Excellent. So I'm Dave Merkel, Chief Technology Officer at Mandiant. I am not related to the other Merkel that you may be more familiar with. We'll just keep that clear, lest the Q and A get a little bit out of hand. Just very briefly, you may not be familiar with Mandiant. We're a United States based company, and our specialty is actually dealing with the failures of cybersecurity. So that's what my career has been spent doing. We practice the art and science of incident response. So if you've seen headlines about significant breaches, particularly in U.S. multinational companies, the likelihood that we, or our technology, are behind the scenes assisting that organization is pretty high. We are based in a lot of different locations, to include Dublin. So we are Ireland natives now. And we have literally written the book on the discipline of incident response and security failure.

The thing that has gotten us probably the most attention in the last 12 months is back in, I believe it was February this year, or in January, we released a report on Chinese nation-state sponsored hacking, the APT1 report, which we did to provide a view into the kinds of things that are going on in today's cybersecurity sphere. Nation states are into it. Organized crime is into it. And we detailed a lot of the techniques and the breadth of the attacks to try to raise not just U.S. awareness, but global awareness, of the growing problem. You can actually get the report online at our website. If you haven't seen it, it's very, very interesting.

I thought I would spend just a few minutes, before getting out of the way for questions and answers from all of you, to talk a little bit about things that we think are important when we talk about the discipline of cybersecurity. We start with this as a premise. Security breaches are inevitable.
That's nice and depressing. This is the unicorns and rainbows briefing, so you'll all be very excited after you leave this today. But this is very true, and we have the background knowledge and first-hand experience to prove it. What's some of the premise there? What about some of these things you hear about prevention, and trying to maintain your systems, and quality process? We think about prevention as very important in your environment, trying to keep bad things from happening. But we think of prevention not really as prevention. Prevention is friction. You are increasing the coefficient of friction in your environment. So when you are breached, and I use the word "when" very, very deliberately, because it will happen, or you're already breached and you don't know it, the attacker in your environment doesn't have the ability to move as quickly. Why is that important? Because at the end of the day, in addition to trying to increase the friction in your environment, you also need to be trying to identify the failure when it happens and then get that attacker out of your environment before they can achieve their objective. We talk about the phrase "redefining the win": when attackers get through, being able to rapidly respond so that you can stop them before they reach their objective, so you can minimize the risk to your business and minimize the impact.

The premise that security breaches are inevitable is based on just very simple logic. The attacker-defender problem is asymmetrical, right? So if you have a Maginot Line somewhere in France and it's facing east, then the Germans will use that fancy flanking technique and just come in from the north. As a defender, you have to get everything right every single day. And that's not just getting everything right as a security practitioner. You have to get it right as a security practitioner, and more than that.
Everyone in your company needs to not click on a malicious link and download a file. Everybody needs to change their password. Everybody needs to use complicated passwords and not write them down. Every single aspect of your business must be 100% correct every single day. What's the probability of that happening? Somewhere close to exactly zero. The attacker only has to get it right once. Asymmetry. Therefore, a breach is inevitable, of some scope and some scale.

Richard talked a little bit about some of the different kinds of attackers that are in the environment today. We tend to classify them this way, although I certainly acknowledge the potential for cyber terrorism; you're going to have a variety of different kinds of threats. But we take a look at things on the far right, economic espionage, nation-state sponsored espionage, and now professional criminal organizations, as really the top of the pyramid. But digital, I guess I'll use the word for lack of a better term, weapons, it's a little bit hyperbolic, but these digital techniques are much more transferable and trickle down in this ecosystem. You know, a hacktivist can't go build a tank, but they sure as heck can copy bits off the internet, reverse engineer those and use them in their own attack techniques. So what was created potentially by a nation state yesterday is used for free on the internet by a random group of marauding graffiti artists. So basically you are facing nation-state grade technical problems in use by common people. So it's a very interesting dynamic, and a lot of real-world metaphors tend to break down when you think about cyber defense.

Another thing that we like to talk about at Mandiant is: compliance is not security. Now I'm not saying compliance isn't important. I'm not saying that if you have a regulatory regime or a set of standards that you have to comply with, you shouldn't care about those things.
You should care about those things. They establish a baseline. They establish a set of protections for a certain class of attacker, and those attackers are about this tall. If you don't perform that compliance, then you have to spend your time chasing short attackers. And well, there are also really tall attackers, and the only way you have time to hunt these guys is if you're not spending your time on those guys. So compliance is important, but if you're lulling yourself into a sense of "hey, I'm compliant, I'm secure, I can't be breached," you're 100% wrong. It's not just us talking about this in the industry; actually some of the other panelists here have given a nod towards this inevitability. There's a lot of good material actually from Gartner and Forrester that talks about the fact that there's not enough investment in the fact that your prevention and protection measures will fail, and therefore you must put the things in place necessary to identify their failure and do something about it.

