From our studios in the heart of Silicon Valley, Palo Alto, California, this is a CUBE Conversation.

Hello and welcome to theCUBE studios in Palo Alto, California for another CUBE Conversation, where we go in depth with thought leaders driving innovation across the tech industry. I'm your host, Peter Burris. Almost everybody's heard of the terms black hat and white hat, and they constitute groups of individuals that are either attacking or defending against security challenges. It's been an arms race for the past 10, 20, 30 years as the world's become more digital. And an arms race in which many of us are concerned that black hats appear to have the upper hand. But there are new developments in technology and new classes of tooling that are actually racing to the aid of white hats and could very well upset that equilibrium in favor of the white hats. To have that conversation about the ascension of the white hats, we're joined by Derek Manky, who's Chief, Security Insights and Global Threat Alliances at Fortinet. Derek, thanks for joining us for another CUBE Conversation.

It's always a pleasure speaking with you. Very good to be here.

Derek, let's start. What's going on at FortiGuard Labs at Fortinet?

So in 2019 we've seen a ton of development, a lot of it pretty much on track with our predictions when we talked last year. Obviously a big increase in volume thanks to offensive automation. We're also seeing low-volume attacks that are disrupting big business models. I'm talking about targeted ransom attacks, right? Criminals that are able to get into networks and cause millions of dollars of damages thanks to critical revenue streams being out. Usually in the public sector, we've seen a lot of this. We've seen a rise in sophistication. The adversaries are not slowing down. AETs, advanced evasion techniques, are on the rise. And so, to do this in FortiGuard Labs, to be able to track this and map this, we're not just relying on blogs anymore and 40, 50 page white papers.
So we're actually looking at playbooks now, mapping the adversaries, understanding their tools, techniques, procedures, how they're operating, why they're operating, who they're hitting and what might be their next move. So that's a big development on the intelligence side too.

All right, so I mentioned up front this notion that the white hats may be ascending. I'm implying a prediction here. Tell us a little bit about what we see on the horizon for that concept of the white hats ascending, and specifically, why is there reason to be optimistic?

Yeah, so it's been gloomy for decades, like you said, and for many reasons, right? And I think those reasons are no secrets. I mean, cyber criminals and black hats have always been able to move with agility, right? Cyber crime has no borders. It's often a slap on the wrist that they get. They can do a million things wrong. They don't care, there's no ethics and, quite frankly, no rules binding them, right? On the white hat side, we've always had rules binding us. We've had to take due care and we've had to move methodically, which slows us down. So a lot of that comes into place because of frameworks, because of technology as well, having to move after it's enabled with frameworks, specifically with making correct action and things like that. So those are the challenges that we've faced. But thinking ahead to 2020, particularly with the use of artificial intelligence, everybody talks about AI, it's impacted our daily lives, but when it comes to cybersecurity on the white hat side, a proper AI and machine learning model takes time, it can take years. In fact, in our case and in our experience, about four to five years before we can actually roll it out to production.
But the good news is that we have been investing, and when I say we, I'm talking about the industry in general and white hats, we've been investing in this technology because, quite frankly, we've had to. It takes a lot of data, it takes a lot of smart minds, a lot of investment, a lot of processing power, and that foundation has now been set over the last five years. If we look at the black hats, it's not the case. And why? Because they've been enjoying living off the land on low-hanging fruit, the path of least resistance, because they've been able to.

So one of the things that's changing that equilibrium then is the availability of AI. And as you said, it could take four or five years to get to a point where we've actually got useful AI that can have an impact. I guess that means that we've been working on these things for four or five years. What's the state of the art with AI as it pertains to security? And are we seeing different phases of development start to emerge as we gain more experience with these technologies?

