Lisa: Hey everyone, welcome to Fortinet's FortiGuard Labs series on theCUBE. I'm your host, Lisa Martin. This episode is going to focus on Fortinet's second half 2022 FortiGuard Labs Threat Report. One of our esteemed alumni is back to break this down: Derek Manky, chief security strategist and global VP of threat intelligence at Fortinet. Derek, it's great to see you.

Derek: Hey Lisa, how are you? It's always a pleasure to talk to you.

Lisa: Likewise, likewise. Before we dive into today's discussion, just remind the audience a little bit about your background. Talk about Fortinet's FortiGuard Labs, what you guys do, and sort of the intent behind this threat research.

Derek: Sure. So my background, I've been about 20 years now at Fortinet. I have a threat research background, surprise, myself. Now I lead our global threat intelligence team. So we have over 500 researchers working around the globe, eight dedicated labs. We're processing 200 billion threat events per day. That number keeps climbing. It's a noisy space. So our job is to curate that intelligence. So we're making sense of it, separating the signal from the noise, trying to make it actionable. And we do that through customer protection, of course, through our hundreds of thousands of customers worldwide, in real time, to update against the latest and greatest threats to reduce that attack surface, mitigate the risk. But we're also providing advice through strategic reports such as the Global Threat Landscape Report, which we do twice a year, where it's a lot more, we have the fun job of breaking down six months' worth of data. That's a lot of data considering we have 200 billion events a day. So we go through that, we curate it, we write mitigation advice, and we send that out to leaders, decision makers, to CISOs, global CISOs around the world as well too. So it's all a part of that. And we're also doing, we're not stopping there. We also take the intelligence further in terms of partnerships, private-private partnership, private and public partnership. The whole idea is we know what the bad guys are up to. So we don't want to just be on our heels with the shields up the whole time. We want to make progress. So we're working in the industry to actually disrupt cybercrime as well.

Lisa: That is so needed, disrupting cybercrime. I'd have to think back to, you said 200 billion events a day. When I was interviewing you years ago, it was a smaller number. So the fact that it's increasing isn't surprising, but it's great to see what FortiGuard Labs is up to. And you know, I always find these conversations around the global threat intelligence, Global Threat Landscape Reports, so fascinating. The landscape changes so dramatically within six months. So Derek, talk about, in your opinion, what was your biggest takeaway or some of your biggest takeaways from this latest report for second half of '22?

Derek: Yeah. So first of all, you're right, Lisa. The numbers do keep increasing. That's not a takeaway to me. I mean, that's almost a formula. We can almost put a formula on that. That's just a result of the growing attack surface that we see. There's more IoT devices. We have operational technology. We have more connectivity now with 5G, 6G on the horizon, of course. So that's going to continue. We're just simply going to be seeing more volume. But to me, one of the biggest takeaways was actually not a volume problem. It's something of a phenomenon I'm calling advanced persistent cybercrime. And I'll explain that in a second. What we're actually seeing is a shift now in cybercrime, which is a majority, 80% plus, of attack activity, versus targeted nation-state attacks that are going after critical infrastructure. The cybercrime phenomenon now, they're shifting more to targeted attacks. So the volume is actually dropping, but they're going after now very large enterprise, telecommunication carriers, MSSP providers, they're going after operational technology as well in targeted attacks, because they know that if they can monetize that with the proverbial bigger fish, they're going to make a bigger payday. And this is what we saw. And the number one takeaway was wiper malware. This is a bad news story, unfortunately. So destructive malware is now being used by cybercriminals. This is something that, in that 20% or less of attacks, we saw with nation-state actors starting in Ukraine. What we've seen is malware that's been developed for warfare purposes, that is destructive in nature, has one target, but now that's being commoditized and it's being put into attack kits. And we're seeing hundreds of thousands of these detections worldwide. So the wiper malware, we only saw at least maybe one per year. That's how sophisticated it was in the past. We saw 16 new ones developed in 2022. We've even seen more in Q1 of this year. And as I said, cybercriminals now are enterprising this. They're even creating open source code. This is something we observed in the report, where this is now becoming rolled out in toolkits and readily available.

Lisa: I was reading the press release, Derek, and your blog, and noticed that the increase in wiper malware was up 53% just from Q3 to Q4 alone. Huge activity. Cybercrime as a service is unfortunately booming.

Derek: Yes, exactly. I'm glad you mentioned the cybercrime as a service, because this is an example of how they're leveraging crime as a service, because they're taking this and they're wrapping it, refactoring the code essentially, because a weapon is a weapon. It depends how you use it. But now they're integrating it into their own services, their own toolkits as well. We've seen, of course, ransomware as a service. That's another thing we highlighted in the report. That it's still absolutely a problem. It's a high-water mark. It's a constant wave that we're seeing with that, because we have these business affiliates that are signing up to get commissions. So if they infect a system and they get paid ransom, then they'll continue to do that. And we're still seeing that. But now with the wiper malware, it's a destructive threat. So they're starting to combine this into the ransomware as a service model as well too. It's the saber rattling, right? Saying, hey, we know we can hit a big system. We can take it offline. We can cause you to bleed two, three million dollars in revenue a day. And so you better pay us up front, a nominal fee, and we'll give you your systems back.