This concept is based still on that idea of a security gap, right? So I talked about the asymmetry. The attacker only has to get it right once. You have to get it right every single day. In addition to that, the attacker has a sense of agility that you do not. How long does it take you to propagate a change in your IT infrastructure when you want to deploy a new agent to your desktops? When you want to make a firewall change? When you want to put a new piece of security equipment into your network? How many weeks or months? How many signatures and approvals for both budget and change do you have to go through? This is what the attacker does. Click send, done. So their agility is greater than yours just by virtue of your business. That gap is always present. So you have to mind that gap.
You have to pay attention to it and attempt to cover it through vigilance, looking for the attacker leaping across it and successfully breaching your organization.

Here's the good news slide. If we go take a look at 2012, all the incidents that Mandiant responded to as an organization, right? So large multinationals, hundreds of thousands of hours of incident response time clocked by our consultants. The average time between breach and detection of the breach was 243 days. This is the good news. The year before it was 416. So significant problem. Imagine how much damage can be done to your organization when you don't know you were breached for 243 days. The world record for data theft from a Mandiant client is, across the span of 10 months, 6.5 terabytes of information stolen by a nation-state actor. That's not 6.5 terabytes of random hard drives and Microsoft Windows executable files. That's 6.5 terabytes of Word documents, Excel spreadsheets, presentations, email, actual intellectual property from the victim organization. It was essentially everything they had ever done that mattered, that generated revenue for that company. That was the good news slide, because it went down to 243. So you smile now.

Alright, so what do you do? Right, so I'm up here, gosh, should I be afraid? Can we do anything? Is it hopeless? No. The fact of the matter is there's a new security paradigm. You have to be able to operate through compromise. You need the kinds of visibility, intelligence and infrastructure that allow you to detect that breach. So not just protect, but monitor your protection and identify when it fails, so that you can act and eject an attacker from your environment. It's a concept that we call threat-centric security. You know the threat is there, you know it'll be successful. You know you're vulnerable somewhere and they will ultimately get into your environment, so you have to be ready to act.
There are a number of different studies out there and lots of great material. Again, I'll point to some studies from Gartner that talk about these concepts of advanced threat defense. So you're not just protecting and passively sitting back, but you're actively participating and walking the line of your environment to go at the attacker when they attack you. Things like lean-forward network detection security technologies, lean-forward endpoint technologies that give you the ability to actually see these things when they happen, if you hunt for them, and then ultimately take action. I won't detail them here, but there's some very interesting research out there, and if you haven't been exposed to this, if this is a new concept, I highly recommend taking a look. We talk about the concept of the five styles framework. This is again something that Gartner put together, where they classify different technologies and capabilities that are beyond some of the things you might be familiar with today in your security infrastructure. So beyond your antivirus, beyond your firewall, things like network forensics, network traffic analysis, machine learning and big data analysis, payload analysis. These are all interesting techniques that you could potentially apply, and there's some good guidance out there to provide you as a defender some guides to, okay, what do I need to select, because I can't spend infinity dollars on my defense. How can I best apply them and get the best bang for my buck in my environment? We talk about this concept of incident response.
If you don't have an incident response capability, if you haven't thought about that in your environment, if you're going "gosh, that's new to me," there's a lot of good material about maturity models and ways that you can potentially invest for what's right in your organization to create that capability to respond. And you must have one, whether you do it for yourself or you choose to outsource it through experts to provide that within your environment.

Real quick conclusions. So prevention is friction, but as I said, it is necessary, or all you do is chase the short guys, and that's ultimately going to fail. Breach is inevitable, but the impact is variable depending on your readiness for that event. And if you think you're not compromised, are you looking? And please remember the 243-day metric. Somewhere today in this country somebody is saying, "I see that news event, but are we compromised? No, we're not compromised." 243 days from now, or more, they may find out that they actually are. Threat-centric security is required. You have compliance regimes; those are important. You do have to have some eye on your vulnerability, but that's not enough. If you're not also thinking about the threat and active defense, and the actions that you can take knowing that that threat is out there, then there's a significant gap in your program. And you can operate through breach. We've taken organizations and they successfully do it. They're under attack every single day. They are breached monthly, weekly, but they successfully operate, successfully defend their assets despite those failures in their security infrastructure.