Welcome back to our live programming in our Palo Alto studios. Wendy Whitmore is live remote, but she's in the house, sorta. Wendy is the senior vice president of Palo Alto's Unit 42, the world-class threat intelligence operation. Wendy, great to see you again. Thanks so much for taking some time out for theCUBE.

Oh, you're so welcome. Always great to see you, Dave.

Hey, so, you know, some folks might not be familiar with Unit 42. So why don't you set up our discussion with a little background?

Great, I'd love to. So you're probably familiar with Palo Alto Networks, right? We're the largest cybersecurity company at this point in the world. And Unit 42 is really the eyes and ears on the ground for Palo Alto. So we are the special forces team that jumps in and solves investigations on behalf of our clients. We're also made up of threat researchers and analysts, as well as threat hunters who are mining data sets throughout the globe to really identify what's new, what's latest and greatest when it comes to attacker techniques.

So we first had you on just about a year ago, almost exactly a year ago. So what's changed in terms of the threat landscape over the past 12 months?

Yeah, so three items I would highlight for you. So first, and they're all three S's: scale, speed and sophistication. I would say from a scale perspective, this is the first year in, I mean, I've been doing this now over 20 years, which is hard to believe some days, but from a scale perspective, for the first time ever, attackers now are targeting mass vulnerabilities as their inroads into getting into these organizations versus spear phishing. So that's really the first time that we've seen any type of avenue into an environment be larger than spear phishing. So attackers are looking for scale. How can they compromise more systems in a shorter timeframe? And that gets us to speed, right? How can they move quickly?
So when we talk about cyber criminals or nation state actors, they were really looking at the ability to exfiltrate data within hours instead of days or weeks, as it used to take, and in some cases it used to take months. And then from a sophistication perspective, we've always seen sophisticated nation state actors where they have an objective and they execute against it. But what we're seeing when it comes to cyber criminals is that they are more organized than they have ever been. They understand how businesses operate more effectively than they have. And they pair that with technical acumen as well as the ability to conduct social engineering attacks, which are now fueled by AI.

Okay, so you've got the nation states, Russia, North Korea, et cetera, and you've got cyber criminals. Can you sort of lay out the sophistication of each? Are they comparable? I know, I think they have different objectives, but how can you help us understand what that looks like?

Yeah, I would say they're in a bit of an arms race, right? So from the perspective of causing the most damage and destruction to operational impact, I would rank cyber criminals today higher, right? These ransomware cases, we're seeing so many cases now, 37% this year versus 20% last year, when we look at cases where there's extortion. And so extortion, data theft, and then actually causing just disruption to individuals. So not only attacking an organization through their means of, say, a CEO's business email, but perhaps doing something, reaching out to a spouse over social media, sending flower arrangements to their house to prove that, hey, I have a lot of understanding of where you live. We're seeing just a tremendous amount of increase there. When we look at nation state actors, they're not typically, and we can circle back to this because some of this has changed, but they are not typically going after a return on investment from a financial lens immediately, right?
They're looking to steal data and then to provide it to some backend group that's going to conduct the analytics on it and then make some decisions based on that data. So the means and the objectives are often different, but the capabilities, I think, are really growing increasingly pretty similar.

Have you seen any evidence from, say for instance, Russia or Iran, given the war in Israel and everything that's going on over there, the chaos, have you seen any either escalated attacks or new threats from them or new signatures?

Well, I think the real point of your question is the fact that these geopolitical wars throughout the world right now are causing the ability for nation state actors in particular to really operate behind the scenes in a way that's incredibly effective. So we have absolutely seen increased activity, in particular with Chinese nation state actors, related to activity within the Pacific Rim region, as well as the interest and intent to compromise more organizations throughout the globe as well. When we point back to Russia, still very active from a cyber landscape, right? So the war there certainly is very ongoing in a physical sphere, but in terms of just disruptive attacks in the cyber landscape, we're seeing those more and more, including attacks today.

And with respect to Russia specifically, you're seeing obviously nation state activity. I suspect you're also seeing a lot of cyber criminals. Are they coordinated? Are they generally sort of isolated? What are you seeing there?

