients, taking data from these devices to ensure that you have different outcomes. So it's really changing how you experience this as a patient. But like you said, along with all of this, it's adding increased cybersecurity risk, right? And we've seen over the last, I don't know, a year or so, a 200% increase in cyber attacks on healthcare organizations. And in the next couple of years, you're going to see 1.3 billion, yes, B, billion, new connected devices come to healthcare. So that's increasing the attack surface. So we've got to stay vigilant. There's a lot of great things you get from connected devices. It has cyber risk, it's planted properly.

But it's hard just to secure medical IoT devices. Why is it so challenging and how do you help?

Yeah, look, you can only secure what you see, first of all, right? So it's very important to understand what devices you have on your network. And this can't be done statically, right? Because they're made by different manufacturers and you're adding so many every day. So you need to use machine learning to identify what these devices are, but not just what a device is.
Who's the manufacturer? What's the make? What's the model? What are the unpatched vulnerabilities? That's one part. I tell people that having visibility is good, but that's not enough. It's like me telling you you have a leak in your house, but I don't give you any information on where the leak is. How do I call the plumber? What's the home warranty, home insurance coverage? So you've got visibility. Then you need to do segmentation. Segmentation is all about who can talk to whom. Should your CT scan machine or MRI machine be talking to a server in the corporate environment? Should it be talking to your point-of-sale terminal in the hospital? Maybe not, right? So you need to define those policies. Again, those can't be manual. They have to be automated because you're adding new devices every day. After you do that, it's around the data that is transported on those devices. Do they have threats? Are there command-and-control connections? Because threats can move laterally, and you need to inspect this in real time every day. Constantly, not just one time, right? That's the whole notion of zero trust, which is no notion of implied trust. You want to have least-privileged access. And the most important is that, look, we talked about this before, the majority of healthcare organizations have legacy security architectures. You can't have it solved by another point product, a new sensor, a partial solution. You need to get fully integrated because you need to reduce their operational costs. You need to ensure that they have better security, right? I tell people, what do organizations want? Make more money, save money, and stay out of trouble, right? It's in simple ways. You need to ensure that they're able to get this done securely. That's very important.

So a lot of the devices, so you think about OT, a lot of devices have been naturally air-gapped. That was sort of the safety. What's it like in healthcare? Is the MRI machine, was it historically fenced off from the network?
And how is that changing?

I'll give you an example. I talked to a customer. This was a few months ago, and this happened before the pandemic, luckily. The doctor was doing a surgery on a patient at roughly two in the morning, using a ventilator. And guess what happened? The ventilator rebooted and said the firmware was upgrading, right? And luckily, when I talked to the customer, they said they had another ventilator that they could quickly use. This ventilator was connected to an Ethernet cable, in this case. And somebody decided that 2 AM is the right time to upgrade things. Like, you know, you have windows when you upgrade things, but you need to be able to manage the life cycle of these devices more intelligently. When is it being used? When is it upgraded? There's a life of a device, and I tell people there's a cyber life. Now, we have too many devices with end-of-life operating systems. We all remember the 2017 WannaCry attack. That was an end-of-life operating system. So you have a shelf life and you have a cyber life. You need to be able to manage the life cycle of these devices and easily onboard new devices, but also have the ability to sunset devices as needed.

Okay, so the business generally stays ahead of cyber, but are those worlds coming together? I mean, I feel like with digital transformation, we're beginning to see that. Everybody talks about how cyber can't just be a bolt-on.

Yes.

But it oftentimes is. So what's the state of play in healthcare?

I think it's changing. You think about the healthcare organizations, or generally even OT environments. The decision-maker is not just the CIO and CISO. It's also your plant manager, the hospital owner, or the manager of the operations of the hospital. They have to be taken into account. The other stakeholder is the clinical and biomed engineer who operates these devices, right? I was talking to a healthcare customer who said that asset utilization of devices is important.
Many times you find nurses or doctors will keep an infusion pump with them in their room because they want it easy to use. And then they say, I want five more or 10 more, right? We all live in an environment where budget will be more and more important. So how do you get a full inventory of what's in use? How often are they used? For example, MRI machines are many times preset for scanning certain parts of the body. Now you can change it, but it takes time, it's effort. So if you know the asset utilization of what you're doing, you can be more efficient and have a much more efficient organization.