Lisa: Right. And I was also noticing in the report that several new wipers were found in conjunction with the Russia-Ukraine war early in 2022, but spread to other countries, which was fueling that increase that we talked about. So it doesn't appear that malware is slowing down any time soon, based on the activity and the volume. Organizations really need real-time threat intelligence holistically across their entire landscape. Besides the increase in wipers, you mentioned ransomware. What else stood out to you that was interesting or surprised you in the report?

Derek: So I think this is like, so we talked about some of the bad news, and I completely agree now with the targeted attacks that are happening. It's one thing to deal with an attack if you stumble across it, but to be targeted in any sense of nature is a completely different ball game. So I completely agree, real-time threat intelligence, having more, especially with artificial intelligence and machine learning, again, 200 billion events, being able to deal with that and identify those tactics that are being used in targeted attacks is key, because the risk is just higher now, right? We're not talking about six-figure demands or payments. We're talking about eight-figure, not even seven-figure anymore. The damages are that big. So that's the bad news, of course. The good news though is we started to look at this from a different lens and we created a new view called the red zone. What that is is we looked at all the ways that these attackers are trying to get into systems. So if you look at the attack surface, it's very large. As I said, it keeps expanding and growing. There's about 200,000 holes in that attack surface. Those are vulnerabilities in the history of time, right? And that continues to snowball as new devices are integrated into the attack surface. IoT devices, particularly sensors and OT networks, all of that. But what we saw is, that's a big number. You don't want to boil the ocean from a CISO perspective. If you're trying to mitigate that risk, how do you focus on the ones that matter to your organization? And so we started looking at that in the report and we created this red zone. So we said, okay, out of that entire attack surface, 200,000 attacks, what are the ones that are currently actually open to organizations, right? So unpatched and open to organizations. And then what are the ones that attackers are actually trying to attack, right? So that's the red zone. And the good news is, when we translated that, it was only 1% of that entire attack surface. The red zone, of course, because those are critical, it's actively under attack. These are the ones that attackers are focusing on. So the good news is now we're not talking about 100% of this ocean. We're talking about 1% that we can really focus on and harden security and shore up the defenses.

Lisa: Okay. One of the other things I noticed was that even with all of the attention that Log4j has gotten in the past couple of years, organizations are still not prepared to protect against it. Let's double-click on the Log4j findings. The tech sector was the most targeted industry, followed by government and education. Organizations need to do some work here. This has been around for a while.

Derek: Yeah. And so this is something that we've been 20 years at Fortinet following the threat landscape. It's not surprising to me, Lisa. And this is something I think we can learn from historical trends. So it's not just Log4j, by the way, but that is one of the most recent big ones that we saw. Even going back to WannaCry in 2017, NotPetya, which was a big worm that spread on what is called EternalBlue, a big vulnerability. That was over five years ago now. In the report, it's still one of our number one worms and destructive threats that we see, five or six years old. Log4j now is just over a year old. But yes, it is still one of the most prevalent threats that we're seeing. So it's not just this one-year window. In fact, we're seeing threats dating five, six years back. And that was another highlight from the report, is that we're seeing code reuse now as well. So things that have been successful in the past, cybercriminals, they're enterprising, right? If they know that it was successful, they start to take that and tweak it and tune it into deploying new attacks. So adding, that's just a hole with Log4j. So now, hey, we can put ransomware or wiper malware combined onto that if we want to as well too. So again, the story here is that, unfortunately, we're still seeing five-year-old-plus threats that are still being successful. And in fact, retrofitted, right? They're literally taking the code and they're adding new bolt-on applications to it and deploying it. And this is something we really sounded the alarm on in the industry a year ago, of course. I think everybody, even my parents, knows about Log4j. But it's still something, absolutely, that is one of the number one threats we highlighted in the report.

Lisa: Vintage threats are a thing. So with the threat landscape being so amorphous, you talked about that, the attack surface spreading and spreading, and it's only going to continue. When you're in customer conversations, Derek, how do you advise CISOs to prioritize risk mitigation efforts so that they can minimize the attack surface as it continues to grow?