That's a great question. I think with Russia specifically, it's sometimes hard to tell, right? The waters are often muddied, and we see that very intentionally from these nation state actors.
And so, generally, we've been able to see different objectives coming from a nation state that are largely based on, right, stealing data, which I mentioned, but now you've started to see North Korea in particular and China in particular have organizations that are offshoots of threat actors that are tied to nation state actor behavior, that are actually responsible now for conducting financial attacks and ransomware attacks. So I expect that we are going to see more of that in the future from countries throughout the world.

I remember last year, last December at Palo Alto Ignite, Nir Zuk had made a statement, something to the effect of, within five years, every SecOps organization is gonna be AI-powered. Has that actually happened in 2023? I bet you we're much closer to that than maybe that five year forecast, but what have you seen in that regard?

Well, it's wild that that was 12 months ago, right? Because I think so much has happened in that timeframe in terms of AI-powering activities in a great way for defenders and a great way for security operation centers, but also then causing certainly enhanced capabilities on the side of the attackers. So many SOCs throughout the world today are using AI for accelerated automation. They've been able to really offload some of the workflows so that they can focus their limited people resources on the highest criticality tasks and those that really require human analytics. So I think in those senses, we've seen a lot of positivity. Certainly on the side of the attackers, we're seeing them leverage AI today. It's less to effectively generate new types of malware and it's more to enhance the human side of social engineering, right?
So the human side of these attacks, we've seen that ranging in everything from eliminating the language barrier in written communications to them being able to successfully conduct voice scams where, for identity verification, they're replicating employees' voices and being able to get through identity verification systems that way. So I think a year from now, we're going to be having an even more different conversation, right, based on the capabilities growth at that time.

Yeah, when I asked you a similar question last year, even at RSA, at the time it wasn't as obvious. In just a few short months, now you're seeing very clear indications and patterns emerge. That's amazing.

I think it really speaks to the growth of AI, right? Of generative AI in particular, right? Machine learning's been around a long time, and different types of precision AI have been embedded in these technologies for a long time, but generative AI has really changed the game and the landscape in terms of how we work and the ability to accelerate some of the workflow. So I think it was hard to predict at the time when it was just emerging, and I think, likely similarly, it's going to be hard for us to predict what 24 months looks like, right?

These voice fakes are kind of scary, right? You'll get these robocalls, or maybe not robocalls, but you'll get these calls from, you don't know who it is, you're kind of afraid now to actually use your voice. You'd rather just, you know how, Lena Smart from MongoDB says, just don't click on links. Just do not click on links. Now you shouldn't answer the phone unless you know who's calling.

Right, right. It's just something that, you know, from an increased education perspective and awareness, we all need to be aware of, but for people, you know, like you and I that are out there, it's easy to find video clips, right? And voice clips. Certainly concerning.
So how is all this, you know, you're seeing new tactics, you're seeing, you hear about extortion versus, you know, they don't even bother encrypting anymore. How is this changing sort of the need for how organizations approach things like backup and recovery, and how that fits into the whole equation?

You know, I think backup and recovery have become foundational and table stakes for so many organizations. And that's great news, but that's specifically then why we've seen attackers shift towards the extortion campaigns, right? So, hey, okay, we're going to steal your information and then we're going to threaten you with the public release event, whether that's publicly, whether that's to specific clients of yours, whether it's, you know, coming back to the SEC, for example, afterwards and saying, you know, hey, we attacked this organization, we saw that they didn't disclose it. There's so many different angles of that now. So I think we'll continue to see, you know, the forced kind of really human connectivity in these attacks, and those becoming very human. I think the good news for organizations is that so much of that information then still falls back to security best practices. And it doesn't mean that, you know, you have to buy the latest and greatest brand new technology. It means you still have to do the fundamentals very well. The thing I would say that's changed, that we hear from CISOs, and I talk to CISOs nearly every day of the week, and they say, it's really hard for me to prioritize what's next, what I defend, when a new application comes out with a vulnerability that I've never even heard of, that I didn't even know was in my environment. So the ability to continue to identify where you're exposed in your external attack surface, I think that's more important now than it's ever been. But the good news is that's still really a security fundamental that so many organizations can do well.
The thing about organizations, and there aren't a lot of them that have sort of Unit 42's world-classness, if I can call it that, is it looks like the anatomy of complex hacks is really evolving. You talked about mass vulnerabilities. I mean, we were just in June at, you know, MGM, one of the MGM facilities, and you read about how MGM and Caesars got hacked with a spear phishing incident. And now you're talking about, just again, a few short months later, you're seeing just a completely different, you know, approach, and the anatomy of these breaches is changing. Can you add some color in terms of what you're seeing with your incident response cases?