Yeah, absolutely. And it's quite exciting, right? AI isn't this universal brain that solves the world's problems that everyone thinks it might be, right? It's very specific. It relies on machine learning models. Each machine learning model is very specific to its task, right? I mean, voice learning technology versus autonomous vehicle driving versus cybersecurity is very different when it comes to these learning purposes. So in essence, the way I look at it, there are three generations of AI. We have generation one, which was the past; generation two, which is current, where we are now; and then generation three, which is where we're going. So generation one was pretty simple, right? It was just a central processing machine learning model that would take in data, correlate that data and then take action based off of it. Some simple inputs, simple output, right? Generation two, where we're currently sitting, is more advanced.
It's looking at pattern recognition, more advanced inputs, distributed models where we have sensors lying around networks. I'm talking about human IoT devices, security appliances and so forth, that still report up to this centralized brain that's learning and acting on things. But where things get really interesting moving forward in 2020 is this third generation where you have, especially moving towards edge computing, localized learning nodes that are actually processing and learning. So you can think of them as these mini brains. Instead of having this monolithic centralized brain, you have individual learner nodes, individual brains doing their own machine learning, that are actually connected to each other, learning from each other, speaking to each other. It's a very powerful model. We actually refer to this as federated machine learning in our industry.

So in the first phase we simply used statistics to correlate events and take action. Now we're doing exceptions, pattern recognition, or exceptions and building patterns. And in the future, we're going to be able to further distribute that, so that increasingly the AI is going to work with other AI, so that the aggregate, this federated aggregate, gets better. Have I got that right?

Yeah, absolutely.

And what's the advantage of that?

A couple of things. It's very similar to the human immune system, right? I mean, if I were to cut my finger on my hand, what's going to happen? Well, localized white blood cells, localized, nothing from a foreign entity or further away in my body, are going to come to the rescue and start healing that, right? It's the same, because it's interconnected within the nervous system. It's the same idea with this federated machine learning. If a security appliance is to detect a threat locally on site, it's able to alert other security appliances so that they can actually take action on this and learn from that as well.
So, connected machine learning models. It means that by properly implementing these federated AI machine learning models in an organization, that system is able to actually, in an autoimmune way, pick up what that threat is, act on that threat, which means it's able to respond to these threats quicker, shut them down to the point where it can be virtually instantaneous, right? Before the damage is done and the bleeding starts happening.

So the common baseline is constantly getting better even as we're giving opportunities for local managers to perform the work in response to local conditions. So that takes us to the next notion. We've got this federated AI on the horizon. How is the role of people, security professionals, going to change? What kind of recipes are they going to follow to ensure that they are working in a maximally productive way with these new capabilities, these new federated capabilities, especially as we think about the introduction of 5G and greater density of devices and faster speeds and lower latencies?

Yeah, so the world of cyber security has always been incredibly complex. So we're trying to simplify that. And that's where, again, this federated machine learning comes into place, particularly with playbooks. If we look at 2019 and where we're going in 2020, we put a lot of groundwork, quite frankly, into pioneering the work of playbooks. So when I say playbooks, I'm talking about adversary playbooks: knowing the offense, knowing the tools, techniques, procedures, the way that these cyber crime operations are moving and the black hats are moving. The more that we can understand that, the more we can predict their next move. And with that centralized language, once you know that offense, we can start to create automated blue team playbooks, so defensive playbooks, that security technology can automatically integrate and respond to.
But to get back to your question, we can actually create human-readable CISO guides that can say, look, there's a threat. Here's why it's a problem. Here are the gaps in your security that we've identified. Here's some recommended course of action as an idea too, right? So that's where the humans and the machines are really going to be working together. And quite frankly, moving at speed, being able to do that on a machine level, but also being able to simplify a complex landscape, that is where we can actually gain traction, right? This is part of that ascendancy of the white hats because it's allowing us to move in a more agile nature. It's allowing us to gain ground against attackers. And quite frankly, it allows us to start disrupting their business model more, right? It's a more resilient network. In the future, this leads to the whole notion of self-healing networks as well. And quite frankly, it just makes it a big pain. It disrupts their business model. It forces them to go back to the drawing board too.

Well, it also seems as though when we start talking about 5G, that the speeds, as I said, the speeds, the density, the reduced latency, the potential for a bad thing to propagate very quickly, demand that we have a more consistent, coherent response. At both the machine level, but also at the people level. As we bring 5G into this conversation, what will be the impact of 5G on how these playbooks and AI start to come together over the next few years?