Derek: Right. So there's no, so this is a strategic approach. There's no silver bullet here. Thankfully, there are tools now. So number one, simplifying that attack surface, right? So starting with tools and technology and security solutions, there's a big shift in the industry now from consolidation and convergence of networking and security. So that's the number one conversation we're having with CISOs, right? And what I recommend is to reduce the complexity of your defense, right? Because if, you know, 10 years ago, it was very commonplace for organizations to have 15, 20, 25 vendors in a security stack, and that becomes very complicated to manage. You have more holes if, you know, different appliances are misconfigured and not updated with threat intelligence and so forth. So first of all, consolidate that. We're not saying go down to just one, you know, security platform, but in general, you know, the advice is to go from that 10, 15 point solution approach to five, consolidate it down to five, then start to integrate and interoperate them through APIs, through SD-WAN, orchestration, SOAR. That's all a SOC conversation now too, right? Because there's a skills gap problem out there still, and we can't hire our way out of this problem. So these are tools that really help with that, to orchestrate the defense, to have, you know, SIEM and SOC. So, you know, event logs and then orchestration happening so you don't have a human logging into a platform manually trying to change, you know, update policies. That's too slow. These attacks are happening really fast today. So, you know, first of all, tools and solution approach first, but then, as I said, that's not just the silver bullet. You have to think of this as an ecosystem also, as a supply chain, if you want. And humans are a very, very big part of that. So training and education is still a big part of this as well too. As I said, the targeted attacks, big conversations I'm having with CISOs now is deception technology, anti-reconnaissance. So knowing what do the bad guys know about you, so that you can defend properly against that as well. Patch management, of course, we talk about that. ZTNA, zero trust network access, it's all part of that defensive, proactive, you know, stance. Then artificial intelligence, machine learning come in, you know, to also, as I said, those 200 billion events, that's our job at FortiGuard Labs. So having, you know, real-time threat intelligence updated is important. And then lastly, you know, this isn't a one-shot thing. You can't just set and forget. This is something, just like physical security, that needs to be looked at on a daily, really on a daily basis, but refactor that, right? So penetration testing, looking at what assets are your critical ones, are those secure? Running security audits against them is important. And then also having a playbook, finally. It's not a matter of if, but when, we say, so having a playbook ready, that when you are targeted and the attackers come knocking on your door, what is your incident response and readiness plan? If you don't have an IR, forensics team in-house, of course, have a trusted third-party provider to help with that.

Lisa: Yeah, like you said, it's not if anymore. It's when, it's probably how often, what's going to be the damage. So one thing I do want to understand is, in our last few minutes, Derek, is what FortiGuard Labs is doing and the Fortinet technology, how can it help CISOs and other leaders address the cybersecurity talent shortage? I imagine looking at machine learning and automation is going to be critical for a holistic security strategy in that landscape.

Derek: Very critical. Absolutely. And again, I think of this as a stack, right? So you have, I mentioned the, it really starts with automation first. So again, technologies like SOAR and orchestration, SIEM, that takes care of a lot of the sort of mundane day-to-day things that you really don't need humans to be doing. Then on top of that, yes, that's where machine learning, artificial intelligence comes in, things like NDR, network detection and response, where it's actually picking out those sort of zero-day attacks, being able to deal with problems that it knows about, the AI and ML systems. But if it doesn't have a solid solution to it, then escalate it to the human experts, right? So it's really a pyramid-based approach, right, where you have humans on top, automation living on the bottom, then AI and ML in the middle. But it's critical. With the amount of threats that we see out there today and the volume and the complexity, again, like I said, you can't hire your way out of the problem, even if you wanted to, because there is a skills gap. So it really is a balanced approach. And training is still important too for the security professionals that you do have. I also mentioned the partnerships too, right? So that's another aspect too, having, who do you call, right? If you have a threat. So the human element, that's where the incident response comes in. We have our analysts at FortiGuard Labs that integrate and work with customers every day too.

Lisa: So this report, we've just dissected a little bit of this. I'm sure the audience is eager. Where can they go to find the report and really study it in depth to learn how to improve their security posture?

Derek: Sure. So the report's posted on fortinet.com. You can also find, we have a blog released on it on blog.fortinet.com. It's under threat research. We have also regular updates on there for things that are breaking past this report. Of course, a report, it's a very comprehensive snapshot of six months. But the threat landscape is living and breathing. So we're every day researching and posting alerts on there as well.

Lisa: Fascinating. And of course, there's no rest for the weary, Derek. You're already working on first half 2023, I imagine?

Derek: Yes, absolutely. We are. It's part of the data compilation process. So, and by the way, as I said, that trend is continuing. Like in Q1, we've already released what we call threat signals from FortiGuard Labs on wipers also that continue to be deployed this year.

Lisa: Awesome, Derek. Thank you so much for your time. This is this great series, Fortinet's FortiGuard Labs series on theCUBE. We appreciate your insights breaking down some of the trends that you're seeing. And as always, we love having you as a guest on theCUBE. Derek, thank you.

Derek: It's a pleasure. Thanks, Lisa. Looking forward to the next time.

Lisa: Looking forward to the next one. And stay tuned. This is the first in our series with Fortinet's FortiGuard Labs. I'm Lisa Martin. We'll see you next time. Thanks for watching.