And so how do they do that? Is that some kind of predictive analytics that they're using?

Yes, it's the whole lifecycle of a zero trust architecture. It is the whole lifecycle of managing these devices effectively and then simplifying your operations. Those are three things that we have to do.

How can zero trust be really tailored to healthcare specifically?

Yeah, let me tell you. First of all, when I talk of zero trust, I have a simple way of talking about it, which is no notion of implied trust, right? Just because I'm in an environment doesn't mean I have access to a device and application, et cetera. And when we think of a medical device, it's like, who's the user who's accessing it? How do you authenticate that user? And that can be the things the organization has, password and MFA, et cetera. That's good, that's not enough. If I authenticated you from this device, but what if this device itself is infected with malware? So I need to know the state of your device. Then what are you trying to access? Medical records, healthcare records, you have permission sets to access it. Are they read-only, write-only? You have confidential information about it. And when you're exchanging this information, is there malware in that data? You need to do this on a continuous basis. So user, endpoint, access, and transaction.
These four constructs have to be done continuously. That's the whole notion of zero trust.

So, okay, because we were talking off camera and you said, ask somebody what zero trust is, you get 10 different answers. 10 people, 10 different answers. So I always used to think unless a device or a person has been explicitly authorized and authenticated, they don't get access, but you just added something more. It also has to be clean, essentially. Right? And you've got the technology to do that?

Absolutely, and if you think about it, we can do this across all facets, all use cases. If you think of traditional network security, it doesn't secure the network. Like I said, it secures everything on the network: the users, the IoT devices, and the applications they access. Now I can be in the office, I can be on the road, or I can be home. I may use different notions of stacks. I may use a hardware-centric firewall for accessing data center-based applications in my private data center. I may use a software firewall application for accessing things in the public cloud. I may use the cloud-delivered SASE architecture from home or for remote branches. I want that consistent security. The way I do threat, the way I do phishing protection, ransomware protection, IoT security, it should be consistent, no matter where the user is, no matter where the data is, no matter where the application is. And that's really what we can do with a consistent platform approach.

So, on-prem, in all the clouds, at the edge.

Not only healthcare, but operational technologies, the factory. You want to make sure that it's not only the best-in-class security, it's also consistent security and consistent manageability, right? Which means the experience I have as an admin from day minus one to day end. And it can be for any use case I have. It could be for securing my applications in my private data center, my applications in the public cloud, or remote access from home or a remote branch.
I want that consistent security. I want that consistent policy. So, what is the treatment for you, the user, when you are in the office, on the go, or somewhere else? You don't want a different experience. You want the same experience. And it should be optimal. It can't be slow. It can't be like, it takes you a long time to access your application, either. Because all of us are, we're spoiled. We want it right away.

It can't be a blocker to productivity.

Exactly.

I was looking at some of the Unit 42 data about just all the vulnerabilities in different machines. We talk about cyber resilience a lot. And as I mentioned, I think even the survey that Palo Alto Networks released yesterday, What's Next in Cyber, was even demonstrating healthcare being one of the most vulnerable, and we talked about, you know, it being one of the weakest links. How can Palo Alto Networks work with healthcare organizations large and small across the globe to help them really dial up cyber resilience and start reducing the vulnerabilities that are there, as device proliferation is just going to happen?

Absolutely. I think you had a very good point. We have data which says that 83% of imaging systems run end-of-life operating system stacks, right? And you remember in 2017, the WannaCry attack started with an end-of-life operating system device, right? It affected 150 countries. In the UK alone, 70,000 devices, 30,000 patient cancellations. We know that if you think about infusion pumps, three out of four have unpatched vulnerabilities, which means that you can patch it. But it's very hard for the biomedical or clinical engineer to understand what to do and what not to do. Healthcare organizations have a lot of compliance requirements, right? They have HIPAA compliance, they have other regulations, so you need to make them audit-ready.
Inventory of the devices, status of each device, make it audit-ready, compliance-ready, so they're able to do what they do best in serving patients versus worrying about other things that we can automate for them. Lastly, I'll say that you also want to simplify the operations of the health environment, right? Having more point products, more point solutions that solve only a certain aspect of what you do, like only visibility, telling you you have a leak but not putting in the end solution, adds more and more complexity to organizations.