Yeah, it's going to be very impactful. It is going to take a couple of years, and we're just at the dawn of 5G right now. But if you think of 5G, you're talking about a lot more volume. Essentially, as we move to the future, we're entering into the age of 5G and edge computing. And 5G and edge computing is going to start eating the cloud, in the sense that more of that processing power that was in the cloud is starting to shift now towards edge computing, right? That is, on-premises.
So, A, it is going to allow models, like I was talking about, federated machine learning models, from the white hats' point of view, which again, I think we are in the driver's seat and in a better, more advantageous position here because we have more experience. Again, like I said, we've been doing this for years; the black hats, quite frankly, haven't. Yes, they're toying with it, but not to the same level and scale that we have. But I'm always a realist. This isn't a completely rosy picture. I mean, it is optimistic that we are able to get this upper hand. It has to be done, right? But if we think about the weaponization of 5G, that's also a very large problem, right? Last year we were talking about swarm networks, right? The idea of swarm networks is a whole bunch of devices that can connect to each other, share intelligence, and then act to do something like a large-scale DDoS attack. That's absolutely in the realm of possibility when it comes to the weaponization of 5G as well.

So one of the things, I guess the last question I want to ask you, is that you noted that these playbooks incorporate the human element in ways that are uniquely human. So having CISO-readable recipes for how people have to respond. Does that also elevate the conversation with the business and allow us to do a better job of understanding risk, pricing risk, and appropriately investing to manage and assure the business against risk in the right way?

Absolutely, absolutely it does, yeah. Because the more you know about, going back to the playbooks, the more you know about the offense and their tools, the more you know about how much of a danger it is, what sort of targets they're after, right?
I mean, if they're just going in trying to collect a little bit of information to do some reconnaissance, that first-phase attack might not cause a lot of damage. But if this group is known to go in, hit hard, steal intellectual property, shut down critical business streams through DoS, which in the past we know and we've seen has caused four or five million dollars from one breach, that's a very good way to start classifying risk. So yeah, I mean, it's all about really understanding the picture first on the offense, and that's exactly what these automated playbook guides are going to be doing on the blue team end. Again, not only from a C-suite perspective, certainly that on the human level, but the nice thing about the playbooks is, because we've done the research, the threat hunting, and understood this from a machine level, it's also able to make a lot of those automated, let's say day-to-day, decisions, making security operation centers, so I'm talking about SecDevOps, much more efficient too.

So we've talked about more density at the edge amongst these devices. I also want to bring back one last thought here, and that is you said that historically some of the black hats have been able to act with a degree of impunity. They haven't necessarily been hit hard. There's been a lot of slapping on the wrist, as I think you said. Talk about how the playbooks and AI are going to allow us to more appropriately share data with others that can help both now, but also in some of the forensics and the enforcement side, namely the legal and policing world. How are we going to share the responsibility, or how is that going to change over the next few years to incorporate some of the folks that actually can then turn a defense into a legal attack?

Threat elimination, this is what I call it, right? So again, if we look at the current state, we've made great strides, great progress working with law enforcement.
So we've set up public-private sector relationships. We need to do that, have security experts working with law enforcement, and law enforcement is working on their end to train prosecutors to understand cybercrime and so forth. That foundation has been set, but it's still slow moving. There's only a limited number of playbooks right now. It takes a lot of work to unearth and to really move the needle. What we need to do, again, like we're talking about, is to integrate artificial intelligence with playbooks. The more that we understand about groups, the more that we do this threat elimination, the more we have cover about them, the more we know about them. And by doing that, we can start to form predictive models, right? I always say old habits die hard. So if an attacker goes in, hits a network and they're successful following a certain sequence of patterns, they're likely going to follow that same sequence on their next victim or their next target. So the more that we understand about that, the more that we can forecast, A, from a mitigation standpoint, but also, by the same token, the more correlation we're doing on these playbooks, the more machine learning we're doing on these playbooks, the more we're able to do attribution. And attribution is the holy grail. It's always been the toughest thing to do when it comes to research, but by combining the framework that we're using with playbooks and AI machine learning, it's a very, very powerful recipe. And that's what we need to get right and move forward in the right direction.

Derek Manky, Fortinet's Chief of Security Insights and Threat Alliances. Thanks again for being on theCUBE.

Hey, it's a pleasure, anytime, happy to talk.

And I want to thank you for joining us for another CUBE Conversation. I'm Peter Burris, see you next time.