Yeah, well, I would say one, our team's busier than we have ever been. And this team's been around for some time. And so I think that really speaks to the volume of attacks and breaches that are going on. You know, you mentioned the Las Vegas attacks. And so you have an attacker, in that case, Scattered Spider, you know, and what I think you're really seeing, and part of the reason that these get so much attention in the press, is they cause actual consumer impact. And I think that these attackers are quite bright, certainly in the way that they're approaching these types of attacks, and we're likely to see more of that. Because when you get that consumer impact, it starts, they see, hey, I caused a lot of business disruption. There's not only, you know, the financial reporting that goes on behind the scenes, but there were actual, you know, trades and bets that couldn't be made. There were hotel rooms that couldn't be checked into. There were purchases, you know, on the casino floor that could not be made. And that actually impacts people's livelihood when it comes to, you know, the tourism and hospitality industry.
So I think that we're likely to see more of those types of attacks where they're disruption focused, and in particular are going to really challenge businesses to operate through these types of attacks, which becomes, you know, more now the norm than the exception to the rule.

So amazing. We were out there that same week of the MGM hack. We were staying at the Cosmopolitan, and you've been to Vegas many times, as have I. You know, the MGM is always lit up and it's green and you can see it from outer space, probably. It was completely dark. There were maybe a couple of lights on, and we were just astounded. They had to revert, as you I'm sure know, to sort of old techniques of actually escorting guests to their room to make sure that they could open the door. It was interesting, the following week we're out at Caesars. Now, there was a little more time to recover, but they seemed to recover a lot better. You know, the word was they paid the ransom, but that's still such a hard thing for organizations. Do we pay? Do we not pay? It's sometimes illegal to pay. What do you tell people who ask you, should we pay the ransom?

I think the intent 100% of the time is always to never have to pay a ransom. The reality is there are some cases where that simply is not practical, whether it's national security related, whether it's simply business impacts related and there was data stolen that the organization simply can't get access to. So what we recommend is that organizations are as prepared as possible on the front end of that, and that is not just the CISO. That's the CEO, that's the board of directors having very close relationships with the CISO, with the CFO, making sure that they understand: what are the potential scenarios that we need to be prepared for? What are the scenarios within the realm of possibility that we would potentially need to pay? And if so, how do we do that effectively?
How do we make sure that we protect our consumer and our clients' data as much as possible and do the right thing? And then certainly coordinating all of that activity with the correct law enforcement entities and regulatory bodies.

I'm always in awe of people like yourself. I think I wonder sometimes if you sleep with one eye open, but after we get through the holidays, obviously RSA is coming up, you're speaking there I'm sure again, you probably have a lot going on there, but what's next for Unit 42 generally and you in the world of cyber?

You know, Unit 42, in terms of not resting, right? We certainly, that's what we get paid to do, is not rest. So holiday season, unfortunately, is often also known in our industry as breach season. So I think we've got our eyes and ears wide open as to what comes next, if there's some sort of major global attack or new exploit that's released that we all need to be prepared to defend against, but we're really looking forward to moving into the new year and helping secure as many clients as possible.

So do hackers take vacation? Do we have any evidence that they ever do?

You know, they do, but they don't seem to coincide with the major holidays, right? Just like anyone, they see that as an opportunity to potentially take advantage when, you know, people are out or their schedules are different. So we need to all be prepared for that.

Wendy, thanks so much. I hope we see you at RSA. 100%, we want to get you back on the program. You've always been a friend of theCUBE and a great guest. I really appreciate your time.

Awesome, thank you, Dave. Look forward to seeing you again.

All right, you bet. Okay, up next we wrap with the analyst angle: myself, John Furrier, and the two MDs of theCUBE Research, Kelly Kramer and Rob Strechay. We're going to talk about what we learned today and we'll set up the next section of the program. We're going to hear from the ecosystem. Keep it right there.