So, it's a different dynamic in this world, this healthcare world, because you've got all these devices, and they're not, you know, I think about Patch Tuesday, right? I mean, Microsoft's always putting out patches, so that tells the hackers, hey, you know, go in Wednesday and hack away. It's probably different in healthcare. They're probably not as frequent, the patches published, or maybe there are, I don't know, I'm curious as to whether they are. But I mean, the device manufacturers, they're not the biggest software companies in the world, so they're probably not as on top of it. So, I'm not saying it's better or worse, it's just a different environment.

The patches to the end devices may not be as frequent, but patches that you can apply from a security perspective on a security stack are happening continuously, in real time. The second thing is that you also want to ensure that the capabilities of your security product itself are able to stop attacks inline, in real time. For example, 95% of all malware in the world is morphed malware, which means it's variations of existing malware. You can stop this inline, in real time, right? Attackers are using more and more sophisticated techniques today to evade traditional sandboxing techniques. So you have to out-innovate them. And that's what we've done with all our cloud services. We moved them very early on to the cloud to get the agility and scale that we get.
But we invested a lot in machine learning and deep learning to stop these zero-day threats inline, in real time. Attackers are using that window of opportunity, like you mentioned, between the time when a breach is announced or detected and patched. And that window of time could be a minute. They're going to exploit that time. You want to reduce that to almost zero, which means that you need to stop it inline, in real time, continuously.

So take the sandbox example. So what do you say? So if I'm doing a sandbox on-prem, one of the vulnerabilities is if my capacity is 10,000 files, they're just going to overwhelm me with 100,000, and then I'm going to be trying to figure out what's going on. And while I'm doing that, they're going to be sneaking in. And is that an example that you address because you're in the cloud?

Yeah, that's one. But think about examples where attackers are devising malware, are creating malware that will basically evade traditional sandboxing techniques. So if I do a memory lookup on the register, that malware will diffuse. It only detonates on an end user, on a device or a database. So now you need to do intelligent techniques. So we built this lot of infrastructure for intelligent real-time memory analysis to ensure that we are able to stay ahead of the competition. And we did that for phishing. We did that for command-and-control connections. We did that for software exploits. We did that for malware, for DNS. We're able to stop about 11 to 12 million additional phishing sites than anybody else. We're able to have our sandboxing more effective than anybody else. We're able to stop 26% more malicious sessions than others in the industry.

Why? Architecture?

Architecture, a couple of things. First, architecture. Second is that through a lot of innovation that we've done in both machine learning and deep learning, we're able to look at unstructured data and stop the attacks inline, in real time.
Think about it, the traditional way of doing URL filtering has always been to be the database of URLs in the world. And you categorize these URLs into groups of categories, news, adult, and then you say, what's my risk profile for each of these? And you put a score and you say, I want to have this tolerance. That doesn't work anymore. The reason is because attackers are sophisticated. Websites come up and down in seconds. Before I build a database, it's gone. I can't do this the old way of doing things, signatures and databases. I've got to use the power of machine learning. I've got to use the power of deep learning and data.

And our healthcare leaders, do they have an appetite for that?

I think healthcare leaders are looking for outcomes. When I talk to healthcare professionals, they want to basically do what they do best, serve patients, give them optimal care. They want someone to take care of all these things holistically, end to end. Simplify all the things that they have to do from a compliance perspective, architectural perspective, reduce their costs, give them a better outcome. That's what they want. It's all about outcomes.

It's all about outcomes. And we know you cover much more than healthcare, but we obviously used most of our time on that. It's such an interesting, fascinating industry. Obviously there are a lot of opportunities there for organizations to work with companies like Palo Alto to really dial up their cyber resilience.

Absolutely.

And ultimately, to your point, deliver the outcomes that they are there to do.

Absolutely, yes.

We'll have to have you back, because I feel like we just scratched the surface, right?

I will come back. Thank you.

Thank you. Awesome. Thank you so much. Our pleasure to have you on the program. For Anand Oswald and Dave Vellante, I'm Lisa Martin. You're watching theCUBE, the leader in live and emerging tech coverage.